mirror of https://github.com/TommyTran732/Windows-Setup.git synced 2024-11-09 17:51:43 -05:00

Compare commits


21 Commits

| SHA1 | Message | Signed-off-by | Date |
|---|---|---|---|
| 5fc82e27fc | Remove unnecessary file | Tommy <contact@tommytran.io> | 2023-12-30 21:19:53 -07:00 |
| dc22416f11 | Update to 23H2 admx | Tommy <contact@tommytran.io> | 2023-12-30 21:19:11 -07:00 |
| 3e9368a62a | Move AutoPlay | Tommy <contact@tommytran.io> | 2023-12-30 20:00:10 -07:00 |
| 1c1c21da32 | Update Copilot description | Tommy <contact@tommytran.io> | 2023-12-30 19:42:36 -07:00 |
| d9e01d8aef | Move smartscreen | Tommy <contact@tommytran.io> | 2023-12-30 19:42:23 -07:00 |
| eafb0be8e2 | Update MDM | Tommy <contact@tommytran.io> | 2023-12-30 19:36:59 -07:00 |
| f5eac7286f | Typo Fix | Tommy <contact@tommytran.io> | 2023-12-30 19:32:54 -07:00 |
| e00504f94d | Cloud Content | Tommy <contact@tommytran.io> | 2023-12-30 19:32:40 -07:00 |
| 18b842ba24 | Move search and co-pilot policies | Tommy <contact@tommytran.io> | 2023-12-30 19:29:01 -07:00 |
| 4191a8d3dd | Move User Account Control | Tommy <contact@tommytran.io> | 2023-12-30 19:23:33 -07:00 |
| 9de5998b58 | Reorganization | Tommy <contact@tommytran.io> | 2023-12-30 19:19:05 -07:00 |
| ffcf4a32f5 | Update Printers Group Policy | Tommy <contact@tommytran.io> | 2023-12-30 19:18:07 -07:00 |
| 8581700300 | Reorganize Data Collection and Preview Builds | Tommy <contact@tommytran.io> | 2023-12-30 19:10:10 -07:00 |
| a500e38846 | Require additional authentication at startup (Windows Server 2008 and Windows Vista) | Tommy <contact@tommytran.io> | 2023-12-30 18:35:00 -07:00 |
| 4fc874485f | Bitlocker note for domain controller | Tommy <contact@tommytran.io> | 2023-12-30 17:28:29 -07:00 |
| 76bf7fe088 | Remove MDAG | Tommy <contact@tommytran.io> | 2023-12-30 17:21:57 -07:00 |
| 08ec7ab09f | Core Isolation | Tommy <contact@tommytran.io> | 2023-12-30 17:19:40 -07:00 |
| 9a87f9219b | Disallow standard users from changing the PIN or password | Tommy <contact@tommytran.io> | 2023-12-30 17:09:42 -07:00 |
| b2e77c5331 | Update comment regarding DMA protection | Tommy <contact@tommytran.io> | 2023-12-30 17:03:08 -07:00 |
| ffd7c1499a | Rename Bitlocker GPO | Tommy <contact@tommytran.io> | 2023-12-30 16:59:41 -07:00 |
| a2ada1ba15 | Move Bitlocker to its own GPO | Tommy <contact@tommytran.io> | 2023-12-30 16:58:55 -07:00 |
54 changed files with 46 additions and 43 deletions

View File

@ -0,0 +1,17 @@
# Bitlocker Drive Encryption
**On Domain Controllers, Bitlocker and tools need to be installed as a feature in Server Manager first.**
`Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption`
Choose drive encryption method and cipher strength-> Enable -> XTS-AES 256-bit for operating system, fixed data, and removable drives. For Windows Vista, Windows Server 2008, etc... use AES 256-bit if you wanna set it.
**The disable new DMA devices when computer is locked should only be enabled if the specific computer does not support kernel DMA protection. Do not set this at the domain level.**
## Operating System Drives
- Disallow standard users from changing the PIN or password -> Enabled
- Require additional authentication at startup -> Enabled -> Do not allow TPM, Allow startup PIN with TPM, Do not allow startup key with TPM, Allow startup key and PIN with TPM. (**This is especially important as we do not want the TPM to automatically release the encryption key at boot.**)
- Require additional authentication at startup (Windows Server 2008 and Windows Vista) -> Enabled -> Uncheck "Allow Bitlocker without a compatible TPM". Not necessary because you shouldn't be running these versions anyways, but just in case you do have them.
- Allow enhanced PINs for startup -> Enabled.
- Configure TPM platform validation profile for native UEFI firmware configurations -> Enabled -> PCR 0,1,2,3,3,4,5,6,7,11
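Review bot: the PCR list on the last line, `0,1,2,3,3,4,5,6,7,11`, repeats 3; drop the duplicate so the profile reads as intended. In the "Choose drive encryption method and cipher strength" line, the version qualifier "(Windows 10 [Version 1511] and later)" that the old file carried has been dropped while the same sentence now tells Vista/2008 users to pick AES 256-bit; state plainly that XTS-AES applies only to the newer policy and that removable drives which must also be opened on those older systems need the AES setting, otherwise the two halves of the sentence read as one policy. The bold DMA paragraph says to enable "Disable new DMA devices when this computer is locked" only on machines without kernel DMA protection but does not say where that support is checked; a pointer to the Device Security page touched in this same commit would close that gap.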

View File

@ -1,9 +1,16 @@
# Cloud Content
`User Configuration\Administrative Templates\Windows Components\Cloud Content`
I mostly disable all cloud content because they are way too annoying. There are also a few group policies relating to "personalization", so I am not entirely sure on the privacy implication of that either.
`Computer Configuration\Administrative Templates\Windows Components\Cloud Content`
- Turn off cloud optimized content -> Enabled
- Turn off cloud consumer account state content -> Enabled
- Do not show Windows tips -> Enabled
- Turn of Microsoft consumer experiences -> Enabled
`User Configuration\Administrative Templates\Windows Components\Cloud Content`
- Do not use diagnostic data for tailored experiences -> Enabled
- Turn off all Windows spotlight features -> Enabled
- Turn off the Windows Welcome Experience -> Enabled
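Review bot: the `User Configuration\Administrative Templates\Windows Components\Cloud Content` path on the second line is repeated further down and has no policies under it; only the introductory sentence follows it, so either drop the first occurrence or move the sentence above both path lines so each path is immediately followed by its policies. Also "Turn of Microsoft consumer experiences" should read "Turn off".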

View File

@ -4,5 +4,4 @@
Unless you run your own MDM system or something, this probably should not be on with a personal computer.
- Enable automatic MDM enrollment using default Azure AD credentials -> Disabled (Probably redundant because of the next policy, but it will also **disenroll** you from Azure AD)
- Disable MDM enrollment -> Enabled (This will not disenroll you though)
- Enable automatic MDM enrollment using default Azure AD credentials -> Disabled (Mostly because I do not use Azure for MDM)
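Review bot: "Enable automatic MDM enrollment using default Azure AD credentials -> Disabled" appears twice in this hunk with different parentheticals, one saying it will also disenroll you from Azure AD and the other only that Azure is not used for MDM; make sure a single copy survives, and make its note consistent with the "Disable MDM enrollment -> Enabled" line, which states that it will not disenroll you.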

View File

@ -0,0 +1,8 @@
# Printers
`Computer Configuration\Administrative Templates\Printers`
- Isolate print drivers from applications -> Enabled
- Configure Redirection Guard -> Enabled
- Execute print drivers in isolated processes -> Enabled
- Limit print driver installation to Administrators
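Review bot: "Limit print driver installation to Administrators" is the only item without a "-> Enabled" state, so a reader cannot tell whether it is meant to be set; add the state for consistency with the three lines above it.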

View File

@ -0,0 +1,4 @@
# Group Policy Objects
- Make Central Store for policies: https://learn.microsoft.com/en-us/troubleshoot/windows-client/group-policy/create-and-manage-central-store
- Windows 23H2 template can be found here: https://www.microsoft.com/en-us/download/details.aspx?id=105667

View File

@ -2,7 +2,7 @@
`Computer Configuration\Administrative Templates\Windows Components\Windows Defender SmartScreen`
- Enhanced Phishing Protection -> Service Enabled -> Disabled
- Enhanced Phishing Protection -> Service Enabled -> Disabled (**Does not show on Windows Server 2022 by default**)
**For a corporate scenario or when you cannot trust the user you are configuring it for and you choose to have SmartScreen enabled, do the followings:**,
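Review bot: the trailing "," after the closing `**` on the last line is stray, and "do the followings" should be "do the following". The two "Enhanced Phishing Protection -> Service Enabled -> Disabled" lines differ only by the parenthetical; confirm that only the one with the Windows Server 2022 note remains in the rendered file.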

View File

@ -1,5 +0,0 @@
# Printers
`Computer Configuration\Administrative Templates\Printers`
- Isolate print drivers from applications -> Enabled

View File

@ -1,13 +0,0 @@
# Bitlocker Drive Encryption
`Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption`
Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) -> Enable -> XTS-AES 256-bit for operating system, fixed data, and removable drives.
**The disable new DMA devices when computer is locked should only be enabled if your computer does not support kernel DMA protection.**
## Operating System Drives
- Require additional authentication at startup -> Enabled -> Do not allow TPM, Allow startup PIN with TPM, Do not allow startup key with TPM, Allow startup key and PIN with TPM. (**This is especially important as we do not want the TPM to automatically release the encryption key at boot.**)
- Allow enhanced PINs for startup -> Enabled.
- Configure TPM platform validation profile for native UEFI firmware configurations -> Enabled -> PCR 0,1,2,3,3,4,5,6,7,11

View File

@ -1,10 +0,0 @@
# Cloud Content
`Computer Configuration\Administrative Templates\Windows Components\Cloud Content`
I mostly disable all cloud content because they are way too annoying. There are also a few group policies relating to "personalization", so I am not entirely sure on the privacy implication of that either.
- Turn off cloud optimized content -> Enabled
- Turn off cloud consumer account state content -> Enabled
- Do not show Windows tips -> Enabled
- Turn of Microsoft consumer experiences -> Enabled

View File

@ -1,9 +0,0 @@
# Microsoft Defender Application Guard
Only relevant if running on bare metal or with nested virtualization. Extremely handy for visiting untrusted websites (which should be all websites). This also works with Office Enterprise, but I do not have Office Enterprise so I cant't play with it.
Documentation: https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview
Video demo for Edge in MDAG: https://www.youtube.com/watch?v=OFEdoCWZjaI
**Microsoft Edge running in MDAG will bypass your VPN!!!**
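Review bot: deleting this file also drops the warning that Edge running in MDAG bypasses the VPN, which is the one operational caveat here; if MDAG is being removed from the guide on purpose, a one-line note in the README saying so would stop readers from looking for it.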

View File

@ -4,7 +4,7 @@
### Cloud-delivered protection
This sends hashes and file paths to Microsoft. Whether to keep this on or not depends on the threat model.
This sends hashes and file paths to Microsoft. Whether to keep this on or not depends on the threat model. I recommend keeping it on on a domain controller and gaming machines.
One caveat with this is that if it takes the cloud too long to scan, the computer will just run the executable. Might wanna increase the timeout later to make it less theatric:
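Review bot: "keeping it on on a domain controller and gaming machines" is awkward; "keeping it on for domain controllers and gaming machines" reads better, and since the previous sentence says the choice depends on the threat model, one clause on why those two host types are the exception would make the recommendation actionable. The "Might wanna increase the timeout later" sentence ends with a colon whose continuation lies outside this hunk; check that it still names the timeout policy being referred to.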
@ -65,6 +65,11 @@ Turn Force randomization for images (Mandatory ALSR) to "On by default".
# Device Security
## Core Isolation
- Memory integrity -> Turn on
- Firmware protection -> Turn on
## Security Processor & Secure Boot
If theres aren't on, check the firmware settings. On Parallels, both should pass by default.
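Review bot: "If theres aren't on" should be "If these aren't on". "Firmware protection -> Turn on" is only offered on hardware that supports it, so the toggle may be absent rather than merely off; say that explicitly next to the "check the firmware settings" advice so readers on unsupported machines do not hunt for a firmware option that does not exist. The context line in the hunk header spells "ALSR" for "ASLR".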