mirror of https://github.com/TommyTran732/Windows-Setup.git synced 2024-11-09 17:51:43 -05:00

Compare commits


5 Commits

| SHA1 | Message | Author (Signed-off-by) | Date |
|---|---|---|---|
| 2cd6e5a4ea | Mention advanced membership | Tommy `<contact@tommytran.io>` | 2024-01-06 05:41:21 -07:00 |
| 03d0152037 | Disable Co Installer | Tommy `<contact@tommytran.io>` | 2024-01-06 05:06:26 -07:00 |
| 3ef71b86dc | Defender for gaming | Tommy `<contact@tommytran.io>` | 2024-01-06 04:53:57 -07:00 |
| ee9ce3a019 | Fix policy path to match AD | Tommy `<contact@tommytran.io>` | 2024-01-06 04:43:40 -07:00 |
| 9d01449374 | LDAPS Enforcement | Tommy `<contact@tommytran.io>` | 2024-01-06 04:29:12 -07:00 |
50 changed files with 81 additions and 56 deletions

View File

@ -1,7 +0,0 @@
# Windows Copilot
`User Configuration\Administrative Templates\Windows Components\Windows Copilot`
**This somehow still doesn't show up in the latest policy template
- Turn off Windows Copilot -> Enabled

View File

@ -1,6 +1,6 @@
# App Privacy
`Computer Configuration\Administrative Templates\Windows Components\App Privacy`
`Computer Configuration\Policies\Administrative Templates\Windows Components\App Privacy`
These contains some settings that are not in the Settings app (and vice versa). Most of these stuff I will never use, therefore I am forcing them to be off. You do not need to follow me on this, but you should at least check out all of the policies there.

View File

@ -1,6 +1,6 @@
# Application Compatibility
`Computer Configuration\Administrative Templates\Windows Components\Application Compatibility`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Application Compatibility`
**These look quite old so I am not sure if they apply to modern Windows versions or not. It doesn't hurt to set them either ways.**

View File

@ -1,5 +1,5 @@
# AutoPlay Policies
`Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies`
`Computer Configuration\Policies\Administrative Templates\Windows Components\AutoPlay Policies`
- Turn off Autoplay -> Enabled

View File

@ -1,5 +1,5 @@
# AutoPlay Policies
`Computer Configuration\Administrative Templates\Windows Components\Biometrics\Facial Features`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Biometrics\Facial Features`
- Configure enhanced anti-spoofing -> Enabled
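Review bot: the heading `# AutoPlay Policies` does not match this file, whose path line is `...\Windows Components\Biometrics\Facial Features`; since the path line is already being rewritten in this hunk, rename the heading to match the folder (for example `# Biometrics`) so the file is not confused with the real AutoPlay Policies file directly above it.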

View File

@ -2,7 +2,7 @@
**On Domain Controllers, Bitlocker and tools need to be installed as a feature in Server Manager first.**
`Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Bitlocker Drive Encryption`
Choose drive encryption method and cipher strength-> Enable -> XTS-AES 256-bit for operating system, fixed data, and removable drives. For Windows Vista, Windows Server 2008, etc... use AES 256-bit if you wanna set it.

View File

@ -2,14 +2,14 @@
I mostly disable all cloud content because they are way too annoying. There are also a few group policies relating to "personalization", so I am not entirely sure on the privacy implication of that either.
`Computer Configuration\Administrative Templates\Windows Components\Cloud Content`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Cloud Content`
- Turn off cloud optimized content -> Enabled
- Turn off cloud consumer account state content -> Enabled
- Do not show Windows tips -> Enabled
- Turn of Microsoft consumer experiences -> Enabled
`User Configuration\Administrative Templates\Windows Components\Cloud Content`
`User Configuration\Policies\Administrative Templates\Windows Components\Cloud Content`
- Do not use diagnostic data for tailored experiences -> Enabled
- Turn off all Windows spotlight features -> Enabled

View File

@ -1,6 +1,6 @@
# Control Panel
`Computer Configuration\Administrative Templates\Control Panel`
`Computer Configuration\Policies\Administrative Templates\Control Panel`
- Allow Online Tips -> Disabled (Not sure about privacy implications, but no reason for it to be on)

View File

@ -1,5 +1,5 @@
# Credentials Delegation
`Computer Configuration\Administrative Templates\System\Credentials Delegation`
`Computer Configuration\Policies\Administrative Templates\System\Credentials Delegation`
- Encryption Oracle Remediation -> Enabled -> Force Updated Clients

View File

@ -1,6 +1,6 @@
# Data Collection and Preview Builds
`Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds`
- Toggle user control over Insider builds -> Disabled
- Allow Diagnostic Data -> Enabled -> Diagnostic Data off (Only affects Enterprise, Education, and Server)

View File

@ -1,6 +1,6 @@
# Device Guard
`Computer Configuration\Administrative Templates\System\Device Guard`
`Computer Configuration\Policies\Administrative Templates\System\Device Guard`
- Turn On Virtualization Based Security -> Enabled

View File

@ -1,5 +1,5 @@
# Device Health Attestation Service
`Computer Configuration\Administrative Templates\System\Device Health Attestation Service`
`Computer Configuration\Policies\Administrative Templates\System\Device Health Attestation Service`
- Enable Device Health Attestation Monitoring and Reporting -> Disabled (Not inherently bad, but unless you have access to the cloud based reporting portal, why even bother keeping it on?)

View File

@ -1,6 +1,6 @@
# Early Launch Antimalware
`Computer Configuration\Administrative Templates\System\Early Launch Antimalware`
`Computer Configuratio\Policiesn\Administrative Templates\System\Early Launch Antimalware`
Probably doesn't do anything unless you use a 3rd party Antimalware with this feature, but there is no harm in enabling it just in case you need it.
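Review bot: the new path line is mistyped. `Computer Configuratio\Policiesn\Administrative Templates\System\Early Launch Antimalware` should read `Computer Configuration\Policies\Administrative Templates\System\Early Launch Antimalware`, the same form this change applies to every other file; as written, nobody can navigate to it in the Group Policy editor.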

View File

@ -1,9 +1,9 @@
# File Explorer
`Computer Configuration\Administrative Templates\Windows Components\File Explorer`
`Computer Configuration\Policies\Administrative Templates\Windows Components\File Explorer`
- Turn off account-based insights, recent, favorite, and recommended files in File Explorer -> Enabled (Not sure if this is actually privacy invasive or not, but best to keep it off anyways.)
`User Configuration\Administrative Templates\Windows Components\File Explorer`
`User Configuration\Policies\Administrative Templates\Windows Components\File Explorer`
- Turn off display of recent search entries in the File Explorer search box -> Enabled (**EXTREMELY INVASIVE**. This stores your search history in the registry according to the docs, and is also responsible for the Bing search in the Start Menu just like the policies in Search even though the description does not mention it.)

View File

@ -1,5 +1,5 @@
# Filesystem
`Computer Configuration\Administrative Templates\System\Filesystem`
`Computer Configuration\Policies\Administrative Templates\System\Filesystem`
- Enable Dev drive -> Disabled

View File

@ -1,5 +1,5 @@
# Find My Device
`Computer Configuration\Administrative Templates\Windows Components\Find My Device`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Find My Device`
- Turn On/Off Find My Device -> Disabled

View File

@ -1,6 +1,6 @@
# Internet Communication settings
`Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings`
`Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings`
**Old and very likely to be obsolete.**

View File

@ -1,5 +1,5 @@
# Kernel DMA Protection
`Computer Configuration\Administrative Templates\System\Kernel DMA Protection`
`Computer Configuration\Policies\Administrative Templates\System\Kernel DMA Protection`
- Enumeration policy for external devices incompatible with Kernel DMA Protection -> Enabled -> Block all

View File

@ -1,6 +1,6 @@
# Legacy Microsoft Edge
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Edge`
**Legacy Microsoft Edge, not the Chromium based one. Obsolete.**

View File

@ -1,6 +1,6 @@
# Location and Sensors
`Computer Configuration\Administrative Templates\Windows Components\Location and Sensors`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Location and Sensors`
I do not see these ever being used on my system, therefore they are disabled. Obviously, you don't have to apply them if you want to use location and sensors.

View File

@ -1,6 +1,6 @@
# MDM
`Computer Configuration\Administrative Templates\Windows Components\MDM`
`Computer Configuration\Policies\Administrative Templates\Windows Components\MDM`
Unless you run your own MDM system or something, this probably should not be on with a personal computer.

View File

@ -1,5 +1,5 @@
# Messaging
`Computer Configuration\Administrative Templates\Windows Components\Messaging`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Messaging`
- Allow Message Service Cloud Sync -> Disabled

View File

@ -2,7 +2,7 @@
**MAPS and features dependent on it are not enabled using this policy. It just configures how aggressive MAPS should be. This is quite invasive so I will only enable it for certain OUs.**
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus`
## MAPS

View File

@ -1,5 +1,8 @@
# Microsoft Edge
`Computer Configuration\Policies\Administrative Templates\Microsoft Edge`
`Computer Configuration\Policies\Administrative Templates\Microsoft Edge - Default Settings (users can override)`
You will need to download the Edge policies from https://www.microsoft.com/en-us/edge/business/download?form=MA13FJ and install it.
For the actual policies to set, you can follow my repo at https://github.com/TommyTran732/Microsoft-Edge-Policies at set the equivalent group policies of what is being set there.
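Review bot: of the two path lines in this hunk, `Microsoft Edge - Default Settings (users can override)` is the recommended-settings branch of the Edge ADMX, so any value placed there is only a default that the user can change in Edge settings, whereas `Computer Configuration\Policies\Administrative Templates\Microsoft Edge` is the enforced branch. Make sure the path that survives this change is the enforced one if the intent is to lock the settings, and say in the file which branch is meant and why. Separately, "at set the equivalent group policies" should read "and set the equivalent group policies".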

View File

@ -1,5 +1,5 @@
# Microsoft account
`Computer Configuration\Administrative Templates\Windows Components\Microsoft account`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft account`
- Block all consumer Microsoft account user authentication -> Enabled

View File

@ -1,5 +1,5 @@
# Mitigation Options
`Computer Configuration\Administrative Templates\System\Mitigation Options`
`Computer Configuration\Policies\Administrative Templates\System\Mitigation Options`
- Untrusted Font Blocking -> Enabled -> Block untrusted fonts and log events (This may break some games)

View File

@ -1,6 +1,6 @@
# OS Policies
`Computer Configuration\Administrative Templates\System\OS Policies`
`Computer Configuration\Policies\Administrative Templates\System\OS Policies`
- ALlow Clipboard History -> Disabled
- Allow Clipboard synchronization across devices -> Disabled

View File

@ -1,6 +1,6 @@
# Printers
`Computer Configuration\Administrative Templates\Printers`
`Computer Configuration\Policies\Administrative Templates\Printers`
- Isolate print drivers from applications -> Enabled
- Configure Redirection Guard -> Enabled

View File

@ -0,0 +1,9 @@
# Registries
## Disable Co Installer
`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Installer`
DisableCoInstallers -> REG_DWORD -> 1
https://www.bleepingcomputer.com/news/microsoft/how-to-block-windows-plug-and-play-auto-installing-insecure-apps/
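Review bot: this is the only entry in the repository that documents a raw registry value rather than a Group Policy setting, so the file should say how it is meant to be applied; deploying it through Group Policy Preferences (Registry) under the same GPO would keep it enforced like everything else, and readers should be told that `DisableCoInstallers` is not present by default and must be created. A one-line caveat that this also stops legitimate vendor-supplied device software from being installed automatically with a driver would help readers judge the trade-off.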

View File

@ -1,5 +1,5 @@
# Remote Assistance
`Computer Configuration\Administrative Templates\System\Remote Assistance`
`Computer Configuration\Policies\Administrative Templates\System\Remote Assistance`
- Allow only Windows Vista or later connections -> Enabled

View File

@ -1,6 +1,6 @@
# Search
`Computer Configuration\Administrative Templates\Windows Components\Search`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Search`
Very confusing, you need to consult https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-cortana-and-search-group-policies

View File

@ -1,9 +1,10 @@
# User Account Control
# Security Options
Documentation: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/settings-and-configuration?tabs=gpo
`Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options`
`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options`
- User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode -> Prompt for credentials
- User Account Control: Only elevate executables that are signed and validated -> Enabled
- User Account Control: Switch to the secure desktop when prompting for elevation -> Enabled (Docs says it is enabled by default, but it is off on my Parallels VM somehow)
- Security setting -> Define -> Require signing (**Follow this guide to setup LDAPS if you do not have key server: https://www.dvolve.net/blog/2019/12/using-lets-encrypt-for-active-directory-domain-controller-certificates/**)
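Review bot: the added line `Security setting -> Define -> Require signing` never names the policy it belongs to, and Security Options contains two relevant ones: `Domain controller: LDAP server signing requirements` (what the DC demands) and `Network security: LDAP client signing requirements` (what clients send). The file should state which is being set, and on which OU. Note also that LDAP signing and LDAPS are different controls: Require signing rejects unsigned, non-TLS LDAP binds and is satisfied by either SASL signing or an LDAPS (TLS) session, but it does not by itself force clients onto port 636, so the commit title "LDAPS Enforcement" overstates the effect; the linked certificate guide is what makes LDAPS available, not what enforces it. Expect clients that use simple binds over plain LDAP to fail after this is applied, which is worth a sentence here. Renaming the heading from User Account Control to Security Options is correct now that the file covers more than UAC.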

View File

@ -1,5 +1,5 @@
# Service Control Manager Settings
`Computer Configuration\Administrative Templates\System\Service Control Manager Settings`
`Computer Configuration\Policies\Administrative Templates\System\Service Control Manager Settings`
- Security Settings -> Enable svchost.exe mitigation options -> Enabled

View File

@ -1,5 +1,5 @@
# Software Protection Platform
`Computer Configuration\Administrative Templates\Windows Components\Software Protection Platform`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Software Protection Platform`
- Turn off KMS Client Online AVS Validation -> Enabled

View File

@ -1,6 +1,6 @@
# Start Menu and Taskbar
`Computer Configuration\Administrative Templates\Start Menu and Taskbar`
`Computer Configuration\Policies\Administrative Templates\Start Menu and Taskbar`
This is not strictly problematic, though I get quite irritated with most used apps/recently added apps/recently opened documents/etc showing up on my start menu. Someone may inadvertently see something when I show them my screen.

View File

@ -1,5 +1,5 @@
# Sync your settings
`Computer Configuration\Administrative Templates\Windows Components\Sync your settings`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Sync your settings`
- Do not sync -> Enabled

View File

@ -1,5 +1,5 @@
# Text Input
`Computer Configuration\Administrative Templates\Windows Components\Text Input`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Text Input`
- Improve inking and typing recognition -> Disabled

View File

@ -1,6 +1,6 @@
# Widgets
`Computer Configuration\Administrative Templates\Windows Components\Widgets`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Widgets`
Probably not a huge privacy/security issue, it just fetches news and stuff from the internet. I disable it as it is extremely annoying.

View File

@ -1,6 +1,6 @@
# Windows Calendar
`Computer Configuration\Administrative Templates\Windows Components\Windows Calendar`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Calendar`
**Obsolete**

View File

@ -0,0 +1,5 @@
# Windows Copilot
`User Configuration\Policies\Administrative Templates\Windows Components\Windows Copilot`
- Turn off Windows Copilot -> Enabled
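Review bot: the old Copilot file removed earlier in this change carried the caveat that this policy still does not appear in the latest policy template, and the new file under the `Policies\` path drops it; keep that note here so readers know why the setting may be missing from their editor and that they need a newer ADMX before this entry can be set.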

View File

@ -1,6 +1,6 @@
# Windows Defender SmartScreen
`Computer Configuration\Administrative Templates\Windows Components\Windows Defender SmartScreen`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender SmartScreen`
- Enhanced Phishing Protection -> Service Enabled -> Disabled (**Does not show on Windows Server 2022 by default**)
- Microsoft Edge -> Configure Windows Defender SmartScreen -> Disabled

View File

@ -1,5 +1,5 @@
# Windows Error Reporting
`Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Error Reporting`
- Disable Windows Error Reporting -> Enable

View File

@ -1,6 +1,6 @@
# Windows Game Recording and Broadcasting
`Computer Configuration\Administrative Templates\Windows Components\Windows Game Recording and Broadcasting`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Game Recording and Broadcasting`
If you wanna record your screen and stuff, don't apply this. Otherwise, why not just disable it? Unnecessary stuff.

View File

@ -1,6 +1,6 @@
# Windows Media Digital Rights Management
`Computer Configuration\Administrative Templates\Windows Components\Windows Media Digital Rights Management`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Media Digital Rights Management`
Obviously do not set this if you need Windows Media DRM, but I have never seen this being used so I don't see a reason for it to be allowed.

View File

@ -1,6 +1,6 @@
# Windows Messenger
`Computer Configuration\Administrative Templates\Windows Components\Windows Messenger`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Messenger`
**Old and very likely to be obsolete.**

View File

@ -1,6 +1,6 @@
# Windows Update
`Computer Configuration\Administrative Templates\Windows Components\Windows Update`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update`
- Manage updates offered from Windows Update -> Enable optional updates -> Enabled -> Automatically receive optional updates
- Manage updates offered from Windows Update -> Select when Quality Updates are received -> Enabled -> Defer for 0 days

View File

@ -0,0 +1,14 @@
# Microsoft Edge
`Computer Configuration\Policies\Administrative Templates\Microsoft Edge`
- SmartScreen settings -> Configure Microsoft Defender SmartScreen -> Enabled
- SmartScreen settings -> Configure Microsoft SmartScreen to block potentially unwanted apps -> Enabled
- TyposuqattingChecker settings -> Configure Edge TyposquattingChecker -> Enabled
# Microsoft Defender Antivirus
`Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus`
- Join Microsoft MAPS -> Enabled -> Advanced Membership
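Review bot: `TyposuqattingChecker settings` is misspelled; the Edge ADMX folder is `TyposquattingChecker settings`, as the policy name on the same line shows. Since the MAPS file elsewhere in this repository describes MAPS as quite invasive and says it is only enabled for certain OUs, this file should state which OU it is linked to and that Advanced Membership sends more detection detail to Microsoft than Basic, so the exception is deliberate rather than a copy of the base file.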

View File

@ -2,4 +2,4 @@
`Computer Configuration\Administrative Templates\System\Mitigation Options`
- Untrusted Font Blocking -> Disabled
- Untrusted Font Blocking -> Enabled -> Do not block untrusted fonts
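Review bot: the path line in this file is still `Computer Configuration\Administrative Templates\System\Mitigation Options`, without the `Policies\` segment that ee9ce3a019 adds to every other file in this change; update it for consistency. Switching from Disabled to `Enabled -> Do not block untrusted fonts` gives the same effective behaviour but makes the override explicit, which is good; a short note pointing back to the "may break some games" caveat in the base Mitigation Options file would explain why this OU differs.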

View File

@ -1,5 +1,5 @@
# Device Guard
`Computer Configuration\Administrative Templates\System\Device Guard`
`Computer Configuration\Policies\Administrative Templates\System\Device Guard`
- Turn On Virtualization Based Security -> Disabled
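Review bot: this file inverts the base Device Guard setting but gives no reason, and the commit message only says "gaming". Turning VBS off also removes the protections that depend on it (HVCI and Credential Guard), so the file should state why it is needed and make clear that it is an override for the gaming OU only, so it is not mistaken for the baseline when the files are read side by side.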

View File

@ -1,5 +1,5 @@
# Windows Time Service
`Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers`
`Computer Configuration\Policies\Administrative Templates\System\Windows Time Service\Time Providers`
Enable Windows NTP Client -> Disabled (**Read my notes on Date & Time. I am disabling time sync here because it is already handled by my guest agent**.)
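Review bot: `Enable Windows NTP Client -> Disabled` is missing the leading `- ` bullet that every other policy line in this repository uses; add it so the line renders as a list item like the rest.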