mirror of
https://github.com/TommyTran732/Windows-Setup.git
synced 2024-11-22 16:11:45 -05:00
Compare commits
No commits in common. "ab9f1d258cfbf614cebe1ff062ea0d57f722966d" and "2f0ff65e76e240d0c6944df826fe488c873ff278" have entirely different histories.
ab9f1d258c
...
2f0ff65e76
@ -1,13 +1,15 @@
|
||||
# Microsoft Defender Antivirus
|
||||
|
||||
**MAPS and features dependent on it disabled using this policy. It is quite invasive so I will only enable it for certain OUs.**
|
||||
**MAPS and features dependent on it are not enabled using this policy. It just configures how aggressive MAPS should be. This is quite invasive so I will only enable it for certain OUs.**
|
||||
|
||||
`Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus`
|
||||
|
||||
## MAPS
|
||||
|
||||
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MAPS`
|
||||
- Join Microsoft MAPS -> Enabled -> Disabled
|
||||
|
||||
- Configure the 'Block at First Sight' feature -> Enabled
|
||||
- Send file samples when further analysis is required -> Enabled -> Always Prompt (Send safe sample works better with 'Block at First Sight, but I really, really do not trust Microsoft on this one)
|
||||
|
||||
## Controlled Folder Access
|
||||
|
||||
@ -15,11 +17,28 @@
|
||||
|
||||
- Configure Controlled folder access -> Enabled -> Block
|
||||
|
||||
## Network Protection
|
||||
|
||||
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Network Protection`
|
||||
|
||||
Only relevant if SmartScreen is used.
|
||||
|
||||
Documentation:
|
||||
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide
|
||||
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide
|
||||
|
||||
This settings controls whether Network protection is allowed to be configured into block or audit mode on Windows -> Enabled (Only relevant if running Windows Server)
|
||||
Prevent users and apps from accessing dangerous websites -> Enabled -> Block
|
||||
|
||||
## MpEngine
|
||||
|
||||
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine`
|
||||
|
||||
Only relevant if MAPS is used
|
||||
|
||||
- Enable file hash computation feature -> Enabled
|
||||
- Configure extended cloud check -> Specify the extended cloud check time in seconds -> 50
|
||||
- Select cloud protection level -> Zero tolerance blocking level
|
||||
|
||||
## Quarantine
|
||||
|
||||
|
@ -0,0 +1,8 @@
|
||||
# Microsoft Edge
|
||||
|
||||
`Computer Configuration\Policies\Administrative Templates\Microsoft Edge`
|
||||
`Computer Configuration\Policies\Administrative Templates\Microsoft Edge - Default Settings (users can override)`
|
||||
|
||||
You will need to download the Edge policies from https://www.microsoft.com/en-us/edge/business/download?form=MA13FJ and install it.
|
||||
|
||||
For the actual policies to set, you can follow my repo at https://github.com/TommyTran732/Microsoft-Edge-Policies at set the equivalent group policies of what is being set there.
|
@ -1,5 +0,0 @@
|
||||
# Cast
|
||||
|
||||
`Computer Configuration\Policies\Administrative Templates\Microsoft Edge\Cast`
|
||||
|
||||
- Enabled Google Cast -> Disabled `EnableMediaRouter: false`
|
@ -1,13 +0,0 @@
|
||||
# Content Settings
|
||||
|
||||
`Computer Configuration\Policies\Administrative Templates\Microsoft Edge\Content Settings`
|
||||
|
||||
- Block cookies on specific sites -> ntp.msn.com `CookiesBlockedForUrls": [ "ntp.msn.com" ]`
|
||||
- Default geolocation setting -> Enabled -> Don't allow any site to track users' physical location `DefaultGeolocationSetting: 2`
|
||||
- Control use of insecure content Exceptions -> Enabled -> Do not allow any sites to load mixed content `DefaultInsecureContentSetting: 2`
|
||||
- Configure cookies -> Enabled -> Keep cookies for the duration of the session, except ones listed in "SaveCookiesOnExit" `DefaultCookiesSetting: 4`
|
||||
- Default setting for third-party storage partitioning -> Let third-party storage partitioning to be enabled. `DefaultThirdPartyStoragePartitioningSetting: 1`
|
||||
- Control the use of File System API for reading -> Don't allow any site to request and read access to files and directories via the File System API `DefaultFileSystemReadGuardSetting: 2`
|
||||
- Control the use of File System API for writing -> Don't allow any site to request and write access to files and directories via the File System API `DefaultFileSystemWriteGuardSetting: 2`
|
||||
- Control use of the Web Bluetooth API -> Don't allow any site to request access to Bluetooth devices via the Web Bluetooth API `DefaultWebBluetoothGuardSetting: 2`
|
||||
- Allow notifications to set Microsoft Edge as default PDF reader -> Disabled `ShowPDFDefaultRecommendationsEnabled: false`
|
@ -1,7 +0,0 @@
|
||||
# Microsoft Edge
|
||||
|
||||
`Computer Configuration\Policies\Administrative Templates\Microsoft Edge`
|
||||
|
||||
You will need to download the Edge policies from https://www.microsoft.com/en-us/edge/business/download?form=MA13FJ and install it.
|
||||
|
||||
SmartScreen and Typosquatting as recommeded settings doesn't seem to apply consistently, therefore I force them to be disabled in my Domain Default Policy.
|
@ -7,4 +7,4 @@ Documentation: https://learn.microsoft.com/en-us/windows/security/application-se
|
||||
- User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode -> Prompt for credentials
|
||||
- User Account Control: Only elevate executables that are signed and validated -> Enabled
|
||||
- User Account Control: Switch to the secure desktop when prompting for elevation -> Enabled (Docs says it is enabled by default, but it is off on my Parallels VM somehow)
|
||||
- Network security: LDAP client signing requirements: Require signing (**Follow this guide to setup LDAPS if you do not have key server: https://www.dvolve.net/blog/2019/12/using-lets-encrypt-for-active-directory-domain-controller-certificates/**)
|
||||
- Security setting -> Define -> Require signing (**Follow this guide to setup LDAPS if you do not have key server: https://www.dvolve.net/blog/2019/12/using-lets-encrypt-for-active-directory-domain-controller-certificates/**)
|
@ -1,9 +1,6 @@
|
||||
# Windows Defender SmartScreen
|
||||
|
||||
**SmartScreen and features dependent on it disabled using this policy. It is quite invasive so I will only enable it for certain OUs.**
|
||||
|
||||
`Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender SmartScreen`
|
||||
|
||||
- Enhanced Phishing Protection -> Service Enabled -> Disabled
|
||||
- Explorer -> Configure Windows Defender SmartScreen -> Disabled
|
||||
- Enhanced Phishing Protection -> Service Enabled -> Disabled (**Does not show on Windows Server 2022 by default**)
|
||||
- Microsoft Edge -> Configure Windows Defender SmartScreen -> Disabled
|
||||
|
@ -1,5 +0,0 @@
|
||||
# Microsoft account
|
||||
|
||||
`Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft account`
|
||||
|
||||
- Block all consumer Microsoft account user authentication -> Disabled
|
@ -1,47 +0,0 @@
|
||||
# Microsoft Edge
|
||||
|
||||
`Computer Configuration\Policies\Administrative Templates\Microsoft Edge`
|
||||
|
||||
- SmartScreen settings -> Configure Microsoft Defender SmartScreen -> Enabled
|
||||
- SmartScreen settings -> Configure Microsoft SmartScreen to block potentially unwanted apps -> Enabled
|
||||
- TyposuqattingChecker settings -> Configure Edge TyposquattingChecker -> Enabled
|
||||
|
||||
|
||||
# Microsoft Defender Antivirus
|
||||
|
||||
## MAPS
|
||||
|
||||
`Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus`
|
||||
- Join Microsoft MAPS -> Enabled -> Advanced Membership
|
||||
- Configure the 'Block at First Sight' feature -> Enabled
|
||||
- Send file samples when further analysis is required -> Enabled -> Always Prompt (Send safe sample works better with 'Block at First Sight, but I really, really do not trust Microsoft on this one)
|
||||
|
||||
## Network Protection
|
||||
|
||||
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Network Protection`
|
||||
|
||||
Only relevant if SmartScreen is used.
|
||||
|
||||
Documentation:
|
||||
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide
|
||||
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide
|
||||
|
||||
This settings controls whether Network protection is allowed to be configured into block or audit mode on Windows -> Enabled (Only relevant if running Windows Server)
|
||||
Prevent users and apps from accessing dangerous websites -> Enabled -> Block
|
||||
|
||||
## MpEngine
|
||||
|
||||
`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine`
|
||||
|
||||
Only relevant if MAPS is used
|
||||
|
||||
- Configure extended cloud check -> Specify the extended cloud check time in seconds -> 50
|
||||
- Select cloud protection level -> Zero tolerance blocking level
|
||||
|
||||
|
||||
# Windows Defender SmartScreen
|
||||
|
||||
`Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender SmartScreen`
|
||||
|
||||
- Explorer -> Configure Windows Defender SmartScreen -> Enabled -> Warn
|
||||
- Microsoft Edge -> Configure Windows Defender SmartScreen -> Enabled
|
@ -0,0 +1,14 @@
|
||||
# Microsoft Edge
|
||||
|
||||
`Computer Configuration\Policies\Administrative Templates\Microsoft Edge`
|
||||
|
||||
- SmartScreen settings -> Configure Microsoft Defender SmartScreen -> Enabled
|
||||
- SmartScreen settings -> Configure Microsoft SmartScreen to block potentially unwanted apps -> Enabled
|
||||
- TyposuqattingChecker settings -> Configure Edge TyposquattingChecker -> Enabled
|
||||
|
||||
|
||||
# Microsoft Defender Antivirus
|
||||
|
||||
`Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus`
|
||||
|
||||
- Join Microsoft MAPS -> Enabled -> Advanced Membership
|
@ -1,5 +0,0 @@
|
||||
# Microsoft account
|
||||
|
||||
`Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft account`
|
||||
|
||||
- Block all consumer Microsoft account user authentication -> Disabled
|
@ -1,5 +0,0 @@
|
||||
# Security Options
|
||||
|
||||
`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options`
|
||||
|
||||
- User Account Control: Only elevate executables that are signed and validated -> Disabled
|
Loading…
Reference in New Issue
Block a user