mirror of https://github.com/TommyTran732/Windows-Setup.git synced 2024-11-22 16:11:45 -05:00

Compare commits


No commits in common. "5fc82e27fc2f5a521205f60f265a23a9838245dd" and "71198a64ef2a289d2a2f1730236962ef9083fcb5" have entirely different histories.

54 changed files with 43 additions and 46 deletions

View File

@ -1,17 +0,0 @@
# Bitlocker Drive Encryption
**On Domain Controllers, Bitlocker and tools need to be installed as a feature in Server Manager first.**
`Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption`
Choose drive encryption method and cipher strength-> Enable -> XTS-AES 256-bit for operating system, fixed data, and removable drives. For Windows Vista, Windows Server 2008, etc... use AES 256-bit if you wanna set it.
**The disable new DMA devices when computer is locked should only be enabled if the specific computer does not support kernel DMA protection. Do not set this at the domain level.**
## Operating System Drives
- Disallow standard users from changing the PIN or password -> Enabled
- Require additional authentication at startup -> Enabled -> Do not allow TPM, Allow startup PIN with TPM, Do not allow startup key with TPM, Allow startup key and PIN with TPM. (**This is especially important as we do not want the TPM to automatically release the encryption key at boot.**)
- Require additional authentication at startup (Windows Server 2008 and Windows Vista) -> Enabled -> Uncheck "Allow Bitlocker without a compatible TPM". Not necessary because you shouldn't be running these versions anyways, but just in case you do have them.
- Allow enhanced PINs for startup -> Enabled.
- Configure TPM platform validation profile for native UEFI firmware configurations -> Enabled -> PCR 0,1,2,3,3,4,5,6,7,11
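Review bot: three security-relevant lines in this removed file have no counterpart in the Bitlocker file added elsewhere in this compare: the note that Domain Controllers need Bitlocker installed as a feature first, `- Disallow standard users from changing the PIN or password -> Enabled`, and the "Do not set this at the domain level" caveat on the DMA policy. If the file move is intentional, carry those three over; the PIN-change restriction is the one that stops an unprivileged user weakening pre-boot authentication, and the domain-level caveat keeps the DMA lockout from being pushed to machines that already have kernel DMA protection.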

View File

@ -1,8 +0,0 @@
# Printers
`Computer Configuration\Administrative Templates\Printers`
- Isolate print drivers from applications -> Enabled
- Configure Redirection Guard -> Enabled
- Execute print drivers in isolated processes -> Enabled
- Limit print driver installation to Administrators
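Review bot: "Limit print driver installation to Administrators" is the only item in this list without an explicit state, unlike the three "-> Enabled" lines above it, so it reads as a heading rather than a setting. Suggest `- Limit print driver installation to Administrators -> Enabled` wherever this list is restored, since that is the control that keeps non-admin users from loading arbitrary print drivers.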

View File

@ -1,4 +0,0 @@
# Group Policy Objects
- Make Central Store for policies: https://learn.microsoft.com/en-us/troubleshoot/windows-client/group-policy/create-and-manage-central-store
- Windows 23H2 template can be found here: https://www.microsoft.com/en-us/download/details.aspx?id=105667
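Review bot: the central-store instructions and the 23H2 template download are dropped here with no replacement visible in this compare. Every other file in the repository quotes `Computer Configuration\Administrative Templates\...` paths that only resolve once those templates are in the central store, so keep a pointer to where the templates come from and how they are installed.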

View File

@ -0,0 +1,5 @@
# Printers
`Computer Configuration\Administrative Templates\Printers`
- Isolate print drivers from applications -> Enabled
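Review bot: only one of the four printer policies from the removed Printers file survives in this added file; "Configure Redirection Guard -> Enabled", "Execute print drivers in isolated processes -> Enabled" and "Limit print driver installation to Administrators" are gone. The hunk header says five lines were added but only three are visible, so either the rest were cut or the drop is deliberate; if deliberate, say why, because the driver-installation restriction is the most consequential of the four.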

View File

@ -0,0 +1,13 @@
# Bitlocker Drive Encryption
`Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption`
Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) -> Enable -> XTS-AES 256-bit for operating system, fixed data, and removable drives.
**The disable new DMA devices when computer is locked should only be enabled if your computer does not support kernel DMA protection.**
## Operating System Drives
- Require additional authentication at startup -> Enabled -> Do not allow TPM, Allow startup PIN with TPM, Do not allow startup key with TPM, Allow startup key and PIN with TPM. (**This is especially important as we do not want the TPM to automatically release the encryption key at boot.**)
- Allow enhanced PINs for startup -> Enabled.
- Configure TPM platform validation profile for native UEFI firmware configurations -> Enabled -> PCR 0,1,2,3,3,4,5,6,7,11
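Review bot: the PCR list on the last line repeats index 3 (`0,1,2,3,3,4,5,6,7,11`); drop the duplicate. Worth adding one sentence on the trade-off too: sealing to PCRs 0 through 7 means a firmware update, an option ROM change or a Secure Boot policy change will force a recovery-key prompt, so the page should say where recovery keys are escrowed before recommending this profile. The DMA line also lost the "Do not set this at the domain level" caveat that the older file carried; restore it if the advice still holds.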

View File

@ -0,0 +1,10 @@
# Cloud Content
`Computer Configuration\Administrative Templates\Windows Components\Cloud Content`
I mostly disable all cloud content because they are way too annoying. There are also a few group policies relating to "personalization", so I am not entirely sure on the privacy implication of that either.
- Turn off cloud optimized content -> Enabled
- Turn off cloud consumer account state content -> Enabled
- Do not show Windows tips -> Enabled
- Turn of Microsoft consumer experiences -> Enabled
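Review bot: "Turn of Microsoft consumer experiences" on the last line is missing an "f"; the policy name is "Turn off Microsoft consumer experiences", and a misspelled name will not be found when an admin searches the Group Policy editor for it.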

View File

@ -4,4 +4,5 @@
Unless you run your own MDM system or something, this probably should not be on with a personal computer. Unless you run your own MDM system or something, this probably should not be on with a personal computer.
- Enable automatic MDM enrollment using default Azure AD credentials -> Disabled (Mostly because I do not use Azure for MDM) - Enable automatic MDM enrollment using default Azure AD credentials -> Disabled (Probably redundant because of the next policy, but it will also **disenroll** you from Azure AD)
- Disable MDM enrollment -> Enabled (This will not disenroll you though)
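Review bot: the new parenthetical on "Enable automatic MDM enrollment using default Azure AD credentials -> Disabled" claims it will disenroll the device from Azure AD, while "Disable MDM enrollment -> Enabled" is annotated as not disenrolling; neither claim links to documentation or describes how it was observed. Add the source or the test you ran, because an admin applying these two policies to an already-enrolled fleet needs to know which one breaks existing enrollment.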

View File

@ -2,7 +2,7 @@
`Computer Configuration\Administrative Templates\Windows Components\Windows Defender SmartScreen` `Computer Configuration\Administrative Templates\Windows Components\Windows Defender SmartScreen`
- Enhanced Phishing Protection -> Service Enabled -> Disabled (**Does not show on Windows Server 2022 by default**) - Enhanced Phishing Protection -> Service Enabled -> Disabled
**For a corporate scenario or when you cannot trust the user you are configuring it for and you choose to have SmartScreen enabled, do the followings:**, **For a corporate scenario or when you cannot trust the user you are configuring it for and you choose to have SmartScreen enabled, do the followings:**,
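Review bot: "do the followings:" should be "do the following:", and the bold sentence ends with a stray comma after the colon. Separately, the "(Does not show on Windows Server 2022 by default)" caveat on the Enhanced Phishing Protection line was removed; if that is still true, keep it, since an admin on Server 2022 will otherwise assume the missing policy means the template is broken.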

View File

@ -1,16 +1,9 @@
# Cloud Content # Cloud Content
I mostly disable all cloud content because they are way too annoying. There are also a few group policies relating to "personalization", so I am not entirely sure on the privacy implication of that either.
`Computer Configuration\Administrative Templates\Windows Components\Cloud Content`
- Turn off cloud optimized content -> Enabled
- Turn off cloud consumer account state content -> Enabled
- Do not show Windows tips -> Enabled
- Turn of Microsoft consumer experiences -> Enabled
`User Configuration\Administrative Templates\Windows Components\Cloud Content` `User Configuration\Administrative Templates\Windows Components\Cloud Content`
I mostly disable all cloud content because they are way too annoying. There are also a few group policies relating to "personalization", so I am not entirely sure on the privacy implication of that either.
- Do not use diagnostic data for tailored experiences -> Enabled - Do not use diagnostic data for tailored experiences -> Enabled
- Turn off all Windows spotlight features -> Enabled - Turn off all Windows spotlight features -> Enabled
- Turn off the Windows Welcome Experience -> Enabled - Turn off the Windows Welcome Experience -> Enabled
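Review bot: the Computer Configuration half of Cloud Content is removed from this file and reappears as a separate added file in this compare, so the two halves of the same ADMX category now live apart with no cross-reference; add a one-line pointer from each to the other so a reader applying the per-user policies does not miss the per-machine ones.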

View File

@ -0,0 +1,9 @@
# Microsoft Defender Application Guard
Only relevant if running on bare metal or with nested virtualization. Extremely handy for visiting untrusted websites (which should be all websites). This also works with Office Enterprise, but I do not have Office Enterprise so I cant't play with it.
Documentation: https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview
Video demo for Edge in MDAG: https://www.youtube.com/watch?v=OFEdoCWZjaI
**Microsoft Edge running in MDAG will bypass your VPN!!!**
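Review bot: "cant't" should be "can't". The bold warning that Edge in MDAG bypasses the VPN is the most important line in the file but gives no explanation or scope: say whether it was observed with a specific VPN client and what the consequence is (container traffic leaving outside the tunnel), so readers on a VPN-only network policy can decide whether MDAG is acceptable for them.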

View File

@ -4,7 +4,7 @@
### Cloud-delivered protection ### Cloud-delivered protection
This sends hashes and file paths to Microsoft. Whether to keep this on or not depends on the threat model. I recommend keeping it on on a domain controller and gaming machines. This sends hashes and file paths to Microsoft. Whether to keep this on or not depends on the threat model.
One caveat with this is that if it takes the cloud too long to scan, the computer will just run the executable. Might wanna increase the timeout later to make it less theatric: One caveat with this is that if it takes the cloud too long to scan, the computer will just run the executable. Might wanna increase the timeout later to make it less theatric:
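Review bot: the recommendation "keeping it on on a domain controller and gaming machines" was removed without replacement, so the file no longer gives any guidance for the high-value case. The caveat that follows describes fail-open behaviour (the executable runs if the cloud verdict is late), which is the security-relevant point; rather than leaving "Might wanna increase the timeout later" as a to-do, name the setting that extends the check (the "Configure extended cloud check" policy under Microsoft Defender Antivirus) and the value chosen.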
@ -65,11 +65,6 @@ Turn Force randomization for images (Mandatory ALSR) to "On by default".
# Device Security # Device Security
## Core Isolation
- Memory integrity -> Turn on
- Firmware protection -> Turn on
## Security Processor & Secure Boot ## Security Processor & Secure Boot
If theres aren't on, check the firmware settings. On Parallels, both should pass by default. If theres aren't on, check the firmware settings. On Parallels, both should pass by default.
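Review bot: the Core Isolation block ("Memory integrity -> Turn on", "Firmware protection -> Turn on") is removed without a replacement in this compare; if it moved elsewhere, say so, since memory integrity is the one setting in this file that blocks unsigned kernel drivers. Minor: "If theres aren't on" should be "If these aren't on", and the hunk context line reads "Mandatory ALSR" where the Windows setting is spelled "ASLR".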