From 3ea3b8d60b6c6cde99a60d3b63508646095288bf Mon Sep 17 00:00:00 2001 
From: Violet Hansen Date: Thu, 2 Jan 2025 20:24:14 +0200 Subject: [PATCH] Harden Windows Security v0.7.1 (#494) During the compliance checking, MDM results that are not used by the module are no longer collected, improving the performance and speed, especially on lower end hardware. Adjusted the TLS Category's Intune Json config to match the new schema. Added a new sub-category for the TLS category, called "TLS for BattleNet". When selected, the TLS category will deploy the group policy that has the extra cipher suite TLS_RSA_WITH_AES_256_CBC_SHA which is less secure but required for BattleNet client to connect to its servers. Fixes -> [BUG?]: TLS Security fix for Battle.net not working #489 This means BattleNet client is no longer automatically detected on the system because there are times when it's installed in non-default location. Now the user is in control to decide whether to use the extra cipher suite or not. WDACConfig module is no longer used/installed for Downloads Defense Measures category. All the necessary logic for policy creation is now implemented natively. This substantially improves the performance and allows for full offline usage of this category and its sub-categories. This also facilitates the deprecation of the WDACConfig module which is replaced with the new modern AppControl Manager. 
--- .../Main files/C#/CimInstances/MDM.cs | 30 +- .../C#/GUI/Protection/EventHandlers.cs | 4 + .../Main files/C#/GUI/Protection/Variables.cs | 1 + .../C#/Others/CategoryProcessing.cs | 353 ++++++++++-------- .../{CiToolRunner.cs => CiToolHelper.cs} | 214 +++++++++-- .../C#/Others/PolicyToCIPConverter.cs | 28 ++ .../DangerousScriptHostsBlocking.cs | 46 ++- .../DownloadsDefenseMeasures.cs | 193 ++++++---- .../C#/Protect Methods/TLSSecurity.cs | 13 +- .../TLSSecurity_BattleNetClient.cs | 25 ++ .../Main files/C#/Types/CiPolicyInfo.cs | 22 -- .../UnprotectWindowsSecurity.cs | 6 +- .../Harden-Windows-Security-Module.psd1 | 2 +- .../Harden-Windows-Security-Module.psm1 | 2 +- .../Dangerous-Script-Hosts-Blocking.xml | 18 +- .../Resources/Downloads-Defense-Measures.xml | 70 ++++ .../Main files/Resources/MDMResultClasses.csv | 244 ++++++------ .../Resources/Registry resources.csv | 330 ++++++++-------- .../Main files/Resources/XAML/Protect.xaml | 3 + Harden-Windows-Security Module/version.txt | 2 +- .../Hardening Policies/TLS Settings.json | 20 +- README.md | 9 +- 22 files changed, 984 insertions(+), 651 deletions(-) rename Harden-Windows-Security Module/Main files/C#/Others/{CiToolRunner.cs => CiToolHelper.cs} (58%) create mode 100644 Harden-Windows-Security Module/Main files/C#/Others/PolicyToCIPConverter.cs create mode 100644 Harden-Windows-Security Module/Main files/C#/Protect Methods/TLSSecurity_BattleNetClient.cs delete mode 100644 Harden-Windows-Security Module/Main files/C#/Types/CiPolicyInfo.cs create mode 100644 Harden-Windows-Security Module/Main files/Resources/Downloads-Defense-Measures.xml diff --git a/Harden-Windows-Security Module/Main files/C#/CimInstances/MDM.cs b/Harden-Windows-Security Module/Main files/C#/CimInstances/MDM.cs index 2b6452466..4148e8ea1 100644 --- a/Harden-Windows-Security Module/Main files/C#/CimInstances/MDM.cs +++ b/Harden-Windows-Security Module/Main files/C#/CimInstances/MDM.cs 
@@ -46,12 +46,9 @@ private static async Task>>> foreach (MdmRecord record in records) { // Process only authorized records - if (record.Authorized?.Equals("TRUE", StringComparison.OrdinalIgnoreCase) == true) + if (record.Authorized.Equals("TRUE", StringComparison.OrdinalIgnoreCase)) { - // Debugging output - // Logger.LogMessage($"Namespace: {record.Namespace}, Class: {record.Class}"); - // Add a new task for each class query tasks.Add(Task.Run(() => { @@ -72,7 +69,7 @@ private static async Task>>> } // Create object query for the current class - string classQuery = record.Class?.Trim() ?? throw new InvalidOperationException("Record.Class is null"); + string classQuery = record.Class.Trim(); ObjectQuery query = new("SELECT * FROM " + classQuery); // Create management object searcher for the query @@ -125,14 +122,24 @@ private static async Task>>> return results; } - // Helper method to get property value as original type + + /// + /// Helper method to get property value as original type + /// + /// + /// private static object GetPropertyOriginalValue(PropertyData prop) { // Return the value of the property return prop.Value; } - // Helper method to read CSV file asynchronously + + /// + /// Helper method to read CSV file asynchronously + /// + /// + /// private static async Task> ReadCsvFileAsync(string filePath) { List records = []; @@ -149,9 +156,10 @@ private static async Task> ReadCsvFileAsync(string filePath) continue; // Skip the header line } - // This check is redundant but shows explicit handling if (line is null) + { continue; + } string[] values = line.Split(','); 
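Review bot: `string classQuery = record.Class.Trim();` in the second hunk is concatenated straight into `"SELECT * FROM " + classQuery`, and the hunk drops the old null guard without adding any check on the shape of the value. The class names come from the module's own CSV rather than from a user, so this is a robustness point more than an injection risk, but a malformed or hand-edited CSV row would now reach WMI as an arbitrary query fragment; a one-line identifier check keeps the failure explicit: `if (classQuery.Length == 0 || !classQuery.All(c => char.IsLetterOrDigit(c) || c == '_')) throw new InvalidOperationException($"Invalid MDM class name in the CSV: '{classQuery}'");` (this needs System.Linq in scope, which the chunk does not show). The enclosing method starts and ends outside the hunk.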
@@ -175,8 +183,8 @@ private static async Task> ReadCsvFileAsync(string filePath) // Class to represent a record in the CSV file private sealed class MdmRecord { - internal string? Namespace { get; set; } - internal string? Class { get; set; } - internal string? Authorized { get; set; } + internal required string Namespace { get; set; } + internal required string Class { get; set; } + internal required string Authorized { get; set; } } } diff --git a/Harden-Windows-Security Module/Main files/C#/GUI/Protection/EventHandlers.cs b/Harden-Windows-Security Module/Main files/C#/GUI/Protection/EventHandlers.cs index 7f100a5fd..346cea656 100644 --- a/Harden-Windows-Security Module/Main files/C#/GUI/Protection/EventHandlers.cs +++ b/Harden-Windows-Security Module/Main files/C#/GUI/Protection/EventHandlers.cs @@ -606,6 +606,10 @@ await Task.Run(() => case "TLSSecurity": { TLSSecurity.Invoke(); + if (SelectedSubCategories.Contains("TLSSecurity_BattleNetClient")) + { + TLSSecurity.TLSSecurity_BattleNetClient(); + } break; } case "LockScreen": diff --git a/Harden-Windows-Security Module/Main files/C#/GUI/Protection/Variables.cs b/Harden-Windows-Security Module/Main files/C#/GUI/Protection/Variables.cs index 8f84106b6..141569e66 100644 --- a/Harden-Windows-Security Module/Main files/C#/GUI/Protection/Variables.cs +++ b/Harden-Windows-Security Module/Main files/C#/GUI/Protection/Variables.cs 
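Review bot: The new `TLSSecurity.TLSSecurity_BattleNetClient()` call in EventHandlers.cs intentionally layers a policy with a weaker cipher suite (TLS_RSA_WITH_AES_256_CBC_SHA, per the commit description) on top of what `Invoke()` has just applied, and nothing at the call site records that ordering dependency or the trade-off. A short comment would keep a future reorder from silently undoing the fix: `// Must run after Invoke(): applies the BattleNet policy with the extra (weaker) cipher suite on top of the TLS category`. Whether the method logs the downgrade itself is not visible here, since TLSSecurity_BattleNetClient.cs is not in this chunk; if it does not, a `Logger.LogMessage` line at this call site would give users a record that the less secure suite was enabled. The surrounding switch continues outside the hunk.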
@@ -43,6 +43,7 @@ public static partial class GUIProtectWinSecurity { "LockScreen", new string[] { "LockScreen_CtrlAltDel", "LockScreen_NoLastSignedIn" } }, { "UserAccountControl", new string[] { "UAC_NoFastSwitching", "UAC_OnlyElevateSigned" } }, { "WindowsNetworking", new string[] { "WindowsNetworking_BlockNTLM" } }, + { "TLSSecurity", new string[] { "TLSSecurity_BattleNetClient" } }, { "MiscellaneousConfigurations", new string[] { "Miscellaneous_WindowsProtectedPrint", "MiscellaneousConfigurations_LongPathSupport", "MiscellaneousConfigurations_StrongKeyProtection" } }, { "DeviceGuard", new string[] { "DeviceGuard_MandatoryVBS" } }, { "CountryIPBlocking", new string[] { "CountryIPBlocking_OFAC" } }, diff --git a/Harden-Windows-Security Module/Main files/C#/Others/CategoryProcessing.cs b/Harden-Windows-Security Module/Main files/C#/Others/CategoryProcessing.cs index 57d3cd965..b861f5955 100644 --- a/Harden-Windows-Security Module/Main files/C#/Others/CategoryProcessing.cs +++ b/Harden-Windows-Security Module/Main files/C#/Others/CategoryProcessing.cs 
@@ -10,21 +10,22 @@ namespace HardenWindowsSecurity; // Registry keys are case-insensitive // https://learn.microsoft.com/en-us/windows/win32/sysinfo/structure-of-the-registry -public static class CategoryProcessing +internal static class CategoryProcessing { // to store the structure of the Registry resources CSV data private sealed class CsvRecord { - public required string Origin { get; set; } - public required ComplianceCategories Category { get; set; } - public required string Hive { get; set; } - public required string Key { get; set; } - public required string Name { get; set; } - public required string FriendlyName { get; set; } - public required string Type { get; set; } - public required List Value { get; set; } - public required bool ValueIsList { get; set; } - public string? CSPLink { get; set; } + internal required string Origin { get; set; } + internal required ComplianceCategories Category { get; set; } + internal required string Hive { get; set; } + internal required string Key { get; set; } + internal required string Name { get; set; } + internal required string FriendlyName { get; set; } + internal required string Type { get; set; } + internal required List Value { get; set; } + internal required bool ValueIsList { get; set; } + internal required bool Exists { get; set; } + internal string? CSPLink { get; set; } } // method to parse the CSV file and return a list of CsvRecord objects 
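Review bot: The new `Exists` property on CsvRecord has no comment, and it is the one field whose meaning is not evident from its name: elsewhere in this commit `!item.Exists` switches ProcessCategory into a mode where the item is compliant only when the registry key is absent. Document that inversion at the declaration, e.g. `// false = the key must NOT exist for the item to be compliant; true = normal value comparison`. The other properties are self-describing, so a one-liner here is enough.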
@@ -59,40 +60,34 @@ private static List ReadCsv() string[] fields = ParseCsvLine(line); - if (fields.Length == 10) + if (fields.Length is not 11) { - // Determine if the ValueIsList field is true - bool valueIsList = bool.Parse(fields[8]); + throw new ArgumentException("The 'Registry resources.csv' file is not formatted correctly. There should be 11 fields in each line."); + } - // Split the value field by commas only if ValueIsList is true - List values = valueIsList - ? [.. fields[7].Trim('"').Split(',').Select(v => v.Trim())] - : [fields[7].Trim('"')]; + // Determine if the ValueIsList field is true + bool valueIsList = bool.Parse(fields[8]); + // Split the value field by commas only if ValueIsList is true + List values = valueIsList + ? [.. fields[7].Trim('"').Split(',').Select(v => v.Trim())] + : [fields[7].Trim('"')]; - if (!Enum.TryParse(fields[1], true, out ComplianceCategories categoryName)) - { - throw new InvalidDataException($"Invalid category name in the 'Registry resources.csv' file: {categoryName}"); - } - records.Add(new CsvRecord - { - Origin = fields[0], - Category = categoryName, - Hive = fields[2], - Key = fields[3], - Name = fields[4], - FriendlyName = fields[5], - Type = fields[6], - Value = values, - ValueIsList = valueIsList, - CSPLink = fields[9] - }); - } - else + records.Add(new CsvRecord { - throw new ArgumentException("The CSV file is not formatted correctly. There should be 10 fields in each line."); - } + Origin = fields[0], + Category = Enum.Parse(fields[1], true), + Hive = fields[2], + Key = fields[3], + Name = fields[4], + FriendlyName = fields[5], + Type = fields[6], + Value = values, + ValueIsList = valueIsList, + Exists = bool.Parse(fields[9]), + CSPLink = fields[10] + }); } } 
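Review bot: The new field-count guard throws without saying which line failed or how many fields it found, and `Enum.Parse(fields[1], true)` replaces a TryParse that reported the offending category name, so a bad row in 'Registry resources.csv' now surfaces as a generic ArgumentException with no locator. Include the data in the message: `throw new ArgumentException($"The 'Registry resources.csv' file is not formatted correctly. Expected 11 fields but found {fields.Length} in line: {line}");`, and either keep the TryParse with its message or wrap the parse so the category text is reported. `bool.Parse(fields[9])` for the new Exists column has the same silent FormatException failure mode on a typo in the CSV. ReadCsv begins and ends outside the hunk.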
@@ -160,176 +155,208 @@ internal static List ProcessCategory(ComplianceCategories catN // Read the CSV data List csvData = ReadCsv(); - // Filter the items based on category and origin + // Filter the items based on category and origin/method var filteredItems = csvData.Where(item => item.Category == catName && - item.Origin?.Equals(method, StringComparison.OrdinalIgnoreCase) == true + item.Origin.Equals(method, StringComparison.OrdinalIgnoreCase) ); // Process each filtered item foreach (CsvRecord item in filteredItems) { - // Initialize variables - bool valueMatches = false; - string? regValueStr = null; + // If the registry key should not exist + if (!item.Exists) + { + bool keyExists = false; + + // Check in HKEY_CLASSES_ROOT + if (item.Hive.Equals("HKEY_CLASSES_ROOT", StringComparison.OrdinalIgnoreCase)) + { + if (item.Key is not null) + { + // Try to open the key in HKEY_CLASSES_ROOT + using RegistryKey? key = Registry.ClassesRoot.OpenSubKey(item.Key); + + // Determine if the key exists + keyExists = key is not null; + } + } + + // Will implement more if needed + - // If the type defined in the CSV is HKLM - if (item.Hive is not null && item.Hive.Equals("HKEY_LOCAL_MACHINE", StringComparison.OrdinalIgnoreCase)) + // Add the result to the output + output.Add(new IndividualResult + { + FriendlyName = item.FriendlyName, + Compliant = !keyExists, // Compliance is true if the key does NOT exist + Value = keyExists ? "Exists" : "Does not exist", // Report existence status + Name = item.Name, + Category = catName, + Method = Enum.Parse(method, true) + }); + + } + + // If the registry key should exist + else { - // Open the registry key in HKEY_LOCAL_MACHINE - if (item.Key is not null) + + // Initialize variables + bool valueMatches = false; + string? regValueStr = null; + + // If the type defined in the CSV is HKLM + if (item.Hive.Equals("HKEY_LOCAL_MACHINE", StringComparison.OrdinalIgnoreCase)) { // Open the registry key in HKEY_LOCAL_MACHINE - using RegistryKey? 
key = Registry.LocalMachine.OpenSubKey(item.Key); - - if (key is not null) + if (item.Key is not null) { - // Get the registry value - var regValue = key.GetValue(item.Name); + // Open the registry key in HKEY_LOCAL_MACHINE + using RegistryKey? key = Registry.LocalMachine.OpenSubKey(item.Key); - // Check if the registry value is an integer - if (regValue is int v) - { - // Handle the case where the DWORD value is returned as an int - // because DWORD is an UInt32 - // Then convert it to a string - regValueStr = unchecked((uint)v).ToString(CultureInfo.InvariantCulture); - } - else if (regValue is uint) - { - // Handle the case where the DWORD value is returned as a uint - regValueStr = regValue.ToString(); - } - else if (regValue is string[] v1) - { - // Convert MULTI_STRING (string[]) to a comma-separated string for display - regValueStr = string.Join(",", v1); - } - else + if (key is not null) { - // Convert the registry value to a string otherwise - regValueStr = regValue?.ToString(); - } - - // Parse the expected values based on their type in the CSV file - var parsedValues = item.Type is not null - ? item.Value?.Select(v => ParseRegistryValue(type: item.Type, value: v)).ToList() ?? [] - : []; + // Get the registry value + var regValue = key.GetValue(item.Name); - // Check if the registry value matches any of the expected values - if (regValue is not null && item.Type is not null) - { - // Convert regValueStr to uint if applicable - uint? 
regValueUInt = null; - if (uint.TryParse(regValueStr, NumberStyles.Integer, CultureInfo.InvariantCulture, out uint parsedRegValue)) + // Check if the registry value is an integer + if (regValue is int v) { - regValueUInt = parsedRegValue; + // Handle the case where the DWORD value is returned as an int + // because DWORD is an UInt32 + // Then convert it to a string + regValueStr = unchecked((uint)v).ToString(CultureInfo.InvariantCulture); } - - // Handle -1 case (which is equivalent to 4294967295 for DWORD) - // Because CompareRegistryValues doesn't do the comparison properly - if (regValueUInt == 4294967295 && item.Value is not null && item.Value.Contains("4294967295")) + else if (regValue is uint) { - valueMatches = true; + // Handle the case where the DWORD value is returned as a uint + regValueStr = regValue.ToString(); } - else if (regValueUInt == 2147483647 && item.Value is not null && item.Value.Contains("2147483647")) + else if (regValue is string[] v1) { - valueMatches = true; + // Convert MULTI_STRING (string[]) to a comma-separated string for display + regValueStr = string.Join(",", v1); } - // Used for any other value that is not DWORD max int32 or maxUint32 - else if (parsedValues.Any(parsedValue => CompareRegistryValues(type: item.Type, regValue: regValue, expectedValue: parsedValue))) + else { - valueMatches = true; + // Convert the registry value to a string otherwise + regValueStr = regValue?.ToString(); + } + + // Parse the expected values based on their type in the CSV file + var parsedValues = item.Value?.Select(v => ParseRegistryValue(type: item.Type, value: v)).ToList() ?? []; + + + // Check if the registry value matches any of the expected values + if (regValue is not null) + { + // Convert regValueStr to uint if applicable + uint? 
regValueUInt = null; + if (uint.TryParse(regValueStr, NumberStyles.Integer, CultureInfo.InvariantCulture, out uint parsedRegValue)) + { + regValueUInt = parsedRegValue; + } + + // Handle -1 case (which is equivalent to 4294967295 for DWORD) + // Because CompareRegistryValues doesn't do the comparison properly + if (regValueUInt == 4294967295 && item.Value is not null && item.Value.Contains("4294967295")) + { + valueMatches = true; + } + else if (regValueUInt == 2147483647 && item.Value is not null && item.Value.Contains("2147483647")) + { + valueMatches = true; + } + // Used for any other value that is not DWORD max int32 or maxUint32 + else if (parsedValues.Any(parsedValue => CompareRegistryValues(type: item.Type, regValue: regValue, expectedValue: parsedValue))) + { + valueMatches = true; + } } } } } - } - // If the type defined in the CSV is HKCU - else if (item.Hive?.Equals("HKEY_CURRENT_USER", StringComparison.OrdinalIgnoreCase) == true) - { - if (item.Key is not null) + // If the type defined in the CSV is HKCU + else if (item.Hive.Equals("HKEY_CURRENT_USER", StringComparison.OrdinalIgnoreCase)) { - // Open the registry key in HKEY_CURRENT_USER - using RegistryKey? key = Registry.CurrentUser.OpenSubKey(item.Key); - - if (key is not null) + if (item.Key is not null) { - // Get the registry value - var regValue = key.GetValue(item.Name); + // Open the registry key in HKEY_CURRENT_USER + using RegistryKey? 
key = Registry.CurrentUser.OpenSubKey(item.Key); - if (regValue is int v1) - { - // Handle the case where the DWORD value is returned as an int - regValueStr = unchecked((uint)v1).ToString(CultureInfo.InvariantCulture); - } - else if (regValue is uint) - { - // Handle the case where the DWORD value is returned as a uint - regValueStr = regValue.ToString(); - } - else if (regValue is string[] v) - { - // Convert MULTI_STRING (string[]) to a comma-separated string for display - regValueStr = string.Join(",", v); - } - else + if (key is not null) { - regValueStr = regValue?.ToString(); - } + // Get the registry value + var regValue = key.GetValue(item.Name); - // Parse the expected values based on their type in the CSV file - var parsedValues = item.Type is not null - ? item.Value?.Select(v => ParseRegistryValue(type: item.Type, value: v)).ToList() ?? [] - : []; - - // Check if the registry value matches any of the expected values - if (regValue is not null && item.Type is not null) - { - // Convert regValueStr to uint if applicable - uint? 
regValueUInt = null; - if (uint.TryParse(regValueStr, NumberStyles.Integer, CultureInfo.InvariantCulture, out uint parsedRegValue)) + if (regValue is int v1) { - regValueUInt = parsedRegValue; + // Handle the case where the DWORD value is returned as an int + regValueStr = unchecked((uint)v1).ToString(CultureInfo.InvariantCulture); } - - // Handle special DWORD cases manually - if (regValueUInt == 4294967295 && item.Value is not null && item.Value.Contains("4294967295")) + else if (regValue is uint) { - // DWORD -1 case, equivalent to max Uint32 - valueMatches = true; + // Handle the case where the DWORD value is returned as a uint + regValueStr = regValue.ToString(); } - else if (regValueUInt == 2147483647 && item.Value is not null && item.Value.Contains("2147483647")) + else if (regValue is string[] v) { - // DWORD maximum signed int32 case - valueMatches = true; + // Convert MULTI_STRING (string[]) to a comma-separated string for display + regValueStr = string.Join(",", v); } - // Fallback to general comparison using CompareRegistryValues - else if (parsedValues.Any(parsedValue => CompareRegistryValues(type: item.Type, regValue: regValue, expectedValue: parsedValue))) + else { - valueMatches = true; + regValueStr = regValue?.ToString(); + } + + // Parse the expected values based on their type in the CSV file + var parsedValues = item.Value?.Select(v => ParseRegistryValue(type: item.Type, value: v)).ToList() ?? []; + + // Check if the registry value matches any of the expected values + if (regValue is not null) + { + // Convert regValueStr to uint if applicable + uint? 
regValueUInt = null; + if (uint.TryParse(regValueStr, NumberStyles.Integer, CultureInfo.InvariantCulture, out uint parsedRegValue)) + { + regValueUInt = parsedRegValue; + } + + // Handle special DWORD cases manually + if (regValueUInt == 4294967295 && item.Value is not null && item.Value.Contains("4294967295")) + { + // DWORD -1 case, equivalent to max Uint32 + valueMatches = true; + } + else if (regValueUInt == 2147483647 && item.Value is not null && item.Value.Contains("2147483647")) + { + // DWORD maximum signed int32 case + valueMatches = true; + } + // Fallback to general comparison using CompareRegistryValues + else if (parsedValues.Any(parsedValue => CompareRegistryValues(type: item.Type, regValue: regValue, expectedValue: parsedValue))) + { + valueMatches = true; + } } } } } - } - if (!Enum.TryParse(method, true, out ConfirmSystemComplianceMethods.Method methodEnum)) - { - throw new InvalidDataException($"Invalid method name in the 'Registry resources.csv' file: {method}"); + // Add a new result to the output list + output.Add(new IndividualResult + { + FriendlyName = item.FriendlyName, + Compliant = valueMatches, + Value = regValueStr ?? string.Empty, + Name = item.Name, + Category = catName, + Method = Enum.Parse(method, true) + }); } - // Add a new result to the output list - output.Add(new IndividualResult - { - FriendlyName = item.FriendlyName ?? "Unknown", // Ensure FriendlyName is non-null - Compliant = valueMatches, - Value = regValueStr ?? string.Empty, - Name = item.Name ?? "Unknown", // Ensure Name is non-null - Category = catName, - Method = methodEnum - }); } // Return the output list diff --git a/Harden-Windows-Security Module/Main files/C#/Others/CiToolRunner.cs b/Harden-Windows-Security Module/Main files/C#/Others/CiToolHelper.cs similarity index 58% rename from Harden-Windows-Security Module/Main files/C#/Others/CiToolRunner.cs rename to Harden-Windows-Security Module/Main files/C#/Others/CiToolHelper.cs index 7b537c29e..59182fa65 100644 
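Review bot: In the new `!item.Exists` branch, `keyExists` stays false for any hive other than HKEY_CLASSES_ROOT, so a CSV row with Exists=false and an HKLM or HKCU hive is reported as compliant without the key ever being checked; the `// Will implement more if needed` comment acknowledges the gap, but the code fails open. Fail closed instead, after the HKCR check: `else { throw new NotSupportedException($"Key-existence checks are only implemented for HKEY_CLASSES_ROOT; got '{item.Hive}' for '{item.FriendlyName}'"); }`. Separately, `Method = Enum.Parse(method, true)` now runs once per item inside the foreach and no longer reports an invalid method name the way the removed TryParse did; parsing it once above the loop restores both. ProcessCategory continues past the end of the hunk.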
--- a/Harden-Windows-Security Module/Main files/C#/Others/CiToolRunner.cs +++ b/Harden-Windows-Security Module/Main files/C#/Others/CiToolHelper.cs 
@@ -3,18 +3,43 @@ using System.Diagnostics; using System.Globalization; using System.IO; +using System.Text; using System.Text.Json; +// The following code is exact mirror of the same code in AppControl Manager's codebase namespace HardenWindowsSecurity; -internal static class CiToolRunner +// Class to represent a policy with various attributes +public sealed class CiPolicyInfo +{ + public string? PolicyID { get; set; } // Unique identifier for the policy + public string? BasePolicyID { get; set; } // Identifier for the base policy + public string? FriendlyName { get; set; } // Human-readable name of the policy + public Version? Version { get; set; } // Version object representing the policy version + public string? VersionString { get; set; } // Original version string from the policy data + public bool IsSystemPolicy { get; set; } // Indicates if it's a system policy + public bool IsSignedPolicy { get; set; } // Indicates if the policy is signed + public bool IsOnDisk { get; set; } // Indicates if the policy is present on disk + public bool IsEnforced { get; set; } // Indicates if the policy is enforced + public bool IsAuthorized { get; set; } // Indicates if the policy is authorized + internal List? PolicyOptions { get; set; } // List of options or settings related to the policy + + + // A property to format PolicyOptions as a comma-separated string + public string PolicyOptionsDisplay => PolicyOptions is not null ? string.Join(", ", PolicyOptions) : string.Empty; +} + + +// This class contains all the necessary logics to interact with CiTool.exe +// Any code that wants to use CiTool.exe must go through this class rather than contacting it directly +internal static class CiToolHelper { /// /// Converts a 64-bit unsigned integer into a version type, used for converting the numbers from CiTool.exe output to proper versions. /// /// The 64-bit unsigned integer as a string. 
/// The parsed version - private static Version Measure(string number) + internal static Version Measure(string number) { try { @@ -45,27 +70,21 @@ private static Version Measure(string number) catch (Exception ex) { // Handle errors by printing an error message and returning a default version of 0.0.0.0 - Logger.LogMessage($"Error converting number to version: {ex.Message}", LogTypeIntel.Error); + Logger.LogMessage($"Error converting number to version: {ex.Message}", LogTypeIntel.Information); return new Version(0, 0, 0, 0); } } - internal static JsonSerializerOptions Options => new() - { - // Ignore case when matching JSON property names - PropertyNameCaseInsensitive = true, - }; - /// - /// Gets a list of AppControl policies on the system with filtering + /// Gets a list of App Control policies on the system with filtering /// /// Will include System policies in the output /// Will include Base policies in the output /// Will include Supplemental policies in the output /// /// - internal static List RunCiTool(JsonSerializerOptions options, bool SystemPolicies = false, bool BasePolicies = false, bool SupplementalPolicies = false) + internal static List GetPolicies(bool SystemPolicies = false, bool BasePolicies = false, bool SupplementalPolicies = false) { // Create an empty list of Policy objects to return at the end List policies = []; @@ -83,9 +102,8 @@ internal static List RunCiTool(JsonSerializerOptions options, bool CreateNoWindow = true // Run the process without creating a window }; - // Start the process and capture the output - using Process? process = Process.Start(processStartInfo) ?? throw new InvalidOperationException("There was a problem running the CiTool.exe in the RunCiTool method."); + using Process? process = Process.Start(processStartInfo) ?? throw new InvalidOperationException("There was a problem running the CiTool.exe in the GetPolicies method."); // Read all output as a string string jsonOutput = process.StandardOutput.ReadToEnd(); 
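Review bot: The catch in `Measure` now logs a version-conversion failure at `LogTypeIntel.Information` and still returns 0.0.0.0, so a malformed version from CiTool output is both downgraded in the log and masked in the returned data; the removed line used `LogTypeIntel.Error`, which is the appropriate level for a parse failure that substitutes a placeholder value. I would keep `Logger.LogMessage($"Error converting number to version: {ex.Message}", LogTypeIntel.Error);`. If the downgrade is intentional because CiTool routinely emits values this method cannot parse, a comment saying so would stop the next reader from reverting it. The try body of Measure lies between the hunks and is not fully visible here.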
@@ -95,12 +113,13 @@ internal static List RunCiTool(JsonSerializerOptions options, bool if (process.ExitCode != 0) { - // Throw an exception with the error message throw new InvalidOperationException($"Command execution failed with error code {process.ExitCode}"); } - // Deserialize the JSON into a JsonElement for easy traversal - var rootElement = JsonSerializer.Deserialize(jsonOutput, options); + // Parse the JSON into a JsonElement for easy traversal + using JsonDocument document = JsonDocument.Parse(Encoding.UTF8.GetBytes(jsonOutput)); + + JsonElement rootElement = document.RootElement; // If "Policies" property exists and is an array, start processing each policy if (rootElement.TryGetProperty("Policies", out JsonElement policiesElement) && policiesElement.ValueKind == JsonValueKind.Array) @@ -145,9 +164,9 @@ internal static List RunCiTool(JsonSerializerOptions options, bool /// - /// Removes a deployed AppControl policy from the system + /// Removes a deployed App Control policy from the system /// - /// the GUID which is the policy ID of the policy to be removed, with the curly brackets {} wrapped with double quotes "" + /// The GUID which is the policy ID of the policy to be removed. /// internal static void RemovePolicy(string policyId) { @@ -156,6 +175,11 @@ internal static void RemovePolicy(string policyId) throw new ArgumentException("Policy ID cannot be null or empty.", nameof(policyId)); } + // Remove any curly brackets or double quotes from the policy ID + // They will be added automatically later by the method + policyId = policyId.Trim('"', '"'); + policyId = policyId.Trim('{', '}'); + // Combine the path to CiTool.exe using the system's special folder path string ciToolPath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.System), "CiTool.exe"); 
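Review bot: `RemovePolicy(string)` strips quotes and braces from `policyId` but never checks that what remains is a GUID before it is spliced into the CiTool command line in the next hunk, so any string that survives `IsNullOrWhiteSpace` is passed through verbatim. A policy ID is by definition a GUID, so validate it and let the framework do the bracing: `if (!Guid.TryParse(policyId, out Guid guid)) throw new ArgumentException($"'{policyId}' is not a valid policy GUID.", nameof(policyId));` followed by `Arguments = $"--remove-policy \"{guid:B}\" -json"` (the B format yields the braced form). The `Trim('"', '"')` call also lists the same character twice; if a second quote type was intended, it appears to have been lost. Less important, `JsonDocument.Parse(Encoding.UTF8.GetBytes(jsonOutput))` can simply be `JsonDocument.Parse(jsonOutput)`, which also makes the new `using System.Text;` unnecessary.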
@@ -163,29 +187,171 @@ internal static void RemovePolicy(string policyId) ProcessStartInfo processStartInfo = new() { FileName = ciToolPath, - Arguments = $"--remove-policy \"{{{policyId}}}\" -json", // Arguments to remove a AppControl policy + Arguments = $"--remove-policy \"{{{policyId}}}\" -json", // Arguments to remove an App Control policy RedirectStandardOutput = true, // Capture the standard output UseShellExecute = false, // Do not use the OS shell to start the process CreateNoWindow = true // Run the process without creating a window }; // Start the process and capture the output - using Process? process = Process.Start(processStartInfo) ?? throw new InvalidOperationException("There was a problem running the CiTool.exe in the RunCiTool method."); + using Process? process = Process.Start(processStartInfo) ?? throw new InvalidOperationException("There was a problem running the CiTool.exe in the GetPolicies method."); - // Don't need the output if successful - _ = process.StandardOutput.ReadToEnd(); + // Read all output as a string + string jsonOutput = process.StandardOutput.ReadToEnd(); // Wait for the process to complete process.WaitForExit(); if (process.ExitCode != 0) { - // Throw an exception with the error message - throw new InvalidOperationException($"Command execution failed with error code {process.ExitCode}"); + throw new InvalidOperationException($"Command execution failed with error code {process.ExitCode}. Output: {jsonOutput}"); + } + } + + + + + /// + /// Removes multiple deployed App Control policy from the system + /// + /// The GUIDs which are the policy IDs of the policies to be removed. 
+ /// + internal static void RemovePolicy(List policyIds) + { + + foreach (string policyId in policyIds) + { + + if (string.IsNullOrWhiteSpace(policyId)) + { + continue; + } + + // Remove any curly brackets or double quotes from the policy ID + // They will be added automatically later by the method + string ID = policyId.Trim('"', '"'); + ID = ID.Trim('{', '}'); + + // Combine the path to CiTool.exe using the system's special folder path + string ciToolPath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.System), "CiTool.exe"); + + // Set up the process start info to run CiTool.exe with necessary arguments + ProcessStartInfo processStartInfo = new() + { + FileName = ciToolPath, + Arguments = $"--remove-policy \"{{{ID}}}\" -json", // Arguments to remove an App Control policy + RedirectStandardOutput = true, // Capture the standard output + UseShellExecute = false, // Do not use the OS shell to start the process + CreateNoWindow = true // Run the process without creating a window + }; + + // Start the process and capture the output + using Process? process = Process.Start(processStartInfo) ?? throw new InvalidOperationException("There was a problem running the CiTool.exe in the GetPolicies method."); + + // Read all output as a string + string jsonOutput = process.StandardOutput.ReadToEnd(); + + // Wait for the process to complete + process.WaitForExit(); + + if (process.ExitCode != 0) + { + throw new InvalidOperationException($"Command execution failed with error code {process.ExitCode}. 
Output: {jsonOutput}"); + } + } + } + + + + /// + /// Deploys a Code Integrity policy on the system by accepting the .CIP file path + /// + /// + /// + /// + /// + internal static void UpdatePolicy(string CipPath) + { + if (string.IsNullOrWhiteSpace(CipPath)) + { + throw new ArgumentException("CipPath cannot be null or empty.", nameof(CipPath)); + } + + if (!File.Exists(CipPath)) + { + throw new FileNotFoundException($"The file '{CipPath}' does not exist.", CipPath); + } + + // Combine the path to CiTool.exe using the system's special folder path + string ciToolPath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.System), "CiTool.exe"); + + Logger.LogMessage($"Deploying the following CIP file: {CipPath}", LogTypeIntel.Information); + + // Set up the process start info to run CiTool.exe with necessary arguments + ProcessStartInfo processStartInfo = new() + { + FileName = ciToolPath, + Arguments = $"--update-policy \"{CipPath}\" -json", // Arguments to update the App Control policy + RedirectStandardOutput = true, // Capture the standard output + UseShellExecute = false, // Do not use the OS shell to start the process + CreateNoWindow = true // Run the process without creating a window + }; + + // Start the process and capture the output + using Process? process = Process.Start(processStartInfo) ?? throw new InvalidOperationException("There was a problem running the CiTool.exe in the UpdatePolicy method."); + + // Read all output as a string + string jsonOutput = process.StandardOutput.ReadToEnd(); + + // Wait for the process to complete + process.WaitForExit(); + + if (process.ExitCode != 0) + { + throw new InvalidOperationException($"Command execution failed with error code {process.ExitCode}. 
Output: {jsonOutput}"); + } + } + + + /// + /// Refreshes the currently deployed policies on the system + /// + /// + internal static void RefreshPolicy() + { + // Combine the path to CiTool.exe using the system's special folder path + string ciToolPath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.System), "CiTool.exe"); + + // Set up the process start info to run CiTool.exe with the refresh argument + ProcessStartInfo processStartInfo = new() + { + FileName = ciToolPath, + Arguments = "--refresh -json", // Arguments to refresh App Control policies + RedirectStandardOutput = true, // Capture the standard output + UseShellExecute = false, // Do not use the OS shell to start the process + CreateNoWindow = true // Run the process without creating a window + }; + + // Start the process and capture the output + using Process? process = Process.Start(processStartInfo) ?? throw new InvalidOperationException("There was a problem running the CiTool.exe in the RefreshPolicy method."); + + // Read all output as a string + string jsonOutput = process.StandardOutput.ReadToEnd(); + + // Wait for the process to complete + process.WaitForExit(); + + if (process.ExitCode != 0) + { + throw new InvalidOperationException($"Command execution failed with error code {process.ExitCode}. Output: {jsonOutput}"); } } + } + + + // Extension methods for JsonElement to simplify retrieving properties with default values internal static class JsonElementExtensions { diff --git a/Harden-Windows-Security Module/Main files/C#/Others/PolicyToCIPConverter.cs b/Harden-Windows-Security Module/Main files/C#/Others/PolicyToCIPConverter.cs new file mode 100644 index 000000000..5c3c3da57 --- /dev/null +++ b/Harden-Windows-Security Module/Main files/C#/Others/PolicyToCIPConverter.cs 
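Review bot: `RemovePolicy(List)` duplicates the entire body of the single-ID overload, including the exception text that still names `the GetPolicies method`, so the two copies will drift and an error from either reports the wrong origin. Delegate instead: `foreach (string policyId in policyIds) { if (string.IsNullOrWhiteSpace(policyId)) { continue; } RemovePolicy(policyId); }`, and correct the copied "GetPolicies method" text in the single-ID overload to name RemovePolicy. `UpdatePolicy` quotes `CipPath` into the argument string without rejecting an embedded double quote, so a path containing `"` would produce a malformed command line; normalising with `Path.GetFullPath(CipPath)` and rejecting any remaining `"` keeps the argument well-formed. JsonElementExtensions begins at the end of the hunk and continues outside it.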
@@ -0,0 +1,28 @@
+namespace HardenWindowsSecurity;
+
+internal static class PolicyToCIPConverter
+{
+ ///
+ /// Converts a XML policy file to CIP binary file using the ConvertFrom-CIPolicy cmdlet of the ConfigCI module
+ ///
+ ///
+ ///
+ internal static void Convert(string XmlFilePath, string BinaryFilePath)
+ {
+
+ // Escape the output policy path for PowerShell
+ string escapedXMLFile = $"\\\"{XmlFilePath}\\\"";
+
+ // Escape the output policy path for PowerShell
+ string escapedOutputCIP = $"\\\"{BinaryFilePath}\\\"";
+
+ // Construct the PowerShell script
+ string script = $"ConvertFrom-CIPolicy -XmlFilePath {escapedXMLFile} -BinaryFilePath {escapedOutputCIP}";
+
+ Logger.LogMessage($"PowerShell code that will be executed: {script}", LogTypeIntel.Information);
+
+ // Execute the command
+ ProcessStarter.RunCommand("powershell.exe", $"-NoProfile -Command \"{script}\"");
+ }
+
+}
diff --git a/Harden-Windows-Security Module/Main files/C#/Protect Methods/DangerousScriptHostsBlocking.cs b/Harden-Windows-Security Module/Main files/C#/Protect Methods/DangerousScriptHostsBlocking.cs
index 6becae5f6..5be31aa06 100644
--- a/Harden-Windows-Security Module/Main files/C#/Protect Methods/DangerousScriptHostsBlocking.cs
+++ b/Harden-Windows-Security Module/Main files/C#/Protect Methods/DangerousScriptHostsBlocking.cs
@@ -1,4 +1,5 @@
 using System;
+using System.Collections.Generic;
 using System.IO;
 
 namespace HardenWindowsSecurity;
@@ -6,7 +7,7 @@ namespace HardenWindowsSecurity;
 public static partial class DownloadsDefenseMeasures
 {
 ///
- /// Blocks certain dangerous script hosts using AppControl policy
+ /// Blocks certain dangerous script hosts using App Control policy
 ///
 ///
 public static void DangerousScriptHostsBlocking()
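Review bot: Convert splices XmlFilePath and BinaryFilePath into a PowerShell -Command string between double quotes, so a path containing `$` is variable-expanded and one containing `"` terminates the argument instead of being taken literally; the callers in this commit pass paths built from GlobalVars.WorkingDir and GlobalVars.path, so today this is a robustness gap rather than an injection surface, but the quoting should not depend on the path contents. Building the script as `string script = $"ConvertFrom-CIPolicy -XmlFilePath '{XmlFilePath}' -BinaryFilePath '{BinaryFilePath}'";` after rejecting a path that contains `'` (and checking `File.Exists(XmlFilePath)` up front) keeps PowerShell from interpreting anything inside the path. The two comments above escapedXMLFile and escapedOutputCIP are identical copies; the first should read `// Escape the input XML policy path for PowerShell`. Whether ProcessStarter.RunCommand turns a non-zero exit code into an exception is not visible in this diff; if it does not, a failed conversion is only caught later by CiToolHelper.UpdatePolicy's File.Exists check, which is worth stating in the method's XML doc comment.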
@@ -21,22 +22,31 @@ public static void DangerousScriptHostsBlocking()
 string CIPPath = Path.Combine(GlobalVars.WorkingDir, "Dangerous-Script-Hosts-Blocking.cip");
 string XMLPath = Path.Combine(GlobalVars.path, "Resources", "Dangerous-Script-Hosts-Blocking.xml");
 
- // Use string interpolation without the @ symbol for multiline
- string script = $@"
- $CurrentBasePolicyNames = [System.Collections.Generic.HashSet[System.String]]@(
- ((&""$env:SystemDrive\Windows\System32\CiTool.exe"" -lp -json | ConvertFrom-Json).Policies |
- Where-Object -FilterScript {{ ($_.IsSystemPolicy -ne 'True') -and ($_.PolicyID -eq $_.BasePolicyID) }}).FriendlyName
- )
-
- if (($null -eq $CurrentBasePolicyNames) -or (-NOT ($CurrentBasePolicyNames.Contains('Dangerous-Script-Hosts-Blocking')))) {{
- $null = ConvertFrom-CIPolicy -XmlFilePath '{XMLPath}' -BinaryFilePath '{CIPPath}'
- $null = CiTool.exe --update-policy '{CIPPath}' -json
- }}
- else {{
- Write-Verbose -Message 'The Dangerous-Script-Hosts-Blocking policy is already deployed' -Verbose
- }}
- ";
-
- _ = PowerShellExecutor.ExecuteScript(script);
+ // Run the CiTool and retrieve a list of base policies
+ List policies = CiToolHelper.GetPolicies(SystemPolicies: false, BasePolicies: true, SupplementalPolicies: false);
+
+ bool isFound = false;
+
+ // loop over all policies
+ foreach (CiPolicyInfo item in policies)
+ {
+ // find the policy with the right name
+ if (string.Equals(item.FriendlyName, "Dangerous-Script-Hosts-Blocking", StringComparison.OrdinalIgnoreCase))
+ {
+ isFound = true;
+ break;
+ }
+ }
+
+ // If the Dangerous-Script-Hosts-Blocking is not deployed
+ if (!isFound)
+ {
+ PolicyToCIPConverter.Convert(XMLPath, CIPPath);
+ CiToolHelper.UpdatePolicy(CIPPath);
+ }
+ else
+ {
+ Logger.LogMessage("The Dangerous-Script-Hosts-Blocking policy is already deployed", LogTypeIntel.Information);
+ }
 }
 }
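Review bot: The isFound scan over policies is repeated verbatim in the DownloadsDefenseMeasures.cs hunk of this commit, and the context lines of the UnprotectWindowsSecurity.cs hunks show a third copy of the same name lookup; one helper on CiToolHelper such as `internal static bool IsBasePolicyDeployed(string friendlyName)` would keep the case-insensitive comparison and the base-policy filter in a single place. Inside this file the loop can also be written as `bool isFound = policies.Any(p => string.Equals(p.FriendlyName, "Dangerous-Script-Hosts-Blocking", StringComparison.OrdinalIgnoreCase));` with a `using System.Linq;` added to the header. The generated .cip under GlobalVars.WorkingDir is left in place after UpdatePolicy returns; if that is deliberate (for example so the deployed binary can be inspected), a one-line comment saying so would prevent a future cleanup from removing it by accident.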
diff --git a/Harden-Windows-Security Module/Main files/C#/Protect Methods/DownloadsDefenseMeasures.cs b/Harden-Windows-Security Module/Main files/C#/Protect Methods/DownloadsDefenseMeasures.cs index f87415693..6451e7790 100644 --- a/Harden-Windows-Security Module/Main files/C#/Protect Methods/DownloadsDefenseMeasures.cs +++ b/Harden-Windows-Security Module/Main files/C#/Protect Methods/DownloadsDefenseMeasures.cs 
@@ -1,97 +1,128 @@ +using System; +using System.Collections.Generic; +using System.IO; +using System.Runtime.InteropServices; +using System.Xml; + namespace HardenWindowsSecurity; public static partial class DownloadsDefenseMeasures { + + // GUID for the Downloads folder + private static Guid FolderDownloads = new("374DE290-123F-4565-9164-39C4925E467B"); + + [DllImport("shell32.dll")] + [DefaultDllImportSearchPaths(DllImportSearchPath.System32)] + private static extern int SHGetKnownFolderPath( + ref Guid rfid, uint dwFlags, IntPtr hToken, out IntPtr ppszPath); + + /// /// Prevents executables originating from the Downloads folder from running, using AppControl policy /// public static void Invoke() { + if (GlobalVars.path is null) + { + throw new ArgumentNullException("GlobalVars.path cannot be null."); + } ChangePSConsoleTitle.Set("🎇 Downloads Defense Measures"); Logger.LogMessage("Running the Downloads Defense Measures category", LogTypeIntel.Information); - // PowerShell script with embedded {UserValue} directly in the string using @"" - string script = $@" -$VerbosePreference = 'Continue' -$script:ErrorActionPreference = 'Stop' - -#region Installation And Update - -# a flag indicating the WDACConfig module must be downloaded and installed on the system -[System.Boolean]$ShouldInstallWDACConfigModule = $true - -Write-Verbose -Message 'Getting the latest available version number of the WDACConfig module' -[System.Version]$WDACConfigLatestVersion = Invoke-RestMethod -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/WDACConfig/version.txt' - -Write-Verbose -Message 'Getting the latest available version of the WDACConfig module from the local system, if it exists' -[System.Management.Automation.PSModuleInfo]$WDACConfigModuleLocalStatus = Get-Module -ListAvailable -Name 'WDACConfig' -Verbose:$false | Sort-Object -Property Version -Descending | Select-Object -First 1 - -# If the WDACConfig module is already installed on the system and its 
version is greater than or equal to the latest version available on GitHub repo then don't install it again -if (($null -ne $WDACConfigModuleLocalStatus) -and ($WDACConfigModuleLocalStatus.count -gt 0)) {{ - if ($WDACConfigModuleLocalStatus.Version -ge $WDACConfigLatestVersion) {{ - $ShouldInstallWDACConfigModule = $false - Write-Verbose -Message 'Skipping WDACConfig module installation, it is already installed.' - }} - else {{ - [System.String]$ReasonToInstallWDACConfigModule = ""the installed WDACConfig module version $($WDACConfigModuleLocalStatus.Version) is less than the latest available version $($WDACConfigLatestVersion)"" - Write-Verbose -Message 'Removing the WDACConfig module' - try {{ - $null = Uninstall-Module -Name 'WDACConfig' -Force -Verbose:$false -AllVersions - }} - catch {{}} - }} -}} -else {{ - [System.String]$ReasonToInstallWDACConfigModule = 'it is not installed on the system' -}} - -if ($ShouldInstallWDACConfigModule) {{ - Write-Verbose -Message ""Installing the WDACConfig module because $ReasonToInstallWDACConfigModule"" - Install-Module -Name 'WDACConfig' -Force -Verbose:$false -Scope 'AllUsers' -RequiredVersion $WDACConfigLatestVersion -}} - -#endregion Installation And Update - -Write-Verbose -Message 'Getting the currently deployed base policy names' -$CurrentBasePolicyNames = [System.Collections.Generic.HashSet[System.String]](((&""$env:SystemDrive\Windows\System32\CiTool.exe"" -lp -json | ConvertFrom-Json).Policies | Where-Object -FilterScript {{ ($_.IsSystemPolicy -ne 'True') -and ($_.PolicyID -eq $_.BasePolicyID) }}).FriendlyName) - -# Only deploy the Downloads-Defense-Measures policy if it is not already deployed -if (($null -eq $CurrentBasePolicyNames) -or (-NOT ($CurrentBasePolicyNames.Contains('Downloads-Defense-Measures')))) {{ - - Write-Verbose -Message 'Detecting the Downloads folder path on system' - [System.IO.FileInfo]$DownloadsPathSystem = (New-Object -ComObject Shell.Application).NameSpace('shell:Downloads').Self.path - 
Write-Verbose -Message ""The Downloads folder path on system is $DownloadsPathSystem"" - - # Checking if the Edge preferences file exists - if ([System.IO.File]::Exists(""$env:SystemDrive\Users\{GlobalVars.userName}\AppData\Local\Microsoft\Edge\User Data\Default\Preferences"")) {{ - - Write-Verbose -Message 'Detecting the Downloads path in Edge' - [PSCustomObject]$CurrentUserEdgePreference = ConvertFrom-Json -InputObject (Get-Content -Raw -Path ""$env:SystemDrive\Users\{GlobalVars.userName}\AppData\Local\Microsoft\Edge\User Data\Default\Preferences"") - [System.IO.FileInfo]$DownloadsPathEdge = $CurrentUserEdgePreference.savefile.default_directory - - # Ensure there is an Edge browser profile and it was initialized - if ((-NOT [System.String]::IsNullOrWhitespace($DownloadsPathEdge.FullName))) {{ - - Write-Verbose -Message ""The Downloads path in Edge is $DownloadsPathEdge"" - - # Display a warning for now - if ($DownloadsPathEdge.FullName -ne $DownloadsPathSystem.FullName) {{ - Write-Warning -Message ""The Downloads path in Edge ($($DownloadsPathEdge.FullName)) is different than the system's Downloads path ($($DownloadsPathSystem.FullName))"" - }} - }} - }} - - Write-Verbose -Message 'Creating and deploying the Downloads-Defense-Measures policy' - New-DenyWDACConfig -PathWildCards -PolicyName 'Downloads-Defense-Measures' -FolderPath ""$DownloadsPathSystem\*"" -Deploy -Verbose:$Verbose -EmbeddedVerboseOutput - -}} -else {{ - Write-Verbose -Message 'The Downloads-Defense-Measures policy is already deployed' -}} -"; - - _ = PowerShellExecutor.ExecuteScript(script); + string CIPPath = Path.Combine(GlobalVars.WorkingDir, "Downloads-Defense-Measures.cip"); + string XMLPath = Path.Combine(GlobalVars.path, "Resources", "Downloads-Defense-Measures.xml"); + + // The path to use to save the modified XML policy file and deploy it + string XMLPathToDeploy = Path.Combine(GlobalVars.WorkingDir, "Downloads-Defense-Measures.xml"); + + // Run the CiTool and retrieve a list of base 
policies + List policies = CiToolHelper.GetPolicies(SystemPolicies: false, BasePolicies: true, SupplementalPolicies: false); + + bool isFound = false; + + // loop over all policies + foreach (CiPolicyInfo item in policies) + { + // find the policy with the right name + if (string.Equals(item.FriendlyName, "Downloads-Defense-Measures", StringComparison.OrdinalIgnoreCase)) + { + isFound = true; + break; + } + } + + // If the Downloads-Defense-Measures is not deployed + if (!isFound) + { + + IntPtr pathPtr = IntPtr.Zero; + + string? downloadsPath = null; + + try + { + // Get the System Downloads folder path + int result = SHGetKnownFolderPath(ref FolderDownloads, 0, IntPtr.Zero, out pathPtr); + + if (result is 0) // S_OK + { + downloadsPath = Marshal.PtrToStringUni(pathPtr); + + if (string.IsNullOrWhiteSpace(downloadsPath)) + { + Logger.LogMessage("The downloads folder path was empty, exiting.", LogTypeIntel.Error); + return; + } + + Logger.LogMessage($"Downloads folder path: {downloadsPath}", LogTypeIntel.Information); + } + else + { + Logger.LogMessage("Failed to retrieve Downloads folder path.", LogTypeIntel.Error); + return; + } + } + finally + { + if (pathPtr != IntPtr.Zero) + { + Marshal.FreeCoTaskMem(pathPtr); // Free memory allocated by SHGetKnownFolderPath + } + } + + string pathToUse = downloadsPath + @"\" + '*'; + + XmlDocument doc = new(); + doc.Load(XMLPath); + + XmlNamespaceManager nsmgr = new(doc.NameTable); + nsmgr.AddNamespace("sip", "urn:schemas-microsoft-com:sipolicy"); + + // Find all 'FileRules/Allow' or 'FileRules/Deny' elements + XmlNodeList fileRules = doc.SelectNodes("//sip:FileRules/*[@FilePath]", nsmgr)!; + + foreach (XmlNode node in fileRules) + { + XmlAttribute filePathAttr = node.Attributes!["FilePath"]!; + if (string.Equals(filePathAttr.Value, "To-Be-Detected", StringComparison.OrdinalIgnoreCase)) + { + filePathAttr.Value = pathToUse; + } + } + + // Save the modified XML to the working directory so we don't modify the module's files + 
doc.Save(XMLPathToDeploy); + + PolicyToCIPConverter.Convert(XMLPathToDeploy, CIPPath); + CiToolHelper.UpdatePolicy(CIPPath); + } + else + { + Logger.LogMessage("The Downloads-Defense-Measures policy is already deployed", LogTypeIntel.Information); + } + } } diff --git a/Harden-Windows-Security Module/Main files/C#/Protect Methods/TLSSecurity.cs b/Harden-Windows-Security Module/Main files/C#/Protect Methods/TLSSecurity.cs index 922d6d3f8..ebcd4cc0b 100644 --- a/Harden-Windows-Security Module/Main files/C#/Protect Methods/TLSSecurity.cs +++ b/Harden-Windows-Security Module/Main files/C#/Protect Methods/TLSSecurity.cs @@ -4,7 +4,7 @@ namespace HardenWindowsSecurity; -public static class TLSSecurity +public static partial class TLSSecurity { public static void Invoke() { @@ -55,16 +55,7 @@ public static void Invoke() Logger.LogMessage("Applying the TLS Security Group Policies", LogTypeIntel.Information); - // If BattleNet client is installed, use the policy that has the necessary, albeit insecure, cipher suite (TLS_RSA_WITH_AES_256_CBC_SHA) so that the client will be able to connect to the servers - if (File.Exists(@"C:\Program Files (x86)\Battle.net\Battle.net.exe") || File.Exists(@"C:\Program Files (x86)\Battle.net\Battle.net Launcher.exe")) - { - Logger.LogMessage("BattleNet client detected, will add the necessary cipher suite 'TLS_RSA_WITH_AES_256_CBC_SHA'", LogTypeIntel.Information); + LGPORunner.RunLGPOCommand(Path.Combine(GlobalVars.path, "Resources", "Security-Baselines-X", "TLS Security", "registry.pol"), LGPORunner.FileType.POL); - LGPORunner.RunLGPOCommand(Path.Combine(GlobalVars.path, "Resources", "Security-Baselines-X", "TLS Security", "For BattleNetClient", "registry.pol"), LGPORunner.FileType.POL); - } - else - { - LGPORunner.RunLGPOCommand(Path.Combine(GlobalVars.path, "Resources", "Security-Baselines-X", "TLS Security", "registry.pol"), LGPORunner.FileType.POL); - } } } 
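Review bot: `throw new ArgumentNullException("GlobalVars.path cannot be null.")` at the top of Invoke passes the message as the paramName argument, so the exception reports a parameter named "GlobalVars.path cannot be null." and no real message; since GlobalVars.path is module state rather than a caller argument, `throw new InvalidOperationException("GlobalVars.path cannot be null.");` is the right type (the same line appears in the new TLSSecurity_BattleNetClient.cs). `string pathToUse = downloadsPath + @"\" + '*';` yields a doubled separator when the known-folder path already ends in a backslash; `string pathToUse = Path.Combine(downloadsPath, "*");` handles both forms. The removed PowerShell warned when Edge's configured download directory differed from the shell Downloads folder, while the native version resolves only FOLDERID_Downloads via SHGetKnownFolderPath, so the XML doc comment on Invoke should state that files a browser saves to a custom download location are not covered by this policy. FolderDownloads cannot be `readonly` because it is passed by ref, but copying it to a local first (`Guid rfid = FolderDownloads;` then passing `ref rfid`) would let the field be `static readonly` so nothing can overwrite the GUID before the call.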
diff --git a/Harden-Windows-Security Module/Main files/C#/Protect Methods/TLSSecurity_BattleNetClient.cs b/Harden-Windows-Security Module/Main files/C#/Protect Methods/TLSSecurity_BattleNetClient.cs
new file mode 100644
index 000000000..61a84fc2c
--- /dev/null
+++ b/Harden-Windows-Security Module/Main files/C#/Protect Methods/TLSSecurity_BattleNetClient.cs
@@ -0,0 +1,25 @@
+using System;
+using System.IO;
+
+namespace HardenWindowsSecurity;
+
+public static partial class TLSSecurity
+{
+ ///
+ /// This method only applies (TLS_RSA_WITH_AES_256_CBC_SHA) cipher suite for the BattleNet Client
+ ///
+ ///
+ public static void TLSSecurity_BattleNetClient()
+ {
+
+ if (GlobalVars.path is null)
+ {
+ throw new ArgumentNullException("GlobalVars.path cannot be null.");
+ }
+
+ Logger.LogMessage("Adding (TLS_RSA_WITH_AES_256_CBC_SHA) cipher suite for the BattleNet Client", LogTypeIntel.Information);
+
+ LGPORunner.RunLGPOCommand(Path.Combine(GlobalVars.path, "Resources", "Security-Baselines-X", "TLS Security", "For BattleNetClient", "registry.pol"), LGPORunner.FileType.POL);
+ }
+
+}
diff --git a/Harden-Windows-Security Module/Main files/C#/Types/CiPolicyInfo.cs b/Harden-Windows-Security Module/Main files/C#/Types/CiPolicyInfo.cs
deleted file mode 100644
index 2b0b2dd6f..000000000
--- a/Harden-Windows-Security Module/Main files/C#/Types/CiPolicyInfo.cs
+++ /dev/null
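Review bot: TLSSecurity_BattleNetClient applies `For BattleNetClient\registry.pol` while TLSSecurity.Invoke now unconditionally applies `TLS Security\registry.pol`; if both .pol files write the same cipher-suite-order policy value, the one applied last wins, so the sub-category only takes effect when it runs after Invoke. The dispatch order between the two is not visible in this diff and should be confirmed, then recorded on the method, e.g. `/// Must run after TLSSecurity.Invoke; the baseline policy file sets the same cipher suite order and would otherwise overwrite this one.` The doc comment should also say plainly that TLS_RSA_WITH_AES_256_CBC_SHA is a non-forward-secret CBC suite kept only for BattleNet compatibility, so a reader of the method understands the trade-off the user opted into. The ArgumentNullException on GlobalVars.path has the same paramName-as-message problem as in DownloadsDefenseMeasures.Invoke; `throw new InvalidOperationException("GlobalVars.path cannot be null.");` fits the fact that this is module state.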
@@ -1,22 +0,0 @@
-using System;
-using System.Collections.Generic;
-
-namespace HardenWindowsSecurity;
-
-///
-/// Class to represent a policy with various attributes
-///
-public sealed class CiPolicyInfo
-{
- public string? PolicyID { get; set; } // Unique identifier for the policy
- public string? BasePolicyID { get; set; } // Identifier for the base policy
- public string? FriendlyName { get; set; } // Human-readable name of the policy
- public Version? Version { get; set; } // Version object representing the policy version
- public string? VersionString { get; set; } // Original version string from the policy data
- public bool IsSystemPolicy { get; set; } // Indicates if it's a system policy
- public bool IsSignedPolicy { get; set; } // Indicates if the policy is signed
- public bool IsOnDisk { get; set; } // Indicates if the policy is present on disk
- public bool IsEnforced { get; set; } // Indicates if the policy is enforced
- public bool IsAuthorized { get; set; } // Indicates if the policy is authorized
- internal List? PolicyOptions { get; set; }// List of options or settings related to the policy
-}
diff --git a/Harden-Windows-Security Module/Main files/C#/Unprotect Methods/UnprotectWindowsSecurity.cs b/Harden-Windows-Security Module/Main files/C#/Unprotect Methods/UnprotectWindowsSecurity.cs
index ed131e54c..f45f28b15 100644
--- a/Harden-Windows-Security Module/Main files/C#/Unprotect Methods/UnprotectWindowsSecurity.cs
+++ b/Harden-Windows-Security Module/Main files/C#/Unprotect Methods/UnprotectWindowsSecurity.cs
@@ -233,7 +233,7 @@ public static void RemoveExploitMitigations() public static void RemoveAppControlPolicies(bool DownloadsDefenseMeasures, bool DangerousScriptHostsBlocking) { // Run the CiTool and retrieve a list of base policies - List policies = CiToolRunner.RunCiTool(CiToolRunner.Options, SystemPolicies: false, BasePolicies: true, SupplementalPolicies: false); + List policies = CiToolHelper.GetPolicies(SystemPolicies: false, BasePolicies: true, SupplementalPolicies: false); if (DownloadsDefenseMeasures) { @@ -247,7 +247,7 @@ public static void RemoveAppControlPolicies(bool DownloadsDefenseMeasures, bool Logger.LogMessage("Removing the Downloads-Defense-Measures AppControl policy", LogTypeIntel.Information); // remove the policy - CiToolRunner.RemovePolicy(item.PolicyID!); + CiToolHelper.RemovePolicy(item.PolicyID!); } } } @@ -263,7 +263,7 @@ public static void RemoveAppControlPolicies(bool DownloadsDefenseMeasures, bool Logger.LogMessage("Removing the Dangerous-Script-Hosts-Blocking AppControl policy", LogTypeIntel.Information); // remove the policy - CiToolRunner.RemovePolicy(item.PolicyID!); + CiToolHelper.RemovePolicy(item.PolicyID!); } } } diff --git a/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psd1 b/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psd1 index c7f4da7bf..c2312966c 100644 --- a/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psd1 +++ b/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psd1 @@ -2,7 +2,7 @@ # https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_module_manifests RootModule = 'Harden-Windows-Security-Module.psm1' - ModuleVersion = '0.7.0' + ModuleVersion = '0.7.1' CompatiblePSEditions = @('Core') GUID = 'afae7a0a-5eff-4a4d-9139-e1702b7ac426' Author = 'Violet Hansen' 
diff --git a/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psm1 b/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psm1 index 35a793d19..dba9c6885 100644 --- a/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psm1 +++ b/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psm1 @@ -94,7 +94,7 @@ $ToastNotificationDLLs.Add([System.IO.Path]::Combine($PSScriptRoot, 'DLLs', 'Toa # Load all of the C# codes # for some reason it tries to use another version of the WindowsBase.dll unless i define its path explicitly like this # https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/ -Add-Type -Path ([System.IO.Directory]::GetFiles("$PSScriptRoot\C#", '*.*', [System.IO.SearchOption]::AllDirectories)) -ReferencedAssemblies @((Get-Content -Path "$PSScriptRoot\.NETAssembliesToLoad.txt") + "$($PSHOME)\WindowsBase.dll" + $ToastNotificationDLLs) -CompilerOptions '/langversion:preview', '/nowarn:1701', '/nullable:enable', '/checked' , '/optimize+' +Add-Type -Path ([System.IO.Directory]::GetFiles("$PSScriptRoot\C#", '*.*', [System.IO.SearchOption]::AllDirectories)) -ReferencedAssemblies @((Get-Content -Path "$PSScriptRoot\.NETAssembliesToLoad.txt") + "$($PSHOME)\WindowsBase.dll" + $ToastNotificationDLLs) -CompilerOptions '/langversion:preview', '/nowarn:1701', '/nullable:enable', '/checked' try { # when we use the -ReferencedAssemblies parameter of Add-Type, The DLLs are only added and made available to the C# compilation, not the PowerShell host itself diff --git a/Harden-Windows-Security Module/Main files/Resources/Dangerous-Script-Hosts-Blocking.xml b/Harden-Windows-Security Module/Main files/Resources/Dangerous-Script-Hosts-Blocking.xml index ef4f22e4f..789f86dd9 100644 --- a/Harden-Windows-Security Module/Main files/Resources/Dangerous-Script-Hosts-Blocking.xml +++ b/Harden-Windows-Security Module/Main files/Resources/Dangerous-Script-Hosts-Blocking.xml 
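Review bot: The `/optimize+` compiler option is dropped from the Add-Type call without the commit description saying why, and nothing else in the line changes. If the intent is faster in-process compilation or more faithful stack traces from the C# code, a short comment on the preceding lines such as `# /optimize+ intentionally omitted: <reason>` would stop a later change from reintroducing it; if it was removed accidentally, it should be restored.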
@@ -31,9 +31,7 @@ - - @@ -41,7 +39,6 @@ - @@ -51,16 +48,15 @@ - - + - + @@ -79,16 +75,6 @@ {9F0581B7-7E1D-4FDD-8D33-6DBE847D3130} {9F0581B7-7E1D-4FDD-8D33-6DBE847D3130} - - - true - - - - - 022422 - - Dangerous-Script-Hosts-Blocking diff --git a/Harden-Windows-Security Module/Main files/Resources/Downloads-Defense-Measures.xml b/Harden-Windows-Security Module/Main files/Resources/Downloads-Defense-Measures.xml new file mode 100644 index 000000000..b98c0343a --- /dev/null +++ b/Harden-Windows-Security Module/Main files/Resources/Downloads-Defense-Measures.xml @@ -0,0 +1,70 @@ + + + 1.0.0.0 + {2E07F7E4-194C-4D20-B7C9-6F44A6C5A234} + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 2 + {98FC8E9B-A6B1-431C-B2BE-EB23A86B5DE5} + {98FC8E9B-A6B1-431C-B2BE-EB23A86B5DE5} + + + + Downloads-Defense-Measures + + + + \ No newline at end of file diff --git a/Harden-Windows-Security Module/Main files/Resources/MDMResultClasses.csv b/Harden-Windows-Security Module/Main files/Resources/MDMResultClasses.csv index 38e296ec3..e10dd797b 100644 --- a/Harden-Windows-Security Module/Main files/Resources/MDMResultClasses.csv +++ b/Harden-Windows-Security Module/Main files/Resources/MDMResultClasses.csv 
@@ -1,128 +1,128 @@ NameSpace,Class,Authorized,Comment -root\cimv2\mdm\dmmap,MDM_Policy_Result01_AboveLock02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_Accounts02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_ActiveXControls02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_ApplicationDefaults02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_ApplicationManagement02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_AppRuntime02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_AppVirtualization02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_Audit02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_Authentication02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_Autoplay02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_Bitlocker02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_BITS02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_Bluetooth02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_Browser02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_Camera02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_Cellular02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_Connectivity02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_ControlPolicyConflict02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_CredentialProviders02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_CredentialsDelegation02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_CredentialsUI02,TRUE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_AboveLock02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_Accounts02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_ActiveXControls02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_ApplicationDefaults02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_ApplicationManagement02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_AppRuntime02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_AppVirtualization02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_Audit02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_Authentication02,FALSE, 
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Autoplay02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_Bitlocker02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_BITS02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_Bluetooth02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_Browser02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_Camera02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_Cellular02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_Connectivity02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_ControlPolicyConflict02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_CredentialProviders02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_CredentialsDelegation02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_CredentialsUI02,FALSE, root\cimv2\mdm\dmmap,MDM_Policy_Result01_Cryptography02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_DataProtection02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_DataUsage02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_Defender02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_DeliveryOptimization02,TRUE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_DataProtection02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_DataUsage02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_Defender02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_DeliveryOptimization02,FALSE, root\cimv2\mdm\dmmap,MDM_Policy_Result01_DeviceGuard02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_DeviceHealthMonitoring02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_DeviceInstallation02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_DeviceLock02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_Display02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_DisplayEnhancement02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_DmaGuard02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_Eap02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_ErrorReporting02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_EventLogService02,TRUE, 
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Experience02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_ExploitGuard02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_Feeds02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_FileExplorer02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_Games02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_Handwriting02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_HumanPresence02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_InternetExplorer02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_Kerberos02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_KioskBrowser02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_LanmanWorkstation02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_Licensing02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_LocalPoliciesSecurityOptions02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_LocalUsersAndGroups02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_LockDown02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_Maps02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_MemoryDump02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_Messaging02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_MixedReality02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_MSSecurityGuide02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_MSSLegacy02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_NetworkIsolation02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_NetworkListManager02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_NewsAndInterests02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_Notifications02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_Power02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_Printers02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_Privacy02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_RemoteAssistance02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_RemoteDesktop02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_RemoteDesktopServices02,TRUE, 
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_RemoteManagement02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_RemoteProcedureCall02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_RemoteShell02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_RestrictedGroups02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_Search02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_Security02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_ServiceControlManager02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_Settings02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_SmartScreen02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_Speech02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_Start02,TRUE, -root\cimv2\mdm\dmmap,MDM_Policy_Result01_Storage02,TRUE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_DeviceHealthMonitoring02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_DeviceInstallation02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_DeviceLock02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_Display02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_DisplayEnhancement02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_DmaGuard02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_Eap02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_ErrorReporting02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_EventLogService02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_Experience02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_ExploitGuard02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_Feeds02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_FileExplorer02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_Games02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_Handwriting02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_HumanPresence02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_InternetExplorer02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_Kerberos02,FALSE, +root\cimv2\mdm\dmmap,MDM_Policy_Result01_KioskBrowser02,FALSE, 
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_LanmanWorkstation02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Licensing02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_LocalPoliciesSecurityOptions02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_LocalUsersAndGroups02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_LockDown02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Maps02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_MemoryDump02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Messaging02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_MixedReality02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_MSSecurityGuide02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_MSSLegacy02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_NetworkIsolation02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_NetworkListManager02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_NewsAndInterests02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Notifications02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Power02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Printers02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Privacy02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_RemoteAssistance02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_RemoteDesktop02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_RemoteDesktopServices02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_RemoteManagement02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_RemoteProcedureCall02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_RemoteShell02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_RestrictedGroups02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Search02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Security02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_ServiceControlManager02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Settings02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_SmartScreen02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Speech02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Start02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Storage02,FALSE,
 root\cimv2\mdm\dmmap,MDM_Policy_Result01_System02,FALSE,This class only outputs accurate info when queried with SYSTEM privileges
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_TaskManager02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_TaskScheduler02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_TenantRestrictions02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_TextInput02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Theme02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_TimeLanguageSettings02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Troubleshooting02,TRUE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_TaskManager02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_TaskScheduler02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_TenantRestrictions02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_TextInput02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Theme02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_TimeLanguageSettings02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Troubleshooting02,FALSE,
 root\cimv2\mdm\dmmap,MDM_Policy_Result01_Update02,FALSE,This class only outputs accurate info when queried with SYSTEM privileges
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_UserModel02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_UserRights02,TRUE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_UserModel02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_UserRights02,FALSE,
 root\cimv2\mdm\dmmap,MDM_Policy_Result01_VirtualizationBasedTechnology02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_Wifi02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_WindowsAutopilot02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_WindowsConnectionManager02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_WindowsDefenderSecurityCenter02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_WindowsInkWorkspace02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_WindowsLogon02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_WindowsPowerShell02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_WindowsSandbox02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_Result01_WirelessDisplay02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_ApplicationManagement02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_AttachmentManager02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Authentication02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Browser02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_CredentialsUI02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Desktop02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Display02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Education02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_EnterpriseCloudPrint02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Experience02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_FileExplorer02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_InternetExplorer02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Multitasking02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Notifications02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Printers02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Privacy02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_RemoteDesktop02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Security02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Settings02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Start02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Storage02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_System02,TRUE,
-root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_TimeLanguageSettings02,TRUE,
-ROOT\Microsoft\Windows\DeviceGuard,Win32_DeviceGuard,TRUE,
-ROOT\Microsoft\SecurityClient,Win32_ProviderEx,TRUE,
-ROOT\Microsoft\SecurityClient,ProtectionTechnologyStatus,TRUE,
-ROOT\Microsoft\HomeNet,HNet_FwIcmpSettings,TRUE,
\ No newline at end of file
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_Wifi02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_WindowsAutopilot02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_WindowsConnectionManager02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_WindowsDefenderSecurityCenter02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_WindowsInkWorkspace02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_WindowsLogon02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_WindowsPowerShell02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_WindowsSandbox02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_Result01_WirelessDisplay02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_ApplicationManagement02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_AttachmentManager02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Authentication02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Browser02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_CredentialsUI02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Desktop02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Display02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Education02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_EnterpriseCloudPrint02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Experience02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_FileExplorer02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_InternetExplorer02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Multitasking02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Notifications02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Printers02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Privacy02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_RemoteDesktop02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Security02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Settings02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Start02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_Storage02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_System02,FALSE,
+root\cimv2\mdm\dmmap,MDM_Policy_User_Result01_TimeLanguageSettings02,FALSE,
+ROOT\Microsoft\Windows\DeviceGuard,Win32_DeviceGuard,FALSE,
+ROOT\Microsoft\SecurityClient,Win32_ProviderEx,FALSE,
+ROOT\Microsoft\SecurityClient,ProtectionTechnologyStatus,FALSE,
+ROOT\Microsoft\HomeNet,HNet_FwIcmpSettings,FALSE,
\ No newline at end of file
diff --git a/Harden-Windows-Security Module/Main files/Resources/Registry resources.csv b/Harden-Windows-Security Module/Main files/Resources/Registry resources.csv
index fb3ec3e6c..9a45dffa9 100644
--- a/Harden-Windows-Security Module/Main files/Resources/Registry resources.csv
+++ b/Harden-Windows-Security Module/Main files/Resources/Registry resources.csv
@@ -1,165 +1,165 @@
-Origin,Category,Hive,Key,Name,FriendlyName,Type,Value,ValueIsList,CSPLink
-GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WTDS\Components,ServiceEnabled,Enhanced Phishing Protection,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-webthreatdefense#serviceenabled
-GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WTDS\Components,NotifyUnsafeApp,Enhanced Phishing Protection: Notify Unsafe App,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-webthreatdefense#notifyunsafeapp
-GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WTDS\Components,NotifyPasswordReuse,Enhanced Phishing Protection: Notify Password Reuse,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-webthreatdefense#notifypasswordreuse
-GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WTDS\Components,NotifyMalicious,Enhanced Phishing Protection: Notify Malicious,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-webthreatdefense#notifymalicious
-GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WTDS\Components,CaptureThreatWindow,Enhanced Phishing Protection: Capture Threat Window,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-webthreatdefense#automaticdatacollection
-GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Quarantine,PurgeItemsAfterDelay,Purge Items After Delay,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#quarantine_purgeitemsafterdelay
-GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Real-Time Protection,IOAVMaxSize,Maximum size of downloaded
files and attachments to be scanned,DWORD,10000000,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#realtimeprotection_ioavmaxsize -GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Scan,DisableScanningMappedNetworkDrivesForFullScan,Scanning Mapped Network Drives For Full Scan,DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#allowfullscanonmappednetworkdrives -GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Scan,DisableScanningNetworkFiles,Scanning Network Files,DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#allowscanningnetworkfiles -GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Scan,DisableRemovableDriveScanning,Removable Drive Scanning,DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#allowfullscanremovabledrivescanning -GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Scan,DisableReparsePointScanning,Reparse Point Scanning,DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#scan_disablereparsepointscanning -GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Scan,ArchiveMaxDepth,Maximum depth to scan archive files,DWORD,"4294967295,2147483647",true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#scan_archivemaxdepth -GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Signature Updates,UpdateOnStartUp,Check for the latest virus and spyware security intelligence on 
startup,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#signatureupdate_updateonstartup -GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Signature Updates,AVSignatureDue,Define the number of days before virus security intelligence is considered out of date,DWORD,2,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#signatureupdate_avsignaturedue -GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Signature Updates,ASSignatureDue,Define the number of days before spyware security intelligence is considered out of date,DWORD,2,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#signatureupdate_assignaturedue -GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Spynet,DisableBlockAtFirstSeen,Block At First Sight,DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#disableblockatfirstseen -GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,Optional Diagnostic Data Required for Smart App Control etc.,DWORD,3,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#allowtelemetry -GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\DataCollection,DisableTelemetryOptInSettingsUx,Configure diagnostic data opt-in settings user interface,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#configuretelemetryoptinsettingsux -GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction,5,Severe Threat level default action = 
Remove,String,3,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#threatseveritydefaultaction -GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction,4,High Threat level default action = Remove,String,3,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#threatseveritydefaultaction -GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction,2,Moderate Threat level default action = Quarantine,String,2,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#threatseveritydefaultaction -GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction,1,Low Threat level default action = Quarantine,String,2,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#threatseveritydefaultaction -GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,DisallowStandardUserPINReset,Disallow Standard User PIN Reset,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesdisallowstandarduserscanchangepin -GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,UseAdvancedStartup,Require additional authentication at startup,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesrequirestartupauthentication -GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,EnableBDEWithNoTPM,Don't allow Bitlocker without TPM,DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesrequirestartupauthentication -GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,UseTPM,Don't Allow using TPM 
alone,DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesrequirestartupauthentication -GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,UseTPMPIN,Allow using TPM + PIN,DWORD,2,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesrequirestartupauthentication -GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,UseTPMKey,Allow using TPM + key,DWORD,2,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesrequirestartupauthentication -GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,UseTPMKeyPIN,Allow using TPM + Startup Key + PIN,DWORD,2,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesrequirestartupauthentication -GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,EncryptionMethodWithXtsOs,Correct Encryption method for OS drive,DWORD,7,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#encryptionmethodbydrivetype -GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,EncryptionMethodWithXtsFdv,Correct Encryption method for fixed data drives,DWORD,7,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#encryptionmethodbydrivetype -GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,EncryptionMethodWithXtsRdv,Correct Encryption method for removable drives,DWORD,7,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#encryptionmethodbydrivetype -GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,UseEnhancedPin,Use Enhanced PIN,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesenhancedpin 
-GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,OSEncryptionType,Full disk encryption for OS drive,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesencryptiontype -GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,RDVEncryptionType,Full disk encryption for removable drives,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#removabledrivesencryptiontype -GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,RDVDiscoveryVolumeType,Prevent access to BitLocker-protected removable data drives from earlier versions of Windows,String,,false, -GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,RDVNoBitLockerToGoReader,Do not install BitLocker To Go Reader on FAT formatted removable drives,DWORD,0,false, -GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,MinimumPIN,Configure minimum PIN length for startup,DWORD,10,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesminimumpinlength -GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,ACSettingIndex,Disallow standby states (S1-S3) when sleeping (plugged in),DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-power#allowstandbywhensleepingpluggedin -GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,DCSettingIndex,Disallow standby states (S1-S3) when sleeping (on battery),DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-power#allowstandbystateswhensleepingonbattery -GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\Explorer,ShowHibernateOption,Show Hibernate 
Option,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-windowsexplorer#showhibernateoption -GroupPolicy,TLSSecurity,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002,Functions,Configure the correct TLS Cipher Suites,String,"TLS_CHACHA20_POLY1305_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#tlsciphersuites -RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client,DisabledByDefault,Disable TLS 1.0 client - Disabled By Default,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionclient -RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client,Enabled,Disable TLS 1.0 client - Enabled,DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionclient -RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server,DisabledByDefault,Disable TLS 1.0 server - Disabled By Default,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionserver -RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server,Enabled,Disable TLS 1.0 server - 
Enabled,DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionserver -RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client,DisabledByDefault,Disable TLS 1.1 client - Disabled By Default,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionclient -RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client,Enabled,Disable TLS 1.1 client - Enabled,DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionclient -RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server,DisabledByDefault,Disable TLS 1.1 server - Disabled By Default,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionserver -RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server,Enabled,Disable TLS 1.1 server - Enabled,DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionserver -RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL\,Enabled,Disable NULL Cipher Suite,DWORD,0,false, -RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56,Enabled,Disable 56/56 Cipher Suite,DWORD,0,false, -RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128,Enabled,Disable 40/128 Cipher Suite,DWORD,0,false, 
-RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128,Enabled,Disable RC2 56/128 Cipher Suite,DWORD,0,false, -RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128,Enabled,Disable RC2 128/128 Cipher Suite,DWORD,0,false, -RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128,Enabled,Disable RC4 40/128 Cipher Suite,DWORD,0,false, -RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128,Enabled,Disable RC4 56/128 Cipher Suite,DWORD,0,false, -RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128,Enabled,Disable RC4 64/128 Cipher Suite,DWORD,0,false, -RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128,Enabled,Disable RC4 128/128 Cipher Suite,DWORD,0,false, -RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168,Enabled,Disable Triple DES 168 Cipher Suite,DWORD,0,false, -RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5,Enabled,Disable MD5 Hashing Algorithm,DWORD,0,false, -GroupPolicy,LockScreen,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\PassportForWork\PINComplexity,Digits,Require digits in Windows Hello PIN,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexitydigits -GroupPolicy,LockScreen,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\PassportForWork\PINComplexity,LowercaseLetters,Require lower case letters in Windows Hello 
PIN,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexitylowercaseletters -GroupPolicy,LockScreen,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\PassportForWork\PINComplexity,Expiration,Set Expiration for Windows Hello PIN,DWORD,180,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexityexpiration -GroupPolicy,LockScreen,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\PassportForWork\PINComplexity,History,Save history of Windows Hello PIN,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexityhistory -GroupPolicy,LockScreen,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\System,DontDisplayNetworkSelectionUI,Don't Display Network Selection UI on lock screen,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowslogon#dontdisplaynetworkselectionui -GroupPolicy,UserAccountControl,HKEY_LOCAL_MACHINE,Software\Microsoft\Windows\CurrentVersion\Policies\System,HideFastUserSwitching,Hide Fast User Switching entry points,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowslogon#hidefastuserswitching -GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,Enable Virtualization Based Security,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard?WT.mc_id=Portal-fx#enablevirtualizationbasedsecurity -GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,Require Platform Security Features,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard?WT.mc_id=Portal-fx#requireplatformsecurityfeatures 
-GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,Hypervisor Enforced Code Integrity - UEFI Lock,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-VirtualizationBasedTechnology?WT.mc_id=Portal-fx#hypervisorenforcedcodeintegrity -GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HVCIMATRequired,Require HVCI MAT (Memory Attribute Table),DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-VirtualizationBasedTechnology?WT.mc_id=Portal-fx#requireuefimemoryattributestable -GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,Credential Guard Configuration - UEFI Lock,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard?WT.mc_id=Portal-fx#lsacfgflags -GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,ConfigureSystemGuardLaunch,System Guard Launch,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard?WT.mc_id=Portal-fx#configuresystemguardlaunch -GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,ConfigureKernelShadowStacksLaunch,Configure Kernel Shadow Stacks Launch,DWORD,1,false, -GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\Lsa,RunAsPPL,Enable Local Security Authority (LSA) process Protection with UEFI Lock,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-lsa#configurelsaprotectedprocess -GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,MachineIdentityIsolation,Configure Machine Identity Isolation Configuration,DWORD,2,false, -RegistryKeys,DeviceGuard,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\DeviceGuard,Mandatory,Enable VBS and Memory 
Integrity in Mandatory Mode,DWORD,1,false,https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity?tabs=reg -GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,EnableFirewall,Enable Windows Firewall for Domain profile,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofileenablefirewall -GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultOutboundAction,Set Default Outbound Action for Domain profile,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofiledefaultoutboundaction -GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultInboundAction,Set Default Inbound Action for Domain profile,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofiledefaultinboundaction -GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DoNotAllowExceptions,Block all Domain profile connections,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofileshielded -GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogFilePath,Configure Log file path for domain profile,String,%systemroot%\system32\logfiles\firewall\domainfirewall.log,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofilelogfilepath -GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogFileSize,Configure Log file size for domain 
profile,DWORD,32767,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofilelogmaxfilesize -GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogDroppedPackets,Log blocked connections for domain profile,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofileenablelogdroppedpackets -GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogSuccessfulConnections,Log successful connections for domain profile,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofileenablelogsuccessconnections -GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,EnableFirewall,Enable Windows Firewall for Private profile,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoreprivateprofileenablefirewall -GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DisableNotifications,Display notifications for Private profile,DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoreprivateprofiledisableinboundnotifications -GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogFileSize,Configure Log file size for Private profile,DWORD,32767,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoreprivateprofilelogmaxfilesize -GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogDroppedPackets,Log blocked connections for Private profile,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoreprivateprofileenablelogdroppedpackets 
-GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogFilePath,Configure Log file path for Private profile,String,%systemroot%\system32\logfiles\firewall\privatefirewall.log,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoreprivateprofilelogfilepath -GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,EnableFirewall,Enable Windows Firewall for Public profile,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstorepublicprofileenablefirewall -GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DisableNotifications,Display notifications for Public profile,DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstorepublicprofiledisableinboundnotifications -GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogFileSize,Configure Log file size for Public profile,DWORD,32767,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstorepublicprofilelogmaxfilesize -GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogDroppedPackets,Log blocked connections for Public profile,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstorepublicprofileenablelogdroppedpackets -GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogFilePath,Configure Log file path for Public profile,String,%systemroot%\system32\logfiles\firewall\publicfirewall.log,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstorepublicprofilelogfilepath 
-GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows NT\DNSClient,EnableNetbios,Disable Netbios,DWORD,0,false, -GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows NT\DNSClient,DisableSmartNameResolution,Disable Smart Name Resolution,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-dnsclient#dns_smartmultihomednameresolution -GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows NT\DNSClient,EnableMulticast,Disable Multicast,DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-dnsclient#turn_off_multicast -GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows NT\Printers,DisableHTTPPrinting,Disable HTTP Printing,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-connectivity?WT.mc_id=Portal-fx#diableprintingoverhttp -GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows NT\Printers,DisableWebPnPDownload,Disable Web PnP Download,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-icm#disablewebpnpdownload_1 -RegistryKeys,WindowsNetworking,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Services\NetBT\Parameters,EnableLMHOSTS,Disable LMHOSTS lookup protocol on all network adapters,DWORD,0,false, -GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanServer,EnableSMBQUIC,Enable SMB Server Over QUIC,DWORD,1,false, -GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanWorkstation,EnableSMBQUIC,Enable SMB Client Over QUIC,DWORD,1,false, -GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanServer,CipherSuiteOrder,SMB Server Cipher Suite 
Order,MULTI_STRING,"AES_256_GCM,AES_256_CCM,AES_128_GCM,AES_128_CCM",false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-lanmanserver#pol_ciphersuiteorder -GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanWorkstation,CipherSuiteOrder,SMB Client Cipher Suite Order,MULTI_STRING,"AES_256_GCM,AES_256_CCM,AES_128_GCM,AES_128_CCM",false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-lanmanworkstation#pol_ciphersuiteorder -GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanServer,MinSmb2Dialect,Sets the minimum SMB server version,DWORD,785,false, -GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanWorkstation,MinSmb2Dialect,Sets the minimum SMB client version,DWORD,785,false, -GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanWorkstation,BlockNTLM,Blocks NTLM for SMB,DWORD,1,false, -GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanWorkstation,RequireEncryption,Requires encryption for SMB client,DWORD,1,false, -RegistryKeys,WindowsNetworking,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,EncryptData,Enable SMB Server Encryption,DWORD,1,false, -GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,Include command line in process creation events,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-auditsettings#includecmdline -GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LocationAndSensors,DisableLocation,Disable Location,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-System?WT.mc_id=Portal-fx#allowlocation 
-GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LocationAndSensors,DisableLocationScripting,Disable Location Scripting,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-sensors#disablelocationscripting_2 -GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LocationAndSensors,DisableWindowsLocationProvider,Disable Windows Location Provider,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-locationprovideradm#disablewindowslocationprovider_1 -GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows NT\Rpc,EnableAuthEpResolution,Enable RPC Endpoint Mapper Client Authentication,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-remoteprocedurecall#rpcendpointmapperclientauthentication -GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,System\CurrentControlSet\Control\SCMConfig,EnableSvchostMitigationPolicy,Enable Svchost Mitigation,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-servicecontrolmanager#svchostprocessmitigation -GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,System\CurrentControlSet\Policies\EarlyLaunch,DriverLoadPolicy,Boot-Start Driver Initialization Policy set to Good only,DWORD,8,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#bootstartdriverinitialization -RegistryKeys,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows Search,EnableFindMyFiles,Enable enhanced search in Window,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#allowfindmyfiles -RegistryKeys,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062},allowautoupdatesmetered,Set 
Microsoft Edge (Stable) to update over Metered connections,DWORD,1,false, -RegistryKeys,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{2CD8A007-E189-409D-A2C8-9AF4EF3C72AA},allowautoupdatesmetered,Set Microsoft Edge (Beta) to update over Metered connections,DWORD,1,false, -RegistryKeys,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{0D50BFEC-CD6A-4F9A-964C-C7416E3ACB10},allowautoupdatesmetered,Set Microsoft Edge (Dev) to update over Metered connections,DWORD,1,false, -RegistryKeys,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Microsoft\Cryptography\Wintrust\Config,EnableCertPaddingCheck,WinVerifyTrust Signature Validation part 1,String,1,false, -RegistryKeys,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config,EnableCertPaddingCheck,WinVerifyTrust Signature Validation part 2,String,1,false, -GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,EnableCbacAndArmor,Request claims and compound authentication for DAC and Kerberos armoring,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-kerberos#kerberosclientsupportsclaimscompoundarmor -GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows NT\Printers\WPP,WindowsProtectedPrintGroupPolicyState,Enable Windows Protected Print,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-printers#configurewindowsprotectedprint -GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\FileSystem,LongPathsEnabled,Enable support for long paths,DWORD,1,false,https://learn.microsoft.com/en-us/windows/win32/fileio/maximum-file-path-limitation 
-GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate,AllowAutoWindowsUpdateDownloadOverMeteredNetwork,Allow updates to be downloaded automatically over metered connections,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#allowautowindowsupdatedownloadovermeterednetwork -GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate,AllowTemporaryEnterpriseFeatureControl,Enable features introduced via servicing that are off by default,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#allowtemporaryenterprisefeaturecontrol -GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate,ConfigureDeadlineNoAutoRebootForFeatureUpdates,Specify the number of days before feature updates are installed on devices automatically,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#configuredeadlinenoautorebootforfeatureupdates -GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate,ConfigureDeadlineNoAutoRebootForQualityUpdates,Specify the number of days before quality updates are installed on devices automatically,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#configuredeadlinenoautorebootforqualityupdates -GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate,ConfigureDeadlineForQualityUpdates,Number of days before quality updates are installed on devices automatically,DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#configuredeadlineforqualityupdates -GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate,ConfigureDeadlineGracePeriod,Number 
of grace period days before quality updates are installed on devices automatically,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiod -GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate,ConfigureDeadlineForFeatureUpdates,Number of days before feature updates are installed on devices automatically,DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#configuredeadlineforfeatureupdates -GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate,ConfigureDeadlineGracePeriodForFeatureUpdates,Number of grace period days before feature updates are installed on devices automatically,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiodforfeatureupdates -GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate\AU,NoAutoUpdate,Set the computer to receive security updates and other important downloads through Windows update,DWORD,0,false, -GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate\AU,AUOptions,Automatically download updates and install them on maintenance day,DWORD,4,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#allowautoupdate -GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate\AU,AutomaticMaintenanceEnabled,Install updates during automatic maintenance,DWORD,1,false, -GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate\AU,ScheduledInstallDay,Set scheduled install day to every day,DWORD,0,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#scheduledinstallday 
-GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate\AU,ScheduledInstallTime,Set scheduled install time to any time,DWORD,24,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#scheduledinstalltime -GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate\AU,AllowMUUpdateService,Install updates for other Microsoft products,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-Update?WT.mc_id=Portal-fx#allowmuupdateservice -RegistryKeys,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\WindowsUpdate\UX\Settings,RestartNotificationsAllowed2,Enable restart notification for Windows update,DWORD,1,false, -RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge\Recommended,BlockThirdPartyCookies,Block 3rd party cookies,DWORD,1,false,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm -RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge,DnsOverHttpsMode,Set Dns Over Https Mode to use system DoH settings,String,automatic,false,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm -RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge,AutomaticHttpsDefault,Automatically upgrade HTTP connections to HTTPS,DWORD,2,false,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm -RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge,EncryptedClientHelloEnabled,Enable Encrypted Client Hello,DWORD,1,false,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm -RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge,BasicAuthOverHttpEnabled,Block Basic authentication for 
HTTP,DWORD,0,false,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm -RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge,ExperimentationAndConfigurationServiceControl,Allow Edge to receive new features even after using policies,DWORD,2,false,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm -RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge,AudioSandboxEnabled,Enforces the audio process to run sandboxed,DWORD,1,false,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm -RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge\Recommended,DefaultShareAdditionalOSRegionSetting,Recommends that the share additional operating system region setting to be set to never,DWORD,2,false,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm -RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,1,Disable TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - (CBC - SHA1),String,0xc013,false,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm -RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,2,Disable TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - (CBC - SHA1),String,0xc014,false,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm -RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,3,Disable TLS_RSA_WITH_AES_256_CBC_SHA - (NO PFS - CBC - SHA1),String,0x0035,false,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm -RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,4,Disable TLS_RSA_WITH_AES_128_CBC_SHA - (NO PFS - CBC - SHA1),String,0x002f,false,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm 
-RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,5,Disable TLS_RSA_WITH_AES_128_GCM_SHA256 - (NO PFS),String,0x009c,false,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm -RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,6,Disable TLS_RSA_WITH_AES_256_GCM_SHA384 - (NO PFS),String,0x009d,false,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm -RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,HideFileExt,Show File extensions,DWORD,0,false, -RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,Hidden,Show hidden files,DWORD,1,false, -RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,Control Panel\International\User Profile,HttpAcceptLanguageOptOut,Disable websites accessing local language list,DWORD,1,false, -RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings,SafeSearchMode,Turn off safe search in Windows search,DWORD,0,false, -RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,Software\Microsoft\Clipboard,EnableClipboardHistory,Enable Clipboard History,DWORD,1,false, -RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,Software\Microsoft\Input\Settings,EnableHwkbTextPrediction,Turn on Show text suggestions when typing on the physical keyboard,DWORD,1,false, -RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,Software\Microsoft\Input\Settings,MultilingualEnabled,Turn on Multilingual text suggestions,DWORD,1,false, -RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,Control Panel\Accessibility\StickyKeys,Flags,Turn off sticky key shortcut of pressing shift key 5 time fast,String,506,false, 
-RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,Software\Microsoft\Windows\CurrentVersion\Notifications\Settings,NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK,Disables show reminders and incoming VoIP calls on the lock screen,DWORD,0,false, \ No newline at end of file +Origin,Category,Hive,Key,Name,FriendlyName,Type,Value,ValueIsList,Exists,CSPLink +GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WTDS\Components,ServiceEnabled,Enhanced Phishing Protection,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-webthreatdefense#serviceenabled +GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WTDS\Components,NotifyUnsafeApp,Enhanced Phishing Protection: Notify Unsafe App,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-webthreatdefense#notifyunsafeapp +GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WTDS\Components,NotifyPasswordReuse,Enhanced Phishing Protection: Notify Password Reuse,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-webthreatdefense#notifypasswordreuse +GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WTDS\Components,NotifyMalicious,Enhanced Phishing Protection: Notify Malicious,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-webthreatdefense#notifymalicious +GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WTDS\Components,CaptureThreatWindow,Enhanced Phishing Protection: Capture Threat Window,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-webthreatdefense#automaticdatacollection +GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Quarantine,PurgeItemsAfterDelay,Purge Items After 
Delay,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#quarantine_purgeitemsafterdelay +GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Real-Time Protection,IOAVMaxSize,Maximum size of downloaded files and attachments to be scanned,DWORD,10000000,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#realtimeprotection_ioavmaxsize +GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Scan,DisableScanningMappedNetworkDrivesForFullScan,Scanning Mapped Network Drives For Full Scan,DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#allowfullscanonmappednetworkdrives +GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Scan,DisableScanningNetworkFiles,Scanning Network Files,DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#allowscanningnetworkfiles +GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Scan,DisableRemovableDriveScanning,Removable Drive Scanning,DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#allowfullscanremovabledrivescanning +GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Scan,DisableReparsePointScanning,Reparse Point Scanning,DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#scan_disablereparsepointscanning +GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Scan,ArchiveMaxDepth,Maximum depth to scan archive 
files,DWORD,"4294967295,2147483647",true,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#scan_archivemaxdepth +GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Signature Updates,UpdateOnStartUp,Check for the latest virus and spyware security intelligence on startup,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#signatureupdate_updateonstartup +GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Signature Updates,AVSignatureDue,Define the number of days before virus security intelligence is considered out of date,DWORD,2,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#signatureupdate_avsignaturedue +GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Signature Updates,ASSignatureDue,Define the number of days before spyware security intelligence is considered out of date,DWORD,2,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#signatureupdate_assignaturedue +GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Spynet,DisableBlockAtFirstSeen,Block At First Sight,DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#disableblockatfirstseen +GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,Optional Diagnostic Data Required for Smart App Control etc.,DWORD,3,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#allowtelemetry 
+GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\DataCollection,DisableTelemetryOptInSettingsUx,Configure diagnostic data opt-in settings user interface,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#configuretelemetryoptinsettingsux +GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction,5,Severe Threat level default action = Remove,String,3,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#threatseveritydefaultaction +GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction,4,High Threat level default action = Remove,String,3,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#threatseveritydefaultaction +GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction,2,Moderate Threat level default action = Quarantine,String,2,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#threatseveritydefaultaction +GroupPolicy,MicrosoftDefender,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction,1,Low Threat level default action = Quarantine,String,2,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#threatseveritydefaultaction +GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,DisallowStandardUserPINReset,Disallow Standard User PIN Reset,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesdisallowstandarduserscanchangepin +GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,UseAdvancedStartup,Require additional authentication at 
startup,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesrequirestartupauthentication +GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,EnableBDEWithNoTPM,Don't allow Bitlocker without TPM,DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesrequirestartupauthentication +GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,UseTPM,Don't Allow using TPM alone,DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesrequirestartupauthentication +GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,UseTPMPIN,Allow using TPM + PIN,DWORD,2,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesrequirestartupauthentication +GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,UseTPMKey,Allow using TPM + key,DWORD,2,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesrequirestartupauthentication +GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,UseTPMKeyPIN,Allow using TPM + Startup Key + PIN,DWORD,2,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesrequirestartupauthentication +GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,EncryptionMethodWithXtsOs,Correct Encryption method for OS drive,DWORD,7,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#encryptionmethodbydrivetype +GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,EncryptionMethodWithXtsFdv,Correct Encryption method for fixed data 
drives,DWORD,7,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#encryptionmethodbydrivetype +GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,EncryptionMethodWithXtsRdv,Correct Encryption method for removable drives,DWORD,7,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#encryptionmethodbydrivetype +GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,UseEnhancedPin,Use Enhanced PIN,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesenhancedpin +GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,OSEncryptionType,Full disk encryption for OS drive,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesencryptiontype +GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,RDVEncryptionType,Full disk encryption for removable drives,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#removabledrivesencryptiontype +GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,RDVDiscoveryVolumeType,Prevent access to BitLocker-protected removable data drives from earlier versions of Windows,String,,false,true, +GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,RDVNoBitLockerToGoReader,Do not install BitLocker To Go Reader on FAT formatted removable drives,DWORD,0,false,true, +GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\FVE,MinimumPIN,Configure minimum PIN length for startup,DWORD,10,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesminimumpinlength 
+GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,ACSettingIndex,Disallow standby states (S1-S3) when sleeping (plugged in),DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-power#allowstandbywhensleepingpluggedin +GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,DCSettingIndex,Disallow standby states (S1-S3) when sleeping (on battery),DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-power#allowstandbystateswhensleepingonbattery +GroupPolicy,BitLockerSettings,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\Explorer,ShowHibernateOption,Show Hibernate Option,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-windowsexplorer#showhibernateoption +GroupPolicy,TLSSecurity,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002,Functions,Configure the correct TLS Cipher Suites,String,"TLS_CHACHA20_POLY1305_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#tlsciphersuites +RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client,DisabledByDefault,Disable TLS 1.0 client - Disabled By Default,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionclient 
+RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client,Enabled,Disable TLS 1.0 client - Enabled,DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionclient +RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server,DisabledByDefault,Disable TLS 1.0 server - Disabled By Default,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionserver +RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server,Enabled,Disable TLS 1.0 server - Enabled,DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionserver +RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client,DisabledByDefault,Disable TLS 1.1 client - Disabled By Default,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionclient +RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client,Enabled,Disable TLS 1.1 client - Enabled,DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionclient +RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server,DisabledByDefault,Disable TLS 1.1 server - Disabled By Default,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionserver 
+RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server,Enabled,Disable TLS 1.1 server - Enabled,DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionserver
+RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL\,Enabled,Disable NULL Cipher Suite,DWORD,0,false,true,
+RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56,Enabled,Disable 56/56 Cipher Suite,DWORD,0,false,true,
+RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128,Enabled,Disable 40/128 Cipher Suite,DWORD,0,false,true,
+RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128,Enabled,Disable RC2 56/128 Cipher Suite,DWORD,0,false,true,
+RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128,Enabled,Disable RC2 128/128 Cipher Suite,DWORD,0,false,true,
+RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128,Enabled,Disable RC4 40/128 Cipher Suite,DWORD,0,false,true,
+RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128,Enabled,Disable RC4 56/128 Cipher Suite,DWORD,0,false,true,
+RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128,Enabled,Disable RC4 64/128 Cipher Suite,DWORD,0,false,true,
+RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128,Enabled,Disable RC4 128/128 Cipher Suite,DWORD,0,false,true,
+RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168,Enabled,Disable Triple DES 168 Cipher Suite,DWORD,0,false,true,
+RegistryKeys,TLSSecurity,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5,Enabled,Disable MD5 Hashing Algorithm,DWORD,0,false,true,
+GroupPolicy,LockScreen,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\PassportForWork\PINComplexity,Digits,Require digits in Windows Hello PIN,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexitydigits
+GroupPolicy,LockScreen,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\PassportForWork\PINComplexity,LowercaseLetters,Require lower case letters in Windows Hello PIN,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexitylowercaseletters
+GroupPolicy,LockScreen,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\PassportForWork\PINComplexity,Expiration,Set Expiration for Windows Hello PIN,DWORD,180,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexityexpiration
+GroupPolicy,LockScreen,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\PassportForWork\PINComplexity,History,Save history of Windows Hello PIN,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexityhistory
+GroupPolicy,LockScreen,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\System,DontDisplayNetworkSelectionUI,Don't Display Network Selection UI on lock screen,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowslogon#dontdisplaynetworkselectionui
+GroupPolicy,UserAccountControl,HKEY_LOCAL_MACHINE,Software\Microsoft\Windows\CurrentVersion\Policies\System,HideFastUserSwitching,Hide Fast User Switching entry points,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowslogon#hidefastuserswitching
+GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,Enable Virtualization Based Security,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard?WT.mc_id=Portal-fx#enablevirtualizationbasedsecurity
+GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,Require Platform Security Features,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard?WT.mc_id=Portal-fx#requireplatformsecurityfeatures
+GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,Hypervisor Enforced Code Integrity - UEFI Lock,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-VirtualizationBasedTechnology?WT.mc_id=Portal-fx#hypervisorenforcedcodeintegrity
+GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HVCIMATRequired,Require HVCI MAT (Memory Attribute Table),DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-VirtualizationBasedTechnology?WT.mc_id=Portal-fx#requireuefimemoryattributestable
+GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,Credential Guard Configuration - UEFI Lock,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard?WT.mc_id=Portal-fx#lsacfgflags
+GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,ConfigureSystemGuardLaunch,System Guard Launch,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard?WT.mc_id=Portal-fx#configuresystemguardlaunch
+GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,ConfigureKernelShadowStacksLaunch,Configure Kernel Shadow Stacks Launch,DWORD,1,false,true,
+GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\Lsa,RunAsPPL,Enable Local Security Authority (LSA) process Protection with UEFI Lock,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-lsa#configurelsaprotectedprocess
+GroupPolicy,DeviceGuard,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,MachineIdentityIsolation,Configure Machine Identity Isolation Configuration,DWORD,2,false,true,
+RegistryKeys,DeviceGuard,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\DeviceGuard,Mandatory,Enable VBS and Memory Integrity in Mandatory Mode,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity?tabs=reg
+GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,EnableFirewall,Enable Windows Firewall for Domain profile,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofileenablefirewall
+GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultOutboundAction,Set Default Outbound Action for Domain profile,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofiledefaultoutboundaction
+GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultInboundAction,Set
Default Inbound Action for Domain profile,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofiledefaultinboundaction
+GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DoNotAllowExceptions,Block all Domain profile connections,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofileshielded
+GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogFilePath,Configure Log file path for domain profile,String,%systemroot%\system32\logfiles\firewall\domainfirewall.log,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofilelogfilepath
+GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogFileSize,Configure Log file size for domain profile,DWORD,32767,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofilelogmaxfilesize
+GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogDroppedPackets,Log blocked connections for domain profile,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofileenablelogdroppedpackets
+GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogSuccessfulConnections,Log successful connections for domain profile,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofileenablelogsuccessconnections
+GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,EnableFirewall,Enable Windows Firewall for Private
profile,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoreprivateprofileenablefirewall
+GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DisableNotifications,Display notifications for Private profile,DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoreprivateprofiledisableinboundnotifications
+GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogFileSize,Configure Log file size for Private profile,DWORD,32767,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoreprivateprofilelogmaxfilesize
+GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogDroppedPackets,Log blocked connections for Private profile,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoreprivateprofileenablelogdroppedpackets
+GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogFilePath,Configure Log file path for Private profile,String,%systemroot%\system32\logfiles\firewall\privatefirewall.log,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoreprivateprofilelogfilepath
+GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,EnableFirewall,Enable Windows Firewall for Public profile,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstorepublicprofileenablefirewall
+GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DisableNotifications,Display notifications for Public
profile,DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstorepublicprofiledisableinboundnotifications
+GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogFileSize,Configure Log file size for Public profile,DWORD,32767,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstorepublicprofilelogmaxfilesize
+GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogDroppedPackets,Log blocked connections for Public profile,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstorepublicprofileenablelogdroppedpackets
+GroupPolicy,WindowsFirewall,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogFilePath,Configure Log file path for Public profile,String,%systemroot%\system32\logfiles\firewall\publicfirewall.log,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstorepublicprofilelogfilepath
+GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows NT\DNSClient,EnableNetbios,Disable Netbios,DWORD,0,false,true,
+GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows NT\DNSClient,DisableSmartNameResolution,Disable Smart Name Resolution,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-dnsclient#dns_smartmultihomednameresolution
+GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows NT\DNSClient,EnableMulticast,Disable Multicast,DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-dnsclient#turn_off_multicast
+GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows NT\Printers,DisableHTTPPrinting,Disable HTTP
Printing,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-connectivity?WT.mc_id=Portal-fx#diableprintingoverhttp
+GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows NT\Printers,DisableWebPnPDownload,Disable Web PnP Download,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-icm#disablewebpnpdownload_1
+RegistryKeys,WindowsNetworking,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Services\NetBT\Parameters,EnableLMHOSTS,Disable LMHOSTS lookup protocol on all network adapters,DWORD,0,false,true,
+GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanServer,EnableSMBQUIC,Enable SMB Server Over QUIC,DWORD,1,false,true,
+GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanWorkstation,EnableSMBQUIC,Enable SMB Client Over QUIC,DWORD,1,false,true,
+GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanServer,CipherSuiteOrder,SMB Server Cipher Suite Order,MULTI_STRING,"AES_256_GCM,AES_256_CCM,AES_128_GCM,AES_128_CCM",false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-lanmanserver#pol_ciphersuiteorder
+GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanWorkstation,CipherSuiteOrder,SMB Client Cipher Suite Order,MULTI_STRING,"AES_256_GCM,AES_256_CCM,AES_128_GCM,AES_128_CCM",false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-lanmanworkstation#pol_ciphersuiteorder
+GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanServer,MinSmb2Dialect,Sets the minimum SMB server version,DWORD,785,false,true,
+GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanWorkstation,MinSmb2Dialect,Sets the minimum SMB client version,DWORD,785,false,true,
+GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanWorkstation,BlockNTLM,Blocks NTLM for SMB,DWORD,1,false,true,
+GroupPolicy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanWorkstation,RequireEncryption,Requires encryption for SMB client,DWORD,1,false,true,
+RegistryKeys,WindowsNetworking,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,EncryptData,Enable SMB Server Encryption,DWORD,1,false,true,
+GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,Include command line in process creation events,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-auditsettings#includecmdline
+GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LocationAndSensors,DisableLocation,Disable Location,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-System?WT.mc_id=Portal-fx#allowlocation
+GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LocationAndSensors,DisableLocationScripting,Disable Location Scripting,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-sensors#disablelocationscripting_2
+GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LocationAndSensors,DisableWindowsLocationProvider,Disable Windows Location Provider,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-locationprovideradm#disablewindowslocationprovider_1
+GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows NT\Rpc,EnableAuthEpResolution,Enable RPC Endpoint Mapper Client
Authentication,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-remoteprocedurecall#rpcendpointmapperclientauthentication
+GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,System\CurrentControlSet\Control\SCMConfig,EnableSvchostMitigationPolicy,Enable Svchost Mitigation,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-servicecontrolmanager#svchostprocessmitigation
+GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,System\CurrentControlSet\Policies\EarlyLaunch,DriverLoadPolicy,Boot-Start Driver Initialization Policy set to Good only,DWORD,8,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#bootstartdriverinitialization
+RegistryKeys,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows Search,EnableFindMyFiles,Enable enhanced search in Window,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#allowfindmyfiles
+RegistryKeys,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062},allowautoupdatesmetered,Set Microsoft Edge (Stable) to update over Metered connections,DWORD,1,false,true,
+RegistryKeys,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{2CD8A007-E189-409D-A2C8-9AF4EF3C72AA},allowautoupdatesmetered,Set Microsoft Edge (Beta) to update over Metered connections,DWORD,1,false,true,
+RegistryKeys,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{0D50BFEC-CD6A-4F9A-964C-C7416E3ACB10},allowautoupdatesmetered,Set Microsoft Edge (Dev) to update over Metered connections,DWORD,1,false,true,
+RegistryKeys,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Microsoft\Cryptography\Wintrust\Config,EnableCertPaddingCheck,WinVerifyTrust Signature
Validation part 1,String,1,false,true,
+RegistryKeys,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config,EnableCertPaddingCheck,WinVerifyTrust Signature Validation part 2,String,1,false,true,
+GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,EnableCbacAndArmor,Request claims and compound authentication for DAC and Kerberos armoring,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-kerberos#kerberosclientsupportsclaimscompoundarmor
+GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows NT\Printers\WPP,WindowsProtectedPrintGroupPolicyState,Enable Windows Protected Print,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-printers#configurewindowsprotectedprint
+GroupPolicy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Control\FileSystem,LongPathsEnabled,Enable support for long paths,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/win32/fileio/maximum-file-path-limitation
+GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate,AllowAutoWindowsUpdateDownloadOverMeteredNetwork,Allow updates to be downloaded automatically over metered connections,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#allowautowindowsupdatedownloadovermeterednetwork
+GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate,AllowTemporaryEnterpriseFeatureControl,Enable features introduced via servicing that are off by default,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#allowtemporaryenterprisefeaturecontrol
+GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate,ConfigureDeadlineNoAutoRebootForFeatureUpdates,Specify the number of days before feature updates are installed on devices automatically,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#configuredeadlinenoautorebootforfeatureupdates
+GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate,ConfigureDeadlineNoAutoRebootForQualityUpdates,Specify the number of days before quality updates are installed on devices automatically,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#configuredeadlinenoautorebootforqualityupdates
+GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate,ConfigureDeadlineForQualityUpdates,Number of days before quality updates are installed on devices automatically,DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#configuredeadlineforqualityupdates
+GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate,ConfigureDeadlineGracePeriod,Number of grace period days before quality updates are installed on devices automatically,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiod
+GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate,ConfigureDeadlineForFeatureUpdates,Number of days before feature updates are installed on devices automatically,DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#configuredeadlineforfeatureupdates
+GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate,ConfigureDeadlineGracePeriodForFeatureUpdates,Number of grace period days before feature updates are installed on devices automatically,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiodforfeatureupdates
+GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate\AU,NoAutoUpdate,Set the computer to receive security updates and other important downloads through Windows update,DWORD,0,false,true,
+GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate\AU,AUOptions,Automatically download updates and install them on maintenance day,DWORD,4,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#allowautoupdate
+GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate\AU,AutomaticMaintenanceEnabled,Install updates during automatic maintenance,DWORD,1,false,true,
+GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate\AU,ScheduledInstallDay,Set scheduled install day to every day,DWORD,0,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#scheduledinstallday
+GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate\AU,ScheduledInstallTime,Set scheduled install time to any time,DWORD,24,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#scheduledinstalltime
+GroupPolicy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate\AU,AllowMUUpdateService,Install updates for other Microsoft
products,DWORD,1,false,true,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-Update?WT.mc_id=Portal-fx#allowmuupdateservice
+RegistryKeys,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\WindowsUpdate\UX\Settings,RestartNotificationsAllowed2,Enable restart notification for Windows update,DWORD,1,false,true,
+RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge\Recommended,BlockThirdPartyCookies,Block 3rd party cookies,DWORD,1,false,true,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
+RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge,DnsOverHttpsMode,Set Dns Over Https Mode to use system DoH settings,String,automatic,false,true,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
+RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge,AutomaticHttpsDefault,Automatically upgrade HTTP connections to HTTPS,DWORD,2,false,true,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
+RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge,EncryptedClientHelloEnabled,Enable Encrypted Client Hello,DWORD,1,false,true,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
+RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge,BasicAuthOverHttpEnabled,Block Basic authentication for HTTP,DWORD,0,false,true,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
+RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge,ExperimentationAndConfigurationServiceControl,Allow Edge to receive new features even after using policies,DWORD,2,false,true,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
+RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge,AudioSandboxEnabled,Enforces the audio
process to run sandboxed,DWORD,1,false,true,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
+RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge\Recommended,DefaultShareAdditionalOSRegionSetting,Recommends that the share additional operating system region setting to be set to never,DWORD,2,false,true,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
+RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,1,Disable TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - (CBC - SHA1),String,0xc013,false,true,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
+RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,2,Disable TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - (CBC - SHA1),String,0xc014,false,true,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
+RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,3,Disable TLS_RSA_WITH_AES_256_CBC_SHA - (NO PFS - CBC - SHA1),String,0x0035,false,true,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
+RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,4,Disable TLS_RSA_WITH_AES_128_CBC_SHA - (NO PFS - CBC - SHA1),String,0x002f,false,true,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
+RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,5,Disable TLS_RSA_WITH_AES_128_GCM_SHA256 - (NO PFS),String,0x009c,false,true,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
+RegistryKeys,EdgeBrowserConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,6,Disable TLS_RSA_WITH_AES_256_GCM_SHA384 - (NO
PFS),String,0x009d,false,true,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
+RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,HideFileExt,Show File extensions,DWORD,0,false,true,
+RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,Hidden,Show hidden files,DWORD,1,false,true,
+RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,Control Panel\International\User Profile,HttpAcceptLanguageOptOut,Disable websites accessing local language list,DWORD,1,false,true,
+RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings,SafeSearchMode,Turn off safe search in Windows search,DWORD,0,false,true,
+RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,Software\Microsoft\Clipboard,EnableClipboardHistory,Enable Clipboard History,DWORD,1,false,true,
+RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,Software\Microsoft\Input\Settings,EnableHwkbTextPrediction,Turn on Show text suggestions when typing on the physical keyboard,DWORD,1,false,true,
+RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,Software\Microsoft\Input\Settings,MultilingualEnabled,Turn on Multilingual text suggestions,DWORD,1,false,true,
+RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,Control Panel\Accessibility\StickyKeys,Flags,Turn off sticky key shortcut of pressing shift key 5 time fast,String,506,false,true,
+RegistryKeys,NonAdminCommands,HKEY_CURRENT_USER,Software\Microsoft\Windows\CurrentVersion\Notifications\Settings,NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK,Disables show reminders and incoming VoIP calls on the lock screen,DWORD,0,false,true,
\ No newline at end of file
diff --git a/Harden-Windows-Security Module/Main files/Resources/XAML/Protect.xaml b/Harden-Windows-Security Module/Main files/Resources/XAML/Protect.xaml
index c3f58711f..6d2a6958d 100644
--- a/Harden-Windows-Security Module/Main files/Resources/XAML/Protect.xaml
+++ b/Harden-Windows-Security Module/Main files/Resources/XAML/Protect.xaml
@@ -214,6 +214,9 @@
+
+
+
diff --git a/Harden-Windows-Security Module/version.txt b/Harden-Windows-Security Module/version.txt
index bcaffe19b..7deb86fee 100644
--- a/Harden-Windows-Security Module/version.txt
+++ b/Harden-Windows-Security Module/version.txt
@@ -1 +1 @@
-0.7.0
\ No newline at end of file
+0.7.1
\ No newline at end of file
diff --git a/Intune Files/Hardening Policies/TLS Settings.json b/Intune Files/Hardening Policies/TLS Settings.json
index 1fcf36e2e..8c660ca4d 100644
--- a/Intune Files/Hardening Policies/TLS Settings.json
+++ b/Intune Files/Hardening Policies/TLS Settings.json
@@ -1,9 +1,9 @@
 {
 "@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity",
- "createdDateTime": "2024-07-12T14:52:08.4917639Z",
+ "createdDateTime": "2025-01-02T07:52:18.9754212Z",
 "creationSource": null,
 "description": "TLS Settings Category",
- "lastModifiedDateTime": "2024-07-12T14:56:14.7388844Z",
+ "lastModifiedDateTime": "2025-01-02T08:03:48.2719491Z",
 "name": "TLS Settings",
 "platforms": "windows10",
 "priorityMetaData": null,
@@ -12,7 +12,7 @@
 ],
 "settingCount": 2,
 "technologies": "mdm",
- "id": "95419642-e19e-4c2f-aae2-b3bab7313f7f",
+ "id": "f0131daa-abf4-41dd-b706-28c36c045a29",
 "templateReference": {
 "templateId": "",
 "templateFamily": "none",
@@ -64,14 +64,16 @@
 {
 "id": "1",
 "settingInstance": {
- "@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance",
+ "@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance",
 "settingDefinitionId": "device_vendor_msft_policy_config_cryptography_tlsciphersuites",
 "settingInstanceTemplateReference": null,
- "simpleSettingValue": {
- "@odata.type": "#microsoft.graph.deviceManagementConfigurationStringSettingValue",
- "settingValueTemplateReference": null,
- "value": "TLS_CHACHA20_POLY1305_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
- }
+ "simpleSettingCollectionValue": [
+ {
+ "@odata.type": "#microsoft.graph.deviceManagementConfigurationStringSettingValue",
+ "settingValueTemplateReference": null,
+ "value": "TLS_CHACHA20_POLY1305_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
+ }
+ ]
 }
 }
 ]
diff --git a/README.md b/README.md
index 4c4bff54d..dc36e4e8b 100644
--- a/README.md
+++ b/README.md
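Review bot: The new `simpleSettingCollectionValue` holds one element whose `value` is the entire comma-joined cipher-suite list, and this hunk does not show whether the settings-catalog collection for `device_vendor_msft_policy_config_cryptography_tlsciphersuites` expects one element per cipher suite or accepts a comma-separated string in a single element. Because the list is priority-ordered, a mismatch would not fail loudly but could change or drop suites on the device, so the imported policy should be checked against the effective cipher-suite order on an enrolled client. The README hunk further down describes a new "TLS for BattleNet" sub-category on the Group Policy side that appends `TLS_RSA_WITH_AES_256_CBC_SHA`, while this Intune policy has no equivalent and stays on the stricter list. Making that explicit to whoever imports the JSON, e.g. `"description": "TLS Settings Category (TLS_RSA_WITH_AES_256_CBC_SHA deliberately excluded; add it only if the BattleNet client is required)"`, would avoid the gap being read as an oversight.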
@@ -333,6 +333,8 @@ From Top to bottom in order: - Blue Check mark denoting Group Policy Clears Quarantined items after 1 day instead of the default behavior of keeping them indefinitely. Rotating green checkmark denoting CSP [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#quarantine_purgeitemsafterdelay) + * Quarantine involves isolating potentially harmful files in a non-executable area of your system to prevent any risk of execution. To further minimize potential threats, quarantined files are automatically removed after 1 day, rather than being retained indefinitely. This precaution helps mitigate the possibility of these files exploiting unforeseen vulnerabilities in the future, ensuring a proactive approach to system security. +
- Blue Check mark denoting Group Policy Allows Microsoft Defender to download security updates even on a metered connection. Rotating green checkmark denoting CSP [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp?WT.mc_id=Portal-fx#configurationmeteredconnectionupdates) @@ -814,9 +816,6 @@ Changes made by this category only affect things that use [Schannel SSP](https:/ If you want to read more: [Demystifying Schannel](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/demystifying-schannel/ba-p/259233) -> [!NOTE]\ -> This category checks whether Battle.net client is installed on the system and if it is then includes `TLS_RSA_WITH_AES_256_CBC_SHA` as an additional cipher suite in the policy due to [a known issue](https://github.com/HotCakeX/Harden-Windows-Security/issues/38). The way Battle.net client is detected is by checking the presence of `Battle.net.exe` or `Battle.net Launcher.exe` in `C:\Program Files (x86)\Battle.net\` folder. -
- Rotating pink checkmark denoting registry or cmdlet Disables TLS 1 and TLS 1.1 security protocols that only **exist for backward compatibility**. All modern software should and do use `TLS 1.2` and `TLS 1.3`. Rotating green checkmark denoting CSP [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionclient) Rotating green checkmark denoting CSP [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionserver) @@ -847,6 +846,10 @@ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
+- Blue Check mark denoting Group Policy Rotating green checkmark denoting Subcategory Use the ***TLS for BattleNet*** sub-category if you have the BattleNet game client installed on your system. This client utilizes the `TLS_RSA_WITH_AES_256_CBC_SHA` cipher suite to establish connections with its servers. Since this cipher suite is less secure, it is excluded from the secure cipher-suites list by default. However, enabling this sub-category will include the required cipher suite, allowing you to use BattleNet without interruptions. + +
+ - Blue Check mark denoting Group Policy [Configures](https://learn.microsoft.com/en-us/windows-server/security/tls/manage-tls) TLS ECC Curves to [use the following](https://github.com/HotCakeX/Harden-Windows-Security/commit/5b5be1fcab8f7bf5d364f48459aecfc54c6eff9d#commitcomment-115982586) prioritized Curves order: Rotating green checkmark denoting CSP [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#configureellipticcurvecryptography) ```