mirror of
https://github.com/TommyTran732/Windows-Setup.git
synced 2024-11-22 16:11:45 -05:00
Compare commits
No commits in common. "2b9b6261863ba722e97b65590cc49b7f88bd02da" and "122674463ac2b404da4bcf28cfaede0d8ac4803a" have entirely different histories.
2b9b626186
...
122674463a
@ -5,6 +5,3 @@
|
||||
- Toggle user control over Insider builds -> Disabled
|
||||
- Allow Diagnostic Data -> Enabled -> Diagnostic Data off (Only affects Enterprise, Education, and Server)
|
||||
- Do not show feedback notification -> Enabled
|
||||
|
||||
`User Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds`
|
||||
- Allow Diagnostic Data -> Enabled -> Diagnostic Data off (Only affects Enterprise, Education, and Server)
|
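Review bot: "Allow Diagnostic Data -> Enabled -> Diagnostic Data off" is qualified as only affecting Enterprise, Education, and Server, but nothing in this hunk says what to set on other editions. The same line is listed twice, once above and once under the User Configuration path, and the header shows the section going from six lines to three; if the User Configuration copy is the part being dropped, state in the file that the Computer Configuration policy alone is relied on.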
@ -1,5 +0,0 @@
|
||||
# Filesystem
|
||||
|
||||
`Computer Configuration\Administrative Templates\System\Filesystem`
|
||||
|
||||
- Enable Dev drive -> Disabled
|
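Review bot: the whole Filesystem file is removed (-1,5 +0,0), taking "Enable Dev drive -> Disabled" with it, and neither the removed line nor anything else visible in this compare gives a reason. If Dev Drive is meant to stay disabled, keep the policy line somewhere in the baseline; if not, record why it was dropped.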
@ -1,59 +0,0 @@
|
||||
# Microsoft Defender Antivirus
|
||||
|
||||
**MAPS and features dependent on it are not enabled using this policy. It just configures how aggressive MAPS should be. This is quite invasive so I will only enable it for certain OUs.**
|
||||
|
||||
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus`
|
||||
|
||||
## MAPS
|
||||
|
||||
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MAPS`
|
||||
|
||||
- Configure the 'Block at First Sight' feature -> Enabled
|
||||
- Send file samples when further analysis is required -> Enabled -> Always Prompt (Send safe sample works better with 'Block at First Sight, but I really, really do not trust Microsoft on this one)
|
||||
|
||||
## Controlled Folder Access
|
||||
|
||||
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access`
|
||||
|
||||
- Configure Controlled folder access -> Enabled -> Block
|
||||
|
||||
## Network Protection
|
||||
|
||||
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Network Protection`
|
||||
|
||||
Only relevant if SmartScreen is used.
|
||||
|
||||
Documentation:
|
||||
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide
|
||||
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide
|
||||
|
||||
This settings controls whether Network protection is allowed to be configured into block or audit mode on Windows -> Enabled (Only relevant if running Windows Server)
|
||||
Prevent users and apps from accessing dangerous websites -> Enabled -> Block
|
||||
|
||||
## MpEngine
|
||||
|
||||
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine`
|
||||
|
||||
Only relevant if MAPS is used
|
||||
|
||||
- Enable file hash computation feature -> Enabled
|
||||
- Configure extended cloud check -> Specify the extended cloud check time in seconds -> 50
|
||||
- Select cloud protection level -> Zero tolerance blocking level
|
||||
|
||||
## Quarantine
|
||||
|
||||
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Quarantine`
|
||||
|
||||
- Configure local settings override for the removal of items from Quarantine folder -> Enabled
|
||||
- Configure removal of items from Quarantine folder -> 1 day
|
||||
|
||||
## Scan
|
||||
|
||||
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Scan`
|
||||
|
||||
- Scan for the latest virus and spyware security intelligence before running a scheduled scan -> Enabled
|
||||
- Turn on catch-up quick scan -> Enabled
|
||||
|
||||
## Security Intelligence Updates
|
||||
|
||||
- Check for the latest virus and spyware security intelligence on startup -> Enabled
|
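Review bot: this 59-line file is removed in full (-1,59 +0,0), and the 30-line file added later in this compare does not carry over "Configure the 'Block at First Sight' feature", the MpEngine section (file hash computation, extended cloud check of 50 seconds, Zero tolerance blocking level), Quarantine, Scan, or Security Intelligence Updates. MpEngine is marked "Only relevant if MAPS is used", but Quarantine, Scan and Security Intelligence Updates carry no such caveat, so they look worth keeping in the replacement. If they are being retired on purpose, say so in the new file.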
@ -4,12 +4,11 @@
|
||||
|
||||
**Old and very likely to be obsolete.**
|
||||
|
||||
- Turn off handwriting personalization and data sharing -> Enabled
|
||||
- Turn off Windows Messenger Customer Experience Improvement Program -> Enabled
|
||||
- Turn off Windows Customer Experience Improvement Program -> Enabled
|
||||
- Turn off printing over HTTP -> Enabled
|
||||
- Turn off downloading of print drivers over HTTP -> Enabled
|
||||
- Turn off Help and Support Center "Did you know?" content -> Enabled (These are probably not that useful and will just be annoying)
|
||||
- Turn off Windows Error Reporting -> Enabled
|
||||
- Turn off Search Companion content file updates -> Enabled
|
||||
- Turn off Windows Customer Experience Improvement Program -> Enabled
|
||||
- Turn off handwriting recognition error reporting -> Enabled
|
||||
- turn off Search Companion content file updates -> Enabled
|
||||
- Turn off Windows Messenger Customer Experience Improvement Program -> Enabled
|
||||
- Turn off handwriting personalization and data sharing -> Enabled
|
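Review bot: "turn off Search Companion content file updates -> Enabled" starts with a lowercase "turn" while every other entry, including the other copy of the same line, is capitalised; use "Turn off" on whichever side is kept. The rest of the hunk repeats the same policies in a different order with unchanged values, and the header goes from 12 lines to 11, so the commit message should say which entry was dropped and why.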
@ -10,7 +10,5 @@
|
||||
- Allow Extensions -> Disabled (I do not use extensions, and they reduce security in a lot of cases. Don't disable this if you need extensions, of course.)
|
||||
- Allow Adobe Flash -> Disabled (Dead technology, dangerous)
|
||||
- Configure Password Manager -> Disabled (**The password manager does NOT have E2EE**)
|
||||
- Configure Windows Defender SmartScreen -> Disabled
|
||||
- Allow extended telemetry for the Books tab -> Disabled
|
||||
- Configure SmartScreen -> Disabled
|
||||
- Prevent using Localhost IP address for WebRTC -> Enabled
|
||||
- Prevent Microsoft Edge from gather Live Tile information when pinning a site to Start
|
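Review bot: the last line, "Prevent Microsoft Edge from gather Live Tile information when pinning a site to Start", has no "-> Enabled" or "-> Disabled" value, so a reader cannot tell what to set; add the value and change "gather" to "gathering". Both "Configure Windows Defender SmartScreen -> Disabled" and "Configure SmartScreen -> Disabled" appear here without the kind of rationale given for Extensions, Flash and Password Manager. Since the Defender file marks Network Protection as "Only relevant if SmartScreen is used", a one-line reason for disabling it would help readers decide.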
30
Group Policies Objects/Microsoft Defender Antivirus
Normal file
@ -0,0 +1,30 @@
|
||||
# Microsoft Defender Antivirus
|
||||
|
||||
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus`
|
||||
|
||||
## MAPS
|
||||
|
||||
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MAPS`
|
||||
|
||||
Microsoft Defender Antivirus MAPS is an interesting case. You should configure it depending on your threat model, and treat it like SmartScreen. We will disable automatic sample submission regardless because that could be privacy invasive.
|
||||
|
||||
- Send file samples when further analysis is required -> Enabled -> Always Prompt
|
||||
|
||||
## Network Protection
|
||||
|
||||
Only relevant if SmartScreen is used.
|
||||
|
||||
Documentation:
|
||||
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide
|
||||
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide
|
||||
|
||||
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Network Protection`
|
||||
|
||||
This settings controls whether Network protection is allowed to be configured into block or audit mode on Windows -> Enabled (Only relevant if running Windows Server)
|
||||
Prevent users and apps from accessing dangerous websites -> Enabled -> Block
|
||||
|
||||
## Controlled Folder Access
|
||||
|
||||
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access`
|
||||
|
||||
- Configure Controlled folder access -> Enabled -> Block
|
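Review bot: under "## Network Protection" the two policy lines ("This settings controls ..." and "Prevent users and apps from accessing dangerous websites -> Enabled -> Block") lack the leading "- " that every other setting in the file uses, and "This settings controls" should read "This setting controls". In the same section the policy path sits after the Documentation links, while MAPS and Controlled Folder Access place it directly under the heading; move it up for consistency. The file path shown for this new file also has no extension, although the content is Markdown.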
@ -1,5 +0,0 @@
|
||||
# LDAPS
|
||||
|
||||
**Only relevant if you are using Active Directory.**
|
||||
|
||||
Active Directory by default only uses LDAP, which is unencrypted and unverified. You should set up LDAPS. Traditionally, you have to setup a server for key management. However, if you only have Domain Controllers, you may be able to get away with this guide: https://www.dvolve.net/blog/2019/12/using-lets-encrypt-for-active-directory-domain-controller-certificates/
|
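Review bot: deleting the LDAPS file (-1,5 +0,0) removes the only text in this compare that tells Active Directory users to set up LDAPS, along with the linked guide for Domain Controller certificates. If the advice is out of scope for the repository now, note that in the commit message; otherwise keep it or fold it into another file.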