From b6757154fb04a954425f5b379881a3b9e54679bf Mon Sep 17 00:00:00 2001 From: oppressor1761 <163018825+oppressor1761@users.noreply.github.com> Date: Thu, 28 Nov 2024 11:19:23 +0800 Subject: [PATCH] Update Windows Overview.md Signed-off-by: oppressor1761 <163018825+oppressor1761@users.noreply.github.com> --- content/posts/windows/Windows Overview.md | 363 ++-------------------- 1 file changed, 25 insertions(+), 338 deletions(-) diff --git a/content/posts/windows/Windows Overview.md b/content/posts/windows/Windows Overview.md index 61eb518..6d8cd40 100644 --- a/content/posts/windows/Windows Overview.md +++ b/content/posts/windows/Windows Overview.md @@ -1,7 +1,7 @@ --- -title: "Windows Overview" +title: "Windows Security Overview" date: 2024-10-26 -tags: ['Windows', 'Security', 'Privacy'] +tags: ['Windows', 'Security'] author: oppressor1761 --- 
@@ -9,35 +9,37 @@ author: oppressor1761 ### Hardware Security -[Secured-Core PCs](https://www.microsoft.com/en-us/windows/business/windows-11-secured-core-computers) ensure the hardwares have some essential security [features](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure-11#what-makes-a-secured-core-pc) including Secure Boot, Trusted Platform Module 2.0 (TPM), Direct Memory Access (DMA) Protection, Enhanced Sign-in Security (ESS), Virtualization-based Security (VBS) and System Guard Secure Launch with System Management Mode (SMM) isolation/Firmware Attack Surface Reduction (FASR). Microsoft Pluton and Total Memory Encryption are also good to have. +[Secured-Core PCs](https://www.microsoft.com/en-us/windows/business/windows-11-secured-core-computers) ensure the hardware has some essential security [features](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure-11#what-makes-a-secured-core-pc) including Secure Boot, Trusted Platform Module 2.0 (TPM), Direct Memory Access (DMA) Protection, Enhanced Sign-in Security (ESS), Virtualization-based Security (VBS) and System Guard Secure Launch with System Management Mode (SMM) isolation/Firmware Attack Surface Reduction (FASR). Microsoft Pluton and Total Memory Encryption are also good to have. -[Secure Boot](https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/trusted-boot) makes a safe and trusted path from the firmware to the Windows bootloader. Trusted Boot, which is not a hardware feature, picks up the process that started with Secure Boot. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and your anti-malware product's early-launch anti-malware (ELAM) driver. These mechanism does not protect the firmware itself. 
+[Secure Boot](https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/trusted-boot) makes a safe and trusted path from the firmware to the Windows bootloader by making the firmware to examine the bootloader's digital signature to verify that it hasn't been modified. It may also allow drivers and applications from 3rd parties to run on the PC, which increases the attack surface of systems. You can disable Microsoft 3rd Party UEFI CAs (Microsoft Corporation UEFI CA 2011, Microsoft UEFI CA 2023) and Microsoft Option ROM CA (Microsoft Option ROM UEFI CA 2023) if you are not using third party operating system. Trusted Boot, which is not a hardware feature, picks up the process that started with Secure Boot. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and your anti-malware product's early-launch anti-malware (ELAM) driver. These mechanisms does not protect the firmware itself. [Trusted Platform Module 2.0 (TPM)](https://learn.microsoft.com/en-us/windows/security/hardware-security/tpm/trusted-platform-module-overview) is a secure crypto-processor that is designed to carry out cryptographic operations. Some features rely on TPM such as BitLocker, Windows Hello, and System Guard Secure Launch. -[Direct Memory Access (DMA) Protection](https://learn.microsoft.com/en-us/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt) Protection protects against external peripherals from gaining unauthorized access to memory. +[Direct Memory Access (DMA) Protection](https://learn.microsoft.com/en-us/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt) protects against external peripherals from gaining unauthorized access to memory. 
[Enhanced Sign-in Security (ESS)](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) provides an additional level of security to biometric data with the use of specialized hardware and software components. -Memory Integrity is a [Virtualization-based Security (VBS)](https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity) feature that uses the Windows hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. +Memory Integrity is a [Virtualization-based Security (VBS)](https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity) feature that uses the Windows hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. VBS requires [virtualization](https://support.microsoft.com/en-us/windows/enable-virtualization-on-windows-c5578302-6e43-4b4b-a449-8ced115f58e1) to be enabled. [System Guard Secure Launch with SMM isolation](https://learn.microsoft.com/en-us/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows) leverage Dynamic Root of Trust for Measurement (DRTM) to protect the firmware. It depends on CPU to function. Its equivalent without CPU dependency is [FASR](https://learn.microsoft.com/en-us/windows-hardware/drivers/bringup/firmware-attack-surface-reduction) which leverage Static Root of Trust for Measurement (SRTM) and Standalone Management Mode (MM) with MM Supervisor. 
[Microsoft Pluton](https://learn.microsoft.com/en-us/windows/security/hardware-security/pluton/microsoft-pluton-security-processor) is a secure crypto-processor built into the CPU to provide the functionality of the TPM and deliver other security functionality beyond what is possible with the TPM 2.0 specification, and allows for other Pluton firmware and OS features to be delivered over time via Windows Update. -Total Memory Encryption encrypts all data passing to and from a computer's CPU. +Total Memory Encryption encrypts all data passing to and from a PC's CPU. Thus, the data on memory is encrypted. ### Firmware Security -Hardware security features often requires related settings in firmware. For example, VBS requires [virtualization](https://support.microsoft.com/en-us/windows/enable-virtualization-on-windows-c5578302-6e43-4b4b-a449-8ced115f58e1) to be enabled. +Hardware security features often requires related settings in firmware. You can also set a firmware password to protect firmware settings from being changed unexpectedly. -You should also choose a computer that has a long lifecycle of driver and firmware updates. You may find the lifecycle policy in Product Security and Telecommunication Infrastructure (PSTI) compliance report from OEM. +To reduce attack surface and prevent firmware to boot from external devices, you can configure Boot Sequence to exclusively boot from your hard drive while disabling all other items. + +You should also choose a PC that has a long lifecycle of driver and firmware updates. You may find the lifecycle policy in Product Security and Telecommunication Infrastructure (PSTI) compliance report from OEM. ## Operating System Security ### Version and Edition -You should use the [latest version](https://learn.microsoft.com/en-us/windows/release-health/windows11-release-information) of Windows Enterprise edition as it provides the most complete security and privacy features. 
+You should use the [latest version](https://learn.microsoft.com/en-us/windows/release-health/windows11-release-information) of Windows Enterprise edition, as it provides the most complete security and privacy features. ### Updates @@ -45,7 +47,7 @@ Installing updates is crucial. Windows Update delivers updates to Windows automa You can track update packages for Windows operating system, Windows RE and Windows PE using [this](https://support.microsoft.com/en-us/feed/rss/4ec863cc-2ecd-e187-6cb3-b50c6545db92) RSS feed. *Compatibility update for installing and recovering Windows* denotes updates for Windows RE. *Setup Dynamic Update for Windows* denotes updates for Windows PE. You can download update packages from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). -You should also enable automatic updates in Microsoft Store in Start → Microsoft Store → Personal Profile → Settings → App Updates. You can also obtain drivers and firmware updates from original equipment manufacturers (OEMs). +You should also enable automatic updates in Microsoft Store in Start → Microsoft Store → Personal Profile → Settings → App Updates. **Feature updates** are released annually to add new features and functionality to Windows. 
@@ -53,66 +55,35 @@ You should also enable automatic updates in Microsoft Store in Start → Microso ### Security Baselines -A [security baseline](https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines) is a group of Microsoft-recommended configuration settings that explains their security implication. +A [security baseline](https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines) is a group of Microsoft-recommended configuration settings that explains their security implication. It uses [Group Policy](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/group-policy/group-policy-overview), which is a type of configuration method that takes precedence over user-facing UI. You can leverage the [Local Group Policy Object (LGPO)](https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10#what-is-the-local-group-policy-object-lgpo-tool) tool to deploy the security baseline. Apart from Windows, Microsoft Edge and Microsoft Office also have corresponding security baselines. -* [Download](https://www.microsoft.com/en-us/download/details.aspx?id=55319) the following files: `Windows 11 v23H2 Security Baseline.zip` and `LGPO.zip`. - -* Unzip both files. In `LGPO\LGPO_30`, copy `LGPO.exe` to `Windows 11 v23H2 Security Baseline\Scripts\Tools`. - -* In `Windows 11 v23H2 Security Baseline\Scripts`, execute the following command from an elevated command prompt: - - Set-ExecutionPolicy -Scope Process Unrestricted - .\Baseline-LocalInstall.ps1 -Win11NonDomainJoined - -* EP-reset.xml - -You can track security baseline updates using [this](https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=Microsoft-Security-Baselines) RSS feed. 
+You can track security baseline updates using [this](https://techcommunity.microsoft.com/t5/s/gxcuf89792/rss/board?board.id=Microsoft-Security-Baselines) RSS feed. It's essential to keep security baseline updated after you update the operating system or applications. ### Application Security -Most applications on Windows are not sandboxed. In Microsoft Store, only the apps without the permission "This app can access all your files, peripheral devices, apps, programs, and registry" are sandboxed. If you sideload apps, only those with the file extensions `.msix`, `.msixbundle`, `.appx`, `.appxbundle`, and without the permission "This app can access all your files, peripheral devices, apps, programs, and registry" are sandboxed. +Most applications on Windows are not sandboxed. In Microsoft Store, only the apps without the permission “This app can access all your files, peripheral devices, apps, programs, and registry” are sandboxed. If you sideload apps, only those with the file extensions `.msix`, `.msixbundle`, `.appx`, `.appxbundle`, and without the permission "This app can access all your files, peripheral devices, apps, programs, and registry" are sandboxed. If you are a developer or are skilled, you may deploy sandboxing to unsandboxed applications using [Win32 app isolation](https://learn.microsoft.com/en-us/windows/win32/secauthz/app-isolation-overview). -Smart App Control can check the security of apps while they are running. You should enable Smart App Control in Start → Windows Security → App & Browser Control → Smart App Control. +[Smart App Control](https://support.microsoft.com/en-us/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) can check the security of apps while they are running. -You can also use Windows Sandbox to run untrusted apps. Enable Windows Sandbox in Start → Settings → System → Optional Fetures → More Windows Features. Open Windows Sandbox in Start → Windows Sandbox. 
You can transfer files and apps into Windows Sandbox by copying them. +You can also use [Windows Sandbox](https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview) to run untrusted apps. It provides a lightweight virtual machine to safely run applications in isolation. You can transfer files and apps into Windows Sandbox by copying them. ### Device Encryption -BitLocker is a disk encryption feature. Before enabling Bitlocker, you should configure it to use stronger encryption methods as well as allow for more secure unlocking methods: +[BitLocker](https://support.microsoft.com/en-us/windows/bitlocker-overview-44c0c61c-989d-4a69-8822-b95cd49b1bbf) is a disk encryption feature. Before enabling Bitlocker, you should configure it to use [stronger encryption methods](https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/configure?tabs=common#choose-drive-encryption-method-and-cipher-strength), [stronger PIN complexity](https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/configure?tabs=os#allow-enhanced-pins-for-startup) as well as allow for more [secure unlocking methods](https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/configure?tabs=os#require-additional-authentication-at-startup). PIN leverages TPM thus have anti brute force feature while passwords do not. You should set a strong PIN/password for BitLocker and encrypt the entire disk space. You can also [prevent](https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/configure?tabs=os#disallow-standard-users-from-changing-the-pin-or-password) standard users from changing PIN/password. 
There's more [contermeatures](https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/countermeasures) you can implent such as disabling Standby depending on your threat model. -* Enable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)` and set the options to `XTS-AES 256-bit`, `XTS-AES 256-bit`, `AES-CBC 256-bit` respectively. +### Antivirus Protection and Firewall -* Enable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Require additional authentication at startup` and set the options to unchecked, `Allow TPM`, `Allow startup PIN with TPM`, `Allow startup key with TPM` and `Allow startup key and PIN with TPM` respectively. +Windows include [Windows Security](https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963), which provides the latest antivirus protection, system security settings, Exploit Protection and Controlled Folder Access. Some settings may not be changed in the UI if you have deployed security baselines. -* Enable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Allow enhanced PINs for startup`. +You can manage applications and process connections in the [Firewall](https://support.microsoft.com/en-us/windows/turn-microsoft-defender-firewall-on-or-off-ec0844f7-aebd-0583-67fe-601ecf5d774f). You can also block all inbound connections. -* Enable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Disallow standard users from changing the PIN or password`. 
- -You should enable Bitlocker in Start → Windows Security → Device Security → Data Encryption. You should set a strong PIN for BitLocker and encrypt the entire disk space. - -### Antivirus Protection - -Windows include Windows Security, which provides the latest antivirus protection. - -* Enable all options in Start → Windows Security → App & Browser Control → Reputation Based Protection. - -* Enable all options in Start → Windows Security → App & Browser Control → Exploit Protection → System Settings. - -* Enable all options in Start → Windows Security → Virus & Threat Protection → Virus & Threat Protection Settings. - -* Enable the option in Start → Windows Security → Virus & Threat Protection → Ransomware Protection → Controlled Folder Access. - -* Enable `Block all inbound connections` options in Start → Windows Security → Firewall and Network Protection → Public Network/Private Network/Domain Network. - -* Check if `Memory access protection` is displayed in Start → Windows Security → Device Security → Core Isolation. If not, enable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Disable new DMA devices when this computer is locked`. Otherwise disable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Disable new DMA devices when this computer is locked`. - -* Execute `setx /M MP_FORCE_USE_SANDBOX 1` from an elevated command prompt. +For better security, you should [run Windows Security in a sandbox](https://learn.microsoft.com/en-us/defender-endpoint/sandbox-mdav). ### Account & Identity Security -You should use a local user account for daily tasks. Use complex passwords for your accounts. You can create a local user account in Start → Settings → Accounts → Other users → Add account → I don't have this person's sign-in information → Add a user without a Microsoft account. 
You should add security questions to your local account in case you forget your password in Start → Settings → Accounts → Sign-in options → Update your security questions. You can also create a password reset disk for your local account. In the search box on the taskbar, type `Control Panel`, and then choose it from the list of results. In the Control Panel search box, type `create password reset`. Select `Create a password reset disk`, and follow the remaining instructions. +You should use a local user account for daily tasks. Use complex passwords for your accounts. You can create a local user account in Start → Settings → Accounts → Other users → Add account → I don't have this person's sign-in information → Add a user without a Microsoft account. + -You can hide your account info when logging in by enabling the Group Policy `Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Don’t display last signed-in` and `Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Don’t display username at sign-in`. You can also find the related option in Start → Settings → Accounts → Sign-in Options → Show account details such as my email address on the sign-in screen. lock screen after 10 min 
@@ -201,288 +172,4 @@ In addition to the security baselines, there are some additional attack surface reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v RetsPredictedFromRsbOnly /t REG_DWORD /d 1 /f -## Privacy Settings -Windows collects [three categories](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1iLkl) of personal data to send to Microsoft: Windows Diagnostic Data, Account Data, and Windows Required Service Data. - -### Windows Diagnostic Data - -Enable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\Data Collection And Preview Builds\Allow Diagnostic Data` and set it to `Diagnostic data off (not recommended)`. - -### Account Data - -Use local accounts instead of online accounts like Microsoft accounts to sign in to your devices and enable the Group Policy `Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Block Microsoft accounts` and set it to `Users can’t add Microsoft accounts`. You can still log on apps likw Microsoft Store with Microsoft accounts. If you have logged on apps using a Microsoft account, you can limit its use in Start → Settings → Accounts → Email & accounts → (Your Microsoft Account) → Sign-in Options and select the option to `Apps need to ask me to use this account`. - -If the Group Policy `Accounts: Block Microsoft accounts` is set to `Users can’t add or log on with Microsoft accounts`, attempting to restore the System in Windows Recovery Environment (Windows RE) will [fail](https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference?view=windows-11#known-issue) with the error message "You need to sign in as an administrator to continue, but there aren't any administrator accounts on this PC." 
- -### Windows Required Service Data - -Some Required Service Data is necessary for Windows security and should be retained. - -* Uninstall pre-installed apps you won't use in Start → Settings → Apps → Installed Apps and Start → Settings → System → System Components. - -* Disable all options in Start → Settings → Privacy & Security → Windows Permissions. - -* Do not join the Windows Insider Program in Start → Settings → Windows Update → Windows Insider Program. - -* Disable suggestions and recommendations in Start → Settings → Personalization → Start. - -* Disable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana`. - -* Disable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cloud Search`. - -* Disable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location`. - -* Enable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\Search\Do not allow web search`. - -* Enable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results in Search`. - -* Enable all Group Policy objects under `Computer Configuration\Administrative Templates\Windows Components\Cloud Content`. - -* Enable the Group Policy `User Configuration\Administrative Templates\Windows Components\Cloud Content\Do not use diagnostic data for tailored experiences`. - -* Enable the Group Policy `User Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off the Windows Welcome Experience`. - -* Configure the Group Policy `User Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off all Windows spotlight features` according to your needs. 
- -* Enable Group Policy `User Configuration\Administrative Templates\Windows Components\Cloud Content\Do not suggest third-party content in Windows spotlight`. - -* Enable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\File Explorer\Turn off account-based insights, recent, favorite, and recommended files in File Explorer`. - -* Enable the Group Policy `User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box`. - -* Enable the Group Policy `User Configuration\Administrative Templates\Windows Components\File Explorer\Common Open File Dialog\Hide the dropdown list of recent files`. - -* Disable the Group Policy `Computer Configuration\Administrative Templates\Control Panel\Allow Online Tips`. - -* Enable the Group Policy `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Remove Personalized Website Recommendations from the Recommended section in the Start Menu`. - -* Enable the Group Policy `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Remove "Recently added" list from Start Menu`. - -* Enable the Group Policy `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Do not keep history of recently opened documents`. - -* Enable the Group Policy `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Show or hide "Most used" list from Start menu` and select the option to `Hide`. - -* Enable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Disable Windows Error Reporting`. - -* Enable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\Software Protection Platform\Turn off KMS Client Online AVS Validation`. - -* Disable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\Messaging\Allow Message Service Cloud Sync`. 
- -* Execute `reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Messaging" /v CloudServiceSyncEnabled /t REG_DWORD /d 0 /f` from an elevated command prompt. - -* Execute `reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MRT" /v DontReportInfectionInformation /t REG_DWORD /d 1 /f` from an elevated command prompt. - -* Disable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\Windows Defender Antivirus\Reporting\Configure Watson events`. - -* In Start → Settings → Apps → Advanced app settings, set `Choose where to get apps` to `Anywhere`. - -* Enable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization\Download Mode` and set it to `Simple (99)`. - -* Execute `reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v "EnableFeeds" /t REG_DWORD /d 0 /f` from an elevated command prompt. - -* Execute `setx /M DOTNET_CLI_TELEMETRY_OPTOUT 1` from an elevated command prompt. - -* Execute `setx /M POWERSHELL_TELEMETRY_OPTOUT 1` from an elevated command prompt. - -* Execute `setx /M MSEDGEDRIVER_TELEMETRY_OPTOUT 1` from an elevated command prompt. - -* Disable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\Widgets\Allow Widgets`. - -* If you are using a Input Method Editors (IME), disable the option in Start → Settings → Time & Language → Language & Region → (Your Language) → Language Options → (Your IME) → Keyboard Options → Lexicon and Self-Learning → Try text suggestions from Bing. - -* You can manage Copilot in Windows by configuring the Group Policy `User Configuration\Administrative Templates\Windows Components\Windows Copilot\Turn off Windows Copilot`. - -* Enable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\OneDrive\Prevent OneDrive from generating network traffic until the user signs in to OneDrive`. 
- -## Microsoft Edge - -* [Download](https://www.microsoft.com/en-us/edge/business/download) the Microsoft Edge policy and unzip the file. - -* Copy `MicrosoftEdgePolicyTemplates.cab\MicrosoftEdgePolicyTemplates.zip\windows\admx\msedge.admx` to `C:\Windows\PolicyDefinitions`. Copy `MicrosoftEdgePolicyTemplates.cab\MicrosoftEdgePolicyTemplates.zip\windows\admx\(Your locale ID)\msedge.adml` to `C:\Windows\PolicyDefinitions\(Your locale ID)`. - -* Copy `MicrosoftEdgePolicyTemplates.cab\MicrosoftEdgePolicyTemplates.zip\windows\admx\msedgewebview2.admx` to `C:\Windows\PolicyDefinitions`. Copy `MicrosoftEdgePolicyTemplates.cab\MicrosoftEdgePolicyTemplates.zip\windows\admx\(Your locale ID)\msedgewebview2.adml` to `C:\Windows\PolicyDefinitions\(Your locale ID)`. - -* You can track security baseline updates using [this](https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=Microsoft-Security-Baselines) RSS feed. - -### Microsoft Edge Security - -* [Download](https://www.microsoft.com/en-us/download/details.aspx?id=55319) the following files: `Microsoft Edge v117 Security Baseline.zip` and `LGPO.zip`.Unzip both files. In `LGPO\LGPO_30`, copy `LGPO.exe` to `Microsoft Edge v117 Security Baseline\Scripts\Tools`. In `Microsoft Edge v117 Security Baseline\Scripts`, execute the following command from an elevated command prompt: - - Set-ExecutionPolicy -Scope Process Unrestricted - .\Baseline-LocalInstall.ps1 - -* Microsoft Edge automatically updates itself. You can also update it manually in `edge://settings/help`. - -* Enable the option(s) `Microsoft Defender SmartScreen` in `edge://settings/privacy`. - -* Enable the option(s) `Block potentially unwanted apps` in `edge://settings/privacy`. - -* Enable the option(s) `Website typo protection` in `edge://settings/privacy`. - -* Enable the option(s) `Enhance your security on the web` in `edge://settings/privacy` and set it to `Strict`. - -* Enable the option(s) `Allow extensions from other stores` in `edge://extensions/`. 
Prioritize installing extensions from Chrome Web Store, as Chrome Web Store more aggressively uses Manifest V3. - -* Enable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Configure browser process code integrity guard setting` and set it to `Enable code integrity guard enforcement in the browser process`. - -* Enable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Enable online OCSP/CRL checks`. - -* Enable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Enable the network service sandbox`. - -* Enable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge Webview2\Check RSA key usage for server certificates issued by local trust anchors`. - -* Enable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge Webview2\Enable built-in PDF reader powered by Adobe Acrobat for WebView2`. - -* Enable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Check RSA key usage for server certificates issued by local trust anchors`. - -* Enable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Restrict exposure of local IP address by WebRTC` and set it to `Use TCP unless proxy server supports UDP`. - -* Enable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Configure Automatic HTTPS` and set it to `All navigations delivered over HTTP are switched to HTTPS`. - -* Disable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Extension\Control Manifest v2 extension availability`. - -* Enable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Control the mode of DNS-over-HTTPS` and set it to `Enable DNS-over-HTTPS without insecure fallback`. 
Configure the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Specify URI template of desired DNS-over-HTTPS resolver` according to your needs. - -### Microsoft Edge Privacy - -For diagnostic data, enable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Send required and optional diagnostic data about browser usage` and set the option to `off`. - -For account data, use local profiles instead of online accounts like Microsoft accounts to sign in to Microsoft Edge. Enable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Browser sign-in settings` and set the option to `Disable browser sign-in`. Then disable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Configure whether a user always has a default profile automatically signed in with their work or school account`. - -For required service data: - -* Disable the option(s) in `edge://settings/profiles/rewards`. - -* Disable the option(s) in `edge://settings/profiles/multiProfileSettings`. - -* Disable the option(s) in `edge://settings/profiles/localBrowserDataShare`. - -* Disable the option(s) in `edge://wallet/settings`. - -* Enable the option(s) `Tracking Prevention` in `edge://settings/privacy` and set the option to `Strict`. - -* Enable the option(s) in `edge://settings/clearBrowsingDataOnClose`. - -* Enable the option(s) `Send "Do Not Track" requests` in `edge://settings/privacy`. - -* Disable the option(s) `Allow sites to check if you have payment methods saved` in `edge://settings/privacy`. - -* Disable the option(s) `Allow sites to check if you have payment methods saved` in `edge://settings/privacy`. - -* Disable the option(s) `Help improve Microsoft products by sending the results from searches on the web` in `edge://settings/privacy`. 
- -* Disable the option(s) `Allow Microsoft to save your browsing activity including history, usage, favorites, web content, and other browsing data to personalize Microsoft Edge and Microsoft services like ads, search, shopping and news.` in `edge://settings/privacy`. - -* Disable all option(s) under the `Services` section in `edge://settings/privacy`. - -* Disable the option(s) `Show me search and site suggestions using my typed characters` in `edge://settings/searchFilters`. - -* Disable the option(s) `Show me suggestions from history, favorites and other data on this device using my typed characters` in `edge://settings/searchFilters`. - -* Disable the option(s) `Personalize my top sites in customize sidebar` in `edge://settings/sidebar`. - -* Disable the option(s) `Allow Microsoft to access page content` and `Show shopping notifications` in `edge://settings/sidebar/appSettings?hubApp=cd4688a9-e888-48ea-ad81-76193d56b1be`. - -* Disable the option(s) `Allow access to page URLs` in `edge://settings/sidebar/appSettings?hubApp=96defd79-4015-4a32-bd09-794ff72183ef`. - -* Disable the option(s) `Preload your new tab page for a faster experience` in `edge://settings/startHomeNTP`. - -* Configure the option(s) `Customize your new tab page layout and content` in `edge://settings/startHomeNTP` according to your needs. - -* Enable the option(s) `Block third-party cookies` in `edge://settings/content/cookies`. - -* Disable the option(s) `Preload pages for faster browsing and searching` in `edge://settings/content/cookies`. - -* Disable the option(s) `Use text prediction` in `edge://settings/languages`. - -* Disable the option(s) `Enable grammar and spellcheck assistance` or enable it with `Basic` in `edge://settings/languages`. - -* Configure the option(s) `Share additional operating system region` to `Never` in `edge://settings/languages`. - -* Disable the option(s) `Get image descriptions from Microsoft for screen readers` in `edge://settings/accessibility`. 
- -* Disable the option(s) `Allow identifiers for protected content (computer restart may be required)` in `edge://settings/content/protectedContent`. - -* Configure `edge://flags/#edge-widevine-drm` according to your needs. - -* Disable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Enables default browser settings campaigns`. - -* Disable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Edge 3P SERP Telemetry Enabled`. - -* Disable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Native Messaging\Hide App Launcher on Microsoft Edge new tab page`. - -* Disable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Native Messaging\Disable Bing chat entry-points on Microsoft Edge Enterprise new tab page`. - -* Disable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Native Messaging\Allow Microsoft content on the new tab page`. - -* Disable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Startup, home page and new tab page\Allow user-level native messaging hosts (installed without admin permissions)`. - -* Enable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Enable network prediction` and set it to `Don’t predict network actions on any network connection`. - -* Disable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Cast\Enable Google Cast`. - -* Enable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Microsoft Edge built-in PDF reader powered by Adobe Acrobat enabled`. - -* Disable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Shows button on native PDF viewer in Microsoft Edge that allows users to sign up for Adobe Acrobat subscription`. 
- -* Enable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Secure mode and Certificate-based Digital Signature validation in native PDF reader`. - -* Disable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Content settings\Choose whether users can receive customized background images and text, suggestions, notifications, and tips for Microsoft services`. - -* Disable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Manageability\Microsoft Edge management enabled`. - -* Enable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Configure InPrivate mode availability` and set it to `Forced`. - - Setting `Configure InPrivate mode availability` to `Forced` will prevent you from accessing `edge://settings`. - -* If you are using others’ PC, use Guest mode in Start → Microsoft Edge → Personal Profile icon → Other Profiles → Browse as Guest. - -* You can manage Copilot in Windows by configuring the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Show Hubs Sidebar`. - -## Office - -* The advice in this guide does not apply to Office downloaded from the Microsoft Store. - -* [Download](https://www.microsoft.com/en-us/download/details.aspx?id=49030) the corresponding Office policy and execute it to extract the files. - -* Copy `(Extracted Files)\admx\(Your Office Apps).admx` to `C:\Windows\PolicyDefinitions`. Copy `(Extracted Files)\admx\(Your locale ID)\(Your Office Apps).adml` to `C:\Windows\PolicyDefinitions\(Your locale ID)`. - -* You can track security baseline updates using [this](https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=Microsoft-Security-Baselines) RSS feed. 
- -You can buy and download [Office Home & Student 2021](https://go.microsoft.com/fwlink/?linkid=2022066), [Office Home & Business 2021](https://go.microsoft.com/fwlink/?linkid=2022187) or [Office Professional 2021](https://go.microsoft.com/fwlink/?linkid=2022071) online. - -To install Office LTSC 2021, download the [Office Deployment Tool](https://www.microsoft.com/en-us/download/details.aspx?id=49117) and execute it to extract the files. Create and download a configuration file using the [Office Customization Tool](https://config.office.com/deploymentsettings). Copy `your-created-config-file.xml` to `(Extracted Files Folder)`. In `(Extracted Files Folder)`, execute the following command from an elevated command prompt: - - setup /download your-created-config-file.xml - -For Key Management Service (KMS) activation, execute the following command from an elevated command prompt: - - cd "c:\Program Files\Microsoft Office\Office16" - cscript ospp.vbs /sethst:your.kms.server.here - cscript ospp.vbs /act - -For Multiple Activation Key (MAK) activation, execute the following command from an elevated command prompt: - - cd "c:\Program Files\Microsoft Office\Office16" - cscript ospp.vbs /inpkey:input-your-mak-key-here - cscript ospp.vbs /act - -### Office Security - -* [Download](https://www.microsoft.com/en-us/download/details.aspx?id=55319) the following files: `Microsoft 365 Apps for Enterprise 2306.zip` and `LGPO.zip`.Unzip both files. In `LGPO\LGPO_30`, copy `LGPO.exe` to `Microsoft 365 Apps for Enterprise 2306\Scripts\Tools`. In `Microsoft 365 Apps for Enterprise 2306\Scripts`, execute the following command from an elevated command prompt: - - Set-ExecutionPolicy -Scope Process Unrestricted - .\Baseline-LocalInstall.ps1 - -* Office automatically updates itself. You can also update it manually in Start → (Your Office Apps) → File → Account → Update Options. 
- -### Office Privacy - -For diagnostic data, enable the Group Policy `User Configuration\Administrative Templates\Microsoft Office 2016\Privacy\Trust Center\Configure the level of client software diagnostic data sent by Office to Microsoft` and set the option to `Neither`. - -For account data, enable the Group Policy `User Configuration\Administrative Templates\Microsoft Office 2016\Miscellaneous\Block signing into Office`. - -You cannot disable the subscription version of Office, Microsoft 365. - -For required service data, disable the Group Policy `User Configuration\Administrative Templates\Microsoft Office 2016\Privacy\Trust Center\Allow the use of connected experiences in Office`.
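Review bot: the removal drops the `### Microsoft Edge Security` and `### Office Security` subsections together with the privacy ones, and no replacement line in the hunk tells readers where that hardening guidance now lives. The deleted security content is not privacy-only: it covers installing the Edge and Office security baselines with `LGPO.exe` and `.\Baseline-LocalInstall.ps1`, `Configure browser process code integrity guard setting`, `Enable the network service sandbox`, `Enable online OCSP/CRL checks`, `Check RSA key usage for server certificates issued by local trust anchors`, `Configure Automatic HTTPS`, and `Enable DNS-over-HTTPS without insecure fallback`. If the intent is to split privacy material out of this overview, keep the two security subsections in place, or add a one-line link under `## Microsoft Edge` and `## Office` to the post that now carries them, and state the rationale for the split so the next reader of the diff does not have to guess.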