1
0
mirror of https://github.com/TommyTran732/Windows-Setup.git synced 2024-11-13 19:51:43 -05:00

Compare commits

...

15 Commits

Author SHA1 Message Date
493ec19f14
Microsoft Edge
Signed-off-by: Tommy <contact@tommytran.io>
2023-12-31 02:56:20 -07:00
4a6076d649
Finish reorganizing group policies
Signed-off-by: Tommy <contact@tommytran.io>
2023-12-31 01:58:30 -07:00
d5fde9da05
Service Control Manager Settings
Signed-off-by: Tommy <contact@tommytran.io>
2023-12-31 01:35:37 -07:00
13a893a454
Update policies
Signed-off-by: Tommy <contact@tommytran.io>
2023-12-31 01:31:37 -07:00
0505ca6279
Update policies
Signed-off-by: Tommy <contact@tommytran.io>
2023-12-31 00:53:27 -07:00
72bc97f861
Update policies
Signed-off-by: Tommy <contact@tommytran.io>
2023-12-30 23:20:38 -07:00
f5b221b107
Move Windows Calendar
Signed-off-by: Tommy <contact@tommytran.io>
2023-12-30 23:10:13 -07:00
8e72176fab
Update Legacy Microsoft Edge Policy
Signed-off-by: Tommy <contact@tommytran.io>
2023-12-30 23:01:34 -07:00
9465fed6d3
Merge File Explorer policies
Signed-off-by: Tommy <contact@tommytran.io>
2023-12-30 22:46:30 -07:00
ef591f17da
Prompt for MAPS
Signed-off-by: Tommy <contact@tommytran.io>
2023-12-30 22:43:41 -07:00
b94f2e2cd5
Move MAPS
Signed-off-by: Tommy <contact@tommytran.io>
2023-12-30 22:40:58 -07:00
0bb371b09a
Update policies
Signed-off-by: Tommy <contact@tommytran.io>
2023-12-30 22:39:37 -07:00
0eb34f5278
Update policies
Signed-off-by: Tommy <contact@tommytran.io>
2023-12-30 22:27:37 -07:00
88ce7fd6c0
Typo Fix
Signed-off-by: Tommy <contact@tommytran.io>
2023-12-30 21:55:53 -07:00
5906bad9b8
Update policies
Signed-off-by: Tommy <contact@tommytran.io>
2023-12-30 21:54:28 -07:00
45 changed files with 104 additions and 70 deletions

View File

@ -25,3 +25,4 @@ These contains some settings that are not in the Settings app (and vice versa).
- Let Windows apps activate with voice -> Enabled -> Force Deny - Let Windows apps activate with voice -> Enabled -> Force Deny
- Let Windows apps activate with voice while the system is locked -> Enabled -> Force Deny - Let Windows apps activate with voice while the system is locked -> Enabled -> Force Deny
- Let Windows apps access diagnostic information about other apps -> Enabled -> Force Deny - Let Windows apps access diagnostic information about other apps -> Enabled -> Force Deny
- Let Winodws apps communicate with unpaired devices -> Enabled -> Force Deny

View File

@ -1,5 +0,0 @@
# Allow Online Tips
`Computer Configuration\Administrative Templates\Control Panel`
- Allow Online Tips -> Disabled (Not sure about privacy implications, but no reason for it to be on)

View File

@ -1,5 +0,0 @@
# Personalization
`Computer Configuration\Administrative Templates\Control Panel\Personalization`
- Prevent enabling lock screen camera -> Enabled (Probably not invasive, though I don't see a reason for it to be on)

View File

@ -1,6 +0,0 @@
# Regional and Language Options
`Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options`
- Allow users to enable online speech recognition services -> Disabled
- Handwriting personalization -> Turn off automatic learning -> Enabled

View File

@ -1,5 +0,0 @@
# Device Guard
`Computer Configuration\Administrative Templates\System\Device Guard`
- Turn On Virtualization Based Security -> Enabled (**Only do this if you are running Windows on bare metal or with nested virtualization**)

View File

@ -1,6 +0,0 @@
# User Profiles
`Computer Configuration\Administrative Templates\System\User Profiles`
- Turn off the advertising ID -> Enabled
- Only allow local user profiles -> Enabled (You probably aren't going to use roaming profiles unless you are in some niche environment like a university, are you? Might as well just disable them because why not?)

View File

@ -1,5 +0,0 @@
# Controlled Folder Access
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access`
- Configure Controlled folder access -> Enabled -> Block

View File

@ -1,5 +0,0 @@
# File Explorer
`Computer Configuration\Administrative Templates\Windows Components\File Explorer`
- Turn off account-based insights, recent, favorite, and recommended files in File Explorer -> Enabled (Not sure if this is actually privacy invasive or not, but best to keep it off anyways.)

View File

@ -1,7 +0,0 @@
# MAPS
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MAPS`
Microsoft Defender Antivirus MAPS is an interesting case. You should configure it depending on your threat model, and treat it like SmartScreen. We will disable automatic sample submission regardless because that could be privacy invasive.
- Send file samples when further analysis is required -> Enabled -> Never send

View File

@ -1,12 +0,0 @@
# Legacy Microsoft Edge
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge`
**Legacy Microsoft Edge, not the Chromium based one. Obsolete.**
- Configure Autofill -> Disable (Password Manager is off so no reason for autofill to be on)
- Configure Do Not Track -> Enable
- Allow Extensions -> Disable (I do not use extensions, and they reduce security in a lot of cases. Don't disable this if you need extensions, of course.)
- Allow Adobe Flash -> Disable (Dead technology, dangerous)
- Configure Password Manager -> Disable (**The password manager does NOT have E2EE**)
- Prevent using Localhost IP address for WebRTC -> Enable

View File

@ -1,12 +0,0 @@
# Network Protection
Only relevant if SmartScreen is used.
Documentation:
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Network Protection`
This settings controls whether Network protection is allowed to be configured into block or audit mode on Windows -> Enabled (Only relevant if running Windows Server)
Prevent users and apps from accessing dangerous websites -> Enabled -> Block

View File

@ -0,0 +1,19 @@
# Control Panel
`Computer Configuration\Administrative Templates\Control Panel`
- Allow Online Tips -> Disabled (Not sure about privacy implications, but no reason for it to be on)
## Personalization
`Computer Configuration\Administrative Templates\Control Panel\Personalization`
- Prevent enabling lock screen camera -> Enabled (Probably not invasive, though I don't see a reason for it to be on)
- Prevent enabling lock screen slide show -> Enabled (I just don't want it)
## Regional and Language Options
`Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options`
- Allow users to enable online speech recognition services -> Disabled
- Handwriting personalization -> Turn off automatic learning -> Enabled

View File

@ -0,0 +1,11 @@
# Device Guard
`Computer Configuration\Administrative Templates\System\Device Guard`
- Turn On Virtualization Based Security -> Enabled
1. Select Platform Security Level: Secure Boot and DMA Protection
2. Virtualization Based Protection of Code Integrity: Enabled with UEFI lock
3. Credential Guard Configuration: Enabled with UEFI lock
4. Secure Launch Configuration: Enabled
5. Kernel-mode Hardware-enforced Stack Protection: Enabled in enforcement mode

View File

@ -1,5 +1,9 @@
# File Explorer # File Explorer
`Computer Configuration\Administrative Templates\Windows Components\File Explorer`
- Turn off account-based insights, recent, favorite, and recommended files in File Explorer -> Enabled (Not sure if this is actually privacy invasive or not, but best to keep it off anyways.)
`User Configuration\Administrative Templates\Windows Components\File Explorer` `User Configuration\Administrative Templates\Windows Components\File Explorer`
- Turn off display of recent search entries in the File Explorer search box -> Enabled (**EXTREMELY INVASIVE**. This stores your search history in the registry according to the docs, and is also responsible for the Bing search in the Start Menu just like the policies in Search even though the description does not mention it.) - Turn off display of recent search entries in the File Explorer search box -> Enabled (**EXTREMELY INVASIVE**. This stores your search history in the registry according to the docs, and is also responsible for the Bing search in the Start Menu just like the policies in Search even though the description does not mention it.)

View File

@ -0,0 +1,5 @@
# Mitigation Options
`Computer Configuration\Administrative Templates\System\Mitigation Options`
- Untrusted Font Blocking -> Disabled

View File

@ -0,0 +1,5 @@
# Windows Game Recording and Broadcasting
`Computer Configuration\Administrative Templates\Windows Components\Windows Game Recording and Broadcasting`
- Enables or disables Windows Game Windows Game Recording and Broadcasting -> Enabled

View File

@ -5,9 +5,10 @@
**Old and very likely to be obsolete.** **Old and very likely to be obsolete.**
- Turn off Windows Customer Experience Improvement Program -> Enabled - Turn off Windows Customer Experience Improvement Program -> Enabled
- Turn off downloading of print drivers over HTTP -> Enabled
- Turn off printing over HTTP -> Enabled - Turn off printing over HTTP -> Enabled
- Turn off downloading of print drivers over HTTP -> Enabled
- Turn off Help and Support Center "Did you know?" content -> Enabled (These are probably not that useful and will just be annoying) - Turn off Help and Support Center "Did you know?" content -> Enabled (These are probably not that useful and will just be annoying)
- Turn off Windows Error Reporting -> Enabled - Turn off Windows Error Reporting -> Enabled
- turn off Search Companion content file updates -> Enabled - turn off Search Companion content file updates -> Enabled
- Turn off Windows Messenger Customer Experience Improvement Program -> Enabled - Turn off Windows Messenger Customer Experience Improvement Program -> Enabled
- Turn off handwriting personalization and data sharing -> Enabled

View File

@ -0,0 +1,14 @@
# Legacy Microsoft Edge
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge`
**Legacy Microsoft Edge, not the Chromium based one. Obsolete.**
- Allow Address bar drop-down list suggestions -> Disabled
- Configure Autofill -> Disabled (Password Manager is off so no reason for autofill to be on)
- Configure Do Not Track -> Enabled
- Allow Extensions -> Disabled (I do not use extensions, and they reduce security in a lot of cases. Don't disable this if you need extensions, of course.)
- Allow Adobe Flash -> Disabled (Dead technology, dangerous)
- Configure Password Manager -> Disabled (**The password manager does NOT have E2EE**)
- Configure SmartScreen -> Disabled
- Prevent using Localhost IP address for WebRTC -> Enabled

View File

@ -0,0 +1,30 @@
# Microsoft Defender Antivirus
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus`
## MAPS
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MAPS`
Microsoft Defender Antivirus MAPS is an interesting case. You should configure it depending on your threat model, and treat it like SmartScreen. We will disable automatic sample submission regardless because that could be privacy invasive.
- Send file samples when further analysis is required -> Enabled -> Always Prompt
## Network Protection
Only relevant if SmartScreen is used.
Documentation:
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Network Protection`
This settings controls whether Network protection is allowed to be configured into block or audit mode on Windows -> Enabled (Only relevant if running Windows Server)
Prevent users and apps from accessing dangerous websites -> Enabled -> Block
## Controlled Folder Access
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access`
- Configure Controlled folder access -> Enabled -> Block

View File

@ -0,0 +1,5 @@
# Microsoft Edge
You will need to download the Edge policies from https://www.microsoft.com/en-us/edge/business/download?form=MA13FJ and install it.
For the actual policies to set, you can follow my repo at https://github.com/TommyTran732/Microsoft-Edge-Policies at set the equivalent group policies of what is being set there.

View File

@ -0,0 +1,5 @@
# Device Guard
`Computer Configuration\Administrative Templates\System\Device Guard`
- Turn On Virtualization Based Security -> Disabled

View File

@ -1,5 +1,5 @@
# Text Input # Text Input
`Computer Configuration\Administrative Templates\Windows Components\Widgets` `Computer Configuration\Administrative Templates\Windows Components\Text Input`
- Improve inking and typing recognition -> Disabled - Improve inking and typing recognition -> Disabled

View File

@ -2,6 +2,8 @@
`Computer Configuration\Administrative Templates\Windows Components\Windows Calendar` `Computer Configuration\Administrative Templates\Windows Components\Windows Calendar`
**Obsolete**
Probably not a huge privacy/security issue. I just disable it because I do not want it. Probably not a huge privacy/security issue. I just disable it because I do not want it.
- Turn off Windows Calendar -> Enabled - Turn off Windows Calendar -> Enabled