diff --git a/Harden-Windows-Security Module/Main files/C#/CimInstances/MDM.cs b/Harden-Windows-Security Module/Main files/C#/CimInstances/MDM.cs index 2b6452466..4148e8ea1 100644 --- a/Harden-Windows-Security Module/Main files/C#/CimInstances/MDM.cs +++ b/Harden-Windows-Security Module/Main files/C#/CimInstances/MDM.cs @@ -46,12 +46,9 @@ private static async Task>>> foreach (MdmRecord record in records) { // Process only authorized records - if (record.Authorized?.Equals("TRUE", StringComparison.OrdinalIgnoreCase) == true) + if (record.Authorized.Equals("TRUE", StringComparison.OrdinalIgnoreCase)) { - // Debugging output - // Logger.LogMessage($"Namespace: {record.Namespace}, Class: {record.Class}"); - // Add a new task for each class query tasks.Add(Task.Run(() => { @@ -72,7 +69,7 @@ private static async Task>>> } // Create object query for the current class - string classQuery = record.Class?.Trim() ?? throw new InvalidOperationException("Record.Class is null"); + string classQuery = record.Class.Trim(); ObjectQuery query = new("SELECT * FROM " + classQuery); // Create management object searcher for the query @@ -125,14 +122,24 @@ private static async Task>>> return results; } - // Helper method to get property value as original type + + /// + /// Helper method to get property value as original type + /// + /// + /// private static object GetPropertyOriginalValue(PropertyData prop) { // Return the value of the property return prop.Value; } - // Helper method to read CSV file asynchronously + + /// + /// Helper method to read CSV file asynchronously + /// + /// + /// private static async Task> ReadCsvFileAsync(string filePath) { List records = []; @@ -149,9 +156,10 @@ private static async Task> ReadCsvFileAsync(string filePath) continue; // Skip the header line } - // This check is redundant but shows explicit handling if (line is null) + { continue; + } string[] values = line.Split(','); 
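Review bot: In the second hunk `string classQuery = record.Class.Trim();` removes the only guard on the value that is concatenated into the WQL text `"SELECT * FROM " + classQuery`; `required string` rules out null, but an empty or malformed `Class` cell now reaches the query unchecked and fails as an opaque exception inside the `Task.Run` lambda. As far as this page shows the CSV ships with the module, so this is a data-integrity rather than an injection concern, but the query text should still not be built from an unvalidated cell. Suggest `if (string.IsNullOrWhiteSpace(classQuery)) { throw new InvalidOperationException($"Record.Class is empty for namespace {record.Namespace}"); }` before `ObjectQuery query = new(...)`. The enclosing method starts before the first hunk and continues after it; the same applies to `ReadCsvFileAsync`, whose `line.Split(',')` is a naive CSV split that the later hunks still rely on.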
@@ -175,8 +183,8 @@ private static async Task> ReadCsvFileAsync(string filePath)
 // Class to represent a record in the CSV file
 private sealed class MdmRecord
 {
- internal string? Namespace { get; set; }
- internal string? Class { get; set; }
- internal string? Authorized { get; set; }
+ internal required string Namespace { get; set; }
+ internal required string Class { get; set; }
+ internal required string Authorized { get; set; }
 }
 }
diff --git a/Harden-Windows-Security Module/Main files/C#/GUI/Protection/EventHandlers.cs b/Harden-Windows-Security Module/Main files/C#/GUI/Protection/EventHandlers.cs
index 7f100a5fd..346cea656 100644
--- a/Harden-Windows-Security Module/Main files/C#/GUI/Protection/EventHandlers.cs
+++ b/Harden-Windows-Security Module/Main files/C#/GUI/Protection/EventHandlers.cs
@@ -606,6 +606,10 @@ await Task.Run(() =>
 case "TLSSecurity":
 {
 TLSSecurity.Invoke();
+ if (SelectedSubCategories.Contains("TLSSecurity_BattleNetClient"))
+ {
+ TLSSecurity.TLSSecurity_BattleNetClient();
+ }
 break;
 }
 case "LockScreen":
diff --git a/Harden-Windows-Security Module/Main files/C#/GUI/Protection/Variables.cs b/Harden-Windows-Security Module/Main files/C#/GUI/Protection/Variables.cs
index 8f84106b6..141569e66 100644
--- a/Harden-Windows-Security Module/Main files/C#/GUI/Protection/Variables.cs
+++ b/Harden-Windows-Security Module/Main files/C#/GUI/Protection/Variables.cs
@@ -43,6 +43,7 @@ public static partial class GUIProtectWinSecurity
 { "LockScreen", new string[] { "LockScreen_CtrlAltDel", "LockScreen_NoLastSignedIn" } },
 { "UserAccountControl", new string[] { "UAC_NoFastSwitching", "UAC_OnlyElevateSigned" } },
 { "WindowsNetworking", new string[] { "WindowsNetworking_BlockNTLM" } },
+ { "TLSSecurity", new string[] { "TLSSecurity_BattleNetClient" } },
 { "MiscellaneousConfigurations", new string[] { "Miscellaneous_WindowsProtectedPrint", "MiscellaneousConfigurations_LongPathSupport", "MiscellaneousConfigurations_StrongKeyProtection" } },
 { "DeviceGuard", new string[] { "DeviceGuard_MandatoryVBS" } },
 { "CountryIPBlocking", new string[] { "CountryIPBlocking_OFAC" } },
diff --git a/Harden-Windows-Security Module/Main files/C#/Others/CategoryProcessing.cs b/Harden-Windows-Security Module/Main files/C#/Others/CategoryProcessing.cs
index 57d3cd965..b861f5955 100644
--- a/Harden-Windows-Security Module/Main files/C#/Others/CategoryProcessing.cs
+++ b/Harden-Windows-Security Module/Main files/C#/Others/CategoryProcessing.cs
@@ -10,21 +10,22 @@ namespace HardenWindowsSecurity; // Registry keys are case-insensitive // https://learn.microsoft.com/en-us/windows/win32/sysinfo/structure-of-the-registry -public static class CategoryProcessing +internal static class CategoryProcessing { // to store the structure of the Registry resources CSV data private sealed class CsvRecord { - public required string Origin { get; set; } - public required ComplianceCategories Category { get; set; } - public required string Hive { get; set; } - public required string Key { get; set; } - public required string Name { get; set; } - public required string FriendlyName { get; set; } - public required string Type { get; set; } - public required List Value { get; set; } - public required bool ValueIsList { get; set; } - public string? CSPLink { get; set; } + internal required string Origin { get; set; } + internal required ComplianceCategories Category { get; set; } + internal required string Hive { get; set; } + internal required string Key { get; set; } + internal required string Name { get; set; } + internal required string FriendlyName { get; set; } + internal required string Type { get; set; } + internal required List Value { get; set; } + internal required bool ValueIsList { get; set; } + internal required bool Exists { get; set; } + internal string? CSPLink { get; set; } } // method to parse the CSV file and return a list of CsvRecord objects 
@@ -59,40 +60,34 @@ private static List ReadCsv() string[] fields = ParseCsvLine(line); - if (fields.Length == 10) + if (fields.Length is not 11) { - // Determine if the ValueIsList field is true - bool valueIsList = bool.Parse(fields[8]); + throw new ArgumentException("The 'Registry resources.csv' file is not formatted correctly. There should be 11 fields in each line."); + } - // Split the value field by commas only if ValueIsList is true - List values = valueIsList - ? [.. fields[7].Trim('"').Split(',').Select(v => v.Trim())] - : [fields[7].Trim('"')]; + // Determine if the ValueIsList field is true + bool valueIsList = bool.Parse(fields[8]); + // Split the value field by commas only if ValueIsList is true + List values = valueIsList + ? [.. fields[7].Trim('"').Split(',').Select(v => v.Trim())] + : [fields[7].Trim('"')]; - if (!Enum.TryParse(fields[1], true, out ComplianceCategories categoryName)) - { - throw new InvalidDataException($"Invalid category name in the 'Registry resources.csv' file: {categoryName}"); - } - records.Add(new CsvRecord - { - Origin = fields[0], - Category = categoryName, - Hive = fields[2], - Key = fields[3], - Name = fields[4], - FriendlyName = fields[5], - Type = fields[6], - Value = values, - ValueIsList = valueIsList, - CSPLink = fields[9] - }); - } - else + records.Add(new CsvRecord { - throw new ArgumentException("The CSV file is not formatted correctly. There should be 10 fields in each line."); - } + Origin = fields[0], + Category = Enum.Parse(fields[1], true), + Hive = fields[2], + Key = fields[3], + Name = fields[4], + FriendlyName = fields[5], + Type = fields[6], + Value = values, + ValueIsList = valueIsList, + Exists = bool.Parse(fields[9]), + CSPLink = fields[10] + }); } } 
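Review bot: `throw new ArgumentException("The 'Registry resources.csv' file is not formatted correctly. ...")` misrepresents the failure — no method argument is at fault, the data file is — and the branch this hunk removes used `InvalidDataException` for exactly this kind of problem; the new `Enum.Parse(fields[1], true)` and `bool.Parse(fields[9])` calls likewise surface as `ArgumentException`/`FormatException` without saying which line was bad. Suggest `throw new InvalidDataException(...)` for the field-count check and reporting the offending line for the parse failures, e.g. wrapping the per-line work in `catch (Exception ex) when (ex is ArgumentException or FormatException) { throw new InvalidDataException($"Invalid record in 'Registry resources.csv': {line}", ex); }`. With the removed `TryParse` branch gone, a typo in a category or boolean cell now aborts the whole compliance run with a message that does not name the cell. `ReadCsv` begins before this hunk.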
@@ -160,176 +155,208 @@ internal static List ProcessCategory(ComplianceCategories catN // Read the CSV data List csvData = ReadCsv(); - // Filter the items based on category and origin + // Filter the items based on category and origin/method var filteredItems = csvData.Where(item => item.Category == catName && - item.Origin?.Equals(method, StringComparison.OrdinalIgnoreCase) == true + item.Origin.Equals(method, StringComparison.OrdinalIgnoreCase) ); // Process each filtered item foreach (CsvRecord item in filteredItems) { - // Initialize variables - bool valueMatches = false; - string? regValueStr = null; + // If the registry key should not exist + if (!item.Exists) + { + bool keyExists = false; + + // Check in HKEY_CLASSES_ROOT + if (item.Hive.Equals("HKEY_CLASSES_ROOT", StringComparison.OrdinalIgnoreCase)) + { + if (item.Key is not null) + { + // Try to open the key in HKEY_CLASSES_ROOT + using RegistryKey? key = Registry.ClassesRoot.OpenSubKey(item.Key); + + // Determine if the key exists + keyExists = key is not null; + } + } + + // Will implement more if needed + - // If the type defined in the CSV is HKLM - if (item.Hive is not null && item.Hive.Equals("HKEY_LOCAL_MACHINE", StringComparison.OrdinalIgnoreCase)) + // Add the result to the output + output.Add(new IndividualResult + { + FriendlyName = item.FriendlyName, + Compliant = !keyExists, // Compliance is true if the key does NOT exist + Value = keyExists ? "Exists" : "Does not exist", // Report existence status + Name = item.Name, + Category = catName, + Method = Enum.Parse(method, true) + }); + + } + + // If the registry key should exist + else { - // Open the registry key in HKEY_LOCAL_MACHINE - if (item.Key is not null) + + // Initialize variables + bool valueMatches = false; + string? regValueStr = null; + + // If the type defined in the CSV is HKLM + if (item.Hive.Equals("HKEY_LOCAL_MACHINE", StringComparison.OrdinalIgnoreCase)) { // Open the registry key in HKEY_LOCAL_MACHINE - using RegistryKey? 
key = Registry.LocalMachine.OpenSubKey(item.Key); - - if (key is not null) + if (item.Key is not null) { - // Get the registry value - var regValue = key.GetValue(item.Name); + // Open the registry key in HKEY_LOCAL_MACHINE + using RegistryKey? key = Registry.LocalMachine.OpenSubKey(item.Key); - // Check if the registry value is an integer - if (regValue is int v) - { - // Handle the case where the DWORD value is returned as an int - // because DWORD is an UInt32 - // Then convert it to a string - regValueStr = unchecked((uint)v).ToString(CultureInfo.InvariantCulture); - } - else if (regValue is uint) - { - // Handle the case where the DWORD value is returned as a uint - regValueStr = regValue.ToString(); - } - else if (regValue is string[] v1) - { - // Convert MULTI_STRING (string[]) to a comma-separated string for display - regValueStr = string.Join(",", v1); - } - else + if (key is not null) { - // Convert the registry value to a string otherwise - regValueStr = regValue?.ToString(); - } - - // Parse the expected values based on their type in the CSV file - var parsedValues = item.Type is not null - ? item.Value?.Select(v => ParseRegistryValue(type: item.Type, value: v)).ToList() ?? [] - : []; + // Get the registry value + var regValue = key.GetValue(item.Name); - // Check if the registry value matches any of the expected values - if (regValue is not null && item.Type is not null) - { - // Convert regValueStr to uint if applicable - uint? 
regValueUInt = null; - if (uint.TryParse(regValueStr, NumberStyles.Integer, CultureInfo.InvariantCulture, out uint parsedRegValue)) + // Check if the registry value is an integer + if (regValue is int v) { - regValueUInt = parsedRegValue; + // Handle the case where the DWORD value is returned as an int + // because DWORD is an UInt32 + // Then convert it to a string + regValueStr = unchecked((uint)v).ToString(CultureInfo.InvariantCulture); } - - // Handle -1 case (which is equivalent to 4294967295 for DWORD) - // Because CompareRegistryValues doesn't do the comparison properly - if (regValueUInt == 4294967295 && item.Value is not null && item.Value.Contains("4294967295")) + else if (regValue is uint) { - valueMatches = true; + // Handle the case where the DWORD value is returned as a uint + regValueStr = regValue.ToString(); } - else if (regValueUInt == 2147483647 && item.Value is not null && item.Value.Contains("2147483647")) + else if (regValue is string[] v1) { - valueMatches = true; + // Convert MULTI_STRING (string[]) to a comma-separated string for display + regValueStr = string.Join(",", v1); } - // Used for any other value that is not DWORD max int32 or maxUint32 - else if (parsedValues.Any(parsedValue => CompareRegistryValues(type: item.Type, regValue: regValue, expectedValue: parsedValue))) + else { - valueMatches = true; + // Convert the registry value to a string otherwise + regValueStr = regValue?.ToString(); + } + + // Parse the expected values based on their type in the CSV file + var parsedValues = item.Value?.Select(v => ParseRegistryValue(type: item.Type, value: v)).ToList() ?? []; + + + // Check if the registry value matches any of the expected values + if (regValue is not null) + { + // Convert regValueStr to uint if applicable + uint? 
regValueUInt = null; + if (uint.TryParse(regValueStr, NumberStyles.Integer, CultureInfo.InvariantCulture, out uint parsedRegValue)) + { + regValueUInt = parsedRegValue; + } + + // Handle -1 case (which is equivalent to 4294967295 for DWORD) + // Because CompareRegistryValues doesn't do the comparison properly + if (regValueUInt == 4294967295 && item.Value is not null && item.Value.Contains("4294967295")) + { + valueMatches = true; + } + else if (regValueUInt == 2147483647 && item.Value is not null && item.Value.Contains("2147483647")) + { + valueMatches = true; + } + // Used for any other value that is not DWORD max int32 or maxUint32 + else if (parsedValues.Any(parsedValue => CompareRegistryValues(type: item.Type, regValue: regValue, expectedValue: parsedValue))) + { + valueMatches = true; + } } } } } - } - // If the type defined in the CSV is HKCU - else if (item.Hive?.Equals("HKEY_CURRENT_USER", StringComparison.OrdinalIgnoreCase) == true) - { - if (item.Key is not null) + // If the type defined in the CSV is HKCU + else if (item.Hive.Equals("HKEY_CURRENT_USER", StringComparison.OrdinalIgnoreCase)) { - // Open the registry key in HKEY_CURRENT_USER - using RegistryKey? key = Registry.CurrentUser.OpenSubKey(item.Key); - - if (key is not null) + if (item.Key is not null) { - // Get the registry value - var regValue = key.GetValue(item.Name); + // Open the registry key in HKEY_CURRENT_USER + using RegistryKey? 
key = Registry.CurrentUser.OpenSubKey(item.Key); - if (regValue is int v1) - { - // Handle the case where the DWORD value is returned as an int - regValueStr = unchecked((uint)v1).ToString(CultureInfo.InvariantCulture); - } - else if (regValue is uint) - { - // Handle the case where the DWORD value is returned as a uint - regValueStr = regValue.ToString(); - } - else if (regValue is string[] v) - { - // Convert MULTI_STRING (string[]) to a comma-separated string for display - regValueStr = string.Join(",", v); - } - else + if (key is not null) { - regValueStr = regValue?.ToString(); - } + // Get the registry value + var regValue = key.GetValue(item.Name); - // Parse the expected values based on their type in the CSV file - var parsedValues = item.Type is not null - ? item.Value?.Select(v => ParseRegistryValue(type: item.Type, value: v)).ToList() ?? [] - : []; - - // Check if the registry value matches any of the expected values - if (regValue is not null && item.Type is not null) - { - // Convert regValueStr to uint if applicable - uint? 
regValueUInt = null; - if (uint.TryParse(regValueStr, NumberStyles.Integer, CultureInfo.InvariantCulture, out uint parsedRegValue)) + if (regValue is int v1) { - regValueUInt = parsedRegValue; + // Handle the case where the DWORD value is returned as an int + regValueStr = unchecked((uint)v1).ToString(CultureInfo.InvariantCulture); } - - // Handle special DWORD cases manually - if (regValueUInt == 4294967295 && item.Value is not null && item.Value.Contains("4294967295")) + else if (regValue is uint) { - // DWORD -1 case, equivalent to max Uint32 - valueMatches = true; + // Handle the case where the DWORD value is returned as a uint + regValueStr = regValue.ToString(); } - else if (regValueUInt == 2147483647 && item.Value is not null && item.Value.Contains("2147483647")) + else if (regValue is string[] v) { - // DWORD maximum signed int32 case - valueMatches = true; + // Convert MULTI_STRING (string[]) to a comma-separated string for display + regValueStr = string.Join(",", v); } - // Fallback to general comparison using CompareRegistryValues - else if (parsedValues.Any(parsedValue => CompareRegistryValues(type: item.Type, regValue: regValue, expectedValue: parsedValue))) + else { - valueMatches = true; + regValueStr = regValue?.ToString(); + } + + // Parse the expected values based on their type in the CSV file + var parsedValues = item.Value?.Select(v => ParseRegistryValue(type: item.Type, value: v)).ToList() ?? []; + + // Check if the registry value matches any of the expected values + if (regValue is not null) + { + // Convert regValueStr to uint if applicable + uint? 
regValueUInt = null; + if (uint.TryParse(regValueStr, NumberStyles.Integer, CultureInfo.InvariantCulture, out uint parsedRegValue)) + { + regValueUInt = parsedRegValue; + } + + // Handle special DWORD cases manually + if (regValueUInt == 4294967295 && item.Value is not null && item.Value.Contains("4294967295")) + { + // DWORD -1 case, equivalent to max Uint32 + valueMatches = true; + } + else if (regValueUInt == 2147483647 && item.Value is not null && item.Value.Contains("2147483647")) + { + // DWORD maximum signed int32 case + valueMatches = true; + } + // Fallback to general comparison using CompareRegistryValues + else if (parsedValues.Any(parsedValue => CompareRegistryValues(type: item.Type, regValue: regValue, expectedValue: parsedValue))) + { + valueMatches = true; + } } } } } - } - if (!Enum.TryParse(method, true, out ConfirmSystemComplianceMethods.Method methodEnum)) - { - throw new InvalidDataException($"Invalid method name in the 'Registry resources.csv' file: {method}"); + // Add a new result to the output list + output.Add(new IndividualResult + { + FriendlyName = item.FriendlyName, + Compliant = valueMatches, + Value = regValueStr ?? string.Empty, + Name = item.Name, + Category = catName, + Method = Enum.Parse(method, true) + }); } - // Add a new result to the output list - output.Add(new IndividualResult - { - FriendlyName = item.FriendlyName ?? "Unknown", // Ensure FriendlyName is non-null - Compliant = valueMatches, - Value = regValueStr ?? string.Empty, - Name = item.Name ?? "Unknown", // Ensure Name is non-null - Category = catName, - Method = methodEnum - }); } // Return the output list diff --git a/Harden-Windows-Security Module/Main files/C#/Others/CiToolRunner.cs b/Harden-Windows-Security Module/Main files/C#/Others/CiToolHelper.cs similarity index 58% rename from Harden-Windows-Security Module/Main files/C#/Others/CiToolRunner.cs rename to Harden-Windows-Security Module/Main files/C#/Others/CiToolHelper.cs index 7b537c29e..59182fa65 100644 
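Review bot: In the new `!item.Exists` branch only HKEY_CLASSES_ROOT is consulted; for a record whose Hive is anything else `keyExists` stays false and the item is emitted with `Compliant = !keyExists` (true) and `Value = "Does not exist"` without the registry ever being read, so the compliance report can show a pass for a key that is present. The placeholder `// Will implement more if needed` should be a hard failure so an unsupported CSV row is caught when the resource file is edited rather than reported as compliant: `else { throw new NotSupportedException($"Existence checks are not implemented for hive '{item.Hive}'."); }`. Separately, the `item.Key is not null` guards and `item.Value?.Select(...)` are now dead because `Key` and `Value` are `required` non-nullable properties, and the HKLM and HKCU blocks are identical apart from the root key, so choosing `RegistryKey root = ... ? Registry.LocalMachine : Registry.CurrentUser` once before a single shared block would halve this hunk. `ProcessCategory` starts before the hunk and its `return output` lies after it.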
--- a/Harden-Windows-Security Module/Main files/C#/Others/CiToolRunner.cs
+++ b/Harden-Windows-Security Module/Main files/C#/Others/CiToolHelper.cs
@@ -3,18 +3,43 @@ using System.Diagnostics; using System.Globalization; using System.IO; +using System.Text; using System.Text.Json; +// The following code is exact mirror of the same code in AppControl Manager's codebase namespace HardenWindowsSecurity; -internal static class CiToolRunner +// Class to represent a policy with various attributes +public sealed class CiPolicyInfo +{ + public string? PolicyID { get; set; } // Unique identifier for the policy + public string? BasePolicyID { get; set; } // Identifier for the base policy + public string? FriendlyName { get; set; } // Human-readable name of the policy + public Version? Version { get; set; } // Version object representing the policy version + public string? VersionString { get; set; } // Original version string from the policy data + public bool IsSystemPolicy { get; set; } // Indicates if it's a system policy + public bool IsSignedPolicy { get; set; } // Indicates if the policy is signed + public bool IsOnDisk { get; set; } // Indicates if the policy is present on disk + public bool IsEnforced { get; set; } // Indicates if the policy is enforced + public bool IsAuthorized { get; set; } // Indicates if the policy is authorized + internal List? PolicyOptions { get; set; } // List of options or settings related to the policy + + + // A property to format PolicyOptions as a comma-separated string + public string PolicyOptionsDisplay => PolicyOptions is not null ? string.Join(", ", PolicyOptions) : string.Empty; +} + + +// This class contains all the necessary logics to interact with CiTool.exe +// Any code that wants to use CiTool.exe must go through this class rather than contacting it directly +internal static class CiToolHelper { /// /// Converts a 64-bit unsigned integer into a version type, used for converting the numbers from CiTool.exe output to proper versions. /// /// The 64-bit unsigned integer as a string. 
/// The parsed version - private static Version Measure(string number) + internal static Version Measure(string number) { try { @@ -45,27 +70,21 @@ private static Version Measure(string number) catch (Exception ex) { // Handle errors by printing an error message and returning a default version of 0.0.0.0 - Logger.LogMessage($"Error converting number to version: {ex.Message}", LogTypeIntel.Error); + Logger.LogMessage($"Error converting number to version: {ex.Message}", LogTypeIntel.Information); return new Version(0, 0, 0, 0); } } - internal static JsonSerializerOptions Options => new() - { - // Ignore case when matching JSON property names - PropertyNameCaseInsensitive = true, - }; - /// - /// Gets a list of AppControl policies on the system with filtering + /// Gets a list of App Control policies on the system with filtering /// /// Will include System policies in the output /// Will include Base policies in the output /// Will include Supplemental policies in the output /// /// - internal static List RunCiTool(JsonSerializerOptions options, bool SystemPolicies = false, bool BasePolicies = false, bool SupplementalPolicies = false) + internal static List GetPolicies(bool SystemPolicies = false, bool BasePolicies = false, bool SupplementalPolicies = false) { // Create an empty list of Policy objects to return at the end List policies = []; @@ -83,9 +102,8 @@ internal static List RunCiTool(JsonSerializerOptions options, bool CreateNoWindow = true // Run the process without creating a window }; - // Start the process and capture the output - using Process? process = Process.Start(processStartInfo) ?? throw new InvalidOperationException("There was a problem running the CiTool.exe in the RunCiTool method."); + using Process? process = Process.Start(processStartInfo) ?? throw new InvalidOperationException("There was a problem running the CiTool.exe in the GetPolicies method."); // Read all output as a string string jsonOutput = process.StandardOutput.ReadToEnd(); 
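Review bot: Lowering the `Measure` catch-all log from `LogTypeIntel.Error` to `LogTypeIntel.Information` in the `@@ -45` hunk, together with the existing `return new Version(0, 0, 0, 0);` fallback, means a CiTool version field that fails to convert is reported as a policy at version 0.0.0.0 with only an informational trace; any caller that compares versions would act on a fabricated value with nothing in the log to explain it. Keep the line at `Logger.LogMessage($"Error converting number to version: {ex.Message}", LogTypeIntel.Error);` so the swallowed exception stays visible. In the first hunk, `CiPolicyInfo` is `public` with settable properties while everything that produces it is `internal`; unless the PowerShell side of the module needs the type, `internal sealed class CiPolicyInfo` with `init` setters would match the rest of the file and prevent callers mutating the parsed policy list. The body of `Measure` continues between the two hunks.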
@@ -95,12 +113,13 @@ internal static List RunCiTool(JsonSerializerOptions options, bool if (process.ExitCode != 0) { - // Throw an exception with the error message throw new InvalidOperationException($"Command execution failed with error code {process.ExitCode}"); } - // Deserialize the JSON into a JsonElement for easy traversal - var rootElement = JsonSerializer.Deserialize(jsonOutput, options); + // Parse the JSON into a JsonElement for easy traversal + using JsonDocument document = JsonDocument.Parse(Encoding.UTF8.GetBytes(jsonOutput)); + + JsonElement rootElement = document.RootElement; // If "Policies" property exists and is an array, start processing each policy if (rootElement.TryGetProperty("Policies", out JsonElement policiesElement) && policiesElement.ValueKind == JsonValueKind.Array) @@ -145,9 +164,9 @@ internal static List RunCiTool(JsonSerializerOptions options, bool /// - /// Removes a deployed AppControl policy from the system + /// Removes a deployed App Control policy from the system /// - /// the GUID which is the policy ID of the policy to be removed, with the curly brackets {} wrapped with double quotes "" + /// The GUID which is the policy ID of the policy to be removed. /// internal static void RemovePolicy(string policyId) { @@ -156,6 +175,11 @@ internal static void RemovePolicy(string policyId) throw new ArgumentException("Policy ID cannot be null or empty.", nameof(policyId)); } + // Remove any curly brackets or double quotes from the policy ID + // They will be added automatically later by the method + policyId = policyId.Trim('"', '"'); + policyId = policyId.Trim('{', '}'); + // Combine the path to CiTool.exe using the system's special folder path string ciToolPath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.System), "CiTool.exe"); 
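Review bot: In the `@@ -156` hunk `policyId = policyId.Trim('"', '"');` passes the same character twice, so it only strips ASCII double quotes (presumably a second, typographic quote was intended and flattened by rendering), and after trimming the value is still interpolated unvalidated into `--remove-policy \"{{{policyId}}}\"`; an ID containing a space or quote would change how CiTool.exe tokenises its command line. Since the documented input is a GUID, validate it as one and let the runtime produce the braces: `if (!Guid.TryParse(policyId, out Guid id)) { throw new ArgumentException("Policy ID must be a GUID.", nameof(policyId)); }` and then use `id.ToString("B")` in the arguments. The same applies to the `RemovePolicy(List<string>)` overload added in the next hunk. In the `@@ -95` hunk `JsonDocument.Parse(Encoding.UTF8.GetBytes(jsonOutput))` can simply be `JsonDocument.Parse(jsonOutput)`, which also removes the need for the new `using System.Text;`. `RemovePolicy`'s body continues after this hunk.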
@@ -163,29 +187,171 @@ internal static void RemovePolicy(string policyId) ProcessStartInfo processStartInfo = new() { FileName = ciToolPath, - Arguments = $"--remove-policy \"{{{policyId}}}\" -json", // Arguments to remove a AppControl policy + Arguments = $"--remove-policy \"{{{policyId}}}\" -json", // Arguments to remove an App Control policy RedirectStandardOutput = true, // Capture the standard output UseShellExecute = false, // Do not use the OS shell to start the process CreateNoWindow = true // Run the process without creating a window }; // Start the process and capture the output - using Process? process = Process.Start(processStartInfo) ?? throw new InvalidOperationException("There was a problem running the CiTool.exe in the RunCiTool method."); + using Process? process = Process.Start(processStartInfo) ?? throw new InvalidOperationException("There was a problem running the CiTool.exe in the GetPolicies method."); - // Don't need the output if successful - _ = process.StandardOutput.ReadToEnd(); + // Read all output as a string + string jsonOutput = process.StandardOutput.ReadToEnd(); // Wait for the process to complete process.WaitForExit(); if (process.ExitCode != 0) { - // Throw an exception with the error message - throw new InvalidOperationException($"Command execution failed with error code {process.ExitCode}"); + throw new InvalidOperationException($"Command execution failed with error code {process.ExitCode}. Output: {jsonOutput}"); + } + } + + + + + /// + /// Removes multiple deployed App Control policy from the system + /// + /// The GUIDs which are the policy IDs of the policies to be removed. 
+ /// + internal static void RemovePolicy(List policyIds) + { + + foreach (string policyId in policyIds) + { + + if (string.IsNullOrWhiteSpace(policyId)) + { + continue; + } + + // Remove any curly brackets or double quotes from the policy ID + // They will be added automatically later by the method + string ID = policyId.Trim('"', '"'); + ID = ID.Trim('{', '}'); + + // Combine the path to CiTool.exe using the system's special folder path + string ciToolPath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.System), "CiTool.exe"); + + // Set up the process start info to run CiTool.exe with necessary arguments + ProcessStartInfo processStartInfo = new() + { + FileName = ciToolPath, + Arguments = $"--remove-policy \"{{{ID}}}\" -json", // Arguments to remove an App Control policy + RedirectStandardOutput = true, // Capture the standard output + UseShellExecute = false, // Do not use the OS shell to start the process + CreateNoWindow = true // Run the process without creating a window + }; + + // Start the process and capture the output + using Process? process = Process.Start(processStartInfo) ?? throw new InvalidOperationException("There was a problem running the CiTool.exe in the GetPolicies method."); + + // Read all output as a string + string jsonOutput = process.StandardOutput.ReadToEnd(); + + // Wait for the process to complete + process.WaitForExit(); + + if (process.ExitCode != 0) + { + throw new InvalidOperationException($"Command execution failed with error code {process.ExitCode}. 
Output: {jsonOutput}"); + } + } + } + + + + /// + /// Deploys a Code Integrity policy on the system by accepting the .CIP file path + /// + /// + /// + /// + /// + internal static void UpdatePolicy(string CipPath) + { + if (string.IsNullOrWhiteSpace(CipPath)) + { + throw new ArgumentException("CipPath cannot be null or empty.", nameof(CipPath)); + } + + if (!File.Exists(CipPath)) + { + throw new FileNotFoundException($"The file '{CipPath}' does not exist.", CipPath); + } + + // Combine the path to CiTool.exe using the system's special folder path + string ciToolPath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.System), "CiTool.exe"); + + Logger.LogMessage($"Deploying the following CIP file: {CipPath}", LogTypeIntel.Information); + + // Set up the process start info to run CiTool.exe with necessary arguments + ProcessStartInfo processStartInfo = new() + { + FileName = ciToolPath, + Arguments = $"--update-policy \"{CipPath}\" -json", // Arguments to update the App Control policy + RedirectStandardOutput = true, // Capture the standard output + UseShellExecute = false, // Do not use the OS shell to start the process + CreateNoWindow = true // Run the process without creating a window + }; + + // Start the process and capture the output + using Process? process = Process.Start(processStartInfo) ?? throw new InvalidOperationException("There was a problem running the CiTool.exe in the UpdatePolicy method."); + + // Read all output as a string + string jsonOutput = process.StandardOutput.ReadToEnd(); + + // Wait for the process to complete + process.WaitForExit(); + + if (process.ExitCode != 0) + { + throw new InvalidOperationException($"Command execution failed with error code {process.ExitCode}. 
Output: {jsonOutput}"); + } + } + + + /// + /// Refreshes the currently deployed policies on the system + /// + /// + internal static void RefreshPolicy() + { + // Combine the path to CiTool.exe using the system's special folder path + string ciToolPath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.System), "CiTool.exe"); + + // Set up the process start info to run CiTool.exe with the refresh argument + ProcessStartInfo processStartInfo = new() + { + FileName = ciToolPath, + Arguments = "--refresh -json", // Arguments to refresh App Control policies + RedirectStandardOutput = true, // Capture the standard output + UseShellExecute = false, // Do not use the OS shell to start the process + CreateNoWindow = true // Run the process without creating a window + }; + + // Start the process and capture the output + using Process? process = Process.Start(processStartInfo) ?? throw new InvalidOperationException("There was a problem running the CiTool.exe in the RefreshPolicy method."); + + // Read all output as a string + string jsonOutput = process.StandardOutput.ReadToEnd(); + + // Wait for the process to complete + process.WaitForExit(); + + if (process.ExitCode != 0) + { + throw new InvalidOperationException($"Command execution failed with error code {process.ExitCode}. Output: {jsonOutput}"); } } + } + + + // Extension methods for JsonElement to simplify retrieving properties with default values internal static class JsonElementExtensions { diff --git a/Harden-Windows-Security Module/Main files/C#/Others/PolicyToCIPConverter.cs b/Harden-Windows-Security Module/Main files/C#/Others/PolicyToCIPConverter.cs new file mode 100644 index 000000000..5c3c3da57 --- /dev/null +++ b/Harden-Windows-Security Module/Main files/C#/Others/PolicyToCIPConverter.cs 
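Review bot: The new `RemovePolicy(List<string>)` overload duplicates the whole body of `RemovePolicy(string)` (path assembly, `ProcessStartInfo`, start, read, wait, exit-code check) instead of delegating, and both copies carry the copy-paste message `"There was a problem running the CiTool.exe in the GetPolicies method."` inside a method that is not `GetPolicies`. `UpdatePolicy` and `RefreshPolicy` repeat the same launch boilerplate a third and fourth time, so a single private helper that runs CiTool.exe with a given argument string would leave one place for the exit-code check and the error text. Note also that the list overload silently skips blank entries while the single overload throws on them; if that asymmetry is intended it deserves a sentence in the overload's `<summary>`. The rewrite below shows the helper and the delegating list overload.
```csharp
// Runs CiTool.exe with the given arguments and returns its standard output; throws on a non-zero exit code.
private static string RunCiTool(string arguments, string callerName)
{
    string ciToolPath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.System), "CiTool.exe");

    ProcessStartInfo processStartInfo = new()
    {
        FileName = ciToolPath,
        Arguments = arguments,
        RedirectStandardOutput = true,
        UseShellExecute = false,
        CreateNoWindow = true
    };

    using Process process = Process.Start(processStartInfo)
        ?? throw new InvalidOperationException($"There was a problem running the CiTool.exe in the {callerName} method.");

    // Read before WaitForExit so a full stdout pipe cannot deadlock the child
    string output = process.StandardOutput.ReadToEnd();
    process.WaitForExit();

    if (process.ExitCode != 0)
    {
        throw new InvalidOperationException($"Command execution failed with error code {process.ExitCode}. Output: {output}");
    }

    return output;
}

internal static void RemovePolicy(List<string> policyIds)
{
    foreach (string policyId in policyIds)
    {
        if (!string.IsNullOrWhiteSpace(policyId))
        {
            RemovePolicy(policyId);
        }
    }
}
// … unchanged: RemovePolicy(string), UpdatePolicy and RefreshPolicy, each reduced to argument building plus a RunCiTool call …
```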
@@ -0,0 +1,28 @@
+namespace HardenWindowsSecurity;
+
+internal static class PolicyToCIPConverter
+{
+ /// 
+ /// Converts a XML policy file to CIP binary file using the ConvertFrom-CIPolicy cmdlet of the ConfigCI module
+ /// 
+ /// 
+ /// 
+ internal static void Convert(string XmlFilePath, string BinaryFilePath)
+ {
+
+ // Escape the output policy path for PowerShell
+ string escapedXMLFile = $"\\\"{XmlFilePath}\\\"";
+
+ // Escape the output policy path for PowerShell
+ string escapedOutputCIP = $"\\\"{BinaryFilePath}\\\"";
+
+ // Construct the PowerShell script
+ string script = $"ConvertFrom-CIPolicy -XmlFilePath {escapedXMLFile} -BinaryFilePath {escapedOutputCIP}";
+
+ Logger.LogMessage($"PowerShell code that will be executed: {script}", LogTypeIntel.Information);
+
+ // Execute the command
+ ProcessStarter.RunCommand("powershell.exe", $"-NoProfile -Command \"{script}\"");
+ }
+
+}
diff --git a/Harden-Windows-Security Module/Main files/C#/Protect Methods/DangerousScriptHostsBlocking.cs b/Harden-Windows-Security Module/Main files/C#/Protect Methods/DangerousScriptHostsBlocking.cs
index 6becae5f6..5be31aa06 100644
--- a/Harden-Windows-Security Module/Main files/C#/Protect Methods/DangerousScriptHostsBlocking.cs
+++ b/Harden-Windows-Security Module/Main files/C#/Protect Methods/DangerousScriptHostsBlocking.cs
@@ -1,4 +1,5 @@ using System; +using System.Collections.Generic; using System.IO; namespace HardenWindowsSecurity;
@@ -6,7 +7,7 @@ namespace HardenWindowsSecurity;
 public static partial class DownloadsDefenseMeasures
 {
 /// 
- /// Blocks certain dangerous script hosts using AppControl policy
+ /// Blocks certain dangerous script hosts using App Control policy
 /// 
 /// 
 public static void DangerousScriptHostsBlocking()
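Review bot: `Convert` interpolates `XmlFilePath` and `BinaryFilePath` into a PowerShell command line and then into `-NoProfile -Command \"{script}\"`; the `\\\"` escaping covers the surrounding quotes but not a `"` or `$` inside either path, so such a path breaks the command and, since the text is evaluated by powershell.exe, is interpreted as script rather than as a literal path. The only callers visible in this commit pass paths derived from `GlobalVars`, so on this page it is a robustness issue, but the method is `internal` and accepts arbitrary strings. Safer is to hand PowerShell single-quoted literals with embedded quotes doubled, `string escapedXMLFile = "'" + XmlFilePath.Replace("'", "''") + "'";` (same for the output path), or to pass the script via `-EncodedCommand` so no argument-level quoting applies at all. Two smaller points: both `// Escape the output policy path for PowerShell` comments describe the output path although the first escapes the input XML, and `XmlFilePath`/`BinaryFilePath` are PascalCase parameters where the rest of the project uses camelCase.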
@@ -21,22 +22,31 @@ public static void DangerousScriptHostsBlocking()
 string CIPPath = Path.Combine(GlobalVars.WorkingDir, "Dangerous-Script-Hosts-Blocking.cip");
 string XMLPath = Path.Combine(GlobalVars.path, "Resources", "Dangerous-Script-Hosts-Blocking.xml");
 
- // Use string interpolation without the @ symbol for multiline
- string script = $@"
- $CurrentBasePolicyNames = [System.Collections.Generic.HashSet[System.String]]@(
- ((&""$env:SystemDrive\Windows\System32\CiTool.exe"" -lp -json | ConvertFrom-Json).Policies |
- Where-Object -FilterScript {{ ($_.IsSystemPolicy -ne 'True') -and ($_.PolicyID -eq $_.BasePolicyID) }}).FriendlyName
- )
-
- if (($null -eq $CurrentBasePolicyNames) -or (-NOT ($CurrentBasePolicyNames.Contains('Dangerous-Script-Hosts-Blocking')))) {{
- $null = ConvertFrom-CIPolicy -XmlFilePath '{XMLPath}' -BinaryFilePath '{CIPPath}'
- $null = CiTool.exe --update-policy '{CIPPath}' -json
- }}
- else {{
- Write-Verbose -Message 'The Dangerous-Script-Hosts-Blocking policy is already deployed' -Verbose
- }}
- ";
-
- _ = PowerShellExecutor.ExecuteScript(script);
+ // Run the CiTool and retrieve a list of base policies
+ List policies = CiToolHelper.GetPolicies(SystemPolicies: false, BasePolicies: true, SupplementalPolicies: false);
+
+ bool isFound = false;
+
+ // loop over all policies
+ foreach (CiPolicyInfo item in policies)
+ {
+ // find the policy with the right name
+ if (string.Equals(item.FriendlyName, "Dangerous-Script-Hosts-Blocking", StringComparison.OrdinalIgnoreCase))
+ {
+ isFound = true;
+ break;
+ }
+ }
+
+ // If the Dangerous-Script-Hosts-Blocking is not deployed
+ if (!isFound)
+ {
+ PolicyToCIPConverter.Convert(XMLPath, CIPPath);
+ CiToolHelper.UpdatePolicy(CIPPath);
+ }
+ else
+ {
+ Logger.LogMessage("The Dangerous-Script-Hosts-Blocking policy is already deployed", LogTypeIntel.Information);
+ }
 }
 }
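Review bot: `CiToolHelper.UpdatePolicy(CIPPath)` runs immediately after `PolicyToCIPConverter.Convert`, but nothing checks that the conversion actually produced `CIPPath`; `Convert` returns void, so a failed `ConvertFrom-CIPolicy` would leave whatever `.cip` already sits in `GlobalVars.WorkingDir` from an earlier run to be deployed as if it were fresh. Deleting a stale file first and verifying the output exists before deployment keeps the deployed binary tied to the XML of this run: `if (File.Exists(CIPPath)) { File.Delete(CIPPath); }` before the `Convert` call, and `if (!File.Exists(CIPPath)) { throw new FileNotFoundException("ConvertFrom-CIPolicy did not produce the CIP file", CIPPath); }` before `UpdatePolicy`. The same convert-then-deploy sequence appears in the `DownloadsDefenseMeasures.Invoke` hunk below and needs the same guard.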
diff --git a/Harden-Windows-Security Module/Main files/C#/Protect Methods/DownloadsDefenseMeasures.cs b/Harden-Windows-Security Module/Main files/C#/Protect Methods/DownloadsDefenseMeasures.cs
index f87415693..6451e7790 100644
--- a/Harden-Windows-Security Module/Main files/C#/Protect Methods/DownloadsDefenseMeasures.cs
+++ b/Harden-Windows-Security Module/Main files/C#/Protect Methods/DownloadsDefenseMeasures.cs
@@ -1,97 +1,128 @@ +using System; +using System.Collections.Generic; +using System.IO; +using System.Runtime.InteropServices; +using System.Xml; + namespace HardenWindowsSecurity; public static partial class DownloadsDefenseMeasures { + + // GUID for the Downloads folder + private static Guid FolderDownloads = new("374DE290-123F-4565-9164-39C4925E467B"); + + [DllImport("shell32.dll")] + [DefaultDllImportSearchPaths(DllImportSearchPath.System32)] + private static extern int SHGetKnownFolderPath( + ref Guid rfid, uint dwFlags, IntPtr hToken, out IntPtr ppszPath); + + /// /// Prevents executables originating from the Downloads folder from running, using AppControl policy /// public static void Invoke() { + if (GlobalVars.path is null) + { + throw new ArgumentNullException("GlobalVars.path cannot be null."); + } ChangePSConsoleTitle.Set("🎇 Downloads Defense Measures"); Logger.LogMessage("Running the Downloads Defense Measures category", LogTypeIntel.Information); - // PowerShell script with embedded {UserValue} directly in the string using @"" - string script = $@" -$VerbosePreference = 'Continue' -$script:ErrorActionPreference = 'Stop' - -#region Installation And Update - -# a flag indicating the WDACConfig module must be downloaded and installed on the system -[System.Boolean]$ShouldInstallWDACConfigModule = $true - -Write-Verbose -Message 'Getting the latest available version number of the WDACConfig module' -[System.Version]$WDACConfigLatestVersion = Invoke-RestMethod -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/WDACConfig/version.txt' - -Write-Verbose -Message 'Getting the latest available version of the WDACConfig module from the local system, if it exists' -[System.Management.Automation.PSModuleInfo]$WDACConfigModuleLocalStatus = Get-Module -ListAvailable -Name 'WDACConfig' -Verbose:$false | Sort-Object -Property Version -Descending | Select-Object -First 1 - -# If the WDACConfig module is already installed on the system and its 
version is greater than or equal to the latest version available on GitHub repo then don't install it again -if (($null -ne $WDACConfigModuleLocalStatus) -and ($WDACConfigModuleLocalStatus.count -gt 0)) {{ - if ($WDACConfigModuleLocalStatus.Version -ge $WDACConfigLatestVersion) {{ - $ShouldInstallWDACConfigModule = $false - Write-Verbose -Message 'Skipping WDACConfig module installation, it is already installed.' - }} - else {{ - [System.String]$ReasonToInstallWDACConfigModule = ""the installed WDACConfig module version $($WDACConfigModuleLocalStatus.Version) is less than the latest available version $($WDACConfigLatestVersion)"" - Write-Verbose -Message 'Removing the WDACConfig module' - try {{ - $null = Uninstall-Module -Name 'WDACConfig' -Force -Verbose:$false -AllVersions - }} - catch {{}} - }} -}} -else {{ - [System.String]$ReasonToInstallWDACConfigModule = 'it is not installed on the system' -}} - -if ($ShouldInstallWDACConfigModule) {{ - Write-Verbose -Message ""Installing the WDACConfig module because $ReasonToInstallWDACConfigModule"" - Install-Module -Name 'WDACConfig' -Force -Verbose:$false -Scope 'AllUsers' -RequiredVersion $WDACConfigLatestVersion -}} - -#endregion Installation And Update - -Write-Verbose -Message 'Getting the currently deployed base policy names' -$CurrentBasePolicyNames = [System.Collections.Generic.HashSet[System.String]](((&""$env:SystemDrive\Windows\System32\CiTool.exe"" -lp -json | ConvertFrom-Json).Policies | Where-Object -FilterScript {{ ($_.IsSystemPolicy -ne 'True') -and ($_.PolicyID -eq $_.BasePolicyID) }}).FriendlyName) - -# Only deploy the Downloads-Defense-Measures policy if it is not already deployed -if (($null -eq $CurrentBasePolicyNames) -or (-NOT ($CurrentBasePolicyNames.Contains('Downloads-Defense-Measures')))) {{ - - Write-Verbose -Message 'Detecting the Downloads folder path on system' - [System.IO.FileInfo]$DownloadsPathSystem = (New-Object -ComObject Shell.Application).NameSpace('shell:Downloads').Self.path - 
Write-Verbose -Message ""The Downloads folder path on system is $DownloadsPathSystem"" - - # Checking if the Edge preferences file exists - if ([System.IO.File]::Exists(""$env:SystemDrive\Users\{GlobalVars.userName}\AppData\Local\Microsoft\Edge\User Data\Default\Preferences"")) {{ - - Write-Verbose -Message 'Detecting the Downloads path in Edge' - [PSCustomObject]$CurrentUserEdgePreference = ConvertFrom-Json -InputObject (Get-Content -Raw -Path ""$env:SystemDrive\Users\{GlobalVars.userName}\AppData\Local\Microsoft\Edge\User Data\Default\Preferences"") - [System.IO.FileInfo]$DownloadsPathEdge = $CurrentUserEdgePreference.savefile.default_directory - - # Ensure there is an Edge browser profile and it was initialized - if ((-NOT [System.String]::IsNullOrWhitespace($DownloadsPathEdge.FullName))) {{ - - Write-Verbose -Message ""The Downloads path in Edge is $DownloadsPathEdge"" - - # Display a warning for now - if ($DownloadsPathEdge.FullName -ne $DownloadsPathSystem.FullName) {{ - Write-Warning -Message ""The Downloads path in Edge ($($DownloadsPathEdge.FullName)) is different than the system's Downloads path ($($DownloadsPathSystem.FullName))"" - }} - }} - }} - - Write-Verbose -Message 'Creating and deploying the Downloads-Defense-Measures policy' - New-DenyWDACConfig -PathWildCards -PolicyName 'Downloads-Defense-Measures' -FolderPath ""$DownloadsPathSystem\*"" -Deploy -Verbose:$Verbose -EmbeddedVerboseOutput - -}} -else {{ - Write-Verbose -Message 'The Downloads-Defense-Measures policy is already deployed' -}} -"; - - _ = PowerShellExecutor.ExecuteScript(script); + string CIPPath = Path.Combine(GlobalVars.WorkingDir, "Downloads-Defense-Measures.cip"); + string XMLPath = Path.Combine(GlobalVars.path, "Resources", "Downloads-Defense-Measures.xml"); + + // The path to use to save the modified XML policy file and deploy it + string XMLPathToDeploy = Path.Combine(GlobalVars.WorkingDir, "Downloads-Defense-Measures.xml"); + + // Run the CiTool and retrieve a list of base 
policies + List policies = CiToolHelper.GetPolicies(SystemPolicies: false, BasePolicies: true, SupplementalPolicies: false); + + bool isFound = false; + + // loop over all policies + foreach (CiPolicyInfo item in policies) + { + // find the policy with the right name + if (string.Equals(item.FriendlyName, "Downloads-Defense-Measures", StringComparison.OrdinalIgnoreCase)) + { + isFound = true; + break; + } + } + + // If the Downloads-Defense-Measures is not deployed + if (!isFound) + { + + IntPtr pathPtr = IntPtr.Zero; + + string? downloadsPath = null; + + try + { + // Get the System Downloads folder path + int result = SHGetKnownFolderPath(ref FolderDownloads, 0, IntPtr.Zero, out pathPtr); + + if (result is 0) // S_OK + { + downloadsPath = Marshal.PtrToStringUni(pathPtr); + + if (string.IsNullOrWhiteSpace(downloadsPath)) + { + Logger.LogMessage("The downloads folder path was empty, exiting.", LogTypeIntel.Error); + return; + } + + Logger.LogMessage($"Downloads folder path: {downloadsPath}", LogTypeIntel.Information); + } + else + { + Logger.LogMessage("Failed to retrieve Downloads folder path.", LogTypeIntel.Error); + return; + } + } + finally + { + if (pathPtr != IntPtr.Zero) + { + Marshal.FreeCoTaskMem(pathPtr); // Free memory allocated by SHGetKnownFolderPath + } + } + + string pathToUse = downloadsPath + @"\" + '*'; + + XmlDocument doc = new(); + doc.Load(XMLPath); + + XmlNamespaceManager nsmgr = new(doc.NameTable); + nsmgr.AddNamespace("sip", "urn:schemas-microsoft-com:sipolicy"); + + // Find all 'FileRules/Allow' or 'FileRules/Deny' elements + XmlNodeList fileRules = doc.SelectNodes("//sip:FileRules/*[@FilePath]", nsmgr)!; + + foreach (XmlNode node in fileRules) + { + XmlAttribute filePathAttr = node.Attributes!["FilePath"]!; + if (string.Equals(filePathAttr.Value, "To-Be-Detected", StringComparison.OrdinalIgnoreCase)) + { + filePathAttr.Value = pathToUse; + } + } + + // Save the modified XML to the working directory so we don't modify the module's files + 
doc.Save(XMLPathToDeploy); + + PolicyToCIPConverter.Convert(XMLPathToDeploy, CIPPath); + CiToolHelper.UpdatePolicy(CIPPath); + } + else + { + Logger.LogMessage("The Downloads-Defense-Measures policy is already deployed", LogTypeIntel.Information); + } + } } diff --git a/Harden-Windows-Security Module/Main files/C#/Protect Methods/TLSSecurity.cs b/Harden-Windows-Security Module/Main files/C#/Protect Methods/TLSSecurity.cs index 922d6d3f8..ebcd4cc0b 100644 --- a/Harden-Windows-Security Module/Main files/C#/Protect Methods/TLSSecurity.cs +++ b/Harden-Windows-Security Module/Main files/C#/Protect Methods/TLSSecurity.cs @@ -4,7 +4,7 @@ namespace HardenWindowsSecurity; -public static class TLSSecurity +public static partial class TLSSecurity { public static void Invoke() { @@ -55,16 +55,7 @@ public static void Invoke() Logger.LogMessage("Applying the TLS Security Group Policies", LogTypeIntel.Information); - // If BattleNet client is installed, use the policy that has the necessary, albeit insecure, cipher suite (TLS_RSA_WITH_AES_256_CBC_SHA) so that the client will be able to connect to the servers - if (File.Exists(@"C:\Program Files (x86)\Battle.net\Battle.net.exe") || File.Exists(@"C:\Program Files (x86)\Battle.net\Battle.net Launcher.exe")) - { - Logger.LogMessage("BattleNet client detected, will add the necessary cipher suite 'TLS_RSA_WITH_AES_256_CBC_SHA'", LogTypeIntel.Information); + LGPORunner.RunLGPOCommand(Path.Combine(GlobalVars.path, "Resources", "Security-Baselines-X", "TLS Security", "registry.pol"), LGPORunner.FileType.POL); - LGPORunner.RunLGPOCommand(Path.Combine(GlobalVars.path, "Resources", "Security-Baselines-X", "TLS Security", "For BattleNetClient", "registry.pol"), LGPORunner.FileType.POL); - } - else - { - LGPORunner.RunLGPOCommand(Path.Combine(GlobalVars.path, "Resources", "Security-Baselines-X", "TLS Security", "registry.pol"), LGPORunner.FileType.POL); - } } } 
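Review bot: The placeholder substitution loop in `Invoke` never records whether any `FilePath="To-Be-Detected"` attribute was actually found, so if the shipped XML is edited or the placeholder renamed, the policy is converted and deployed with no rule covering the Downloads folder while the run still reports success. Counting the replacements (`int replaced = 0;` before the loop, `replaced++;` inside the `if`, and `if (replaced == 0) { throw new InvalidOperationException("No FilePath placeholder found in the Downloads-Defense-Measures policy"); }` before `doc.Save`) turns that silent gap into a visible failure. Separately, `throw new ArgumentNullException("GlobalVars.path cannot be null.")` passes the message as the parameter name, yielding "Value cannot be null. (Parameter 'GlobalVars.path cannot be null.')"; since this is module state rather than a caller argument, `throw new InvalidOperationException("GlobalVars.path cannot be null.");` fits better, and the same line appears in the new `TLSSecurity_BattleNetClient.cs`. `SHGetKnownFolderPath` is called with `hToken = IntPtr.Zero`, so the deny rule is built for the Downloads folder of the account running the module; if the module is run under a different account than the one being protected the rule lands on the wrong folder, and a comment stating that assumption at the call would help.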
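Review bot: With the Battle.net detection removed from `Invoke`, nothing at the remaining `LGPORunner.RunLGPOCommand` call records that the weaker `TLS_RSA_WITH_AES_256_CBC_SHA` variant has moved to an opt-in path, which makes it easy for a later change to reintroduce the automatic fallback. A comment above the call would preserve the intent: `// Deliberately applies only the strict cipher-suite policy; the Battle.net-compatible variant is opt-in via TLSSecurity_BattleNetClient()`. Presumably both `registry.pol` files set the same cipher-suite values, so the opt-in method only takes effect if it runs after this one — worth stating in the same comment if that is the case. `Invoke`'s body starts outside the hunk.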
diff --git a/Harden-Windows-Security Module/Main files/C#/Protect Methods/TLSSecurity_BattleNetClient.cs b/Harden-Windows-Security Module/Main files/C#/Protect Methods/TLSSecurity_BattleNetClient.cs
new file mode 100644
index 000000000..61a84fc2c
--- /dev/null
+++ b/Harden-Windows-Security Module/Main files/C#/Protect Methods/TLSSecurity_BattleNetClient.cs
@@ -0,0 +1,25 @@
+using System;
+using System.IO;
+
+namespace HardenWindowsSecurity;
+
+public static partial class TLSSecurity
+{
+ ///
+ /// This method only applies (TLS_RSA_WITH_AES_256_CBC_SHA) cipher suite for the BattleNet Client
+ ///
+ ///
+ public static void TLSSecurity_BattleNetClient()
+ {
+
+ if (GlobalVars.path is null)
+ {
+ throw new ArgumentNullException("GlobalVars.path cannot be null.");
+ }
+
+ Logger.LogMessage("Adding (TLS_RSA_WITH_AES_256_CBC_SHA) cipher suite for the BattleNet Client", LogTypeIntel.Information);
+
+ LGPORunner.RunLGPOCommand(Path.Combine(GlobalVars.path, "Resources", "Security-Baselines-X", "TLS Security", "For BattleNetClient", "registry.pol"), LGPORunner.FileType.POL);
+ }
+
+}
diff --git a/Harden-Windows-Security Module/Main files/C#/Types/CiPolicyInfo.cs b/Harden-Windows-Security Module/Main files/C#/Types/CiPolicyInfo.cs
deleted file mode 100644
index 2b0b2dd6f..000000000
--- a/Harden-Windows-Security Module/Main files/C#/Types/CiPolicyInfo.cs
+++ /dev/null
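Review bot: The summary on `TLSSecurity_BattleNetClient` says what it adds but not what the trade-off is or when it must run, so someone enabling the subcategory has no hint that it relaxes the TLS baseline that `Invoke()` just applied. Presumably both methods write the same cipher-suite policy values through their `registry.pol` files, so this one only takes effect if it runs after `Invoke()`; if so, the summary should say `Must run after Invoke(); re-adds TLS_RSA_WITH_AES_256_CBC_SHA (RSA key exchange, no forward secrecy, CBC mode) only because the Battle.net client requires it`. The `ArgumentNullException` usage here has the same problem noted on `DownloadsDefenseMeasures.Invoke` above.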
@@ -1,22 +0,0 @@
-using System;
-using System.Collections.Generic;
-
-namespace HardenWindowsSecurity;
-
-///
-/// Class to represent a policy with various attributes
-///
-public sealed class CiPolicyInfo
-{
- public string? PolicyID { get; set; } // Unique identifier for the policy
- public string? BasePolicyID { get; set; } // Identifier for the base policy
- public string? FriendlyName { get; set; } // Human-readable name of the policy
- public Version? Version { get; set; } // Version object representing the policy version
- public string? VersionString { get; set; } // Original version string from the policy data
- public bool IsSystemPolicy { get; set; } // Indicates if it's a system policy
- public bool IsSignedPolicy { get; set; } // Indicates if the policy is signed
- public bool IsOnDisk { get; set; } // Indicates if the policy is present on disk
- public bool IsEnforced { get; set; } // Indicates if the policy is enforced
- public bool IsAuthorized { get; set; } // Indicates if the policy is authorized
- internal List? PolicyOptions { get; set; }// List of options or settings related to the policy
-}
diff --git a/Harden-Windows-Security Module/Main files/C#/Unprotect Methods/UnprotectWindowsSecurity.cs b/Harden-Windows-Security Module/Main files/C#/Unprotect Methods/UnprotectWindowsSecurity.cs
index ed131e54c..f45f28b15 100644
--- a/Harden-Windows-Security Module/Main files/C#/Unprotect Methods/UnprotectWindowsSecurity.cs
+++ b/Harden-Windows-Security Module/Main files/C#/Unprotect Methods/UnprotectWindowsSecurity.cs
@@ -233,7 +233,7 @@ public static void RemoveExploitMitigations() public static void RemoveAppControlPolicies(bool DownloadsDefenseMeasures, bool DangerousScriptHostsBlocking) { // Run the CiTool and retrieve a list of base policies - List policies = CiToolRunner.RunCiTool(CiToolRunner.Options, SystemPolicies: false, BasePolicies: true, SupplementalPolicies: false); + List policies = CiToolHelper.GetPolicies(SystemPolicies: false, BasePolicies: true, SupplementalPolicies: false); if (DownloadsDefenseMeasures) { @@ -247,7 +247,7 @@ public static void RemoveAppControlPolicies(bool DownloadsDefenseMeasures, bool Logger.LogMessage("Removing the Downloads-Defense-Measures AppControl policy", LogTypeIntel.Information); // remove the policy - CiToolRunner.RemovePolicy(item.PolicyID!); + CiToolHelper.RemovePolicy(item.PolicyID!); } } } @@ -263,7 +263,7 @@ public static void RemoveAppControlPolicies(bool DownloadsDefenseMeasures, bool Logger.LogMessage("Removing the Dangerous-Script-Hosts-Blocking AppControl policy", LogTypeIntel.Information); // remove the policy - CiToolRunner.RemovePolicy(item.PolicyID!); + CiToolHelper.RemovePolicy(item.PolicyID!); } } } diff --git a/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psd1 b/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psd1 index c7f4da7bf..c2312966c 100644 --- a/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psd1 +++ b/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psd1 @@ -2,7 +2,7 @@ # https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_module_manifests RootModule = 'Harden-Windows-Security-Module.psm1' - ModuleVersion = '0.7.0' + ModuleVersion = '0.7.1' CompatiblePSEditions = @('Core') GUID = 'afae7a0a-5eff-4a4d-9139-e1702b7ac426' Author = 'Violet Hansen' 
diff --git a/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psm1 b/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psm1 index 35a793d19..dba9c6885 100644 --- a/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psm1 +++ b/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psm1 @@ -94,7 +94,7 @@ $ToastNotificationDLLs.Add([System.IO.Path]::Combine($PSScriptRoot, 'DLLs', 'Toa # Load all of the C# codes # for some reason it tries to use another version of the WindowsBase.dll unless i define its path explicitly like this # https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/ -Add-Type -Path ([System.IO.Directory]::GetFiles("$PSScriptRoot\C#", '*.*', [System.IO.SearchOption]::AllDirectories)) -ReferencedAssemblies @((Get-Content -Path "$PSScriptRoot\.NETAssembliesToLoad.txt") + "$($PSHOME)\WindowsBase.dll" + $ToastNotificationDLLs) -CompilerOptions '/langversion:preview', '/nowarn:1701', '/nullable:enable', '/checked' , '/optimize+' +Add-Type -Path ([System.IO.Directory]::GetFiles("$PSScriptRoot\C#", '*.*', [System.IO.SearchOption]::AllDirectories)) -ReferencedAssemblies @((Get-Content -Path "$PSScriptRoot\.NETAssembliesToLoad.txt") + "$($PSHOME)\WindowsBase.dll" + $ToastNotificationDLLs) -CompilerOptions '/langversion:preview', '/nowarn:1701', '/nullable:enable', '/checked' try { # when we use the -ReferencedAssemblies parameter of Add-Type, The DLLs are only added and made available to the C# compilation, not the PowerShell host itself diff --git a/Harden-Windows-Security Module/Main files/Resources/Dangerous-Script-Hosts-Blocking.xml b/Harden-Windows-Security Module/Main files/Resources/Dangerous-Script-Hosts-Blocking.xml index ef4f22e4f..789f86dd9 100644 --- a/Harden-Windows-Security Module/Main files/Resources/Dangerous-Script-Hosts-Blocking.xml +++ b/Harden-Windows-Security Module/Main files/Resources/Dangerous-Script-Hosts-Blocking.xml 
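Review bot: `/optimize+` is dropped from the `-CompilerOptions` list of the `Add-Type` call without a comment, so the next reader cannot tell whether this is a deliberate trade (for example for more diagnosable stack traces from the compiled C#) or an accidental edit while touching the line. A one-line comment above the call, `# /optimize+ intentionally omitted: <reason>`, would settle that. The rest of the line is unchanged.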
@@ -31,9 +31,7 @@ - - @@ -41,7 +39,6 @@ - @@ -51,16 +48,15 @@ - - + - + @@ -79,16 +75,6 @@ {9F0581B7-7E1D-4FDD-8D33-6DBE847D3130} {9F0581B7-7E1D-4FDD-8D33-6DBE847D3130} - - - true - - - - - 022422 - - Dangerous-Script-Hosts-Blocking diff --git a/Harden-Windows-Security Module/Main files/Resources/Downloads-Defense-Measures.xml b/Harden-Windows-Security Module/Main files/Resources/Downloads-Defense-Measures.xml new file mode 100644 index 000000000..b98c0343a --- /dev/null +++ b/Harden-Windows-Security Module/Main files/Resources/Downloads-Defense-Measures.xml @@ -0,0 +1,70 @@ + + + 1.0.0.0 + {2E07F7E4-194C-4D20-B7C9-6F44A6C5A234} + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 2 + {98FC8E9B-A6B1-431C-B2BE-EB23A86B5DE5} + {98FC8E9B-A6B1-431C-B2BE-EB23A86B5DE5} + + + + Downloads-Defense-Measures + + + + \ No newline at end of file diff --git a/Harden-Windows-Security Module/Main files/Resources/MDMResultClasses.csv b/Harden-Windows-Security Module/Main files/Resources/MDMResultClasses.csv index 38e296ec3..e10dd797b 100644 --- a/Harden-Windows-Security Module/Main files/Resources/MDMResultClasses.csv +++ b/Harden-Windows-Security Module/Main files/Resources/MDMResultClasses.csv 
@@ -1,128 +1,128 @@
 NameSpace,Class,Authorized,Comment
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_AboveLock02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Accounts02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_ActiveXControls02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_ApplicationDefaults02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_ApplicationManagement02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_AppRuntime02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_AppVirtualization02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Audit02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Authentication02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Autoplay02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Bitlocker02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_BITS02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Bluetooth02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Browser02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Camera02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Cellular02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Connectivity02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_ControlPolicyConflict02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_CredentialProviders02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_CredentialsDelegation02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_CredentialsUI02,TRUE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_AboveLock02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Accounts02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_ActiveXControls02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_ApplicationDefaults02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_ApplicationManagement02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_AppRuntime02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_AppVirtualization02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Audit02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Authentication02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Autoplay02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Bitlocker02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_BITS02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Bluetooth02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Browser02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Camera02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Cellular02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Connectivity02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_ControlPolicyConflict02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_CredentialProviders02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_CredentialsDelegation02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_CredentialsUI02,FALSE,
 root\cimv2\mdm\dmmap,MDM_Policy_Result01_Cryptography02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_DataProtection02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_DataUsage02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Defender02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_DeliveryOptimization02,TRUE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_DataProtection02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_DataUsage02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Defender02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_DeliveryOptimization02,FALSE,
 root\cimv2\mdm\dmmap,MDM_Policy_Result01_DeviceGuard02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_DeviceHealthMonitoring02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_DeviceInstallation02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_DeviceLock02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Display02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_DisplayEnhancement02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_DmaGuard02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Eap02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_ErrorReporting02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_EventLogService02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Experience02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_ExploitGuard02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Feeds02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_FileExplorer02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Games02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Handwriting02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_HumanPresence02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_InternetExplorer02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Kerberos02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_KioskBrowser02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_LanmanWorkstation02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Licensing02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_LocalPoliciesSecurityOptions02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_LocalUsersAndGroups02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_LockDown02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Maps02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_MemoryDump02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Messaging02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_MixedReality02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_MSSecurityGuide02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_MSSLegacy02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_NetworkIsolation02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_NetworkListManager02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_NewsAndInterests02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Notifications02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Power02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Printers02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Privacy02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_RemoteAssistance02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_RemoteDesktop02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_RemoteDesktopServices02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_RemoteManagement02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_RemoteProcedureCall02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_RemoteShell02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_RestrictedGroups02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Search02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Security02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_ServiceControlManager02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Settings02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_SmartScreen02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Speech02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Start02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Storage02,TRUE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_DeviceHealthMonitoring02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_DeviceInstallation02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_DeviceLock02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Display02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_DisplayEnhancement02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_DmaGuard02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Eap02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_ErrorReporting02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_EventLogService02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Experience02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_ExploitGuard02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Feeds02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_FileExplorer02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Games02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Handwriting02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_HumanPresence02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_InternetExplorer02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Kerberos02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_KioskBrowser02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_LanmanWorkstation02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Licensing02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_LocalPoliciesSecurityOptions02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_LocalUsersAndGroups02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_LockDown02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Maps02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_MemoryDump02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Messaging02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_MixedReality02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_MSSecurityGuide02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_MSSLegacy02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_NetworkIsolation02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_NetworkListManager02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_NewsAndInterests02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Notifications02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Power02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Printers02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Privacy02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_RemoteAssistance02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_RemoteDesktop02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_RemoteDesktopServices02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_RemoteManagement02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_RemoteProcedureCall02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_RemoteShell02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_RestrictedGroups02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Search02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Security02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_ServiceControlManager02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Settings02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_SmartScreen02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Speech02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Start02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Storage02,FALSE,
 root\cimv2\mdm\dmmap,MDM_Policy_Result01_System02,FALSE,This class only outputs accurate info when queried with SYSTEM privileges
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_TaskManager02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_TaskScheduler02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_TenantRestrictions02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_TextInput02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Theme02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_TimeLanguageSettings02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Troubleshooting02,TRUE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_TaskManager02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_TaskScheduler02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_TenantRestrictions02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_TextInput02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Theme02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_TimeLanguageSettings02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Troubleshooting02,FALSE,
 root\cimv2\mdm\dmmap,MDM_Policy_Result01_Update02,FALSE,This class only outputs accurate info when queried with SYSTEM privileges
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_UserModel02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_UserRights02,TRUE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_UserModel02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_UserRights02,FALSE,
 root\cimv2\mdm\dmmap,MDM_Policy_Result01_VirtualizationBasedTechnology02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Wifi02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_WindowsAutopilot02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_WindowsConnectionManager02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_WindowsDefenderSecurityCenter02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_WindowsInkWorkspace02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_WindowsLogon02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_WindowsPowerShell02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_WindowsSandbox02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_WirelessDisplay02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_ApplicationManagement02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_AttachmentManager02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Authentication02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Browser02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_CredentialsUI02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Desktop02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Display02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Education02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_EnterpriseCloudPrint02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Experience02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_FileExplorer02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_InternetExplorer02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Multitasking02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Notifications02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Printers02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Privacy02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_RemoteDesktop02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Security02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Settings02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Start02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Storage02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_System02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_TimeLanguageSettings02,TRUE,
-ROOT\Microsoft\Windows\DeviceGuard,Win32_DeviceGuard,TRUE,
-ROOT\Microsoft\SecurityClient,Win32_ProviderEx,TRUE,
-ROOT\Microsoft\SecurityClient,ProtectionTechnologyStatus,TRUE,
-ROOT\Microsoft\HomeNet,HNet_FwIcmpSettings,TRUE,
\ No newline at end of file
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Wifi02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_WindowsAutopilot02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_WindowsConnectionManager02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_WindowsDefenderSecurityCenter02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_WindowsInkWorkspace02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_WindowsLogon02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_WindowsPowerShell02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_WindowsSandbox02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_WirelessDisplay02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_ApplicationManagement02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_AttachmentManager02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Authentication02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Browser02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_CredentialsUI02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Desktop02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Display02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Education02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_EnterpriseCloudPrint02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Experience02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_FileExplorer02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_InternetExplorer02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Multitasking02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Notifications02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Printers02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Privacy02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_RemoteDesktop02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Security02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Settings02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Start02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Storage02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_System02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_TimeLanguageSettings02,FALSE,
+ROOT\Microsoft\Windows\DeviceGuard,Win32_DeviceGuard,FALSE,
+ROOT\Microsoft\SecurityClient,Win32_ProviderEx,FALSE,
+ROOT\Microsoft\SecurityClient,ProtectionTechnologyStatus,FALSE,
+ROOT\Microsoft\HomeNet,HNet_FwIcmpSettings,FALSE,
\ No newline at end of file
diff --git a/Harden-Windows-Security Module/Main files/Resources/Registry resources.csv b/Harden-Windows-Security Module/Main files/Resources/Registry resources.csv
index fb3ec3e6c..9a45dffa9 100644
--- a/Harden-Windows-Security Module/Main files/Resources/Registry resources.csv
+++ b/Harden-Windows-Security Module/Main files/Resources/Registry resources.csv
@@ -1,165 +1,165 @@
-Origin,Category,Hive,Key,Name,FriendlyName,Type,Value,ValueIsList,CSPLink
-GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WTDS\Components,ServiceEnabled,Enhanced Phishing Protection,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-webthreatdefense#serviceenabled
-GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WTDS\Components,NotifyUnsafeApp,Enhanced Phishing Protection: Notify Unsafe App,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-webthreatdefense#notifyunsafeapp
-GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WTDS\Components,NotifyPasswordReuse,Enhanced Phishing Protection: Notify Password Reuse,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-webthreatdefense#notifypasswordreuse
-GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WTDS\Components,NotifyMalicious,Enhanced Phishing Protection: Notify Malicious,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-webthreatdefense#notifymalicious
-GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WTDS\Components,CaptureThreatWindow,Enhanced Phishing Protection: Capture Threat Window,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-webthreatdefense#automaticdatacollection
-GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Quarantine,PurgeItemsAfterDelay,Purge Items After Delay,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#quarantine_purgeitemsafterdelay
-GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Real-Time Protection,IOAVMaxSize,Maximum size of downloaded 
files and attachments to be scanned,DWORD,10000000,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#realtimeprotection_ioavmaxsize
-GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Scan,DisableScanningMappedNetworkDrivesForFullScan,Scanning Mapped Network Drives For Full Scan,DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#allowfullscanonmappednetworkdrives
-GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Scan,DisableScanningNetworkFiles,Scanning Network Files,DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#allowscanningnetworkfiles
-GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Scan,DisableRemovableDriveScanning,Removable Drive Scanning,DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#allowfullscanremovabledrivescanning
-GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Scan,DisableReparsePointScanning,Reparse Point Scanning,DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#scan_disablereparsepointscanning
-GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Scan,ArchiveMaxDepth,Maximum depth to scan archive files,DWORD,"4294967295,2147483647",true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#scan_archivemaxdepth
-GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Signature Updates,UpdateOnStartUp,Check for the latest virus and spyware security intelligence on 
startup,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#signatureupdate_updateonstartup
-GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Signature Updates,AVSignatureDue,Define the number of days before virus security intelligence is considered out of date,DWORD,2,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#signatureupdate_avsignaturedue
-GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Signature Updates,ASSignatureDue,Define the number of days before spyware security intelligence is considered out of date,DWORD,2,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#signatureupdate_assignaturedue
-GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Spynet,DisableBlockAtFirstSeen,Block At First Sight,DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#disableblockatfirstseen
-GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,Optional Diagnostic Data Required for Smart App Control etc.,DWORD,3,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#allowtelemetry
-GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\DataCollection,DisableTelemetryOptInSettingsUx,Configure diagnostic data opt-in settings user interface,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#configuretelemetryoptinsettingsux
-GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction,5,Severe Threat level default action = 
Remove,String,3,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#threatseveritydefaultaction
-GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction,4,High Threat level default action = Remove,String,3,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#threatseveritydefaultaction
-GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction,2,Moderate Threat level default action = Quarantine,String,2,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#threatseveritydefaultaction
-GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction,1,Low Threat level default action = Quarantine,String,2,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#threatseveritydefaultaction
-GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,DisallowStandardUserPINReset,Disallow Standard User PIN Reset,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesdisallowstandarduserscanchangepin
-GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,UseAdvancedStartup,Require additional authentication at startup,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesrequirestartupauthentication
-GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,EnableBDEWithNoTPM,Don't allow Bitlocker without TPM,DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesrequirestartupauthentication
-GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,UseTPM,Don't Allow using TPM 
alone,DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesrequirestartupauthentication
-GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,UseTPMPIN,Allow using TPM + PIN,DWORD,2,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesrequirestartupauthentication
-GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,UseTPMKey,Allow using TPM + key,DWORD,2,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesrequirestartupauthentication
-GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,UseTPMKeyPIN,Allow using TPM + Startup Key + PIN,DWORD,2,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesrequirestartupauthentication
-GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,EncryptionMethodWithXtsOs,Correct Encryption method for OS drive,DWORD,7,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#encryptionmethodbydrivetype
-GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,EncryptionMethodWithXtsFdv,Correct Encryption method for fixed data drives,DWORD,7,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#encryptionmethodbydrivetype
-GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,EncryptionMethodWithXtsRdv,Correct Encryption method for removable drives,DWORD,7,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#encryptionmethodbydrivetype
-GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,UseEnhancedPin,Use Enhanced PIN,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesenhancedpin
-GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,OSEncryptionType,Full disk encryption for OS drive,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesencryptiontype
-GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,RDVEncryptionType,Full disk encryption for removable drives,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#removabledrivesencryptiontype
-GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,RDVDiscoveryVolumeType,Prevent access to BitLocker-protected removable data drives from earlier versions of Windows,String,,false,
-GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,RDVNoBitLockerToGoReader,Do not install BitLocker To Go Reader on FAT formatted removable drives,DWORD,0,false,
-GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,MinimumPIN,Configure minimum PIN length for startup,DWORD,10,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesminimumpinlength
-GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,ACSettingIndex,Disallow standby states (S1-S3) when sleeping (plugged in),DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-power#allowstandbywhensleepingpluggedin
-GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,DCSettingIndex,Disallow standby states (S1-S3) when sleeping (on battery),DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-power#allowstandbystateswhensleepingonbattery
-GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\Explorer,ShowHibernateOption,Show Hibernate 
Option,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-windowsexplorer#showhibernateoption
-GroupPolicy,TLSSecurity,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002,Functions,Configure the correct TLS Cipher Suites,String,"TLS_CHACHA20_POLY1305_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#tlsciphersuites
-RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client,DisabledByDefault,Disable TLS 1.0 client - Disabled By Default,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionclient
-RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client,Enabled,Disable TLS 1.0 client - Enabled,DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionclient
-RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server,DisabledByDefault,Disable TLS 1.0 server - Disabled By Default,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionserver
-RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server,Enabled,Disable TLS 1.0 server - 
Enabled,DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionserver
-RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client,DisabledByDefault,Disable TLS 1.1 client - Disabled By Default,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionclient
-RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client,Enabled,Disable TLS 1.1 client - Enabled,DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionclient
-RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server,DisabledByDefault,Disable TLS 1.1 server - Disabled By Default,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionserver
-RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server,Enabled,Disable TLS 1.1 server - Enabled,DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionserver
-RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL\,Enabled,Disable NULL Cipher Suite,DWORD,0,false,
-RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56,Enabled,Disable 56/56 Cipher Suite,DWORD,0,false,
-RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128,Enabled,Disable 40/128 Cipher Suite,DWORD,0,false,
-RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128,Enabled,Disable RC2 56/128 Cipher Suite,DWORD,0,false,
-RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128,Enabled,Disable RC2 128/128 Cipher Suite,DWORD,0,false,
-RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128,Enabled,Disable RC4 40/128 Cipher Suite,DWORD,0,false,
-RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128,Enabled,Disable RC4 56/128 Cipher Suite,DWORD,0,false,
-RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128,Enabled,Disable RC4 64/128 Cipher Suite,DWORD,0,false,
-RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128,Enabled,Disable RC4 128/128 Cipher Suite,DWORD,0,false,
-RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168,Enabled,Disable Triple DES 168 Cipher Suite,DWORD,0,false,
-RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5,Enabled,Disable MD5 Hashing Algorithm,DWORD,0,false,
-GroupPolicy,LockScreen,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\PassportForWork\PINComplexity,Digits,Require digits in Windows Hello PIN,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexitydigits
-GroupPolicy,LockScreen,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\PassportForWork\PINComplexity,LowercaseLetters,Require lower case letters in Windows Hello 
PIN,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexitylowercaseletters
-GroupPolicy,LockScreen,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\PassportForWork\PINComplexity,Expiration,Set Expiration for Windows Hello PIN,DWORD,180,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexityexpiration
-GroupPolicy,LockScreen,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\PassportForWork\PINComplexity,History,Save history of Windows Hello PIN,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexityhistory
-GroupPolicy,LockScreen,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\System,DontDisplayNetworkSelectionUI,Don't Display Network Selection UI on lock screen,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowslogon#dontdisplaynetworkselectionui
-GroupPolicy,UserAccountControl,HKEY_LOCAL_MACHINE,Software\Microsoft\Windows\CurrentVersion\Policies\System,HideFastUserSwitching,Hide Fast User Switching entry points,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowslogon#hidefastuserswitching
-GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,Enable Virtualization Based Security,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard?WT.mc_id=Portal-fx#enablevirtualizationbasedsecurity
-GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,Require Platform Security Features,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard?WT.mc_id=Portal-fx#requireplatformsecurityfeatures
-GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,Hypervisor Enforced Code Integrity - UEFI Lock,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-VirtualizationBasedTechnology?WT.mc_id=Portal-fx#hypervisorenforcedcodeintegrity
-GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HVCIMATRequired,Require HVCI MAT (Memory Attribute Table),DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-VirtualizationBasedTechnology?WT.mc_id=Portal-fx#requireuefimemoryattributestable
-GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,Credential Guard Configuration - UEFI Lock,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard?WT.mc_id=Portal-fx#lsacfgflags
-GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,ConfigureSystemGuardLaunch,System Guard Launch,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard?WT.mc_id=Portal-fx#configuresystemguardlaunch
-GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,ConfigureKernelShadowStacksLaunch,Configure Kernel Shadow Stacks Launch,DWORD,1,false,
-GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\Lsa,RunAsPPL,Enable Local Security Authority (LSA) process Protection with UEFI Lock,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-lsa#configurelsaprotectedprocess
-GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,MachineIdentityIsolation,Configure Machine Identity Isolation Configuration,DWORD,2,false,
-RegistryKeys,DeviceGuard,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\DeviceGuard,Mandatory,Enable VBS and Memory 
Integrity in Mandatory Mode,DWORD,1,false,https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity?tabs=reg
-GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,EnableFirewall,Enable Windows Firewall for Domain profile,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofileenablefirewall
-GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultOutboundAction,Set Default Outbound Action for Domain profile,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofiledefaultoutboundaction
-GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultInboundAction,Set Default Inbound Action for Domain profile,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofiledefaultinboundaction
-GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DoNotAllowExceptions,Block all Domain profile connections,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofileshielded
-GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogFilePath,Configure Log file path for domain profile,String,%systemroot%\system32\logfiles\firewall\domainfirewall.log,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofilelogfilepath
-GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogFileSize,Configure Log file size for domain 
profile,DWORD,32767,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofilelogmaxfilesize
-GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogDroppedPackets,Log blocked connections for domain profile,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofileenablelogdroppedpackets
-GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogSuccessfulConnections,Log successful connections for domain profile,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofileenablelogsuccessconnections
-GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,EnableFirewall,Enable Windows Firewall for Private profile,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoreprivateprofileenablefirewall
-GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DisableNotifications,Display notifications for Private profile,DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoreprivateprofiledisableinboundnotifications
-GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogFileSize,Configure Log file size for Private profile,DWORD,32767,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoreprivateprofilelogmaxfilesize
-GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogDroppedPackets,Log blocked connections for Private profile,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoreprivateprofileenablelogdroppedpackets
-GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogFilePath,Configure Log file path for Private profile,String,%systemroot%\system32\logfiles\firewall\privatefirewall.log,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoreprivateprofilelogfilepath
-GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,EnableFirewall,Enable Windows Firewall for Public profile,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstorepublicprofileenablefirewall
-GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DisableNotifications,Display notifications for Public profile,DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstorepublicprofiledisableinboundnotifications
-GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogFileSize,Configure Log file size for Public profile,DWORD,32767,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstorepublicprofilelogmaxfilesize
-GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogDroppedPackets,Log blocked connections for Public profile,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstorepublicprofileenablelogdroppedpackets
-GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogFilePath,Configure Log file path for Public profile,String,%systemroot%\system32\logfiles\firewall\publicfirewall.log,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstorepublicprofilelogfilepath
-GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows NT\DNSClient,EnableNetbios,Disable Netbios,DWORD,0,false,
-GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows NT\DNSClient,DisableSmartNameResolution,Disable Smart Name Resolution,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-dnsclient#dns_smartmultihomednameresolution
-GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows NT\DNSClient,EnableMulticast,Disable Multicast,DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-dnsclient#turn_off_multicast
-GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows NT\Printers,DisableHTTPPrinting,Disable HTTP Printing,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-connectivity?WT.mc_id=Portal-fx#diableprintingoverhttp
-GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows NT\Printers,DisableWebPnPDownload,Disable Web PnP Download,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-icm#disablewebpnpdownload_1
-RegistryKeys,WindowsNetworking,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Services\NetBT\Parameters,EnableLMHOSTS,Disable LMHOSTS lookup protocol on all network adapters,DWORD,0,false,
-GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanServer,EnableSMBQUIC,Enable SMB Server Over QUIC,DWORD,1,false,
-GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanWorkstation,EnableSMBQUIC,Enable SMB Client Over QUIC,DWORD,1,false,
-GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanServer,CipherSuiteOrder,SMB Server Cipher Suite 
Order,MULTI_STRING,"AES_256_GCM,AES_256_CCM,AES_128_GCM,AES_128_CCM",false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-lanmanserver#pol_ciphersuiteorder
-GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanWorkstation,CipherSuiteOrder,SMB Client Cipher Suite Order,MULTI_STRING,"AES_256_GCM,AES_256_CCM,AES_128_GCM,AES_128_CCM",false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-lanmanworkstation#pol_ciphersuiteorder
-GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanServer,MinSmb2Dialect,Sets the minimum SMB server version,DWORD,785,false,
-GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanWorkstation,MinSmb2Dialect,Sets the minimum SMB client version,DWORD,785,false,
-GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanWorkstation,BlockNTLM,Blocks NTLM for SMB,DWORD,1,false,
-GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanWorkstation,RequireEncryption,Requires encryption for SMB client,DWORD,1,false,
-RegistryKeys,WindowsNetworking,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,EncryptData,Enable SMB Server Encryption,DWORD,1,false,
-GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,Include command line in process creation events,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-auditsettings#includecmdline
-GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LocationAndSensors,DisableLocation,Disable Location,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-System?WT.mc_id=Portal-fx#allowlocation
-GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LocationAndSensors,DisableLocationScripting,Disable Location Scripting,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-sensors#disablelocationscripting_2
-GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LocationAndSensors,DisableWindowsLocationProvider,Disable Windows Location Provider,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-locationprovideradm#disablewindowslocationprovider_1
-GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows NT\Rpc,EnableAuthEpResolution,Enable RPC Endpoint Mapper Client Authentication,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-remoteprocedurecall#rpcendpointmapperclientauthentication
-GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,System\CurrentControlSet\Control\SCMConfig,EnableSvchostMitigationPolicy,Enable Svchost Mitigation,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-servicecontrolmanager#svchostprocessmitigation
-GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,System\CurrentControlSet\Policies\EarlyLaunch,DriverLoadPolicy,Boot-Start Driver Initialization Policy set to Good only,DWORD,8,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#bootstartdriverinitialization
-RegistryKeys,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows Search,EnableFindMyFiles,Enable enhanced search in Window,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#allowfindmyfiles
-RegistryKeys,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062},allowautoupdatesmetered,Set 
Microsoft Edge (Stable) to update over Metered connections,DWORD,1,false,
-RegistryKeys,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{2CD8A007-E189-409D-A2C8-9AF4EF3C72AA},allowautoupdatesmetered,Set Microsoft Edge (Beta) to update over Metered connections,DWORD,1,false,
-RegistryKeys,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{0D50BFEC-CD6A-4F9A-964C-C7416E3ACB10},allowautoupdatesmetered,Set Microsoft Edge (Dev) to update over Metered connections,DWORD,1,false,
-RegistryKeys,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Microsoft\Cryptography\Wintrust\Config,EnableCertPaddingCheck,WinVerifyTrust Signature Validation part 1,String,1,false,
-RegistryKeys,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config,EnableCertPaddingCheck,WinVerifyTrust Signature Validation part 2,String,1,false,
-GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,EnableCbacAndArmor,Request claims and compound authentication for DAC and Kerberos armoring,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-kerberos#kerberosclientsupportsclaimscompoundarmor
-GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows NT\Printers\WPP,WindowsProtectedPrintGroupPolicyState,Enable Windows Protected Print,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-printers#configurewindowsprotectedprint
-GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\FileSystem,LongPathsEnabled,Enable support for long paths,DWORD,1,false,https://learn.microsoft.com/en-us/windows/win32/fileio/maximum-file-path-limitation
-GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate,AllowAutoWindowsUpdateDownloadOverMeteredNetwork,Allow updates to be downloaded automatically over metered connections,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#allowautowindowsupdatedownloadovermeterednetwork
-GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate,AllowTemporaryEnterpriseFeatureControl,Enable features introduced via servicing that are off by default,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#allowtemporaryenterprisefeaturecontrol
-GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate,ConfigureDeadlineNoAutoRebootForFeatureUpdates,Specify the number of days before feature updates are installed on devices automatically,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#configuredeadlinenoautorebootforfeatureupdates
-GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate,ConfigureDeadlineNoAutoRebootForQualityUpdates,Specify the number of days before quality updates are installed on devices automatically,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#configuredeadlinenoautorebootforqualityupdates
-GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate,ConfigureDeadlineForQualityUpdates,Number of days before quality updates are installed on devices automatically,DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#configuredeadlineforqualityupdates
-GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate,ConfigureDeadlineGracePeriod,Number 
of grace period days before quality updates are installed on devices automatically,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiod
-GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate,ConfigureDeadlineForFeatureUpdates,Number of days before feature updates are installed on devices automatically,DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#configuredeadlineforfeatureupdates
-GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate,ConfigureDeadlineGracePeriodForFeatureUpdates,Number of grace period days before feature updates are installed on devices automatically,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiodforfeatureupdates
-GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate\AU,NoAutoUpdate,Set the computer to receive security updates and other important downloads through Windows update,DWORD,0,false,
-GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate\AU,AUOptions,Automatically download updates and install them on maintenance day,DWORD,4,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#allowautoupdate
-GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate\AU,AutomaticMaintenanceEnabled,Install updates during automatic maintenance,DWORD,1,false,
-GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate\AU,ScheduledInstallDay,Set scheduled install day to every day,DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#scheduledinstallday
-GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate\AU,ScheduledInstallTime,Set scheduled install time to any time,DWORD,24,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#scheduledinstalltime
-GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate\AU,AllowMUUpdateService,Install updates for other Microsoft products,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-Update?WT.mc_id=Portal-fx#allowmuupdateservice
-RegistryKeys,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\WindowsUpdate\UX\Settings,RestartNotificationsAllowed2,Enable restart notification for Windows update,DWORD,1,false,
-RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge\Recommended,BlockThirdPartyCookies,Block 3rd party cookies,DWORD,1,false,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
-RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge,DnsOverHttpsMode,Set Dns Over Https Mode to use system DoH settings,String,automatic,false,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
-RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge,AutomaticHttpsDefault,Automatically upgrade HTTP connections to HTTPS,DWORD,2,false,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
-RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge,EncryptedClientHelloEnabled,Enable Encrypted Client Hello,DWORD,1,false,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
-RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge,BasicAuthOverHttpEnabled,Block Basic authentication for 
HTTP,DWORD,0,false,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
-RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge,ExperimentationAndConfigurationServiceControl,Allow Edge to receive new features even after using policies,DWORD,2,false,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
-RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge,AudioSandboxEnabled,Enforces the audio process to run sandboxed,DWORD,1,false,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
-RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge\Recommended,DefaultShareAdditionalOSRegionSetting,Recommends that the share additional operating system region setting to be set to never,DWORD,2,false,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
-RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,1,Disable TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - (CBC - SHA1),String,0xc013,false,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
-RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,2,Disable TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - (CBC - SHA1),String,0xc014,false,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
-RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,3,Disable TLS_RSA_WITH_AES_256_CBC_SHA - (NO PFS - CBC - SHA1),String,0x0035,false,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
-RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,4,Disable TLS_RSA_WITH_AES_128_CBC_SHA - (NO PFS - CBC - SHA1),String,0x002f,false,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
-RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,5,Disable TLS_RSA_WITH_AES_128_GCM_SHA256 - (NO PFS),String,0x009c,false,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
-RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,6,Disable TLS_RSA_WITH_AES_256_GCM_SHA384 - (NO PFS),String,0x009d,false,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
-RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,HideFileExt,Show File extensions,DWORD,0,false,
-RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,Hidden,Show hidden files,DWORD,1,false,
-RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,Control Panel\International\User Profile,HttpAcceptLanguageOptOut,Disable websites accessing local language list,DWORD,1,false,
-RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings,SafeSearchMode,Turn off safe search in Windows search,DWORD,0,false,
-RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,Software\Microsoft\Clipboard,EnableClipboardHistory,Enable Clipboard History,DWORD,1,false,
-RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,Software\Microsoft\Input\Settings,EnableHwkbTextPrediction,Turn on Show text suggestions when typing on the physical keyboard,DWORD,1,false,
-RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,Software\Microsoft\Input\Settings,MultilingualEnabled,Turn on Multilingual text suggestions,DWORD,1,false,
-RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,Control Panel\Accessibility\StickyKeys,Flags,Turn off sticky key shortcut of pressing shift key 5 time fast,String,506,false,
-RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,Software\Microsoft\Windows\CurrentVersion\Notifications\Settings,NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK,Disables show reminders and incoming VoIP calls on the lock screen,DWORD,0,false,
\ No newline at end of file
+Origin,Category,Hive,Key,Name,FriendlyName,Type,Value,ValueIsList,Exists,CSPLink
+GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WTDS\Components,ServiceEnabled,Enhanced Phishing Protection,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-webthreatdefense#serviceenabled
+GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WTDS\Components,NotifyUnsafeApp,Enhanced Phishing Protection: Notify Unsafe App,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-webthreatdefense#notifyunsafeapp
+GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WTDS\Components,NotifyPasswordReuse,Enhanced Phishing Protection: Notify Password Reuse,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-webthreatdefense#notifypasswordreuse
+GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WTDS\Components,NotifyMalicious,Enhanced Phishing Protection: Notify Malicious,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-webthreatdefense#notifymalicious
+GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WTDS\Components,CaptureThreatWindow,Enhanced Phishing Protection: Capture Threat Window,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-webthreatdefense#automaticdatacollection
+GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Quarantine,PurgeItemsAfterDelay,Purge Items After 
Delay,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#quarantine_purgeitemsafterdelay
+GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Real-Time Protection,IOAVMaxSize,Maximum size of downloaded files and attachments to be scanned,DWORD,10000000,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#realtimeprotection_ioavmaxsize
+GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Scan,DisableScanningMappedNetworkDrivesForFullScan,Scanning Mapped Network Drives For Full Scan,DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#allowfullscanonmappednetworkdrives
+GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Scan,DisableScanningNetworkFiles,Scanning Network Files,DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#allowscanningnetworkfiles
+GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Scan,DisableRemovableDriveScanning,Removable Drive Scanning,DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#allowfullscanremovabledrivescanning
+GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Scan,DisableReparsePointScanning,Reparse Point Scanning,DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#scan_disablereparsepointscanning
+GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Scan,ArchiveMaxDepth,Maximum depth to scan archive 
files,DWORD,"4294967295,2147483647",true,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#scan_archivemaxdepth
+GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Signature Updates,UpdateOnStartUp,Check for the latest virus and spyware security intelligence on startup,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#signatureupdate_updateonstartup
+GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Signature Updates,AVSignatureDue,Define the number of days before virus security intelligence is considered out of date,DWORD,2,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#signatureupdate_avsignaturedue
+GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Signature Updates,ASSignatureDue,Define the number of days before spyware security intelligence is considered out of date,DWORD,2,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#signatureupdate_assignaturedue
+GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Spynet,DisableBlockAtFirstSeen,Block At First Sight,DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#disableblockatfirstseen
+GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,Optional Diagnostic Data Required for Smart App Control etc.,DWORD,3,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#allowtelemetry
+GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\DataCollection,DisableTelemetryOptInSettingsUx,Configure diagnostic data opt-in settings user interface,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#configuretelemetryoptinsettingsux
+GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction,5,Severe Threat level default action = Remove,String,3,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#threatseveritydefaultaction
+GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction,4,High Threat level default action = Remove,String,3,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#threatseveritydefaultaction
+GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction,2,Moderate Threat level default action = Quarantine,String,2,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#threatseveritydefaultaction
+GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction,1,Low Threat level default action = Quarantine,String,2,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#threatseveritydefaultaction
+GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,DisallowStandardUserPINReset,Disallow Standard User PIN Reset,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesdisallowstandarduserscanchangepin
+GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,UseAdvancedStartup,Require additional authentication at 
startup,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesrequirestartupauthentication
+GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,EnableBDEWithNoTPM,Don't allow Bitlocker without TPM,DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesrequirestartupauthentication
+GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,UseTPM,Don't Allow using TPM alone,DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesrequirestartupauthentication
+GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,UseTPMPIN,Allow using TPM + PIN,DWORD,2,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesrequirestartupauthentication
+GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,UseTPMKey,Allow using TPM + key,DWORD,2,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesrequirestartupauthentication
+GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,UseTPMKeyPIN,Allow using TPM + Startup Key + PIN,DWORD,2,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesrequirestartupauthentication
+GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,EncryptionMethodWithXtsOs,Correct Encryption method for OS drive,DWORD,7,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#encryptionmethodbydrivetype
+GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,EncryptionMethodWithXtsFdv,Correct Encryption method for fixed data 
drives,DWORD,7,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#encryptionmethodbydrivetype
+GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,EncryptionMethodWithXtsRdv,Correct Encryption method for removable drives,DWORD,7,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#encryptionmethodbydrivetype
+GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,UseEnhancedPin,Use Enhanced PIN,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesenhancedpin
+GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,OSEncryptionType,Full disk encryption for OS drive,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesencryptiontype
+GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,RDVEncryptionType,Full disk encryption for removable drives,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#removabledrivesencryptiontype
+GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,RDVDiscoveryVolumeType,Prevent access to BitLocker-protected removable data drives from earlier versions of Windows,String,,false,true,
+GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,RDVNoBitLockerToGoReader,Do not install BitLocker To Go Reader on FAT formatted removable drives,DWORD,0,false,true,
+GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,MinimumPIN,Configure minimum PIN length for startup,DWORD,10,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesminimumpinlength
+GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,ACSettingIndex,Disallow standby states (S1-S3) when sleeping (plugged in),DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-power#allowstandbywhensleepingpluggedin
+GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,DCSettingIndex,Disallow standby states (S1-S3) when sleeping (on battery),DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-power#allowstandbystateswhensleepingonbattery
+GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\Explorer,ShowHibernateOption,Show Hibernate Option,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-windowsexplorer#showhibernateoption
+GroupPolicy,TLSSecurity,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002,Functions,Configure the correct TLS Cipher Suites,String,"TLS_CHACHA20_POLY1305_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#tlsciphersuites
+RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client,DisabledByDefault,Disable TLS 1.0 client - Disabled By Default,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionclient
+RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client,Enabled,Disable TLS 1.0 client - Enabled,DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionclient
+RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server,DisabledByDefault,Disable TLS 1.0 server - Disabled By Default,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionserver
+RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server,Enabled,Disable TLS 1.0 server - Enabled,DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionserver
+RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client,DisabledByDefault,Disable TLS 1.1 client - Disabled By Default,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionclient
+RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client,Enabled,Disable TLS 1.1 client - Enabled,DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionclient
+RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server,DisabledByDefault,Disable TLS 1.1 server - Disabled By Default,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionserver
+RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server,Enabled,Disable TLS 1.1 server - Enabled,DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionserver +RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL\,Enabled,Disable NULL Cipher Suite,DWORD,0,false,true, +RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56,Enabled,Disable 56/56 Cipher Suite,DWORD,0,false,true, +RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128,Enabled,Disable 40/128 Cipher Suite,DWORD,0,false,true, +RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128,Enabled,Disable RC2 56/128 Cipher Suite,DWORD,0,false,true, +RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128,Enabled,Disable RC2 128/128 Cipher Suite,DWORD,0,false,true, +RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128,Enabled,Disable RC4 40/128 Cipher Suite,DWORD,0,false,true, +RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128,Enabled,Disable RC4 56/128 Cipher Suite,DWORD,0,false,true, +RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128,Enabled,Disable RC4 64/128 Cipher Suite,DWORD,0,false,true, +RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128,Enabled,Disable RC4 128/128 Cipher Suite,DWORD,0,false,true, 
+RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168,Enabled,Disable Triple DES 168 Cipher Suite,DWORD,0,false,true, +RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5,Enabled,Disable MD5 Hashing Algorithm,DWORD,0,false,true, +GroupPolicy,LockScreen,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\PassportForWork\PINComplexity,Digits,Require digits in Windows Hello PIN,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexitydigits +GroupPolicy,LockScreen,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\PassportForWork\PINComplexity,LowercaseLetters,Require lower case letters in Windows Hello PIN,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexitylowercaseletters +GroupPolicy,LockScreen,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\PassportForWork\PINComplexity,Expiration,Set Expiration for Windows Hello PIN,DWORD,180,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexityexpiration +GroupPolicy,LockScreen,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\PassportForWork\PINComplexity,History,Save history of Windows Hello PIN,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexityhistory +GroupPolicy,LockScreen,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\System,DontDisplayNetworkSelectionUI,Don't Display Network Selection UI on lock screen,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowslogon#dontdisplaynetworkselectionui 
+GroupPolicy,UserAccountControl,HKEY_LOCAL_MACHINE,Software\Microsoft\Windows\CurrentVersion\Policies\System,HideFastUserSwitching,Hide Fast User Switching entry points,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowslogon#hidefastuserswitching +GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,Enable Virtualization Based Security,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard?WT.mc_id=Portal-fx#enablevirtualizationbasedsecurity +GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,Require Platform Security Features,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard?WT.mc_id=Portal-fx#requireplatformsecurityfeatures +GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,Hypervisor Enforced Code Integrity - UEFI Lock,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-VirtualizationBasedTechnology?WT.mc_id=Portal-fx#hypervisorenforcedcodeintegrity +GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HVCIMATRequired,Require HVCI MAT (Memory Attribute Table),DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-VirtualizationBasedTechnology?WT.mc_id=Portal-fx#requireuefimemoryattributestable +GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,Credential Guard Configuration - UEFI Lock,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard?WT.mc_id=Portal-fx#lsacfgflags 
+GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,ConfigureSystemGuardLaunch,System Guard Launch,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard?WT.mc_id=Portal-fx#configuresystemguardlaunch +GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,ConfigureKernelShadowStacksLaunch,Configure Kernel Shadow Stacks Launch,DWORD,1,false,true, +GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\Lsa,RunAsPPL,Enable Local Security Authority (LSA) process Protection with UEFI Lock,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-lsa#configurelsaprotectedprocess +GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,MachineIdentityIsolation,Configure Machine Identity Isolation Configuration,DWORD,2,false,true, +RegistryKeys,DeviceGuard,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\DeviceGuard,Mandatory,Enable VBS and Memory Integrity in Mandatory Mode,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity?tabs=reg +GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,EnableFirewall,Enable Windows Firewall for Domain profile,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofileenablefirewall +GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultOutboundAction,Set Default Outbound Action for Domain profile,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofiledefaultoutboundaction +GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultInboundAction,Set 
Default Inbound Action for Domain profile,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofiledefaultinboundaction +GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DoNotAllowExceptions,Block all Domain profile connections,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofileshielded +GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogFilePath,Configure Log file path for domain profile,String,%systemroot%\system32\logfiles\firewall\domainfirewall.log,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofilelogfilepath +GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogFileSize,Configure Log file size for domain profile,DWORD,32767,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofilelogmaxfilesize +GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogDroppedPackets,Log blocked connections for domain profile,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofileenablelogdroppedpackets +GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogSuccessfulConnections,Log successful connections for domain profile,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofileenablelogsuccessconnections +GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,EnableFirewall,Enable Windows Firewall for Private 
profile,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoreprivateprofileenablefirewall +GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DisableNotifications,Display notifications for Private profile,DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoreprivateprofiledisableinboundnotifications +GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogFileSize,Configure Log file size for Private profile,DWORD,32767,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoreprivateprofilelogmaxfilesize +GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogDroppedPackets,Log blocked connections for Private profile,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoreprivateprofileenablelogdroppedpackets +GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogFilePath,Configure Log file path for Private profile,String,%systemroot%\system32\logfiles\firewall\privatefirewall.log,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoreprivateprofilelogfilepath +GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,EnableFirewall,Enable Windows Firewall for Public profile,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstorepublicprofileenablefirewall +GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DisableNotifications,Display notifications for Public 
profile,DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstorepublicprofiledisableinboundnotifications +GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogFileSize,Configure Log file size for Public profile,DWORD,32767,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstorepublicprofilelogmaxfilesize +GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogDroppedPackets,Log blocked connections for Public profile,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstorepublicprofileenablelogdroppedpackets +GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogFilePath,Configure Log file path for Public profile,String,%systemroot%\system32\logfiles\firewall\publicfirewall.log,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstorepublicprofilelogfilepath +GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows NT\DNSClient,EnableNetbios,Disable Netbios,DWORD,0,false,true, +GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows NT\DNSClient,DisableSmartNameResolution,Disable Smart Name Resolution,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-dnsclient#dns_smartmultihomednameresolution +GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows NT\DNSClient,EnableMulticast,Disable Multicast,DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-dnsclient#turn_off_multicast +GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows NT\Printers,DisableHTTPPrinting,Disable HTTP 
Printing,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-connectivity?WT.mc_id=Portal-fx#diableprintingoverhttp +GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows NT\Printers,DisableWebPnPDownload,Disable Web PnP Download,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-icm#disablewebpnpdownload_1 +RegistryKeys,WindowsNetworking,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Services\NetBT\Parameters,EnableLMHOSTS,Disable LMHOSTS lookup protocol on all network adapters,DWORD,0,false,true, +GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanServer,EnableSMBQUIC,Enable SMB Server Over QUIC,DWORD,1,false,true, +GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanWorkstation,EnableSMBQUIC,Enable SMB Client Over QUIC,DWORD,1,false,true, +GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanServer,CipherSuiteOrder,SMB Server Cipher Suite Order,MULTI_STRING,"AES_256_GCM,AES_256_CCM,AES_128_GCM,AES_128_CCM",false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-lanmanserver#pol_ciphersuiteorder +GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanWorkstation,CipherSuiteOrder,SMB Client Cipher Suite Order,MULTI_STRING,"AES_256_GCM,AES_256_CCM,AES_128_GCM,AES_128_CCM",false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-lanmanworkstation#pol_ciphersuiteorder +GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanServer,MinSmb2Dialect,Sets the minimum SMB server version,DWORD,785,false,true, +GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanWorkstation,MinSmb2Dialect,Sets the minimum SMB client version,DWORD,785,false,true, 
+GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanWorkstation,BlockNTLM,Blocks NTLM for SMB,DWORD,1,false,true, +GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanWorkstation,RequireEncryption,Requires encryption for SMB client,DWORD,1,false,true, +RegistryKeys,WindowsNetworking,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,EncryptData,Enable SMB Server Encryption,DWORD,1,false,true, +GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,Include command line in process creation events,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-auditsettings#includecmdline +GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LocationAndSensors,DisableLocation,Disable Location,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-System?WT.mc_id=Portal-fx#allowlocation +GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LocationAndSensors,DisableLocationScripting,Disable Location Scripting,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-sensors#disablelocationscripting_2 +GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LocationAndSensors,DisableWindowsLocationProvider,Disable Windows Location Provider,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-locationprovideradm#disablewindowslocationprovider_1 +GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows NT\Rpc,EnableAuthEpResolution,Enable RPC Endpoint Mapper Client 
Authentication,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-remoteprocedurecall#rpcendpointmapperclientauthentication +GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,System\CurrentControlSet\Control\SCMConfig,EnableSvchostMitigationPolicy,Enable Svchost Mitigation,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-servicecontrolmanager#svchostprocessmitigation +GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,System\CurrentControlSet\Policies\EarlyLaunch,DriverLoadPolicy,Boot-Start Driver Initialization Policy set to Good only,DWORD,8,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#bootstartdriverinitialization +RegistryKeys,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows Search,EnableFindMyFiles,Enable enhanced search in Window,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#allowfindmyfiles +RegistryKeys,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062},allowautoupdatesmetered,Set Microsoft Edge (Stable) to update over Metered connections,DWORD,1,false,true, +RegistryKeys,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{2CD8A007-E189-409D-A2C8-9AF4EF3C72AA},allowautoupdatesmetered,Set Microsoft Edge (Beta) to update over Metered connections,DWORD,1,false,true, +RegistryKeys,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{0D50BFEC-CD6A-4F9A-964C-C7416E3ACB10},allowautoupdatesmetered,Set Microsoft Edge (Dev) to update over Metered connections,DWORD,1,false,true, +RegistryKeys,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Microsoft\Cryptography\Wintrust\Config,EnableCertPaddingCheck,WinVerifyTrust Signature 
Validation part 1,String,1,false,true, +RegistryKeys,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config,EnableCertPaddingCheck,WinVerifyTrust Signature Validation part 2,String,1,false,true, +GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,EnableCbacAndArmor,Request claims and compound authentication for DAC and Kerberos armoring,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-kerberos#kerberosclientsupportsclaimscompoundarmor +GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows NT\Printers\WPP,WindowsProtectedPrintGroupPolicyState,Enable Windows Protected Print,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-printers#configurewindowsprotectedprint +GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\FileSystem,LongPathsEnabled,Enable support for long paths,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/win32/fileio/maximum-file-path-limitation +GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate,AllowAutoWindowsUpdateDownloadOverMeteredNetwork,Allow updates to be downloaded automatically over metered connections,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#allowautowindowsupdatedownloadovermeterednetwork +GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate,AllowTemporaryEnterpriseFeatureControl,Enable features introduced via servicing that are off by default,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#allowtemporaryenterprisefeaturecontrol 
+GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate,ConfigureDeadlineNoAutoRebootForFeatureUpdates,Specify the number of days before feature updates are installed on devices automatically,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#configuredeadlinenoautorebootforfeatureupdates +GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate,ConfigureDeadlineNoAutoRebootForQualityUpdates,Specify the number of days before quality updates are installed on devices automatically,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#configuredeadlinenoautorebootforqualityupdates +GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate,ConfigureDeadlineForQualityUpdates,Number of days before quality updates are installed on devices automatically,DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#configuredeadlineforqualityupdates +GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate,ConfigureDeadlineGracePeriod,Number of grace period days before quality updates are installed on devices automatically,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiod +GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate,ConfigureDeadlineForFeatureUpdates,Number of days before feature updates are installed on devices automatically,DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#configuredeadlineforfeatureupdates 
+GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate,ConfigureDeadlineGracePeriodForFeatureUpdates,Number of grace period days before feature updates are installed on devices automatically,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiodforfeatureupdates +GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate\AU,NoAutoUpdate,Set the computer to receive security updates and other important downloads through Windows update,DWORD,0,false,true, +GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate\AU,AUOptions,Automatically download updates and install them on maintenance day,DWORD,4,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#allowautoupdate +GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate\AU,AutomaticMaintenanceEnabled,Install updates during automatic maintenance,DWORD,1,false,true, +GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate\AU,ScheduledInstallDay,Set scheduled install day to every day,DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#scheduledinstallday +GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate\AU,ScheduledInstallTime,Set scheduled install time to any time,DWORD,24,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#scheduledinstalltime +GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate\AU,AllowMUUpdateService,Install updates for other Microsoft 
products,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-Update?WT.mc_id=Portal-fx#allowmuupdateservice +RegistryKeys,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\WindowsUpdate\UX\Settings,RestartNotificationsAllowed2,Enable restart notification for Windows update,DWORD,1,false,true, +RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge\Recommended,BlockThirdPartyCookies,Block 3rd party cookies,DWORD,1,false,true,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm +RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge,DnsOverHttpsMode,Set Dns Over Https Mode to use system DoH settings,String,automatic,false,true,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm +RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge,AutomaticHttpsDefault,Automatically upgrade HTTP connections to HTTPS,DWORD,2,false,true,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm +RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge,EncryptedClientHelloEnabled,Enable Encrypted Client Hello,DWORD,1,false,true,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm +RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge,BasicAuthOverHttpEnabled,Block Basic authentication for HTTP,DWORD,0,false,true,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm +RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge,ExperimentationAndConfigurationServiceControl,Allow Edge to receive new features even after using policies,DWORD,2,false,true,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm +RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge,AudioSandboxEnabled,Enforces the audio 
process to run sandboxed,DWORD,1,false,true,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm +RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge\Recommended,DefaultShareAdditionalOSRegionSetting,Recommends that the share additional operating system region setting to be set to never,DWORD,2,false,true,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm +RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,1,Disable TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - (CBC - SHA1),String,0xc013,false,true,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm +RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,2,Disable TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - (CBC - SHA1),String,0xc014,false,true,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm +RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,3,Disable TLS_RSA_WITH_AES_256_CBC_SHA - (NO PFS - CBC - SHA1),String,0x0035,false,true,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm +RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,4,Disable TLS_RSA_WITH_AES_128_CBC_SHA - (NO PFS - CBC - SHA1),String,0x002f,false,true,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm +RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,5,Disable TLS_RSA_WITH_AES_128_GCM_SHA256 - (NO PFS),String,0x009c,false,true,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm +RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,6,Disable TLS_RSA_WITH_AES_256_GCM_SHA384 - (NO 
PFS),String,0x009d,false,true,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm +RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,HideFileExt,Show File extensions,DWORD,0,false,true, +RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,Hidden,Show hidden files,DWORD,1,false,true, +RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,Control Panel\International\User Profile,HttpAcceptLanguageOptOut,Disable websites accessing local language list,DWORD,1,false,true, +RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings,SafeSearchMode,Turn off safe search in Windows search,DWORD,0,false,true, +RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,Software\Microsoft\Clipboard,EnableClipboardHistory,Enable Clipboard History,DWORD,1,false,true, +RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,Software\Microsoft\Input\Settings,EnableHwkbTextPrediction,Turn on Show text suggestions when typing on the physical keyboard,DWORD,1,false,true, +RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,Software\Microsoft\Input\Settings,MultilingualEnabled,Turn on Multilingual text suggestions,DWORD,1,false,true, +RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,Control Panel\Accessibility\StickyKeys,Flags,Turn off sticky key shortcut of pressing shift key 5 time fast,String,506,false,true, +RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,Software\Microsoft\Windows\CurrentVersion\Notifications\Settings,NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK,Disables show reminders and incoming VoIP calls on the lock screen,DWORD,0,false,true, \ No newline at end of file diff --git a/Harden-Windows-Security Module/Main files/Resources/XAML/Protect.xaml b/Harden-Windows-Security Module/Main files/Resources/XAML/Protect.xaml index c3f58711f..6d2a6958d 100644 
--- a/Harden-Windows-Security Module/Main files/Resources/XAML/Protect.xaml
+++ b/Harden-Windows-Security Module/Main files/Resources/XAML/Protect.xaml
@@ -214,6 +214,9 @@
+
+
+
diff --git a/Harden-Windows-Security Module/version.txt b/Harden-Windows-Security Module/version.txt
index bcaffe19b..7deb86fee 100644
--- a/Harden-Windows-Security Module/version.txt
+++ b/Harden-Windows-Security Module/version.txt
@@ -1 +1 @@
-0.7.0
\ No newline at end of file
+0.7.1
\ No newline at end of file
diff --git a/Intune Files/Hardening Policies/TLS Settings.json b/Intune Files/Hardening Policies/TLS Settings.json
index 1fcf36e2e..8c660ca4d 100644
--- a/Intune Files/Hardening Policies/TLS Settings.json
+++ b/Intune Files/Hardening Policies/TLS Settings.json
@@ -1,9 +1,9 @@
 {
 "@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity",
-"createdDateTime": "2024-07-12T14:52:08.4917639Z",
+"createdDateTime": "2025-01-02T07:52:18.9754212Z",
 "creationSource": null,
 "description": "TLS Settings Category",
-"lastModifiedDateTime": "2024-07-12T14:56:14.7388844Z",
+"lastModifiedDateTime": "2025-01-02T08:03:48.2719491Z",
 "name": "TLS Settings",
 "platforms": "windows10",
 "priorityMetaData": null,
@@ -12,7 +12,7 @@
 ],
 "settingCount": 2,
 "technologies": "mdm",
-"id": "95419642-e19e-4c2f-aae2-b3bab7313f7f",
+"id": "f0131daa-abf4-41dd-b706-28c36c045a29",
 "templateReference": {
 "templateId": "",
 "templateFamily": "none",
@@ -64,14 +64,16 @@
 {
 "id": "1",
 "settingInstance": {
- "@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance",
+ "@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance",
 "settingDefinitionId": "device_vendor_msft_policy_config_cryptography_tlsciphersuites",
 "settingInstanceTemplateReference": null,
- "simpleSettingValue": {
- "@odata.type": "#microsoft.graph.deviceManagementConfigurationStringSettingValue",
- "settingValueTemplateReference": null,
- "value": "TLS_CHACHA20_POLY1305_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
- }
+ "simpleSettingCollectionValue": [
+ {
+ "@odata.type": "#microsoft.graph.deviceManagementConfigurationStringSettingValue",
+ "settingValueTemplateReference": null,
+ "value": "TLS_CHACHA20_POLY1305_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
+ }
+ ]
 }
 }
 ]
diff --git a/README.md b/README.md
index 4c4bff54d..dc36e4e8b 100644
--- a/README.md
+++ b/README.md
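Review bot: The new `simpleSettingCollectionValue` carries all nine cipher suites as one comma-separated string inside a single collection element rather than one element per suite, and the hunk does not show how the settings catalog turns that collection into the `TLSCipherSuites` CSP value; if Intune joins the elements itself, the device may receive a value that differs from the intended ordered list. It is worth confirming on a test device that the policy reports as applied and that the resulting Schannel cipher suite order matches exactly these nine suites, and recording in the repository docs which of the two shapes (one element per suite, or one joined string) the catalog expects. Since this object is a portal export, a correction, if one is needed, should come from a re-export rather than a hand edit.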
@@ -333,6 +333,8 @@ From Top to bottom in order: - Blue Check mark denoting Group Policy Clears Quarantined items after 1 day instead of the default behavior of keeping them indefinitely. Rotating green checkmark denoting CSP [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#quarantine_purgeitemsafterdelay) + * Quarantine involves isolating potentially harmful files in a non-executable area of your system to prevent any risk of execution. To further minimize potential threats, quarantined files are automatically removed after 1 day, rather than being retained indefinitely. This precaution helps mitigate the possibility of these files exploiting unforeseen vulnerabilities in the future, ensuring a proactive approach to system security. +
- Blue Check mark denoting Group Policy Allows Microsoft Defender to download security updates even on a metered connection. Rotating green checkmark denoting CSP [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp?WT.mc_id=Portal-fx#configurationmeteredconnectionupdates) @@ -814,9 +816,6 @@ Changes made by this category only affect things that use [Schannel SSP](https:/ If you want to read more: [Demystifying Schannel](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/demystifying-schannel/ba-p/259233) -> [!NOTE]\ -> This category checks whether Battle.net client is installed on the system and if it is then includes `TLS_RSA_WITH_AES_256_CBC_SHA` as an additional cipher suite in the policy due to [a known issue](https://github.com/HotCakeX/Harden-Windows-Security/issues/38). The way Battle.net client is detected is by checking the presence of `Battle.net.exe` or `Battle.net Launcher.exe` in `C:\Program Files (x86)\Battle.net\` folder. -
- Rotating pink checkmark denoting registry or cmdlet Disables TLS 1 and TLS 1.1 security protocols that only **exist for backward compatibility**. All modern software should and do use `TLS 1.2` and `TLS 1.3`. Rotating green checkmark denoting CSP [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionclient) Rotating green checkmark denoting CSP [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionserver) @@ -847,6 +846,10 @@ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
+- Blue Check mark denoting Group Policy Rotating green checkmark denoting Subcategory Use the ***TLS for BattleNet*** sub-category if you have the BattleNet game client installed on your system. This client utilizes the `TLS_RSA_WITH_AES_256_CBC_SHA` cipher suite to establish connections with its servers. Since this cipher suite is less secure, it is excluded from the secure cipher-suites list by default. However, enabling this sub-category will include the required cipher suite, allowing you to use BattleNet without interruptions. + +
+ - Blue Check mark denoting Group Policy [Configures](https://learn.microsoft.com/en-us/windows-server/security/tls/manage-tls) TLS ECC Curves to [use the following](https://github.com/HotCakeX/Harden-Windows-Security/commit/5b5be1fcab8f7bf5d364f48459aecfc54c6eff9d#commitcomment-115982586) prioritized Curves order: Rotating green checkmark denoting CSP [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#configureellipticcurvecryptography) ```