├── .gitignore ├── Media └── logo.png ├── Tools ├── LGPO.exe └── LGPO-Download-Info.txt ├── Lists └── SettingsOverview.xlsx ├── GPOs ├── Deltas │ ├── W10_22H2 │ │ ├── BasicSecDomain │ │ │ └── GptTmpl.inf │ │ ├── HighSecComputer.txt │ │ └── BasicSecComputer.txt │ ├── W11_22H2 │ │ ├── BasicSecDomain │ │ │ └── GptTmpl.inf │ │ ├── HighSecCredGuard.txt │ │ ├── BasicSecComputer.txt │ │ └── HighSecComputer.txt │ └── W11_21H2 │ │ ├── BasicSecurity.txt │ │ └── BasicPrivacy.txt ├── BasicPrivacy │ └── Version 21H2_Win10 │ │ └── Enterprise │ │ ├── Tools │ │ └── LGPO-Download-Info.txt │ │ ├── GPO │ │ ├── User │ │ │ ├── user.txt │ │ │ └── registry.pol │ │ └── Machine │ │ │ ├── machine.txt │ │ │ ├── microsoft │ │ │ └── windows nt │ │ │ │ └── SecEdit │ │ │ │ └── GptTmpl.inf │ │ │ ├── comment.cmtx │ │ │ └── registry.pol │ │ └── RestrictedTraffic_ClientEnt_Install.cmd ├── BasicSecUser │ ├── {065B86DC-5229-4FC1-A8C2-BF989FDAEEB4} │ │ ├── gpreport.xml │ │ ├── DomainSysvol │ │ │ └── GPO │ │ │ │ └── User │ │ │ │ ├── registry.pol │ │ │ │ └── comment.cmtx │ │ ├── bkupInfo.xml │ │ └── Backup.xml │ └── manifest.xml ├── HighSecDomain │ ├── {0CC6A02E-2EFE-4774-B3C7-209B1C102367} │ │ ├── gpreport.xml │ │ ├── DomainSysvol │ │ │ └── GPO │ │ │ │ └── Machine │ │ │ │ └── microsoft │ │ │ │ └── windows nt │ │ │ │ └── SecEdit │ │ │ │ └── GptTmpl.inf │ │ ├── bkupInfo.xml │ │ └── Backup.xml │ └── manifest.xml ├── BasicSecComputer │ ├── {70CF3C23-9F4D-4E50-8D2A-DEAD79D5A724} │ │ ├── gpreport.xml │ │ ├── DomainSysvol │ │ │ └── GPO │ │ │ │ └── Machine │ │ │ │ ├── microsoft │ │ │ │ └── windows nt │ │ │ │ │ ├── Audit │ │ │ │ │ └── audit.csv │ │ │ │ │ └── SecEdit │ │ │ │ │ └── GptTmpl.inf │ │ │ │ ├── registry.pol │ │ │ │ └── comment.cmtx │ │ ├── bkupInfo.xml │ │ └── Backup.xml │ └── manifest.xml ├── BasicSecDefender │ ├── {72D1AD12-B481-44E3-9529-AC7C658508B2} │ │ ├── gpreport.xml │ │ ├── bkupInfo.xml │ │ ├── DomainSysvol │ │ │ └── GPO │ │ │ │ └── Machine │ │ │ │ ├── comment.cmtx │ │ │ │ └── registry.pol │ │ 
└── Backup.xml │ └── manifest.xml ├── BasicSecDomain │ ├── {14144BB4-26AC-4A90-B4E1-BE99F58A4FFF} │ │ ├── gpreport.xml │ │ ├── DomainSysvol │ │ │ └── GPO │ │ │ │ └── Machine │ │ │ │ └── microsoft │ │ │ │ └── windows nt │ │ │ │ └── SecEdit │ │ │ │ └── GptTmpl.inf │ │ ├── bkupInfo.xml │ │ └── Backup.xml │ └── manifest.xml ├── ExtremePrivacy │ └── Version 21H2_Win10 │ │ └── Enterprise │ │ └── GPO │ │ ├── Machine │ │ ├── GptTmpl.inf │ │ └── machine.txt │ │ └── User │ │ └── user.txt ├── HighSecBitlocker │ ├── {98ECD203-A3B2-4419-B1F0-E5A68F4044CB} │ │ ├── gpreport.xml │ │ ├── bkupInfo.xml │ │ ├── DomainSysvol │ │ │ └── GPO │ │ │ │ └── Machine │ │ │ │ ├── comment.cmtx │ │ │ │ └── registry.pol │ │ └── Backup.xml │ └── manifest.xml ├── HighSecComputer │ ├── {FB5B4EEE-3202-4D88-B70D-B0EDE21699D3} │ │ ├── gpreport.xml │ │ ├── DomainSysvol │ │ │ └── GPO │ │ │ │ └── Machine │ │ │ │ ├── registry.pol │ │ │ │ ├── microsoft │ │ │ │ └── windows nt │ │ │ │ │ ├── SecEdit │ │ │ │ │ └── GptTmpl.inf │ │ │ │ │ └── Audit │ │ │ │ │ └── audit.csv │ │ │ │ └── comment.cmtx │ │ ├── bkupInfo.xml │ │ └── Backup.xml │ └── manifest.xml ├── HighSecCredGuard │ ├── {1C44F912-2A2E-444E-81E9-005FDB9018FC} │ │ ├── gpreport.xml │ │ ├── bkupInfo.xml │ │ ├── DomainSysvol │ │ │ └── GPO │ │ │ │ └── Machine │ │ │ │ ├── comment.cmtx │ │ │ │ └── registry.pol │ │ └── Backup.xml │ └── manifest.xml ├── BasicSecBitlocker │ ├── {283903C7-6FA6-4078-92A2-25C026324F68} │ │ ├── gpreport.xml │ │ ├── DomainSysvol │ │ │ └── GPO │ │ │ │ └── Machine │ │ │ │ ├── microsoft │ │ │ │ └── windows nt │ │ │ │ │ └── SecEdit │ │ │ │ │ └── GptTmpl.inf │ │ │ │ ├── comment.cmtx │ │ │ │ └── registry.pol │ │ ├── bkupInfo.xml │ │ └── Backup.xml │ └── manifest.xml └── manifest.xml ├── Utils ├── Uninstall.ps1 ├── Backup.ps1 └── Build.ps1 ├── LICENSE.md ├── Templates ├── en-US │ ├── AdmPwd.adml │ ├── RestrictedTrafficCustomPolicy.adml │ ├── MSS-legacy.adml │ └── SecGuide.adml ├── AdmPwd.admx ├── RestrictedTrafficCustomPolicy.admx └── 
MSS-legacy.admx ├── README.md └── Install.ps1 /.gitignore: -------------------------------------------------------------------------------- 1 | *.log 2 | 3 | # Unfinished scripts 4 | Utils/Make.ps1 -------------------------------------------------------------------------------- /Media/logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/troennes/private-secure-windows/HEAD/Media/logo.png -------------------------------------------------------------------------------- /Tools/LGPO.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/troennes/private-secure-windows/HEAD/Tools/LGPO.exe -------------------------------------------------------------------------------- /Tools/LGPO-Download-Info.txt: -------------------------------------------------------------------------------- 1 | Download the LGPO.zip from: https://www.microsoft.com/en-us/download/details.aspx?id=55319 -------------------------------------------------------------------------------- /Lists/SettingsOverview.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/troennes/private-secure-windows/HEAD/Lists/SettingsOverview.xlsx -------------------------------------------------------------------------------- /GPOs/Deltas/W10_22H2/BasicSecDomain/GptTmpl.inf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/troennes/private-secure-windows/HEAD/GPOs/Deltas/W10_22H2/BasicSecDomain/GptTmpl.inf -------------------------------------------------------------------------------- /GPOs/Deltas/W11_22H2/BasicSecDomain/GptTmpl.inf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/troennes/private-secure-windows/HEAD/GPOs/Deltas/W11_22H2/BasicSecDomain/GptTmpl.inf 
-------------------------------------------------------------------------------- /GPOs/BasicPrivacy/Version 21H2_Win10/Enterprise/Tools/LGPO-Download-Info.txt: -------------------------------------------------------------------------------- 1 | Download the LGPO.zip from: https://www.microsoft.com/en-us/download/details.aspx?id=55319 -------------------------------------------------------------------------------- /GPOs/BasicPrivacy/Version 21H2_Win10/Enterprise/GPO/User/user.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/troennes/private-secure-windows/HEAD/GPOs/BasicPrivacy/Version 21H2_Win10/Enterprise/GPO/User/user.txt -------------------------------------------------------------------------------- /GPOs/BasicSecUser/{065B86DC-5229-4FC1-A8C2-BF989FDAEEB4}/gpreport.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/troennes/private-secure-windows/HEAD/GPOs/BasicSecUser/{065B86DC-5229-4FC1-A8C2-BF989FDAEEB4}/gpreport.xml -------------------------------------------------------------------------------- /GPOs/HighSecDomain/{0CC6A02E-2EFE-4774-B3C7-209B1C102367}/gpreport.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/troennes/private-secure-windows/HEAD/GPOs/HighSecDomain/{0CC6A02E-2EFE-4774-B3C7-209B1C102367}/gpreport.xml -------------------------------------------------------------------------------- /GPOs/BasicPrivacy/Version 21H2_Win10/Enterprise/GPO/Machine/machine.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/troennes/private-secure-windows/HEAD/GPOs/BasicPrivacy/Version 21H2_Win10/Enterprise/GPO/Machine/machine.txt -------------------------------------------------------------------------------- /GPOs/BasicSecComputer/{70CF3C23-9F4D-4E50-8D2A-DEAD79D5A724}/gpreport.xml: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/troennes/private-secure-windows/HEAD/GPOs/BasicSecComputer/{70CF3C23-9F4D-4E50-8D2A-DEAD79D5A724}/gpreport.xml -------------------------------------------------------------------------------- /GPOs/BasicSecDefender/{72D1AD12-B481-44E3-9529-AC7C658508B2}/gpreport.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/troennes/private-secure-windows/HEAD/GPOs/BasicSecDefender/{72D1AD12-B481-44E3-9529-AC7C658508B2}/gpreport.xml -------------------------------------------------------------------------------- /GPOs/BasicSecDomain/{14144BB4-26AC-4A90-B4E1-BE99F58A4FFF}/gpreport.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/troennes/private-secure-windows/HEAD/GPOs/BasicSecDomain/{14144BB4-26AC-4A90-B4E1-BE99F58A4FFF}/gpreport.xml -------------------------------------------------------------------------------- /GPOs/ExtremePrivacy/Version 21H2_Win10/Enterprise/GPO/Machine/GptTmpl.inf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/troennes/private-secure-windows/HEAD/GPOs/ExtremePrivacy/Version 21H2_Win10/Enterprise/GPO/Machine/GptTmpl.inf -------------------------------------------------------------------------------- /GPOs/HighSecBitlocker/{98ECD203-A3B2-4419-B1F0-E5A68F4044CB}/gpreport.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/troennes/private-secure-windows/HEAD/GPOs/HighSecBitlocker/{98ECD203-A3B2-4419-B1F0-E5A68F4044CB}/gpreport.xml -------------------------------------------------------------------------------- /GPOs/HighSecComputer/{FB5B4EEE-3202-4D88-B70D-B0EDE21699D3}/gpreport.xml: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/troennes/private-secure-windows/HEAD/GPOs/HighSecComputer/{FB5B4EEE-3202-4D88-B70D-B0EDE21699D3}/gpreport.xml -------------------------------------------------------------------------------- /GPOs/HighSecCredGuard/{1C44F912-2A2E-444E-81E9-005FDB9018FC}/gpreport.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/troennes/private-secure-windows/HEAD/GPOs/HighSecCredGuard/{1C44F912-2A2E-444E-81E9-005FDB9018FC}/gpreport.xml -------------------------------------------------------------------------------- /GPOs/BasicSecBitlocker/{283903C7-6FA6-4078-92A2-25C026324F68}/gpreport.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/troennes/private-secure-windows/HEAD/GPOs/BasicSecBitlocker/{283903C7-6FA6-4078-92A2-25C026324F68}/gpreport.xml -------------------------------------------------------------------------------- /GPOs/BasicSecComputer/{70CF3C23-9F4D-4E50-8D2A-DEAD79D5A724}/DomainSysvol/GPO/Machine/microsoft/windows nt/Audit/audit.csv: -------------------------------------------------------------------------------- 1 | Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value 2 | -------------------------------------------------------------------------------- /GPOs/BasicSecComputer/{70CF3C23-9F4D-4E50-8D2A-DEAD79D5A724}/DomainSysvol/GPO/Machine/registry.pol: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/troennes/private-secure-windows/HEAD/GPOs/BasicSecComputer/{70CF3C23-9F4D-4E50-8D2A-DEAD79D5A724}/DomainSysvol/GPO/Machine/registry.pol -------------------------------------------------------------------------------- /GPOs/HighSecComputer/{FB5B4EEE-3202-4D88-B70D-B0EDE21699D3}/DomainSysvol/GPO/Machine/registry.pol: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/troennes/private-secure-windows/HEAD/GPOs/HighSecComputer/{FB5B4EEE-3202-4D88-B70D-B0EDE21699D3}/DomainSysvol/GPO/Machine/registry.pol -------------------------------------------------------------------------------- /GPOs/BasicPrivacy/Version 21H2_Win10/Enterprise/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/troennes/private-secure-windows/HEAD/GPOs/BasicPrivacy/Version 21H2_Win10/Enterprise/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf -------------------------------------------------------------------------------- /GPOs/HighSecDomain/{0CC6A02E-2EFE-4774-B3C7-209B1C102367}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/troennes/private-secure-windows/HEAD/GPOs/HighSecDomain/{0CC6A02E-2EFE-4774-B3C7-209B1C102367}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf -------------------------------------------------------------------------------- /GPOs/BasicSecDomain/{14144BB4-26AC-4A90-B4E1-BE99F58A4FFF}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/troennes/private-secure-windows/HEAD/GPOs/BasicSecDomain/{14144BB4-26AC-4A90-B4E1-BE99F58A4FFF}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf -------------------------------------------------------------------------------- /GPOs/HighSecComputer/{FB5B4EEE-3202-4D88-B70D-B0EDE21699D3}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/troennes/private-secure-windows/HEAD/GPOs/HighSecComputer/{FB5B4EEE-3202-4D88-B70D-B0EDE21699D3}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf -------------------------------------------------------------------------------- /GPOs/BasicSecBitlocker/{283903C7-6FA6-4078-92A2-25C026324F68}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/troennes/private-secure-windows/HEAD/GPOs/BasicSecBitlocker/{283903C7-6FA6-4078-92A2-25C026324F68}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf -------------------------------------------------------------------------------- /GPOs/BasicSecComputer/{70CF3C23-9F4D-4E50-8D2A-DEAD79D5A724}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/troennes/private-secure-windows/HEAD/GPOs/BasicSecComputer/{70CF3C23-9F4D-4E50-8D2A-DEAD79D5A724}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf -------------------------------------------------------------------------------- /GPOs/Deltas/W11_22H2/HighSecCredGuard.txt: -------------------------------------------------------------------------------- 1 | ; ---------------------------------------------------------------------- 2 | ; LGPO-text file, used with LGPO.exe. 
3 | ; 4 | ; MSFT Windows 11 22H2 - Credential Guard 5 | 6 | Computer 7 | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard 8 | ConfigureKernelShadowStacksLaunch 9 | DWORD:1 10 | 11 | ; ---------------------------------------------------------------------- -------------------------------------------------------------------------------- /GPOs/Deltas/W11_21H2/BasicSecurity.txt: -------------------------------------------------------------------------------- 1 | ; ---------------------------------------------------------------------- 2 | ; LGPO-text file, used with LGPO.exe. 3 | ; 4 | ; Add basic security setting for Windows 11 5 | ; 6 | 7 | Computer 8 | Software\Policies\Microsoft\Windows Defender\Real-Time Protection 9 | DisableScriptScanning 10 | DWORD:0 11 | 12 | 13 | ; ---------------------------------------------------------------------- -------------------------------------------------------------------------------- /GPOs/ExtremePrivacy/Version 21H2_Win10/Enterprise/GPO/User/user.txt: -------------------------------------------------------------------------------- 1 | 2 | ; Disable Windows Update 3 | User 4 | SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate 5 | DisableWindowsUpdateAccess 6 | DWORD:1 7 | 8 | User 9 | SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate 10 | DisableWindowsUpdateAccessMode 11 | DWORD:0 12 | 13 | ; PARSING COMPLETED. 
14 | ; ---------------------------------------------------------------------- 15 | -------------------------------------------------------------------------------- /GPOs/BasicSecUser/{065B86DC-5229-4FC1-A8C2-BF989FDAEEB4}/DomainSysvol/GPO/User/registry.pol: -------------------------------------------------------------------------------- 1 | PReg[Software\Policies\Microsoft\Windows\CloudContent;DisableThirdPartySuggestions;;;][Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications;NoToastApplicationNotificationOnLockScreen;;;] -------------------------------------------------------------------------------- /GPOs/Deltas/W11_21H2/BasicPrivacy.txt: -------------------------------------------------------------------------------- 1 | ; ---------------------------------------------------------------------- 2 | ; LGPO-text file, used with LGPO.exe. 3 | ; 4 | ; Add new privacy setting for Windows 11 5 | ; 6 | 7 | Computer 8 | SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Dsh 9 | AllowNewsAndInterests 10 | DWORD:0 11 | 12 | Computer 13 | SOFTWARE\Policies\Microsoft\Windows\CloudContent 14 | DisableCloudOptimizedContent 15 | DWORD:1 16 | 17 | ; ---------------------------------------------------------------------- -------------------------------------------------------------------------------- /GPOs/Deltas/W10_22H2/HighSecComputer.txt: -------------------------------------------------------------------------------- 1 | ; ---------------------------------------------------------------------- 2 | ; LGPO-text file, used with LGPO.exe. 
3 | ; 4 | ; from MSFT Windows 11 22H2 - Computer 5 | 6 | 7 | Computer 8 | Software\Policies\Microsoft\Windows NT\Printers 9 | CopyFilesPolicy 10 | DWORD:1 11 | 12 | Computer 13 | SYSTEM\CurrentControlSet\Control\Print 14 | RpcAuthnLevelPrivacyEnabled 15 | DWORD:1 16 | 17 | Computer 18 | Software\Policies\Microsoft\Windows NT\Printers 19 | RedirectionGuardPolicy 20 | DWORD:1 21 | 22 | ; ---------------------------------------------------------------------- -------------------------------------------------------------------------------- /GPOs/BasicSecUser/{065B86DC-5229-4FC1-A8C2-BF989FDAEEB4}/bkupInfo.xml: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /GPOs/BasicSecComputer/{70CF3C23-9F4D-4E50-8D2A-DEAD79D5A724}/bkupInfo.xml: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /GPOs/BasicSecBitlocker/{283903C7-6FA6-4078-92A2-25C026324F68}/bkupInfo.xml: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /GPOs/BasicSecDomain/{14144BB4-26AC-4A90-B4E1-BE99F58A4FFF}/bkupInfo.xml: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /GPOs/HighSecBitlocker/{98ECD203-A3B2-4419-B1F0-E5A68F4044CB}/bkupInfo.xml: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /GPOs/HighSecComputer/{FB5B4EEE-3202-4D88-B70D-B0EDE21699D3}/bkupInfo.xml: -------------------------------------------------------------------------------- 1 | 2 | 
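--------------------------------------------------------------------------------
/GPOs/BasicSecDefender/{72D1AD12-B481-44E3-9529-AC7C658508B2}/bkupInfo.xml:
--------------------------------------------------------------------------------
1 | 2 |
--------------------------------------------------------------------------------
/GPOs/HighSecDomain/{0CC6A02E-2EFE-4774-B3C7-209B1C102367}/bkupInfo.xml:
--------------------------------------------------------------------------------
1 | 2 |
--------------------------------------------------------------------------------
/GPOs/HighSecCredGuard/{1C44F912-2A2E-444E-81E9-005FDB9018FC}/bkupInfo.xml:
--------------------------------------------------------------------------------
1 | 2 |
--------------------------------------------------------------------------------
/GPOs/BasicPrivacy/Version 21H2_Win10/Enterprise/GPO/Machine/comment.cmtx:
--------------------------------------------------------------------------------
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 |
--------------------------------------------------------------------------------
/Utils/Uninstall.ps1:
--------------------------------------------------------------------------------
# Removes ALL custom local group policy settings, and returns system to default
#
# Steps: wipe the local GPO stores (computer-wide and per-user MLGPO), re-apply
# the Windows default security template with secedit, then refresh policy.
# Must be run from an elevated session; the admin check below fails closed.

# Stop on the first error so a failed step is not silently skipped and a
# half-reset machine is not reported as "Done".
$ErrorActionPreference = 'Stop'

# IsInRole is the documented elevation check: under UAC a non-elevated
# administrator token does not satisfy the Administrator role.
$Principal = [System.Security.Principal.WindowsPrincipal][System.Security.Principal.WindowsIdentity]::GetCurrent()
$IsAdmin = $Principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $IsAdmin){
    throw "Script is not running with administrative privileges"
}

# Local policy stores. GroupPolicyUsers holds the per-user/per-group policy
# objects. Folders that are already absent are skipped instead of producing
# an error (which would now be terminating).
foreach ($PolicyDir in @("$env:WinDir\System32\GroupPolicyUsers", "$env:WinDir\System32\GroupPolicy")) {
    if (Test-Path -Path $PolicyDir) {
        Remove-Item -Path "$PolicyDir\*" -Recurse -Force
    }
}

# Re-apply the OS default security template. The working database goes to
# TEMP rather than whatever the current directory happens to be, and the
# exit code is checked because secedit signals failure via $LASTEXITCODE,
# not via a PowerShell error.
$SecDb = Join-Path -Path $env:TEMP -ChildPath "defltbase.sdb"
secedit /configure /cfg "$env:windir\inf\defltbase.inf" /db "$SecDb" /verbose
if ($LASTEXITCODE -ne 0) {
    throw "secedit /configure failed with exit code $LASTEXITCODE"
}

# Policy refresh; a non-zero code here is worth knowing about but the reset
# itself has already been applied, so warn rather than abort.
gpupdate /force
if ($LASTEXITCODE -ne 0) {
    Write-Warning "gpupdate /force returned exit code $LASTEXITCODE"
}

Write-Host "Done. Please reboot your device to apply all settings"
--------------------------------------------------------------------------------
/GPOs/BasicSecUser/{065B86DC-5229-4FC1-A8C2-BF989FDAEEB4}/DomainSysvol/GPO/User/comment.cmtx:
--------------------------------------------------------------------------------
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 |
--------------------------------------------------------------------------------
/GPOs/HighSecCredGuard/{1C44F912-2A2E-444E-81E9-005FDB9018FC}/DomainSysvol/GPO/Machine/comment.cmtx:
--------------------------------------------------------------------------------
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 |
--------------------------------------------------------------------------------
/GPOs/BasicSecBitlocker/{283903C7-6FA6-4078-92A2-25C026324F68}/DomainSysvol/GPO/Machine/comment.cmtx:
--------------------------------------------------------------------------------
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 |
--------------------------------------------------------------------------------
/GPOs/BasicSecDefender/{72D1AD12-B481-44E3-9529-AC7C658508B2}/DomainSysvol/GPO/Machine/comment.cmtx:
--------------------------------------------------------------------------------
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 |
--------------------------------------------------------------------------------
/GPOs/BasicSecUser/manifest.xml:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/GPOs/BasicSecBitlocker/manifest.xml:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/GPOs/BasicSecComputer/manifest.xml:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------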
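/GPOs/HighSecComputer/manifest.xml:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/Utils/Backup.ps1:
--------------------------------------------------------------------------------
# Backs up current local policy
#
# Exports the local GPO store with LGPO.exe (/b) into $OutputDir. Must run
# elevated. The LGPO.exe default is resolved relative to this script's folder
# rather than the caller's current directory, so the script works from any
# working directory.
#
# Parameters:
#   -LgpoPath   folder containing LGPO.exe
#   -OutputDir  backup destination; created if missing

[CmdletBinding()]
param(
    [string]$LgpoPath = (Join-Path -Path $PSScriptRoot -ChildPath "..\Tools"),
    [string]$OutputDir = "C:\tmp\"
)

$ErrorActionPreference = 'Stop'

# IsInRole is the documented elevation check: a non-elevated (UAC-filtered)
# administrator token does not satisfy the Administrator role.
$Principal = [System.Security.Principal.WindowsPrincipal][System.Security.Principal.WindowsIdentity]::GetCurrent()
$IsAdmin = $Principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $IsAdmin){
    throw "Script not run as admin"
}

$LgpoExe = Join-Path -Path $LgpoPath -ChildPath "LGPO.exe"
if (-not (Test-Path -Path $LgpoExe)){
    throw "LGPO.exe not found. Exiting"
}

# LGPO.exe is a vendored binary executed with admin rights. Refuse to run it
# unless its Authenticode signature verifies, so a replaced or corrupted copy
# in the repository checkout is not executed.
$Signature = Get-AuthenticodeSignature -FilePath $LgpoExe
if ($Signature.Status -ne 'Valid') {
    throw "LGPO.exe signature check failed ($($Signature.Status)). Refusing to run it"
}

if (-not (Test-Path -Path $OutputDir)){
    Write-Warning "Output path not found. Creating it"
    New-Item -ItemType Directory -Path $OutputDir | Out-Null
}

# Quote the directory so a path containing spaces reaches LGPO.exe as one
# argument. A trailing backslash is doubled: in Windows command-line parsing
# `\"` would otherwise be read as an escaped quote and break the argument.
$ArgDir = $OutputDir
if ($ArgDir.EndsWith('\')) {
    $ArgDir += '\'
}

# -PassThru exposes the exit code, which Start-Process otherwise discards.
$Proc = Start-Process -FilePath $LgpoExe -NoNewWindow -Wait -PassThru -ArgumentList "/b `"$ArgDir`""
if ($Proc.ExitCode -ne 0) {
    throw "LGPO.exe /b failed with exit code $($Proc.ExitCode)"
}
--------------------------------------------------------------------------------
/GPOs/BasicSecDomain/manifest.xml:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/GPOs/HighSecBitlocker/manifest.xml:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/GPOs/HighSecDomain/manifest.xml:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/GPOs/BasicSecDefender/manifest.xml:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/GPOs/HighSecCredGuard/manifest.xml:
--------------------------------------------------------------------------------
1 |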
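--------------------------------------------------------------------------------
/GPOs/Deltas/W10_22H2/BasicSecComputer.txt:
--------------------------------------------------------------------------------
1 | ; ---------------------------------------------------------------------- 2 | ; LGPO-text file, used with LGPO.exe. 3 | ; 4 | ; from MSFT Windows 10 22H2 - Computer 5 | 6 | 7 | Computer 8 | SYSTEM\CurrentControlSet\Control\Lsa 9 | RunAsPPL 10 | DWORD:1 11 | 12 | 13 | ; from MSFT Windows 10 22H2 - Defender Antivirus 14 | 15 | 16 | Computer 17 | Software\Policies\Microsoft\Windows Defender\Real-Time Protection 18 | DisableBehaviorMonitoring 19 | DWORD:0 20 | 21 | Computer 22 | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules 23 | 56a863a9-875e-4185-98a7-b882c64b5ce5 24 | SZ:1 25 | 26 | 27 | ; ----------------------------------------------------------------------
--------------------------------------------------------------------------------
/GPOs/HighSecBitlocker/{98ECD203-A3B2-4419-B1F0-E5A68F4044CB}/DomainSysvol/GPO/Machine/comment.cmtx:
--------------------------------------------------------------------------------
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 |
--------------------------------------------------------------------------------
/Utils/Build.ps1:
--------------------------------------------------------------------------------
# Build registry.pol from LGPO text file
#
# Converts Machine\machine.txt and User\user.txt under $GpoPath into the
# binary registry.pol files (LGPO.exe /r <text> /w <pol>). Defaults are
# resolved relative to this script's folder, not the caller's current
# directory.
#
# Parameters:
#   -GpoPath   GPO folder holding the Machine and User subfolders
#   -LgpoPath  folder containing LGPO.exe

[CmdletBinding()]
param(
    [string]$GpoPath = (Join-Path -Path $PSScriptRoot -ChildPath "..\GPOs\BasicPrivacy\Version 21H2_Win10\Enterprise\GPO"),
    [string]$LgpoPath = (Join-Path -Path $PSScriptRoot -ChildPath "..\Tools")
)

$ErrorActionPreference = 'Stop'

# throw rather than Write-Error: Write-Error is non-terminating, so the
# script previously carried on and invoked a missing LGPO.exe / built from a
# missing GPO folder. This also matches the error handling in Backup.ps1.
$LgpoExe = Join-Path -Path $LgpoPath -ChildPath "LGPO.exe"
if (-not (Test-Path -Path $LgpoExe)){
    throw "LGPO.exe not found. Exiting"
}

if (-not (Test-Path -Path $GpoPath)){
    throw "GPO folder not found. Exiting"
}

# LGPO.exe is a vendored binary; verify its Authenticode signature before
# executing it so a replaced or corrupted copy is not run.
$Signature = Get-AuthenticodeSignature -FilePath $LgpoExe
if ($Signature.Status -ne 'Valid') {
    throw "LGPO.exe signature check failed ($($Signature.Status)). Refusing to run it"
}

# For each scope: parse the LGPO text file, write the matching registry.pol,
# and surface LGPO.exe's exit code (Start-Process discards it without
# -PassThru). Paths are quoted because $GpoPath may contain spaces.
foreach ($Scope in @("Machine", "User")) {
    $TextFile = Join-Path -Path $GpoPath -ChildPath "$Scope\$($Scope.ToLower()).txt"
    $PolFile = Join-Path -Path $GpoPath -ChildPath "$Scope\registry.pol"
    if (-not (Test-Path -Path $TextFile)) {
        throw "LGPO text file not found: $TextFile"
    }
    $Proc = Start-Process -FilePath $LgpoExe -NoNewWindow -Wait -PassThru `
        -ArgumentList "/r `"$TextFile`" /w `"$PolFile`""
    if ($Proc.ExitCode -ne 0) {
        throw "LGPO.exe failed for $TextFile with exit code $($Proc.ExitCode)"
    }
}
--------------------------------------------------------------------------------
/GPOs/HighSecBitlocker/{98ECD203-A3B2-4419-B1F0-E5A68F4044CB}/DomainSysvol/GPO/Machine/registry.pol:
--------------------------------------------------------------------------------
1 | PReg[Software\Policies\Microsoft\FVE;DisableExternalDMAUnderLock;;;][Software\Policies\Microsoft\FVE;UseEnhancedPin;;;][Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab;ACSettingIndex;;;][Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab;DCSettingIndex;;;]
--------------------------------------------------------------------------------
/GPOs/HighSecComputer/{FB5B4EEE-3202-4D88-B70D-B0EDE21699D3}/DomainSysvol/GPO/Machine/comment.cmtx:
--------------------------------------------------------------------------------
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 |
--------------------------------------------------------------------------------
/GPOs/BasicSecBitlocker/{283903C7-6FA6-4078-92A2-25C026324F68}/DomainSysvol/GPO/Machine/registry.pol:
--------------------------------------------------------------------------------
1 | PReg[SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions;DenyDeviceClasses;;;][SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions;DenyDeviceClassesRetroactive;;;][SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses;**delvals.;;; ][SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses;1;;N;{d48179be-ec20-11d1-b6b8-00c04fa372a7}]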
-------------------------------------------------------------------------------- /GPOs/HighSecCredGuard/{1C44F912-2A2E-444E-81E9-005FDB9018FC}/DomainSysvol/GPO/Machine/registry.pol: -------------------------------------------------------------------------------- 1 | PReg[SOFTWARE\Policies\Microsoft\Windows\DeviceGuard;EnableVirtualizationBasedSecurity;;;][SOFTWARE\Policies\Microsoft\Windows\DeviceGuard;RequirePlatformSecurityFeatures;;;][SOFTWARE\Policies\Microsoft\Windows\DeviceGuard;HypervisorEnforcedCodeIntegrity;;;][SOFTWARE\Policies\Microsoft\Windows\DeviceGuard;HVCIMATRequired;;;][SOFTWARE\Policies\Microsoft\Windows\DeviceGuard;ConfigureSystemGuardLaunch;;;] -------------------------------------------------------------------------------- /GPOs/Deltas/W11_22H2/BasicSecComputer.txt: -------------------------------------------------------------------------------- 1 | ; ---------------------------------------------------------------------- 2 | ; LGPO-text file, used with LGPO.exe. 3 | ; 4 | ; from MSFT Windows 11 22H2 - Computer 5 | 6 | Computer 7 | Software\Microsoft\Windows\CurrentVersion\Policies\System 8 | EnableMPR 9 | DWORD:0 10 | 11 | Computer 12 | Software\Policies\Microsoft\Windows NT\DNSClient 13 | EnableNetbios 14 | DWORD:2 15 | 16 | Computer 17 | Software\Policies\Microsoft\Windows\System 18 | AllowCustomSSPsAPs 19 | DWORD:0 20 | 21 | Computer 22 | SYSTEM\CurrentControlSet\Control\Lsa 23 | RunAsPPL 24 | DWORD:1 25 | 26 | 27 | ; from MSFT Windows 11 22H2 - Defender Antivirus 28 | 29 | 30 | Computer 31 | Software\Policies\Microsoft\Windows Defender\Real-Time Protection 32 | DisableBehaviorMonitoring 33 | DWORD:0 34 | 35 | Computer 36 | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules 37 | 56a863a9-875e-4185-98a7-b882c64b5ce5 38 | SZ:1 39 | 40 | 41 | ; ---------------------------------------------------------------------- -------------------------------------------------------------------------------- /LICENSE.md: 
-------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 Kim Troennes 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /GPOs/Deltas/W11_22H2/HighSecComputer.txt: -------------------------------------------------------------------------------- 1 | ; ---------------------------------------------------------------------- 2 | ; LGPO-text file, used with LGPO.exe. 
3 | ; 4 | ; from MSFT Windows 11 22H2 - Computer 5 | 6 | 7 | Computer 8 | Software\Policies\Microsoft\Windows NT\Printers 9 | CopyFilesPolicy 10 | DWORD:1 11 | 12 | Computer 13 | Software\Policies\Microsoft\Windows NT\Printers\RPC 14 | ForceKerberosForRpc 15 | DWORD:0 16 | 17 | Computer 18 | Software\Policies\Microsoft\Windows NT\Printers\RPC 19 | RpcAuthentication 20 | DWORD:0 21 | 22 | Computer 23 | Software\Policies\Microsoft\Windows NT\Printers\RPC 24 | RpcProtocols 25 | DWORD:5 26 | 27 | Computer 28 | Software\Policies\Microsoft\Windows NT\Printers\RPC 29 | RpcTcpPort 30 | DWORD:0 31 | 32 | Computer 33 | Software\Policies\Microsoft\Windows NT\Printers\RPC 34 | RpcUseNamedPipeProtocol 35 | DWORD:0 36 | 37 | Computer 38 | SYSTEM\CurrentControlSet\Control\Print 39 | RpcAuthnLevelPrivacyEnabled 40 | DWORD:1 41 | 42 | Computer 43 | Software\Policies\Microsoft\Windows NT\Printers 44 | RedirectionGuardPolicy 45 | DWORD:1 46 | 47 | ; ---------------------------------------------------------------------- -------------------------------------------------------------------------------- /GPOs/BasicPrivacy/Version 21H2_Win10/Enterprise/GPO/User/registry.pol: -------------------------------------------------------------------------------- 1 | PReg[Control Panel\International\User Profile;HttpAcceptLanguageOptOut;;;][SOFTWARE\Microsoft\Messaging;CloudServiceSyncEnabled;;;][SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost;EnableWebContentEvaluation;;;][SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced;Start_TrackProgs;;;][Software\Policies\Microsoft\Windows\CloudContent;DisableTailoredExperiencesWithDiagnosticData;;;][SOFTWARE\Policies\Microsoft\Windows\CloudContent;DisableWindowsSpotlightFeatures;;;][SOFTWARE\Microsoft\InputPersonalization;RestrictImplicitInkCollection;;;][SOFTWARE\Microsoft\InputPersonalization;RestrictImplicitTextCollection;;;] -------------------------------------------------------------------------------- 
/GPOs/BasicSecComputer/{70CF3C23-9F4D-4E50-8D2A-DEAD79D5A724}/DomainSysvol/GPO/Machine/comment.cmtx: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | -------------------------------------------------------------------------------- /GPOs/ExtremePrivacy/Version 21H2_Win10/Enterprise/GPO/Machine/machine.txt: -------------------------------------------------------------------------------- 1 | 2 | ; Deny Camera access for all apps 3 | Computer 4 | SOFTWARE\Policies\Microsoft\Windows\AppPrivacy 5 | LetAppsAccessCamera 6 | DWORD:2 7 | 8 | ; Deny Microphone access for all apps 9 | Computer 10 | SOFTWARE\Policies\Microsoft\Windows\AppPrivacy 11 | LetAppsAccessMicrophone 12 | DWORD:2 13 | 14 | ; Do not let any apps to run in background 15 | Computer 16 | SOFTWARE\Policies\Microsoft\Windows\AppPrivacy 17 | LetAppsRunInBackground 18 | DWORD:2 19 | 20 | ; Disable Lock Screen 21 | Computer 22 | SOFTWARE\Policies\Microsoft\Windows\Personalization 23 | NoLockScreen 24 | DWORD:1 25 | 26 | ; Disable Microsoft Store Apps 27 | Computer 28 | SOFTWARE\Policies\Microsoft\WindowsStore 29 | AutoDownload 30 | DWORD:2 31 | 32 | Computer 33 | SOFTWARE\Policies\Microsoft\WindowsStore 34 | DisableStoreApps 35 | DWORD:1 36 | 37 | ; Disable Automatic Root Certificates Updates 38 | Computer 39 | SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot 40 | DisableRootAutoUpdate 41 | DWORD:1 42 | 43 | ; Disable Windows Update 44 | Computer 45 | SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate 46 | DisableWindowsUpdateAccess 47 | DWORD:1 48 | 49 | Computer 50 | SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate 51 | DoNotConnectToWindowsUpdateInternetLocations 52 | DWORD:1 53 | 54 | Computer 55 | SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate 56 | UpdateServiceUrlAlternate 57 | SZ:" " 58 | 59 | Computer 60 | 
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU 61 | UseWUServer 62 | DWORD:1 63 | 64 | Computer 65 | SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate 66 | WUServer 67 | SZ:" " 68 | 69 | Computer 70 | SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate 71 | WUStatusServer 72 | SZ:" " 73 | 74 | ; Disable Defender Signature Updates 75 | Computer 76 | SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates 77 | FallbackOrder 78 | SZ:FileShares 79 | 80 | Computer 81 | SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates 82 | DefinitionUpdateFileSharesSources 83 | DELETE 84 | 85 | ; Disable NCSI 86 | Computer 87 | SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator 88 | NoActiveProbe 89 | DWORD:1 90 | 91 | ; PARSING COMPLETED. 92 | ; ---------------------------------------------------------------------- 93 | -------------------------------------------------------------------------------- /GPOs/HighSecComputer/{FB5B4EEE-3202-4D88-B70D-B0EDE21699D3}/DomainSysvol/GPO/Machine/microsoft/windows nt/Audit/audit.csv: -------------------------------------------------------------------------------- 1 | Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value 2 | ,System,Audit Credential Validation,{0cce923f-69ae-11d9-bed3-505054503030},Success and Failure,,3 3 | ,System,Audit Security Group Management,{0cce9237-69ae-11d9-bed3-505054503030},Success,,1 4 | ,System,Audit User Account Management,{0cce9235-69ae-11d9-bed3-505054503030},Success and Failure,,3 5 | ,System,Audit PNP Activity,{0cce9248-69ae-11d9-bed3-505054503030},Success,,1 6 | ,System,Audit Process Creation,{0cce922b-69ae-11d9-bed3-505054503030},Success,,1 7 | ,System,Audit Account Lockout,{0cce9217-69ae-11d9-bed3-505054503030},Failure,,2 8 | ,System,Audit Group Membership,{0cce9249-69ae-11d9-bed3-505054503030},Success,,1 9 | ,System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3 10 | ,System,Audit Other 
Logon/Logoff Events,{0cce921c-69ae-11d9-bed3-505054503030},Success and Failure,,3 11 | ,System,Audit Special Logon,{0cce921b-69ae-11d9-bed3-505054503030},Success,,1 12 | ,System,Audit Detailed File Share,{0cce9244-69ae-11d9-bed3-505054503030},Failure,,2 13 | ,System,Audit File Share,{0cce9224-69ae-11d9-bed3-505054503030},Success and Failure,,3 14 | ,System,Audit Other Object Access Events,{0cce9227-69ae-11d9-bed3-505054503030},Success and Failure,,3 15 | ,System,Audit Removable Storage,{0cce9245-69ae-11d9-bed3-505054503030},Success and Failure,,3 16 | ,System,Audit Audit Policy Change,{0cce922f-69ae-11d9-bed3-505054503030},Success,,1 17 | ,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success,,1 18 | ,System,Audit MPSSVC Rule-Level Policy Change,{0cce9232-69ae-11d9-bed3-505054503030},Success and Failure,,3 19 | ,System,Audit Other Policy Change Events,{0cce9234-69ae-11d9-bed3-505054503030},Failure,,2 20 | ,System,Audit Sensitive Privilege Use,{0cce9228-69ae-11d9-bed3-505054503030},Success and Failure,,3 21 | ,System,Audit Other System Events,{0cce9214-69ae-11d9-bed3-505054503030},Success and Failure,,3 22 | ,System,Audit Security State Change,{0cce9210-69ae-11d9-bed3-505054503030},Success,,1 23 | ,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success,,1 24 | ,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3 25 | -------------------------------------------------------------------------------- /Templates/en-US/AdmPwd.adml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | LAPS 9 | Enable local admin password management 10 | 11 | Enables management of password for local administrator account 12 | 13 | If you enable this setting, local administrator password is managed 14 | 15 | If you disable or not configure this setting, local administrator password is NOT managed 16 | 17 | Password Settings 18 | 
19 | Configures password parameters 20 | 21 | Password complexity: which characters are used when generating a new password 22 | Default: Large letters + small letters + numbers + special characters 23 | 24 | Password length 25 | Minimum: 8 characters 26 | Maximum: 64 characters 27 | Default: 14 characters 28 | 29 | Password age in days 30 | Minimum: 1 day 31 | Maximum: 365 days 32 | Default: 30 days 33 | 34 | At least Microsoft Windows Vista or Windows Server 2003 family 35 | Large letters 36 | Large letters + small letters 37 | Large letters + small letters + numbers 38 | Large letters + small letters + numbers + specials 39 | Name of administrator account to manage 40 | 41 | Administrator account name: name of the local account you want to manage password for. 42 | DO NOT configure when you use built-in admin account. Built-in admin account is auto-detected by well-known SID, even when renamed 43 | 44 | DO configure when you use custom local admin account 45 | 46 | Do not allow password expiration time longer than required by policy 47 | 48 | When you enable this setting, planned password expiration longer than password age dictated by "Password Settings" policy is NOT allowed. When such expiration is detected, password is changed immediately and password expiration is set according to policy. 49 | 50 | When you disable or not configure this setting, password expiration time may be longer than required by "Password Settings" policy. 
51 | 52 | 53 | 54 | 55 | Password Complexity 56 | Password Length 57 | Password Age (Days) 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | -------------------------------------------------------------------------------- /GPOs/HighSecBitlocker/{98ECD203-A3B2-4419-B1F0-E5A68F4044CB}/Backup.xml: -------------------------------------------------------------------------------- 1 | 2 | 01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 5c c2 b5 ed fe b0 41 b9 7b 08 d8 cd 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 5c c2 b5 ed fe b0 41 b9 7b 08 d8 cd 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 5c c2 b5 ed fe b0 41 b9 7b 08 d8 cd 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | -------------------------------------------------------------------------------- /GPOs/BasicSecDefender/{72D1AD12-B481-44E3-9529-AC7C658508B2}/Backup.xml: -------------------------------------------------------------------------------- 1 | 2 | 01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 5c c2 b5 ed fe b0 41 b9 7b 08 d8 cd 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 5c c2 b5 ed fe b0 41 b9 7b 08 d8 cd 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 5c c2 b5 ed fe b0 41 b9 7b 08 d8 cd 07 02 00 00 00 02 
14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | -------------------------------------------------------------------------------- /GPOs/BasicPrivacy/Version 21H2_Win10/Enterprise/RestrictedTraffic_ClientEnt_Install.cmd: -------------------------------------------------------------------------------- 1 | @echo off 2 | 3 | ECHO =============================================================================== 4 | ECHO =============================================================================== 5 | ECHO. 6 | ECHO This script installs restricted traffic baselines into local policy for Windows 10. 7 | ECHO. 8 | ECHO Press Ctrl+C to stop the installation, or press any other key to continue... 9 | PAUSE > nul 10 | 11 | ECHO. 12 | ECHO You are about to apply the Windows Restricted Traffic Limited Functionality settings on this device. For details on what settings are applied please refer to this online article (https://review.docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services). 13 | ECHO. 14 | ECHO Do you agree to apply these settings? 15 | ECHO [Y] Yes [N] No (default is 'N'): 16 | SET /P reply= 17 | IF /I not "%reply%" == "y" GOTO :End 18 | 19 | :: Make the directory where this script lives the current dir. 20 | PUSHD %~dp0 21 | SET RTGUIDE=%CD% 22 | SET RTGUIDELOGS=%RTGUIDE%\LOGS 23 | SET LGPOPATH=%1 24 | MD "%RTGUIDELOGS%" 2> nul 25 | 26 | ECHO RestrictedTraffic-install.log > "%RTGUIDELOGS%%\RestrictedTraffic-install.log" 27 | ECHO. >> "%RTGUIDELOGS%%\RestrictedTraffic-install.log" 28 | ECHO User agreed to apply the settings >> "%RTGUIDELOGS%%\RestrictedTraffic-install.log" 29 | 30 | ECHO Checking if LGPO.exe exists in Tools folder ... 
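ECHO Checking if LGPO.exe exists in Tools folder ... >>"%RTGUIDELOGS%\RestrictedTraffic-install.log"
:: LGPOPATH comes from the caller (%1). Strip any surrounding quotes so the path can be
:: re-quoted safely below, then fall back to the Tools folder next to this script when it is
:: empty; an empty value would otherwise make "\LGPO.exe" resolve to the root of the current drive.
SET "LGPOPATH=%LGPOPATH:"=%"
IF "%LGPOPATH%"=="" SET "LGPOPATH=%RTGUIDE%\Tools"
:: The path is quoted because it may contain spaces. LGPO.exe is executed with administrative
:: rights: only the genuine, signed Microsoft tool should be placed here (see Tools\LGPO-Download-Info.txt).
IF NOT EXIST "%LGPOPATH%\LGPO.exe" (
    ECHO.
    ECHO LGPO.exe is not found in .\Tools folder. Failed to apply 'Windows Restricted Traffic Limited Functionality Baseline'.
    ECHO Please check '.\.\Windows Restricted Traffic Limited Functionality Baseline\readme.txt' to install the tool and retry.
    ECHO.
    ECHO LGPO.exe is not found in .\Tools folder. Failed to apply 'Windows Restricted Traffic Limited Functionality Baseline'. >> "%RTGUIDELOGS%\RestrictedTraffic-install.log"
    ECHO Please check '.\.\Windows Restricted Traffic Limited Functionality Baseline\readme.txt' to install the tool and retry. >> "%RTGUIDELOGS%\RestrictedTraffic-install.log"
    ECHO. >> "%RTGUIDELOGS%\RestrictedTraffic-install.log"
    POPD
    :: Non-zero exit code so a calling script can detect that nothing was applied.
    EXIT /B 1
)

ECHO Installing Windows 10 Restricted Traffic settings and policies...
:: Apply Windows 10 Restricted Traffic (stdout and stderr are both appended to the log).
"%LGPOPATH%\LGPO.exe" /g .\GPO >> "%RTGUIDELOGS%\RestrictedTraffic-install.log" 2>&1
:: Do not report success when the policy import failed.
:: Assumes LGPO.exe returns a non-zero exit code on failure -- TODO confirm against the tool's documentation.
IF ERRORLEVEL 1 (
    ECHO LGPO.exe failed with exit code %ERRORLEVEL%. See "%RTGUIDELOGS%\RestrictedTraffic-install.log" for details.
    ECHO LGPO.exe failed with exit code %ERRORLEVEL%. >> "%RTGUIDELOGS%\RestrictedTraffic-install.log"
    POPD
    EXIT /B %ERRORLEVEL%
)
echo Windows 10 Local Policy Applied

:: Copy Custom Administrative Templates
ECHO Copying custom administrative templates...
copy /y Templates\*.admx "%SystemRoot%\PolicyDefinitions" >> "%RTGUIDELOGS%\RestrictedTraffic-install.log"
copy /y Templates\*.adml "%SystemRoot%\PolicyDefinitions\en-US" >> "%RTGUIDELOGS%\RestrictedTraffic-install.log"

::Display Notifications
ECHO.
ECHO ===============================================================================
ECHO ===============================================================================
ECHO.
ECHO The Restricted Traffic Limited Functionality settings have been applied successfully
ECHO Please reboot and login with current account.
ECHO.
ECHO Additionally, check log files located in this directory:
ECHO. %RTGUIDELOGS%
ECHO.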
64 | ECHO =============================================================================== 65 | ECHO =============================================================================== 66 | ECHO. 67 | POPD 68 | 69 | :End -------------------------------------------------------------------------------- /Templates/en-US/RestrictedTrafficCustomPolicy.adml: -------------------------------------------------------------------------------- 1 | 2 | Windows Restricted Traffic Custom Policy Settings 3 | Settings for the Windows Restricted Traffic Baseline that are not exposed through existing Windows Group Policy Objects 4 | 5 | 6 | Windows 10 or Windows Server 2016 7 | Windows Restricted Traffic Custom Policy Settings 8 | Allow websites to provide locally relevant content by accessing user's language list 9 | Allow websites to provide locally relevant content by accessing user's language list: 10 | If you disable this policy setting, the corresponding UI setting will be turned off, so no traffic about it will be sent to Microsoft. 11 | 12 | If you enable or do not configure this policy setting, Windows will provide locally relevant content by accessing the user's language list, and the user may see traffic sent to Microsoft. 13 | 14 | Messaging cloud sync 15 | Messaging cloud sync: 16 | Select Disabled for "no traffic." 17 | "Enabled" is the default. 18 | Potential side effects: (TBD) 19 | 20 | Turn off Windows Defender Notifications 21 | Turn off Windows Defender Notifications: 22 | If you disable or do not configure this policy setting, Windows Defender will send notifications with critical information about the health and security of your device. 23 | 24 | If you enable this policy setting, Windows Defender will not send notifications with critical information about the health and security of your device. 25 | 26 | Prevent OneDrive from generating network traffic until the user signs in to OneDrive. 
27 | Enable this setting if you would like to prevent the OneDrive sync client (OneDrive.exe) from generating network traffic (checking for updates, etc.) until the user signs in to OneDrive or starts syncing files to the local computer. 28 | 29 | If you enable this setting, users must sign in to the OneDrive sync client on the local computer, or select to sync OneDrive or SharePoint files on the computer, for the sync client to start automatically. 30 | 31 | If this setting is not enabled, the OneDrive sync client will start automatically when users sign in to Windows. 32 | 33 | If you enable or disable this setting, do not return the setting to Not Configured. Doing so will not change the configuration and the last configured setting will remain in effect. 34 | Enable Track Programs In Start Menu 35 | Enable Track Programs In Start Menu and Task Bar: 36 | If you enable or do not configure this policy setting, Windows will track app launches to improve Start and search results. 37 | If you disable this policy setting, Windows will not track app launches to improve Start and search results. 38 | 39 | 40 | Enable Web Content Evaluation 41 | Turn on SmartScreen Filter to check web content (URLs) that Windows Store apps use. 42 | Select Disabled for "no traffic." 43 | "Enabled" is the default. 
44 | Potential side effects: (TBD) 45 | 46 | 47 | -------------------------------------------------------------------------------- /Templates/AdmPwd.admx: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | -------------------------------------------------------------------------------- /GPOs/HighSecCredGuard/{1C44F912-2A2E-444E-81E9-005FDB9018FC}/Backup.xml: -------------------------------------------------------------------------------- 1 | 2 | 01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 5c c2 b5 ed fe b0 41 b9 7b 08 d8 cd 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 5c c2 b5 ed fe b0 41 b9 7b 08 d8 cd 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 5c c2 b5 ed fe b0 41 b9 7b 08 d8 cd 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | -------------------------------------------------------------------------------- /GPOs/BasicSecUser/{065B86DC-5229-4FC1-A8C2-BF989FDAEEB4}/Backup.xml: -------------------------------------------------------------------------------- 1 | 2 | 01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed 
b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 5c c2 b5 ed fe b0 41 b9 7b 08 d8 cd 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 5c c2 b5 ed fe b0 41 b9 7b 08 d8 cd 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 5c c2 b5 ed fe b0 41 b9 7b 08 d8 cd 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | -------------------------------------------------------------------------------- /GPOs/BasicSecDefender/{72D1AD12-B481-44E3-9529-AC7C658508B2}/DomainSysvol/GPO/Machine/registry.pol: -------------------------------------------------------------------------------- 1 | PReg[Software\Policies\Microsoft\Windows Defender;PUAProtection;;;][Software\Policies\Microsoft\Windows Defender\Real-Time Protection;DisableIOAVProtection;;;][Software\Policies\Microsoft\Windows Defender\Real-Time Protection;DisableRealtimeMonitoring;;;][Software\Policies\Microsoft\Windows Defender\Scan;DisableRemovableDriveScanning;;;][Software\Policies\Microsoft\Windows Defender\Spynet;SubmitSamplesConsent;;;][Software\Policies\Microsoft\Windows Defender\Spynet;SpynetReporting;;;][Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR;ExploitGuard_ASR_Rules;;;][Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules;75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84;;;1][Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules;3b576869-a4ec-4529-8536-b80a7769e899;;;1][Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules;d4f940ab-401b-4efc-aadc-ad5f3c50688a;;;1][Software\Policies\Microsoft\Windows 
Defender\Windows Defender Exploit Guard\ASR\Rules;92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B;;;1][Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules;5beb7efe-fd9a-4556-801d-275e5ffc04cc;;;1][Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules;d3e037e1-3eb8-44c8-a917-57927947596d;;;1][Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules;be9ba2d9-53ea-4cdc-84e5-9b1eeee46550;;;1][Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules;9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2;;;1][Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules;b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4;;;1][Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules;26190899-1602-49e8-8b27-eb1d0a1ce869;;;1][Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules;7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c;;;1][Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules;c1db55ab-c21a-4637-bb3f-a12568109d35;;;1][Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules;e6db77e5-3df2-4cf1-b95a-636979351e5b;;;1][Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection;EnableNetworkProtection;;;] -------------------------------------------------------------------------------- /GPOs/manifest.xml: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Templates/RestrictedTrafficCustomPolicy.admx: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 35 | 36 | 37 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 56 | 57 | 58 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 
77 | 78 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 96 | 97 | 98 | 99 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 118 | 119 | 120 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 139 | 140 | 141 | 142 | -------------------------------------------------------------------------------- /GPOs/BasicSecDomain/{14144BB4-26AC-4A90-B4E1-BE99F58A4FFF}/Backup.xml: -------------------------------------------------------------------------------- 1 | 2 | 01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 5c c2 b5 ed fe b0 41 b9 7b 08 d8 cd 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 5c c2 b5 ed fe b0 41 b9 7b 08 d8 cd 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 5c c2 b5 ed fe b0 41 b9 7b 08 d8 cd 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | -------------------------------------------------------------------------------- /GPOs/HighSecDomain/{0CC6A02E-2EFE-4774-B3C7-209B1C102367}/Backup.xml: -------------------------------------------------------------------------------- 1 | 2 | 01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 5c c2 b5 ed fe b0 41 b9 7b 08 d8 cd 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 5c c2 b5 ed fe b0 41 b9 7b 08 d8 cd 00 02 00 00 00 02 24 00 ff 00 0f 
00 01 05 00 00 00 00 00 05 15 00 00 00 5c c2 b5 ed fe b0 41 b9 7b 08 d8 cd 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | -------------------------------------------------------------------------------- /GPOs/BasicSecBitlocker/{283903C7-6FA6-4078-92A2-25C026324F68}/Backup.xml: -------------------------------------------------------------------------------- 1 | 2 | 01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 5c c2 b5 ed fe b0 41 b9 7b 08 d8 cd 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 5c c2 b5 ed fe b0 41 b9 7b 08 d8 cd 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 5c c2 b5 ed fe b0 41 b9 7b 08 d8 cd 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | -------------------------------------------------------------------------------- /GPOs/HighSecComputer/{FB5B4EEE-3202-4D88-B70D-B0EDE21699D3}/Backup.xml: -------------------------------------------------------------------------------- 1 | 2 | 01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 
05 15 00 00 00 5c c2 b5 ed fe b0 41 b9 7b 08 d8 cd 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 5c c2 b5 ed fe b0 41 b9 7b 08 d8 cd 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 5c c2 b5 ed fe b0 41 b9 7b 08 d8 cd 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | -------------------------------------------------------------------------------- /GPOs/BasicSecComputer/{70CF3C23-9F4D-4E50-8D2A-DEAD79D5A724}/Backup.xml: -------------------------------------------------------------------------------- 1 | 2 | 01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 5c c2 b5 ed fe b0 41 b9 7b 08 d8 cd 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 5c c2 b5 ed fe b0 41 b9 7b 08 d8 cd 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 5c c2 b5 ed fe b0 41 b9 7b 08 d8 cd 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 |

2 | 3 |

4 |

Privacy and security baseline for personal Windows 10 and Windows 11

5 | 6 | ## Quick start 7 | 8 | This will apply basic privacy and security settings for Windows 10 and Windows 11. 9 | 10 | ```powershell 11 | powershell.exe -ExecutionPolicy Unrestricted -File .\Install.ps1 -Level Basic 12 | ``` 13 | 14 | ## What is this? 15 | 16 | This is a handpicked collection of privacy and security settings for standalone Windows 10 and Windows 11 systems that tries to strike a good balance between privacy, security and usability. It uses group policy and is mainly based on Microsoft's [Windows security baselines](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10) and [Windows Restricted Traffic Limited Functionality Baseline](https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services). 17 | 18 | It comes with two security levels, based on your threat profile: 19 | 20 | #### Basic security and privacy 21 | 22 | Contains privacy and security settings that limit sharing of your personal information and improve the security configuration without extensively reducing performance or usability. 23 | 24 | - :bust_in_silhouette: For standalone and personal use systems 25 | - :beetle: Helps protect against untargeted attacks (malware and mass attacks aimed at many people at once) 26 | 27 | #### High-level security and privacy 28 | 29 | Includes extra security settings for individuals with a higher threat profile. This includes enterprise-grade security settings and protections against physical attacks. This might reduce usability and performance, compared to the basic level. 
30 | 31 | - :busts_in_silhouette: For standalone, personal use systems and small domains/enterprises 32 | - :dart: Helps protect against targeted attacks (dedicated hackers or other malicious agents trying to access your device specifically) 33 | 34 | ## How to use 35 | 36 | Install the Basic security and privacy baseline: 37 | 38 | 1. (Optional, but recommended) Download the newest LGPO.exe tool from [Microsoft Security Compliance Toolkit](https://www.microsoft.com/en-us/download/confirmation.aspx?id=55319) and place it in the Tools folder. 39 | 2. (Optional, but recommended) Back up your current settings so you can revert later. Run `Backup.ps1` from the Utils folder. E.g. `.\Backup.ps1 -OutputDir C:\tmp\` 40 | 3. (Optional, but recommended) Review the list of changed settings in [Lists/SettingsOverview.xlsx](Lists/SettingsOverview.xlsx) 41 | 4. Run `Install.ps1` from a PowerShell session with administrative privileges. 42 | 43 | ```powershell 44 | .\Install.ps1 -Level Basic 45 | ``` 46 | 47 | Use another value for `-Level` to select another baseline: 48 | 49 | ```powershell 50 | -Level Basic [default] Basic security and privacy 51 | -Level HighSecurity High security settings (assumes basic security settings are in place) 52 | 53 | Advanced use and more granular control: 54 | -Level BasicSecurity Basic security, with no privacy settings added 55 | -Level BasicPrivacy Basic privacy, with no security settings added 56 | -Level HighSecurityBitlocker A subset of high security settings: Disk encryption settings 57 | -Level HighSecurityCredGuard A subset of high security settings: Virtualization-based security 58 | -Level HighSecurityComputer A subset of high security settings: Computer settings 59 | -Level HighSecurityDomain A subset of high security settings: Domain computer settings 60 | -Level ExtremePrivacy [experimental] Privacy settings that degrade security and usability 61 | ``` 62 | 63 | ## FAQ 64 | 65 | ### Which Windows versions are supported? 
66 | 67 | The Install script will detect your version and apply supported settings. The following versions are supported: 68 | 69 | - Windows 10 (21H1, 21H2 and 22H2) 70 | - Windows 11 (21H2, 22H2 and 23H2) 71 | 72 | In both cases, the **Enterprise** or **Education** editions of Windows are recommended. Pro will partially work, but some settings, such as telemetry, cannot be set to the desired level. 73 | 74 | Windows Home edition is not supported. 75 | 76 | ### Why use this instead of CIS benchmark or Microsoft's security baseline? 77 | 78 | Although both CIS' and Microsoft's security baselines are great, they are geared towards organizations using domain-joined computers. This baseline is made for personal/standalone computers, and includes additional settings for increased privacy. 79 | 80 | ### What is more important, privacy or security? 81 | 82 | Both are important. This baseline tries to provide both, but the two sometimes conflict. In the following cases, privacy wins over security: 83 | 84 | - Windows Defender does not send samples to Microsoft. 85 | - SmartScreen is disabled 86 | 87 | Security and usability win in some cases too, detailed below: 88 | 89 | ### Does this baseline stop all traffic sent to Microsoft services? 90 | 91 | No. Traffic to Microsoft is limited, but for usability and security reasons, the following services still send information to Microsoft: 92 | 93 | - Windows Update is enabled to automatically download security updates 94 | - Windows Defender signature updates are enabled to automatically download anti-malware definition updates 95 | - Automatic Root Certificates Update is enabled to automatically check the list of trusted authorities on Windows Update to see if an update is available 96 | - Network Connection Status Indicator (NCSI) sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. 
This is required to get Windows Updates and some other features 97 | - The "Microsoft Account Sign-in Assistant" service (wlidsvc) is enabled. This is required to get Windows Updates. 98 | - Telemetry is set to the lowest level available for your Windows version. If you don't have the Enterprise/Education edition, some telemetry is still [sent to Microsoft](https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization). 99 | - This baseline might have flaws and does not cover all possibilities. Please submit an issue if you see room for improvement. 100 | 101 | ### What are the usability implications of installing this? 102 | 103 | Functionality related to Microsoft accounts, Cortana, OneDrive, Store, cloud, feedback and customer experience improvement is disabled or reduced. 104 | 105 | ### I want to change some of the settings 106 | 107 | Everything is customizable through group policy: 108 | 109 | 1. To get an overview of your current settings, run `gpresult.exe /h GPreport.html` with administrative privileges. Then open the report in a browser and click "Show all". Identify the setting(s) you want to change and note their path. 110 | 111 | 2. To change a setting, run `gpedit.msc` with administrative privileges, and change the setting(s) identified in the step above. The paths in the GPreport correspond to those in the gpedit tool. To reset a setting to its default state, set it to "Not configured". 112 | 113 | ### What is the difference between the Basic and High security levels? 
114 | 115 | The High level has the following security improvements compared to the Basic level: 116 | 117 | - Stronger User Account Control (UAC) settings 118 | - Increased protection against physical attacks (Direct Memory Access (DMA) attack protections, Sleep mode disabled, machine inactivity limit) 119 | - Virtualization-based security features enabled (Hypervisor-Protected Code Integrity (HVCI), Secure launch) 120 | - Enhanced logging enabled (audit, PowerShell, firewall) 121 | - Hardening of Enterprise/domain features (Domain security settings, remote access like RDP and WinRM) 122 | - Stricter password policy 123 | 124 | The privacy settings are the same in both levels. 125 | 126 | ### How to verify changed settings before installing? 127 | 128 | Download Microsoft's Policy Analyzer tool from [Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319), then import GPOs to view which settings they change. 129 | 130 | ### Does this baseline improve any applications? 131 | 132 | No. Only the Windows operating system and built-in Windows components are covered. There are no improvements to Microsoft Edge and Internet Explorer included here. 133 | 134 | ## Contributing 135 | 136 | Don't be afraid to contribute! For now, create an issue if you see room for improvement, and we'll take it from there. 
137 | 138 | ## Credits 139 | 140 | The main components of this baseline are 141 | 142 | - Microsoft's [Windows Security baselines](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) and [Microsoft Security Compliance Toolkit](https://www.microsoft.com/en-us/download/confirmation.aspx?id=55319) 143 | - Microsoft's [Restricted Traffic Limited Functionality Baseline](https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services) 144 | 145 | I learned a lot from mxk's [Windows 10 and Server 2019 Secure Baseline GPO](https://github.com/mxk/win10-secure-baseline-gpo) and included some adjustments based on that baseline. -------------------------------------------------------------------------------- /GPOs/BasicPrivacy/Version 21H2_Win10/Enterprise/GPO/Machine/registry.pol: -------------------------------------------------------------------------------- 1 | PReg[Software\Microsoft\OneDrive;PreventNetworkTrafficPreUserSignIn;;;][Software\Microsoft\Windows\CurrentVersion\Policies\Explorer;AllowOnlineTips;;;][Software\Policies\Microsoft\FindMyDevice;AllowFindMyDevice;;;][SOFTWARE\Policies\Microsoft\MRT;DontReportInfectionInformation;;;][Software\Policies\Microsoft\Speech;AllowSpeechModelUpdate;;;][SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient;Enabled;;;][SYSTEM\CurrentControlSet\Services\W32Time\Parameters;Type;;;NTP][SOFTWARE\Policies\Microsoft\W32time\Parameters;NtpServer;;";pool.ntp.org,0x8][SOFTWARE\Policies\Microsoft\Windows Defender\Spynet;SpynetReporting;;;][SOFTWARE\Policies\Microsoft\Windows Defender\Spynet;SubmitSamplesConsent;;;][SOFTWARE\Policies\Microsoft\Windows Mail;ManualLaunchAllowed;;;][SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection 
Platform;NoGenTicket;;;][SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo;DisabledByGroupPolicy;;;][SOFTWARE\Policies\Microsoft\Windows\AppPrivacy;LetAppsAccessAccountInfo;;;][SOFTWARE\Policies\Microsoft\Windows\AppPrivacy;LetAppsAccessCalendar;;;][SOFTWARE\Policies\Microsoft\Windows\AppPrivacy;LetAppsAccessPhone;;;][SOFTWARE\Policies\Microsoft\Windows\AppPrivacy;LetAppsAccessCallHistory;;;][SOFTWARE\Policies\Microsoft\Windows\AppPrivacy;LetAppsAccessCamera;;;][SOFTWARE\Policies\Microsoft\Windows\AppPrivacy;LetAppsAccessContacts;;;][SOFTWARE\Policies\Microsoft\Windows\AppPrivacy;LetAppsAccessEmail;;;][SOFTWARE\Policies\Microsoft\Windows\AppPrivacy;LetAppsAccessLocation;;;][SOFTWARE\Policies\Microsoft\Windows\AppPrivacy;LetAppsAccessMessaging;;;][SOFTWARE\Policies\Microsoft\Windows\AppPrivacy;LetAppsAccessMicrophone;;;][SOFTWARE\Policies\Microsoft\Windows\AppPrivacy;LetAppsAccessMotion;;;][SOFTWARE\Policies\Microsoft\Windows\AppPrivacy;LetAppsAccessNotifications;;;][SOFTWARE\Policies\Microsoft\Windows\AppPrivacy;LetAppsAccessRadios;;;][Software\Policies\Microsoft\Windows\AppPrivacy;LetAppsAccessTasks;;;][SOFTWARE\Policies\Microsoft\Windows\AppPrivacy;LetAppsAccessTrustedDevices;;;][Software\Policies\Microsoft\Windows\AppPrivacy;LetAppsGetDiagnosticInfo;;;][SOFTWARE\Policies\Microsoft\Windows\AppPrivacy;LetAppsRunInBackground;;;][SOFTWARE\Policies\Microsoft\Windows\AppPrivacy;LetAppsSyncWithDevices;;;][SOFTWARE\Policies\Microsoft\Windows\CloudContent;DisableSoftLanding;;;][SOFTWARE\Policies\Microsoft\Windows\CloudContent;DisableWindowsConsumerFeatures;;;][SOFTWARE\Policies\Microsoft\Windows\DataCollection;AllowTelemetry;;;][SOFTWARE\Policies\Microsoft\Windows\DataCollection;DoNotShowFeedbackNotifications;;;][SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization;DODownloadMode;;;c][SOFTWARE\Policies\Microsoft\Windows\Device 
Metadata;PreventDeviceMetadataFromNetwork;;;][SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors;DisableLocation;;;][SOFTWARE\Policies\Microsoft\Windows\Maps;AllowUntriggeredNetworkTrafficOnSettingsPage;;;][SOFTWARE\Policies\Microsoft\Windows\Maps;AutoDownloadAndUpdateMapData;;;][Software\Policies\Microsoft\Windows\Messaging;AllowMessageSync;;;][SOFTWARE\Policies\Microsoft\Windows\OneDrive;DisableFileSyncNGSC;;;][SOFTWARE\Policies\Microsoft\Windows\Personalization;LockScreenImage;;B;C:\windows\web\screen\img105.jpg][SOFTWARE\Policies\Microsoft\Windows\Personalization;LockScreenOverlaysDisabled;;;][SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds;AllowBuildPreview;;;][SOFTWARE\Policies\Microsoft\Windows\SettingSync;DisableSettingSync;;;][SOFTWARE\Policies\Microsoft\Windows\SettingSync;DisableSettingSyncUserOverride;;;][Software\Policies\Microsoft\Windows\StorageHealth;AllowDiskHealthModelUpdates;;;][Software\Policies\Microsoft\Windows\System;EnableAppUriHandlers;;;][SOFTWARE\Policies\Microsoft\Windows\System;EnableCdp;;;][SOFTWARE\Policies\Microsoft\Windows\System;EnableFontProviders;;;][SOFTWARE\Policies\Microsoft\Windows\System;EnableSmartScreen;;;][SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition;Teredo_State;;;Disabled][SOFTWARE\Policies\Microsoft\Windows\Windows Search;AllowCortana;;;][SOFTWARE\Policies\Microsoft\Windows\Windows Search;AllowSearchToUseLocation;;;][SOFTWARE\Policies\Microsoft\Windows\Windows Search;ConnectedSearchPrivacy;;;][SOFTWARE\Policies\Microsoft\Windows\Windows Search;ConnectedSearchUseWeb;;;][SOFTWARE\Policies\Microsoft\Windows\Windows Search;DisableWebSearch;;;][SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules;{0DE40C8E-C126-4A27-9371-A27DAB1039F7};;8;v2.25|Action=Block|Active=TRUE|Dir=Out|Protocol=6|App=%windir%\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\searchUI.exe|Name=Block outbound 
Cortana|][SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications;NoCloudApplicationNotification;;;][SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen;ConfigureAppInstallControlEnabled;;;][SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen;ConfigureAppInstallControl;;;Anywhere][Software\Policies\Microsoft\Windows\System;EnableActivityFeed;;;][Software\Policies\Microsoft\Windows\System;PublishUserActivities;;;][Software\Policies\Microsoft\Windows\System;UploadUserActivities;;;][Software\Policies\Microsoft\Windows\AppPrivacy;LetAppsActivateWithVoice;;;][Software\Policies\Microsoft\Windows\AppPrivacy;LetAppsActivateWithVoiceAboveLock;;;][Software\Policies\Microsoft\Windows\DataCollection;DisableOneSettingsDownloads;;;][Software\Policies\Microsoft\Windows\System;AllowCrossDeviceClipboard;;;][SOFTWARE\Policies\Microsoft\Windows\Windows Feeds;EnableFeeds;;;][SOFTWARE\Policies\Microsoft\Windows\Troubleshooting\AllowRecommendations;TroubleshootingAllowRecommendations;;;] -------------------------------------------------------------------------------- /Install.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Applies a Windows privacy and security configuration baseline to local group policy. 4 | 5 | .DESCRIPTION 6 | Applies a Windows privacy and security configuration baseline to local group policy. 
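Execute this script with one of these options to install the corresponding baseline:
    -Level Basic                 - [default] Basic security and privacy
    -Level HighSecurity          - High security settings (assumes basic security settings are in place)
    Advanced use and more granular control:
    -Level BasicSecurity         - Basic security, with no privacy settings added
    -Level BasicPrivacy          - Basic privacy, with no security settings added
    -Level HighSecurityBitlocker - A subset of high security settings: Disk encryption settings
    -Level HighSecurityCredGuard - A subset of high security settings: Virtualization-based security settings
    -Level HighSecurityComputer  - A subset of high security settings: Computer settings
    -Level HighSecurityDomain    - A subset of high security settings: Domain computer settings
    -Level ExtremePrivacy        - [experimental] Privacy settings that degrade security and usability

REQUIREMENTS:

    * PowerShell execution policy must be configured to allow script execution; for example,
      with a command such as the following:
          Set-ExecutionPolicy RemoteSigned

    * LGPO.exe must be in the Tools subdirectory (or the directory given by -LgpoPath, or somewhere
      in the Path). LGPO.exe is part of the Security Compliance Toolkit and can be downloaded from
      this URL:
          https://www.microsoft.com/download/details.aspx?id=55319

.PARAMETER Level
    Select level of security and privacy settings. "Basic" is the default level.

.PARAMETER LgpoPath
    Directory searched for LGPO.exe when it is not already on the Path. A relative path is
    resolved against the script directory, not the caller's working directory. Default: ".\Tools"

#>

[CmdletBinding()]
param(
    [ValidateSet("Basic","BasicSecurity","BasicPrivacy","HighSecurity","HighSecurityCredGuard", `
                 "HighSecurityComputer","HighSecurityDomain","HighSecurityBitlocker","ExtremePrivacy")]
    [string]$Level,
    [string]$LgpoPath = ".\Tools"
)

# Ask a Yes/No question on the console. "No" is the default choice (index 1) and aborts the script.
function Warn([string]$Msg){
    $Resp = $Host.UI.PromptForChoice("Warning",$Msg,@("&Yes","&No"),1)
    if ($Resp -eq 1){
        exit
    }
}

# Check if supported Windows build
# Windows 11 23H2 - 22631
# Windows 11 22H2 - 22621
# Windows 11 21H2 - 22000
# Windows 10 22H2 - 19045
# Windows 10 21H2 - 19044
# Windows 10 21H1 - 19043
$OSVersion = [environment]::OSVersion
$SupportedBuilds = @(19043,19044,19045,22000,22621,22631)
# "-not $x -in $list" parses as "(-not $x) -in $list", i.e. "$false -in $list", which is never
# true, so the previous form of this check could not warn. "-notin" tests the build itself.
if ($OSVersion.Version.Build -notin $SupportedBuilds){
    $Msg = "Unsupported version of Windows detected. Some settings might not work as intended. " `
         + "Do you want to continue?"
    Warn $Msg
}

# Require an elevated token. Grepping the token's group list for the Administrators SID
# (S-1-5-32-544) is not sufficient: under UAC a non-elevated administrator still carries that
# SID (marked deny-only), whereas WindowsPrincipal.IsInRole() honours the deny-only attribute
# and only returns $true for an elevated token.
$Identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$Principal = New-Object System.Security.Principal.WindowsPrincipal($Identity)
$IsAdmin   = $Principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $IsAdmin){
    throw "Script is not running with administrative privileges. Failed to apply policies"
}

# Win32_OperatingSystem.ProductType 2 = domain controller. Get-CimInstance replaces the
# deprecated Get-WmiObject and is available on every supported Windows build.
if ((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 2){
    throw "Execution of this local-policy script is not supported on domain controllers. Exiting."
}

if (-not $Level){
    $Msg = "Selecting default level: Basic`r`n" `
         + "This will apply basic privacy and security settings. " `
         + "Do you want to continue?"
    Warn $Msg
    $Level = "Basic"
}


############# Start copied code from Microsoft Windows Security Baseline #############

# Get location of this script
$rootDir = [System.IO.Path]::GetDirectoryName($MyInvocation.MyCommand.Path)

# Verify availability of LGPO.exe; if not in path, but in the LGPO directory (-LgpoPath, by
# default the Tools subdirectory), prepend that directory to the path for the rest of the script.
$origPath = ""
if ($null -eq (Get-Command LGPO.exe -ErrorAction Ignore)){
    # -LgpoPath was previously declared but never read; a relative value is anchored at $rootDir
    $lgpoDir = $LgpoPath
    if (-not [System.IO.Path]::IsPathRooted($lgpoDir)){
        $lgpoDir = Join-Path $rootDir $lgpoDir
    }
    if (Test-Path -Path (Join-Path $lgpoDir "LGPO.exe")) {
        $origPath = $env:Path
        $env:Path = "$lgpoDir;" + $origPath
        Write-Verbose $env:Path
        Write-Verbose (Get-Command LGPO.exe)
    } else {
        $lgpoErr = @"

============================================================================================
LGPO.exe must be in the Tools subdirectory or somewhere in the Path. LGPO.exe is part of
the Security Compliance Toolkit and can be downloaded from this URL:
https://www.microsoft.com/download/details.aspx?id=55319
============================================================================================
"@
        Write-Error $lgpoErr
        return
    }
}

# All log output in Unicode
$OutputEncodingPrevious = $OutputEncoding
$OutputEncoding = [System.Text.ASCIIEncoding]::Unicode

Push-Location $rootDir

# Log file full path
$logfile = [System.IO.Path]::Combine($rootDir, "PrivateSecureWindows-" + [datetime]::Now.ToString("yyyyMMdd-HHmm-ss") + ".log")
Write-Host "Logging to $logfile ..." -ForegroundColor Cyan
$MyInvocation.MyCommand.Name + ", " + [datetime]::Now.ToString() | Out-File -LiteralPath $logfile

# Functions to simplify logging and reporting progress to the display
$dline = "=================================================================================================="
$sline = "--------------------------------------------------------------------------------------------------"
# Append one line to the log file
function Log([string] $line){
    $line | Out-File -LiteralPath $logfile -Append
}
# Append each element of an array to the log file
function LogA([string[]] $lines){
    $lines | foreach { Log $_ }
}
# Print one progress line to the console
function ShowProgress([string] $line){
    Write-Host $line -ForegroundColor Cyan
}
function ShowProgressA([string[]] $lines){
    $lines | foreach { ShowProgress $_ }
}
# Log a line and echo it to the console
function LogAndShowProgress([string] $line){
    Log $line
    ShowProgress $line
}
function LogAndShowProgressA([string[]] $lines){
    $lines | foreach { LogAndShowProgress $_ }
}
# Wrapper to run LGPO.exe so that both stdout and stderr are redirected and
# PowerShell doesn't complain about content going to stderr.
# $lgpoParams is built only from script-controlled literals and GPO paths below, never from user
# input, which is what makes passing it through cmd.exe acceptable here.
function RunLGPO([string] $lgpoParams){
    ShowProgress "Running LGPO.exe $lgpoParams"
    LogA (cmd.exe /c "LGPO.exe $lgpoParams 2>&1")
}

############# End copied code from Microsoft Windows Security Baseline ################
Log $dline

# GPO backup folders (relative to $rootDir, which is now the current location)
$BasicPrivacy      = ".\GPOs\BasicPrivacy\Version 21H2_Win10\Enterprise\GPO"
$BasicSecBitlocker = ".\GPOs\BasicSecBitlocker\{283903C7-6FA6-4078-92A2-25C026324F68}\DomainSysvol\GPO"
$BasicSecComputer  = ".\GPOs\BasicSecComputer\{70CF3C23-9F4D-4E50-8D2A-DEAD79D5A724}\DomainSysvol\GPO"
$BasicSecDefender  = ".\GPOs\BasicSecDefender\{72D1AD12-B481-44E3-9529-AC7C658508B2}\DomainSysvol\GPO"
$BasicSecDomain    = ".\GPOs\BasicSecDomain\{14144BB4-26AC-4A90-B4E1-BE99F58A4FFF}\DomainSysvol\GPO"
$BasicSecUser      = ".\GPOs\BasicSecUser\{065B86DC-5229-4FC1-A8C2-BF989FDAEEB4}\DomainSysvol\GPO"
$HighSecBitlocker  = ".\GPOs\HighSecBitlocker\{98ECD203-A3B2-4419-B1F0-E5A68F4044CB}\DomainSysvol\GPO"
$HighSecComputer   = ".\GPOs\HighSecComputer\{FB5B4EEE-3202-4D88-B70D-B0EDE21699D3}\DomainSysvol\GPO"
$HighSecCredGuard  = ".\GPOs\HighSecCredGuard\{1C44F912-2A2E-444E-81E9-005FDB9018FC}\DomainSysvol\GPO"
$HighSecDomain     = ".\GPOs\HighSecDomain\{0CC6A02E-2EFE-4774-B3C7-209B1C102367}\DomainSysvol\GPO"
$ExtremePrivacy    = ".\GPOs\ExtremePrivacy\Version 21H2_Win10\Enterprise\GPO"

# Extra settings for other versions of Windows
$DeltaW11_21H2BasicPrivacy  = ".\GPOs\Deltas\W11_21H2\BasicPrivacy.txt"
$DeltaW11_21H2BasicSecurity = ".\GPOs\Deltas\W11_21H2\BasicSecurity.txt"

$DeltaW11_22H2BasicSecComputer = ".\GPOs\Deltas\W11_22H2\BasicSecComputer.txt"
$DeltaW11_22H2BasicSecDomain   = ".\GPOs\Deltas\W11_22H2\BasicSecDomain\GptTmpl.inf"
$DeltaW11_22H2HighSecComputer  = ".\GPOs\Deltas\W11_22H2\HighSecComputer.txt"
$DeltaW11_22H2HighSecCredGuard = ".\GPOs\Deltas\W11_22H2\HighSecCredGuard.txt"

$DeltaW10_22H2BasicSecDomain   = ".\GPOs\Deltas\W10_22H2\BasicSecDomain\GptTmpl.inf"
$DeltaW10_22H2BasicSecComputer = ".\GPOs\Deltas\W10_22H2\BasicSecComputer.txt"
$DeltaW10_22H2HighSecComputer  = ".\GPOs\Deltas\W10_22H2\HighSecComputer.txt"

# Determine which GPOs to import
# $GPOs   - GPO backup folders, applied with "LGPO.exe /g"
# $Deltas - LGPO text files, applied with "LGPO.exe /t"
# The two security-template deltas (GptTmpl.inf) need "LGPO.exe /s" and are tracked by flag.
$GPOs = @()
$Deltas = @()
$AddW11_22H2BasicSecDomain = $false
$AddW10_22H2BasicSecDomain = $false
$Build = $OSVersion.Version.Build

if ($Level -in @("Basic","BasicSecurity")){
    $GPOs += $BasicSecBitlocker
    $GPOs += $BasicSecComputer
    $GPOs += $BasicSecDefender
    $GPOs += $BasicSecDomain
    $GPOs += $BasicSecUser

    if ($Build -ge 22000){
        $Deltas += $DeltaW11_21H2BasicSecurity
    }

    if ($Build -ge 22621){
        $Deltas += $DeltaW11_22H2BasicSecComputer
        $AddW11_22H2BasicSecDomain = $true
    }

    if ($Build -eq 19045){
        $Deltas += $DeltaW10_22H2BasicSecComputer
        $AddW10_22H2BasicSecDomain = $true
    }

    # Warn against self-lockout if user is connected remotely on a public network
    if ("Public" -in (Get-NetConnectionProfile).NetworkCategory){
        $Msg = 'You are on a "Public" network profile and are about to apply settings that ' `
             + 'closes all inbound network connections. If you are remotely connected, you might ' `
             + 'lose access. Consider changing the network to "Private" profile before proceeding. ' `
             + 'Do you want to continue?'
        Warn $Msg
    }
}

if ($Level -eq "HighSecurity"){
    $GPOs += $HighSecBitlocker
    $GPOs += $HighSecComputer
    $GPOs += $HighSecCredGuard
    $GPOs += $HighSecDomain

    if ($Build -ge 22621){
        $Deltas += $DeltaW11_22H2HighSecComputer
        $Deltas += $DeltaW11_22H2HighSecCredGuard
    }

    if ($Build -eq 19045){
        $Deltas += $DeltaW10_22H2HighSecComputer
    }
}

if ($Level -eq "HighSecurityBitlocker"){ $GPOs += $HighSecBitlocker }
if ($Level -eq "HighSecurityDomain")   { $GPOs += $HighSecDomain }
if ($Level -eq "HighSecurityComputer") {
    $GPOs += $HighSecComputer
    if ($Build -ge 22621){
        $Deltas += $DeltaW11_22H2HighSecComputer
    }
    if ($Build -eq 19045){
        $Deltas += $DeltaW10_22H2HighSecComputer
    }
}
if ($Level -eq "HighSecurityCredGuard"){
    $GPOs += $HighSecCredGuard
    if ($Build -ge 22621){
        $Deltas += $DeltaW11_22H2HighSecCredGuard
    }
}


if ($Level -in @("Basic","BasicPrivacy")){
    $GPOs += $BasicPrivacy

    if ($Build -ge 22000){
        $Deltas += $DeltaW11_21H2BasicPrivacy
    }

    LogAndShowProgress "Removing preinstalled apps"
    # This cannot be done with GPO/Registry, but is a part of the restricted traffic baseline:
    # https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#17-preinstalled-apps
    $PreinstalledApps = @(
        "Microsoft.BingNews",
        "Microsoft.BingWeather",
        "Microsoft.BingFinance",
        "Microsoft.BingSports",
        "*.Twitter",
        "Microsoft.XboxApp",
        "Microsoft.Office.Sway",
        "Microsoft.Office.OneNote",
        "Microsoft.MicrosoftOfficeHub",
        "Microsoft.SkypeApp",
        "Microsoft.MicrosoftStickyNotes"
    )
    foreach ($app in $PreinstalledApps){
        # Provisioned copy (re-installed for every new user profile). PackageName here is the
        # full package identity (name followed by a "_<version>_<arch>_..." suffix), so an exact
        # "-Like" pattern without a wildcard, as used before, matched nothing; the trailing
        # "_*" matches the identity while still requiring the whole package name to match.
        Get-AppxProvisionedPackage -Online |
            Where-Object { $_.PackageName -Like "${app}_*" } |
            ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName }
        # Installed copy for the current user (Get-AppxPackage -Name accepts wildcards)
        Get-AppxPackage $app | Remove-AppxPackage
    }
    Log $dline
}

LogAndShowProgress "Copying Custom Administrative Templates"
# todo: use templates for Windows 11 22H2 on newer systems
Copy-Item -Force -Path .\Templates\*.admx -Destination "$Env:Systemroot\PolicyDefinitions"
Copy-Item -Force -Path .\Templates\en-US\*.adml -Destination "$Env:Systemroot\PolicyDefinitions\en-US"
Log $dline

LogAndShowProgress "Configuring Client Side Extensions"
RunLGPO "/v /e mitigation /e audit /e zone /e DGVBS /e DGCI"
Log $dline

# The level names checked here previously ("High", "BasicSecurityOnly", "BasicSecurityComputerOnly")
# are not in the -Level ValidateSet, so this step only ever ran for "Basic". "High" and
# "BasicSecurityOnly" map to the current "HighSecurity" and "BasicSecurity";
# "BasicSecurityComputerOnly" has no current counterpart — TODO confirm whether
# "HighSecurityComputer" should also disable the task.
if ($Level -in @("Basic","BasicSecurity","HighSecurity")){
    # LogAndShowProgress takes a single parameter; the stray second argument that used to be
    # passed here made PowerShell reject the call.
    LogAndShowProgress "Disabling Xbox scheduled task"
    LogA (SCHTASKS.EXE /Change /TN \Microsoft\XblGameSave\XblGameSaveTask /DISABLE)
    Log $dline
}

foreach ($g in $GPOs){
    LogAndShowProgress "Applying GPO: $g"
    RunLGPO "/v /g `"$g`""
    Log $dline
}

foreach ($d in $Deltas){
    LogAndShowProgress "Applying GPO: $d"
    RunLGPO "/v /t `"$d`""
    Log $dline
}

if ($AddW11_22H2BasicSecDomain){
    LogAndShowProgress "Applying GPO: $DeltaW11_22H2BasicSecDomain"
    RunLGPO "/v /s `"$DeltaW11_22H2BasicSecDomain`""
    Log $dline
}

if ($AddW10_22H2BasicSecDomain){
    LogAndShowProgress "Applying GPO: $DeltaW10_22H2BasicSecDomain"
    RunLGPO "/v /s `"$DeltaW10_22H2BasicSecDomain`""
    Log $dline
}

# Experimental / untested
if ($Level -eq "ExtremePrivacy"){
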
$Msg = 'You are about to implement privacy settings that reduces security and usability. ' ` 326 | + 'Please review the machine.txt and GptTmpl.inf files, and only continue if you know what you are doing. ' ` 327 | + 'Do you want to continue?' 328 | Warn $Msg 329 | 330 | LogAndShowProgress "Applying extreme privacy GPO's" 331 | RunLGPO "/v /t `"$ExtremePrivacy\Machine\machine.txt`"" 332 | RunLGPO "/v /s `"$ExtremePrivacy\Machine\GptTmpl.inf`"" 333 | RunLGPO "/v /t `"$ExtremePrivacy\User\user.txt`"" 334 | Log $dline 335 | } 336 | 337 | # Restore original path if modified 338 | if ($origPath.Length -gt 0) 339 | { 340 | $env:Path = $origPath 341 | } 342 | # Restore original output encoding 343 | $OutputEncoding = $OutputEncodingPrevious 344 | 345 | # Restore original directory location 346 | Pop-Location 347 | 348 | LogAndShowProgress "Done. Please reboot your device to apply all settings" 349 | -------------------------------------------------------------------------------- /Templates/en-US/MSS-legacy.adml: -------------------------------------------------------------------------------- 1 | 2 | MSS (Legacy) 3 | The legacy "MSS" settings that had been exposed in Secpol, Security Options, using LocalGPO.wsf /ConfigSCE. 
4 | 5 | 6 | MSS (Legacy) 7 | 8 | MSS: (AutoShareWks) Enable Administrative Shares (recommended except for highly secure environments) 9 | MSS: (AutoShareWks) Enable Administrative Shares (recommended except for highly secure environments) 10 | MSS: (AutoShareServer) Enable Administrative Shares (recommended except for highly secure environments) 11 | MSS: (AutoShareServer) Enable Administrative Shares (recommended except for highly secure environments) 12 | MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments) 13 | MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments) 14 | MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) 15 | MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) 16 | MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) 17 | MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) 18 | No additional protection, source routed packets are allowed 19 | Medium, source routed packets ignored when IP forwarding is enabled 20 | Highest protection, source routing is completely disabled 21 | MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) 22 | MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) 23 | MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended) 24 | MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended) 25 | MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS) 26 | MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS) 27 | MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes 28 | MSS: 
(EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes 29 | MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments) 30 | MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments) 31 | MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds 32 | MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds 33 | 150000 or 2.5 minutes 34 | 300000 or 5 minutes (recommended) 35 | 600000 or 10 minutes 36 | 1200000 or 20 minutes 37 | 2400000 or 40 minutes 38 | 3600000 or 1 hour 39 | 7200000 or 2 hours (default value) 40 | MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic. 41 | MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic. 42 | Allow all exemptions (least secure). 43 | Multicast, broadcast, & ISAKMP exempt (best for Windows XP). 44 | RSVP, Kerberos, and ISAKMP are exempt. 45 | Only ISAKMP is exempt (recommended for Windows Server 2003). 
46 | MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers 47 | MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers 48 | MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames 49 | MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames 50 | Enable 8Dot3 Creation on all Volumes 51 | Disable 8Dot3 Creation on all Volumes 52 | Set 8dot3 name creation per volume using FSUTIL (Windows 7 or later) 53 | Disable 8Dot3 name creation on all volumes except system volume (Windows 7 or later) 54 | MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) 55 | MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) 56 | MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) 57 | MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) 58 | MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) 59 | MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) 60 | MSS: (SynAttackProtect) Syn attack protection level (protects against DoS) 61 | MSS: (SynAttackProtect) Syn attack protection level (protects against DoS) 62 | No additional protection, use default settings 63 | Connections time out sooner if a SYN attack is detected 64 | MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged 65 | MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged 66 | No retransmission, half-open connections dropped after 3 seconds 67 | 3 seconds, half-open connections dropped after 9 seconds 68 | 3 & 6 seconds, half-open connections dropped after 21 
seconds 69 | 3, 6, & 9 seconds, half-open connections dropped after 45 seconds 70 | MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) 71 | MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) 72 | MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) 73 | MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) 74 | MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning 75 | MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning 76 | 50% 77 | 60% 78 | 70% 79 | 80% 80 | 90% 81 | 82 | 83 | 84 | 85 | 86 | DisableIPSourceRouting 87 | 88 | 89 | DisableIPSourceRoutingIPv6 90 | 91 | 92 | KeepAliveTime 93 | 94 | 95 | NoDefaultExempt 96 | 97 | 98 | NtfsDisable8dot3NameCreation 99 | 100 | 101 | ScreenSaverGracePeriod 102 | 103 | 104 | SynAttackProtect 105 | 106 | 107 | TcpMaxConnectResponseRetransmissions 108 | 109 | 110 | TcpMaxDataRetransmissions 111 | 112 | 113 | WarningLevel 114 | 115 | 116 | 117 | 118 | 119 | 174 | -------------------------------------------------------------------------------- /Templates/en-US/SecGuide.adml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | MS Security Guide 5 | MS Security Guide mitigations 6 | 7 | 8 | 9 | Only Windows 7, Windows Server 2008, Windows Server 2008R2, Windows Server 2012 10 | Windows Server 2008 and newer 11 | 12 | MS Security Guide 13 | Apply UAC restrictions to local accounts on network logons 14 | This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). 
Local accounts are at high risk for credential theft when the same account and password are configured on multiple systems. Enabling this policy significantly reduces that risk. 15 | 16 | Enabled (recommended): Applies UAC token-filtering to local accounts on network logons. Membership in powerful groups such as Administrators is disabled and powerful privileges are removed from the resulting access token. This configures the LocalAccountTokenFilterPolicy registry value to 0. This is the default behavior for Windows. 17 | 18 | Disabled: Allows local accounts to have full administrative rights when authenticating via network logon, by configuring the LocalAccountTokenFilterPolicy registry value to 1. 19 | 20 | For more information about local accounts and credential theft, see "Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques": http://www.microsoft.com/en-us/download/details.aspx?id=36036. 21 | 22 | For more information about LocalAccountTokenFilterPolicy, see http://support.microsoft.com/kb/951016. 23 | 24 | WDigest Authentication (disabling may require KB2871997) 25 | When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. Microsoft recommends disabling WDigest authentication unless it is needed. 26 | 27 | If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server. 28 | 29 | Update KB2871997 must first be installed to disable WDigest authentication using this setting in Windows 7, Windows 8, Windows Server 2008 R2 and Windows Server 2012. 30 | 31 | Enabled: Enables WDigest authentication. 32 | 33 | Disabled (recommended): Disables WDigest authentication. For this setting to work on Windows 7, Windows 8, Windows Server 2008 R2 or Windows Server 2012, KB2871997 must first be installed. 
34 | 35 | For more information, see http://support.microsoft.com/kb/2871997 and http://blogs.technet.com/b/srd/archive/2014/06/05/an-overview-of-kb2871997.aspx . 36 | 37 | Lsass.exe audit mode 38 | Enable auditing of Lsass.exe to evaluate feasibility of enabling LSA protection. For more information, see http://technet.microsoft.com/en-us/library/dn408187.aspx 39 | LSA Protection 40 | For Windows 11, version 22H2 and beyond, a new setting is used to configure this. It can be located at 'System\Local Security Authority\Configures LSASS to run as a protected process' which provides additional configuration options. 41 | 42 | Enable LSA protection. 43 | 44 | For more information, see http://technet.microsoft.com/en-us/library/dn408187.aspx 45 | Remove "Run As Different User" from context menus 46 | This setting controls whether "Run As Different User" appears on the Shift+RightClick context menu for .bat, .cmd, .exe, and .msc files. 47 | 48 | Enabled (recommended): Keeps "Run As Different User" from appearing in the context menu when the user holds Shift while right-clicking on a .bat, .cmd, .exe, or .msc file in Explorer. 49 | 50 | Disabled: Restores the Windows default behavior for "Run As Different User." 51 | 52 | 53 | Turn on Windows Defender protection against Potentially Unwanted Applications (DEPRECATED) 54 | Beginning with Windows 10 v1809 and Windows Server v1809, this functionality should instead be configured through the following Group Policy setting: 55 | Computer Configuration\Administrative Templates\Windows Components\Windows Defender Antivirus\Configure detection for potentially unwanted applications. 56 | 57 | 58 | Enable Structured Exception Handling Overwrite Protection (SEHOP) 59 | If this setting is enabled, SEHOP is enforced. For more information, see https://support.microsoft.com/en-us/help/956607/how-to-enable-structured-exception-handling-overwrite-protection-sehop-in-windows-operating-systems. 
60 | 61 | If this setting is disabled or not configured, SEHOP is not enforced for 32-bit processes. 62 | 63 | Limits print driver installation to Administrators (DEPRECATED) 64 | 65 | This setting has moved to a new inbox location which can be found at Printers\Limits print driver installation to Administrators. 66 | 67 | NOTE - This deprecated setting shares the same registry entry as the new one. 68 | 69 | Determines whether users that aren't Administrators can install print drivers on this computer. 70 | 71 | By default, users that aren't Administrators can't install print drivers on this computer. 72 | 73 | If you enable this setting or do not configure it, the system will limit installation of print drivers to Administrators of this computer. 74 | 75 | If you disable this setting, the system will not limit installation of print drivers on this computer. 76 | 77 | Additional information: https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7 78 | 79 | Configure SMB v1 server 80 | Disabling this setting disables server-side processing of the SMBv1 protocol. (Recommended.) 81 | 82 | Enabling this setting enables server-side processing of the SMBv1 protocol. (Default.) 83 | 84 | Changes to this setting require a reboot to take effect. 85 | 86 | For more information, see https://support.microsoft.com/kb/2696547 87 | 88 | Configure SMB v1 client driver 89 | Configures the SMB v1 client driver's start type. 90 | 91 | To disable client-side processing of the SMBv1 protocol, select the "Enabled" radio button, then select "Disable driver" from the dropdown. 92 | WARNING: DO NOT SELECT THE "DISABLED" RADIO BUTTON UNDER ANY CIRCUMSTANCES! 93 | 94 | For Windows 7 and Servers 2008, 2008R2, and 2012, you must also configure the "Configure SMB v1 client (extra setting needed for pre-Win8.1/2012R2)" setting. 
95 | 96 | To restore default SMBv1 client-side behavior, select "Enabled" and choose the correct default from the dropdown: 97 | * "Manual start" for Windows 7 and Windows Servers 2008, 2008R2, and 2012; 98 | * "Automatic start" for Windows 8.1 and Windows Server 2012R2 and newer. 99 | 100 | Changes to this setting require a reboot to take effect. 101 | 102 | For more information, see https://support.microsoft.com/kb/2696547 103 | 104 | Configure SMB v1 client (extra setting needed for pre-Win8.1/2012R2) 105 | APPLIES ONLY TO: Windows 7 and Windows Servers 2008, 2008R2 and 2012 (NOT 2012R2): 106 | 107 | To disable client-side processing of the SMBv1 protocol (recommended), do ALL of the following: 108 | * Set the SMBv1 client driver to "Disable driver" using the "Configure SMB v1 client driver" setting; 109 | * Enable this setting; 110 | * In the "Configure LanmanWorkstation dependencies" text box, enter the following three lines of text: 111 | Bowser 112 | MRxSmb20 113 | NSI 114 | 115 | To restore the default behavior for client-side SMBv1 protocol processing, do ALL of the following: 116 | * Set the SMBv1 client driver to "Manual start" using the "Configure SMB v1 client driver" setting; 117 | * Enable this setting; 118 | * In the "Configure LanmanWorkstation dependencies" text box, enter the following four lines of text: 119 | Bowser 120 | MRxSmb10 121 | MRxSmb20 122 | NSI 123 | 124 | WARNING: DO NOT SELECT THE "DISABLED" RADIO BUTTON UNDER ANY CIRCUMSTANCES! 125 | 126 | Changes to this setting require a reboot to take effect. 127 | 128 | For more information, see https://support.microsoft.com/kb/2696547 129 | 130 | Disable driver (recommended) 131 | Manual start (default for Win7/2008/2008R2/2012) 132 | Automatic start (default for Win8.1/2012R2/newer) 133 | 134 | 135 | 136 | NetBT NodeType configuration 137 | The NetBT NodeType setting determines what methods NetBT uses to register and resolve names: 138 | * A B-node computer uses broadcasts. 
139 | * A P-node computer uses only point-to-point name queries to a name server (WINS). 140 | * An M-node computer broadcasts first, and then queries the name server. 141 | * An H-node computer queries the name server first, and then broadcasts. 142 | Resolution through LMHOSTS or DNS follows these methods. If the NodeType value is present, it overrides any DhcpNodeType value. 143 | If neither NodeType nor DhcpNodeType is present, the computer uses B-node if there are no WINS servers configured for the network, or H-node if there is at least one WINS server configured. 144 | 145 | B-node 146 | P-node (recommended) 147 | M-node 148 | H-node 149 | 150 | 151 | 152 | Extended Protection for LDAP Authentication (Domain Controllers only) (DEPRECATED) 153 | Beginning with the Windows 10 and Windows Server v2004 security baseline this setting has been moved to Security Options\Domain controller: LDAP server channel binding token requirements. 154 | 155 | Enabled, always (recommended) 156 | Enabled, when supported 157 | Disabled 158 | 159 | 160 | Block Flash activation in Office documents 161 | This policy setting controls whether the Adobe Flash control can be activated by Office documents. Note that activation blocking applies only within Office processes. 162 | 163 | If you enable this policy setting, you can choose from three options to control whether and how Flash is blocked from activation: 164 | 165 | 1. "Block all activation" prevents the Flash control from being loaded, whether directly referenced by the document or indirectly by another embedded object. 166 | 167 | 2. "Block embedding/linking, allow other activation" prevents the Flash control from being loaded when directly referenced by the document, but does not prevent activation through another object. 168 | 169 | 3. "Allow all activation" restores Office's default behavior, allowing the Flash control to be activated. 
170 | 171 | Because this setting is not a true Group Policy setting and "tattoos" the registry, enabling the "Allow all activation" option is the only way to restore default behavior after either of the "Block" options has been applied. We do not recommend configuring this setting to "Disabled," nor to "Not Configured" after it has been enabled. 172 | 173 | Block all activation 174 | Block embedding/linking, allow other activation 175 | Allow all activation 176 | Restrict legacy JScript execution for Office 177 | This policy setting controls JScript execution per Security Zone within Internet Explorer and WebBrowser Control (WebOC) for Office applications. 178 | 179 | It's important to determine whether legacy JScript is being used to provide business-critical functionality before you enable this setting. 180 | 181 | If Enabled, Office applications will not execute legacy JScript for the Internet or Restricted Sites zones and users aren’t notified by the application that legacy JScript execution is restricted. Modern JScript9 will continue to function for all zones. 182 | 183 | If Disabled or Not Configured JScript will function without any restrictions. 184 | 185 | The values are set in hexadecimal and should be converted prior to changing the setting value. To learn more about Internet Explorer Feature Control Key and the Restrict JScript process-level policy for Windows, please refer to: https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/general-info/ee330734(v=vs.85)#restrict-jscript-at-a-process-level 186 | 187 | Configure RPC packet level privacy setting for incoming connections 188 | 189 | This policy setting controls whether packet level privacy is enabled for RPC for incoming connections. 190 | 191 | By default packet level privacy is enabled for RPC for incoming connections. 192 | 193 | If you enable or do not configure this policy setting, packet level privacy is enabled for RPC for incoming connections. 
194 | 195 | Manage processing of Queue-specific files 196 | Allow all Queue-specific files 197 | Do not allow Queue-specific files 198 | 199 | Manages how Queue-specific files are processed during printer installation. At printer installation time, a vendor-supplied installation application can specify a set of files, of any type, to be associated with a particular print queue. The files are downloaded to each client that connects to the print server. 200 | 201 | You can enable this setting to change the default behavior involving queue-specific files. To use this setting, select one of the options below from the "Manage processing of Queue-specific files" box. 202 | 203 | If you disable or do not configure this policy setting, the default behavior is "Limit Queue-specific files to Color profiles". 204 | 205 | -- "Do not allow Queue-specific files" specifies that no queue-specific files will be allowed/processed during print queue/printer connection installation. 206 | 207 | -- "Limit Queue-specific files to Color profiles" specifies that only queue-specific files that adhere to the standard color profile scheme will be allowed. This means entries using the Registry Key CopyFiles\ICM, containing a Directory value of COLOR and supporting mscms.dll as the Module value. "Limit Queue-specific files to Color profiles" is the default behavior. 208 | 209 | -- "Allow all Queue-specific files" specifies that all queue-specific files will be allowed/processed during print queue/printer connection installation. 
210 | 211 | Limit Queue-specific files to Color profiles 212 | 213 | 214 | 215 | 216 | 217 | 218 | Configure MrxSmb10 driver 219 | 220 | 221 | Configure LanmanWorkstation dependencies 222 | 223 | 224 | Configure NetBT NodeType 225 | 226 | 227 | Configure LdapEnforceChannelBinding 228 | 229 | 230 | Block Flash player in Office 231 | 232 | 233 | Excel: 234 | Publisher: 235 | PowerPoint: 236 | OneNote: 237 | Visio: 238 | Project: 239 | Word: 240 | Outlook: 241 | Access: 242 | 243 | 244 | Select the method by which Queue-specific files will be processed. 245 | Manage processing of Queue-Specific files: 246 | 247 | 248 | 249 | 250 | 251 | 252 | -------------------------------------------------------------------------------- /Templates/MSS-legacy.admx: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 1 19 | 20 | 21 | 0 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 | 184 | 185 | 186 | 187 | 188 | 189 | 190 | 191 | 192 | 193 | 194 | 195 | 196 | 197 | 198 | 199 | 200 | 201 | 202 | 203 | 204 | 205 | 206 | 207 | 208 | 209 | 210 | 211 | 