diff --git a/Harden-Windows-Security Module/Harden Windows Security.csproj b/Harden-Windows-Security Module/Harden Windows Security.csproj
index 5006ab5e6..26c181cdd 100644
--- a/Harden-Windows-Security Module/Harden Windows Security.csproj
+++ b/Harden-Windows-Security Module/Harden Windows Security.csproj
@@ -37,12 +37,10 @@
True
- True
True
- True
@@ -64,8 +62,8 @@
-
-
+
+
diff --git a/Harden-Windows-Security Module/Main files/C#/GUI/Protection/EventHandlers.cs b/Harden-Windows-Security Module/Main files/C#/GUI/Protection/EventHandlers.cs
index 24624114e..43fb394e1 100644
--- a/Harden-Windows-Security Module/Main files/C#/GUI/Protection/EventHandlers.cs
+++ b/Harden-Windows-Security Module/Main files/C#/GUI/Protection/EventHandlers.cs
@@ -661,11 +661,23 @@ await Task.Run(() =>
case "WindowsNetworking":
{
HardenWindowsSecurity.WindowsNetworking.Invoke();
+
+ if (HardenWindowsSecurity.GUIProtectWinSecurity.SelectedSubCategories.Contains("WindowsNetworking_BlockNTLM"))
+ {
+ HardenWindowsSecurity.WindowsNetworking.WindowsNetworking_BlockNTLM();
+ }
+
break;
}
case "MiscellaneousConfigurations":
{
HardenWindowsSecurity.MiscellaneousConfigurations.Invoke();
+
+ if (HardenWindowsSecurity.GUIProtectWinSecurity.SelectedSubCategories.Contains("Miscellaneous_WindowsProtectedPrint"))
+ {
+ HardenWindowsSecurity.MiscellaneousConfigurations.MiscellaneousConfigurations_WindowsProtectedPrint();
+ }
+
break;
}
case "WindowsUpdateConfigurations":
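Review bot: The two new `Contains(...)` checks repeat the sub-category keys as bare string literals, and these have to match the entries added to the sub-category map in Variables.cs character for character. If they differ, `Contains` returns false and the hardening step is skipped with no log line. The second key is `"Miscellaneous_WindowsProtectedPrint"` while the method it guards is `MiscellaneousConfigurations_WindowsProtectedPrint`, which makes that kind of mismatch easier to introduce. Consider declaring each key once, e.g. `internal const string BlockNTLMKey = "WindowsNetworking_BlockNTLM";`, and using the constant in both files. The enclosing `switch` starts and ends outside the hunk.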
diff --git a/Harden-Windows-Security Module/Main files/C#/GUI/Protection/Variables.cs b/Harden-Windows-Security Module/Main files/C#/GUI/Protection/Variables.cs
index e608fc203..d36adbf25 100644
--- a/Harden-Windows-Security Module/Main files/C#/GUI/Protection/Variables.cs
+++ b/Harden-Windows-Security Module/Main files/C#/GUI/Protection/Variables.cs
@@ -42,6 +42,8 @@ public partial class GUIProtectWinSecurity
{ "MicrosoftDefender", new string[] { "MSFTDefender_SAC", "MSFTDefender_NoDiagData", "MSFTDefender_NoScheduledTask", "MSFTDefender_BetaChannels" } },
{ "LockScreen", new string[] { "LockScreen_CtrlAltDel", "LockScreen_NoLastSignedIn" } },
{ "UserAccountControl", new string[] { "UAC_NoFastSwitching", "UAC_OnlyElevateSigned" } },
+ { "WindowsNetworking", new string[] { "WindowsNetworking_BlockNTLM" } },
+ { "MiscellaneousConfigurations", new string[] { "Miscellaneous_WindowsProtectedPrint" } },
{ "CountryIPBlocking", new string[] { "CountryIPBlocking_OFAC" } },
{ "DownloadsDefenseMeasures", new string[] { "DangerousScriptHostsBlocking" } }
};
@@ -94,14 +96,14 @@ public partial class GUIProtectWinSecurity
"preset: recommended", new System.Collections.Generic.Dictionary>
{
{ "Categories", new List { "MicrosoftSecurityBaselines", "Microsoft365AppsSecurityBaselines", "MicrosoftDefender", "AttackSurfaceReductionRules", "BitLockerSettings", "DeviceGuard", "TLSSecurity", "LockScreen", "UserAccountControl", "WindowsFirewall", "OptionalWindowsFeatures", "WindowsNetworking", "MiscellaneousConfigurations", "WindowsUpdateConfigurations", "EdgeBrowserConfigurations", "DownloadsDefenseMeasures", "NonAdminCommands" } },
- { "SubCategories", new List { "DangerousScriptHostsBlocking" } }
+ { "SubCategories", new List { "WindowsNetworking_BlockNTLM", "DangerousScriptHostsBlocking" } }
}
},
{
"preset: complete", new System.Collections.Generic.Dictionary>
{
{ "Categories", new List { "MicrosoftSecurityBaselines", "Microsoft365AppsSecurityBaselines", "MicrosoftDefender", "AttackSurfaceReductionRules", "BitLockerSettings", "DeviceGuard", "TLSSecurity", "LockScreen", "UserAccountControl", "WindowsFirewall", "OptionalWindowsFeatures", "WindowsNetworking", "MiscellaneousConfigurations", "WindowsUpdateConfigurations", "EdgeBrowserConfigurations", "CountryIPBlocking", "DownloadsDefenseMeasures", "NonAdminCommands" } },
- { "SubCategories", new List { "MSFTDefender_SAC", "UAC_OnlyElevateSigned", "CountryIPBlocking_OFAC", "DangerousScriptHostsBlocking" } }
+ { "SubCategories", new List { "MSFTDefender_SAC", "UAC_OnlyElevateSigned", "WindowsNetworking_BlockNTLM", "Miscellaneous_WindowsProtectedPrint", "CountryIPBlocking_OFAC", "DangerousScriptHostsBlocking" } }
}
}
};
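Review bot: Adding `"WindowsNetworking_BlockNTLM"` to the `"preset: recommended"` sub-categories puts a full NTLM block (the module help calls it "Will block NTLM completely") into the default selection, and nothing in the hunk records the compatibility cost. Blocking NTLM outright typically breaks authentication wherever Kerberos is unavailable, such as workgroup devices or connections made by IP address, and the usual guidance is to audit NTLM usage before restricting it. Consider leaving it in `"preset: complete"` only. Otherwise add a comment above the recommended preset such as `// WindowsNetworking_BlockNTLM breaks NTLM-only authentication (workgroup shares, connect-by-IP); audit NTLM usage first`.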
diff --git a/Harden-Windows-Security Module/Main files/C#/Others/Categoriex.cs b/Harden-Windows-Security Module/Main files/C#/Others/Categoriex.cs
index 89079744c..8f2909a7a 100644
--- a/Harden-Windows-Security Module/Main files/C#/Others/Categoriex.cs
+++ b/Harden-Windows-Security Module/Main files/C#/Others/Categoriex.cs
@@ -10,6 +10,7 @@ namespace HardenWindowsSecurity
{
public class ComplianceCategoriex : IValidateSetValuesGenerator
{
+ // Categories for Confirmation / Compliance Checks
public string[] GetValidValues()
{
string[] categoriex =
@@ -23,8 +24,8 @@ public string[] GetValidValues()
"DeviceGuard", // 9
"WindowsFirewall", // 19
"OptionalWindowsFeatures", // 14
- "WindowsNetworking", // 14
- "MiscellaneousConfigurations", // 16
+ "WindowsNetworking", // 18
+ "MiscellaneousConfigurations", // 17
"WindowsUpdateConfigurations", // 15
"EdgeBrowserConfigurations", // 14
"NonAdminCommands" // 9
@@ -90,7 +91,7 @@ private static bool IsTpmPresentAndEnabled()
///
- /// Main method of the class to return the final authorized categories
+ /// Main method of the class to return the final authorized categories for Protection
/// For PowerShell cmdlets and GUI elements that will light up based on different criteria
///
///
diff --git a/Harden-Windows-Security Module/Main files/C#/Others/CategoryProcessing.cs b/Harden-Windows-Security Module/Main files/C#/Others/CategoryProcessing.cs
index b139950ff..1175c14ff 100644
--- a/Harden-Windows-Security Module/Main files/C#/Others/CategoryProcessing.cs
+++ b/Harden-Windows-Security Module/Main files/C#/Others/CategoryProcessing.cs
@@ -198,6 +198,11 @@ public static List ProcessCategory(string catName, string meth
// Handle the case where the DWORD value is returned as a uint
regValueStr = regValue.ToString();
}
+ else if (regValue is string[])
+ {
+ // Convert MULTI_STRING (string[]) to a comma-separated string for display
+ regValueStr = string.Join(",", (string[])regValue);
+ }
else
{
// Convert the registry value to a string otherwise
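Review bot: `regValue is string[]` followed by the cast `(string[])regValue` tests the type twice. A declaration pattern does it in one step, `else if (regValue is string[] multi) { regValueStr = string.Join(",", multi); }`, and matches the `is not string[] regValueArray` form this commit already uses in CompareRegistryValues. The same two lines are added again in the next hunk of ProcessCategory, just before the `regValue?.ToString()` fallback. Because the joined text is used for display, the comment should also say that an element containing a comma cannot be told apart from two elements. ProcessCategory starts and ends outside the hunk.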
@@ -262,6 +267,11 @@ public static List ProcessCategory(string catName, string meth
// Handle the case where the DWORD value is returned as a uint
regValueStr = regValue.ToString();
}
+ else if (regValue is string[])
+ {
+ // Convert MULTI_STRING (string[]) to a comma-separated string for display
+ regValueStr = string.Join(",", (string[])regValue);
+ }
else
{
regValueStr = regValue?.ToString();
@@ -319,6 +329,9 @@ public static List ProcessCategory(string catName, string meth
return output;
}
+ private static readonly char[] separator = [','];
+
+
// method to parse the registry value based on its type that is defined in the CSV file
private static object ParseRegistryValue(string type, string value)
@@ -340,7 +353,13 @@ private static object ParseRegistryValue(string type, string value)
// String values are kept as strings
return value;
}
- // Will add more types later if needed, e.g., BINARY, MULTI_STRING etc.
+ case "MULTI_STRING":
+ {
+ // MULTI_STRING values are represented as an array of strings, separated by commas in the CSV file
+ // Split the CSV value by comma and return as a string array
+ return value.Split(separator, StringSplitOptions.None);
+ }
+ // Will add more types later if needed, e.g., BINARY
default:
{
throw new ArgumentException($"ParseRegistryValue: Unknown registry value type: {type}");
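Review bot: In the new `MULTI_STRING` case, `value.Split(separator, StringSplitOptions.None)` turns an empty CSV field into a one-element array holding `""` and keeps any whitespace around the commas. That expected array would presumably never equal a registry value read back as an empty or trimmed `string[]`, so the length and `SequenceEqual` check in CompareRegistryValues would report the setting as non-compliant. If the target framework provides `TrimEntries` (.NET 5+), `return value.Split(separator, StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries);` avoids both cases. The comment should also state that an element containing a comma cannot be expressed in the CSV with this delimiter. The `switch` starts outside the hunk.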
@@ -348,7 +367,6 @@ private static object ParseRegistryValue(string type, string value)
}
}
-
// method to compare the registry value based on its type that is defined in the CSV file
private static bool CompareRegistryValues(string type, object regValue, object expectedValue)
{
@@ -379,7 +397,21 @@ private static bool CompareRegistryValues(string type, object regValue, object e
// String values are compared as strings using ordinal ignore case
return string.Equals(regValue.ToString(), expectedValue.ToString(), StringComparison.OrdinalIgnoreCase);
}
- // Will add more types later if needed, e.g., BINARY, MULTI_STRING etc.
+ case "MULTI_STRING":
+ {
+ // MULTI_STRING values are arrays of strings
+ // Return false if either is not a string array
+ if (regValue is not string[] regValueArray || expectedValue is not string[] expectedValueArray)
+ {
+ return false;
+ }
+
+ // Compare the arrays by length first, then compare each element using ordinal ignore case
+ // The order of the MULTI_STRING registry keys will be taken into account when comparing the reg key value against the values defined in the CSV file
+ return regValueArray.Length == expectedValueArray.Length &&
+ regValueArray.SequenceEqual(expectedValueArray, StringComparer.OrdinalIgnoreCase);
+ }
+ // Will add more types later if needed, e.g., BINARY
default:
{
throw new ArgumentException($"CompareRegistryValues: Unknown registry value type: {type}");
@@ -393,5 +425,6 @@ private static bool CompareRegistryValues(string type, object regValue, object e
}
return false;
}
+
}
}
diff --git a/Harden-Windows-Security Module/Main files/C#/Others/ConfirmSystemComplianceMethods.cs b/Harden-Windows-Security Module/Main files/C#/Others/ConfirmSystemComplianceMethods.cs
index 6e040eec8..91c45d751 100644
--- a/Harden-Windows-Security Module/Main files/C#/Others/ConfirmSystemComplianceMethods.cs
+++ b/Harden-Windows-Security Module/Main files/C#/Others/ConfirmSystemComplianceMethods.cs
@@ -435,9 +435,9 @@ public static Task VerifyDeviceGuard()
nestedObjectArray.Add(new HardenWindowsSecurity.IndividualResult
{
FriendlyName = "Require Platform Security Features",
- Compliant = (RequirePlatformSecurityFeatures != null &&
+ Compliant = RequirePlatformSecurityFeatures != null &&
(RequirePlatformSecurityFeatures.Equals("1", StringComparison.OrdinalIgnoreCase) ||
- RequirePlatformSecurityFeatures.Equals("3", StringComparison.OrdinalIgnoreCase))) ? true : false,
+ RequirePlatformSecurityFeatures.Equals("3", StringComparison.OrdinalIgnoreCase)),
Value = (RequirePlatformSecurityFeatures != null && RequirePlatformSecurityFeatures.Equals("1", StringComparison.OrdinalIgnoreCase)) ?
"VBS with Secure Boot" :
(RequirePlatformSecurityFeatures != null && RequirePlatformSecurityFeatures.Equals("3", StringComparison.OrdinalIgnoreCase)) ?
diff --git a/Harden-Windows-Security Module/Main files/C#/Others/GlobalVars.cs b/Harden-Windows-Security Module/Main files/C#/Others/GlobalVars.cs
index 25ae41e47..5690aa6de 100644
--- a/Harden-Windows-Security Module/Main files/C#/Others/GlobalVars.cs
+++ b/Harden-Windows-Security Module/Main files/C#/Others/GlobalVars.cs
@@ -10,7 +10,7 @@ namespace HardenWindowsSecurity
public static class GlobalVars
{
// Minimum required OS build number
- internal const decimal Requiredbuild = 22621.3880M;
+ internal const decimal Requiredbuild = 22621.4169M;
// Current OS build version
internal static readonly decimal OSBuildNumber = Environment.OSVersion.Version.Build;
diff --git a/Harden-Windows-Security Module/Main files/C#/Others/Initializer.cs b/Harden-Windows-Security Module/Main files/C#/Others/Initializer.cs
index 3fe017020..154ad7d6c 100644
--- a/Harden-Windows-Security Module/Main files/C#/Others/Initializer.cs
+++ b/Harden-Windows-Security Module/Main files/C#/Others/Initializer.cs
@@ -95,7 +95,7 @@ public static void Initialize(string VerbosePreference = "SilentlyContinue", boo
HardenWindowsSecurity.GlobalVars.MDAVConfigCurrent = HardenWindowsSecurity.ConfigDefenderHelper.GetMpComputerStatus();
// Total number of Compliant values
- HardenWindowsSecurity.GlobalVars.TotalNumberOfTrueCompliantValues = 247;
+ HardenWindowsSecurity.GlobalVars.TotalNumberOfTrueCompliantValues = 252;
// Getting the $VerbosePreference from the calling cmdlet and saving it in the global variable
HardenWindowsSecurity.GlobalVars.VerbosePreference = VerbosePreference;
diff --git a/Harden-Windows-Security Module/Main files/C#/Others/NewToastNotification.cs b/Harden-Windows-Security Module/Main files/C#/Others/NewToastNotification.cs
index 4647d5446..f382f1f8e 100644
--- a/Harden-Windows-Security Module/Main files/C#/Others/NewToastNotification.cs
+++ b/Harden-Windows-Security Module/Main files/C#/Others/NewToastNotification.cs
@@ -30,216 +30,225 @@ public enum ToastNotificationType
public static void Show(ToastNotificationType Type, string? TotalCompliantValues, string? TotalNonCompliantValues, string? UnprotectCategory, string? BitLockerEncryptionTab)
{
- // Notifications Icon Override for all of the toast notification styles
- string LogoOverride = Path.Combine(HardenWindowsSecurity.GlobalVars.path!, "Resources", "Media", "NotificationIconOverride.png");
-
- // Detect the notification type so we can create the proper notification to be displayed
- switch (Type)
+ try
{
- // Notification to show at the end of applying the hardening measures
- case ToastNotificationType.EndOfProtection:
- {
- // Combine paths
- // string Hero = Path.Combine(HardenWindowsSecurity.GlobalVars.path!, "Resources", "Media", "Microsoft Defender.png");
- // string DismissButtonImage = Path.Combine(HardenWindowsSecurity.GlobalVars.path!, "Resources", "Media", "notification (1).png");
- string Inline = Path.Combine(HardenWindowsSecurity.GlobalVars.path!, "Resources", "Media", "ProtectToastNotificationImage.png");
+ // Notifications Icon Override for all of the toast notification styles
+ string LogoOverride = Path.Combine(HardenWindowsSecurity.GlobalVars.path!, "Resources", "Media", "NotificationIconOverride.png");
- new Microsoft.Toolkit.Uwp.Notifications.ToastContentBuilder()
+ // Detect the notification type so we can create the proper notification to be displayed
+ switch (Type)
+ {
- .AddAppLogoOverride(new Uri($"file:///{LogoOverride}"), ToastGenericAppLogoCrop.Circle)
+ // Notification to show at the end of applying the hardening measures
+ case ToastNotificationType.EndOfProtection:
+ {
+ // Combine paths
+ // string Hero = Path.Combine(HardenWindowsSecurity.GlobalVars.path!, "Resources", "Media", "Microsoft Defender.png");
+ // string DismissButtonImage = Path.Combine(HardenWindowsSecurity.GlobalVars.path!, "Resources", "Media", "notification (1).png");
+ string Inline = Path.Combine(HardenWindowsSecurity.GlobalVars.path!, "Resources", "Media", "ProtectToastNotificationImage.png");
- .AddText("Protection Completed.")
+ new Microsoft.Toolkit.Uwp.Notifications.ToastContentBuilder()
- .AddText($"Successfully applied {HardenWindowsSecurity.GUIProtectWinSecurity.SelectedCategories.Count} categories")
+ .AddAppLogoOverride(new Uri($"file:///{LogoOverride}"), ToastGenericAppLogoCrop.Circle)
- .AddText("Your computer is now more secure 👏")
+ .AddText("Protection Completed.")
- // .AddHeroImage(new Uri($"file:///{Hero}"))
+ .AddText($"Successfully applied {HardenWindowsSecurity.GUIProtectWinSecurity.SelectedCategories.Count} categories")
- .AddInlineImage(new Uri($"file:///{Inline}"))
+ .AddText("Your computer is now more secure 👏")
+ // .AddHeroImage(new Uri($"file:///{Hero}"))
- /*
+ .AddInlineImage(new Uri($"file:///{Inline}"))
- .AddButton(new ToastButton()
- .SetContent("Dismiss")
- .AddArgument("action", "dismiss")
- .SetImageUri(new Uri($"file:///{DismissButtonImage}")))
- .AddButton(new ToastButton()
- .SetContent("View Details")
- .AddArgument("action", "viewDetails")
- .SetImageUri(new Uri("file:///D:/notifications/view_icon.jpg")))
+ /*
- .AddButton(new ToastButton()
- .SetContent("Open App")
- .AddArgument("action", "openApp")
- .SetImageUri(new Uri("file:///D:/notifications/view_icon.jpg")))
+ .AddButton(new ToastButton()
+ .SetContent("Dismiss")
+ .AddArgument("action", "dismiss")
+ .SetImageUri(new Uri($"file:///{DismissButtonImage}")))
- .AddButton(new ToastButton()
- .SetContent("Open App")
- .AddArgument("action", "openApp")
- .SetImageUri(new Uri("file:///D:/notifications/view_icon.jpg")))
+ .AddButton(new ToastButton()
+ .SetContent("View Details")
+ .AddArgument("action", "viewDetails")
+ .SetImageUri(new Uri("file:///D:/notifications/view_icon.jpg")))
- .AddButton(new ToastButton()
- .SetContent("Open App")
- .AddArgument("action", "openApp")
- .SetImageUri(new Uri("file:///D:/notifications/view_icon.jpg")))
- */
+ .AddButton(new ToastButton()
+ .SetContent("Open App")
+ .AddArgument("action", "openApp")
+ .SetImageUri(new Uri("file:///D:/notifications/view_icon.jpg")))
- .AddAudio(new Uri("ms-winsoundevent:Notification.SMS"))
+ .AddButton(new ToastButton()
+ .SetContent("Open App")
+ .AddArgument("action", "openApp")
+ .SetImageUri(new Uri("file:///D:/notifications/view_icon.jpg")))
- .AddAttributionText("Brought to you by Harden Windows Security")
+ .AddButton(new ToastButton()
+ .SetContent("Open App")
+ .AddArgument("action", "openApp")
+ .SetImageUri(new Uri("file:///D:/notifications/view_icon.jpg")))
+ */
- .AddHeader("00001", "End of Protection", "Action")
+ .AddAudio(new Uri("ms-winsoundevent:Notification.SMS"))
- .Show();
+ .AddAttributionText("Brought to you by Harden Windows Security")
- break;
- }
+ .AddHeader("00001", "End of Protection", "Action")
- // Notification to show for End of compliance checking/Confirmation
- case ToastNotificationType.EndOfConfirmation:
- {
+ .Show();
- // Combine paths
- string Inline = Path.Combine(HardenWindowsSecurity.GlobalVars.path!, "Resources", "Media", "ConfirmToastNotificationImage.png");
+ break;
+ }
- new Microsoft.Toolkit.Uwp.Notifications.ToastContentBuilder()
+ // Notification to show for End of compliance checking/Confirmation
+ case ToastNotificationType.EndOfConfirmation:
+ {
- .AddAppLogoOverride(new Uri($"file:///{LogoOverride}"), ToastGenericAppLogoCrop.Circle)
+ // Combine paths
+ string Inline = Path.Combine(HardenWindowsSecurity.GlobalVars.path!, "Resources", "Media", "ConfirmToastNotificationImage.png");
- .AddText("Compliance checking completed.")
+ new Microsoft.Toolkit.Uwp.Notifications.ToastContentBuilder()
- .AddText($"Successfully verified the hardening measures on the current system.")
+ .AddAppLogoOverride(new Uri($"file:///{LogoOverride}"), ToastGenericAppLogoCrop.Circle)
- .AddText($"{TotalCompliantValues} Compliant and {TotalNonCompliantValues} Non-Compliant items have been detected.")
+ .AddText("Compliance checking completed.")
- // .AddHeroImage(new Uri($"file:///{Hero}"))
+ .AddText($"Successfully verified the hardening measures on the current system.")
- .AddInlineImage(new Uri($"file:///{Inline}"))
+ .AddText($"{TotalCompliantValues} Compliant and {TotalNonCompliantValues} Non-Compliant items have been detected.")
- .AddAudio(new Uri("ms-winsoundevent:Notification.SMS"))
+ // .AddHeroImage(new Uri($"file:///{Hero}"))
- .AddAttributionText("Brought to you by Harden Windows Security")
+ .AddInlineImage(new Uri($"file:///{Inline}"))
- .AddHeader("00002", "End of Confirmation", "Action")
+ .AddAudio(new Uri("ms-winsoundevent:Notification.SMS"))
- .Show();
+ .AddAttributionText("Brought to you by Harden Windows Security")
- break;
- }
- case ToastNotificationType.EndOfASRRules:
- {
+ .AddHeader("00002", "End of Confirmation", "Action")
- // Combine paths
- string Hero = Path.Combine(HardenWindowsSecurity.GlobalVars.path!, "Resources", "Media", "Attack Surface Reduction Notification Hero Image.png");
- string Inline = Path.Combine(HardenWindowsSecurity.GlobalVars.path!, "Resources", "Media", "ASRRulesToastNotificationImage.png");
+ .Show();
- new Microsoft.Toolkit.Uwp.Notifications.ToastContentBuilder()
+ break;
+ }
+ case ToastNotificationType.EndOfASRRules:
+ {
- .AddAppLogoOverride(new Uri($"file:///{LogoOverride}"), ToastGenericAppLogoCrop.Circle)
+ // Combine paths
+ string Hero = Path.Combine(HardenWindowsSecurity.GlobalVars.path!, "Resources", "Media", "Attack Surface Reduction Notification Hero Image.png");
+ string Inline = Path.Combine(HardenWindowsSecurity.GlobalVars.path!, "Resources", "Media", "ASRRulesToastNotificationImage.png");
- .AddText("ASR Rules Applied.")
+ new Microsoft.Toolkit.Uwp.Notifications.ToastContentBuilder()
- .AddText($"Successfully applied the Attack Surface Reduction configurations on the system.")
+ .AddAppLogoOverride(new Uri($"file:///{LogoOverride}"), ToastGenericAppLogoCrop.Circle)
- .AddText($"They were applied using Group Policy..")
+ .AddText("ASR Rules Applied.")
- .AddHeroImage(new Uri($"file:///{Hero}"))
+ .AddText($"Successfully applied the Attack Surface Reduction configurations on the system.")
- .AddInlineImage(new Uri($"file:///{Inline}"))
+ .AddText($"They were applied using Group Policy..")
- .AddAudio(new Uri("ms-winsoundevent:Notification.SMS"))
+ .AddHeroImage(new Uri($"file:///{Hero}"))
- .AddAttributionText("Brought to you by Harden Windows Security")
+ .AddInlineImage(new Uri($"file:///{Inline}"))
- .AddHeader("00003", "End of ASR Rules application", "Action")
+ .AddAudio(new Uri("ms-winsoundevent:Notification.SMS"))
- .Show();
+ .AddAttributionText("Brought to you by Harden Windows Security")
- break;
- }
- case ToastNotificationType.EndOfUnprotection:
- {
- // Combine paths
- string Inline = Path.Combine(HardenWindowsSecurity.GlobalVars.path!, "Resources", "Media", "UnprotectToastNotificationImage.png");
+ .AddHeader("00003", "End of ASR Rules application", "Action")
- new Microsoft.Toolkit.Uwp.Notifications.ToastContentBuilder()
+ .Show();
- .AddAppLogoOverride(new Uri($"file:///{LogoOverride}"), ToastGenericAppLogoCrop.Circle)
+ break;
+ }
+ case ToastNotificationType.EndOfUnprotection:
+ {
+ // Combine paths
+ string Inline = Path.Combine(HardenWindowsSecurity.GlobalVars.path!, "Resources", "Media", "UnprotectToastNotificationImage.png");
- .AddText("Protections have been removed.")
+ new Microsoft.Toolkit.Uwp.Notifications.ToastContentBuilder()
- .AddText($"Successfully removed the {UnprotectCategory} from the system.")
+ .AddAppLogoOverride(new Uri($"file:///{LogoOverride}"), ToastGenericAppLogoCrop.Circle)
- .AddInlineImage(new Uri($"file:///{Inline}"))
+ .AddText("Protections have been removed.")
- .AddAudio(new Uri("ms-winsoundevent:Notification.SMS"))
+ .AddText($"Successfully removed the {UnprotectCategory} from the system.")
- .AddAttributionText("Brought to you by Harden Windows Security")
+ .AddInlineImage(new Uri($"file:///{Inline}"))
- .AddHeader("00004", "End of Unprotection", "Action")
+ .AddAudio(new Uri("ms-winsoundevent:Notification.SMS"))
- .Show();
+ .AddAttributionText("Brought to you by Harden Windows Security")
- break;
- }
- case ToastNotificationType.EndOfExclusions:
- {
- // Combine paths
- string Inline = Path.Combine(HardenWindowsSecurity.GlobalVars.path!, "Resources", "Media", "UnprotectToastNotificationImage.png");
+ .AddHeader("00004", "End of Unprotection", "Action")
- new Microsoft.Toolkit.Uwp.Notifications.ToastContentBuilder()
+ .Show();
- .AddAppLogoOverride(new Uri($"file:///{LogoOverride}"), ToastGenericAppLogoCrop.Circle)
+ break;
+ }
+ case ToastNotificationType.EndOfExclusions:
+ {
+ // Combine paths
+ string Inline = Path.Combine(HardenWindowsSecurity.GlobalVars.path!, "Resources", "Media", "UnprotectToastNotificationImage.png");
- .AddText("Exclusions Processed.")
+ new Microsoft.Toolkit.Uwp.Notifications.ToastContentBuilder()
- .AddText($"Successfully Processed {(GUIExclusions.selectedFiles!.Length)} file path(s) for exclusions.")
+ .AddAppLogoOverride(new Uri($"file:///{LogoOverride}"), ToastGenericAppLogoCrop.Circle)
- .AddInlineImage(new Uri($"file:///{Inline}"))
+ .AddText("Exclusions Processed.")
- .AddAudio(new Uri("ms-winsoundevent:Notification.SMS"))
+ .AddText($"Successfully Processed {(GUIExclusions.selectedFiles!.Length)} file path(s) for exclusions.")
- .AddAttributionText("Brought to you by Harden Windows Security")
+ .AddInlineImage(new Uri($"file:///{Inline}"))
- .AddHeader("00004", "End of Exclusions", "Action")
+ .AddAudio(new Uri("ms-winsoundevent:Notification.SMS"))
- .Show();
+ .AddAttributionText("Brought to you by Harden Windows Security")
- break;
- }
- case ToastNotificationType.EndOfBitLocker:
- {
- // Combine paths
- string Inline = Path.Combine(HardenWindowsSecurity.GlobalVars.path!, "Resources", "Media", "BitLockerToastNotificationImage.png");
+ .AddHeader("00004", "End of Exclusions", "Action")
- new Microsoft.Toolkit.Uwp.Notifications.ToastContentBuilder()
+ .Show();
- .AddAppLogoOverride(new Uri($"file:///{LogoOverride}"), ToastGenericAppLogoCrop.Circle)
+ break;
+ }
+ case ToastNotificationType.EndOfBitLocker:
+ {
+ // Combine paths
+ string Inline = Path.Combine(HardenWindowsSecurity.GlobalVars.path!, "Resources", "Media", "BitLockerToastNotificationImage.png");
- .AddText("BitLocker section Completed.")
+ new Microsoft.Toolkit.Uwp.Notifications.ToastContentBuilder()
- .AddText($"{BitLockerEncryptionTab} encryption section completed.")
+ .AddAppLogoOverride(new Uri($"file:///{LogoOverride}"), ToastGenericAppLogoCrop.Circle)
- .AddInlineImage(new Uri($"file:///{Inline}"))
+ .AddText("BitLocker section Completed.")
- .AddAudio(new Uri("ms-winsoundevent:Notification.SMS"))
+ .AddText($"{BitLockerEncryptionTab} encryption section completed.")
- .AddAttributionText("Brought to you by Harden Windows Security")
+ .AddInlineImage(new Uri($"file:///{Inline}"))
- .AddHeader("00004", "End of BitLocker Encryption", "Action")
+ .AddAudio(new Uri("ms-winsoundevent:Notification.SMS"))
- .Show();
+ .AddAttributionText("Brought to you by Harden Windows Security")
- break;
- }
+ .AddHeader("00004", "End of BitLocker Encryption", "Action")
- default:
- break;
+ .Show();
+
+ break;
+ }
+
+ default:
+ break;
+ }
}
+ catch (Exception ex)
+ {
+ Logger.LogMessage($"Failed to display toast notification: {ex}", LogTypeIntel.Warning);
+ }
+
}
}
}
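Review bot: The EndOfUnprotection, EndOfExclusions and EndOfBitLocker cases all call `.AddHeader("00004", …)` with different titles. The header id is what groups toasts in the notification center, so these three presumably end up under one shared header. Giving them distinct ids fixes that, e.g. `.AddHeader("00005", "End of Exclusions", "Action")` and `.AddHeader("00006", "End of BitLocker Encryption", "Action")`. Separately, the new `catch (Exception ex)` wraps the whole switch, so a null `GlobalVars.path` or `GUIExclusions.selectedFiles` (both behind `!`) is now reported only as "Failed to display toast notification" at Warning level. A short comment above the `try` saying the notification is deliberately best-effort would make that intent explicit.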
diff --git a/Harden-Windows-Security Module/Main files/C#/Others/RegistryEditor.cs b/Harden-Windows-Security Module/Main files/C#/Others/RegistryEditor.cs
index bf70cfd61..25c9b9816 100644
--- a/Harden-Windows-Security Module/Main files/C#/Others/RegistryEditor.cs
+++ b/Harden-Windows-Security Module/Main files/C#/Others/RegistryEditor.cs
@@ -20,7 +20,7 @@ public static void EditRegistry(string path, string key, string value, string ty
// Get the registry base key and the sub key path
string baseKey = path.Split('\\')[0];
- string subKeyPath = path.Substring(baseKey.Length + 1);
+ string subKeyPath = path[(baseKey.Length + 1)..];
RegistryKey baseRegistryKey;
diff --git a/Harden-Windows-Security Module/Main files/C#/Protect Methods/MiscellaneousConfigurations_WindowsProtectedPrint.cs b/Harden-Windows-Security Module/Main files/C#/Protect Methods/MiscellaneousConfigurations_WindowsProtectedPrint.cs
new file mode 100644
index 000000000..0417f0484
--- /dev/null
+++ b/Harden-Windows-Security Module/Main files/C#/Protect Methods/MiscellaneousConfigurations_WindowsProtectedPrint.cs
@@ -0,0 +1,28 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+#nullable enable
+
+namespace HardenWindowsSecurity
+{
+ public partial class MiscellaneousConfigurations
+ {
+
+ public static void MiscellaneousConfigurations_WindowsProtectedPrint()
+ {
+ if (HardenWindowsSecurity.GlobalVars.path == null)
+ {
+ throw new System.ArgumentNullException("GlobalVars.path cannot be null.");
+ }
+
+ HardenWindowsSecurity.Logger.LogMessage("Enabling Windows Protected Print", LogTypeIntel.Information);
+
+ HardenWindowsSecurity.LGPORunner.RunLGPOCommand(System.IO.Path.Combine(HardenWindowsSecurity.GlobalVars.path, "Resources", "Security-Baselines-X", "Miscellaneous Policies", "Windows Protected Print", "registry.pol"), LGPORunner.FileType.POL);
+
+ }
+
+ }
+}
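Review bot: `new System.ArgumentNullException("GlobalVars.path cannot be null.")` passes the text to the single-string constructor, which takes the parameter name, so the exception reads as if a parameter with that sentence as its name were null. `GlobalVars.path` is module state rather than an argument, so `throw new System.InvalidOperationException("GlobalVars.path cannot be null.");` describes the failure more accurately; check first whether any caller catches `ArgumentNullException` specifically. The same line is added in WindowsNetworking_BlockNTLM.cs. The five `using` directives at the top appear unused, since every type is fully qualified or lives in `HardenWindowsSecurity`. The method would also benefit from a `/// <summary>` stating that it applies the "Windows Protected Print" `registry.pol` through `LGPORunner.RunLGPOCommand`.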
diff --git a/Harden-Windows-Security Module/Main files/C#/Protect Methods/WindowsNetworking.cs b/Harden-Windows-Security Module/Main files/C#/Protect Methods/WindowsNetworking.cs
index e632c7d2f..0b6ae5e09 100644
--- a/Harden-Windows-Security Module/Main files/C#/Protect Methods/WindowsNetworking.cs
+++ b/Harden-Windows-Security Module/Main files/C#/Protect Methods/WindowsNetworking.cs
@@ -8,7 +8,7 @@
namespace HardenWindowsSecurity
{
- public class WindowsNetworking
+ public partial class WindowsNetworking
{
///
/// Runs the Windows Networking Hardening category
diff --git a/Harden-Windows-Security Module/Main files/C#/Protect Methods/WindowsNetworking_BlockNTLM.cs b/Harden-Windows-Security Module/Main files/C#/Protect Methods/WindowsNetworking_BlockNTLM.cs
new file mode 100644
index 000000000..327feb242
--- /dev/null
+++ b/Harden-Windows-Security Module/Main files/C#/Protect Methods/WindowsNetworking_BlockNTLM.cs
@@ -0,0 +1,21 @@
+#nullable enable
+
+namespace HardenWindowsSecurity
+{
+ public partial class WindowsNetworking
+ {
+ public static void WindowsNetworking_BlockNTLM()
+ {
+
+ if (HardenWindowsSecurity.GlobalVars.path == null)
+ {
+ throw new System.ArgumentNullException("GlobalVars.path cannot be null.");
+ }
+
+ HardenWindowsSecurity.Logger.LogMessage("Blocking NTLM", LogTypeIntel.Information);
+
+ HardenWindowsSecurity.LGPORunner.RunLGPOCommand(System.IO.Path.Combine(HardenWindowsSecurity.GlobalVars.path, "Resources", "Security-Baselines-X", "Windows Networking Policies", "Block NTLM", "registry.pol"), LGPORunner.FileType.POL);
+
+ }
+ }
+}
diff --git a/Harden-Windows-Security Module/Main files/Core/Protect-WindowsSecurity.psm1 b/Harden-Windows-Security Module/Main files/Core/Protect-WindowsSecurity.psm1
index 7964a1879..2b6b26e92 100644
--- a/Harden-Windows-Security Module/Main files/Core/Protect-WindowsSecurity.psm1
+++ b/Harden-Windows-Security Module/Main files/Core/Protect-WindowsSecurity.psm1
@@ -101,6 +101,16 @@ Function Protect-WindowsSecurity {
Invoke-Command -ScriptBlock $DynParamCreatorSubCategories -ArgumentList 'UAC_OnlyElevateSigned'
}
+ if ('WindowsNetworking' -in $PSBoundParameters['Categories']) {
+ # Create a dynamic parameter for -WindowsNetworking_BlockNTLM
+ Invoke-Command -ScriptBlock $DynParamCreatorSubCategories -ArgumentList 'WindowsNetworking_BlockNTLM'
+ }
+
+ if ('MiscellaneousConfigurations' -in $PSBoundParameters['Categories']) {
+ # Create a dynamic parameter for -Miscellaneous_WindowsProtectedPrint
+ Invoke-Command -ScriptBlock $DynParamCreatorSubCategories -ArgumentList 'Miscellaneous_WindowsProtectedPrint'
+ }
+
if ('CountryIPBlocking' -in $PSBoundParameters['Categories']) {
# Create a dynamic parameter for -CountryIPBlocking_OFAC
Invoke-Command -ScriptBlock $DynParamCreatorSubCategories -ArgumentList 'CountryIPBlocking_OFAC'
@@ -304,6 +314,8 @@ Function Protect-WindowsSecurity {
New-Variable -Name 'LockScreen_NoLastSignedIn' -Value $($PSBoundParameters['LockScreen_NoLastSignedIn']) -Force
New-Variable -Name 'UAC_NoFastSwitching' -Value $($PSBoundParameters['UAC_NoFastSwitching']) -Force
New-Variable -Name 'UAC_OnlyElevateSigned' -Value $($PSBoundParameters['UAC_OnlyElevateSigned']) -Force
+ New-Variable -Name 'WindowsNetworking_BlockNTLM' -Value $($PSBoundParameters['WindowsNetworking_BlockNTLM']) -Force
+ New-Variable -Name 'Miscellaneous_WindowsProtectedPrint' -Value $($PSBoundParameters['Miscellaneous_WindowsProtectedPrint']) -Force
New-Variable -Name 'CountryIPBlocking_OFAC' -Value $($PSBoundParameters['CountryIPBlocking_OFAC']) -Force
New-Variable -Name 'PathToLGPO' -Value $($PSBoundParameters['PathToLGPO']) -Force
New-Variable -Name 'PathToMSFT365AppsSecurityBaselines' -Value $($PSBoundParameters['PathToMSFT365AppsSecurityBaselines']) -Force
@@ -494,6 +506,7 @@ Function Protect-WindowsSecurity {
LockScreen_NoLastSignedIn -> Will not display the last signed in user at the lock screen
UAC_NoFastSwitching -> Hide entry points for fast user switching
UAC_OnlyElevateSigned -> Only elevate signed and validated executables
+ WindowsNetworking_BlockNTLM -> Will block NTLM completely
CountryIPBlocking_OFAC -> Include the IP ranges of OFAC Sanctioned Countries in the firewall block rules
Each of the switch parameters above will be dynamically generated based on the categories you choose.
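Review bot: The help text gains a line for `WindowsNetworking_BlockNTLM`, but `Miscellaneous_WindowsProtectedPrint`, which the same commit adds as a dynamic parameter and as a `New-Variable`, gets no entry. Add a matching line after it, for example `Miscellaneous_WindowsProtectedPrint -> Enables Windows Protected Print`, so the list stays in step with the parameters actually generated. The "Will block NTLM completely" line could also mention that NTLM-only authentication stops working, since that is the behaviour a user most needs to know before selecting the switch.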
diff --git a/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psd1 b/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psd1
index 81a4b21a5..5aa96a2f3 100644
--- a/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psd1
+++ b/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psd1
@@ -2,7 +2,7 @@
# https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_module_manifests
RootModule = 'Harden-Windows-Security-Module.psm1'
- ModuleVersion = '0.6.5'
+ ModuleVersion = '0.6.6'
CompatiblePSEditions = @('Core')
GUID = 'afae7a0a-5eff-4a4d-9139-e1702b7ac426'
Author = 'Violet Hansen'
@@ -74,7 +74,7 @@ Harden Windows Safely, Securely, only with Official Microsoft methods - 🦄 Int
Tags = @('Harden-Windows-Security', 'Harden', 'Windows', 'Security', 'Compliance', 'Validation', 'Baseline', 'Security-Score', 'Benchmark', 'Group-Policy')
LicenseUri = 'https://github.com/HotCakeX/.github/blob/main/LICENSE'
ProjectUri = 'https://github.com/HotCakeX/Harden-Windows-Security'
- IconUri = 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security%20Module/PowerShell%20Gallery%20Icon/Peach%20Small.png'
+ IconUri = 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/refs/heads/main/Harden-Windows-Security%20Module/ICON-FULLSIZE.png'
ReleaseNotes = @'
Complete detailed release notes available on GitHub releases: https://github.com/HotCakeX/Harden-Windows-Security/releases/
diff --git a/Harden-Windows-Security Module/Main files/Resources/Registry resources.csv b/Harden-Windows-Security Module/Main files/Resources/Registry resources.csv
index e40c8ceda..483611014 100644
--- a/Harden-Windows-Security Module/Main files/Resources/Registry resources.csv
+++ b/Harden-Windows-Security Module/Main files/Resources/Registry resources.csv
@@ -99,6 +99,10 @@ Group Policy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Wi
Group Policy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows NT\Printers,DisableHTTPPrinting,Disable HTTP Printing,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-connectivity?WT.mc_id=Portal-fx#diableprintingoverhttp
Group Policy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows NT\Printers,DisableWebPnPDownload,Disable Web PnP Download,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-icm#disablewebpnpdownload_1
Registry Keys,WindowsNetworking,HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Services\NetBT\Parameters,EnableLMHOSTS,Disable LMHOSTS lookup protocol on all network adapters,DWORD,0,false,
+Group Policy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanServer,EnableSMBQUIC,Enable SMB Server Over QUIC,DWORD,1,false,
+Group Policy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanWorkstation,EnableSMBQUIC,Enable SMB Client Over QUIC,DWORD,1,false,
+Group Policy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanServer,CipherSuiteOrder,SMB Server Cipher Suite Order,MULTI_STRING,"AES_256_GCM,AES_256_CCM,AES_128_GCM,AES_128_CCM",false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-lanmanserver#pol_ciphersuiteorder
+Group Policy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanWorkstation,CipherSuiteOrder,SMB Client Cipher Suite Order,MULTI_STRING,"AES_256_GCM,AES_256_CCM,AES_128_GCM,AES_128_CCM",false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-lanmanworkstation#pol_ciphersuiteorder
Group Policy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanServer,MinSmb2Dialect,Sets the minimum SMB server version,DWORD,785,false,
Group Policy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanWorkstation,MinSmb2Dialect,Sets the minimum SMB client version,DWORD,785,false,
Group Policy,WindowsNetworking,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\LanmanWorkstation,BlockNTLM,Blocks NTLM for SMB,DWORD,1,false,
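Review bot: The two `CipherSuiteOrder` rows store a `MULTI_STRING` value as a single quoted, comma-joined field, `"AES_256_GCM,AES_256_CCM,AES_128_GCM,AES_128_CCM"`, and this diff does not show whether the code that reads the file splits it into separate strings before comparing it with the registry. It is worth confirming that the comparison is element-wise and order-sensitive, because the preference order is the whole point of the policy, and a set-style or substring match would also accept the default order quoted in the README entries. The two `EnableSMBQUIC` rows leave the reference column empty; the link already used in the README entries, `https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-over-quic`, could go there.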
@@ -118,6 +122,7 @@ Registry Keys,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,SOFTWARE\WOW6432Nod
Registry Keys,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Microsoft\Cryptography\Wintrust\Config,EnableCertPaddingCheck,WinVerifyTrust Signature Validation part 1,String,1,false,
Registry Keys,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config,EnableCertPaddingCheck,WinVerifyTrust Signature Validation part 2,String,1,false,
Group Policy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,EnableCbacAndArmor,Request claims and compound authentication for DAC and Kerberos armoring,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-kerberos#kerberosclientsupportsclaimscompoundarmor
+Group Policy,MiscellaneousConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows NT\Printers\WPP,WindowsProtectedPrintGroupPolicyState,Enable Windows Protected Print,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-printers#configurewindowsprotectedprint
Group Policy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate,AllowAutoWindowsUpdateDownloadOverMeteredNetwork,Allow updates to be downloaded automatically over metered connections,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#allowautowindowsupdatedownloadovermeterednetwork
Group Policy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate,AllowTemporaryEnterpriseFeatureControl,Enable features introduced via servicing that are off by default,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#allowtemporaryenterprisefeaturecontrol
Group Policy,WindowsUpdateConfigurations,HKEY_LOCAL_MACHINE,Software\Policies\Microsoft\Windows\WindowsUpdate,ConfigureDeadlineNoAutoRebootForFeatureUpdates,Specify the number of days before feature updates are installed on devices automatically,DWORD,1,false,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#configuredeadlinenoautorebootforfeatureupdates
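Review bot: The `WindowsProtectedPrintGroupPolicyState` row is filed under the plain `MiscellaneousConfigurations` category, but the setting ships in its own `Windows Protected Print/registry.pol`, and the GUI handler applies it only when the `Miscellaneous_WindowsProtectedPrint` sub-category is selected. If this CSV is what the compliance check reads (not visible in this diff), a machine hardened without that optional switch would be reported as non-compliant for the category. Either mark the row as belonging to the optional sub-category, if the file format allows it, or document that the check expects the switch to have been used.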
diff --git a/Harden-Windows-Security Module/Main files/Resources/Security-Baselines-X/Miscellaneous Policies/Windows Protected Print/registry.pol b/Harden-Windows-Security Module/Main files/Resources/Security-Baselines-X/Miscellaneous Policies/Windows Protected Print/registry.pol
new file mode 100644
index 000000000..c04f20405
Binary files /dev/null and b/Harden-Windows-Security Module/Main files/Resources/Security-Baselines-X/Miscellaneous Policies/Windows Protected Print/registry.pol differ
diff --git a/Harden-Windows-Security Module/Main files/Resources/Security-Baselines-X/Windows Networking Policies/Block NTLM/registry.pol b/Harden-Windows-Security Module/Main files/Resources/Security-Baselines-X/Windows Networking Policies/Block NTLM/registry.pol
new file mode 100644
index 000000000..2744fda6a
Binary files /dev/null and b/Harden-Windows-Security Module/Main files/Resources/Security-Baselines-X/Windows Networking Policies/Block NTLM/registry.pol differ
diff --git a/Harden-Windows-Security Module/Main files/Resources/Security-Baselines-X/Windows Networking Policies/registry.pol b/Harden-Windows-Security Module/Main files/Resources/Security-Baselines-X/Windows Networking Policies/registry.pol
index e618f0719..3d3044126 100644
Binary files a/Harden-Windows-Security Module/Main files/Resources/Security-Baselines-X/Windows Networking Policies/registry.pol and b/Harden-Windows-Security Module/Main files/Resources/Security-Baselines-X/Windows Networking Policies/registry.pol differ
diff --git a/Harden-Windows-Security Module/Main files/Resources/XAML/Protect.xaml b/Harden-Windows-Security Module/Main files/Resources/XAML/Protect.xaml
index d6e4b0953..e8dbb365b 100644
--- a/Harden-Windows-Security Module/Main files/Resources/XAML/Protect.xaml
+++ b/Harden-Windows-Security Module/Main files/Resources/XAML/Protect.xaml
@@ -3,9 +3,9 @@
xmlns:d="http://schemas.microsoft.com/expression/blend/2008"
xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"
Style="{StaticResource Page_Style}" Background="Transparent" FontFamily="Trebuchet MS" FontSize="16"
- ToolTipService.InitialShowDelay="500"
+ ToolTipService.InitialShowDelay="1000"
ToolTipService.ShowDuration="2147483647"
- ToolTipService.BetweenShowDelay="0"
+ ToolTipService.BetweenShowDelay="1000"
ToolTipService.ShowOnDisabled="True">
@@ -114,61 +114,61 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -184,37 +184,43 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
-
+
diff --git a/Harden-Windows-Security Module/Main files/Resources/XAML/ResourceDictionaries/Page.xaml b/Harden-Windows-Security Module/Main files/Resources/XAML/ResourceDictionaries/Page.xaml
index b1b00a473..ea49ed30e 100644
--- a/Harden-Windows-Security Module/Main files/Resources/XAML/ResourceDictionaries/Page.xaml
+++ b/Harden-Windows-Security Module/Main files/Resources/XAML/ResourceDictionaries/Page.xaml
@@ -18,13 +18,13 @@
-- [Blocks NTLM](https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-ntlm-blocking-now-supported-in-windows-insider/ba-p/3916206) completely for SMB.
+- [Blocks NTLM](https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-ntlm-blocking-now-supported-in-windows-insider/ba-p/3916206) completely for SMB.
@@ -1091,6 +1091,22 @@ NistP384
- [Enables encryption](https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-security) for SMB Server. Its status can be checked using the following PowerShell command: `(get-SmbServerConfiguration).EncryptData`. If the returned value is `$True` then SMB Encryption is turned on.
+
+
+- Enables [QUIC](https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-over-quic) for SMB Client.
+
+
+
+- Enables [QUIC](https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-over-quic) for SMB Server.
+
+
+
+- Configures the Cipher Suites from the default value of `AES_128_GCM,AES_128_CCM,AES_256_GCM,AES_256_CCM` to `AES_256_GCM,AES_256_CCM,AES_128_GCM,AES_128_CCM` for the SMB Client. [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-lanmanworkstation#pol_ciphersuiteorder)
+
+
+
+- Configures the Cipher Suites from the default value of `AES_128_GCM,AES_128_CCM,AES_256_GCM,AES_256_CCM` to `AES_256_GCM,AES_256_CCM,AES_128_GCM,AES_128_CCM` for the SMB Server. [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-lanmanserver#pol_ciphersuiteorder)
+
💡 (back to categories)
@@ -1176,16 +1192,20 @@ NistP384
-- Enables [Command line process auditing](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing) [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-auditsettings#includecmdline)
+- Enables [Command line process auditing](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing). [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-auditsettings#includecmdline)
-- Enables the RPC Endpoint Mapper Client Authentication policy [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-remoteprocedurecall#rpcendpointmapperclientauthentication)
+- Enables the RPC Endpoint Mapper Client Authentication policy. [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-remoteprocedurecall#rpcendpointmapperclientauthentication)
- Enables a policy that requests claims and compound authentication for Dynamic Access Control and Kerberos armoring. [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-kerberos#kerberosclientsupportsclaimscompoundarmor)
+
+
+- Enables [Windows Protected Print](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/a-new-modern-and-secure-print-experience-from-windows/ba-p/4002645). [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-printers#configurewindowsprotectedprint)
+
💡 (back to categories)
@@ -1214,7 +1234,7 @@ In Windows by default, devices will scan daily, automatically download and insta
-- Enables "Notify me when a restart is required to finish updating" [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#schedulerestartwarning)
+- Enables "Notify me when a restart is required to finish updating". [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#schedulerestartwarning)
diff --git "a/Wiki posts/Harden\342\200\220Windows\342\200\220Security\342\200\220Module/Harden\342\200\220Windows\342\200\220Security\342\200\220Module.md" "b/Wiki posts/Harden\342\200\220Windows\342\200\220Security\342\200\220Module/Harden\342\200\220Windows\342\200\220Security\342\200\220Module.md"
index 79d482fd3..c61f956f6 100644
--- "a/Wiki posts/Harden\342\200\220Windows\342\200\220Security\342\200\220Module/Harden\342\200\220Windows\342\200\220Security\342\200\220Module.md"
+++ "b/Wiki posts/Harden\342\200\220Windows\342\200\220Security\342\200\220Module/Harden\342\200\220Windows\342\200\220Security\342\200\220Module.md"
@@ -305,16 +305,18 @@ The path to the 'Microsoft 365 Apps for Enterprise zip'. Make sure it's in the z
| Parameter Name | Description | Required Category |
|:---------------------------------------:|:-------------------------------------------:|:-----------------:|
-|SecBaselines_NoOverrides | Applies the Microsoft Security Baselines without the optional overrides | MicrosoftSecurityBaselines |
-|MSFTDefender_SAC | Enables Smart App Control | MicrosoftDefender |
-|MSFTDefender_NoDiagData | Will not enable optional diagnostics data required for Smart App Control (Does not have any effect if Smart App Control is already turned on) | MicrosoftDefender |
-|MSFTDefender_NoScheduledTask | Will not create scheduled task for fast MSFT driver block rules | MicrosoftDefender |
-|MSFTDefender_BetaChannels | Set Defender Engine and Intelligence update channels to beta | MicrosoftDefender |
-|LockScreen_CtrlAltDel | Require CTRL + ALT + Delete at lock screen | LockScreen |
-|LockScreen_NoLastSignedIn | Will not display the last signed in user at the lock screen | LockScreen |
-|UAC_NoFastSwitching | Hide entry points for fast user switching | UserAccountControl |
-|UAC_OnlyElevateSigned | Only elevate signed and validated executables | UserAccountControl |
-|CountryIPBlocking_OFAC | Include the IP ranges of OFAC Sanctioned Countries in the firewall block rules | CountryIPBlocking |
+| SecBaselines_NoOverrides | Applies the Microsoft Security Baselines without the optional overrides | MicrosoftSecurityBaselines |
+| MSFTDefender_SAC | Enables Smart App Control | MicrosoftDefender |
+| MSFTDefender_NoDiagData | Will not enable optional diagnostics data required for Smart App Control (Does not have any effect if Smart App Control is already turned on) | MicrosoftDefender |
+| MSFTDefender_NoScheduledTask | Will not create scheduled task for fast MSFT driver block rules | MicrosoftDefender |
+| MSFTDefender_BetaChannels | Set Defender Engine and Intelligence update channels to beta | MicrosoftDefender |
+| LockScreen_CtrlAltDel | Require CTRL + ALT + Delete at lock screen | LockScreen |
+| LockScreen_NoLastSignedIn | Will not display the last signed in user at the lock screen | LockScreen |
+| UAC_NoFastSwitching | Hide entry points for fast user switching | UserAccountControl |
+| UAC_OnlyElevateSigned | Only elevate signed and validated executables | UserAccountControl |
+| WindowsNetworking_BlockNTLM | Blocks NTLM Completely | WindowsNetworking |
+| Miscellaneous_WindowsProtectedPrint | Enables Windows Protected Print Mode | MiscellaneousConfigurations |
+| CountryIPBlocking_OFAC | Include the IP ranges of OFAC Sanctioned Countries in the firewall block rules | CountryIPBlocking |
| DangerousScriptHostsBlocking | Deploys the Dangerous Script Hosts Blocking WDAC Policy | DownloadsDefenseMeasures |