mirror of
https://github.com/TommyTran732/Windows-Setup.git
synced 2024-11-22 08:01:46 -05:00
Compare commits
21 Commits
71198a64ef
...
5fc82e27fc
Author | SHA1 | Date | |
---|---|---|---|
5fc82e27fc | |||
dc22416f11 | |||
3e9368a62a | |||
1c1c21da32 | |||
d9e01d8aef | |||
eafb0be8e2 | |||
f5eac7286f | |||
e00504f94d | |||
18b842ba24 | |||
4191a8d3dd | |||
9de5998b58 | |||
ffcf4a32f5 | |||
8581700300 | |||
a500e38846 | |||
4fc874485f | |||
76bf7fe088 | |||
08ec7ab09f | |||
9a87f9219b | |||
b2e77c5331 | |||
ffd7c1499a | |||
a2ada1ba15 |
17
Group Policies Objects/Bitlocker.md
Normal file
17
Group Policies Objects/Bitlocker.md
Normal file
@ -0,0 +1,17 @@
|
||||
# Bitlocker Drive Encryption
|
||||
|
||||
**On Domain Controllers, Bitlocker and tools need to be installed as a feature in Server Manager first.**
|
||||
|
||||
`Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption`
|
||||
|
||||
Choose drive encryption method and cipher strength-> Enable -> XTS-AES 256-bit for operating system, fixed data, and removable drives. For Windows Vista, Windows Server 2008, etc... use AES 256-bit if you wanna set it.
|
||||
|
||||
**The disable new DMA devices when computer is locked should only be enabled if the specific computer does not support kernel DMA protection. Do not set this at the domain level.**
|
||||
|
||||
## Operating System Drives
|
||||
|
||||
- Disallow standard users from changing the PIN or password -> Enabled
|
||||
- Require additional authentication at startup -> Enabled -> Do not allow TPM, Allow startup PIN with TPM, Do not allow startup key with TPM, Allow startup key and PIN with TPM. (**This is especially important as we do not want the TPM to automatically release the encryption key at boot.**)
|
||||
- Require additional authentication at startup (Windows Server 2008 and Windows Vista) -> Enabled -> Uncheck "Allow Bitlocker without a compatible TPM". Not necessary because you shouldn't be running these versions anyways, but just in case you do have them.
|
||||
- Allow enhanced PINs for startup -> Enabled.
|
||||
- Configure TPM platform validation profile for native UEFI firmware configurations -> Enabled -> PCR 0,1,2,3,3,4,5,6,7,11
|
@ -1,9 +1,16 @@
|
||||
# Cloud Content
|
||||
|
||||
`User Configuration\Administrative Templates\Windows Components\Cloud Content`
|
||||
|
||||
I mostly disable all cloud content because they are way too annoying. There are also a few group policies relating to "personalization", so I am not entirely sure on the privacy implication of that either.
|
||||
|
||||
`Computer Configuration\Administrative Templates\Windows Components\Cloud Content`
|
||||
|
||||
- Turn off cloud optimized content -> Enabled
|
||||
- Turn off cloud consumer account state content -> Enabled
|
||||
- Do not show Windows tips -> Enabled
|
||||
- Turn of Microsoft consumer experiences -> Enabled
|
||||
|
||||
`User Configuration\Administrative Templates\Windows Components\Cloud Content`
|
||||
|
||||
- Do not use diagnostic data for tailored experiences -> Enabled
|
||||
- Turn off all Windows spotlight features -> Enabled
|
||||
- Turn off the Windows Welcome Experience -> Enabled
|
@ -4,5 +4,4 @@
|
||||
|
||||
Unless you run your own MDM system or something, this probably should not be on with a personal computer.
|
||||
|
||||
- Enable automatic MDM enrollment using default Azure AD credentials -> Disabled (Probably redundant because of the next policy, but it will also **disenroll** you from Azure AD)
|
||||
- Disable MDM enrollment -> Enabled (This will not disenroll you though)
|
||||
- Enable automatic MDM enrollment using default Azure AD credentials -> Disabled (Mostly because I do not use Azure for MDM)
|
8
Group Policies Objects/Printers.md
Normal file
8
Group Policies Objects/Printers.md
Normal file
@ -0,0 +1,8 @@
|
||||
# Printers
|
||||
|
||||
`Computer Configuration\Administrative Templates\Printers`
|
||||
|
||||
- Isolate print drivers from applications -> Enabled
|
||||
- Configure Redirection Guard -> Enabled
|
||||
- Execute print drivers in isolated processes -> Enabled
|
||||
- Limit print driver installation to Administrators
|
4
Group Policies Objects/README.md
Normal file
4
Group Policies Objects/README.md
Normal file
@ -0,0 +1,4 @@
|
||||
# Group Policy Objects
|
||||
|
||||
- Make Central Store for policies: https://learn.microsoft.com/en-us/troubleshoot/windows-client/group-policy/create-and-manage-central-store
|
||||
- Windows 23H2 template can be found here: https://www.microsoft.com/en-us/download/details.aspx?id=105667
|
@ -2,7 +2,7 @@
|
||||
|
||||
`Computer Configuration\Administrative Templates\Windows Components\Windows Defender SmartScreen`
|
||||
|
||||
- Enhanced Phishing Protection -> Service Enabled -> Disabled
|
||||
- Enhanced Phishing Protection -> Service Enabled -> Disabled (**Does not show on Windows Server 2022 by default**)
|
||||
|
||||
**For a corporate scenario or when you cannot trust the user you are configuring it for and you choose to have SmartScreen enabled, do the followings:**,
|
||||
|
@ -1,5 +0,0 @@
|
||||
# Printers
|
||||
|
||||
`Computer Configuration\Administrative Templates\Printers`
|
||||
|
||||
- Isolate print drivers from applications -> Enabled
|
@ -1,13 +0,0 @@
|
||||
# Bitlocker Drive Encryption
|
||||
|
||||
`Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption`
|
||||
|
||||
Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) -> Enable -> XTS-AES 256-bit for operating system, fixed data, and removable drives.
|
||||
|
||||
**The disable new DMA devices when computer is locked should only be enabled if your computer does not support kernel DMA protection.**
|
||||
|
||||
## Operating System Drives
|
||||
|
||||
- Require additional authentication at startup -> Enabled -> Do not allow TPM, Allow startup PIN with TPM, Do not allow startup key with TPM, Allow startup key and PIN with TPM. (**This is especially important as we do not want the TPM to automatically release the encryption key at boot.**)
|
||||
- Allow enhanced PINs for startup -> Enabled.
|
||||
- Configure TPM platform validation profile for native UEFI firmware configurations -> Enabled -> PCR 0,1,2,3,3,4,5,6,7,11
|
@ -1,10 +0,0 @@
|
||||
# Cloud Content
|
||||
|
||||
`Computer Configuration\Administrative Templates\Windows Components\Cloud Content`
|
||||
|
||||
I mostly disable all cloud content because they are way too annoying. There are also a few group policies relating to "personalization", so I am not entirely sure on the privacy implication of that either.
|
||||
|
||||
- Turn off cloud optimized content -> Enabled
|
||||
- Turn off cloud consumer account state content -> Enabled
|
||||
- Do not show Windows tips -> Enabled
|
||||
- Turn of Microsoft consumer experiences -> Enabled
|
@ -1,9 +0,0 @@
|
||||
# Microsoft Defender Application Guard
|
||||
|
||||
Only relevant if running on bare metal or with nested virtualization. Extremely handy for visiting untrusted websites (which should be all websites). This also works with Office Enterprise, but I do not have Office Enterprise so I cant't play with it.
|
||||
|
||||
Documentation: https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview
|
||||
|
||||
Video demo for Edge in MDAG: https://www.youtube.com/watch?v=OFEdoCWZjaI
|
||||
|
||||
**Microsoft Edge running in MDAG will bypass your VPN!!!**
|
@ -4,7 +4,7 @@
|
||||
|
||||
### Cloud-delivered protection
|
||||
|
||||
This sends hashes and file paths to Microsoft. Whether to keep this on or not depends on the threat model.
|
||||
This sends hashes and file paths to Microsoft. Whether to keep this on or not depends on the threat model. I recommend keeping it on on a domain controller and gaming machines.
|
||||
|
||||
One caveat with this is that if it takes the cloud too long to scan, the computer will just run the executable. Might wanna increase the timeout later to make it less theatric:
|
||||
|
||||
@ -65,6 +65,11 @@ Turn Force randomization for images (Mandatory ALSR) to "On by default".
|
||||
|
||||
# Device Security
|
||||
|
||||
## Core Isolation
|
||||
|
||||
- Memory integrity -> Turn on
|
||||
- Firmware protection -> Turn on
|
||||
|
||||
## Security Processor & Secure Boot
|
||||
|
||||
If theres aren't on, check the firmware settings. On Parallels, both should pass by default.
|
||||
|
Loading…
Reference in New Issue
Block a user