mirror of
https://github.com/TommyTran732/Windows-Setup.git
synced 2024-11-09 09:41:46 -05:00
Compare commits: 5fc82e27fc ... 493ec19f14 (15 commits)

Commits in this range (SHA1):

- 493ec19f14
- 4a6076d649
- d5fde9da05
- 13a893a454
- 0505ca6279
- 72bc97f861
- f5b221b107
- 8e72176fab
- 9465fed6d3
- ef591f17da
- b94f2e2cd5
- 0bb371b09a
- 0eb34f5278
- 88ce7fd6c0
- 5906bad9b8
@ -25,3 +25,4 @@ These contains some settings that are not in the Settings app (and vice versa).
- Let Windows apps activate with voice -> Enabled -> Force Deny
- Let Windows apps activate with voice while the system is locked -> Enabled -> Force Deny
- Let Windows apps access diagnostic information about other apps -> Enabled -> Force Deny
- Let Winodws apps communicate with unpaired devices -> Enabled -> Force Deny
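Review bot: the added line misspells the policy name as "Let Winodws apps communicate with unpaired devices"; the Group Policy editor lists it as "Let Windows apps communicate with unpaired devices", and readers search the editor on that exact string, so fix the typo before merge. The hunk header context also reads "These contains", which should be "These contain" (or "This contains").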
@ -1,5 +0,0 @@
# Allow Online Tips

`Computer Configuration\Administrative Templates\Control Panel`

- Allow Online Tips -> Disabled (Not sure about privacy implications, but no reason for it to be on)
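Review bot: the content of this deleted file reappears in the new Control Panel.md later in this compare (as do the Personalization and Regional and Language Options files deleted in the next two hunks), so these deletions are a consolidation rather than a policy change; update any README or index links that point at the old per-setting file paths.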
@ -1,5 +0,0 @@
# Personalization

`Computer Configuration\Administrative Templates\Control Panel\Personalization`

- Prevent enabling lock screen camera -> Enabled (Probably not invasive, though I don't see a reason for it to be on)
@ -1,6 +0,0 @@
# Regional and Language Options

`Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options`

- Allow users to enable online speech recognition services -> Disabled
- Handwriting personalization -> Turn off automatic learning -> Enabled
@ -1,5 +0,0 @@
# Device Guard

`Computer Configuration\Administrative Templates\System\Device Guard`

- Turn On Virtualization Based Security -> Enabled (**Only do this if you are running Windows on bare metal or with nested virtualization**)
@ -1,6 +0,0 @@
# User Profiles

`Computer Configuration\Administrative Templates\System\User Profiles`

- Turn off the advertising ID -> Enabled
- Only allow local user profiles -> Enabled (You probably aren't going to use roaming profiles unless you are in some niche environment like a university, are you? Might as well just disable them because why not?)
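Review bot: the two settings removed here (Turn off the advertising ID, Only allow local user profiles) do not reappear in any file added in this compare, unlike the other deletions; confirm they were moved to a file outside this diff rather than dropped, since the advertising ID policy is one of the core privacy settings in the collection.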
@ -1,5 +0,0 @@
# Controlled Folder Access

`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access`

- Configure Controlled folder access -> Enabled -> Block
@ -1,5 +0,0 @@
# File Explorer

`Computer Configuration\Administrative Templates\Windows Components\File Explorer`

- Turn off account-based insights, recent, favorite, and recommended files in File Explorer -> Enabled (Not sure if this is actually privacy invasive or not, but best to keep it off anyways.)
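Review bot: a File Explorer.md with identical content is modified, not deleted, later in this compare, so two copies existed under different directories; confirm the surviving copy is the intended location and that nothing still links to this path.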
@ -1,7 +0,0 @@
# MAPS

`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MAPS`

Microsoft Defender Antivirus MAPS is an interesting case. You should configure it depending on your threat model, and treat it like SmartScreen. We will disable automatic sample submission regardless because that could be privacy invasive.

- Send file samples when further analysis is required -> Enabled -> Never send
@ -1,12 +0,0 @@
# Legacy Microsoft Edge

`Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge`

**Legacy Microsoft Edge, not the Chromium based one. Obsolete.**

- Configure Autofill -> Disable (Password Manager is off so no reason for autofill to be on)
- Configure Do Not Track -> Enable
- Allow Extensions -> Disable (I do not use extensions, and they reduce security in a lot of cases. Don't disable this if you need extensions, of course.)
- Allow Adobe Flash -> Disable (Dead technology, dangerous)
- Configure Password Manager -> Disable (**The password manager does NOT have E2EE**)
- Prevent using Localhost IP address for WebRTC -> Enable
@ -1,12 +0,0 @@
# Network Protection

Only relevant if SmartScreen is used.

Documentation:
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide

`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Network Protection`

This settings controls whether Network protection is allowed to be configured into block or audit mode on Windows -> Enabled (Only relevant if running Windows Server)
Prevent users and apps from accessing dangerous websites -> Enabled -> Block
19
Group Policies Objects/Control Panel.md
Normal file
@ -0,0 +1,19 @@
# Control Panel

`Computer Configuration\Administrative Templates\Control Panel`

- Allow Online Tips -> Disabled (Not sure about privacy implications, but no reason for it to be on)

## Personalization

`Computer Configuration\Administrative Templates\Control Panel\Personalization`

- Prevent enabling lock screen camera -> Enabled (Probably not invasive, though I don't see a reason for it to be on)
- Prevent enabling lock screen slide show -> Enabled (I just don't want it)

## Regional and Language Options

`Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options`

- Allow users to enable online speech recognition services -> Disabled
- Handwriting personalization -> Turn off automatic learning -> Enabled
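Review bot: now that this file is the canonical home for these settings, the "Not sure about privacy implications" and "Probably not invasive" hedges on Allow Online Tips and the lock screen camera entry leave readers unable to tell a privacy control from a preference; quote or link the policy description for each, or say plainly that they are preferences, as the slide show entry already does.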
11
Group Policies Objects/Device Guard.md
Normal file
@ -0,0 +1,11 @@
# Device Guard

`Computer Configuration\Administrative Templates\System\Device Guard`

- Turn On Virtualization Based Security -> Enabled

1. Select Platform Security Level: Secure Boot and DMA Protection
2. Virtualization Based Protection of Code Integrity: Enabled with UEFI lock
3. Credential Guard Configuration: Enabled with UEFI lock
4. Secure Launch Configuration: Enabled
5. Kernel-mode Hardware-enforced Stack Protection: Enabled in enforcement mode
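Review bot: the warning carried by the Device Guard.md deleted earlier in this compare (**Only do this if you are running Windows on bare metal or with nested virtualization**) is dropped here without replacement; re-add it next to "Turn On Virtualization Based Security -> Enabled", since a VM without nested virtualization cannot bring these features up. The two "Enabled with UEFI lock" options also deserve a sentence: the lock stores the setting in UEFI, so later policy changes alone will not turn the feature back off, and a reader who needs to revert should know that before applying them.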
@ -1,5 +1,9 @@
# File Explorer

`Computer Configuration\Administrative Templates\Windows Components\File Explorer`

- Turn off account-based insights, recent, favorite, and recommended files in File Explorer -> Enabled (Not sure if this is actually privacy invasive or not, but best to keep it off anyways.)

`User Configuration\Administrative Templates\Windows Components\File Explorer`

- Turn off display of recent search entries in the File Explorer search box -> Enabled (**EXTREMELY INVASIVE**. This stores your search history in the registry according to the docs, and is also responsible for the Bing search in the Start Menu just like the policies in Search even though the description does not mention it.)
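Review bot: the new User Configuration entry states that this policy "is also responsible for the Bing search in the Start Menu" while conceding that the policy description does not say so; that is a testable claim, so either cite where it is documented or label it as observed behaviour and name the Windows version it was observed on, otherwise readers cannot tell it apart from the documented registry-history behaviour in the same sentence.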
@ -0,0 +1,5 @@
# Mitigation Options

`Computer Configuration\Administrative Templates\System\Mitigation Options`

- Untrusted Font Blocking -> Disabled
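Review bot: "Untrusted Font Blocking -> Disabled" is the one entry in this compare that switches a mitigation off rather than a telemetry or convenience feature, and it is the only entry with no rationale in parentheses; add one (why it is not wanted, or on which Windows versions it is redundant) so readers do not copy the value blindly.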
@ -0,0 +1,5 @@
# Windows Game Recording and Broadcasting

`Computer Configuration\Administrative Templates\Windows Components\Windows Game Recording and Broadcasting`

- Enables or disables Windows Game Windows Game Recording and Broadcasting -> Enabled
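Review bot: the value looks inverted: for an "Enables or disables ..." policy, Enabled permits Game Recording and Broadcasting and Disabled turns it off, so given the purpose of the surrounding files Disabled is presumably intended; confirm against the policy description before merging. The policy name is also duplicated in the entry ("Windows Game Windows Game Recording and Broadcasting").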
@ -5,9 +5,10 @@
**Old and very likely to be obsolete.**

- Turn off Windows Customer Experience Improvement Program -> Enabled
- Turn off downloading of print drivers over HTTP -> Enabled
- Turn off printing over HTTP -> Enabled
- Turn off downloading of print drivers over HTTP -> Enabled
- Turn off Help and Support Center "Did you know?" content -> Enabled (These are probably not that useful and will just be annoying)
- Turn off Windows Error Reporting -> Enabled
- turn off Search Companion content file updates -> Enabled
- Turn off Windows Messenger Customer Experience Improvement Program -> Enabled
- Turn off handwriting personalization and data sharing -> Enabled
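Review bot: "Turn off downloading of print drivers over HTTP -> Enabled" appears twice in this hunk; the header (-5,9 +5,10) allows for one removed and two added lines, so if both copies survive in the new version the second is a duplicate and should go. Minor: "turn off Search Companion content file updates" is lowercase where every other entry starts with "Turn off".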
14
Group Policies Objects/Legacy Microsoft Edge.md
Normal file
@ -0,0 +1,14 @@
# Legacy Microsoft Edge

`Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge`

**Legacy Microsoft Edge, not the Chromium based one. Obsolete.**

- Allow Address bar drop-down list suggestions -> Disabled
- Configure Autofill -> Disabled (Password Manager is off so no reason for autofill to be on)
- Configure Do Not Track -> Enabled
- Allow Extensions -> Disabled (I do not use extensions, and they reduce security in a lot of cases. Don't disable this if you need extensions, of course.)
- Allow Adobe Flash -> Disabled (Dead technology, dangerous)
- Configure Password Manager -> Disabled (**The password manager does NOT have E2EE**)
- Configure SmartScreen -> Disabled
- Prevent using Localhost IP address for WebRTC -> Enabled
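Review bot: "Configure SmartScreen -> Disabled" is added with no rationale, while the MAPS and Network Protection text elsewhere in this compare tells readers to decide SmartScreen by their threat model; a short parenthetical pointing to that guidance, or stating why it is off here, keeps the files consistent. Low priority given the file is marked obsolete, but the inconsistency will be copied.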
30
Group Policies Objects/Microsoft Defender Antivirus
Normal file
@ -0,0 +1,30 @@
# Microsoft Defender Antivirus

`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus`

## MAPS

`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MAPS`

Microsoft Defender Antivirus MAPS is an interesting case. You should configure it depending on your threat model, and treat it like SmartScreen. We will disable automatic sample submission regardless because that could be privacy invasive.

- Send file samples when further analysis is required -> Enabled -> Always Prompt

## Network Protection

Only relevant if SmartScreen is used.

Documentation:
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide

`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Network Protection`

This settings controls whether Network protection is allowed to be configured into block or audit mode on Windows -> Enabled (Only relevant if running Windows Server)
Prevent users and apps from accessing dangerous websites -> Enabled -> Block

## Controlled Folder Access

`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access`

- Configure Controlled folder access -> Enabled -> Block
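Review bot: the MAPS value changed from "Never send" (in the MAPS.md deleted earlier in this compare) to "Always Prompt", but the paragraph above it still promises that automatic submission is disabled "regardless"; either add a clause saying that prompting is the chosen way to avoid automatic submission, or keep "Never send". In the Network Protection section the two setting lines lack the leading "- " that every other entry uses, and "This settings controls" should be "This setting controls". The file itself is also the only one in the compare without a .md extension (Group Policies Objects/Microsoft Defender Antivirus), so it will not render as Markdown.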
5
Group Policies Objects/Microsoft Edge.md
Normal file
@ -0,0 +1,5 @@
# Microsoft Edge

You will need to download the Edge policies from https://www.microsoft.com/en-us/edge/business/download?form=MA13FJ and install it.

For the actual policies to set, you can follow my repo at https://github.com/TommyTran732/Microsoft-Edge-Policies at set the equivalent group policies of what is being set there.
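Review bot: "at set the equivalent group policies" should read "and set the equivalent group policies", and "install it" refers to the policy templates, so "install them". The download link also carries a marketing attribution query string (?form=MA13FJ) that can be dropped from a privacy-oriented repo without affecting the page it reaches.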
@ -0,0 +1,5 @@
# Device Guard

`Computer Configuration\Administrative Templates\System\Device Guard`

- Turn On Virtualization Based Security -> Disabled
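Review bot: this adds a second Device Guard file that sets "Turn On Virtualization Based Security -> Disabled", while the Device Guard.md added earlier in this compare sets it to Enabled with UEFI lock; the file path is not shown here, so state inside the file which environment it targets (presumably VMs without nested virtualization, per the warning in the old file) so the two are never applied to the same machine.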
@ -1,5 +1,5 @@
# Text Input

`Computer Configuration\Administrative Templates\Windows Components\Widgets`
`Computer Configuration\Administrative Templates\Windows Components\Text Input`

- Improve inking and typing recognition -> Disabled
@ -2,6 +2,8 @@

`Computer Configuration\Administrative Templates\Windows Components\Windows Calendar`

**Obsolete**

Probably not a huge privacy/security issue. I just disable it because I do not want it.

- Turn off Windows Calendar -> Enabled