mirror of
https://github.com/TommyTran732/Windows-Setup.git
synced 2024-12-22 06:41:47 -05:00
parent
16fee76e53
commit
721d50aa4b
@ -2,7 +2,7 @@
|
||||
|
||||
`Computer Configuration\Administrative Templates\Start Menu and Taskbar`
|
||||
|
||||
This is not strictly problematic, though I get quite irritated with most used apps/recently added apps/recently opened documents/etc showing up on my start menu. Someone may iadvertedly see something when I show them my screen.
|
||||
This is not strictly problematic, though I get quite irritated with most used apps/recently added apps/recently opened documents/etc showing up on my start menu. Someone may inadvertently see something when I show them my screen.
|
||||
|
||||
- Remove "Recently added" list from Start Menu -> Enabled
|
||||
- Remove Personalized Website Recommendation section in the Start Menu -> Enabled
|
||||
@ -10,4 +10,4 @@ This is not strictly problematic, though I get quite irritated with most used ap
|
||||
- Remove frequent program list from Start Menu -> Enabled
|
||||
- Do not keep history of recently opened documents -> Enabled
|
||||
- Show or hide "Most used" list from Start menu -> Enabled -> Hide
|
||||
- Pin Apps to Start when installed -> Disabled
|
||||
- Pin Apps to Start when installed -> Disabled
|
||||
|
@ -1,5 +1,5 @@
|
||||
# Credentials Delegation
|
||||
|
||||
`Computer Configuration\Administrative Templates\System\Credentials Delegration`
|
||||
`Computer Configuration\Administrative Templates\System\Credentials Delegation`
|
||||
|
||||
- Encryption Oracle Remediation -> Enabled -> Force Updated Clients
|
||||
- Encryption Oracle Remediation -> Enabled -> Force Updated Clients
|
||||
|
@ -4,10 +4,10 @@
|
||||
|
||||
**Old and very likely to be obsolete.**
|
||||
|
||||
- Turn off Windows Customer Experience mprovement Program -> Enabled
|
||||
- Turn off Windows Customer Experience Improvement Program -> Enabled
|
||||
- Turn off downloading of print drivers over HTTP -> Enabled
|
||||
Turn off printing over HTTP -> Enabled
|
||||
- Turn off Help and Support Center "Did you know?" content -> Enabled (These are probably not that useful and will just be annoying)
|
||||
- Turn off Windows Error Reporting -> Enabled
|
||||
- turn off Search Companion content file updates -> Enabled
|
||||
- Turn off Windows Messenger Customer Experience Improvement Program -> Enabled
|
||||
- Turn off Windows Messenger Customer Experience Improvement Program -> Enabled
|
||||
|
@ -3,4 +3,4 @@
|
||||
`Computer Configuration\Administrative Templates\System\User Profiles`
|
||||
|
||||
- Turn off the advertising ID -> Enabled
|
||||
- Only allow local user profiles -> Enabled (You probably aren't going to use roaming profiles unless you are in some niche environment like a univeristy, are you? Might as well just disable them because why not?)
|
||||
- Only allow local user profiles -> Enabled (You probably aren't going to use roaming profiles unless you are in some niche environment like a university, are you? Might as well just disable them because why not?)
|
||||
|
@ -1,5 +1,5 @@
|
||||
# AutoPlay Policies
|
||||
|
||||
`Computer Configuration\Administrative Templates\Windows Components\AutoPlay {p;ocoesy`
|
||||
`Computer Configuration\Administrative Templates\Windows Components\AutoPlay`
|
||||
|
||||
- Turn off Autoplay -> Enabled
|
||||
- Turn off Autoplay -> Enabled
|
||||
|
@ -4,6 +4,6 @@
|
||||
|
||||
I do not see these ever being used on my system, therefore they are disabled. Obviously, you don't have to apply them if you want to use location and sensors.
|
||||
|
||||
- Turn off location scription -> Enabled
|
||||
- Turn off location scripting -> Enabled
|
||||
- Turn off location -> Enabled
|
||||
- Turn off sensors -> Enabled
|
||||
- Turn off sensors -> Enabled
|
||||
|
@ -5,4 +5,4 @@
|
||||
Unless you run your own MDM system or something, this probably should not be on with a personal computer.
|
||||
|
||||
- Enable automatic MDM enrollment using default Azure AD credentials -> Disabled (Probably redundant because of the next policy, but it will also **unenroll** you from Azure AD)
|
||||
- Disable MDM enrollment -> Enabled (This will not unenroll you though)
|
||||
- Disable MDM enrollment -> Enabled (This will not disenroll you though)
|
||||
|
@ -2,11 +2,11 @@
|
||||
|
||||
`Computer Configuration\Administrative Templates\Windows Components\Windows Defender SmartScreen`
|
||||
|
||||
- Enhanced Phising Protection -> Service Enabled -> Disabled
|
||||
- Enhanced Phishing Protection -> Service Enabled -> Disabled
|
||||
|
||||
**For a corporate scenario or when you cannot trust the user you are configuring it for and you choose to have SmartScreen enabled, do the followings:**,
|
||||
|
||||
- Explorer -> Configure Windows Defender SmartScreen -> Enabled -> Warn and prevent bypass
|
||||
- Microsoft Edge -> Prevent bypassing Windws Defender SmartScreen prompts for sites -> Enabled
|
||||
- Microsoft Edge -> Prevent bypassing Windows Defender SmartScreen prompts for sites -> Enabled
|
||||
|
||||
There is also Explorer -> Configure App Install Control that you might want to look into. Probably theatre though, it doesn't appear to block anything, or anything meaningful at least.
|
||||
There is also Explorer -> Configure App Install Control that you might want to look into. Probably theatre though, it doesn't appear to block anything, or anything meaningful at least.
|
||||
|
@ -2,6 +2,6 @@
|
||||
|
||||
`Computer Configuration\Administrative Templates\Windows Components\Windows Game Recording and Broadcasting`
|
||||
|
||||
If you wanna record your screen and stuff, don't apply this. Otherwise, why not just disable it? Unnecesary stuff.
|
||||
If you wanna record your screen and stuff, don't apply this. Otherwise, why not just disable it? Unnecessary stuff.
|
||||
|
||||
- Enables or disables Windows Game Windows Game Recording and Broadcasting -> Disabled
|
||||
|
@ -2,5 +2,5 @@
|
||||
|
||||
`Computer Configuration\Administrative Templates\Windows Components\Windows Update`
|
||||
|
||||
- Manage updates offered from Windows Update -> Enable optional updates -> Enabled -> Automatically recieve optional updates
|
||||
- Manage updates offered from Windows Update -> Select when Quality Updates are recieved -> Enabled -> Defer for 0 days
|
||||
- Manage updates offered from Windows Update -> Enable optional updates -> Enabled -> Automatically receive optional updates
|
||||
- Manage updates offered from Windows Update -> Select when Quality Updates are received -> Enabled -> Defer for 0 days
|
||||
|
@ -15,7 +15,7 @@ One caveat with this is that if it takes the cloud too long to scan, the compute
|
||||
|
||||
Should be turned off. Supposedly will prompt if the files it want to submit are document files, but why not just make it prompt for every file it wants to submit?
|
||||
|
||||
## Ransomeware protection
|
||||
## Ransomware protection
|
||||
|
||||
Turn on Controlled folder access. This will protect certain dirs and prevent direct writes to the disk.
|
||||
|
||||
@ -39,11 +39,11 @@ This sends hashes and file paths to Microsoft. It will also sends the URL of whe
|
||||
|
||||
### SmartScreen for Microsoft Edge
|
||||
|
||||
This setting is independant from Smart App Control. Extremely privacy invasive. Sends **FULL URLs** to Microsoft. Whether to keep this on or not depends on the threat model, though it probably should be off in most cases.
|
||||
This setting is independent from Smart App Control. Extremely privacy invasive. Sends **FULL URLs** to Microsoft. Whether to keep this on or not depends on the threat model, though it probably should be off in most cases.
|
||||
|
||||
Consider scenarios where you use Proton Drive/Mega/PrivateBin which append the encryption key in the URL. Now you are sending both the URL and the key to Microsoft. Something that's supposed to be private / end-to-end encrypted now gets leaked just like that. Or if you use PHPMyAdmin with the username & password appended for logins - now you are leaking access to your database.
|
||||
|
||||
### Phising protection
|
||||
### Phishing protection
|
||||
|
||||
This is extremely invasive to the point where I do not think it's okay to keep it on under any circumstances, with any kind of threat model.
|
||||
|
||||
@ -73,4 +73,4 @@ If theres aren't on, check the firmware settings. On Parallels, both should pass
|
||||
|
||||
Poor man's Bitlocker. Unless you are using Home edition, turn this off and use Bitlocker proper.
|
||||
|
||||
If you sign in with a Microsoft account, "Data Encryption" will submit the key protector to Microsoft (which means that Microsoft can decrypt your device should they get physical access to it). Not sure what happens when you do not login with a Microsoft account, but it is worse than a proper Bitlocker setup anyways (no TPM + PIN/USB drive etc), so just disable it.
|
||||
If you sign in with a Microsoft account, "Data Encryption" will submit the key protector to Microsoft (which means that Microsoft can decrypt your device should they get physical access to it). Not sure what happens when you do not login with a Microsoft account, but it is worse than a proper Bitlocker setup anyways (no TPM + PIN/USB drive etc), so just disable it.
|
||||
|
@ -3,7 +3,7 @@
|
||||
Make sure the followings are selected:
|
||||
|
||||
- Uncheck update as soon as possible (this is essentially the same as auto update with gradual release - we will configure the group pol to be auto update without gradual release)
|
||||
- Advanced option -> Recieve updates for other Microsoft products
|
||||
- Advanced option -> Receive updates for other Microsoft products
|
||||
- Notify when restart is required to finish updating
|
||||
- Install optional updates
|
||||
|
||||
@ -12,4 +12,4 @@ Make sure the followings are selected:
|
||||
- If you are using Parallels, make sure to install Parallels Tools to enable the Microsoft Store.
|
||||
- Go to the Microsoft Store and update all apps. Apps are outdated almost by guarantee. If winget is acting finicky, this might just be because it is not updated.
|
||||
|
||||
Think about whether you want to login with a Microsoft Account with or not. If you do not login, app installs are tied to your hardware ID. If you do, then they will be tied to your Microsoft Account.
|
||||
Think about whether you want to login with a Microsoft Account with or not. If you do not login, app installs are tied to your hardware ID. If you do, then they will be tied to your Microsoft Account.
|
||||
|
Loading…
Reference in New Issue
Block a user