mirror of
https://github.com/TommyTran732/Windows-Setup.git
synced 2024-11-25 09:31:44 -05:00
Compare commits: 5 commits, 79b0c7c402 ... 2cd6e5a4ea

Commits in this range (SHA1):
- 2cd6e5a4ea
- 03d0152037
- 3ef71b86dc
- ee9ce3a019
- 9d01449374
@ -1,7 +0,0 @@
# Windows Copilot
`User Configuration\Administrative Templates\Windows Components\Windows Copilot`
**This somehow still doesn't show up in the latest policy template
- Turn off Windows Copilot -> Enabled

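Review bot: the bold caveat about the setting not appearing in the latest policy template is unterminated (`**` opens but never closes) and is not carried over to the Windows Copilot file re-created under `User Configuration\Policies\...` later in this change set; if the caveat still holds, move it to the new file, otherwise dropping it with the old file is fine.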
@ -1,6 +1,6 @@
# App Privacy
`Computer Configuration\Administrative Templates\Windows Components\App Privacy`
`Computer Configuration\Policies\Administrative Templates\Windows Components\App Privacy`
These contains some settings that are not in the Settings app (and vice versa). Most of these stuff I will never use, therefore I am forcing them to be off. You do not need to follow me on this, but you should at least check out all of the policies there.

@ -1,6 +1,6 @@
# Application Compatibility
`Computer Configuration\Administrative Templates\Windows Components\Application Compatibility`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Application Compatibility`
**These look quite old so I am not sure if they apply to modern Windows versions or not. It doesn't hurt to set them either ways.**

@ -1,5 +1,5 @@
# AutoPlay Policies
`Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies`
`Computer Configuration\Policies\Administrative Templates\Windows Components\AutoPlay Policies`
- Turn off Autoplay -> Enabled

@ -1,5 +1,5 @@
# AutoPlay Policies
`Computer Configuration\Administrative Templates\Windows Components\Biometrics\Facial Features`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Biometrics\Facial Features`
- Configure enhanced anti-spoofing -> Enabled

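Review bot: the heading in this file says `# AutoPlay Policies` but the path and the setting (`Biometrics\Facial Features`, "Configure enhanced anti-spoofing") belong to Biometrics; since the path line is being touched anyway, rename the heading to match, e.g. `# Biometrics`.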
@ -2,7 +2,7 @@
**On Domain Controllers, Bitlocker and tools need to be installed as a feature in Server Manager first.**
`Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Bitlocker Drive Encryption`
Choose drive encryption method and cipher strength-> Enable -> XTS-AES 256-bit for operating system, fixed data, and removable drives. For Windows Vista, Windows Server 2008, etc... use AES 256-bit if you wanna set it.

@ -2,14 +2,14 @@
I mostly disable all cloud content because they are way too annoying. There are also a few group policies relating to "personalization", so I am not entirely sure on the privacy implication of that either.
`Computer Configuration\Administrative Templates\Windows Components\Cloud Content`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Cloud Content`
- Turn off cloud optimized content -> Enabled
- Turn off cloud consumer account state content -> Enabled
- Do not show Windows tips -> Enabled
- Turn of Microsoft consumer experiences -> Enabled
`User Configuration\Administrative Templates\Windows Components\Cloud Content`
`User Configuration\Policies\Administrative Templates\Windows Components\Cloud Content`
- Do not use diagnostic data for tailored experiences -> Enabled
- Turn off all Windows spotlight features -> Enabled

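Review bot: "Turn of Microsoft consumer experiences" in the Computer Configuration list is missing an "f"; the policy is "Turn off Microsoft consumer experiences", and the name matters here because readers look the setting up by it in gpedit.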
@ -1,6 +1,6 @@
# Control Panel
`Computer Configuration\Administrative Templates\Control Panel`
`Computer Configuration\Policies\Administrative Templates\Control Panel`
- Allow Online Tips -> Disabled (Not sure about privacy implications, but no reason for it to be on)

@ -1,5 +1,5 @@
# Credentials Delegation
`Computer Configuration\Administrative Templates\System\Credentials Delegation`
`Computer Configuration\Policies\Administrative Templates\System\Credentials Delegation`
- Encryption Oracle Remediation -> Enabled -> Force Updated Clients

@ -1,6 +1,6 @@
# Data Collection and Preview Builds
`Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds`
- Toggle user control over Insider builds -> Disabled
- Allow Diagnostic Data -> Enabled -> Diagnostic Data off (Only affects Enterprise, Education, and Server)

@ -1,6 +1,6 @@
# Device Guard
`Computer Configuration\Administrative Templates\System\Device Guard`
`Computer Configuration\Policies\Administrative Templates\System\Device Guard`
- Turn On Virtualization Based Security -> Enabled

@ -1,5 +1,5 @@
# Device Health Attestation Service
`Computer Configuration\Administrative Templates\System\Device Health Attestation Service`
`Computer Configuration\Policies\Administrative Templates\System\Device Health Attestation Service`
- Enable Device Health Attestation Monitoring and Reporting -> Disabled (Not inherently bad, but unless you have access to the cloud based reporting portal, why even bother keeping it on?)

@ -1,6 +1,6 @@
# Early Launch Antimalware
`Computer Configuration\Administrative Templates\System\Early Launch Antimalware`
`Computer Configuratio\Policiesn\Administrative Templates\System\Early Launch Antimalware`
Probably doesn't do anything unless you use a 3rd party Antimalware with this feature, but there is no harm in enabling it just in case you need it.

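Review bot: the new path line is corrupted; `Policies\` was inserted one character too early and split "Configuration" into `Configuratio\Policiesn`. It should read `Computer Configuration\Policies\Administrative Templates\System\Early Launch Antimalware`, matching every other path touched in this change set.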
@ -1,9 +1,9 @@
# File Explorer
`Computer Configuration\Administrative Templates\Windows Components\File Explorer`
`Computer Configuration\Policies\Administrative Templates\Windows Components\File Explorer`
- Turn off account-based insights, recent, favorite, and recommended files in File Explorer -> Enabled (Not sure if this is actually privacy invasive or not, but best to keep it off anyways.)
`User Configuration\Administrative Templates\Windows Components\File Explorer`
`User Configuration\Policies\Administrative Templates\Windows Components\File Explorer`
- Turn off display of recent search entries in the File Explorer search box -> Enabled (**EXTREMELY INVASIVE**. This stores your search history in the registry according to the docs, and is also responsible for the Bing search in the Start Menu just like the policies in Search even though the description does not mention it.)

@ -1,5 +1,5 @@
# Filesystem
`Computer Configuration\Administrative Templates\System\Filesystem`
`Computer Configuration\Policies\Administrative Templates\System\Filesystem`
- Enable Dev drive -> Disabled

@ -1,5 +1,5 @@
# Find My Device
`Computer Configuration\Administrative Templates\Windows Components\Find My Device`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Find My Device`
- Turn On/Off Find My Device -> Disabled

@ -1,6 +1,6 @@
# Internet Communication settings
`Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings`
`Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings`
**Old and very likely to be obsolete.**

@ -1,5 +1,5 @@
# Kernel DMA Protection
`Computer Configuration\Administrative Templates\System\Kernel DMA Protection`
`Computer Configuration\Policies\Administrative Templates\System\Kernel DMA Protection`
- Enumeration policy for external devices incompatible with Kernel DMA Protection -> Enabled -> Block all

@ -1,6 +1,6 @@
# Legacy Microsoft Edge
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Edge`
**Legacy Microsoft Edge, not the Chromium based one. Obsolete.**

@ -1,6 +1,6 @@
# Location and Sensors
`Computer Configuration\Administrative Templates\Windows Components\Location and Sensors`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Location and Sensors`
I do not see these ever being used on my system, therefore they are disabled. Obviously, you don't have to apply them if you want to use location and sensors.

@ -1,6 +1,6 @@
# MDM
`Computer Configuration\Administrative Templates\Windows Components\MDM`
`Computer Configuration\Policies\Administrative Templates\Windows Components\MDM`
Unless you run your own MDM system or something, this probably should not be on with a personal computer.

@ -1,5 +1,5 @@
# Messaging
`Computer Configuration\Administrative Templates\Windows Components\Messaging`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Messaging`
- Allow Message Service Cloud Sync -> Disabled

@ -2,7 +2,7 @@
**MAPS and features dependent on it are not enabled using this policy. It just configures how aggressive MAPS should be. This is quite invasive so I will only enable it for certain OUs.**
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus`
## MAPS

@ -1,5 +1,8 @@
# Microsoft Edge
`Computer Configuration\Policies\Administrative Templates\Microsoft Edge`
`Computer Configuration\Policies\Administrative Templates\Microsoft Edge - Default Settings (users can override)`
You will need to download the Edge policies from https://www.microsoft.com/en-us/edge/business/download?form=MA13FJ and install it.
For the actual policies to set, you can follow my repo at https://github.com/TommyTran732/Microsoft-Edge-Policies at set the equivalent group policies of what is being set there.

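Review bot: in the added paragraph, "at set the equivalent group policies" should read "and set the equivalent group policies". The download URL also carries a `?form=MA13FJ` tracking parameter that is not needed for the page to load and could be dropped.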
@ -1,5 +1,5 @@
# Microsoft account
`Computer Configuration\Administrative Templates\Windows Components\Microsoft account`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft account`
- Block all consumer Microsoft account user authentication -> Enabled

@ -1,5 +1,5 @@
# Mitigation Options
`Computer Configuration\Administrative Templates\System\Mitigation Options`
`Computer Configuration\Policies\Administrative Templates\System\Mitigation Options`
- Untrusted Font Blocking -> Enabled -> Block untrusted fonts and log events (This may break some games)

@ -1,6 +1,6 @@
# OS Policies
`Computer Configuration\Administrative Templates\System\OS Policies`
`Computer Configuration\Policies\Administrative Templates\System\OS Policies`
- ALlow Clipboard History -> Disabled
- Allow Clipboard synchronization across devices -> Disabled

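Review bot: "ALlow Clipboard History" has a stray capital; the policy name is "Allow Clipboard History", consistent with the second bullet in the same file.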
@ -1,6 +1,6 @@
# Printers
`Computer Configuration\Administrative Templates\Printers`
`Computer Configuration\Policies\Administrative Templates\Printers`
- Isolate print drivers from applications -> Enabled
- Configure Redirection Guard -> Enabled

@ -0,0 +1,9 @@
# Registries
## Disable Co Installer
`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Installer`
DisableCoInstallers -> REG_DWORD -> 1
https://www.bleepingcomputer.com/news/microsoft/how-to-block-windows-plug-and-play-auto-installing-insecure-apps/

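Review bot: `# Registries` reads oddly for a file that documents registry values; `# Registry` would match the singular used everywhere else. The value line `DisableCoInstallers -> REG_DWORD -> 1` also lacks the `- ` bullet prefix the policy files use, and the bare URL would benefit from a short lead-in such as "Background:" so it is clear it is a reference rather than another setting.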
@ -1,5 +1,5 @@
# Remote Assistance
`Computer Configuration\Administrative Templates\System\Remote Assistance`
`Computer Configuration\Policies\Administrative Templates\System\Remote Assistance`
- Allow only Windows Vista or later connections -> Enabled

@ -1,6 +1,6 @@
# Search
`Computer Configuration\Administrative Templates\Windows Components\Search`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Search`
Very confusing, you need to consult https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-cortana-and-search-group-policies

@ -1,9 +1,10 @@
# User Account Control
# Security Options
Documentation: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/settings-and-configuration?tabs=gpo
`Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options`
`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options`
- User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode -> Prompt for credentials
- User Account Control: Only elevate executables that are signed and validated -> Enabled
- User Account Control: Switch to the secure desktop when prompting for elevation -> Enabled (Docs says it is enabled by default, but it is off on my Parallels VM somehow)
- Security setting -> Define -> Require signing (**Follow this guide to setup LDAPS if you do not have key server: https://www.dvolve.net/blog/2019/12/using-lets-encrypt-for-active-directory-domain-controller-certificates/**)

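Review bot: the added bullet "Security setting -> Define -> Require signing" never names the policy it refers to, so a reader cannot find it in the Security Options list; the other bullets lead with the full policy name ("User Account Control: ..."), and this one should do the same for the LDAP signing policy it evidently means. With the heading widened from "User Account Control" to "Security Options", the "Documentation:" link also now covers only the three UAC bullets and should be labelled as such or moved next to them.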
@ -1,5 +1,5 @@
# Service Control Manager Settings
`Computer Configuration\Administrative Templates\System\Service Control Manager Settings`
`Computer Configuration\Policies\Administrative Templates\System\Service Control Manager Settings`
- Security Settings -> Enable svchost.exe mitigation options -> Enabled

@ -1,5 +1,5 @@
# Software Protection Platform
`Computer Configuration\Administrative Templates\Windows Components\Software Protection Platform`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Software Protection Platform`
- Turn off KMS Client Online AVS Validation -> Enabled

@ -1,6 +1,6 @@
# Start Menu and Taskbar
`Computer Configuration\Administrative Templates\Start Menu and Taskbar`
`Computer Configuration\Policies\Administrative Templates\Start Menu and Taskbar`
This is not strictly problematic, though I get quite irritated with most used apps/recently added apps/recently opened documents/etc showing up on my start menu. Someone may inadvertently see something when I show them my screen.

@ -1,5 +1,5 @@
# Sync your settings
`Computer Configuration\Administrative Templates\Windows Components\Sync your settings`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Sync your settings`
- Do not sync -> Enabled

@ -1,5 +1,5 @@
# Text Input
`Computer Configuration\Administrative Templates\Windows Components\Text Input`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Text Input`
- Improve inking and typing recognition -> Disabled

@ -1,6 +1,6 @@
# Widgets
`Computer Configuration\Administrative Templates\Windows Components\Widgets`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Widgets`
Probably not a huge privacy/security issue, it just fetches news and stuff from the internet. I disable it as it is extremely annoying.

@ -1,6 +1,6 @@
# Windows Calendar
`Computer Configuration\Administrative Templates\Windows Components\Windows Calendar`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Calendar`
**Obsolete**

@ -0,0 +1,5 @@
# Windows Copilot
`User Configuration\Policies\Administrative Templates\Windows Components\Windows Copilot`
- Turn off Windows Copilot -> Enabled

@ -1,6 +1,6 @@
# Windows Defender SmartScreen
`Computer Configuration\Administrative Templates\Windows Components\Windows Defender SmartScreen`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender SmartScreen`
- Enhanced Phishing Protection -> Service Enabled -> Disabled (**Does not show on Windows Server 2022 by default**)
- Microsoft Edge -> Configure Windows Defender SmartScreen -> Disabled

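Review bot: "Microsoft Edge -> Configure Windows Defender SmartScreen -> Disabled" here sits next to the new Microsoft Edge file in this change set, which sets "Configure Microsoft Defender SmartScreen -> Enabled"; read together they look contradictory. If this `Windows Components\Windows Defender SmartScreen\Microsoft Edge` node only governs the legacy (non-Chromium) Edge that the "Legacy Microsoft Edge" file already calls obsolete, say so in a parenthetical, as the other bullets in this file do for their caveats.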
@ -1,5 +1,5 @@
# Windows Error Reporting
`Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Error Reporting`
- Disable Windows Error Reporting -> Enable

@ -1,6 +1,6 @@
# Windows Game Recording and Broadcasting
`Computer Configuration\Administrative Templates\Windows Components\Windows Game Recording and Broadcasting`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Game Recording and Broadcasting`
If you wanna record your screen and stuff, don't apply this. Otherwise, why not just disable it? Unnecessary stuff.

@ -1,6 +1,6 @@
# Windows Media Digital Rights Management
`Computer Configuration\Administrative Templates\Windows Components\Windows Media Digital Rights Management`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Media Digital Rights Management`
Obviously do not set this if you need Windows Media DRM, but I have never seen this being used so I don't see a reason for it to be allowed.

@ -1,6 +1,6 @@
# Windows Messenger
`Computer Configuration\Administrative Templates\Windows Components\Windows Messenger`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Messenger`
**Old and very likely to be obsolete.**

@ -1,6 +1,6 @@
# Windows Update
`Computer Configuration\Administrative Templates\Windows Components\Windows Update`
`Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update`
- Manage updates offered from Windows Update -> Enable optional updates -> Enabled -> Automatically receive optional updates
- Manage updates offered from Windows Update -> Select when Quality Updates are received -> Enabled -> Defer for 0 days

@ -0,0 +1,14 @@
# Microsoft Edge
`Computer Configuration\Policies\Administrative Templates\Microsoft Edge`
- SmartScreen settings -> Configure Microsoft Defender SmartScreen -> Enabled
- SmartScreen settings -> Configure Microsoft SmartScreen to block potentially unwanted apps -> Enabled
- TyposuqattingChecker settings -> Configure Edge TyposquattingChecker -> Enabled
# Microsoft Defender Antivirus
`Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus`
- Join Microsoft MAPS -> Enabled -> Advanced Membership

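Review bot: "TyposuqattingChecker settings" is misspelled in the added file; the node is "TyposquattingChecker settings", as the same bullet spells it in the policy name. Since the earlier MAPS note says the Advanced Membership is only enabled for certain OUs, this new file would also benefit from a one-line heading or comment stating which OU it is linked to.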
@ -2,4 +2,4 @@
`Computer Configuration\Administrative Templates\System\Mitigation Options`
- Untrusted Font Blocking -> Disabled
- Untrusted Font Blocking -> Enabled -> Do not block untrusted fonts

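Review bot: the path line in this file is left as `Computer Configuration\Administrative Templates\System\Mitigation Options` while every other file in this change set was moved to the `Computer Configuration\Policies\Administrative Templates\...` form; update it for consistency while the value line is being changed.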
@ -1,5 +1,5 @@
# Device Guard
`Computer Configuration\Administrative Templates\System\Device Guard`
`Computer Configuration\Policies\Administrative Templates\System\Device Guard`
- Turn On Virtualization Based Security -> Disabled

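Review bot: this Device Guard file sets "Turn On Virtualization Based Security -> Disabled" while the other Device Guard file in this change set sets it to Enabled; both cannot be the intended baseline, so each file should state which OU (for example the VM hosts mentioned in the Windows Time Service note) it is linked to, so a reader does not apply the wrong one.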
@ -1,5 +1,5 @@
# Windows Time Service
`Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers`
`Computer Configuration\Policies\Administrative Templates\System\Windows Time Service\Time Providers`
Enable Windows NTP Client -> Disabled (**Read my notes on Date & Time. I am disabling time sync here because it is already handled by my guest agent**.)

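Review bot: the setting line lacks the leading `- ` bullet used for settings in every other file, and the closing `**.)` puts the period outside the bold span; `**.**)` or ending the bold before the period reads more cleanly. Since the justification is that the guest agent already syncs time, the file should also say which OU it is scoped to so the NTP client is not disabled on machines without that agent.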