Microsoft Edge

Signed-off-by: Tommy <contact@tommytran.io>

Group Policies Objects/App Privacy.md

@@ -25,3 +25,4 @@ These contains some settings that are not in the Settings app (and vice versa).
 - Let Windows apps activate with voice -> Enabled -> Force Deny
 - Let Windows apps activate with voice while the system is locked -> Enabled -> Force Deny
 - Let Windows apps access diagnostic information about other apps -> Enabled -> Force Deny
+- Let Winodws apps communicate with unpaired devices -> Enabled -> Force Deny

Group Policies Objects/Computer Configuration/Control Panel/Allow Online Tips.md

@@ -1,5 +0,0 @@
-# Allow Online Tips
-
-`Computer Configuration\Administrative Templates\Control Panel`
-
-- Allow Online Tips -> Disabled (Not sure about privacy implications, but no reason for it to be on)

Group Policies Objects/Computer Configuration/Control Panel/Personalization.md

@@ -1,5 +0,0 @@
-# Personalization
-
-`Computer Configuration\Administrative Templates\Control Panel\Personalization`
-
-- Prevent enabling lock screen camera -> Enabled (Probably not invasive, though I don't see a reason for it to be on)

Group Policies Objects/Computer Configuration/Control Panel/Regional and Language options.md

@@ -1,6 +0,0 @@
-# Regional and Language Options
-
-`Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options`
-
-- Allow users to enable online speech recognition services -> Disabled
-- Handwriting personalization -> Turn off automatic learning -> Enabled

Group Policies Objects/Computer Configuration/System/Device Guard.md

@@ -1,5 +0,0 @@
-# Device Guard
-
-`Computer Configuration\Administrative Templates\System\Device Guard`
-
-- Turn On Virtualization Based Security -> Enabled (**Only do this if you are running Windows on bare metal or with nested virtualization**)

Group Policies Objects/Computer Configuration/System/User Profiles.md

@@ -1,6 +0,0 @@
-# User Profiles
-
-`Computer Configuration\Administrative Templates\System\User Profiles`
-
-- Turn off the advertising ID -> Enabled
-- Only allow local user profiles -> Enabled (You probably aren't going to use roaming profiles unless you are in some niche environment like a university, are you? Might as well just disable them because why not?)

Group Policies Objects/Computer Configuration/Windows Components/Controlled Folder Access.md

@@ -1,5 +0,0 @@
-# Controlled Folder Access
-
-`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access`
-
-- Configure Controlled folder access -> Enabled -> Block

Group Policies Objects/Computer Configuration/Windows Components/File Explorer.md

@@ -1,5 +0,0 @@
-# File Explorer
-
-`Computer Configuration\Administrative Templates\Windows Components\File Explorer`
-
-- Turn off account-based insights, recent, favorite, and recommended files in File Explorer -> Enabled (Not sure if this is actually privacy invasive or not, but best to keep it off anyways.)

Group Policies Objects/Computer Configuration/Windows Components/MAPS.md

@@ -1,7 +0,0 @@
-# MAPS
-
-`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MAPS`
-
-Microsoft Defender Antivirus MAPS is an interesting case. You should configure it depending on your threat model, and treat it like SmartScreen. We will disable automatic sample submission regardless because that could be privacy invasive.
-
-- Send file samples when further analysis is required -> Enabled -> Never send

Group Policies Objects/Computer Configuration/Windows Components/Microsoft Edge.md

@@ -1,12 +0,0 @@
-# Legacy Microsoft Edge
-
-`Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge`
-
-**Legacy Microsoft Edge, not the Chromium based one. Obsolete.**
-
-- Configure Autofill -> Disable (Password Manager is off so no reason for autofill to be on)
-- Configure Do Not Track -> Enable
-- Allow Extensions -> Disable (I do not use extensions, and they reduce security in a lot of cases. Don't disable this if you need extensions, of course.)
-- Allow Adobe Flash -> Disable (Dead technology, dangerous)
-- Configure Password Manager -> Disable (**The password manager does NOT have E2EE**)
-- Prevent using Localhost IP address for WebRTC -> Enable

Group Policies Objects/Computer Configuration/Windows Components/Network Protection.md

@@ -1,12 +0,0 @@
-# Network Protection
-
-Only relevant if SmartScreen is used.
-
-Documentation:
-- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide
-- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide
-
-`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Network Protection`
-
-This settings controls whether Network protection is allowed to be configured into block or audit mode on Windows -> Enabled (Only relevant if running Windows Server)
-Prevent users and apps from accessing dangerous websites -> Enabled -> Block

Group Policies Objects/Control Panel.md

@@ -0,0 +1,19 @@
+# Control Panel
+
+`Computer Configuration\Administrative Templates\Control Panel`
+
+- Allow Online Tips -> Disabled (Not sure about privacy implications, but no reason for it to be on)
+
+## Personalization
+
+`Computer Configuration\Administrative Templates\Control Panel\Personalization`
+
+- Prevent enabling lock screen camera -> Enabled (Probably not invasive, though I don't see a reason for it to be on)
+- Prevent enabling lock screen slide show -> Enabled (I just don't want it)
+
+## Regional and Language Options
+
+`Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options`
+
+- Allow users to enable online speech recognition services -> Disabled
+- Handwriting personalization -> Turn off automatic learning -> Enabled

Group Policies Objects/Device Guard.md

@@ -0,0 +1,11 @@
+# Device Guard
+
+`Computer Configuration\Administrative Templates\System\Device Guard`
+
+- Turn On Virtualization Based Security -> Enabled
+
+1. Select Platform Security Level: Secure Boot and DMA Protection
+2. Virtualization Based Protection of Code Integrity: Enabled with UEFI lock
+3. Credential Guard Configuration: Enabled with UEFI lock
+4. Secure Launch Configuration: Enabled
+5. Kernel-mode Hardware-enforced Stack Protection: Enabled in enforcement mode

Group Policies Objects/File Explorer.md

@@ -1,5 +1,9 @@
 # File Explorer
 
+`Computer Configuration\Administrative Templates\Windows Components\File Explorer`
+
+- Turn off account-based insights, recent, favorite, and recommended files in File Explorer -> Enabled (Not sure if this is actually privacy invasive or not, but best to keep it off anyways.)
+
 `User Configuration\Administrative Templates\Windows Components\File Explorer`
 
 - Turn off display of recent search entries in the File Explorer search box -> Enabled (**EXTREMELY INVASIVE**. This stores your search history in the registry according to the docs, and is also responsible for the Bing search in the Start Menu just like the policies in Search even though the description does not mention it.)

Group Policies Objects/Gaming/Mitigation Options (Gaming).md

@@ -0,0 +1,5 @@
+# Mitigation Options
+
+`Computer Configuration\Administrative Templates\System\Mitigation Options`
+
+- Untrusted Font Blocking -> Disabled

Group Policies Objects/Gaming/Windows Game Recording and Broadcasting (Gaming).md

@@ -0,0 +1,5 @@
+# Windows Game Recording and Broadcasting
+
+`Computer Configuration\Administrative Templates\Windows Components\Windows Game Recording and Broadcasting`
+
+- Enables or disables Windows Game Windows Game Recording and Broadcasting -> Enabled

Group Policies Objects/Internet Communication settings.md

@@ -5,9 +5,10 @@
 **Old and very likely to be obsolete.**
 
 - Turn off Windows Customer Experience Improvement Program -> Enabled
-- Turn off downloading of print drivers over HTTP -> Enabled
 - Turn off printing over HTTP -> Enabled
+- Turn off downloading of print drivers over HTTP -> Enabled
 - Turn off Help and Support Center "Did you know?" content -> Enabled (These are probably not that useful and will just be annoying)
 - Turn off Windows Error Reporting -> Enabled
 - turn off Search Companion content file updates -> Enabled
 - Turn off Windows Messenger Customer Experience Improvement Program -> Enabled
+- Turn off handwriting personalization and data sharing -> Enabled

Group Policies Objects/Legacy Microsoft Edge.md

@@ -0,0 +1,14 @@
+# Legacy Microsoft Edge
+
+`Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge`
+
+**Legacy Microsoft Edge, not the Chromium based one. Obsolete.**
+
+- Allow Address bar drop-down list suggestions -> Disabled
+- Configure Autofill -> Disabled (Password Manager is off so no reason for autofill to be on)
+- Configure Do Not Track -> Enabled
+- Allow Extensions -> Disabled (I do not use extensions, and they reduce security in a lot of cases. Don't disable this if you need extensions, of course.)
+- Allow Adobe Flash -> Disabled (Dead technology, dangerous)
+- Configure Password Manager -> Disabled (**The password manager does NOT have E2EE**)
+- Configure SmartScreen -> Disabled
+- Prevent using Localhost IP address for WebRTC -> Enabled

Group Policies Objects/Microsoft Defender Antivirus

@@ -0,0 +1,30 @@
+# Microsoft Defender Antivirus
+
+`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus`
+
+## MAPS
+
+`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MAPS`
+
+Microsoft Defender Antivirus MAPS is an interesting case. You should configure it depending on your threat model, and treat it like SmartScreen. We will disable automatic sample submission regardless because that could be privacy invasive.
+
+- Send file samples when further analysis is required -> Enabled -> Always Prompt
+
+## Network Protection
+
+Only relevant if SmartScreen is used.
+
+Documentation:
+- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide
+- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide
+
+`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Network Protection`
+
+This settings controls whether Network protection is allowed to be configured into block or audit mode on Windows -> Enabled (Only relevant if running Windows Server)
+Prevent users and apps from accessing dangerous websites -> Enabled -> Block
+
+## Controlled Folder Access
+
+`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access`
+
+- Configure Controlled folder access -> Enabled -> Block

Group Policies Objects/Microsoft Edge.md

@@ -0,0 +1,5 @@
+# Microsoft Edge
+
+You will need to download the Edge policies from https://www.microsoft.com/en-us/edge/business/download?form=MA13FJ and install it.
+
+For the actual policies to set, you can follow my repo at https://github.com/TommyTran732/Microsoft-Edge-Policies at set the equivalent group policies of what is being set there.

Group Policies Objects/Parallels/Device Guard (Parallels).md

@@ -0,0 +1,5 @@
+# Device Guard
+
+`Computer Configuration\Administrative Templates\System\Device Guard`
+
+- Turn On Virtualization Based Security -> Disabled

Group Policies Objects/Text Input.md

@@ -1,5 +1,5 @@
 # Text Input
 
-`Computer Configuration\Administrative Templates\Windows Components\Widgets`
+`Computer Configuration\Administrative Templates\Windows Components\Text Input`
 
 - Improve inking and typing recognition -> Disabled

Group Policies Objects/Windows Calendar.md

@@ -2,6 +2,8 @@
 
 `Computer Configuration\Administrative Templates\Windows Components\Windows Calendar`
 
+**Obsolete**
+
 Probably not a huge privacy/security issue. I just disable it because I do not want it.
 
 - Turn off Windows Calendar -> Enabled