# yaml-language-server: $schema=./.schema.yaml
# ↑ Adds schema support in VS Code for auto-completion and validation.
# Structure is documented in "docs/collection-files.md"
os: windows
scripting:
  language: batchfile
  startCode: |-
    @echo off
    :: {{ $homepage }} — v{{ $version }} — {{ $date }}
    :: Ensure admin privileges
    fltmc >nul 2>&1 || (
        echo Administrator privileges are required.
        PowerShell Start -Verb RunAs '%0' 2> nul || (
            echo Right-click on the script and select "Run as administrator".
            pause & exit 1
        )
        exit 0
    )
    :: Initialize environment
    setlocal EnableExtensions DisableDelayedExpansion
  endCode: |-
    :: Pause the script to view the final state
    pause
    :: Restore previous environment settings
    endlocal
    :: Exit the script successfully
    exit /b 0
actions:
  -
    category: Privacy cleanup
    children:
      -
        category: Clear recent activity logs
        docs: |-
          This category encompasses a suite of scripts designed to erase traces of a user's recent activities.
          These activities include files accessed, applications used, and system settings altered.
          The primary objective of this category is to enhance user privacy by removing records that could potentially reveal personal usage patterns, habits, and preferences.
          By doing so, these scripts contribute significantly to safeguarding personal and sensitive information from unauthorized access and analysis.
        children:
          -
            category: Clear Quick Access (jump) lists
            docs: |-
              This category focuses on managing Jump Lists in Windows.
              This feature was first introduced with Windows 7 in July 2009 and has been included in subsequent versions [1] [2] [3].
              These lists are found in the Start Menu or Taskbar and provide quick access to recently opened files and folders [1] [2] [3] [4] [5].

              The privacy concern with Jump Lists is their detailed recording of user activities.
              They store data such as file names, directory paths, MAC (Modified, Accessed, Created) timestamps, network information, volume names, and file sizes [2] [3] [4] [6].
              This information is utilized in forensic analysis to reveal user behavior and interactions with the system [1] [2] [3] [4] [5].
              Authorities frequently examine these files for investigative purposes [3].

              Clearing these Jump Lists is crucial for maintaining privacy.
              It helps remove traces of user activities, particularly those involving personal or confidential files.
              By doing so, users prevent the easy accessibility of their activity history, an important privacy measure since these records can persist long after the original files and applications are deleted [3] [5].

              [1]: https://web.archive.org/web/20231128091134/https://www.forensicfocus.com/articles/forensic-analysis-of-windows-7-jump-lists/ "Forensic Analysis of Windows 7 Jump Lists - Forensic Focus | forensicfocus.com"
              [2]: https://web.archive.org/web/20210205154335/https://cyberforensicator.com/wp-content/uploads/2017/01/1-s2.0-S1742287616300202-main.2-14.pdf "A forensic insight into Windows 10 Jump Lists | Bhupendra Singh, Upasna Sin | Dept. of Computer Engineering, Defence Institute of Advanced Technology (DU), Girinagar, Pune, India"
              [3]: https://web.archive.org/web/20231128094035/https://forensafe.com/blogs/jumplist.html "Jump Lists Blog | forensafe.com"
              [4]: https://web.archive.org/web/20231128091208/https://www.justice.gov/usao/page/file/931366/download "Forensic Science and Forensic Evidence I | United States Attorneys' Bulletin | justice.gov"
              [5]: https://web.archive.org/web/20231128091107/https://www.slideshare.net/ctin/windows-7-forensics-jump-listsrv3public "Windows 7 forensics jump lists-rv3-public | PPT | slideshare.net"
              [6]: https://web.archive.org/web/20231128095448/https://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf "The Meaning of Linkfiles In Forensic Examinations | Harry Parsonage | computerforensics.parsonage.co.uk"
            children:
              -
                name: Clear recently accessed files list
                recommend: standard
                docs: |-
                  This script clears the `AutomaticDestinations` Jump List files in Windows.
                  It improves user privacy by removing traces of recent file and application usage.

                  These files are automatically created when a user opens a file or an application [1].
                  They help users quickly access recently or frequently used items, usually via the Windows taskbar [2].
                  They are hidden and do not appear in Windows Explorer [3].
                  The files are located in `%APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations` [2] [3] [4].
                  These files are identified by the `automaticDestinations-ms` extension [3].

                  However, these files also record detailed user activity, such as timestamps, file locations, network information, and usage frequency [1] [3] [4] [5].
                  They store comprehensive data including boot session times, sequence numbers, user directories, and MAC addresses of network cards [1] [5].
                  Web search strings from browsers like Edge, Firefox, Chrome, and Opera, used by Cortana, are also stored in these files [3].
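Because these Jump List files are hidden and are deleted irreversibly, a practitioner will usually want to see what is there before clearing it. The PowerShell below is an added example, not code from the privacy.sexy collection or its `ClearDirectoryContents` function: it inventories both the `AutomaticDestinations` and `CustomDestinations` directories described in this category and clears them with a `-WhatIf` preview. It assumes Windows PowerShell 5.1 or later and the default `%APPDATA%\Microsoft\Windows\Recent` location; the function names `Get-JumpListInventory` and `Clear-JumpLists` are this example's own.

```powershell
# Added example (not part of the privacy.sexy collection): inventory and clear the
# current user's Jump List files with a preview step. Assumes PowerShell 5.1+ and
# the default %APPDATA%\Microsoft\Windows\Recent location.

function Get-JumpListInventory {
    [CmdletBinding()]
    param(
        [string]$RecentRoot = (Join-Path $env:APPDATA 'Microsoft\Windows\Recent')
    )
    foreach ($kind in 'AutomaticDestinations', 'CustomDestinations') {
        $dir = Join-Path $RecentRoot $kind
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
        # -Force includes hidden and system items, which plain Get-ChildItem skips.
        Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Kind          = $kind
                    # The file name stem is the AppID, a 16-hex-digit hash of the owning application.
                    AppId         = $_.BaseName
                    SizeBytes     = $_.Length
                    LastWriteTime = $_.LastWriteTime
                    Hidden        = [bool]($_.Attributes -band [System.IO.FileAttributes]::Hidden)
                    Path          = $_.FullName
                }
            }
    }
}

function Clear-JumpLists {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$RecentRoot = (Join-Path $env:APPDATA 'Microsoft\Windows\Recent')
    )
    $removed = 0
    $skipped = @()
    foreach ($file in Get-JumpListInventory -RecentRoot $RecentRoot) {
        if (-not $PSCmdlet.ShouldProcess($file.Path, 'Remove Jump List file')) { continue }
        try {
            Remove-Item -LiteralPath $file.Path -Force -ErrorAction Stop
            $removed++
        } catch {
            # Explorer may hold the list it is currently displaying open; report rather than abort.
            $skipped += $file.Path
            Write-Warning "Could not remove $($file.Path): $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{ Removed = $removed; Skipped = $skipped }
}

# Usage: review what would be removed, then run Clear-JumpLists again without -WhatIf.
Get-JumpListInventory | Sort-Object LastWriteTime -Descending |
    Format-Table Kind, AppId, SizeBytes, LastWriteTime -AutoSize
Clear-JumpLists -WhatIf
```

The inventory step is the check the scripts in this category do not give you: the `LastWriteTime` column shows how far back the recorded activity reaches, and the `Skipped` list in the result tells you which files were in use and still hold data after a run.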
                  By clearing these files, the script not only removes the history of user activity but also reduces the risk of this data being analyzed to construct user activity timelines [1].
                  Such analysis could potentially expose personal usage patterns and behaviors, compromising privacy.

                  [1]: https://web.archive.org/web/20231128094035/https://forensafe.com/blogs/jumplist.html "Jump Lists Blog | forensafe.com"
                  [2]: https://web.archive.org/web/20231128091208/https://www.justice.gov/usao/page/file/931366/download "Forensic Science and Forensic Evidence I | United States Attorneys' Bulletin | justice.gov"
                  [3]: https://web.archive.org/web/20210205154335/https://cyberforensicator.com/wp-content/uploads/2017/01/1-s2.0-S1742287616300202-main.2-14.pdf "A forensic insight into Windows 10 Jump Lists | Bhupendra Singh, Upasna Sin | Dept. of Computer Engineering, Defence Institute of Advanced Technology (DU), Girinagar, Pune, India"
                  [4]: https://web.archive.org/web/20231128091107/https://www.slideshare.net/ctin/windows-7-forensics-jump-listsrv3public "Windows 7 forensics jump lists-rv3-public | PPT | slideshare.net"
                  [5]: https://web.archive.org/web/20231128095448/https://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf "The Meaning of Linkfiles In Forensic Examinations | Harry Parsonage | computerforensics.parsonage.co.uk"
                call:
                  function: ClearDirectoryContents
                  parameters:
                    directoryGlob: '%APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations'
              -
                name: Clear pinned items for the user
                docs: |-
                  This script removes `CustomDestinations` Jump List files in Windows.
                  These files are hidden [1] and located in `%APPDATA%\Microsoft\Windows\Recent\CustomDestinations` [1] [2] [3].

                  `CustomDestinations` files are created by different applications to let users pin items such as tasks, files, or applications.
                  This includes tasks like opening a new browser window or creating a new spreadsheet [2], as well as frequently used files and applications [3] [4].
                  They are commonly used by web browsers and media players to store a user's web history and other activities [1].

                  The privacy concern arises because these files not only record pinned items but also store detailed data about user interactions.
                  This includes file opening, modification, and access times, along with the full directory path and volume information [3] [4].
                  Such information, if accessed, could potentially reveal personal habits and preferences [1] [2] [3].

                  Clearing these files prevents the potential use of this data in reconstructing a user's activity history, which is particularly sensitive when it involves personal or confidential information.
                  The script thus plays a crucial role in maintaining the confidentiality and privacy of the user's digital activities.

                  [1]: https://web.archive.org/web/20210205154335/https://cyberforensicator.com/wp-content/uploads/2017/01/1-s2.0-S1742287616300202-main.2-14.pdf "A forensic insight into Windows 10 Jump Lists | Bhupendra Singh, Upasna Sin | Dept. of Computer Engineering, Defence Institute of Advanced Technology (DU), Girinagar, Pune, India"
                  [2]: https://web.archive.org/web/20231128091107/https://www.slideshare.net/ctin/windows-7-forensics-jump-listsrv3public "Windows 7 forensics jump lists-rv3-public | PPT | slideshare.net"
                  [3]: https://web.archive.org/web/20231128091208/https://www.justice.gov/usao/page/file/931366/download "Forensic Science and Forensic Evidence I | United States Attorneys' Bulletin | justice.gov"
                  [4]: https://web.archive.org/web/20231128094035/https://forensafe.com/blogs/jumplist.html "Jump Lists Blog | forensafe.com"
                call:
                  function: ClearDirectoryContents
                  parameters:
                    directoryGlob: '%APPDATA%\Microsoft\Windows\Recent\CustomDestinations'
          -
            category: Clear Windows Registry usage data
            docs: |-
              The Windows Registry is a hierarchical database that stores settings, configurations, and options for the operating system, installed applications, and user preferences.
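The scripts in this category run `reg delete <key> /va /f`, which removes every value under a key without showing what was there; `reg delete` also exits with an error when the key is absent. The PowerShell below is an added example, not code from the privacy.sexy collection: it reads the most-recently-used (MRU) entries from a set of HKCU keys named by this category and lists them in the order Windows presents them, so the removal can be audited first. It assumes Windows PowerShell 5.1 or later and is read-only; the function name `Get-RegistryMruEntries` and the choice of keys are this example's own, and the HKLM counterparts the scripts also clear are not covered.

```powershell
# Added example (not part of the privacy.sexy collection): preview the values that
# `reg delete <key> /va /f` would remove from MRU keys in this category. Read-only;
# assumes PowerShell 5.1+ and runs against the current user's HKCU hive.

function Get-RegistryMruEntries {
    [CmdletBinding()]
    param(
        # Keys drawn from this category; adjust the list as needed.
        [string[]]$KeyPath = @(
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List',
            'HKCU:\Software\Microsoft\Search Assistant\ACMru'
        )
    )
    foreach ($path in $KeyPath) {
        $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if ($null -eq $key) {
            # `reg delete ... /f` fails on an absent key; here it simply means nothing to clear.
            Write-Verbose "Absent: $path"
            continue
        }
        # RunMRU-style keys store each entry under a single-letter value name and record the
        # recency order (most recent first) in the MRUList string. Keys without MRUList
        # (TypedPaths, Recent File List) are listed in value-name order instead.
        $mruList = $key.GetValue('MRUList')
        $names = if ($mruList) {
            ([string]$mruList).ToCharArray() | ForEach-Object { [string]$_ }
        } else {
            $key.GetValueNames() | Where-Object { $_ -ne '' } | Sort-Object
        }
        $rank = 0
        foreach ($name in $names) {
            $raw = $key.GetValue($name)
            if ($null -eq $raw) { continue }
            $rank++
            [pscustomobject]@{
                Key   = $path
                Rank  = $rank
                Name  = $name
                # RunMRU appends "\1" to each stored command; strip it for readability.
                Value = ([string]$raw) -replace '\\1$', ''
            }
        }
    }
}

# Usage: review the entries, then run this category's scripts to clear them.
Get-RegistryMruEntries -Verbose | Format-Table Key, Rank, Name, Value -AutoSize
```

Running this before and after the cleanup scripts is a simple way to confirm they worked: the second run should report every key as absent or return no rows, and the `-Verbose` output distinguishes a key that never existed from one that was emptied.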
              Over time, as users interact with their system and software, usage data and traces get stored in the registry.
              This category focuses on clearing specific types of this usage data, ensuring privacy and potentially improving system responsiveness.
            children:
              -
                name: Clear last `regedit` key
                recommend: standard
                code: |-
                  reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit" /va /f
                  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit" /va /f
              -
                name: Clear favorite keys in `regedit`
                recommend: standard
                code: |-
                  reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" /va /f
                  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" /va /f
              -
                name: Clear recently opened applications list
                recommend: standard
                code: |-
                  reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU" /va /f
                  reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy" /va /f
              -
                name: Clear "Adobe Media Browser" most recently used (MRU) list
                recommend: standard
                code: reg delete "HKCU\Software\Adobe\MediaBrowser\MRU" /va /f
              -
                name: Clear "MSPaint" most recently used (MRU) list
                recommend: standard
                code: |-
                  reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List" /va /f
                  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List" /va /f
              -
                name: Clear "Wordpad" most recently used (MRU) list
                recommend: standard
                code: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List" /va /f
              -
                name: Clear "Map Network Drive" most recently used (MRU) list
                recommend: standard
                code: |-
                  reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU" /va /f
                  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU" /va /f
              -
                name: Clear "Windows Search Assistant" history
                recommend: standard
                code: reg delete "HKCU\Software\Microsoft\Search Assistant\ACMru" /va /f
              -
                name: Clear recently opened files list for each file type
                recommend: standard
                code: |-
                  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" /va /f
                  reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" /va /f
                  reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU" /va /f
              -
                name: Clear Windows Media Player recent files and URLs
                recommend: standard
                code: |-
                  reg delete "HKCU\Software\Microsoft\MediaPlayer\Player\RecentFileList" /va /f
                  reg delete "HKCU\Software\Microsoft\MediaPlayer\Player\RecentURLList" /va /f
                  reg delete "HKLM\SOFTWARE\Microsoft\MediaPlayer\Player\RecentFileList" /va /f
                  reg delete "HKLM\SOFTWARE\Microsoft\MediaPlayer\Player\RecentURLList" /va /f
              -
                name: Clear most recent DirectX application usage
                recommend: standard
                code: |-
                  reg delete "HKCU\Software\Microsoft\Direct3D\MostRecentApplication" /va /f
                  reg delete "HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication" /va /f
              -
                name: Clear "Windows Run" most recently used (MRU) list and typed paths
                recommend: standard
                code: |-
                  reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /va /f
                  reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths" /va /f
      -
        category: Clear third-party application data
        children:
          -
            category: Clear privacy.sexy data
            # Marked: refactor-with-variables, refactor-with-partials
            # - Documentation is the same across macOS, Linux and Windows; it should be shared rather than duplicated.
            docs: |-
              This category offers scripts to remove data left by the privacy.sexy desktop application, helping you ensure your privacy by eliminating all traces of use.
              The web application version of privacy.sexy does not create or store user data on your device [1], so this category is applicable to desktop application users only.
              These scripts are designed for anyone wanting to ensure their script activities leave no trace on their systems.

              > **Caution**:
              > Deleting this data might affect security [2] and troubleshooting [1]:
              > - Logs are valuable for diagnosing issues and understanding past actions [1].
              > - Script files can help review changes made to the system and aid in reverting those changes if needed.

              [1]: https://github.com/undergroundwires/privacy.sexy/blob/master/docs/desktop/desktop-vs-web-features.md "Desktop vs. Web Features | privacy.sexy | github.com"
              [2]: https://github.com/undergroundwires/privacy.sexy/blob/master/SECURITY.md "SECURITY.md | privacy.sexy | github.com"
            children:
              -
                name: Clear privacy.sexy script history
                docs: |-
                  This script removes script files generated by the privacy.sexy desktop application.
                  The desktop version executes scripts directly on your device [1], saving a script file for execution [1], troubleshooting [1], and security [2].
                  By running this script, you remove the executed script files, enhancing your privacy by ensuring that there is no residual data that could reveal your usage patterns or preferences.

                  > **Caution**:
                  > - This action is irreversible. Deleted script files cannot be retrieved.
                  > - These files might be necessary for troubleshooting if you experience issues after using privacy.sexy scripts.

                  [1]: https://github.com/undergroundwires/privacy.sexy/blob/master/docs/desktop/desktop-vs-web-features.md "Desktop vs. Web Features | privacy.sexy | github.com"
                  [2]: https://github.com/undergroundwires/privacy.sexy/blob/master/SECURITY.md "SECURITY.md | privacy.sexy | github.com"
                call:
                  function: ClearDirectoryContents
                  parameters:
                    directoryGlob: '%APPDATA%\privacy.sexy\runs'
              -
                name: Clear privacy.sexy activity logs
                docs: |-
                  This script removes log files generated by the privacy.sexy desktop application.
                  Unlike the web version, the desktop application records logs for troubleshooting [1].
                  Additionally, these logs offer auditing and transparency for security [2].
                  Deleting these logs can help maintain your privacy by ensuring there are no records of the application's activities on your system.

                  > **Caution**:
                  > - Removing logs will prevent you from reviewing the application's activities, which could be helpful in diagnosing issues.
                  > - Logs can contain valuable information for technical support should you need assistance.

                  [1]: https://github.com/undergroundwires/privacy.sexy/blob/master/docs/desktop/desktop-vs-web-features.md "Desktop vs. Web Features | privacy.sexy | github.com"
                  [2]: https://github.com/undergroundwires/privacy.sexy/blob/master/SECURITY.md "SECURITY.md | privacy.sexy | github.com"
                call:
                  function: ClearDirectoryContents
                  parameters:
                    directoryGlob: '%APPDATA%\privacy.sexy\logs'
          -
            name: Clear Listary search index
            call:
              function: ClearDirectoryContents
              parameters:
                directoryGlob: '%APPDATA%\Listary\UserData'
          -
            name: Clear Java cache
            recommend: strict
            call:
              function: ClearDirectoryContents
              parameters:
                directoryGlob: '%APPDATA%\Sun\Java\Deployment\cache'
          -
            name: Clear Flash Player traces
            recommend: standard
            call:
              function: ClearDirectoryContents
              parameters:
                directoryGlob: '%APPDATA%\Macromedia\Flash Player'
          -
            category: Clear Steam data
            children:
              -
                name: Clear Steam dumps
                recommend: standard
                call:
                  function: ClearDirectoryContents
                  parameters:
                    directoryGlob: '%PROGRAMFILES(X86)%\Steam\Dumps'
              -
                name: Clear Steam traces
                recommend: standard
                call:
                  function: ClearDirectoryContents
                  parameters:
                    directoryGlob: '%PROGRAMFILES(X86)%\Steam\Traces'
              -
                name: Clear Steam cache
                recommend: standard
                call:
                  function: ClearDirectoryContents
                  parameters:
                    directoryGlob: '%ProgramFiles(x86)%\Steam\appcache'
          -
            category: Clear Visual Studio usage data
            docs: |-
              Visual Studio is an integrated development environment (IDE) from Microsoft that is used to develop software [1].
              Visual Studio stores data such as your usage of the software and information about your hardware [2].
              The data is stored both in the Microsoft cloud [3] and locally on the computer.
              These scripts allow you to delete the local data that might reveal personally identifiable information about you or the way you use the product.

              [1]: https://learn.microsoft.com/en-us/visualstudio/get-started/visual-studio-ide?view=vs-2022 "What is the Visual Studio IDE? | Microsoft Learn | learn.microsoft.com"
              [2]: https://web.archive.org/web/20240314092010/https://learn.microsoft.com/en-us/visualstudio/ide/visual-studio-experience-improvement-program?view=vs-2022 "Visual Studio Customer Experience Improvement Program | Microsoft Learn | learn.microsoft.com"
              [3]: https://www.infoworld.com/article/2609774/microsoft-reinvents-visual-studio-as-an-azure-cloud-service.html "Microsoft reinvents Visual Studio as an Azure cloud service | InfoWorld"
            children:
              -
                category: Clear Visual Studio telemetry and feedback data
                docs: |-
                  These scripts delete data about you and your behavior that Visual Studio stores locally on your computer.
                  They do not clear data that has already been collected on Microsoft servers, but they can prevent more data from being sent by deleting data that is waiting to be sent.
                children:
                  -
                    name: Clear offline Visual Studio usage telemetry data
                    recommend: standard
                    docs: |-
                      This script clears offline telemetry data in Visual Studio.
                      This telemetry data is stored in SQM (*Service Quality Monitoring* or *Software Quality Metrics* [2]) files, which contain details about application usage, errors, and performance [1].
                      SQM files are created and used by Microsoft to gather data for the Microsoft Customer Experience Improvement Program [2].
                      When Visual Studio is offline, it stores these SQM files locally in `%LOCALAPPDATA%\Microsoft\VSCommon\\SQM` [3].
                      Accumulation of these files can significantly slow down Visual Studio.
                      Removing these files can speed up Visual Studio, as reported by the user community [3].
                      By clearing these files, this script helps mitigate potential privacy concerns and maintain application efficiency.

                      [1]: https://web.archive.org/web/20231206212243/https://file.org/extension/sqm "SQM File: How to open SQM file (and what it is) | file.org"
                      [2]: https://web.archive.org/web/20231206212102/https://devblogs.microsoft.com/oldnewthing/20100406-00/?p=14393 "Microspeak: SQMmed - The Old New Thing | devblogs.microsoft.com"
                      [3]: https://web.archive.org/web/20240314062704/https://stackoverflow.com/questions/17643535/slow-visual-studio-related-to-sqmclient/38862596#38862596 "Process monitor - Slow Visual Studio, related to SQMClient? | Stack Overflow | stackoverflow.com"
                    call:
                      -
                        function: ClearDirectoryContents
                        parameters:
                          directoryGlob: '%LOCALAPPDATA%\Microsoft\VSCommon\14.0\SQM'
                      -
                        function: ClearDirectoryContents
                        parameters:
                          directoryGlob: '%LOCALAPPDATA%\Microsoft\VSCommon\15.0\SQM'
                      -
                        function: ClearDirectoryContents
                        parameters:
                          directoryGlob: '%LOCALAPPDATA%\Microsoft\VSCommon\16.0\SQM'
                      -
                        function: ClearDirectoryContents
                        parameters:
                          directoryGlob: '%LOCALAPPDATA%\Microsoft\VSCommon\17.0\SQM'
                  -
                    name: Clear Visual Studio Application Insights logs
                    recommend: standard
                    docs: |-
                      Application Insights for Visual Studio stores diagnostic data such as exceptions and performance information [1].
                      Application Insights stores `.TRN` files, which can accumulate into the thousands [2] [3].
                      [1]: https://azuredevopslabs.com/labs/vsts/monitor/ "Monitoring Applications using Application Insights | Azure DevOps Hands-on-Labs"
                      [2]: https://developercommunity.visualstudio.com/t/visual-studio-freezes-randomly/224181#T-N257722-N277241-N407607 "Visual Studio freezes randomly | Visual Studio Feedback"
                      [3]: https://web.archive.org/web/20240314062743/https://stackoverflow.com/questions/45832665/visual-studio-2017-15-3-1-keeps-hanging-freezing/53754481#53754481 "Visual Studio 2017 (15.3.1) keeps hanging/freezing | Stack Overflow | stackoverflow.com"
                    call:
                      -
                        function: ClearDirectoryContents
                        parameters:
                          directoryGlob: '%LOCALAPPDATA%\Microsoft\VSApplicationInsights'
                      -
                        function: ClearDirectoryContents
                        parameters:
                          directoryGlob: '%PROGRAMDATA%\Microsoft\VSApplicationInsights'
                      -
                        function: ClearDirectoryContents
                        parameters:
                          directoryGlob: '%TEMP%\Microsoft\VSApplicationInsights'
                  -
                    name: Clear Visual Studio telemetry data
                    recommend: standard
                    docs: |-
                      `vstelemetry` is a folder created by both Visual Studio [1] and SQL Server Management Studio [2] to store telemetry data.
                      Security vulnerabilities involving these folders were patched by Microsoft in 2020 [2].

                      [1]: http://processchecker.com/file/VsHub.exe.html "What is VsHub.exe ? VsHub.exe info | Processchecker.com"
                      [2]: https://herolab.usd.de/en/security-advisories/usd-2020-0030/ "usd-2020-0030 - usd HeroLab"
                    call:
                      -
                        function: ClearDirectoryContents
                        parameters:
                          directoryGlob: '%APPDATA%\vstelemetry'
                      -
                        function: ClearDirectoryContents
                        parameters:
                          directoryGlob: '%PROGRAMDATA%\vstelemetry'
                  -
                    name: Clear Visual Studio temporary telemetry and log data
                    recommend: standard
                    docs: |-
                      These logs are created by different tools that Visual Studio uses, such as its launcher, installer, or data collection agents.
                      Folders include `VSFaultInfo` [1], `VSFeedbackPerfWatsonData` [2], `VSFeedbackCollector` [2], `VSFeedbackVSRTCLogs` [3], `VSRemoteControl` [4] [5], `VSFeedbackIntelliCodeLogs` [4] [5], `VSTelem` [6] [7], and `VSTelem.Out` [6].
                      Visual Studio stores more log and cache data, but not all of it has privacy implications.
                      Those files can be useful for faster loading, so this script removes only the sensitive data instead of clearing the cache completely.

                      [1]: https://developercommunity.visualstudio.com/t/visual-studio-installer-crashes-after-updating-to/1356122 "Visual Studio Installer crashes after updating to version 16.9.0 - Visual Studio Feedback | Visual Studio Developer Community"
                      [2]: https://developercommunity.visualstudio.com/t/microsoft-visual-studio-1/588200#T-N588861-N594783 "MSTF help | Visual Studio Developer Community"
                      [3]: https://github.com/microsoft/live-share/issues/3584 "Agent logs in %TEMP%\VSFeedbackVSRTCLogs taking up over 87GB · Issue #3584 · MicrosoftDocs/live-share | GitHub"
                      [4]: https://developercommunity.visualstudio.com/t/please-keep-my-temp-folder-clean/731637 "Please keep my TEMP folder clean! - Visual Studio Feedback | Visual Studio Developer Community"
                      [5]: https://web.archive.org/web/20240314062744/https://stackoverflow.com/questions/60974427/reduce-log-and-other-temporary-file-creation-in-visual-studio-2019 "Reduce log and other temporary file creation in Visual Studio 2019 | Stack Overflow | stackoverflow.com"
                      [6]: https://web.archive.org/web/20240314063145/https://stackoverflow.com/questions/72341126/visual-studio-2022-telemetry-related-temp-folders "Visual Studio 2022 - Telemetry related temp folders - Stack Overflow | stackoverflow.com"
                      [7]: https://web.archive.org/web/20231206212802/https://social.msdn.microsoft.com/Forums/vstudio/en-US/5b2a0baa-748f-40e0-b504-f6dfad9b7b4d/vstelem-folder-24000-files-2064kb "VSTELEM folder 24000 files 2064Kb | MSDN Forums"
                    call:
                      -
                        function: ClearDirectoryContents
                        parameters:
                          directoryGlob: '%TEMP%\VSFaultInfo'
                      -
                        function: ClearDirectoryContents
                        parameters:
                          directoryGlob: '%TEMP%\VSFeedbackPerfWatsonData'
                      -
                        function: ClearDirectoryContents
                        parameters:
                          directoryGlob: '%TEMP%\VSFeedbackVSRTCLogs'
                      -
                        function: ClearDirectoryContents
                        parameters:
                          directoryGlob: '%TEMP%\VSFeedbackIntelliCodeLogs'
                      -
                        function: ClearDirectoryContents
                        parameters:
                          directoryGlob: '%TEMP%\VSRemoteControl'
                      -
                        function: ClearDirectoryContents
                        parameters:
                          directoryGlob: '%TEMP%\Microsoft\VSFeedbackCollector'
                      -
                        function: ClearDirectoryContents
                        parameters:
                          directoryGlob: '%TEMP%\VSTelem'
                      -
                        function: ClearDirectoryContents
                        parameters:
                          directoryGlob: '%TEMP%\VSTelem.Out'
              -
                category: Clear Visual Studio licenses
                docs: |-
                  Visual Studio stores a local copy of your product key.
                  This information is kept even after Visual Studio is uninstalled [1], which may expose data unnecessarily and is not always desired.
                  The key is stored not only for purchased Visual Studio products but also for free trials.
                  [1]: https://stackoverflow.com/questions/12465361/how-to-change-visual-studio-2012-2013-or-2015-license-key "How to change Visual Studio 2012,2013 or 2015 License Key? | Stack Overflow | stackoverflow.com"
                children:
                  -
                    name: Clear Visual Studio 2010 licenses
                    docs: "[How to change Visual Studio 2012,2013 or 2015 License Key? | Stack Overflow | stackoverflow.com](https://web.archive.org/web/20240314063218/https://stackoverflow.com/questions/12465361/how-to-change-visual-studio-2012-2013-or-2015-license-key/14810695#14810695)"
                    code: reg delete "HKCR\Licenses\77550D6B-6352-4E77-9DA3-537419DF564B" /va /f
                  -
                    name: Clear Visual Studio 2015 licenses
                    docs: "[How to change Visual Studio 2012,2013 or 2015 License Key? | Stack Overflow | stackoverflow.com](https://web.archive.org/web/20240314092348/https://stackoverflow.com/questions/12465361/how-to-change-visual-studio-2012-2013-or-2015-license-key/32482322#32482322)"
                    code: reg delete "HKCR\Licenses\4D8CFBCB-2F6A-4AD2-BABF-10E28F6F2C8F" /va /f
                  -
                    name: Clear Visual Studio 2017 licenses
                    docs: "[Is Visual Studio Community a 30 day trial? | Stack Overflow | stackoverflow.com](https://web.archive.org/web/20240314092402/https://stackoverflow.com/questions/43390466/is-visual-studio-community-a-30-day-trial/51570570#51570570)"
                    code: reg delete "HKCR\Licenses\5C505A59-E312-4B89-9508-E162F8150517" /va /f
                  -
                    name: Clear Visual Studio 2019 licenses
                    docs: "[How to change Visual Studio 2017 License Key? | Stack Overflow | stackoverflow.com](https://web.archive.org/web/20240314092257/https://stackoverflow.com/questions/46731291/how-to-change-visual-studio-2017-license-key/46974337#46974337)"
                    code: reg delete "HKCR\Licenses\41717607-F34E-432C-A138-A3CFD7E25CDA" /va /f
                  -
                    name: Clear Visual Studio 2022 licenses
                    docs: |-
                      Different keys have been reported by the community for the VS 2022 license [1].
                      This may depend on the preview version.
                      The latest reported key is `1299B4B9-DFCC-476D-98F0-F65A2B46C96D` [2] [3].
                      I have tested and verified this along with some other keys from preview versions.
                      This script deletes all mentioned keys.

                      [1]: https://github.com/beatcracker/VSCELicense/issues/14 "VS 2022 Key Discussion | beatcracker/VSCELicense | GitHub"
                      [2]: https://web.archive.org/web/20240314093547/https://learn.microsoft.com/en-us/answers/questions/673243/how-do-i-remove-a-license-from-visual-studio-2022 "MSFT Answer | How do i remove a license from visual studio 2022? - Microsoft Q&A | learn.microsoft.com"
                      [3]: https://web.archive.org/web/20240314093624/https://stackoverflow.com/questions/46731291/how-to-change-visual-studio-2017-license-key/71624750#71624750 "How to change Visual Studio 2017 License Key? | Stack Overflow | stackoverflow.com"
                    code: |-
                      reg delete "HKCR\Licenses\B16F0CF0-8AD1-4A5B-87BC-CB0DBE9C48FC" /va /f
                      reg delete "HKCR\Licenses\10D17DBA-761D-4CD8-A627-984E75A58700" /va /f
                      reg delete "HKCR\Licenses\1299B4B9-DFCC-476D-98F0-F65A2B46C96D" /va /f
          -
            name: Clear Dotnet CLI telemetry
            recommend: standard
            call:
              function: ClearDirectoryContents
              parameters:
                directoryGlob: '%USERPROFILE%\.dotnet\TelemetryStorageService'
      -
        category: Clear browser history
        children:
          -
            category: Clear Internet Explorer history
            children:
              -
                name: Clear Internet Explorer cache
                recommend: standard
                docs:
                  # INetCache
                  - https://web.archive.org/web/20240314131456/https://support.microsoft.com/en-us/topic/how-to-delete-the-contents-of-the-temporary-internet-files-folder-8eb83a8d-43e2-300d-d355-2ee71602ab44
                  - https://web.archive.org/web/20240315114443/https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/apps-access-admin-web-cache
                  # WebCache
                  - https://web.archive.org/web/20240315114443/https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/apps-access-admin-web-cache
                call:
                  -
                    function: ClearDirectoryContents
                    parameters:
                      directoryGlob: '%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE'
                  -
                    function: ClearDirectoryContents
                    parameters:
                      directoryGlob: '%LOCALAPPDATA%\Microsoft\Windows\WebCache'
              -
                name: Clear Internet Explorer recent URLs
                recommend: strict
                docs:
                  - https://web.archive.org/web/20160304232740/http://crucialsecurityblog.harris.com/2011/03/14/typedurls-part-1/
                  - https://web.archive.org/web/20160321221849/http://crucialsecurityblog.harris.com/2011/03/23/typedurls-part-2/
                  - https://web.archive.org/web/20150601014235/http://randomthoughtsofforensics.blogspot.com/2012/07/trouble-with-typedurlstime.html
                  - https://sketchymoose.blogspot.com/2014/02/typedurls-registry-key.html
                code: |-
                  reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLs" /va /f
                  reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime" /va /f
              -
                name: Clear "Temporary Internet Files" (browser cache)
                recommend: standard
                docs:
                  - https://en.wikipedia.org/wiki/Temporary_Internet_Files
                  - https://www.windows-commandline.com/delete-temporary-internet-files/ # %LOCALAPPDATA%\Temporary Internet Files
                  - https://www.thewindowsclub.com/temporary-internet-files-folder-location # %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files and INetCache
                call:
                  -
                    function: ClearDirectoryContents
                    parameters:
                      directoryGlob: '%USERPROFILE%\Local Settings\Temporary Internet Files'
                      grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 📂 Unprotected on Windows 11 since 22H2
                  -
                    function: ClearDirectoryContents
                    parameters:
                      directoryGlob: '%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files'
                      # This directory consists of 4 additional folders:
                      # - %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5
                      # - %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\IE
                      # - %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Low
                      # - %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Virtualized
                      # Since Windows 10 22H2 and Windows 11 22H2, data files are observed in these subdirectories but not in the parent.
                      # The `IE` folder in particular contains many files. These folders are protected and hidden by default.
grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - function: ClearDirectoryContents parameters: directoryGlob: '%LOCALAPPDATA%\Microsoft\Windows\INetCache' - function: ClearDirectoryContents parameters: directoryGlob: '%LOCALAPPDATA%\Temporary Internet Files' grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - name: Clear Internet Explorer feeds cache recommend: standard docs: https://web.archive.org/web/20240314175030/https://kb.digital-detective.net/display/BF/Location+of+Internet+Explorer+11+Data call: function: ClearDirectoryContents parameters: directoryGlob: '%LOCALAPPDATA%\Microsoft\Feeds Cache' - name: Clear Internet Explorer cookies recommend: strict docs: - https://web.archive.org/web/20240314130055/https://learn.microsoft.com/en-us/windows/win32/wininet/managing-cookies - https://web.archive.org/web/20240314130046/https://learn.microsoft.com/en-us/internet-explorer/kb-support/ie-edge-faqs - https://www.thewindowsclub.com/cookies-folder-location-windows call: - function: ClearDirectoryContents parameters: # Windows 7 browsers directoryGlob: '%APPDATA%\Microsoft\Windows\Cookies' - function: ClearDirectoryContents parameters: # Windows 8 and higher directoryGlob: '%LOCALAPPDATA%\Microsoft\Windows\INetCookies' - name: Clear Internet Explorer DOMStore recommend: standard docs: |- [Introduction to DOM Storage | msdn.microsoft.com](https://web.archive.org/web/20100416135352/http://msdn.microsoft.com/en-us/library/cc197062(VS.85).aspx) call: function: ClearDirectoryContents parameters: directoryGlob: '%LOCALAPPDATA%\Microsoft\InternetExplorer\DOMStore' - name: Clear Internet Explorer usage data docs: - https://web.archive.org/web/20240314101459/https://kb.digital-detective.net/display/BF/Location+of+Internet+Explorer+Data - https://web.archive.org/web/20240314175030/https://kb.digital-detective.net/display/BF/Location+of+Internet+Explorer+11+Data - 
                    https://web.archive.org/web/20240314100550/https://forensafe.com/blogs/internetexplorer.html
                # Includes Internet Explorer cache, tab recovery data, persistence storage (DOMStore, indexed DB etc.)
                # Folders: CacheStorage\, Tracking Protection\, Tiles\, TabRoaming\, IECompatData\
                #   DOMStore\, Recovery\ (that includes browser history), DomainSuggestions\,
                #   VersionManager\, UrlBlockManager\, Indexed DB\, imagestore\, IEFlipAheadCache\
                #   EUPP\, EmieUserList\, EmieSiteList\, EmieBrowserModeList\
                # Files: brndlog.txt, brndlog.bak, ie4uinit-ClearIconCache.log, ie4uinit-UserConfig.log,
                #   MSIMGSIZ.DAT
                call:
                  function: ClearDirectoryContents
                  parameters:
                    directoryGlob: '%LOCALAPPDATA%\Microsoft\Internet Explorer'
          -
            category: Clear Chrome history
            children:
              -
                name: Clear Chrome crash reports
                recommend: standard
                docs: https://web.archive.org/web/20240314095801/https://www.chromium.org/developers/crash-reports/
                call:
                  -
                    function: ClearDirectoryContents
                    parameters:
                      directoryGlob: '%LOCALAPPDATA%\Google\Chrome\User Data\Crashpad\reports'
                  -
                    function: ClearDirectoryContents
                    parameters:
                      directoryGlob: '%LOCALAPPDATA%\Google\CrashReports'
              -
                name: Clear Google's "Software Reporter Tool" logs
                recommend: standard
                docs: https://web.archive.org/web/20220808110009/https://support.google.com/chrome/forum/AAAAP1KN0B0T8qnffV5gwM/
                call:
                  function: DeleteFiles
                  parameters:
                    fileGlob: '%LOCALAPPDATA%\Google\Software Reporter Tool\*.log'
              -
                name: Clear Chrome user data
                docs: https://chromium.googlesource.com/chromium/src/+/HEAD/docs/user_data_dir.md
                call:
                  -
                    # Windows XP
                    function: ClearDirectoryContents
                    parameters:
                      directoryGlob: '%USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data'
                  -
                    # Windows Vista and newer
                    function: ClearDirectoryContents
                    parameters:
                      directoryGlob: '%LOCALAPPDATA%\Google\Chrome\User Data'
          -
            category: Clear Firefox history
            docs: |-
              This category encompasses a series of scripts aimed at helping users manage and delete their browsing history and related data in Mozilla
              Firefox. The scripts target different aspects of the user data stored by Firefox, giving users options for maintaining privacy and freeing up disk space.
            children:
              -
                name: Clear Firefox browsing history (URLs, downloads, bookmarks, visits, etc.)
                # This script (name, documentation and code) is the same in the Linux and Windows collections.
                # Changes should be made in both places.
                # Marked: refactor-with-partials
                docs: |-
                  This script targets the Firefox browsing history, including URLs, downloads, bookmarks, and site visits, by deleting specific database entries.

                  Firefox stores various user data in a file named `places.sqlite`. This file includes:

                  - Annotations, bookmarks, and favorite icons (`moz_anno_attributes`, `moz_annos`, `moz_favicons`) [1]
                  - Browsing history, a record of pages visited (`moz_places`, `moz_historyvisits`) [1]
                  - Keywords and typed URLs (`moz_keywords`, `moz_inputhistory`) [1]
                  - Item annotations (`moz_items_annos`) [1]
                  - Bookmark roots such as places, menu, toolbar, tags, unfiled (`moz_bookmarks_roots`) [1]

                  The `moz_places` table holds URL data, connecting to various other tables like `moz_annos`, `moz_bookmarks`, `moz_inputhistory`, and `moz_historyvisits` [2].
                  Due to these connections, the script removes entries from all relevant tables simultaneously to maintain database integrity.

                  **Bookmarks**: Stored across several tables (`moz_bookmarks`, `moz_bookmarks_folders`, `moz_bookmarks_roots`) [3], with additional undocumented tables like `moz_bookmarks_deleted` [4].

                  **Downloads**: Stored in the `places.sqlite` database, within the `moz_annos` table [5].
                  The entries in `moz_annos` are linked to `moz_places`, which stores the actual history entry (`moz_places.id = moz_annos.place_id`) [6].
                  Associated URL information is stored within the `moz_places` table [5].
                  Downloads have historically been stored in `downloads.rdf` for Firefox 2.x and below [7], and in `downloads.sqlite` later on [7].
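The link between `moz_places` and its dependent tables (`moz_places.id = moz_annos.place_id`, and likewise for `moz_historyvisits`) is why a history entry must be removed from every connected table at once. The Python below is an added example, not part of this collection or of Firefox; it builds a constructed, reduced copy of the `places.sqlite` schema in memory (only the columns needed here, with Firefox's real column names), shows how a visit timeline and download list are reconstructed from those joins, and contrasts a naive `DELETE` from `moz_places` (which leaves orphaned rows behind) with a purge across all linked tables. The annotation name `downloads/destinationFileURI` is the one Firefox uses for download destinations; every row of data is made up.

```python
import sqlite3
from datetime import datetime, timezone
from typing import List, Tuple

# Reduced, constructed subset of the places.sqlite schema (real column names, fewer columns).
SCHEMA = """
CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT NOT NULL, title TEXT, visit_count INTEGER DEFAULT 0);
CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER NOT NULL, visit_date INTEGER NOT NULL);
CREATE TABLE moz_anno_attributes (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE moz_annos (id INTEGER PRIMARY KEY, place_id INTEGER NOT NULL, anno_attribute_id INTEGER NOT NULL, content TEXT);
"""


def build_sample_db() -> sqlite3.Connection:
    """In-memory database populated with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO moz_places VALUES (?, ?, ?, ?)", [
        (1, "https://example.com/", "Example", 2),
        (2, "https://example.org/report.pdf", "report.pdf", 1),
    ])
    # visit_date is PRTime: microseconds since the Unix epoch.
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?)", [
        (1, 1, 1_700_000_000_000_000),
        (2, 1, 1_700_003_600_000_000),
        (3, 2, 1_700_007_200_000_000),
    ])
    conn.execute("INSERT INTO moz_anno_attributes VALUES (1, 'downloads/destinationFileURI')")
    conn.execute("INSERT INTO moz_annos VALUES (1, 2, 1, 'file:///C:/Users/user/Downloads/report.pdf')")
    conn.commit()
    return conn


def visit_history(conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    """(url, ISO-8601 UTC time) per visit, joining moz_historyvisits to moz_places."""
    rows = conn.execute(
        "SELECT p.url, v.visit_date FROM moz_historyvisits v "
        "JOIN moz_places p ON p.id = v.place_id ORDER BY v.visit_date"
    ).fetchall()
    return [(url, datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc).isoformat()) for url, us in rows]


def download_history(conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    """(source url, destination file URI) per download, via moz_annos -> moz_places."""
    return conn.execute(
        "SELECT p.url, a.content FROM moz_annos a "
        "JOIN moz_anno_attributes attr ON attr.id = a.anno_attribute_id "
        "JOIN moz_places p ON p.id = a.place_id "
        "WHERE attr.name = 'downloads/destinationFileURI'"
    ).fetchall()


def dangling_rows(conn: sqlite3.Connection) -> Tuple[int, int]:
    """Count visits and annotations whose place_id no longer exists in moz_places."""
    visits = conn.execute(
        "SELECT COUNT(*) FROM moz_historyvisits WHERE place_id NOT IN (SELECT id FROM moz_places)"
    ).fetchone()[0]
    annos = conn.execute(
        "SELECT COUNT(*) FROM moz_annos WHERE place_id NOT IN (SELECT id FROM moz_places)"
    ).fetchone()[0]
    return visits, annos


def purge_url(conn: sqlite3.Connection, url: str) -> int:
    """Remove a URL from moz_places and every table linked to it; returns places removed."""
    place_ids = [row[0] for row in conn.execute("SELECT id FROM moz_places WHERE url = ?", (url,))]
    for pid in place_ids:
        conn.execute("DELETE FROM moz_historyvisits WHERE place_id = ?", (pid,))
        conn.execute("DELETE FROM moz_annos WHERE place_id = ?", (pid,))
        conn.execute("DELETE FROM moz_places WHERE id = ?", (pid,))
    conn.commit()
    return len(place_ids)


if __name__ == "__main__":
    db = build_sample_db()
    print("visits:", visit_history(db))
    print("downloads:", download_history(db))
    purge_url(db, "https://example.org/report.pdf")
    print("dangling after purge:", dangling_rows(db))
```

The collection's script takes the blunter route of deleting `places.sqlite` itself, which removes every linked table at once; the row-level purge here is what a tool that wants to keep the rest of the profile intact has to do instead.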
                  **Favicons**: Older Firefox versions stored favicons in `places.sqlite` within the `moz_favicons` table [5], while newer versions use `favicons.sqlite` and the `moz_icons` table [5].

                  By executing this script, users can ensure their Firefox browsing history, bookmarks, and downloads are thoroughly removed, contributing to a cleaner and more private browsing experience.

                  [1]: https://web.archive.org/web/20221029141626/https://kb.mozillazine.org/Places.sqlite "Places.sqlite - MozillaZine Knowledge Base | kb.mozillazine.org"
                  [2]: https://web.archive.org/web/20221030160803/https://wiki.mozilla.org/images/0/08/Places.sqlite.schema.pdf "Places.sqlite.schema.pdf | Mozilla Wiki"
                  [3]: https://web.archive.org/web/20221029145432/https://wiki.mozilla.org/Places:BookmarksComments "Places:BookmarksComments | MozillaWiki | wiki.mozilla.org"
                  [4]: https://web.archive.org/web/20221029145447/https://github.com/mozilla/application-services/issues/514 "Add a `moz_bookmarks_deleted` table for tombstones · Issue #514 · mozilla/application-services | GitHub | github.com"
                  [5]: https://web.archive.org/web/20221029145535/https://www.foxtonforensics.com/browser-history-examiner/firefox-history-location "Mozilla Firefox History Location | Firefox History Viewer | foxtonforensics.com"
                  [6]: https://web.archive.org/web/20221029145550/https://support.mozilla.org/en-US/questions/1319253 "Where does Firefox store SQLITE download history | Firefox Support Forum | Mozilla Support | support.mozilla.org"
                  [7]: https://web.archive.org/web/20221029145712/https://kb.mozillazine.org/Downloads.rdf "Downloads.rdf | MozillaZine Knowledge Base | kb.mozillazine.org"
                call:
                  -
                    function: DeleteFilesFromFirefoxProfiles
                    parameters:
                      pathGlob: downloads.rdf
                  -
                    function: DeleteFilesFromFirefoxProfiles
                    parameters:
                      pathGlob: downloads.sqlite
                  -
                    function: DeleteFilesFromFirefoxProfiles
                    parameters:
                      pathGlob: places.sqlite
                  -
                    function: DeleteFilesFromFirefoxProfiles
                    parameters:
                      pathGlob: favicons.sqlite
              -
                name: Clear all Firefox
                  user information and preferences
                docs: |-
                  This script performs a reset of Mozilla Firefox, erasing all user profiles, settings, and personalized data to restore the browser to its default state.

                  Firefox user profiles encompass bookmarks, browsing history, passwords, extensions, themes, and preferences [1].
                  These profile folders are located in:

                  - `C:\Documents and Settings\\Application Data\Mozilla\Firefox\Profiles\` on Windows XP and earlier [1],
                  - `%APPDATA%\Mozilla\Firefox\Profiles\` on Windows 10 and later [1].

                  > **Caution**:
                  > - Using this script results in a total loss of all personalized Firefox data.
                  > - If your goal is solely to clear browsing data while retaining settings and extensions, this script is not recommended.
                  > - Close Firefox before running this script to prevent potential issues.

                  [1]: https://web.archive.org/web/20231101125909/https://kb.mozillazine.org/Profile_folder_-_Firefox#Windows "Profile folder - Firefox - MozillaZine Knowledge Base | kb.mozillazine.org"
                call:
                  -
                    # Windows XP
                    function: ClearDirectoryContents
                    parameters:
                      directoryGlob: '%LOCALAPPDATA%\Mozilla\Firefox\Profiles'
                  -
                    # Windows Vista and newer
                    function: ClearDirectoryContents
                    parameters:
                      directoryGlob: '%APPDATA%\Mozilla\Firefox\Profiles'
          -
            name: Clear Opera history (user profiles, settings, and data)
            call:
              -
                # Windows XP
                function: ClearDirectoryContents
                parameters:
                  directoryGlob: '%USERPROFILE%\Local Settings\Application Data\Opera\Opera'
              -
                # Windows Vista and newer
                function: ClearDirectoryContents
                parameters:
                  directoryGlob: '%LOCALAPPDATA%\Opera\Opera'
              -
                # Windows Vista and newer
                function: ClearDirectoryContents
                parameters:
                  directoryGlob: '%APPDATA%\Opera\Opera'
          -
            category: Clear Safari history
            children:
              -
                name: Clear Webpage Icons
                recommend: standard
                docs: https://www.sans.org/blog/safari-browser-forensics/
                call:
                  -
                    # Windows XP
                    function: DeleteFiles
                    parameters:
                      fileGlob: '%USERPROFILE%\Local Settings\Application Data\Safari\WebpageIcons.db'
                  -
                    # Windows Vista and newer
                    function:
                      DeleteFiles
                    parameters:
                      fileGlob: '%LOCALAPPDATA%\Apple Computer\Safari\WebpageIcons.db'
              -
                name: Clear Safari cache
                recommend: standard
                docs: https://web.archive.org/web/20220710222903/https://forensicswiki.xyz/wiki/index.php?title=Apple_Safari
                call:
                  -
                    # Windows XP
                    function: DeleteFiles
                    parameters:
                      fileGlob: '%USERPROFILE%\Local Settings\Application Data\Apple Computer\Safari\Cache.db'
                  -
                    # Windows Vista and newer
                    function: DeleteFiles
                    parameters:
                      fileGlob: '%LOCALAPPDATA%\Apple Computer\Safari\Cache.db'
              -
                name: Clear Safari cookies
                recommend: strict
                docs: https://web.archive.org/web/20240314101529/https://kb.digital-detective.net/display/BF/Location+of+Safari+Data
                call:
                  -
                    # Windows XP
                    function: DeleteFiles
                    parameters:
                      fileGlob: '%USERPROFILE%\Local Settings\Application Data\Apple Computer\Safari\Cookies.db'
                  -
                    # Windows Vista and newer
                    function: DeleteFiles
                    parameters:
                      fileGlob: '%LOCALAPPDATA%\Apple Computer\Safari\Cookies.db'
              -
                name: Clear all Safari data (user profiles, settings, and data)
                docs:
                  - https://web.archive.org/web/20240314101529/https://kb.digital-detective.net/display/BF/Location+of+Safari+Data
                  - https://web.archive.org/web/20220710222903/https://forensicswiki.xyz/wiki/index.php?title=Apple_Safari
                  - https://web.archive.org/web/20240314091143/https://zerosecurity.org/2013/04/safari-forensic-tutorial/
                call:
                  -
                    # Windows XP
                    function: ClearDirectoryContents
                    parameters:
                      directoryGlob: '%USERPROFILE%\Local Settings\Application Data\Apple Computer\Safari'
                  -
                    # Windows Vista and newer
                    function: ClearDirectoryContents
                    parameters:
                      directoryGlob: '%APPDATA%\Apple Computer\Safari'
      -
        category: Clear temporary Windows files
        docs: |-
          This category covers the removal of temporary Windows files.
          Cleaning these files is recommended because they can be used for unauthorized analysis of user behavior and system usage [1].
          They may also potentially host malicious software [2] [3].
          Eliminating these files significantly enhances the security and privacy of the system.
          Microsoft advises this cleanup for enhanced security [2].
          Besides enhancing security, removing these files also frees up disk space.
          However, removing temporary files might lead to a slight delay in initial application/system load times.

          By regularly clearing these files, users reduce the chance of malware residing in these folders [2] [3] and prevent the unauthorized use of their information for forensic analysis [1], a simple and effective strategy for maintaining a secure and private system environment.

          [1]: https://web.archive.org/web/20231001145651/https://s3.wp.wsu.edu/uploads/sites/3267/2022/05/Part2-DiskForensics.pdf "Disk Forensics | Montana State University"
          [2]: https://web.archive.org/web/20231001145035/https://devblogs.microsoft.com/scripting/weekend-scripter-use-powershell-to-clean-out-temp-folders/ "Weekend Scripter: Use PowerShell to Clean Out Temp Folders - Scripting Blog | microsoft.com"
          [3]: https://web.archive.org/web/20231001145930/https://nvd.nist.gov/vuln/detail/CVE-2019-11644 "NVD - CVE-2019-11644 | nist.gov"
        children:
          -
            name: Clear temporary system folder
            recommend: standard
            docs: |-
              This script eliminates the contents of the `%WINDIR%\Temp\` directory, also known as the Windows Temp directory [1].
              This directory is located within the Windows system folder, at `%SystemDrive%\Windows\Temp\` [1] [2].
              It is used by the system and system-level processes to store temporary files, including those generated by the operating system and other system-level software.
              This folder is protected by specific access control lists (ACLs) [3] [4] and is accessible only to system-level accounts [2].

              Because this directory is known to be used by malware, cleaning it is recommended for maintaining system security [2] [5].
              Moreover, it is used in forensics to analyze user behavior [6], which raises privacy concerns.
              Microsoft underscores the importance of cleaning this folder to free up disk space [7], resolve system application issues [1] [8] [9], and counteract malware [2].
              Some system applications may populate this folder, taking up considerable disk space [7] [9] [10].

              This script only deletes the contents of the `%WINDIR%\Temp\` directory, not the directory itself, to maintain system integrity, security, and privacy, avoiding potential issues caused by unintentional directory deletion without the proper ACL.
              Deleting the directory itself might disrupt certain applications, such as `dism` [11] and application installers [12], while also removing the special ACL that secures the folder.

              [1]: https://web.archive.org/web/20231001145018/https://learn.microsoft.com/en-us/troubleshoot/windows-server/deployment/error-0x800f0922-uninstall-role-feature "Error 0x800f0922 when you uninstall roles - Windows Server | Microsoft Learn"
              [2]: https://web.archive.org/web/20231001145035/https://devblogs.microsoft.com/scripting/weekend-scripter-use-powershell-to-clean-out-temp-folders/ "Weekend Scripter: Use PowerShell to Clean Out Temp Folders - Scripting Blog | microsoft.com"
              [3]: https://web.archive.org/web/20231001145051/https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/enabling-postmortem-debugging#window-sysinternals-procdump "Enabling Postmortem Debugging - Windows drivers | Microsoft Learn"
              [4]: https://web.archive.org/web/20231001150053/https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/bb776892%28v=vs.85%29 "About User Profiles (Windows) | Microsoft Learn"
              [5]: https://web.archive.org/web/20231001145930/https://nvd.nist.gov/vuln/detail/CVE-2019-11644 "NVD - CVE-2019-11644 | nist.gov"
              [6]: https://web.archive.org/web/20231001145651/https://s3.wp.wsu.edu/uploads/sites/3267/2022/05/Part2-DiskForensics.pdf "Disk Forensics | Montana State University"
              [7]:
              https://web.archive.org/web/20231001150100/https://learn.microsoft.com/en-us/windows/deployment/update/prepare-deploy-windows "Prepare to deploy Windows - Windows Deployment | Microsoft Learn"
              [8]: https://web.archive.org/web/20231001150108/https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/adr-updates-download-failure "Automatic deployment rule (ADR) fails to download updates - Configuration Manager | Microsoft Learn"
              [9]: https://web.archive.org/web/20231001150158/https://support.microsoft.com/en-us/topic/error-message-112-setup-is-unable-to-decompress-and-copy-all-the-program-files-c8dadf2a-4e7e-11bf-6543-ab5560b7fc19 'Error Message 112 "Setup Is Unable to Decompress and Copy All the Program Files" - Microsoft Support'
              [10]: https://web.archive.org/web/20231001150233/https://learn.microsoft.com/en-us/exchange/troubleshoot/administration/unifiedcontent-folder-fills-up-drive "Exchange UnifiedContent folder fills up the drive - Exchange | Microsoft Learn"
              [11]: https://github.com/undergroundwires/privacy.sexy/pull/176 "Do not delete temp dirs by iam-py-test · Pull Request #176 · undergroundwires/privacy.sexy"
              [12]: https://github.com/undergroundwires/privacy.sexy/issues/89 "Some installer failed to installer · Issue #89 · undergroundwires/privacy.sexy"
            call:
              function: ClearDirectoryContents
              parameters:
                directoryGlob: '%WINDIR%\Temp'
          -
            name: Clear temporary user folder
            recommend: standard
            docs: |-
              This script deletes the contents of the `%TEMP%\` (or `%LOCALAPPDATA%\Temp\` [1], `%TMP%\` [2]) directory, which applications and processes use to store temporary files.
              This directory is situated within the user profile, at `%SystemDrive%\Users\\AppData\Local\Temp` [1] [2] [3].
              Only the respective profile user can read and write to this folder [4].

              This folder's use in forensics for understanding user behavior [5] raises privacy concerns.
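Both temp-folder scripts deliberately empty the directory without removing it, so that the ACL Windows assigned to `%WINDIR%\Temp` and `%TEMP%` survives the cleanup. The Python below is an added example, not the collection's own `ClearDirectoryContents` function; it implements that same contract in a portable way: recurse into the tree, delete files and subdirectories, clear the read-only attribute when a delete is refused for that reason, record (rather than abort on) entries that cannot be removed because they are in use, and never create or delete the top-level directory itself. The `demo()` helper builds a constructed sample tree in a temporary location so the behaviour can be observed offline.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict


def _remove_file(path: Path, result: Dict[str, int]) -> None:
    """Delete one file or symlink; clear the read-only bit and retry if that was the blocker."""
    try:
        try:
            path.unlink()
        except PermissionError:
            os.chmod(path, stat.S_IWRITE)
            path.unlink()
        result["files"] += 1
    except OSError:
        result["failed"] += 1  # e.g. still open by another process: leave it, keep going


def _remove_tree(path: Path, result: Dict[str, int]) -> None:
    """Delete everything below `path` (but not `path` itself), bottom-up."""
    for child in path.iterdir():
        if child.is_dir() and not child.is_symlink():
            _remove_tree(child, result)
            try:
                child.rmdir()
                result["dirs"] += 1
            except OSError:
                result["failed"] += 1  # something inside could not be removed
        else:
            _remove_file(child, result)


def clear_directory_contents(directory: str) -> Dict[str, int]:
    """Empty `directory` while preserving the directory entry and its ACL.

    Returns counts of removed files, removed subdirectories and failed entries.
    A missing directory is reported as nothing done: it is never created here,
    because a freshly created folder would not carry the ACL Windows expects.
    """
    result = {"files": 0, "dirs": 0, "failed": 0}
    root = Path(directory)
    if not root.is_dir():
        return result
    _remove_tree(root, result)
    return result


def demo() -> Dict[str, object]:
    """Build a constructed sample tree, clear it, and report what happened."""
    base = Path(tempfile.mkdtemp(prefix="temp-cleanup-demo-"))
    (base / "a.txt").write_text("scratch data")
    (base / "readonly.txt").write_text("read-only scratch data")
    os.chmod(base / "readonly.txt", stat.S_IREAD)
    (base / "sub" / "deep").mkdir(parents=True)
    (base / "sub" / "b.log").write_text("log")
    (base / "sub" / "deep" / "c.tmp").write_text("tmp")

    counts = clear_directory_contents(str(base))
    report: Dict[str, object] = dict(counts)
    report["dir_exists"] = base.is_dir()          # the directory itself must survive
    report["remaining"] = len(list(base.iterdir()))
    base.rmdir()                                  # clean up the demo location only
    return report


if __name__ == "__main__":
    print(demo())
```

On a live Windows system the same function would be pointed at `%WINDIR%\Temp` or `%TEMP%`; entries counted under `failed` are typically files held open by running processes, which is also why the collection recommends a reboot afterwards.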
              Deleting its contents, a routine operation performed by Windows system tools such as SilentCleanup (`cleanmgr.exe`) or Storage Sense (`storsvc.exe`) [8], does not harm the system.
              On cloud machines, Microsoft does not retain the contents of this directory and conducts automatic clean-ups to prevent data accumulation [6].

              This script, while removing the contents, retains the directory to preserve the access control list (ACL) assigned by Microsoft [7], preventing potential misconfigurations due to unintentional folder creation without the proper ACL.

              Microsoft recommends cleaning this folder to free disk space [8] and eliminate potential malware [9].
              After running this script, a reboot is recommended to ensure that applications accessing `%TEMP%` keep working smoothly [8].

              [1]: https://github.com/undergroundwires/privacy.sexy/pull/176 "Do not delete temp dirs by iam-py-test · Pull Request #176 · undergroundwires/privacy.sexy"
              [2]: https://web.archive.org/web/20231001150554/https://learn.microsoft.com/en-us/windows/deployment/usmt/usmt-recognized-environment-variables "Recognized environment variables - Windows Deployment | Microsoft Learn"
              [3]: https://web.archive.org/web/20231001150603/https://learn.microsoft.com/en-us/dotnet/api/system.io.path.gettemppath?view=net-7.0#examples "Path.GetTempPath Method (System.IO) | Microsoft Learn"
              [4]: https://web.archive.org/web/20231001150917/https://learn.microsoft.com/en-us/windows/win32/shell/about-user-profiles "About User Profiles - Win32 apps | Microsoft Learn"
              [5]: https://web.archive.org/web/20231001145651/https://s3.wp.wsu.edu/uploads/sites/3267/2022/05/Part2-DiskForensics.pdf "Disk Forensics | Montana State University"
              [6]: https://web.archive.org/web/20231001150713/https://learn.microsoft.com/en-us/azure/cloud-services/cloud-services-troubleshoot-default-temp-folder-size-too-small-web-worker-role "Default TEMP folder size is too small for a role | Microsoft Learn"
              [7]:
              https://web.archive.org/web/20231001150053/https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/bb776892%28v=vs.85%29 "About User Profiles (Windows) | Microsoft Learn"
              [8]: https://web.archive.org/web/20240120214444/https://learn.microsoft.com/en-us/troubleshoot/windows-server/shell-experience/temp-folder-with-logon-session-id-deleted "The %TEMP% folder with logon session ID is deleted - Windows Server | Microsoft Learn"
              [9]: https://web.archive.org/web/20231001145035/https://devblogs.microsoft.com/scripting/weekend-scripter-use-powershell-to-clean-out-temp-folders/ "Weekend Scripter: Use PowerShell to Clean Out Temp Folders - Scripting Blog | microsoft.com"
            call:
              function: ClearDirectoryContents
              parameters:
                directoryGlob: '%TEMP%'
          -
            name: Clear prefetch folder
            recommend: standard
            docs: |-
              This script deletes the contents of `%WINDIR%\Prefetch\*`, typically pointing to `C:\Windows\Prefetch\` [1] [2].

              **What is Prefetch?**

              Introduced in Windows XP [2], Prefetch is a Windows feature developed to expedite application startup [1] and the boot process [1] [2].
              It works by preemptively loading data and code pages into memory from the disk before they are requested [2], monitoring an application's startup page faults [2], and storing the gathered data in the Prefetch directory [2].

              **Why Clear the Prefetch Directory?**

              Over time, many files accumulate in the Prefetch directory.
              Clearing this directory enhances privacy and potentially frees disk space by removing traces of recently used applications and files on the system, making unauthorized tracking of application usage more difficult.
              Despite its design for improving application startup times [1], Prefetch can inadvertently expose information about the applications and files accessed on the system [1].
              Clearing the Prefetch directory addresses this issue by eliminating these traces.
              Microsoft suggests deleting the Prefetch directory and its contents if significant system configuration changes occur, such as adjustments to drivers, services, or applications that start automatically [3].
              This action eradicates any outdated prefetched data [3], ensuring that the system operates with the most up-to-date and relevant data for application startups [3].

              The files in the Prefetch directory are used for forensic purposes [4] [5], adding to the privacy concerns.
              They reveal information about application usage, including data layout [4], access history on disk [4], last execution time [5], and the total number of times an application has been run [5].
              Additionally, they contain historical process information such as loaded libraries and process dependencies [6].
              Erasing these files mitigates the risk of this information being used for unauthorized tracking or analysis, improving your privacy.

              **Trade-Off**

              Clearing the Prefetch might cause a minor delay in application startup times until the necessary data is regenerated as applications are used again [2].
              This is a compromise for heightened privacy and potentially freed disk space.

              [1]: https://web.archive.org/web/20231001151015/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide#collect-investigation-package-from-devices "Take response actions on a device in Microsoft Defender for Endpoint | Microsoft Learn"
              [2]: https://web.archive.org/web/20231001151029/https://learn.microsoft.com/en-us/sysinternals/resources/archive/v03n02#windows-xp-prefetching "Sysinternals Newsletter Vol. 3, No.
              2 - Sysinternals | Microsoft Learn"
              [3]: https://web.archive.org/web/20230829142700/https://download.microsoft.com/download/7/e/7/7e7662cf-cbea-470b-a97e-ce7ce0d98dc2/win7perf.docx "Performance Testing Guide for Windows | Microsoft"
              [4]: https://web.archive.org/web/20231001151107/https://ccsweb.lanl.gov/~kei/mypubbib/papers/TOS_13_diskseen.pdf "A Prefetching Scheme Exploiting both Data Layout and Access History on Disk | ccsweb.lanl.gov"
              [5]: https://web.archive.org/web/20231001151150/https://www.justice.gov/sites/default/files/usao/legacy/2008/02/04/usab5601.pdf "Computer Forensics | justice.gov"
              [6]: https://web.archive.org/web/20231001151207/https://par.nsf.gov/servlets/purl/10333089 "Malware Family Classification via Residual Prefetch Artifacts | par.nsf.gov"
            call:
              function: ClearDirectoryContents
              parameters:
                directoryGlob: '%WINDIR%\Prefetch'
      -
        category: Clear Windows log and caches
        children:
          -
            name: Clear thumbnail cache
            call:
              function: DeleteFiles
              parameters:
                fileGlob: '%LOCALAPPDATA%\Microsoft\Windows\Explorer\*.db'
          -
            category: Clear Windows system log files
            children:
              -
                category: Clear Windows Update system logs
                children:
                  -
                    name: Clear Windows update and SFC scan logs
                    recommend: standard
                    docs: https://web.archive.org/web/20231206191838/https://answers.microsoft.com/en-us/windows/forum/all/cwindowslogscbs/fe4e359a-bcb9-4988-954d-563ef83bac1c
                    call:
                      function: ClearDirectoryContents
                      parameters:
                        directoryGlob: '%SYSTEMROOT%\Temp\CBS'
                  -
                    name: Clear Windows Update Medic Service logs
                    recommend: standard
                    docs: https://web.archive.org/web/20231206191736/https://answers.microsoft.com/en-us/windows/forum/all/what-is-this-waasmedic-and-why-it-required-to/e5e55a95-d5bb-4bf4-a7ce-4783df371de4
                    call:
                      function: ClearDirectoryContents
                      parameters:
                        directoryGlob: '%SYSTEMROOT%\Logs\waasmedic'
                  -
                    name: Clear "Cryptographic Services" diagnostic traces
                    recommend: standard
                    docs: |-
                      This script removes specific files associated with the "Cryptographic Services".
                      The files include:

                      - `%SYSTEMROOT%\System32\catroot2\dberr.txt`
                      - `%SYSTEMROOT%\System32\catroot2.log`
                      - `%SYSTEMROOT%\System32\catroot2.jrs`
                      - `%SYSTEMROOT%\System32\catroot2.edb`
                      - `%SYSTEMROOT%\System32\catroot2.chk`

                      The "Cryptographic Services" (`CryptSvc`) service manages services such as key management for the computer [1] [2].
                      This service is used by different features, including Windows Updates [3] [4] [5].

                      There is no official documentation available for these files from Microsoft.
                      However, after analyzing the internal workings of Windows, below is a detailed explanation of the purpose, collected data, and privacy implications of each file:

                      | File name | Purpose | Data Collected | Privacy Implications |
                      | --------- | ------- | -------------- | -------------------- |
                      | `dberr.txt` | Logging database errors | Error messages and codes related to database operations | Potential system issues or vulnerabilities |
                      | `catroot2.log` | Logging activities, errors, or transactions related to cryptographic operations | Log data including status messages, error codes | System configurations and vulnerabilities |
                      | `catroot2.jrs` | Journal file for data integrity in cryptographic operations | Transaction logs or temporary cryptographic data | System's state and cryptographic operations |
                      | `catroot2.edb` | Storing certificate and signature data for Windows Update | Certificate and signature validation data, update details | Update history and security state |
                      | `catroot2.chk` | Ensuring data consistency in the ESE database | Information for database recovery | System state information |

                      This script deletes these files, improving user privacy by ensuring that sensitive information related to system configurations, vulnerabilities, and cryptographic operations is not readily available.
                      [1]: https://web.archive.org/web/20231025233132/https://www.windows-security.org/windows-service/cryptographic-services "Cryptographic Services | Windows security encyclopedia | windows-security.org"
                      [2]: https://web.archive.org/web/20231025233145/https://revertservice.com/10/cryptsvc/ "Cryptographic Services (CryptSvc) Defaults in Windows 10 | revertservice.com"
                      [3]: https://web.archive.org/web/20230902020255/https://learn.microsoft.com/en-us/troubleshoot/windows-client/deployment/additional-resources-for-windows-update "Additional resources for Windows Update - Windows Client | Microsoft Learn | learn.microsoft.com"
                      [4]: https://web.archive.org/web/20231025233228/https://support.microsoft.com/en-us/topic/claims-to-windows-token-service-c2wts-not-starting-after-rebooting-server-52a2d131-cb9d-bf28-77d4-1663a99d03b3 "Claims to Windows Token Service (c2WTS) not starting after rebooting server - Microsoft Support | support.microsoft.com"
                      [5]: https://web.archive.org/web/20231025233251/https://learn.microsoft.com/en-us/troubleshoot/windows-server/backup-and-storage/vss-error-8193-restart-cryptographic-services "VSS event 8193 when you restart the Cryptographic Services service after you install the DHCP role - Windows Server | Microsoft Learn | learn.microsoft.com"
                    call:
                      -
                        function: DeleteFiles
                        parameters:
                          fileGlob: '%SYSTEMROOT%\System32\catroot2\dberr.txt'
                      -
                        function: DeleteFiles
                        parameters:
                          fileGlob: '%SYSTEMROOT%\System32\catroot2.log'
                      -
                        function: DeleteFiles
                        parameters:
                          fileGlob: '%SYSTEMROOT%\System32\catroot2.jrs'
                      -
                        function: DeleteFiles
                        parameters:
                          fileGlob: '%SYSTEMROOT%\System32\catroot2.edb'
                      -
                        function: DeleteFiles
                        parameters:
                          fileGlob: '%SYSTEMROOT%\System32\catroot2.chk'
                  -
                    name: Clear Server-initiated Healing Events system logs
                    docs: |-
                      These are logs related to Windows Update [1] [2].
                      The folder stores event trace log (ETL) files [3].
                      While the logs are largely technical, like many diagnostic logs they may include some data that could be considered personally identifiable information (PII), such as usernames or machine names.

                      From a forensic standpoint, they offer valuable data for reconstructing system events related to software updates [3]:

                      - **Update History**: The logs can provide a history of updates, including those that failed and required remediation. This could be used to establish a timeline of events on a system.
                      - **System Integrity**: In forensic scenarios where the integrity of the system is in question, the SIH logs could be used to determine if there were any issues with updates, including any that were automatically remediated.
                      - **Behavior Analysis**: While the primary purpose of the logs is not to capture user behavior, they can be part of a broader set of logs and data used in behavioral analysis, especially when reconstructing events leading up to a particular system state or incident.
                      [1]: https://web.archive.org/web/20231020011710/https://raw.githubusercontent.com/Azure/azure-diskinspect-service/master/docs/manifest_by_file.md "Official Microsoft Documentation | azure-diskinspect-service/docs/manifest_by_file.md at master · Azure/azure-diskinspect-service | github.com"
                      [2]: https://web.archive.org/web/20231020012236/https://answers.microsoft.com/es-es/windows/forum/all/windows-10-carpeta-y-archivos-sih/4d318121-fed6-4202-8b92-d4dc236b468e "Windows 10 | Carpeta y archivos SIH - Microsoft Community"
                      [3]: https://tzworks.com/prototypes/tela/tela.users.guide.pdf "TZWorks Shim Database Parser (shims) Users Guide"
                    call:
                      function: ClearDirectoryContents
                      parameters:
                        directoryGlob: '%SYSTEMROOT%\Logs\SIH'
                  -
                    name: Clear Windows Update logs
                    call:
                      function: ClearDirectoryContents
                      parameters:
                        directoryGlob: '%SYSTEMROOT%\Traces\WindowsUpdate'
              -
                name: Clear Optional Component Manager and COM+ components logs
                recommend: standard
                call:
                  function: DeleteFiles
                  parameters:
                    fileGlob: '%SYSTEMROOT%\comsetup.log'
              -
                name: Clear "Distributed Transaction Coordinator (DTC)" logs
                recommend: standard
                call:
                  function: DeleteFiles
                  parameters:
                    fileGlob: '%SYSTEMROOT%\DtcInstall.log'
              -
                name: Clear logs for pending/unsuccessful file rename operations
                docs: |-
                  This script clears the log files that Windows creates whenever pending file rename operations have not completed successfully.
                  The logged operations might include renaming, moving, or deleting a file that is currently in use [1].
                  [1]: https://web.archive.org/web/20230806191624/https://support.microsoft.com/en-us/topic/how-to-install-multiple-windows-updates-or-hotfixes-with-only-one-reboot-6247def4-7f39-c1a0-efe5-61f82849fb7c "How to install multiple Windows updates or hotfixes with only one reboot - Microsoft Support"
                call:
                  function: DeleteFiles
                  parameters:
                    fileGlob: '%SYSTEMROOT%\PFRO.log'
              -
                name: Clear Windows update installation logs
                recommend: standard
                docs: |-
                  This script clears the log files created during the Windows update installation process.
                  This includes both the actions log (`setupact.log`) and the error log (`setuperr.log`).
                  These files contain information about setup initialization and are typically used if setup fails to launch [1].

                  [1]: https://web.archive.org/web/20230806191844/https://learn.microsoft.com/en-us/windows/deployment/upgrade/log-files "Log files and resolving upgrade errors - Windows Deployment | Microsoft Learn"
                call:
                  -
                    function: DeleteFiles
                    parameters:
                      fileGlob: '%SYSTEMROOT%\setupact.log'
                  -
                    function: DeleteFiles
                    parameters:
                      fileGlob: '%SYSTEMROOT%\setuperr.log'
              -
                name: Clear Windows setup logs
                recommend: standard
                docs: https://web.archive.org/web/20240314130622/https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/windows-setup-log-file-locations
                call:
                  -
                    function: DeleteFiles
                    parameters:
                      fileGlob: '%SYSTEMROOT%\setupapi.log'
                  -
                    function: DeleteFiles
                    parameters:
                      fileGlob: '%SYSTEMROOT%\inf\setupapi.app.log'
                  -
                    function: DeleteFiles
                    parameters:
                      fileGlob: '%SYSTEMROOT%\inf\setupapi.dev.log'
                  -
                    function: DeleteFiles
                    parameters:
                      fileGlob: '%SYSTEMROOT%\inf\setupapi.offline.log'
                  -
                    function: ClearDirectoryContents
                    parameters:
                      directoryGlob: '%SYSTEMROOT%\Panther'
              -
                name: Clear "Windows System Assessment Tool (`WinSAT`)" logs
                recommend: standard
                docs: https://web.archive.org/web/20240314125941/https://learn.microsoft.com/en-us/windows/win32/winsat/windows-system-assessment-tool-portal
                call:
                  function: DeleteFiles
                  parameters:
                    fileGlob: '%SYSTEMROOT%\Performance\WinSAT\winsat.log'
              -
                name: Clear password change events
                recommend: standard
                call:
                  function: DeleteFiles
                  parameters:
                    fileGlob: '%SYSTEMROOT%\debug\PASSWD.LOG'
              -
                name: Clear user web cache database
                recommend: standard
                docs: https://web.archive.org/web/20240314130843/https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/performance-issues-custom-default-user-profile
                call:
                  function: ClearDirectoryContents
                  parameters:
                    directoryGlob: '%LOCALAPPDATA%\Microsoft\Windows\WebCache'
              -
                name: Clear system temp folder when not logged in
                recommend: standard
                call:
                  function: ClearDirectoryContents
                  parameters:
                    directoryGlob: '%SYSTEMROOT%\ServiceProfiles\LocalService\AppData\Local\Temp'
              -
                name: Clear DISM (Deployment Image Servicing and Management) system logs
                recommend: standard
                docs: https://web.archive.org/web/20240314125948/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/deployment-troubleshooting-and-log-files?view=windows-11
                call:
                  -
                    function: DeleteFiles
                    parameters:
                      fileGlob: '%SYSTEMROOT%\Logs\CBS\CBS.log'
                  -
                    function: DeleteFiles
                    parameters:
                      fileGlob: '%SYSTEMROOT%\Logs\DISM\DISM.log'
          -
            name: Clear Windows update files
            docs: |-
              This script clears the contents of the `%SYSTEMROOT%\SoftwareDistribution\` directory.
              This action is sometimes called *resetting the Windows Update Agent* or *resetting Windows Update components* by Microsoft [1].

              This directory contains Windows Update files [2] [3].
              It includes logs of Windows updates [2] [4], downloaded updates [5], and database files related to the updates [2].
              Over time, the size of this folder can increase [5], leading to potential disk space issues.
              Clearing this directory can help free up disk space [5].

              This folder is used by Windows Updates [1] [6].
              The `wuauserv` service, also known as "Windows Update Service" [7], uses this folder for its operations [1] [8] [9].
              This service manages the Windows Update Agent (WUA) functionality [7].
Clearing this directory is generally safe, and sometimes, Microsoft even recommends this action to troubleshoot and resolve update-related errors [1] [5] [6] [9] [10]. This script contributes to users' privacy and system efficiency by cleaning up old and potentially unnecessary update files. [1]: https://web.archive.org/web/20230902020255/https://learn.microsoft.com/en-us/troubleshoot/windows-client/deployment/additional-resources-for-windows-update#how-do-i-reset-windows-update-components "Additional resources for Windows Update - Windows Client | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20231027190239/https://support.microsoft.com/en-us/topic/virus-scanning-recommendations-for-enterprise-computers-that-are-running-windows-or-windows-server-kb822158-c067a732-f24a-9079-d240-3733e39b40bc "Virus scanning recommendations for Enterprise computers that are running Windows or Windows Server (KB822158) - Microsoft Support | support.microsoft.com" [3]: https://web.archive.org/web/20231027190409/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus?view=o365-worldwide#windows-update-files-or-automatic-update-files "Microsoft Defender Antivirus exclusions on Windows Server | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20231027190425/https://learn.microsoft.com/en-us/windows/deployment/update/windows-update-logs "Windows Update log files - Windows Deployment | Microsoft Learn | learn.microsoft.com" [5]: https://web.archive.org/web/20231027190439/https://learn.microsoft.com/en-us/troubleshoot/windows-client/deployment/address-disk-space-issues-caused-by-winsxs "Large WinSxS directory causes disk space issues - Windows Client | Microsoft Learn | learn.microsoft.com" [6]: https://web.archive.org/web/20231027190148/https://learn.microsoft.com/en-us/troubleshoot/windows-client/deployment/common-windows-update-errors "Common Windows Update errors 
- Windows Client | Microsoft Learn | learn.microsoft.com" [7]: https://web.archive.org/web/20231027190357/https://revertservice.com/10/wuauserv/ "Windows Update (wuauserv) Service Defaults in Windows 10 | revertservice.com" [8]: https://web.archive.org/web/20231027190213/https://support.microsoft.com/en-us/windows/troubleshoot-problems-updating-windows-188c2b0f-10a7-d72f-65b8-32d177eb136c#WindowsVersion=Windows_11 "Troubleshoot problems updating Windows - Microsoft Support | support.microsoft.com" [9]: https://web.archive.org/web/20231027190503/https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/troubleshoot-software-update-scan-failures "Troubleshoot software update scan failures - Configuration Manager | Microsoft Learn | learn.microsoft.com" [10]: https://web.archive.org/web/20231029172022/https://support.microsoft.com/en-us/topic/you-receive-an-administrators-only-error-message-in-windows-xp-when-you-try-to-visit-the-windows-update-web-site-or-the-microsoft-update-web-site-d2c732b6-21e0-a2ce-8d18-303ed71736c9 'You receive an "Administrators only" error message in Windows XP when you try to visit the Windows Update Web site or the Microsoft Update Web site - Microsoft Support | support.microsoft.com' call: - function: StopService parameters: serviceName: wuauserv waitUntilStopped: 'true' serviceRestartStateFile: '%APPDATA%\privacy.sexy-wuauserv' # Marked: refactor-with-variables (app dir should be unified, not using %TEMP% as it can be cleaned during operation) - function: ClearDirectoryContents parameters: directoryGlob: '%SYSTEMROOT%\SoftwareDistribution' - function: StartService parameters: serviceName: wuauserv serviceRestartStateFile: '%APPDATA%\privacy.sexy-wuauserv' # Marked: refactor-with-variables (app dir should be unified, not using %TEMP% as it can be cleaned during operation) - name: Clear Common Language Runtime system logs recommend: standard call: - function: ClearDirectoryContents parameters: directoryGlob: 
'%LOCALAPPDATA%\Microsoft\CLR_v4.0\UsageTraces' - function: ClearDirectoryContents parameters: directoryGlob: '%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageTraces' - name: Clear Network Setup Service Events system logs recommend: standard call: function: ClearDirectoryContents parameters: directoryGlob: '%SYSTEMROOT%\Logs\NetSetup' - name: Clear logs generated by Disk Cleanup Tool (`cleanmgr.exe`) docs: |- This script is used to clear the log files generated by the Disk Cleanup Tool (cleanmgr.exe). These logs are generated when the Disk Cleanup Tool is used to free up disk space. Log files for this tool are stored in `C:\Windows\System32\LogFiles\setupcln\` [1]. Erasing these logs can enhance user privacy by removing traces of the cleanup process. These logs are known to be used in forensic analysis [2]. [1]: https://web.archive.org/web/20230806192546/https://ss64.com/nt/cleanmgr.html "Cleanmgr - Delete Junk and Temp files - Windows CMD - SS64.com | ss64.com" [2]: https://archive.ph/2023.12.06-185637/https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ "Beyond good ol' Run key, Part 86 | Hexacorn | hexacorn.com" call: function: ClearDirectoryContents parameters: directoryGlob: '%SYSTEMROOT%\System32\LogFiles\setupcln' - name: Clear diagnostics tracking logs recommend: standard docs: |- This script deletes primary telemetry files in Windows. These files store event trace logs that are collected by the `DiagTrack` service [1] [2]. This service is also known as "Diagnostics Tracking Service" [3] or "Connected User Experiences and Telemetry" service [4]. These files are stored as Event Trace Log (`.etl`) files, also known as trace logs [5]. Contents of these files are transmitted to Microsoft servers [1] [2]. This service uses *AutoLogger* logs. *AutoLogger* allows saving trace logs early in the operating system boot process before the user logs in [6]. 
This data is collected during system boot and shut-down, and typically read and deleted at each system boot [3]. The information collected is divided into two files: - `%PROGRAMDATA%\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl` [1] [2] - `%PROGRAMDATA%\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\AutoLogger-Diagtrack-Listener.etl` [1] [2] To modify or delete these files, `SYSTEM` rights are required [1], which this script provides. The collected data varies based on the telemetry level set [2] and may include information about websites visited, application and system performance, device activity, and memory dumps [7]. By deleting these telemetry files, this script prevents the `DiagTrack` service from sending a specific set of diagnostic and usage data to Microsoft, enhancing user privacy by reducing data sharing. [1]: https://web.archive.org/web/20231027164549/https://it-forensik.fiw.hs-wismar.de/images/a/a3/MT_MReuter.pdf "Options for using Event Tracing for Windows (ETW) to support forensic analyzes of process behavior in Windows 10 | University of Wismar" [2]: https://web.archive.org/web/20230215084038/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/SiSyPHus/Analyse_Telemetriekomponente_1_2.pdf?__blob=publicationFile&v=3 "Analyse der Telemetriekomponente in Windows 10 | The national cyber security authority in Germany | bsi.bund.de" [3]: https://web.archive.org/web/20231027164826/https://troopers.de/downloads/troopers19/TROOPERS19_DM_Telemetry.pdf "The Anatomy of Windows Telemetry | The national cyber security authority in Germany | troopers.de" [4]: https://web.archive.org/web/20231027165627/https://revertservice.com/10/diagtrack/ "Connected User Experiences and Telemetry (DiagTrack) Service Defaults in Windows 10 | revertservice.com" [5]: https://web.archive.org/web/20231027164529/https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/trace-log "Trace Log - Windows drivers | Microsoft Learn" [6]: 
https://web.archive.org/web/20231027164510/https://learn.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session "Configuring and Starting an AutoLogger Session - Win32 apps | Microsoft Learn | learn.microsoft.com" [7]: https://web.archive.org/web/20240217185108/https://learn.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization "Configure Windows diagnostic data in your organization (Windows 10 and Windows 11) - Windows Privacy | Microsoft Learn | learn.microsoft.com" call: - function: StopService parameters: serviceName: DiagTrack waitUntilStopped: 'true' serviceRestartStateFile: '%APPDATA%\privacy.sexy-DiagTrack' # Marked: refactor-with-variables (app dir should be unified, not using %TEMP% as it can be cleaned during operation) - function: DeleteFiles parameters: fileGlob: '%PROGRAMDATA%\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl' grantPermissions: 'true' - function: DeleteFiles parameters: fileGlob: '%PROGRAMDATA%\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\AutoLogger-Diagtrack-Listener.etl' grantPermissions: 'true' - function: StartService parameters: serviceName: DiagTrack serviceRestartStateFile: '%APPDATA%\privacy.sexy-DiagTrack' # Marked: refactor-with-variables (app dir should be unified, not using %TEMP% as it can be cleaned during operation) - name: Clear event logs in Event Viewer application docs: https://serverfault.com/questions/407838/do-windows-events-from-the-windows-event-log-have-sensitive-information code: |-
  REM https://social.technet.microsoft.com/Forums/en-US/f6788f7d-7d04-41f1-a64e-3af9f700e4bd/failed-to-clear-log-microsoftwindowsliveidoperational-access-is-denied?forum=win10itprogeneral
  REM Reset the channel access descriptor of this log so that Administrators can clear it; otherwise clearing it fails with "Access is denied" (see the thread above).
  wevtutil sl Microsoft-Windows-LiveId/Operational /ca:O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA)
  REM Enumerate every event log and clear it.
  for /f "tokens=*" %%i in ('wevtutil.exe el') DO (
    echo Deleting event log: "%%i"
    wevtutil.exe cl "%%i"
  )
- name: Clear Defender scan (protection) history
docs: |- This script deletes the scan history kept by Microsoft Defender on your computer. Microsoft Defender logs detected threats but also gathers and stores data about various other files it scans [1] [2]. While removing this history enhances your privacy, it might decrease security, as these logs assist in monitoring threats. By eliminating traces of your system's files, activities and any threats detected, you ensure no residual data can be utilized to study or analyze your computer's activities, thus protecting your privacy. Defender keeps a log of various details whenever it scans your computer for threats. This includes [3] [4]: - **Time**: The moment the threat was discovered. - **Threat Status**: The action carried out against the threat. - **Virus Type**: The type or category of the virus. - **Threat ID**: A unique identifier for the threat. - **Virus Name**: The name of the virus. - **File Path**: The location of the threat on your computer. - **File Hash**: A unique code representing the file. - **Quarantine File Name (GUID)**: The name given to the quarantined threat. - **File Size**: The size of the file. When you first set up Windows, it conducts an initial scan [1]. This scan identifies system files that won't require future scans [1]. These 'safe' files are saved in a unique folder, which becomes a part of the scan history [1]. If a threat is recognized, Microsoft Defender will notify you [4]. Regardless of whether you choose to run the file or not, a `DetectionHistory` file is created [2]. This file is stored in a specific folder (`%ProgramData%\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\[numbered folder]\`), and it contains a system-generated ID for the event [2]. > **Caution:** Deleting these logs may decrease your security. These logs help in keeping track of potential threats and their sources, allowing for a more proactive response in future encounters. 
Without this history, Microsoft Defender might not recognize recurring threats as quickly, possibly leaving your system more vulnerable. It's essential to understand that you're making a trade-off between enhanced privacy and potentially reduced security. [1]: https://web.archive.org/web/20230829142700/https://download.microsoft.com/download/7/e/7/7e7662cf-cbea-470b-a97e-ce7ce0d98dc2/win7perf.docx "Performance Testing Guide for Windows | Microsoft" [2]: https://web.archive.org/web/20230829143754/https://www.sans.org/blog/uncovering-windows-defender-real-time-protection-history-with-dhparser/ "Uncovering Windows Defender Real-time Protection History with DHParser | SANS Alumni Blog" [3]: https://web.archive.org/web/20230829144957/https://learn.microsoft.com/en-us/previous-versions/windows/desktop/defender/msft-mpthreatdetection "MSFT\_MpThreatDetection class | Microsoft Learn" [4]: https://web.archive.org/web/20230829144434/https://forensafe.com/blogs/windows_defender.html "Windows Defender | Forensafe" call: function: ClearDirectoryContents # Otherwise it cannot access/delete files under `Scans\History`, see https://github.com/undergroundwires/privacy.sexy/issues/246 parameters: directoryGlob: '%ProgramData%\Microsoft\Windows Defender\Scans\History' grantPermissions: 'true' # Running as TrustedInstaller is not needed, and causes Defender to alarm https://github.com/undergroundwires/privacy.sexy/issues/264 - name: Clear credentials in Windows Credential Manager call: function: RunPowerShell parameters: code: |- $cmdkeyPath = Get-Command cmdkey -ErrorAction SilentlyContinue if (-not $cmdkeyPath) { throw 'Failed to find the `cmdkey` utility on this system.' } $cmdkeyListOutput = & $cmdkeyPath /list if ($LASTEXITCODE -ne 0) { throw "Failed to execute `cmdkey /list`. Exit code: $LASTEXITCODE." } if (-not $cmdkeyListOutput) { throw 'Failed to retrieve credentials list. The output from `cmdkey /list` is empty.' 
} $credentialEntries = @($cmdkeyListOutput | Select-String 'Target') if (-not $credentialEntries) { Write-Host 'Skipping: No credentials found for deletion.' exit 0 } $allCredentialsDeletedSuccessfully = $true Write-Host "Total of $($credentialEntries.Length) credential(s) found. Initiating deletion..." foreach ($credentialEntry in $credentialEntries) { if ($credentialEntry -notmatch 'Target:(.+)') { Write-Error "Failed to parse credential from output: $credentialEntry" $allCredentialsDeletedSuccessfully = $false continue } $credentialTargetName = $matches[1].Trim() Write-Host "Deleting credential: `"$credentialTargetName`"..." & $cmdkeyPath /delete:$credentialTargetName if ($LASTEXITCODE -ne 0) { Write-Error "Failed to delete credential '$credentialTargetName'. `cmdkey` returned exit code: $LASTEXITCODE." $allCredentialsDeletedSuccessfully = $false } else { Write-Host "Successfully deleted credential: `"$credentialTargetName`"." } } if (-not $allCredentialsDeletedSuccessfully) { Write-Warning 'Failed to delete some credentials. Please check the error messages above.' } else { Write-Host "Successfully deleted all $($credentialEntries.Length) credential(s)." } - name: Remove the controversial `default0` user docs: https://github.com/undergroundwires/privacy.sexy/issues/30 recommend: standard code: net user defaultuser0 /delete 2>nul - name: Empty trash (Recycle Bin) call: function: RunPowerShell parameters: code: |- $bin = (New-Object -ComObject Shell.Application).NameSpace(10) $bin.items() | ForEach { Write-Host "Deleting $($_.Name) from Recycle Bin" Remove-Item $_.Path -Recurse -Force } - name: Minimize DISM "Reset Base" update data recommend: standard docs: |- This script diminishes unnecessary system data, thus enhancing your privacy and performance. The **DISM tool** is used to manage Windows images and is often used to fix issues with the Windows operating system [1]. The **"Reset Base"** option can help to reduce the size of the WinSxS folder [2]. 
Once "Reset Base" is enabled, you cannot uninstall any previous updates [2]. This script activates the **"Reset Base"** feature, minimizing the size of the WinSxS folder. It contributes to the reduction of redundant data, enhancing both the performance of your system and your privacy. The **WinSxS folder**, also known as the "Windows Side by Side" folder, is a component of the Windows operating system [3]. It is located in the Windows directory (for example, `C:\Windows\WinSxS`) [3]. The WinSxS folder is used to store system components that are required for the installation of Windows [3]. It also stores components that are added to the system through Windows updates [3]. **Windows Component Store** contains all the files that are required for Windows features on demand [3]. > **Caution:** Once the "Reset Base" operation is activated, you will not be able to uninstall previous updates. However, this small trade-off improves your privacy and control over system data. [1]: https://web.archive.org/web/20230806160623/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/what-is-dism?view=windows-11 "DISM Overview | Microsoft Learn" [2]: https://web.archive.org/web/20230806160827/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/clean-up-the-winsxs-folder?view=windows-11 "Clean Up the WinSxS Folder | Microsoft Learn" [3]: https://web.archive.org/web/20230710000943/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/manage-the-component-store?view=windows-11 "Manage the Component Store | Microsoft Learn" call: function: RunInlineCode parameters: code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\SideBySide\Configuration" /v "DisableResetbase" /t "REG_DWORD" /d "0" /f revertCode: |- # Windows 10 21H1, 22H1: Key exists with value "1" | Windows 11 21H1: Key does not exist | Windows 11 22H2, 23H2: Key exists with value "1" reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\SideBySide\Configuration" /v 
"DisableResetbase" /t "REG_DWORD" /d "1" /f - name: Remove Windows product key from registry # Helps to protect it from being stolen and used for identity theft or identifying you. docs: https://web.archive.org/web/20240314100853/https://winaero.com/remove-windows-10-product-key-from-registry-and-protect-it-from-being-stolen/ # We use cscript.exe to execute instead of `slmgr` command directly to keep the output but suppress the dialogs. code: cscript.exe //nologo "%SYSTEMROOT%\System32\slmgr.vbs" /cpky - name: Clear volume backups (shadow copies) docs: - https://web.archive.org/web/20240314130354/https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/vssadmin-delete-shadows - https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods code: vssadmin delete shadows /all /quiet - name: Remove associations of default apps recommend: standard code: dism /online /Remove-DefaultAppAssociations - name: Clear System Resource Usage Monitor (SRUM) data recommend: standard docs: |- This script deletes the Windows System Resource Usage Monitor (SRUM) database file. SRUM tracks the usage of desktop applications, services, Windows applications, and network connections [1] [2] [3]. SRUM stores its file at `C:\Windows\System32\sru\SRUDB.dat` [1] [3] [4]. Before deleting the file, the script temporarily stops the Diagnostic Policy Service (DPS). The DPS helps Windows detect and solve problems with its components [4]. Stopping this service is required as modifications to the SRUM file require it to be turned off [5]. Deleting this file can enhance user privacy as it contains usage data and is often used for forensic analysis of user behavior [1] [6]. 
[1]: https://web.archive.org/web/20231013164746/https://raw.githubusercontent.com/libyal/esedb-kb/main/documentation/System%20Resource%20Usage%20Monitor%20%28SRUM%29.asciidoc "esedb-kb/documentation/System Resource Usage Monitor (SRUM).asciidoc at main · libyal/esedb-kb | github.com" [2]: https://web.archive.org/web/20231004161112/https://learn.microsoft.com/en-us/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809 "Windows 10, version 1809 basic diagnostic events and fields (Windows 10) - Windows Privacy | Microsoft Learn" [3]: https://web.archive.org/web/20231004161132/https://security.opentext.com/appDetails/SRUM-Database-Parser "SRUM Database Parser | security.opentext.com" [4]: https://web.archive.org/web/20231004161147/https://learn.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#diagnostic-policy-service "Security guidelines for system services in Windows Server 2016 | Microsoft Learn" [5]: https://web.archive.org/web/20231008135321/https://devblogs.microsoft.com/sustainable-software/measuring-your-application-power-and-carbon-impact-part-1/ "Measuring Your Application Power and Carbon Impact (Part 1) - Sustainable Software | devblogs.microsoft.com" [6]: https://web.archive.org/web/20231008135333/https://www.sciencedirect.com/science/article/abs/pii/S1742287615000031 "Forensic implications of System Resource Usage Monitor (SRUM) data in Windows 8 | Yogesh Khatri | sciencedirect.com" call: - # If the service is not stopped, following error is thrown: # Failed to delete SRUM database file at: "C:\Windows\System32\sru\SRUDB.dat". 
Error Details: The process cannot access # the file 'C:\Windows\System32\sru\SRUDB.dat' because it is being used by another process function: StopService parameters: serviceName: DPS waitUntilStopped: 'true' serviceRestartStateFile: '%APPDATA%\privacy.sexy-DPS' # Marked: refactor-with-variables (app dir should be unified, not using %TEMP% as it can be cleaned during operation) - function: DeleteFiles parameters: fileGlob: '%WINDIR%\System32\sru\SRUDB.dat' grantPermissions: 'true' - function: StartService parameters: serviceName: DPS serviceRestartStateFile: '%APPDATA%\privacy.sexy-DPS' # Marked: refactor-with-variables (app dir should be unified, not using %TEMP% as it can be cleaned during operation) - name: Clear previous Windows installations call: function: DeleteDirectory parameters: directoryGlob: '%SYSTEMDRIVE%\Windows.old' grantPermissions: 'true' - category: Disable OS data collection children: - name: Disable Recall recommend: strict docs: |- This script disables the Recall feature to address serious privacy concerns. Recall is an AI feature introduced in Windows 11 on Copilot+ PCs [1] [2] [3] [4] [5]. It is designed to capture and store snapshots of your screen and analyze them [1] [2] [3] [4] [5] [6] [7]. This feature allows users to browse and search their past activities, such as images and text [1] [2] [3] [4] [5] [6] [7]. Recall includes a component called 'screenray'. This component analyzes the snapshot's contents and lets you interact with elements within it [3] [5] [6]. This script will also disable the screenray feature [6]. This feature is enabled by default, so Windows will capture and store screen snapshots [2] [5] [6]. They remain on your computer for months by default [4]. Recall captures screenshots frequently, as often as multiple times a minute [1] [2] [4]. These screenshots may include all visible content such as app data, websites, images, and documents [2] [5]. 
It may even include sensitive information like passwords and bank account numbers [2] [3]. The data is indexed, and the indexes are stored locally on your computer [5]. This feature raises significant security and privacy concerns. Experts sometimes describe this feature as a 'privacy nightmare' [4] [7] or 'keylogger' [4] due to these concerns. The privacy risks associated with this feature include: - **Misuse**: This data is stored locally on your computer [1] [2] [5] [7]. It poses a risk of unauthorized access to your sensitive and private data [4] [7]. Potential threats include malicious attackers, state actors, colleagues, or family members who could misuse this information for identity theft, financial crime, phishing, or coercion. - **Microsoft data collection**: Microsoft's data collection policies may change. As Mozilla expressed, this raises concerns about potential data sharing with law enforcement or the use of the data for targeted advertising or AI training in the future [7]. - **Storing sensitive data**: Microsoft does not perform content moderation on the snapshots [2] [3] [4] [7]. This means that sensitive information such as passwords or financial account numbers is visible and stored [2] [3], posing a significant privacy and security risk. - **Opt-in**: The feature is opt-in by default [2] [6], and users can only opt out of certain sites if they are using Microsoft Edge [3]. This limits user control over their privacy. - **Lack of transparency:** Microsoft states that the snapshots are not sent to its servers [2] [7] and that all analysis is conducted locally [1] [2] [3] [7]; however, Microsoft has not specified whether it collects the results of these analyses or any related diagnostic data. The United Kingdom's data protection agency finds this lack of transparency worrying [4] [7]. - **Language model vulnerabilities:** Language models' susceptibility to attacks like prompt engineering underlines their security risks [8]. 
More about security vulnerabilities: [Attacks on language models](https://erkinekici.com/articles/attacks-on-language-models/). This script configures the `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot!DisableAIDataAnalysis` registry key [6]. By running this script, you enhance your privacy by preventing the storage and analysis of snapshots on your device [6], thereby mitigating the associated risks. [1]: https://web.archive.org/web/20240523143034/https://support.microsoft.com/en-us/windows/retrace-your-steps-with-recall-aa03f8a0-a78b-4b3e-b0a1-2eb8ac48701c "Retrace your steps with Recall - Microsoft Support | support.microsoft.com" [2]: https://web.archive.org/web/20240523143048/https://support.microsoft.com/en-us/windows/privacy-and-control-over-your-recall-experience-d404f672-7647-41e5-886c-a3c59680af15 "Privacy and control over your Recall experience - Microsoft Support | support.microsoft.com" [3]: https://web.archive.org/web/20240523143210/https://learn.microsoft.com/en-us/windows/client-management/manage-recall "Manage Recall for Windows clients - Windows Client Management | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240523122636/https://www.bleepingcomputer.com/news/microsoft/microsofts-new-windows-11-recall-is-a-privacy-nightmare/ "Microsoft's new Windows 11 Recall is a privacy nightmare | www.bleepingcomputer.com" [5]: https://web.archive.org/web/20240523143240/https://blogs.microsoft.com/blog/2024/05/20/introducing-copilot-pcs/ "Introducing Copilot+ PCs - The Official Microsoft Blog | blogs.microsoft.com" [6]: https://web.archive.org/web/20240522162728/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis "WindowsAI Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [7]: https://web.archive.org/web/20240523155006/https://www.bbc.com/news/articles/cpwwqp6nx14o "Microsoft Copilot+ Recall feature 'privacy nightmare' | www.bbc.com" [8]: 
https://erkinekici.com/articles/attacks-on-language-models/ "Attacks on language models :: Erkin Ekici | erkinekici.com" call: function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot valueName: DisableAIDataAnalysis dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable app access to personal information docs: |- # refactor-with-variables: Same • App Access Caution This category enhances your privacy by restricting app access to sensitive personal data. These scripts enable you to enforce the *principle of least privilege*, ensuring that apps only have access to the information absolutely necessary for their legitimate function, thereby minimizing potential data misuse. It specifically targets UWP (Universal Windows Platform) apps. These apps can be both native system apps [1] and third-party apps [2]. They are typically available through the Microsoft Store [1] [2]. These scripts only affect UWP apps, not desktop applications outside the UWP ecosystem. By disabling default app access to personal information and requiring explicit user permission, these scripts protect your security and privacy. > **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. [1]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240427123038/https://learn.microsoft.com/en-us/windows/uwp/get-started/universal-application-platform-guide "What's a Universal Windows Platform (UWP) app? 
- UWP applications | Microsoft Learn | learn.microsoft.com" children: - name: Disable app access to location recommend: standard docs: |- # refactor-with-variables: Same • App Access Caution This script prevents Windows apps from accessing your location [1]. It restricts access to location-specific network information [2] and sensors [2] [3], enhancing your privacy and security. This script configures: - Windows policy (`LetAppsAccessLocation` [1] [3]) - Privacy settings user interface (`BFA794E4-F964-4FDB-90F6-51056BFE4B44` [4], `location` [2] [5]) - Location Services (`E6AD100E-5F4E-44CD-BE0F-2265D88D14F5` [4], `lfsvc` [6]) > **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. [1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccesslocation "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#182-location "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240427103845/https://www.c-amie.co.uk/technical/windows-10-registry-paths-for-privacy-settings/ "Windows 10 Registry Paths for Privacy Settings - C:Amie (not) Com! 
| c-amie.co.uk" [5]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com" [6]: https://web.archive.org/web/20231206211616/https://social.technet.microsoft.com/Forums/en-US/63904312-04af-41e5-8b57-1dd446ea45c5/privacy-settings-reg-keys?forum=win10itprosetup "Privacy Settings Reg Keys | social.technet.microsoft.com" call: - function: BlockUWPAccessViaGPO parameters: policyName: LetAppsAccessLocation - function: BlockUWPAccessViaConsentStore parameters: appCapability: location - function: RunInlineCode parameters: code: |- :: Disable "Location Services" reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /d "0" /t REG_DWORD /f # The default value is `1` by default since Windows 10 22H2 and Windows 11 23H2. revertCode: |- :: Restore "Location Services" reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /d "1" /t REG_DWORD /f - function: BlockUWPLegacyDeviceAccess parameters: deviceAccessId: '{BFA794E4-F964-4FDB-90F6-51056BFE4B44}' - function: BlockUWPLegacyDeviceAccess parameters: deviceAccessId: '{E6AD100E-5F4E-44CD-BE0F-2265D88D14F5}' - name: Disable app access to account information, name, and picture recommend: standard # refactor-with-variables: Same • App Access Caution docs: |- This script prevents Windows apps from accessing account information [1]. This includes your name and picture [2] [3]. By limiting this access, the script enhances your privacy by protecting against potential misuse of personal details by apps. 
This script configures: - Windows policy (`LetAppsAccessAccountInfo` [1] [2]) - Privacy settings user interface (`C1D23ACC-752B-43E5-8448-8D0E519CD6D6` [4], `userAccountInformation` [3] [5]) > **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. [1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccessaccountinfo "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#187-account-info "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240427103845/https://www.c-amie.co.uk/technical/windows-10-registry-paths-for-privacy-settings/ "Windows 10 Registry Paths for Privacy Settings - C:Amie (not) Com! 
| c-amie.co.uk" [5]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com" call: - function: BlockUWPAccessViaGPO parameters: policyName: LetAppsAccessAccountInfo - function: BlockUWPAccessViaConsentStore parameters: appCapability: userAccountInformation - function: BlockUWPLegacyDeviceAccess parameters: deviceAccessId: '{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}' - name: Disable app access to motion activity recommend: standard # refactor-with-variables: Same • App Access Caution docs: |- This script prevents Windows apps from accessing motion data [1] [2] [3]. By running this script, you improve your privacy by preventing apps from automatically tracking physical movements without permission. This script configures: - Windows policy (`LetAppsAccessMotion` [1] [2]). - Privacy settings user interface (`activity` [3] [4]). > **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. 
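The location, account-information and motion scripts above each layer the same controls: an `AppPrivacy` policy value, a `CapabilityAccessManager\ConsentStore` entry behind the Privacy settings page, and, for the older capabilities, a `DeviceAccess` GUID entry. The PowerShell below is an added example for auditing those layers after a script has run; it is not part of privacy.sexy and does not reproduce what the `BlockUWP*` functions do. The registry paths, the policy value meanings (`0` user choice, `1` force allow, `2` force deny) and the `Allow`/`Deny` strings are this example's assumptions about how Windows stores each layer; the `lfsvc` `Status` check mirrors the inline `reg add` in the location script.

```powershell
#Requires -Version 5.1
# Added example, not privacy.sexy code. Audits the layers an "app access" script on
# this page configures. The registry locations below are assumptions about where
# Windows keeps each layer; the page's BlockUWP* functions are defined elsewhere.

$PolicyKey       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy'                 # Group Policy layer, machine-wide
$ConsentStore    = 'Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore' # Privacy settings UI layer (HKCU and HKLM)
$DeviceAccessKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global'  # Legacy per-GUID layer
$LocationSvcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration'  # Location Services switch the location script sets

function Get-RegValue {
    # Reads one registry value; returns $null when the key or the value does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-AppAccessState {
    # PolicyName     : AppPrivacy value, e.g. LetAppsAccessLocation (0 user choice, 1 force allow, 2 force deny)
    # Capability     : ConsentStore key name as listed on this page, e.g. location, userAccountInformation, activity
    # DeviceAccessId : optional legacy GUID as listed on this page, e.g. {BFA794E4-F964-4FDB-90F6-51056BFE4B44}
    param(
        [Parameter(Mandatory)][string]$PolicyName,
        [Parameter(Mandatory)][string]$Capability,
        [string]$DeviceAccessId
    )
    $policy = Get-RegValue -Path $PolicyKey -Name $PolicyName
    $userUi = Get-RegValue -Path "HKCU:\$ConsentStore\$Capability" -Name 'Value'
    $machUi = Get-RegValue -Path "HKLM:\$ConsentStore\$Capability" -Name 'Value'
    $legacy = if ($DeviceAccessId) { Get-RegValue -Path "$DeviceAccessKey\$DeviceAccessId" -Name 'Value' } else { 'n/a' }

    [pscustomobject]@{
        Capability    = $Capability
        Policy        = if ($policy -eq 2) { 'force deny' } elseif ($policy -eq 1) { 'force allow' } elseif ($policy -eq 0) { 'user choice' } else { '(not set)' }
        UserToggle    = if ($null -eq $userUi) { '(not set)' } else { $userUi }
        MachineToggle = if ($null -eq $machUi) { '(not set)' } else { $machUi }
        LegacyDevice  = if ($null -eq $legacy) { '(not set)' } else { $legacy }
        # Assumed precedence, simplified: a forced policy wins over the UI toggles; otherwise
        # a Deny on either toggle blocks access. Per-app grants under the capability key are ignored.
        Blocked       = ($policy -eq 2) -or (($policy -ne 1) -and ($userUi -eq 'Deny' -or $machUi -eq 'Deny'))
    }
}

# Policies, capabilities and GUIDs exactly as the three scripts above list them.
$targets = @(
    @{ PolicyName = 'LetAppsAccessLocation';    Capability = 'location';               DeviceAccessId = '{BFA794E4-F964-4FDB-90F6-51056BFE4B44}' }
    @{ PolicyName = 'LetAppsAccessAccountInfo'; Capability = 'userAccountInformation'; DeviceAccessId = '{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}' }
    @{ PolicyName = 'LetAppsAccessMotion';      Capability = 'activity' }
)
$report = foreach ($t in $targets) { Get-AppAccessState @t }
$report | Format-Table -AutoSize

# The location script additionally flips a service-level switch: 0 = off, 1 = on.
$status = Get-RegValue -Path $LocationSvcKey -Name 'Status'
'Location Services (lfsvc): {0}' -f $(if ($status -eq 0) { 'disabled' } elseif ($status -eq 1) { 'enabled' } else { 'not set' })
```

Reading `HKLM` needs no elevation, so the audit can run from a normal shell; a `Blocked` of `False` next to a `Policy` of `(not set)` is the usual sign that only the UI toggle was changed and a user can flip it back from the Privacy page.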
[1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccessmotion "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1818-motion "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com" call: - function: BlockUWPAccessViaGPO parameters: policyName: LetAppsAccessMotion - function: BlockUWPAccessViaConsentStore parameters: appCapability: activity - name: Disable app access to trusted devices recommend: standard # refactor-with-variables: Same • App Access Caution docs: |- This script prevents Windows apps from accessing trusted devices [1]. It restricts apps from automatically connecting to or controlling trusted devices without your permission, enhancing privacy protection. This script configures: - Windows policy (`LetAppsAccessTrustedDevices` [1]) > **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. 
[1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccesstrusteddevices "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" call: function: BlockUWPAccessViaGPO parameters: policyName: LetAppsAccessTrustedDevices - name: Disable app access to unpaired wireless devices recommend: standard # refactor-with-variables: Same • App Access Caution docs: |- This script prevents Windows apps from communicating with unpaired wireless devices [1]. It prevents automatic sharing and synchronization of information with devices that aren't paired [2] [3] [4]. Such devices include gaming consoles (e.g., Xbox One [2]), phones, TVs, and tablets. By preventing apps from sending data to or receiving data from such devices, this script protects your security and privacy. This script configures: - Windows policy (`LetAppsSyncWithDevices` [1] [2]) - Privacy settings user interface (`LooselyCoupled` [3] [4]) > **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. [1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappssyncwithdevices "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1815-other-devices "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240427103845/https://www.c-amie.co.uk/technical/windows-10-registry-paths-for-privacy-settings/ "Windows 10 Registry Paths for Privacy Settings - C:Amie (not) Com! 
| c-amie.co.uk" [4]: https://web.archive.org/web/20240427100504/https://4sysops.com/archives/windows-10-privacy-settings/#rtoc-18 "Windows 10 privacy settings – 4sysops | 4sysops.com" call: - function: BlockUWPAccessViaGPO parameters: policyName: LetAppsSyncWithDevices - function: BlockUWPLegacyDeviceAccess parameters: deviceAccessId: LooselyCoupled - name: Disable app access to camera docs: |- # refactor-with-variables: Same • App Access Caution This script prevents Windows apps from accessing the camera [1] [2]. By disabling access, it ensures that no app can use the camera to capture photos or videos [3] without explicit user permission, thereby protecting privacy. This script configures: - Windows policy (`LetAppsAccessCamera` [1] [2]) - Privacy settings user interface (`E5323777-F976-4f5b-9B55-B94699C46E44` [4], `webcam` [3] [5]) > **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. [1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccesscamera "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#183-camera "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240427103845/https://www.c-amie.co.uk/technical/windows-10-registry-paths-for-privacy-settings/ "Windows 10 Registry Paths for Privacy Settings 
- C:Amie (not) Com! | c-amie.co.uk" [5]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com" call: - function: BlockUWPAccessViaGPO parameters: policyName: LetAppsAccessCamera - function: BlockUWPAccessViaConsentStore parameters: appCapability: webcam - function: BlockUWPLegacyDeviceAccess parameters: deviceAccessId: '{E5323777-F976-4f5b-9B55-B94699C46E44}' - name: Disable app access to microphone (breaks Sound Recorder) docs: |- # refactor-with-variables: Same • App Access Caution This script prevents Windows apps from accessing the microphone [1] [2]. It enhances privacy by preventing apps from recording audio [3], which may include sensitive conversations. This script configures: - Windows policy (`LetAppsAccessMicrophone` [1] [2]) - Privacy settings user interface (`2EEF81BE-33FA-4800-9670-1CD474972C3F` [4], `microphone` [3] [5]) > **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. > Disabling microphone access will impact recording sounds with built-in Sound Recorder (formerly Voice Recorder) app [6]. 
[1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccessmicrophone "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#184-microphone "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240427103845/https://www.c-amie.co.uk/technical/windows-10-registry-paths-for-privacy-settings/ "Windows 10 Registry Paths for Privacy Settings - C:Amie (not) Com! 
| c-amie.co.uk" [5]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com" [6]: https://web.archive.org/web/20240427140021/https://learn.microsoft.com/en-us/hololens/hololens-cortana "Use your voice to operate HoloLens | Microsoft Learn | learn.microsoft.com" call: - function: BlockUWPAccessViaGPO parameters: policyName: LetAppsAccessMicrophone - function: BlockUWPAccessViaConsentStore parameters: appCapability: microphone - function: BlockUWPLegacyDeviceAccess parameters: deviceAccessId: '{2EEF81BE-33FA-4800-9670-1CD474972C3F}' - name: Disable app access to information about other apps recommend: standard # refactor-with-variables: Same • App Access Caution docs: |- This script prevents Windows apps from accessing diagnostic information about other apps [1] [2] [3] [4]. This includes details like user names [1], package information, memory usage, and account names for any running UWP apps [2]. This script configures: - Windows policy (`LetAppsGetDiagnosticInfo` [1] [3]) - Privacy settings user interface (`2297E4E2-5DBE-466D-A12B-0F8286F0D9CA` [4], `appDiagnostics` [2] [5]) > **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. 
[1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsgetdiagnosticinfo "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1820-app-diagnostics "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240427103845/https://www.c-amie.co.uk/technical/windows-10-registry-paths-for-privacy-settings/ "Windows 10 Registry Paths for Privacy Settings - C:Amie (not) Com! | c-amie.co.uk" [5]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com" call: - function: BlockUWPAccessViaGPO parameters: policyName: LetAppsGetDiagnosticInfo - function: BlockUWPAccessViaConsentStore parameters: appCapability: appDiagnostics - function: BlockUWPLegacyDeviceAccess parameters: deviceAccessId: '{2297E4E2-5DBE-466D-A12B-0F8286F0D9CA}' - category: Disable app access to your files docs: |- # refactor-with-variables: Same • App Access Caution This category limits the access of Windows apps to various user-specific folders and other file systems. It enhances privacy by restricting apps from accessing and manipulating files without explicit user permission. 
> **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. children: - name: Disable app access to "Documents" folder recommend: standard docs: |- # refactor-with-variable: Similar template to other file access restriction scripts This script prevents Windows apps from accessing the Documents folder [1] [2]. It restricts app access to document files without user consent [1]. After running this script, apps can still access the files when explicitly permitted [1]. This script enhances your privacy and security by preventing unauthorized app access. This script configures: - Privacy settings user interface (`documentsLibrary` [1] [2]) > **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. [1]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com" call: function: BlockUWPAccessViaConsentStore parameters: appCapability: documentsLibrary - name: Disable app access to "Pictures" folder recommend: standard docs: |- # refactor-with-variable: Similar template to other file access restriction scripts This script prevents Windows apps from accessing the Pictures folder [1] [2]. It restricts app access to photos and images without user consent [1]. After running this script, apps can still access the files when explicitly permitted [1]. This script enhances your privacy and security by preventing unauthorized app access. 
This script configures: - Privacy settings user interface (`picturesLibrary` [1] [2]) > **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. > This may specifically impact photo-related apps [1]. [1]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com" call: function: BlockUWPAccessViaConsentStore parameters: appCapability: picturesLibrary - name: Disable app access to "Videos" folder recommend: standard docs: |- # refactor-with-variable: Similar template to other file access restriction scripts This script prevents Windows apps from accessing the Videos folder [1] [2]. It restricts app access to video files without user consent [1]. After running this script, apps can still access the files when explicitly permitted [1]. This script enhances your privacy and security by preventing unauthorized app access. This script configures: - Privacy settings user interface (`videosLibrary` [1] [2]) > **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. > This may specifically impact movie playback apps [1]. 
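The folder scripts in this category (Documents, Pictures and Videos above; Music and personal files follow) only change the global ConsentStore toggle for each capability. Underneath that toggle Windows keeps per-app entries, which is the mechanism behind "apps can still access the files when explicitly permitted". The PowerShell below is added here as an example and is not part of privacy.sexy; it lists the global toggle and every per-app entry for the five folder capabilities so you can see which packaged apps and which desktop executables still hold an `Allow`. The ConsentStore path, the `NonPackaged` subkey for desktop apps and the `#`-for-`\` encoding of executable paths are this example's assumptions about the Windows layout, not values taken from the page.

```powershell
#Requires -Version 5.1
# Added example, not privacy.sexy code. Lists the global toggle and the per-app grants
# stored under each folder capability's ConsentStore key. Layout assumed, not taken
# from the page: <capability>\Value is the global toggle, packaged apps get a subkey
# named by package family name, and desktop apps sit under NonPackaged with the
# executable path encoded using '#' in place of '\'.

$ConsentStore = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore'

function Get-CapabilityGrants {
    param([Parameter(Mandatory)][string]$Capability)
    $root = Join-Path $ConsentStore $Capability
    if (-not (Test-Path -LiteralPath $root)) {
        # No key at all: the toggle has never been written for this user.
        [pscustomobject]@{ Capability = $Capability; Scope = 'global'; App = '(toggle)'; Value = '(not set)' }
        return
    }
    $global = (Get-ItemProperty -LiteralPath $root -ErrorAction SilentlyContinue).Value
    [pscustomobject]@{ Capability = $Capability; Scope = 'global'; App = '(toggle)'; Value = $global }

    foreach ($sub in Get-ChildItem -LiteralPath $root) {
        if ($sub.PSChildName -eq 'NonPackaged') {
            # Classic desktop apps that requested the capability; one subkey per executable path.
            foreach ($exe in Get-ChildItem -LiteralPath $sub.PSPath) {
                [pscustomobject]@{
                    Capability = $Capability
                    Scope      = 'desktop'
                    App        = ($exe.PSChildName -replace '#', '\')
                    Value      = $exe.GetValue('Value')
                }
            }
        }
        else {
            # Packaged (Store/UWP) apps, keyed by package family name.
            [pscustomobject]@{ Capability = $Capability; Scope = 'packaged'; App = $sub.PSChildName; Value = $sub.GetValue('Value') }
        }
    }
}

# The five folder capabilities this category configures, named as on this page.
$folders = 'documentsLibrary', 'picturesLibrary', 'videosLibrary', 'musicLibrary', 'broadFileSystemAccess'
$grants  = foreach ($cap in $folders) { Get-CapabilityGrants -Capability $cap }

# First the global toggle per capability, then every app that still holds an Allow beneath it.
$grants | Where-Object Scope -eq 'global' | Format-Table Capability, Value -AutoSize
$grants | Where-Object { $_.Scope -ne 'global' -and $_.Value -eq 'Allow' } | Format-Table Capability, Scope, App, Value -AutoSize
```

The per-app rows are worth keeping in an audit: a script that only writes the global `Deny` leaves them in place, so the moment the toggle is switched back on from the Privacy page those apps regain access without any new prompt.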
[1]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com" call: function: BlockUWPAccessViaConsentStore parameters: appCapability: videosLibrary - name: Disable app access to "Music" folder recommend: standard docs: |- # refactor-with-variable: Similar template to other file access restriction scripts This script prevents Windows apps from accessing the Music folder [1]. It restricts app access to audio files without user consent [1]. After running this script, apps can still access the files when explicitly permitted [1]. This script enhances your privacy and security by preventing unauthorized app access. This script configures: - Privacy settings user interface (`musicLibrary` [1]) > **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. [1]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com" call: function: BlockUWPAccessViaConsentStore parameters: appCapability: musicLibrary - name: Disable app access to personal files recommend: standard docs: |- # refactor-with-variable: Same • App Access Caution • Template as other file access restriction scripts This script restricts app access to the broader file system [1] [2]. It restricts app access to files that the user has access to without user consent [2]. After running this script, apps can still access the files when explicitly permitted [1]. 
This script enhances your privacy and security by preventing unauthorized app access. This script configures: - Privacy settings user interface (`broadFileSystemAccess` [1] [2]) > **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. [1]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com" call: function: BlockUWPAccessViaConsentStore parameters: appCapability: broadFileSystemAccess - name: Disable app access to your contacts recommend: standard # refactor-with-variable: Same • App Access Caution docs: |- This script prevents Windows apps from accessing your contact list [1] [2] [3] [4] [5]. Your contact list may include sensitive details synced from various networks [2]. This script improves privacy by restricting applications from automatically accessing the personal and sensitive details in your contact list. This script configures: - Windows policy (`LetAppsAccessContacts` [1] [3]) - Privacy settings user interface (`7D7E8402-7C54-4821-A34E-AEEFD62DED93` [4], `contacts` [2] [5]) > **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. 
[1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccesscontacts "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#188-contacts "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240427103845/https://www.c-amie.co.uk/technical/windows-10-registry-paths-for-privacy-settings/ "Windows 10 Registry Paths for Privacy Settings - C:Amie (not) Com! | c-amie.co.uk" [5]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com" call: - function: BlockUWPAccessViaGPO parameters: policyName: LetAppsAccessContacts - function: BlockUWPAccessViaConsentStore parameters: appCapability: contacts - function: BlockUWPLegacyDeviceAccess parameters: deviceAccessId: '{7D7E8402-7C54-4821-A34E-AEEFD62DED93}' - name: Disable app access to notifications recommend: strict # User may be in need of notifications from apps like Instagram and Whatsapp #339 docs: |- # refactor-with-variable: Same • App Access Caution This script prevents Windows apps from accessing notifications [1] [2] [3]. It enhances privacy by ensuring that apps cannot access [1] [2] [3] or manage [4] notifications without explicit user permission. 
Notifications can contain personal or sensitive information. This script configures: - Windows policy (`LetAppsAccessNotifications` [1] [2]) - Privacy settings user interface (`52079E78-A92B-413F-B213-E8FE35712E72` [3], `userNotificationListener` [4] [5]) > **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. > This may disrupt essential functions, such as receiving alerts from messaging apps including Instagram and WhatsApp [6]. [1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccessnotifications "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#185-notifications "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240427103845/https://www.c-amie.co.uk/technical/windows-10-registry-paths-for-privacy-settings/ "Windows 10 Registry Paths for Privacy Settings - C:Amie (not) Com! 
| c-amie.co.uk" [4]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com" [5]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com" [6]: https://web.archive.org/web/20240428104000/https://github.com/undergroundwires/privacy.sexy/issues/339 "[BUG]: Ran the standard protection and now my Windows does not display notifications to apps like Instagram and Whatsapp · Issue #339 · undergroundwires/privacy.sexy · GitHub | github.com" call: - function: BlockUWPAccessViaGPO parameters: policyName: LetAppsAccessNotifications - function: BlockUWPAccessViaConsentStore parameters: appCapability: userNotificationListener - function: BlockUWPLegacyDeviceAccess parameters: deviceAccessId: '{52079E78-A92B-413F-B213-E8FE35712E72}' - name: Disable app access to calendar recommend: standard # refactor-with-variable: Same • App Access Caution docs: |- This script prevents Windows apps from accessing calendar data [1] [2] [3] [4] [5]. This includes information about appointments from your synced network accounts [2]. It protects your personal schedule by preventing apps from automatically creating [2], reading [1] [2] [3] [4] [5], or writing to calendars [2] without explicit user permission. This script configures: - Windows policy (`LetAppsAccessCalendar` [1] [3]) - Privacy settings user interface (`D89823BA-7180-4B81-B50C-7E471E6121A3` [4], `appointments` [2] [5]) > **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. 
[1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccesscalendar "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#189-calendar "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240427103845/https://www.c-amie.co.uk/technical/windows-10-registry-paths-for-privacy-settings/ "Windows 10 Registry Paths for Privacy Settings - C:Amie (not) Com! | c-amie.co.uk" [5]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com" call: - function: BlockUWPAccessViaGPO parameters: policyName: LetAppsAccessCalendar - function: BlockUWPAccessViaConsentStore parameters: appCapability: appointments - function: BlockUWPLegacyDeviceAccess parameters: deviceAccessId: '{D89823BA-7180-4B81-B50C-7E471E6121A3}' - category: Disable app access to phone docs: |- # refactor-with-variable: Same • App Access Caution This category contains scripts that restrict app access to phone-related functionalities. They protect your privacy and security by ensuring communication details remain private and are accessible only when necessary. 
> **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. children: - name: Disable app access to call history recommend: standard docs: |- # refactor-with-variable: Same • App Access Caution This script prevents Windows apps from accessing your call history [1] [2] [3] [4] [5]. It protects past communication records by blocking apps from automatically reading and deleting call history [1] without explicit user permission. This script configures: - Windows policy (`LetAppsAccessCallHistory` [2] [3]) - Privacy settings user interface (`8BC668CF-7728-45BD-93F8-CF2B3B41D7AB` [4], `phoneCallHistory` [1] [5]) > **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. [1]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccesscallhistory "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1810-call-history "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240427103845/https://www.c-amie.co.uk/technical/windows-10-registry-paths-for-privacy-settings/ "Windows 10 Registry Paths for Privacy Settings - C:Amie (not) Com! 
| c-amie.co.uk" [5]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com" call: - function: BlockUWPAccessViaGPO parameters: policyName: LetAppsAccessCallHistory - function: BlockUWPAccessViaConsentStore parameters: appCapability: phoneCallHistory - function: BlockUWPLegacyDeviceAccess parameters: deviceAccessId: '{8BC668CF-7728-45BD-93F8-CF2B3B41D7AB}' - name: Disable app access to phone calls (breaks phone calls through Phone Link) recommend: strict # Breaks "Calls" feature (making and receiving phone calls) of Microsoft Phone Link #350 docs: |- # refactor-with-variable: Same • App Access Caution This script prevents Windows apps from accessing phone calls [1] [2] [3]. This includes reading phone call data [1] and making phone calls [1] [2] [3]. By controlling app permissions related to phone functionalities, it ensures that your personal communication remains private and secure, requiring explicit user approval before any app can interact with phone calls. The restrictions include: - Preventing apps from accessing phone call data, including metadata and call triggers [1]. - Disallowing apps from managing spam filters, such as modifying block lists or call origin details [1]. - Blocking apps from initiating calls [1] [2] [3] or displaying the system dialer [1] without user consent. This script configures: - Windows policy (`LetAppsAccessPhone` [2] [3]) - Privacy settings user interface (`phoneCall` [1]) > **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. > This will disable the Calls feature in the Microsoft Phone Link app, preventing the ability to make and receive > phone calls through your PC [4]. 
[1]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1813-phone-calls "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccessphone "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [4]: https://github.com/undergroundwires/privacy.sexy/issues/350 "[BUG]: After applying Standard selection Phone Link is broken · Issue #350 · undergroundwires/privacy.sexy" call: - function: BlockUWPAccessViaGPO parameters: policyName: LetAppsAccessPhone - function: BlockUWPAccessViaConsentStore parameters: appCapability: phoneCall - name: Disable app access to messaging (SMS / MMS) recommend: standard docs: |- # refactor-with-variable: Same • App Access Caution This script prevents Windows apps from accessing messages [1] [2] [3] [4] [5]. It protects your privacy by blocking apps from automatically reading [1] [2] [3] [4], storing [1], sending [2] [3] [4], or deleting [1] SMS/MMS messages without your permission. This script configures: - Windows policy (`LetAppsAccessMessaging` [2] [3]) - Privacy settings user interface (`992AFA70-6F47-4148-B3E9-3003349C1548` [4], `21157C1F-2651-4CC1-90CA-1F28B02263F6` [4], `chat` [1] [5]) > **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. 
[1]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccessmessaging "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1812-messaging "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240427103845/https://www.c-amie.co.uk/technical/windows-10-registry-paths-for-privacy-settings/ "Windows 10 Registry Paths for Privacy Settings - C:Amie (not) Com! | c-amie.co.uk" [5]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com" call: - function: BlockUWPAccessViaGPO parameters: policyName: LetAppsAccessMessaging - function: BlockUWPAccessViaConsentStore parameters: appCapability: chat - function: BlockUWPLegacyDeviceAccess parameters: deviceAccessId: '{992AFA70-6F47-4148-B3E9-3003349C1548}' - function: BlockUWPLegacyDeviceAccess parameters: deviceAccessId: '{21157C1F-2651-4CC1-90CA-1F28B02263F6}' - name: Disable app access to email recommend: standard docs: |- # refactor-with-variable: Same • App Access Caution This script prevents Windows apps from accessing email [1] [2] [3] [4] [5]. 
It protects your privacy by blocking apps from automatically reading [1], sending [1] [2], organizing [1] emails without your permission. This script configures: - Windows policy (`LetAppsAccessEmail` [2] [3]) - Privacy settings user interface (`9231CB4C-BF57-4AF3-8C55-FDA7BFCC04C5` [4], `email` [1] [5]) > **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. [1]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1811-email "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccessemail "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240427103845/https://www.c-amie.co.uk/technical/windows-10-registry-paths-for-privacy-settings/ "Windows 10 Registry Paths for Privacy Settings - C:Amie (not) Com! 
| c-amie.co.uk" [5]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com" call: - function: BlockUWPAccessViaGPO parameters: policyName: LetAppsAccessEmail - function: BlockUWPAccessViaConsentStore parameters: appCapability: email - function: BlockUWPLegacyDeviceAccess parameters: deviceAccessId: '{9231CB4C-BF57-4AF3-8C55-FDA7BFCC04C5}' - name: Disable app access to tasks recommend: standard docs: |- # refactor-with-variable: Same • App Access Caution This script prevents Windows apps from accessing task data [1] [2] [3] [4] [5]. These task items may be stored by Exchange ActiveSync (EAS) connections and other provider apps [1]. This script protects your privacy by preventing unauthorized access without your permission to your task information. This script configures: - Windows policy (`LetAppsAccessTasks` [2] [3]) - Privacy settings user interface (`E390DF20-07DF-446D-B962-F5C953062741` [4], `userDataTasks` [1] [5]) > **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. 
[1]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccesstasks "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1819-tasks "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240427103845/https://www.c-amie.co.uk/technical/windows-10-registry-paths-for-privacy-settings/ "Windows 10 Registry Paths for Privacy Settings - C:Amie (not) Com! | c-amie.co.uk" [5]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com" call: - function: BlockUWPAccessViaGPO parameters: policyName: LetAppsAccessTasks - function: BlockUWPAccessViaConsentStore parameters: appCapability: userDataTasks - function: BlockUWPLegacyDeviceAccess parameters: deviceAccessId: '{E390DF20-07DF-446D-B962-F5C953062741}' - name: Disable app access to radios recommend: standard docs: |- # refactor-with-variable: Same • App Access Caution This script prevents Windows apps from controlling radios [1] [2] [3] [4] [5], improving privacy by preventing unauthorized use or toggling of these components. This script ensures that apps cannot toggle device radios [1] [2] such as Wi-Fi and Bluetooth [1] without your explicit consent. 
This script configures: - Windows policy (`LetAppsAccessRadios` [2] [3]) - Privacy settings user interface (`A8804298-2D5F-42E3-9531-9C8C39EB29CE` [4], `radios` [1] [5]) > **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. [1]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1814-radios "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccessradios "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240427103845/https://www.c-amie.co.uk/technical/windows-10-registry-paths-for-privacy-settings/ "Windows 10 Registry Paths for Privacy Settings - C:Amie (not) Com! 
| c-amie.co.uk" [5]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com" call: - function: BlockUWPAccessViaGPO parameters: policyName: LetAppsAccessRadios - function: BlockUWPAccessViaConsentStore parameters: appCapability: radios - function: BlockUWPLegacyDeviceAccess parameters: deviceAccessId: '{A8804298-2D5F-42E3-9531-9C8C39EB29CE}' - category: Disable app access to Bluetooth devices docs: |- # refactor-with-variable: Same • App Access Caution This category enhances user privacy by blocking unauthorized access to Bluetooth devices through Windows apps. It restricts Bluetooth connections, preventing apps from initiating unwanted communication or data exchange. > **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. children: - name: Disable app access to paired Bluetooth devices recommend: standard docs: |- # refactor-with-variable: Same • App Access Caution This script prevents Windows apps from accessing paired Bluetooth devices [1]. This script improves your privacy by preventing apps from automatically interacting with paired Bluetooth devices [1], thus blocking unauthorized data exchanges without your permission. This script configures: - Privacy settings user interface (`bluetooth` [1]) > **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. 
[1]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com" call: function: BlockUWPAccessViaConsentStore parameters: appCapability: bluetooth - name: Disable app access to unpaired Bluetooth devices recommend: standard docs: |- # refactor-with-variable: Same • App Access Caution This script prevents Windows apps from accessing unpaired Bluetooth devices [1] [2]. This script protects your privacy by blocking apps from automatically sharing and synchronizing information with wireless devices that don't explicitly pair with your PC [2], preventing unauthorized data exchange without your permission. This script configures: - Privacy settings user interface (`bluetoothSync` [1] [2]) > **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. [1]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com" [2]: https://web.archive.org/web/20240427192428/https://www.tenforums.com/tutorials/85048-turn-off-apps-communicate-unpaired-devices-windows-10-a.html "Turn On or Off Apps Communicate with Unpaired Devices in Windows 10 | Tutorials | www.tenforums.com" call: function: BlockUWPAccessViaConsentStore parameters: appCapability: bluetoothSync - category: Disable app access to voice activation docs: |- # refactor-with-variable: Same • App Access Caution This category safeguards against unauthorized app activation via voice commands. It includes measures to disable voice activation for apps, ensuring that apps cannot be triggered by voice and start listening without explicit user permission. 
This protects your security against potential eavesdropping or accidental triggering of applications. > **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. children: - name: Disable app access to voice activation recommend: standard docs: |- # refactor-with-variable: Same • App Access Caution This script prevents Windows apps from voice activation [1] [2] [3] [4]. This script improves privacy by preventing apps from being activated [1] [2] [3] [4] and from continuing to listen [3] [4] automatically while the device is locked without explicit user instruction. This protects your security against potential eavesdropping or accidental triggering of applications. This script configures: - Windows policy (`LetAppsActivateWithVoice` [1] [2] [4]) - Privacy settings user interface (`AgentActivationEnabled` [3]) > **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. > This affects Cortana and may impact its functionality [1] [2]. 
[1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsactivatewithvoice "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240427115516/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppPrivacy::LetAppsActivateWithVoice "Let Windows apps activate with voice | admx.help" [3]: https://web.archive.org/web/20240427115515/https://www.tenforums.com/tutorials/130122-allow-deny-apps-access-use-voice-activation-windows-10-a.html "Allow or Deny Apps Access to Use Voice Activation in Windows 10 | Tutorials | www.tenforums.com" [4]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1823-voice-activation "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com" call: - function: BlockUWPAccessViaGPO parameters: policyName: LetAppsActivateWithVoice - function: SetRegistryValue parameters: keyPath: HKCU\Software\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps valueName: AgentActivationEnabled dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable app access to voice activation on locked system recommend: standard docs: |- # refactor-with-variable: Same • App Access Caution This script prevents Windows apps from voice activation when the system is locked [1] [2] [3] [4]. This script improves privacy by preventing apps from being activated [1] [2] [3] [4] and from continuing to listen [3] [4] automatically while the device is locked without explicit user instruction. 
This protects your security against potential eavesdropping or accidental triggering of applications. This script configures: - Windows policy (`LetAppsActivateWithVoiceAboveLock` [1] [2]) - Privacy settings user interface (`AgentActivationEnabled` [3]) > **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. > This affects Cortana and may impact its functionality [1] [2]. [1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsactivatewithvoiceabovelock "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240427115725/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppPrivacy::LetAppsActivateWithVoiceAboveLock "Let Windows apps activate with voice while the system is locked | admx.help" [3]: https://web.archive.org/web/20240427115515/https://www.tenforums.com/tutorials/130122-allow-deny-apps-access-use-voice-activation-windows-10-a.html "Allow or Deny Apps Access to Use Voice Activation in Windows 10 | Tutorials | www.tenforums.com" [4]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1823-voice-activation "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com" call: - function: BlockUWPAccessViaGPO parameters: policyName: LetAppsActivateWithVoiceAboveLock - function: SetRegistryValue parameters: keyPath: HKCU\Software\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps valueName: AgentActivationOnLockScreenEnabled dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 
23H2) - name: Disable app access to physical movement recommend: standard docs: |- # refactor-with-variable: Same • App Access Caution This script prevents Windows apps from accessing spatial perception data [1] [2]. This includes movement of the user's head, hands, motion controllers, and other tracked objects [1], as well as nearby surfaces [2]. This data may be accessed while the apps are running in the background [1] [2]. This script enhances privacy by preventing apps from accessing body-related data automatically [1] [2] , without explicit user permission. This script configures: - Windows policy (`LetAppsAccessBackgroundSpatialPerception` [1]) - Privacy settings user interface (`spatialPerception` [2], `backgroundSpatialPerception` [2]) > **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. > Disabling access to physical movement may impact the functionality of mixed reality apps that use this data [2]. [1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccessbackgroundspatialperception "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com" call: - function: BlockUWPAccessViaGPO parameters: policyName: LetAppsAccessBackgroundSpatialPerception - function: BlockUWPAccessViaConsentStore parameters: appCapability: spatialPerception - function: BlockUWPAccessViaConsentStore parameters: appCapability: backgroundSpatialPerception - name: Disable app access to eye tracking recommend: standard docs: |- # refactor-with-variable: Same • App Access Caution This script prevents Windows apps from accessing the eye tracker [1] [2]. 
This script improves privacy by blocking apps from tracking users' eye automatically without explicit user instruction. This script configures: - Windows policy (`LetAppsAccessGazeInput` [1]) - Privacy settings user interface (`gazeInput` [2]) > **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. > This may significantly impact the functionality of mixed reality apps that rely on this data [2]. > These apps may be unable to detect where a user is looking within the application bounds when an eye-tracking > device is connected [2]. [1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccessgazeinput "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com" call: - function: BlockUWPAccessViaGPO parameters: policyName: LetAppsAccessGazeInput - function: BlockUWPAccessViaConsentStore parameters: appCapability: gazeInput - name: Disable app access to human presence recommend: standard docs: |- # refactor-with-variable: Same • App Access Caution This script prevents Windows apps from accessing presence sensing [1] [2]. Presence data includes information on user presence and engagement [2]. This data could potentially be used to infer user behavior or activities. This script improves privacy by blocking apps from Presence Sensors on the device [2] without explicit user instruction. This script configures: - Windows policy (`LetAppsAccessHumanPresence` [1]) - Privacy settings user interface (`humanPresence` [2]) > **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. 
[1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccesshumanpresence "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com" call: - function: BlockUWPAccessViaGPO parameters: policyName: LetAppsAccessHumanPresence - function: BlockUWPAccessViaConsentStore parameters: appCapability: humanPresence - name: Disable app access to screen capture recommend: standard # It does not affect built-in Snipping Tool docs: |- # refactor-with-variable: Same • App Access Caution This script restricts Windows apps from taking screenshots of the user's screen [1] [2] [3]. This script improves privacy by blocking apps from taking screenshots programmatically [1] [3], and without showing a screenshot border [3], without explicit user instruction. This script configures: - Windows policy (`LetAppsAccessGraphicsCaptureProgrammatic` [1], `LetAppsAccessGraphicsCaptureWithoutBorder` [2]) - Privacy settings user interface (`graphicsCaptureProgrammatic` [3], `graphicsCaptureWithoutBorder` [3]) > **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. 
[1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccessgraphicscaptureprogrammatic "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccessgraphicscapturewithoutborder "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com" call: - function: BlockUWPAccessViaGPO parameters: policyName: LetAppsAccessGraphicsCaptureProgrammatic - function: BlockUWPAccessViaConsentStore parameters: appCapability: graphicsCaptureProgrammatic - function: BlockUWPAccessViaGPO parameters: policyName: LetAppsAccessGraphicsCaptureWithoutBorder - function: BlockUWPAccessViaConsentStore parameters: appCapability: graphicsCaptureWithoutBorder - name: Disable app access to background activity (breaks Cortana, Search, live tiles, notifications) docs: |- # refactor-with-variable: Same • App Access Caution This script prevents Windows apps from running in the background [1] [2] [3]. This script may improve system performance by reducing resource usage. This script configures: - Windows policy (`LetAppsRunInBackground` [1] [2]) - Privacy settings user interface (`BackgroundAccessApplications!GlobalUserDisabled` [3]) > **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. > This may impact the functionality of apps that rely on background tasks, such as Cortana and Search [2]. > It may also impact live tile updates, along with notifications such as text messages, email and voicemail [3]. 
[1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsruninbackground "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1817-background-apps "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240427103845/https://www.c-amie.co.uk/technical/windows-10-registry-paths-for-privacy-settings/ "Windows 10 Registry Paths for Privacy Settings - C:Amie (not) Com! | c-amie.co.uk" call: - function: BlockUWPAccessViaGPO parameters: policyName: LetAppsRunInBackground - function: SetRegistryValue parameters: keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications valueName: GlobalUserDisabled dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable app access to input devices recommend: standard docs: |- # refactor-with-variable: Same • App Access Caution This script prevents apps from accessing Human Interface Device (HID) capabilities [1]. HIDs include a wide range of devices such as keyboards, mice, and other input devices that can communicate directly with the system. By restricting access, the script ensures that applications cannot intercept or record input data from these devices, thereby safeguarding user interactions. This script configures: - Privacy settings user interface (`humanInterfaceDevice` [1]) > **Caution:** > Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications. 
[1]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com" call: function: BlockUWPAccessViaConsentStore parameters: appCapability: humanInterfaceDevice - category: Disable Application Experience data collection docs: |- Application Experience comprises services and tasks that help applications, including older ones, run smoothly. These components collect and send telemetry data to Microsoft, potentially impacting user privacy [1] [2] [3] [4]. Scripts under this category aim to enhance user privacy, data protection, and protect the system from potential vulnerabilities [5]. They also optimize system performance [1] [2] by removing non-essential operating system components. However, disabling Application Experience could influence the performance or compatibility of specific applications or services on your system [3] [5]. [1]: https://web.archive.org/web/20230929124611/https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/high-network-bandwidth-usage "High network bandwidth usage - Configuration Manager | Microsoft Learn" [2]: https://web.archive.org/web/20230929124644/https://geeksadvice.com/fix-microsoft-compatibility-telemetry-high-cpu-usage/ "Fix Microsoft Compatibility Telemetry High CPU Usage (CompatTelRunner.exe) | Geek's Advice" [3]: https://web.archive.org/web/20230528031527/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/overview "Desktop Analytics - Configuration Manager | Microsoft Learn" [4]: https://web.archive.org/web/20230928142052/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/monitor-connection-health "Monitor connection health - Configuration Manager | Microsoft Learn" [5]: https://web.archive.org/web/20230929124720/https://nvd.nist.gov/vuln/detail/CVE-2019-1267 "NVD - CVE-2019-1267 | nist.gov" children: # Excluding: # - 
"Application Experience" service (`AeLookupSvc`) as it does not exists since Windows 10 21H1 and Windows 11 22H2 - category: Disable automatic system compatibility checks (Microsoft Compatibility Appraiser) docs: |- This category covers disabling of the Microsoft Compatibility Appraiser. This tool checks your computer's software and hardware compatibility with the latest Windows updates, including major upgrades such as Windows 11 [1]. It scans your system, collecting detailed information about your apps and devices to ensure everything will work smoothly with potential updates [2] [3]. This process helps Microsoft improve Windows and keep your system running efficiently with the latest features. However, it sends substantial system usage data to Microsoft, raising privacy concerns for some users. This script optimizes your computer by managing how it prepares for Windows updates. The Microsoft Compatibility Appraiser, designed to check system readiness for new updates, routinely discards saved update data [2]. Consequently, your computer must redownload this data during subsequent update checks, consuming significant internet bandwidth [2] and CPU resources [3]. Preventing this redundancy, the script reduces internet usage and improves computer performance. The Microsoft Compatibility Appraiser contributes to Desktop Analytics [2] (formerly Windows Analytics [4]), a system that collects and sends Windows diagnostics and app usage data to Microsoft servers [4]. This service is unavailable in high-privacy settings such as GCC High or the US Department of Defense [4], highlighting its potential privacy implications. These organizations, known for stringent privacy and security standards, do not utilize Desktop Analytics, suggesting the service's inherent data collection practices may not align with high-privacy protocols. Despite its utility, Microsoft Compatibility Appraiser can introduce additional vulnerabilities to your system. 
A known elevation of privilege vulnerability linked with the appraiser allows a configuration file to be susceptible to symbolic link and hard link attacks, also known as the "Microsoft Compatibility Appraiser Elevation of Privilege Vulnerability" [5]. By disabling the Microsoft Compatibility Appraiser, this category contributes to enhancing your system's privacy by reducing unnecessary data transmission to Microsoft servers, mitigating potential vulnerabilities, and conserving network bandwidth and CPU usage. [1]: https://web.archive.org/web/20230929124550/https://support.microsoft.com/en-us/windows/how-to-check-if-your-device-meets-windows-11-system-requirements-after-changing-device-hardware-f3bc0aeb-6884-41a1-ab57-88258df6812b "How to check if your device meets Windows 11 system requirements after changing device hardware - Microsoft Support" [2]: https://web.archive.org/web/20230929124611/https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/high-network-bandwidth-usage "High network bandwidth usage - Configuration Manager | Microsoft Learn" [3]: https://web.archive.org/web/20230929124644/https://geeksadvice.com/fix-microsoft-compatibility-telemetry-high-cpu-usage/ "Fix Microsoft Compatibility Telemetry High CPU Usage (CompatTelRunner.exe) | Geek's Advice" [4]: https://web.archive.org/web/20230528031527/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/overview "Desktop Analytics - Configuration Manager | Microsoft Learn" [5]: https://web.archive.org/web/20230929124720/https://nvd.nist.gov/vuln/detail/CVE-2019-1267 "NVD - CVE-2019-1267 | nist.gov" children: - name: Disable daily compatibility data collection ("Microsoft Compatibility Appraiser" task) recommend: standard docs: |- This script disables the "Microsoft Compatibility Appraiser" scheduled task. The "Microsoft Compatibility Appraiser" is a default scheduled task in Windows [1] [2]. 
It collects program telemetry information for participants in the Microsoft Customer Experience Improvement Program [2], and it maintains this data collection across computer reboots [2]. Running at least daily [3], this task assesses your system's eligibility for Windows 11 upgrades [4]. By disabling this task, the script helps in optimizing computer performance as recommended by Microsoft [1] [2]. This action prevents the task from collecting and sending your computer's data to Microsoft, enhancing your privacy and conserving system resources. It also stops the task from checking Windows 11 eligibility, which can be beneficial for systems that do not plan to upgrade. > **Caution:** While this script increases privacy, it may limit the system's ability to automatically resolve compatibility > issues or provide upgrade recommendations. ### Overview of default task statuses `\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser` [3] [4]: | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟢 Ready | | Windows 11 22H2 | 🟢 Ready | | Windows 11 23H2 | 🟢 Ready | [1]: https://web.archive.org/web/20230929130253/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-1803#scheduled-tasks "Optimizing Windows 10, version 1803, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn" [2]: https://web.archive.org/web/20230929130219/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004#scheduled-tasks "Optimizing Windows 10, Build 2004, for a Virtual Desktop role | Microsoft Learn" [3]: https://web.archive.org/web/20230929124611/https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/high-network-bandwidth-usage#mitigation "High network bandwidth usage - Configuration Manager | Microsoft Learn" [4]: 
https://web.archive.org/web/20230929124550/https://support.microsoft.com/en-us/windows/how-to-check-if-your-device-meets-windows-11-system-requirements-after-changing-device-hardware-f3bc0aeb-6884-41a1-ab57-88258df6812b "How to check if your device meets Windows 11 system requirements after changing device hardware - Microsoft Support" call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Application Experience\' -TaskName 'Microsoft Compatibility Appraiser' taskPathPattern: \Microsoft\Windows\Application Experience\ taskNamePattern: Microsoft Compatibility Appraiser - name: Disable telemetry collector and sender process (`CompatTelRunner.exe`) recommend: standard docs: |- This script disables `CompatTelRunner.exe`, associated with the Microsoft Compatibility Appraiser [1] [2] This process runs at least daily [2] from Windows 7 onwards [3] [4]. It collects extensive data, including information about devices, apps, drivers, hardware configurations, and other user engagement details [1] [6]. This data, formerly known as Windows Customer Data [7], is then sent to Microsoft servers [1]. `CompatTelRunner.exe` is known for high CPU [8], disk [8], and network usage [2], affecting system performance. Disabling it can therefore lead to better computer efficiency and enhanced privacy by reducing data transmission to Microsoft. The `CompatTelRunner.exe` is located in the directory: `%WINDIR%\System32\CompatTelRunner.exe` [1]. This script specifically targets and disables it at this location. 
[1]: https://web.archive.org/web/20230928142052/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/monitor-connection-health "Monitor connection health - Configuration Manager | Microsoft Learn" [2]: https://web.archive.org/web/20230929124611/https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/high-network-bandwidth-usage "High network bandwidth usage - Configuration Manager | Microsoft Learn" [3]: https://web.archive.org/web/20230929132723/https://support.microsoft.com/en-us/topic/compatibility-update-for-keeping-windows-up-to-date-in-windows-7-5fe4a218-adf1-9074-9522-bea956cf149b "Compatibility update for keeping Windows up-to-date in Windows 7 - Microsoft Support" [4]: https://web.archive.org/web/20230929132734/https://support.microsoft.com/en-us/topic/compatibility-update-for-keeping-windows-up-to-date-in-windows-8-1-34c1fdff-bb94-32ef-4a8b-0d71e11c4af0 "Compatibility update for keeping Windows up-to-date in Windows 8.1 - Microsoft Support" [5]: https://web.archive.org/web/20230929132806/https://support.microsoft.com/en-us/topic/update-rollup-2-for-system-center-configuration-manager-current-branch-version-1810-fb956f05-ef39-03b4-ab73-e66dd5e96a9a "Update Rollup 2 for System Center Configuration Manager current branch, version 1810 - Microsoft Support" [6]: https://web.archive.org/web/20230929132837/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-8.1-and-8/appraiser-diagnostic-data-events-and-fields#windows-customer-data-opt-in "Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields | Microsoft Learn" [7]: https://web.archive.org/web/20230929132845/https://support.microsoft.com/en-us/topic/compatibility-update-for-keeping-windows-up-to-date-in-windows-server-2012-r2-and-windows-server-2008-r2-sp1-c62197fb-d711-f7d3-f135-172844b9f322 "Compatibility update for keeping Windows up-to-date in Windows Server 2012 R2 and Windows Server 2008 R2 SP1 - Microsoft Support" [8]: 
https://web.archive.org/web/20230929124644/https://geeksadvice.com/fix-microsoft-compatibility-telemetry-high-cpu-usage/ "Fix Microsoft Compatibility Telemetry High CPU Usage (CompatTelRunner.exe) | Geek's Advice" call: - function: TerminateAndBlockExecution parameters: executableNameWithExtension: CompatTelRunner.exe - function: SoftDeleteFiles parameters: fileGlob: '%WINDIR%\System32\CompatTelRunner.exe' grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 - category: Disable background application compatibility checks (Application Experience scheduled tasks) docs: |- This category focuses on disabling scheduled tasks related to Application Experience. These tasks aim to improve user experience by identifying compatibility issues with older software and boosting application performance. However, they also collect and transmit telemetry data to Microsoft. Disabling them can optimize system performance, reduce unwanted data collection, and lower security risks. To view all the scheduled tasks related to Application Experience, you can use the following PowerShell command: ```powershell @('\Microsoft\Windows\Application Experience\*') ` | ForEach-Object { Get-ScheduledTask -TaskName '*' -TaskPath $_ -ErrorAction SilentlyContinue } ` | ForEach-Object { Write-Host "$($_.TaskPath)$($_.TaskName)" } ``` children: - name: Disable program data collection and reporting (`ProgramDataUpdater`) recommend: standard docs: |- This script disables the "ProgramDataUpdater" scheduled task. This component collects and transmits Application Telemetry information for participants in the Microsoft Customer Experience Improvement Program [1]. Running this script improves privacy and security by limiting data transmission, making it suitable for high-security environments. Recommendations to disable or delete this task have been voiced by both the Polish [2] and Argentine [3] governments. 
Microsoft acknowledges this task as non-essential, explaining that its deactivation improves system reliability and performance by preventing possible degradation [1] [4]. It highlights that the task's deactivation will not adversely affect other users and services, reinforcing its non-critical nature [1]. Running this script prioritizes privacy by reducing telemetry data sent to Microsoft. This choice comes without any notable drawbacks [1], thereby ensuring enhanced privacy and security. ### Overview of default task statuses `\Microsoft\Windows\Application Experience\ProgramDataUpdater`: | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟢 Ready | | Windows 11 22H2 | 🟡 N/A (missing) | | Windows 11 23H2 | 🟡 N/A (missing) | [1]: https://web.archive.org/web/20231002104948/https://learn.microsoft.com/en-us/services-hub/health/other/work-with-results/assessmentplanreport_windowsclientassessmentplus.xlsx "Windows Client Assessment Recommendations Report generated on: 06/13/2019 | microsoft.com" [2]: https://web.archive.org/web/20231011231107/https://plid.obywatel.gov.pl/wp-content/uploads/2014/08/Wymagania-dla-stacji-koncowych-SRP-v-5-0.pdf "WYMAGANIA - dla stacji roboczych stanowisk obsługi dla użytkowników końcowych SRP" [3]: https://archive.ph/2023.10.17-193954/http://onc-ftp1.argentinacompra.gov.ar/0091/000/020000042017001000/CNV-000736230001.xml "A complete task sequence for deploying a client operating system (snapshot from http://onc-ftp1.argentinacompra.gov.ar/0091/000/020000042017001000/CNV-000736230001.xml) | Government of Argentina" [4]: https://web.archive.org/web/20220120073244/https://docs.microsoft.com/en-us/archive/blogs/jeff_stokes/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe "Hot off the presses, get it now, the Windows 8 VDI optimization script, courtesy of PFE! 
| Microsoft Docs" call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Application Experience\' -TaskName 'ProgramDataUpdater' taskPathPattern: \Microsoft\Windows\Application Experience\ taskNamePattern: ProgramDataUpdater - name: Disable application usage tracking (`AitAgent`) recommend: standard docs: |- This script disables the "AitAgent" scheduled task. `AitAgent` is a task that is part of the Microsoft Customer Experience Improvement Program [3] [4], which aggregates and uploads Application Telemetry information if the user has opted in [3]. This task is part of Application Experience as per its registry location (`Microsoft\Windows\Application Experience\AitAgent` [1] [3]) and VMWare's documentation [4]. Governments of various countries, including Argentina [1] and the United States (via VMWare) [2], recommend disabling this task to improve system privacy by reducing data collection. Microsoft recommends disabling to optimize speed of your computer [5]. By disabling this task, you minimize background activities on your system, contributing positively to your privacy. 
### Overview of default task statuses `\Microsoft\Windows\Application Experience\AitAgent`: | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟡 N/A (missing) | | Windows 11 22H2 | 🟡 N/A (missing) | | Windows 11 23H2 | 🟡 N/A (missing) | [1]: https://archive.ph/2023.10.17-193954/http://onc-ftp1.argentinacompra.gov.ar/0091/000/020000042017001000/CNV-000736230001.xml "A complete task sequence for deploying a client operating system (snapshot from http://onc-ftp1.argentinacompra.gov.ar/0091/000/020000042017001000/CNV-000736230001.xml) | Government of Argentina" [2]: https://web.archive.org/web/20231123073336/https://www.mspb.gov/foia/files/VMWareHealthCheckReport.pdf "VMware Desktop Virtualization Health Check Services Health Check Report | www.mspb.gov" [3]: https://web.archive.org/web/20231130072051/http://windows.fyicenter.com/4363_AitAgent_Scheduled_Task_on_Windows_8.html '"AitAgent" Scheduled Task on Windows 8' [4]: https://web.archive.org/web/20231017193840/https://docs.vmware.com/en/VMware-Horizon-7/7.13/horizon-virtual-desktops/GUID-BE82165B-13BC-4FD9-A9CF-FBEF6343D98A.html "Disable the Windows Customer Experience Improvement Program | docs.vmware.com" [5]: https://web.archive.org/web/20220120073244/https://docs.microsoft.com/en-us/archive/blogs/jeff_stokes/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe "Hot off the presses, get it now, the Windows 8 VDI optimization script, courtesy of PFE! | Microsoft Docs" call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Application Experience\' -TaskName 'AitAgent' taskPathPattern: \Microsoft\Windows\Application Experience\ taskNamePattern: AitAgent - name: Disable startup application data tracking (`StartupAppTask`) recommend: strict docs: |- This script disables the "StartupAppTask" scheduled task. This task checks auto-start programs at boot-up and alerts if there are excessively many [1]. 
By disabling this task, you can speed up your computer's startup time and reduce unnecessary data collection [1]. Microsoft itself suggests turning it off to optimize system performance and reduce data collection [1] [2]. ### Overview of default task statuses `\Microsoft\Windows\Application Experience\StartupAppTask`: | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟢 Ready | | Windows 11 22H2 | 🟢 Ready | | Windows 11 23H2 | 🟢 Ready | [1]: https://web.archive.org/web/20230929130219/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004#scheduled-tasks "Optimizing Windows 10, Build 2004, for a Virtual Desktop role | Microsoft Learn" [2]: https://web.archive.org/web/20220120073244/https://docs.microsoft.com/en-us/archive/blogs/jeff_stokes/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe "Hot off the presses, get it now, the Windows 8 VDI optimization script, courtesy of PFE! | Microsoft Docs" call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Application Experience\' -TaskName 'StartupAppTask' taskPathPattern: \Microsoft\Windows\Application Experience\ taskNamePattern: StartupAppTask - name: Disable software compatibility updates (`PcaPatchDbTask`) recommend: strict docs: |- This script disables the "PcaPatchDbTask" scheduled task. "PcaPatchDbTask" is responsible for periodically updating a specific database that tracks software known to have compatibility issues [1]. When users run a program listed in this database, Windows' Program Compatibility Assistant (PCA) will notify them and suggest a solution to address the compatibility problem the next time the program is started [2] [3]. By keeping this database updated, the PCA can consistently recognize and remedy compatibility conflicts, ensuring that even software designed for older Windows versions runs correctly on newer ones. 
This database is named the System Application Compatibility Database [3]. Its primary function is to support users in seamlessly operating older software on modern Windows versions by auto-applying compatibility settings when necessary. Besides compatibility features, 'PcaPatchDbTask' supports Windows' Dynamic Update process, performing tasks like [4]: - Retrieving the latest Windows updates and integrating them into the existing system [4]. This action can occasionally trigger antivirus alerts, labeling the process as "Riskware.Injector.Generic" [5]. - Acquiring drivers that may be missing from the installation media [4]. - Keeping the aforementioned compatibility database up-to-date [1] [4]. "PcaPatchDbTask" was initially rolled out in Windows 10 [4] and it's present by default since Windows 10 21H1 and Windows 11 22H2. Disabling this task might enhance user privacy by preventing automated compatibility checks and updates. However, users might miss out on helpful compatibility solutions for older software. 
### Overview of default task statuses `\Microsoft\Windows\Application Experience\PcaPatchDbTask`: | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟢 Ready | | Windows 11 22H2 | 🟢 Ready | | Windows 11 23H2 | 🟢 Ready | [1]: https://web.archive.org/web/20231004190322/https://raw.githubusercontent.com/Azure/Azure-Sentinel/daa1d3717a3c6240cf15f7f06041905b73208720/Sample%20Data/ASIM/Microsoft_Windows_AuditEvent_WindowsEvent_IngestedLogs_.csv "(Line 48 shows task scheduler description for PcaPatchDbTask) Azure-Sentinel/Sample Data/ASIM/Microsoft_Windows_AuditEvent_WindowsEvent_IngestedLogs_.csv at daa1d3717a3c6240cf15f7f06041905b73208720 · Azure/Azure-Sentinel | github.com" [2]: https://web.archive.org/web/20231004182336/https://techcommunity.microsoft.com/t5/ask-the-performance-team/the-program-compatibility-assistant-part-one/ba-p/372538 "The Program Compatibility Assistant - Part One - Microsoft Community Hub | techcommunity.microsoft.com" [3]: https://web.archive.org/web/20231004182349/https://techcommunity.microsoft.com/t5/ask-the-performance-team/the-program-compatibility-assistant-part-two/ba-p/372543 "The Program Compatibility Assistant - Part Two - Microsoft Community Hub | techcommunity.microsoft.com" [4]: https://web.archive.org/web/20231004182253/https://slideplayer.com/slide/12553555/ "Enhance Windows 10 deployment: What's new with Windows 10 deployment | Microsoft (from Microsoft Ignite 2016)" [5]: https://web.archive.org/web/20231004182325/https://forums.malwarebytes.com/topic/274456-recurring-detection-infection-or-part-of-a-windows-update/ "Recurring Detection - infection or part of a Windows update? 
- File Detections - Malwarebytes Forums" call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Application Experience\' -TaskName 'PcaPatchDbTask' taskPathPattern: \Microsoft\Windows\Application Experience\ taskNamePattern: PcaPatchDbTask - name: Disable compatibility adjustment data sharing (`SdbinstMergeDbTask`) recommend: strict docs: |- This script disables the "SdbinstMergeDbTask" scheduled task. The 'SdbinstMergeDbTask' task merges pending shim application compatibility databases, as described in Task Scheduler (Windows 11 22H2), facilitating the running of older software on newer Windows versions. According to Task Scheduler (Windows 11 22H2), the task utilizes the `sdbinst.exe` tool [1] [2] [3]. This tool is known as the "Application Compatibility Database Installer" [4]. It is part of the Application Compatibility Toolkit (ACT) [4] [5]. It allows the deployment of SDB files (Windows Shim Database [6] [7]) to the computer [4] [5]. Before any compatibility fixes or messages are applied [5], this tool is used to make sure applications run correctly, a process called application shimming [8]. This task is associated with the collection of telemetry data [1] [2] [3]. Telemetry data is information that software providers, such as Microsoft, gather about software usage. By disabling this task, the amount of telemetry data that Microsoft collects is reduced, which boosts user privacy. Additionally, there have been instances where malicious actors exploited this Windows feature to covertly gain unauthorized access and execute code within genuine Windows processes [2] [9] [10] [11]. Disabling this task provides an added layer of security against such threats. Standard administrator rights are insufficient to turn off this task [12]. Attempts to do so result in an `ERROR: Access is denied` message. To overcome this, the script escalates its privileges ensuring the task is correctly disabled. 
### Overview of default task statuses `\Microsoft\Windows\Application Experience\SdbinstMergeDbTask`: | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟡 N/A (missing) | | Windows 11 22H2 | 🟢 Ready | | Windows 11 23H2 | 🟢 Ready | [1]: https://web.archive.org/web/20231005111407/https://github.com/elastic/detection-rules/issues/2354 "[Rule Tuning] Potential Application Shimming via Sdbinst (Windows) · Issue #2354 · elastic/detection-rules | github.com" [2]: https://web.archive.org/web/20231005111515/https://www.elastic.co/guide/en/security/current/potential-application-shimming-via-sdbinst.html "Potential Application Shimming via Sdbinst | Elastic Security Solution [8.10] | Elastic" [3]: https://web.archive.org/web/20231005111850/https://www.bleepingcomputer.com/forums/t/785832/farbar-loghijackthis-log/ "FarBar log/HijackThis log - Virus, Trojan, Spyware, and Malware Removal Help | bleepingcomputer.com" [4]: https://web.archive.org/web/20231005111905/https://download.microsoft.com/download/4/a/2/4a28d2bb-2916-43a6-9c88-a819d3bfa70f/05_CHAPTER_3_Planning_and_Testing_for_Application_Deployment.doc "Planning and Testing for Application Deployment (Word Document) | microsoft.com" [5]: https://web.archive.org/web/20231005111314/https://learn.microsoft.com/en-us/windows/deployment/planning/using-the-sdbinstexe-command-line-tool "Using the Sdbinst.exe Command-Line Tool (Windows 10) - Windows Deployment | Microsoft Learn" [6]: https://web.archive.org/web/20231005111428/https://www.microfocus.com/documentation/idol/IDOL_23_2/KeyviewViewingSDK_23.2_Documentation/Guides/html/Content/kv_formats/_KV_FMT__AllDetected.htm "Supported Formats | microfocus.com" [7]: https://web.archive.org/web/20230927174609/https://tzworks.com/prototype_page.php?proto_id=33 "Windows Shim Database (SDB) Parser | tzworks.com" [8]: 
https://web.archive.org/web/20231005111828/https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/ "Process Injection and Persistence using Application Shimming | Andrea Fortuna | andreafortuna.org" [9]: https://web.archive.org/web/20231005112020/https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_sdbinst_shim_persistence/ "Potential Shim Database Persistence via Sdbinst.EXE | Detection.FYI" [10]: https://web.archive.org/web/20231005112110/https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_sdbinst_susp_extension/ "Suspicious Shim Database Installation via Sdbinst.EXE | Detection.FYI" [11]: https://web.archive.org/web/20231005112255/https://jpcertcc.github.io/ToolAnalysisResultSheet/details/SDB-UAC-Bypass.htm "SDB UAC Bypass | jpcertcc.github.io" [12]: https://web.archive.org/web/20231005111150/https://discuss.techlore.tech/t/will-windows-11-force-me-to-sign-in-to-a-microsoft-account/1869/9 "Will Windows 11 force me to sign in to a Microsoft Account? - Privacy and Security / Get Advice - Techlore Discussions | discuss.techlore.tech" call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Application Experience\' -TaskName 'SdbinstMergeDbTask' taskPathPattern: \Microsoft\Windows\Application Experience\ taskNamePattern: SdbinstMergeDbTask grantPermissions: 'true' # 🔒 No permissions, tested since [≥ Windows 11 23H2] - name: Disable application backup data gathering (`MareBackup`) recommend: strict docs: |- This script disables the "MareBackup" scheduled task. According to the Task Scheduler, this task gathers Win32 application data for backups. It executes `%WINDIR%\System32\CompatTelRunner.exe`. Although this task is intended for backup and system reliability, some users may prefer limiting the amount of data collected by Windows, thus enhancing their privacy. 
> **Caution**: Designed for application data backup, this task supports data recovery processes. ### Overview of default task statuses `\Microsoft\Windows\Application Experience\MareBackup`: | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟡 N/A (missing) | | Windows 11 22H2 | 🟡 N/A (missing) | | Windows 11 23H2 | 🟢 Ready | call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Application Experience\' -TaskName 'MareBackup' taskPathPattern: \Microsoft\Windows\Application Experience\ taskNamePattern: MareBackup - category: Disable Application Compatibility Framework docs: |- This category disables the Application Compatibility (AppCompat) framework on Windows. The Application Compatibility (AppCompat) framework is a feature in Windows that collects data about application compatibility. This includes gathering information about application crashes, issues, and other operational details to help improve the compatibility of applications on Windows [1]. It is controlled by a set of policies within the Microsoft Windows operating system aimed at enabling applications designed for older versions of Windows to function properly on newer versions [1]. However, the Application Compatibility framework involves various forms of data collection that may be considered invasive from a privacy standpoint [1]. It can potentially be exploited to reveal more data about your application usage or to inject your computer with malware [2] [3] [4]. By disabling the AppCompat framework, this script contributes to enhancing users' privacy by limiting potential data collection and exposure to malware exploitation. 
[1]: https://web.archive.org/web/20230924112733/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-appcompat "ADMX_AppCompat Policy CSP - Windows Client Management | Microsoft Learn" [2]: https://web.archive.org/web/20230927174707/https://docplayer.net/15700963-The-active-use-and-exploitation-of-microsoft-s-application-compatibility-framework-jon-erickson.html "'The active use and exploitation of Microsoft's Application Compatibility Framework' by Jon Erickson" [3]: https://web.archive.org/web/20230927174609/https://tzworks.com/prototype_page.php?proto_id=33 "Windows Shim Database (SDB) Parser | tzworks.com" [4]: https://web.archive.org/web/20230927174559/https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf "Malicious Application Compatibility Shims | blackhat.com" children: - name: Disable Application Impact Telemetry (AIT) recommend: standard docs: |- This script disables Application Impact Telemetry (AIT). Application Impact Telemetry (AIT) is a function that tracks the usage of certain Windows system components by various applications [1]. Turning this feature off stops the collection of usage data [1], enhancing your privacy by ensuring that your usage patterns and behaviors are not sent to external servers. Disabling telemetry will take effect on any newly launched applications [1]. To ensure that telemetry collection has stopped for all applications, please reboot your machine [1]. Note that if the Customer Experience Improvement Program (CEIP) is turned off, Application Telemetry will be disabled regardless of this setting [1]. This script performs its function by modifying a specific registry key: `HKLM\Software\Policies\Microsoft\Windows\AppCompat!AITEnable`. This is the switch that controls the AIT setting within the operating system [1]. 
[1]: https://web.archive.org/web/20230924112733/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-appcompat#appcompatturnoffapplicationimpacttelemetry "ADMX_AppCompat Policy CSP - Windows Client Management | Microsoft Learn" call: function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows\AppCompat valueName: AITEnable dataType: REG_DWORD data: '0' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 22H2) - name: Disable Application Compatibility Engine recommend: standard docs: |- This script disables the Application Compatibility Engine on Windows systems. The Application Compatibility Engine examines a compatibility database every time an application starts [1]. If it finds a match for the application, it either applies compatibility fixes or displays a help message for known problems with the application [1]. This process may inadvertently reveal data about the applications you run on your system, especially if the query functions are intercepted [2]. Moreover, this database can be utilized by malware creators to modify an application and make it perform unintended actions [3]. Disabling the Application Compatibility Engine leads to enhanced system performance [1]. However, this might compromise the compatibility of many older, popular applications and permit the installation of known incompatible applications [1]. Additionally, certain Windows features like Windows Resource Protection and User Account Control use this engine to resolve application issues [1]. Without the engine, these solutions won't be applied, and applications may not install or run correctly [1]. This option is suitable for users seeking faster performance who are knowledgeable about the compatibility of the applications they use [1]. 
Keep in mind that any changes to this setting require a system reboot to take effect as many system processes cache this setting's value for performance reasons [1]. The script achieves its goal by altering a specific registry key: `HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisableEngine` [1]. By disabling this engine, known to be a vulnerability exploited by malware [4], the script reduces the potential attack surface on the system, enhancing overall security. [1]: https://web.archive.org/web/20230924112733/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-appcompat#appcompatturnoffengine "ADMX_AppCompat Policy CSP - Windows Client Management | Microsoft Learn" [2]: https://web.archive.org/web/20230927174559/https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf "Malicious Application Compatibility Shims | blackhat.com" [3]: https://web.archive.org/web/20230927174609/https://tzworks.com/prototype_page.php?proto_id=33 "Windows Shim Database (SDB) Parser | tzworks.com" [4]: https://web.archive.org/web/20230927174707/https://docplayer.net/15700963-The-active-use-and-exploitation-of-microsoft-s-application-compatibility-framework-jon-erickson.html "'The active use and exploitation of Microsoft's Application Compatibility Framework' by Jon Erickson" call: function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows\AppCompat valueName: DisableEngine dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H1) and Windows 11 Pro (≥ 22H2) - name: Remove "Program Compatibility" tab from file properties (context menu) recommend: strict docs: |- This script removes the "Program Compatibility" tab from the file properties context menu. 
This tab is visible on the property context menu of any program shortcut or executable file, and displays options that can be applied to the application to solve common issues affecting older applications [1]. When enabled, this script prevents the compatibility property page from appearing in the context menus, though it does not impact any prior compatibility settings applied to applications through this interface [1]. This script achieves its functionality by modifying a specific registry key: `HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisablePropPage` [1]. This setting is often used in organizational environments to prevent end-users from modifying the compatibility settings of applications. It ensures that applications operate with the settings considered most suitable by the system administrator or IT department. This restriction aids in upholding system stability and security by ensuring users cannot run applications in modes recognized to be insecure or unstable. This script assists in upholding a more secure and stable environment by barring unauthorized changes to application compatibility settings. The security benefits include: - **Restricting User Actions**: By limiting the actions that a user can perform, administrators can prevent unintended security vulnerabilities. Users may inadvertently (or intentionally) choose settings that could expose the system to risks, and this script helps in preventing such scenarios. - **Maintaining Known Configurations**: By ensuring that applications can only run in certain compatibility modes, administrators can more effectively manage and secure their environments. They can thoroughly test and verify the security of the allowed configurations, leading to a more robust security posture. - **Preventing Exploitation of Vulnerabilities**: Some compatibility settings might make applications run in a less secure mode to maintain compatibility with older software or systems. 
Preventing users from enabling such settings can help in avoiding potential vulnerabilities associated with these modes. By preventing users from changing compatibility settings, you could prevent them from selecting settings that send additional data to software vendors (for example, certain compatibility modes might enable additional telemetry or error reporting). Though primarily aimed at control and stability, this restriction indirectly contributes to privacy protection by reducing potential unwanted data transmission. [1]: https://web.archive.org/web/20230924112733/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-appcompat#appcompatremoveprogramcompatproppage "ADMX_AppCompat Policy CSP - Windows Client Management | Microsoft Learn" call: function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows\AppCompat valueName: DisablePropPage dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H1) and Windows 11 Pro (≥ 22H2) - name: Disable Steps Recorder (collects screenshots, mouse/keyboard input and UI data) recommend: standard docs: |- This script disables Steps Recorder on your device. Steps Recorder, formerly known as Problem Steps Recorder [1] [2], is a tool that records the actions taken on a computer, including keyboard and mouse inputs, user interface interactions, and screenshots with every click [2] [3].This tool is used to diagnose and troubleshoot problems by capturing the exact steps taken when an issue occurs [1]. The data collected by Steps Recorder can be sent to Microsoft or third-party developers [3] [4], potentially revealing sensitive user information. By running this script, the Steps Recorder functionality will be turned off by altering a specific registry key: `HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisableUAR` [3]. 
              This prevents the automatic recording and sharing of user action data, enhancing the privacy and security of the user's device.
              Not running this script leaves Steps Recorder enabled by default on Windows [3], allowing it to record and potentially share user actions and information.

              Using this script enhances user privacy by ensuring that personal actions taken on a computer are not automatically recorded and shared without the user's knowledge or consent.
              It's a straightforward measure to increase your control over your own device and data.
              Additionally, disabling Steps Recorder is recommended by the Australian Signals Directorate's Australian Cyber Security Centre (ACSC) [5].

              While enhancing privacy, this script may complicate the troubleshooting process, as Steps Recorder will not be available to easily record and share encountered issues.

              [1]: https://web.archive.org/web/20230927120359/https://support.microsoft.com/en-us/windows/record-steps-to-reproduce-a-problem-46582a9b-620f-2e36-00c9-04e25d784e47 "Record steps to reproduce a problem - Microsoft Support"
              [2]: https://web.archive.org/web/20230927120405/https://cloudblogs.microsoft.com/dynamics365/no-audience/2016/03/08/capturing-repro-scenarios-using-windows-steps-recorder/ "Capturing Repro Scenarios Using Windows Steps Recorder - Microsoft Dynamics 365 Blog"
              [3]: https://web.archive.org/web/20230924112733/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-appcompat#appcompatturnoffuseractionrecord "ADMX_AppCompat Policy CSP - Windows Client Management | Microsoft Learn"
              [4]: https://web.archive.org/web/20230927120745/https://learn.microsoft.com/en-us/windows/win32/win7appqual/windows-error-reporting-problem-steps-recorder "Windows Error Reporting Problem Steps Recorder - Win32 apps | Microsoft Learn"
              [5]: https://web.archive.org/web/20210729125842/https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-microsoft-windows-10-version-1909-workstations "Hardening Microsoft Windows 10 version 1909 Workstations | Cyber.gov.au"
            call:
              function: SetRegistryValue
              parameters:
                keyPath: HKLM\Software\Policies\Microsoft\Windows\AppCompat
                valueName: DisableUAR
                dataType: REG_DWORD
                data: '1'
                deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H1) and Windows 11 Pro (≥ 22H2)
          -
            name: Disable "Inventory Collector" task
            recommend: standard
            docs: |-
              This script disables the "Inventory Collector" task on your computer.
              The Inventory Collector is a feature in Windows that gathers data about the applications, files, devices, and drivers on your system and sends this information to Microsoft [1].
              This process is used to help solve compatibility problems, ensuring that your software and hardware work together without issues [1].

              Running this script will turn off the Inventory Collector, ensuring no data is sent to Microsoft [1].
              It also stops the collection of installation data through the Program Compatibility Assistant [1].
              By disabling these features, you prevent potentially sensitive information from being shared and avoid uncontrolled updates to your system [2] [3].

              If not disabled, the Inventory Collector remains active, continuing to send data [1].
              If the Customer Experience Improvement Program is turned off, the Inventory Collector will already be inactive, and running this script will have no effect [1].

              Disabling Inventory Collector is advised by several organizations and authorities for enhanced security:

              - The Australian Signals Directorate's Australian Cyber Security Centre (ACSC) [4]
              - The US Department of Defense (DoD), for its information systems [2]
              - Microsoft, as part of the Windows security baseline for Azure [3]
              - The National Institute of Standards and Technology (NIST) in the USA [5]

              This advice is based on the principle of limiting the amount of data shared, contributing to better privacy and security.
              When you run this script, it modifies a specific registry key (`HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisableInventory`) to turn off the Inventory Collector [1].

              > **Caution:** Disabling the Inventory Collector may lead to challenges in identifying and resolving compatibility issues between your software and hardware.

              [1]: https://web.archive.org/web/20230924112733/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-appcompat#appcompatturnoffprograminventory "ADMX_AppCompat Policy CSP - Windows Client Management | Microsoft Learn"
              [2]: https://web.archive.org/web/20230927174739/https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-63663 "The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft | stigviewer.com"
              [3]: https://web.archive.org/web/20231105200918/https://learn.microsoft.com/en-us/azure/governance/policy/samples/guest-configuration-baseline-windows#windows-components "Reference - Azure Policy guest configuration baseline for Windows - Azure Policy | Microsoft Learn | learn.microsoft.com"
              [4]: https://web.archive.org/web/20210729125842/https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-microsoft-windows-10-version-1909-workstations "Hardening Microsoft Windows 10 version 1909 Workstations | Cyber.gov.au"
              [5]: https://web.archive.org/web/20230927174843/https://csrc.nist.gov/CSRC/media/Projects/United-States-Government-Configuration-Baseline/data/documentation/USGCB-Windows-Settings.xls "USGCB Windows Settings | nist.gov"
            call:
              function: SetRegistryValue
              parameters:
                keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat
                valueName: DisableInventory
                dataType: REG_DWORD
                data: '1'
                deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H1) and Windows 11 Pro (≥ 22H2)
          -
            category: Disable Program Compatibility Assistant (PCA)
            docs: |-
              This category covers disabling the Program Compatibility Assistant (PCA) in Windows.
              The PCA is designed to help users run desktop applications created for earlier versions of Windows by tracking and identifying known compatibility issues [1].
              When an issue is detected, PCA offers the user a recommended fix to help the app run better on Windows [1].

              **Privacy Implications:**

              1. **Tracking and Monitoring of Application Activities:** PCA tracks the activities and behaviors of applications to identify symptoms of compatibility issues [1]. Continuous monitoring could inadvertently collect user data, depending on the nature of the applications being monitored and the specifics of the compatibility issues. This persistent oversight could be seen as an invasion of privacy, as users' application usage is consistently observed.
              2. **Application and System Data Access:** PCA accesses data about the application and system to determine appropriate compatibility modes and fixes [1]. Access to application and system data might inadvertently lead to access to sensitive or personal information. The extent of PCA's access to such information is not clear from the official documentation, presenting a potential privacy concern.
              3. **Automatic Modifications and Permissions:** PCA automatically applies certain compatibility modes to resolve issues, such as giving applications administrative privileges or preventing an app from freeing a DLL from memory [1]. Automatic changes in application permissions or behavior could potentially introduce security risks, as apps might gain access to resources or data they would not normally have access to. Users may not be fully aware of the extent of the changes applied, leading to unintentional security or privacy vulnerabilities.
              4. **User Notification and Consent:** While PCA does notify users and often requires their input to apply recommended settings, some fixes are applied silently [1].
              Users might not be aware of all the changes PCA makes to application settings and system configurations, limiting their control over their own system and potential impacts on their privacy.
              5. **User Feedback and Data Sharing with Microsoft:** At the end of each scenario, after the app is run with recommended compatibility settings, the Program Compatibility Assistant (PCA) will ask the user a simple question to gather feedback on whether the app worked or failed with the compatibility setting [1]. This data is sent to Microsoft [1]. Users may have concerns about sending any kind of data to Microsoft. Some users might be wary of potential data mishandling or misuse. It's crucial to ensure that the data collected is securely stored and processed, and that users are adequately informed about what data is being collected and how it will be used.
              6. **Detection and Mitigation Measures by PCA:** The PCA automatically detects issues with applications and applies various mitigation measures [1]. The automatic detection and mitigation by PCA imply that the system is continuously monitoring application behavior, which might be seen as invasive by some users. There could be concerns regarding what kind of data is accessed by PCA during this monitoring and whether any sensitive data could potentially be exposed.
              7. **Downloading Missing Components for Apps:** PCA provides a recommendation to download missing components and install them after the app terminates [1]. This could involve downloading software from the internet, which may introduce security and privacy risks [1]. Users might inadvertently download malicious software or software with privacy-invasive features if not adequately guided [1].
              8. **Handling of Administrative Privileges:** PCA handles various scenarios involving administrative privileges and User Account Control (UAC) dialogs, including applying the `RUNASADMIN` compatibility mode to certain installers and applets [1].
              This handling of administrative privileges could potentially be exploited by malicious software to gain elevated privileges without adequate user knowledge or consent. It is important to ensure that the mechanisms for handling administrative privileges are secure and not prone to exploitation.
              9. **Using the Compatibility Troubleshooter:** The Compatibility Troubleshooter allows users to apply recommended fixes to get apps working properly [1]. Use of the Compatibility Troubleshooter involves sharing more data regarding app behavior and issues with Microsoft, raising similar concerns as mentioned above regarding data sharing.

              By disabling PCA, these potential privacy and security concerns can be mitigated, giving users more control over their data and application behavior, and reducing the risk of unintentional data collection and sharing.

              [1]: https://web.archive.org/web/20230928141226/https://learn.microsoft.com/en-us/windows/compatibility/pca-scenarios-for-windows-8 "Program Compatibility Assistant scenarios - Compatibility Cookbook | Microsoft Learn"
            children:
              -
                name: Disable "Program Compatibility Assistant (PCA)" feature
                recommend: standard
                docs: |-
                  This script disables the Program Compatibility Assistant (PCA) feature in Windows [1].
                  The purposes include:

                  - Enhances privacy by stopping the continuous monitoring and data collection by PCA. The PCA monitors applications run by the user [1].
                  - Users gain more control over their system by manually managing application compatibility issues. When a potential compatibility issue with an application is detected, the PCA will prompt the user with recommended solutions [1].
                  - Potentially avoids the automatic changes made by PCA that might introduce security risks.
                  - It increases system performance. Microsoft notes that turning off the PCA can be useful for those who require better performance and are already aware of application compatibility issues [1].
                  This script modifies a specific registry key (`HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisablePCA`) to turn off the PCA [1].
                  As a result, users will not receive automatic solutions to known compatibility issues when running applications [1], ensuring that they have control over the solutions they apply.

                  By default, if you do not run this script or disable PCA manually, the PCA will be turned on [1].
                  Once this script is executed and PCA is turned off, the user won't be presented with solutions to known compatibility issues when running applications [1].

                  [1]: https://web.archive.org/web/20230924112733/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-appcompat#appcompatturnoffprogramcompatibilityassistant_2 "ADMX_AppCompat Policy CSP - Windows Client Management | Microsoft Learn"
                call:
                  function: SetRegistryValue
                  parameters:
                    keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat
                    valueName: DisablePCA
                    dataType: REG_DWORD
                    data: '1'
                    deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H1) and Windows 11 Pro (≥ 22H2)
              -
                name: Disable "Program Compatibility Assistant Service" (`PcaSvc`)
                recommend: standard
                docs: |-
                  This script disables the "Program Compatibility Assistant Service" (`PcaSvc`) in Windows [1].
                  The `PcaSvc` assists the Program Compatibility Assistant (PCA) in monitoring programs installed and run by the user [1], detecting known compatibility problems [1], and aiding in Windows appraiser data collection [2].
                  By disabling this service, the script prevents PCA from functioning [1], thereby halting application monitoring and data collection, leading to enhanced user privacy.

                  This script turns off the `PcaSvc`, which is, by default, automatically started in Windows [1].
                  Microsoft has clarified that disabling this service does not have a negative impact on the system's functionality, affirming that it's safe to execute this action [1].
                  By running this script, you prevent the continuous surveillance and data gathering activities conducted by PCA.

                  ### Overview of default service statuses

                  | OS Version | Status | Start type |
                  | ---------- | -------| ---------- |
                  | Windows 10 (≥ 21H1) | 🟢 Running | Automatic |
                  | Windows 11 (≥ 22H2) | 🟢 Running | Automatic |

                  [1]: https://web.archive.org/web/20230905120815/https://learn.microsoft.com/en-us/windows/iot/iot-enterprise/optimize/services#program-compatibility-assistant-service "Guidance on disabling system services on Windows IoT Enterprise | Microsoft Learn"
                  [2]: https://web.archive.org/web/20231017234102/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/monitor-connection-health#appraiser-data-collection "Monitor connection health - Configuration Manager | Microsoft Learn"
                call:
                  function: DisableService
                  parameters:
                    serviceName: PcaSvc # Check: (Get-Service -Name 'PcaSvc').StartType
                    defaultStartupMode: Automatic # Allowed values: Automatic | Manual
      -
        category: Disable Windows telemetry and data collection
        children:
          -
            name: Disable Customer Experience Improvement Program (CEIP)
            docs: https://web.archive.org/web/20240314130037/https://learn.microsoft.com/en-us/windows/win32/devnotes/ceipenable
            recommend: standard
            call:
              function: SetRegistryValue
              parameters:
                keyPath: HKLM\Software\Policies\Microsoft\SQMClient\Windows
                valueName: CEIPEnable
                dataType: REG_DWORD
                data: '0'
                deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H1) and Windows 11 Pro (≥ 22H2)
          -
            category: Disable diagnostics telemetry services
            children:
              -
                name: Disable "Connected User Experiences and Telemetry" (`DiagTrack`) service # Connected User Experiences and Telemetry
                recommend: standard
                docs: |-
                  Details: [Connected User Experiences and Telemetry - Windows 10 Service - batcmd.com | batcmd.com](https://web.archive.org/web/20240314062548/https://batcmd.com/windows/10/services/diagtrack/)

                  ### Overview of default service statuses

                  | OS Version | Status | Start type |
                  | ---------- | -------| ---------- |
                  | Windows 10 (≥ 21H1) | 🟢 Running | Automatic |
                  | Windows 11 (≥ 22H2) | 🟢 Running | Automatic |
                call:
                  function: DisableService
                  parameters:
                    serviceName: DiagTrack # Check: (Get-Service -Name DiagTrack).StartType
                    defaultStartupMode: Automatic # Allowed values: Automatic | Manual
              -
                name: Disable WAP push notification routing service # Device Management Wireless Application Protocol (WAP) Push message Routing Service
                recommend: standard
                docs: |-
                  Details: [Device Management Wireless Application Protocol (WAP) Push message Routing Service - Windows 10 Service - batcmd.com | batcmd.com](https://web.archive.org/web/20240314090537/http://batcmd.com/windows/10/services/dmwappushservice/)

                  ### Overview of default service statuses

                  | OS Version | Status | Start type |
                  | ---------- | -------| ---------- |
                  | Windows 10 (≥ 21H1) | 🔴 Stopped | Manual |
                  | Windows 11 (≥ 22H2) | 🔴 Stopped | Manual |
                call:
                  function: DisableService
                  parameters:
                    serviceName: dmwappushservice # Check: (Get-Service -Name dmwappushservice).StartType
                    defaultStartupMode: Manual # Allowed values: Automatic | Manual
              -
                name: Disable "Diagnostics Hub Standard Collector" service
                docs: |-
                  Details: [Microsoft (R) Diagnostics Hub Standard Collector Service - Windows 10 Service - batcmd.com | batcmd.com](https://web.archive.org/web/20240314090703/https://batcmd.com/windows/10/services/diagnosticshub-standardcollector-service/)

                  ### Overview of default service statuses

                  | OS Version | Status | Start type |
                  | ---------- | -------| ---------- |
                  | Windows 10 (≥ 21H1) | 🔴 Stopped | Manual |
                  | Windows 11 (≥ 22H2) | 🔴 Stopped | Manual |
                call:
                  function: DisableService
                  parameters:
                    serviceName: diagnosticshub.standardcollector.service # Check: (Get-Service -Name diagnosticshub.standardcollector.service).StartType
                    defaultStartupMode: Manual # Allowed values: Automatic | Manual
              -
                name: Disable "Diagnostic Execution Service" (`diagsvc`)
                docs: |-
                  Details: [Diagnostic Execution Service - Windows 10 Service - batcmd.com](https://web.archive.org/web/20240314091013/https://batcmd.com/windows/10/services/diagsvc/)

                  ### Overview of default service statuses

                  | OS Version | Status | Start type |
                  | ---------- | -------| ---------- |
                  | Windows 10 (≥ 21H1) | 🔴 Stopped | Manual |
                  | Windows 11 (≥ 22H2) | 🔴 Stopped | Manual |
                call:
                  function: DisableService
                  parameters:
                    serviceName: diagsvc # Check: (Get-Service -Name diagsvc).StartType
                    defaultStartupMode: Manual # Allowed values: Automatic | Manual
          -
            name: Disable "Customer Experience Improvement Program" scheduled tasks
            recommend: standard
            docs: |-
              ### Overview of default task statuses

              `\Microsoft\Windows\Customer Experience Improvement Program\Consolidator`:

              | OS Version | Default status |
              | ---------------- | -------------- |
              | Windows 10 22H2 | 🟢 Ready |
              | Windows 11 22H2 | 🟢 Ready |

              `\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask`:

              | OS Version | Default status |
              | ---------------- | -------------- |
              | Windows 10 22H2 | 🟡 N/A (missing) |
              | Windows 11 22H2 | 🟡 N/A (missing) |

              `\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip`:

              | OS Version | Default status |
              | ---------------- | -------------- |
              | Windows 10 22H2 | 🟢 Ready |
              | Windows 11 22H2 | 🟢 Ready |
            call:
              -
                function: DisableScheduledTask
                parameters:
                  # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Customer Experience Improvement Program\' -TaskName 'Consolidator'
                  taskPathPattern: \Microsoft\Windows\Customer Experience Improvement Program\
                  taskNamePattern: Consolidator
              -
                function: DisableScheduledTask
                parameters:
                  # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Customer Experience Improvement Program\' -TaskName 'KernelCeipTask'
                  taskPathPattern: \Microsoft\Windows\Customer Experience Improvement Program\
                  taskNamePattern: KernelCeipTask
              -
                function: DisableScheduledTask
                parameters:
                  # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Customer Experience Improvement Program\' -TaskName 'UsbCeip'
                  taskPathPattern: \Microsoft\Windows\Customer Experience Improvement Program\
                  taskNamePattern: UsbCeip
          -
            category: Disable census data collection
            docs: |-
              Census is a component within Windows that inventories the device [1].
              The primary role of Census is to collect and understand data about the device's configuration [1], including its operating system type, region, language, and architecture [2].
              This data helps determine the appropriateness of updates for the device [3].
              By disabling this feature, users can enhance their privacy by preventing the collection and transmission of device data to Microsoft [1] [2] [3].

              [1]: https://web.archive.org/web/20231017234102/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/monitor-connection-health#census-data-collection "Monitor connection health - Configuration Manager | Microsoft Learn"
              [2]: https://web.archive.org/web/20231017234118/https://answers.microsoft.com/en-us/windows/forum/all/what-is-device-census/6f0b9f58-86b6-4e36-8fc8-4701218b49b6 "What is Device Census? - Microsoft Community"
              [3]: https://web.archive.org/web/20231017234127/https://support.microsoft.com/en-us/topic/update-to-windows-10-version-1703-version-1607-version-1511-and-version-1507-for-update-applicability-march-15-2018-3aad1c66-2b88-c012-4623-dee1410891ad "Update to Windows 10 Version 1703, Version 1607, Version 1511, and Version 1507 for update applicability: March 15, 2018 - Microsoft Support"
            children:
              -
                name: Disable "Device" task
                recommend: standard
                docs: |-
                  This script disables the "Device" scheduled task.
                  According to the Task Scheduler, this task triggers the execution of the `%WINDIR%\System32\devicecensus.exe SystemCxt` command in Windows 10 and 11.
                  This component collects device and configuration data, which is then sent to Microsoft [1].
                  By disabling this task, users can prevent this specific data collection process, enhancing their privacy.
                  ### Overview of default task statuses

                  `\Microsoft\Windows\Device Information\Device`:

                  | OS Version | Default status |
                  | ---------------- | -------------- |
                  | Windows 10 22H2 | 🟢 Ready |
                  | Windows 11 22H2 | 🟢 Ready |

                  [1]: https://web.archive.org/web/20231017234102/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/monitor-connection-health#census-data-collection "Monitor connection health - Configuration Manager | Microsoft Learn"
                call:
                  function: DisableScheduledTask
                  parameters:
                    # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Device Information\' -TaskName 'Device'
                    taskPathPattern: \Microsoft\Windows\Device Information\
                    taskNamePattern: Device
              -
                name: Disable "Device User" task
                recommend: standard
                docs: |-
                  This script disables the "Device User" scheduled task.
                  According to the Task Scheduler, this task triggers the execution of the `%WINDIR%\System32\devicecensus.exe UserCxt` command in Windows 10 and 11.
                  This component collects device and configuration data, which is then sent to Microsoft [1].
                  By disabling this task, users can prevent this specific data collection process, enhancing their privacy.
                  ### Overview of default task statuses

                  `\Microsoft\Windows\Device Information\Device User`:

                  | OS Version | Default status |
                  | ---------------- | -------------- |
                  | Windows 10 22H2 | 🟢 Ready |
                  | Windows 11 22H2 | 🟢 Ready |

                  [1]: https://web.archive.org/web/20231017234102/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/monitor-connection-health#census-data-collection "Monitor connection health - Configuration Manager | Microsoft Learn"
                call:
                  function: DisableScheduledTask
                  parameters:
                    # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Device Information\' -TaskName 'Device User'
                    taskPathPattern: \Microsoft\Windows\Device Information\
                    taskNamePattern: Device User
              -
                name: Disable device and configuration data collection tool
                recommend: standard
                docs: |-
                  This script prevents the execution of `devicecensus.exe`, also known as the "device and configuration data collection tool" [1].
                  This tool is located at `%WINDIR%\System32\DeviceCensus.exe` [1] [2] and is responsible for gathering data used for compatibility updates [3].
                  Disabling this tool helps keep the device's data private and prevents its use for diagnostic collections or for determining update applicability [1] [2] [3].
                  [1]: https://web.archive.org/web/20231017234102/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/monitor-connection-health#census-data-collection "Monitor connection health - Configuration Manager | Microsoft Learn"
                  [2]: https://web.archive.org/web/20231017234628/https://strontic.github.io/xcyclopedia/library/DeviceCensus.exe-594993E23161BB37E365D8784DE020EA.html "DeviceCensus.exe | Device Census | STRONTIC | strontic.github.io"
                  [3]: https://web.archive.org/web/20231017234127/https://support.microsoft.com/en-us/topic/update-to-windows-10-version-1703-version-1607-version-1511-and-version-1507-for-update-applicability-march-15-2018-3aad1c66-2b88-c012-4623-dee1410891ad "Update to Windows 10 Version 1703, Version 1607, Version 1511, and Version 1507 for update applicability: March 15, 2018 - Microsoft Support"
                call:
                  function: TerminateAndBlockExecution
                  parameters:
                    executableNameWithExtension: DeviceCensus.exe
          -
            category: Disable enterprise/business focused data collection
            docs: |-
              This category contains scripts to disable data collection capabilities focused on enterprise/business uses.
              The scripts target various Windows features like Desktop Analytics, Windows Update for Business, and Azure services.
              These capabilities are meant to provide insights for IT administrators but collect and transmit data from end user devices.

              By disabling these enterprise/business focused data collection features, you can increase privacy and reduce data sharing from your personal device.
              However, note that some functionality expected by business IT administrators may be reduced.
              These scripts can help limit enterprise/Microsoft visibility into your device, but may limit management capabilities on managed business devices.
            children:
              -
                category: Disable Desktop Analytics telemetry
                docs: |-
                  Desktop Analytics is a cloud-based service that provides insights about Windows devices in an organization.
                  The service provides insight and intelligence from user data [1].
                  Desktop Analytics collects diagnostic data from enrolled Windows devices and sends it to Microsoft cloud services [1].
                  It creates an inventory of apps running in an organization.
                  This data provides insights about application compatibility and pilot identification to help IT administrators in organizations evaluate the readiness and compatibility of devices for Windows feature updates [1].

                  To enable data collection, Desktop Analytics configures settings on the device registry and group policies related to commercial ID, telemetry levels, and data sharing [2].
                  While this data sharing raises potential privacy concerns, Microsoft states that privacy controls allow organizations to limit data collection [1].

                  Desktop Analytics has been retired since November 30, 2022, in favor of Microsoft Intune and Configuration Manager [3].

                  [1]: https://web.archive.org/web/20230528031527/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/overview "Desktop Analytics - Configuration Manager | Microsoft Learn"
                  [2]: https://web.archive.org/web/20230531234446/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/group-policy-settings "Group policy settings - Configuration Manager | Microsoft Learn"
                  [3]: https://web.archive.org/web/20230601065209/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/whats-new "What's new in Desktop Analytics - Configuration Manager | Microsoft Learn"
                children:
                  -
                    name: Disable processing of Desktop Analytics
                    recommend: strict
                    docs: |-
                      This script ensures that Microsoft does not process Windows diagnostic data from your device [1].
                      When activated, it modifies a setting known as the Group Policy object on your device.
                      This object is a set of policies that determine how your system operates.
                      The script disables a policy related to Microsoft's Desktop Analytics service.
                      This service is designed to provide insights into the health and usage of your devices but may involve processing diagnostic data [2].
                      By disabling this policy, the script helps to enhance the privacy of your device by preventing the processing of its diagnostic data by Microsoft.
                      This means that information about the usage and performance of your device will not be sent to Microsoft's Desktop Analytics service [1] [2].

                      [1]: https://web.archive.org/web/20220903042236/https://docs.microsoft.com/en-US/windows/client-management/mdm/policy-csp-system#system-allowdesktopanalyticsprocessing "Policy CSP - System - Windows Client Management | Microsoft Docs"
                      [2]: https://web.archive.org/web/20211127031547/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowDesktopAnalyticsProcessing "Allow Desktop Analytics Processing | admx.help"
                    call:
                      function: SetRegistryValue
                      parameters:
                        keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection
                        valueName: AllowDesktopAnalyticsProcessing
                        dataType: REG_DWORD
                        data: "0"
                        deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H3)
                  -
                    name: Disable sending device name in Windows diagnostic data
                    recommend: strict
                    docs: |-
                      This script enhances privacy by ensuring that the name of your device is anonymized in any diagnostic data collected by Microsoft Desktop Analytics [1].
                      In other words, instead of your actual device name, "Unknown" will appear in the data [1].

                      Since the release of Windows 10, version 1803, the device name is not included in the diagnostic data by default [1].
                      This script guarantees that this privacy-enhancing measure remains in place [1].

                      When implemented, it changes a specific registry setting, `AllowDeviceNameInTelemetry`, which controls whether the device name is included in Windows diagnostic data [2].
                      The script sets this value to `0`, thus disabling the inclusion of the device name in the data [2].
                      [1]: https://web.archive.org/web/20220903043346/https://docs.microsoft.com/en-US/mem/configmgr/desktop-analytics/enroll-devices#device-name "Enroll devices in Desktop Analytics - Configuration Manager | Microsoft Docs"
                      [2]: https://web.archive.org/web/20210228151919/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowDeviceNameInDiagnosticData "Allow device name to be sent in Windows diagnostic data"
                    call:
                      function: SetRegistryValue
                      parameters:
                        keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection
                        valueName: AllowDeviceNameInTelemetry
                        dataType: REG_DWORD
                        data: "0"
                        deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H3)
                  -
                    name: Disable collection of Edge browsing data for Desktop Analytics
                    recommend: strict
                    docs: |-
                      This script configures Microsoft Edge to prevent it from sending your browsing history data to Desktop Analytics [1].
                      This browsing data can include information from either your intranet or internet history, or both [1].

                      When you use Microsoft Edge for browsing, it can collect and send your browsing history to Desktop Analytics, a Microsoft service that helps enterprises to analyze and improve their IT environment.
                      If this setting is disabled, Microsoft Edge does not send any browsing history data, thereby enhancing your privacy.

                      The script achieves this by modifying a specific value in the Windows Registry.
                      The specific value that the script modifies is `MicrosoftEdgeDataOptIn` located at `HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection`.
                      The script sets this value to `0`, which indicates to Microsoft Edge that it should not send browsing history data to Desktop Analytics [1].

                      While enhancing privacy, this could limit the functionality of Desktop Analytics for enterprises that rely on this service for IT insights.
                      However, for individual users, this script can help prevent unwanted data collection and transmission, contributing to an overall safer browsing experience [1].

                      [1]: https://web.archive.org/web/20220524020212/https://admx.help/?Category=Windows_11_2022&Policy=Microsoft.Policies.MicrosoftEdge::ConfigureTelemetryForMicrosoft365Analytics "Configure collection of browsing data for Desktop Analytics"
                    call:
                      function: SetRegistryValue
                      parameters:
                        keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection
                        valueName: MicrosoftEdgeDataOptIn # MDM name: ConfigureTelemetryForMicrosoft365Analytics
                        dataType: REG_DWORD
                        data: "0"
                        deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H3)
                  -
                    name: Disable diagnostics data processing for Business cloud
                    recommend: strict
                    docs: |-
                      This script controls whether diagnostic data from your device is processed by the Windows Update for Business cloud [1] [2].
                      If enabled, the script can enhance privacy by ensuring that diagnostic data from your device is not processed by the Windows Update for Business cloud (WUfB) [1], an update management service provided by Microsoft [3].
                      This service typically helps businesses manage updates on their devices efficiently. But if privacy is a concern, you can opt to disable it [3].

                      The policy is applicable to devices joined to Azure Active Directory [1].
                      Azure Active Directory is a Microsoft cloud service that provides identity and access capabilities.

                      Disabling this policy means that some features of the Windows Update for Business deployment service might not be available.
                      However, your device will gain an added layer of privacy as diagnostic data will not be processed by the business cloud [1].
[1]: https://web.archive.org/web/20220903042236/https://docs.microsoft.com/en-US/windows/client-management/mdm/policy-csp-system#system-allowwufbcloudprocessing "Policy CSP - System - Windows Client Management | Microsoft Docs" [2]: https://web.archive.org/web/20210307173837/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowWUfBCloudProcessing "Allow WUfB Cloud Processing" [3]: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/update-management-for-windows-on-a-windows-365-cloud-pc/ba-p/3452703 call: function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection valueName: AllowWUfBCloudProcessing dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H3) - name: Disable Update Compliance processing of diagnostics data recommend: standard docs: |- Update Compliance is a service provided by Microsoft hosted in Azure, which uses Windows diagnostic data [1]. This service doesn't meet the US Government community compliance (GCC) requirements [1], and is utilized by both Desktop Analytics and Azure Update Management [1]. This script is designed to disable the Update Compliance processing of diagnostic data on your device. When this script is run, it modifies the system registry to prevent diagnostic data from your device being processed by Update Compliance. This change in settings increases the privacy of your device by limiting the diagnostic data that can be accessed and analyzed by Microsoft's services. Diagnostic data, in this context, includes information about device health, system events, and usage metrics. By disabling the processing of this data, the script helps protect the privacy of your activities on your device [1]. This script can be reversed at any time by using the provided `revertCode` if you decide to re-enable the processing of diagnostic data by Update Compliance. 
In technical terms, the script sets the `AllowUpdateComplianceProcessing` value in the `HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection` registry path to 0, which disables the processing of diagnostic data by Update Compliance [2]. [1]: https://web.archive.org/web/20220703201221/https://docs.microsoft.com/en-us/windows/deployment/update/update-compliance-get-started "Get started with Update Compliance - Windows Deployment | Microsoft Docs" [2]: https://web.archive.org/web/20220610123725/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowUpdateComplianceProcessing "Allow Update Compliance Processing" call: function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection valueName: AllowUpdateComplianceProcessing dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H3) - name: Disable commercial usage of collected data recommend: standard docs: |- This protects your privacy by placing a limit on the commercial usage of your data. It manages how Windows diagnostic data is handled by controlling whether Microsoft is a processor or controller for Windows diagnostic data collected from your device [1] [2]. In the default setting, Microsoft operates as the controller of this diagnostic data, thus enabling it to use the data for commercial purposes. This script alters that setting to limit the commercial usage of your data [1] [2]. This script does not affect the operation of optional analytics processor services like Desktop Analytics and Windows Update for Business reports. Moreover, it doesn't change whether diagnostic data is collected or the ability of the user to change the level. 
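
          The scripts in this group all write to the same key, `HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection`, and all revert by deleting the value because it is missing on a default installation. The PowerShell audit below is an added example, not part of this collection and not a Microsoft tool: it reports, for each of these values, whether it is applied, still at its missing default, or set to something else, so drift after a Windows feature update or a Group Policy refresh becomes visible. The value table mirrors the scripts above; the function name `Get-DataCollectionPolicyState` is an assumption of this example, and the function accepts other value/data pairs from this category as well.

          ```powershell
          # Added example (not from this collection): audit the DataCollection policy values.
          # Reading HKLM policy values needs no elevation; writing them (the scripts above) does.
          $DataCollectionPolicies = @(
              @{ Name = 'AllowDeviceNameInTelemetry';      Data = 0 },
              @{ Name = 'MicrosoftEdgeDataOptIn';          Data = 0 },
              @{ Name = 'AllowWUfBCloudProcessing';        Data = 0 },
              @{ Name = 'AllowUpdateComplianceProcessing'; Data = 0 },
              @{ Name = 'AllowCommercialDataPipeline';     Data = 0 }
          )

          # Function name is an assumption of this example.
          function Get-DataCollectionPolicyState {
              param(
                  [string] $KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection',
                  [array]  $Desired = $DataCollectionPolicies
              )
              # The whole key is absent on a default install; treat that like a missing value.
              $key = Get-Item -Path $KeyPath -ErrorAction SilentlyContinue
              foreach ($entry in $Desired) {
                  $current = $null
                  if ($key) { $current = $key.GetValue($entry.Name, $null) }

                  # deleteOnRevert: 'true' in the scripts above means "missing" is the stock state,
                  # so three outcomes matter: applied, default, or set to an unexpected value.
                  if ($null -eq $current)           { $state = 'Default (value missing)' }
                  elseif ($current -eq $entry.Data) { $state = 'Applied' }
                  else                              { $state = 'Drifted' }

                  [pscustomobject]@{
                      Value   = $entry.Name
                      Desired = $entry.Data
                      Current = $current
                      State   = $state
                  }
              }
          }

          Get-DataCollectionPolicyState | Format-Table -AutoSize
          ```

          A `Drifted` row is the interesting one: a value of `1` under the policy key means something (Group Policy, MDM, or another tool) re-enabled the pipeline after this script ran, whereas `Default` simply means the script has not been applied or was reverted.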

          [1]: https://web.archive.org/web/20230803142206/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#allowcommercialdatapipeline "System Policy CSP - Windows Client Management | Microsoft Learn"
          [2]: https://web.archive.org/web/20230330140620/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowCommercialDataPipeline "Allow commercial data pipeline"
        call:
          function: SetRegistryValue
          parameters:
            keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection
            valueName: AllowCommercialDataPipeline
            dataType: REG_DWORD
            data: "0"
            deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H3)
      -
        name: Disable diagnostic and usage telemetry
        recommend: standard
        docs: |-
          This script improves your privacy by blocking the transmission of diagnostic and usage telemetry data from your Windows device [1].
          This includes data about your device's usage, app compatibility, and system performance, which can be sensitive in nature.
          By stopping this data from being sent, you reduce the amount of personal information that could potentially be accessed by third parties.

          The script works by configuring the Group Policy Object (GPO) and Local Policy preferences, which essentially govern your device's data sharing policies [2].
          These modifications restrict the data that Windows and its built-in apps can collect and send.

          Upon executing this script, Desktop Analytics will be disabled, as it relies on basic diagnostic data to function [2].
          Desktop Analytics is a cloud-based service provided by Microsoft [4].
          It provides insights and intelligence for IT administrators [4].
          Desktop Analytics is deprecated and was retired on November 30, 2022.

          Once this script is executed, even if the policy permits a telemetry setting of Security or Basic, users will not have the capability to opt for a higher data sharing level [3].
          This restriction is limited to the operating system and apps included with Windows, and does not pertain to third-party apps installed on your device [3].

          [1]: https://web.archive.org/web/20230731225232/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#allowtelemetry "System Policy CSP - Windows Client Management | Microsoft Learn"
          [2]: https://web.archive.org/web/20230731225319/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/group-policy-settings "Group policy settings - Configuration Manager | Microsoft Learn"
          [3]: https://web.archive.org/web/20211129155126/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection%3A%3AAllowTelemetry "Allow Telemetry"
          [4]: https://web.archive.org/web/20230731225544/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/overview "Desktop Analytics - Configuration Manager | Microsoft Learn"
        call:
          -
            function: RunInlineCode
            parameters:
              code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t "REG_DWORD" /d "0" /f
              revertCode: |-
                :: Key exists with value "1" since Windows 10 22H2, Windows 11 22H3
                reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t "REG_DWORD" /d "1" /f
          -
            function: SetRegistryValue # Using Group Policy Object (GPO)
            parameters:
              keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection
              valueName: AllowTelemetry
              dataType: REG_DWORD
              data: "0"
              deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H3)
      -
        name: Disable automatic cloud configuration downloads
        recommend: strict
        docs: |-
          This script turns off the OneSettings service, a feature from Microsoft that downloads configuration settings [1].
          This action can enhance the privacy and security of your Windows desktop environment by managing a feature called the Services Configuration [1].
          Services Configuration is a mechanism that various Windows components and apps use to update their settings dynamically [2] [3].

          By default, Windows periodically tries to connect with the OneSettings service to download configuration settings [1].
          This script turns off that function, reducing the chance of data being shared with third-party vendors [1].
          This script is recommended by CIS Microsoft Windows Desktop Benchmarks [1].

          Please be aware that turning off this service might affect how certain apps that rely on this service work [3].

          The script changes a registry setting to disable OneSettings downloads [3] [1].
          It also provides a revert code to undo this change, if needed, which returns the system to its previous state.

          If you want to limit how much data is sent to Microsoft, turning off the OneSettings service can help enhance your privacy [1].
          For more information about the impact of OneSettings on privacy, visit [learn.microsoft.com](https://web.archive.org/web/20230803025857/https://learn.microsoft.com/en-us/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809).

          This script lets you manage your privacy by restricting the automatic configuration updates of Windows components and apps, including telemetry services, from the cloud [3] [1].
          By using this script, Windows will not connect to OneSettings to fetch any configuration settings [1].
          This reduces the amount of data sent to third-party vendors, which can help alleviate potential security concerns [1].

          However, please be aware that while this setting can enhance privacy, turning off this service could lead to some applications not working properly.
          These applications may depend on dynamic configuration updates that will be stopped when the service is disabled [3] [1].

          [1]: https://web.archive.org/web/20230803030428/https://www.tenable.com/audits/items/CIS_MS_Windows_10_Enterprise_Level_1_Bitlocker_v1.12.0.audit:b3aec171f406cbe87f37e57bc9dd1411 "18.9.17.3 Ensure 'Disable OneSettings Downloads' is set to 'En... | Tenable"
          [2]: https://web.archive.org/web/20230803024926/https://learn.microsoft.com/en-us/windows/win32/services/service-configuration "Service Configuration - Win32 apps | Microsoft Learn"
          [3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#31-services-configuration "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn"
        call:
          function: SetRegistryValue
          parameters:
            keyPath: HKLM\Software\Policies\Microsoft\Windows\DataCollection
            valueName: DisableOneSettingsDownloads
            dataType: REG_DWORD
            data: "1"
            deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H3)
      -
        name: Disable license telemetry
        recommend: standard
        call:
          function: SetRegistryValue
          parameters:
            keyPath: HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform
            valueName: NoGenTicket
            dataType: REG_DWORD
            data: "1"
            deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H3)
      -
        name: Disable error reporting
        recommend: standard
        docs: |-
          This script disables the Windows Error Reporting (WER) feature.
          Windows Error Reporting collects and sends error logs from your computer to Microsoft [1], which can be a potential privacy concern for users.
          By disabling it, this script ensures that your system errors remain local to your machine and are not sent to external servers.

          Here's a breakdown of what the script does:

          1. **Registry changes**: The script modifies specific registry entries to disable the WER functionality and its related settings.
          2. **Scheduled tasks**: The script disables scheduled tasks related to error details updates and queue reporting.
          3. **Services**: The script disables the services related to error reporting.

          ### Registry changes

          - `HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent!DefaultConsent` [2]
          - `HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent!DefaultOverrideBehavior` [2]
          - `HKLM\Software\Microsoft\Windows\Windows Error Reporting!DontSendAdditionalData` [2]
          - `HKLM\Software\Microsoft\Windows\Windows Error Reporting!LoggingDisabled` [2]
          - `HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting!Disabled` [2]
          - `HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting` [3]

          ### Overview of default service statuses

          Windows Error Reporting Service (`wersvc`) [4]:

          | OS Version | Status | Start type |
          | ---------- | ------ | ---------- |
          | Windows 10 (≥ 21H1) | 🔴 Stopped | Manual |
          | Windows 11 (≥ 22H2) | 🔴 Stopped | Manual |

          Problem Reports Control Panel Support (`wercplsupport`) [5]:

          | OS Version | Status | Start type |
          | ---------- | ------ | ---------- |
          | Windows 10 (≥ 21H1) | 🔴 Stopped | Manual |
          | Windows 11 (≥ 22H2) | 🔴 Stopped | Manual |

          ### Overview of default task statuses

          `\Microsoft\Windows\ErrorDetails\EnableErrorDetailsUpdate`:

          | OS Version | Default status |
          | ---------------- | -------------- |
          | Windows 10 22H2 | 🟡 N/A (missing) |
          | Windows 11 22H2 | 🟡 N/A (missing) |

          `\Microsoft\Windows\Windows Error Reporting\QueueReporting`:

          | OS Version | Default status |
          | ---------------- | -------------- |
          | Windows 10 22H2 | 🟢 Ready |
          | Windows 11 22H2 | 🟢 Ready |

          [1]: https://web.archive.org/web/20231018135854/https://learn.microsoft.com/en-us/troubleshoot/windows-client/system-management-components/windows-error-reporting-diagnostics-enablement-guidance "Windows Error Reporting and Windows diagnostics enablement guidance - Windows Client | Microsoft Learn"
          [2]: https://web.archive.org/web/20231018135903/https://learn.microsoft.com/en-us/windows/win32/wer/wer-settings "WER Settings - Win32 apps | Microsoft Learn"
          [3]: https://web.archive.org/web/20231018135918/https://www.stigviewer.com/stig/windows_10/2016-06-24/finding/V-63493 "The system must be configured to allow a local or DOD-wide collector to request additional error reporting diagnostic data to be sent. | stigviewer.com"
          [4]: https://web.archive.org/web/20231018135930/https://batcmd.com/windows/10/services/wersvc/ "Windows Error Reporting Service - Windows 10 Service - batcmd.com"
          [5]: https://web.archive.org/web/20231019222221/https://batcmd.com/windows/10/services/wercplsupport/ "Problem Reports Control Panel Support - Windows 10 Service - batcmd.com"
        call:
          -
            function: Comment
            parameters:
              codeComment: Disable Windows Error Reporting (WER)
              revertCodeComment: Revert Windows Error Reporting (WER)
          -
            function: SetRegistryValue
            parameters:
              keyPath: HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting
              valueName: Disabled
              dataType: REG_DWORD
              data: "1"
              deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H3)
          -
            function: SetRegistryValue
            parameters:
              keyPath: HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting
              valueName: Disabled
              dataType: REG_DWORD
              data: "1"
              deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H3)
          -
            function: Comment
            parameters:
              codeComment: Disable Windows Error Reporting (WER) consent
              revertCodeComment: Revert Windows Error Reporting (WER) consent
          -
            function: RunInlineCode
            parameters:
              code: reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultConsent" /t "REG_DWORD" /d "1" /f
              revertCode: |-
                :: Key exists with value "4" (All data) since Windows 10 22H2, Windows 11 22H3
                reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultConsent" /t "REG_DWORD" /d "4" /f
          -
            function: SetRegistryValue
            parameters:
              keyPath: HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent
              valueName: DefaultOverrideBehavior
              dataType: REG_DWORD
              data: "1"
              deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H3)
          -
            function: Comment
            parameters:
              codeComment: Disable WER sending second-level data
              revertCodeComment: Revert WER sending second-level data
          -
            function: SetRegistryValue
            parameters:
              keyPath: HKLM\Software\Microsoft\Windows\Windows Error Reporting
              valueName: DontSendAdditionalData
              dataType: REG_DWORD
              data: "1"
              deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H3)
          -
            function: SetRegistryValue
            parameters:
              keyPath: HKLM\Software\Microsoft\Windows\Windows Error Reporting
              valueName: LoggingDisabled
              dataType: REG_DWORD
              data: "1"
              deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H3)
          -
            function: DisableScheduledTask
            parameters:
              # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\ErrorDetails\' -TaskName 'EnableErrorDetailsUpdate'
              taskPathPattern: \Microsoft\Windows\ErrorDetails\
              taskNamePattern: EnableErrorDetailsUpdate
          -
            function: DisableScheduledTask
            parameters:
              # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Error Reporting\' -TaskName 'QueueReporting'
              taskPathPattern: \Microsoft\Windows\Windows Error Reporting\
              taskNamePattern: QueueReporting
          -
            # Windows Error Reporting Service
            function: DisableService
            parameters:
              serviceName: wersvc # Check: (Get-Service -Name wersvc).StartType
              defaultStartupMode: Manual # Allowed values: Automatic | Manual
          -
            # Problem Reports Control Panel Support
            function: DisableService
            parameters:
              serviceName: wercplsupport # Check: (Get-Service -Name wercplsupport).StartType
              defaultStartupMode: Manual # Allowed values: Automatic | Manual
      -
        category: Disable Windows Update data collection
        children:
          -
            category: Disable automatic driver updates by Windows Update
            children:
              -
                name: Disable device metadata retrieval (breaks auto updates)
                recommend: strict
                docs:
                  - https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-21964
                  - https://web.archive.org/web/20240314125819/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceinstallation#preventdevicemetadatafromnetwork
                call:
                  -
                    function: RunInlineCode
                    parameters:
                      code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 1 /f
                      revertCode: |-
                        :: Key exists as `0` since Windows 10 22H2, Windows 11 22H3
                        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 0 /f
                  -
                    function: SetRegistryValue
                    parameters:
                      keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Device Metadata
                      valueName: PreventDeviceMetadataFromNetwork
                      dataType: REG_DWORD
                      data: "1"
                      deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H3)
              -
                name: Disable inclusion of drivers with Windows updates
                docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsUpdate::ExcludeWUDriversInQualityUpdate
                recommend: strict
                call:
                  function: SetRegistryValue
                  parameters:
                    keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
                    valueName: ExcludeWUDriversInQualityUpdate
                    dataType: REG_DWORD
                    data: "1"
                    deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H3)
              -
                name: Disable Windows Update device driver search
                docs: https://www.stigviewer.com/stig/windows_7/2018-02-12/finding/V-21965
                recommend: strict
                call:
                  function: RunInlineCode
                  parameters:
                    # SearchOrderConfig: 0 = do not search Windows Update, 1 = always search Windows Update
                    code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t "REG_DWORD" /d "0" /f
                    revertCode: |-
                      :: Key exists with value "1" since Windows 10 22H2, Windows 11 22H3
                      reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t "REG_DWORD" /d "1" /f
          -
            category: Disable obtaining updates from other PCs on the Internet (delivery optimization)
            docs: |-
              Windows Delivery Optimization is a feature introduced by Microsoft to facilitate a more efficient downloading process for Windows updates, upgrades, and applications [1] [2].
              Instead of exclusively relying on Microsoft's servers, this feature identifies other PCs on a user's local network or even across the internet that already possess the desired updates or applications [2].
              By breaking the download into smaller segments and fetching each from the fastest and most reliable source, which can include other PCs, the system ensures more efficient downloads [2].
              To support this process, Delivery Optimization uses a local cache to temporarily store downloaded files [2].

              While Delivery Optimization is designed for speed and reliability, its operation raises privacy concerns.
              Specifically, when enabled, it can distribute updates and applications from one user's PC to others [2], sharing users' data such as their IP addresses [3].

              Benefits of disabling Delivery Optimization for privacy:

              - **Minimizing data sharing**: By turning off Delivery Optimization, users ensure that updates and apps are neither downloaded from nor sent to other devices [2]. This guarantees that all data remains strictly on the user's device [2] and the user's IP address is not shared [3].
              - **Storage conservation**: Users can save storage space by eliminating the local cache utilized by Delivery Optimization.
              - **Guaranteed source authenticity**: Although Microsoft ensures the authenticity of updates and apps shared via Delivery Optimization [2], disabling the feature guarantees that all updates and apps come directly from Microsoft's servers, eliminating potential intermediaries.
              - **Bandwidth conservation**: With the feature off, updates are restricted to direct downloads from Microsoft [1]. This is beneficial for users on metered or capped internet connections, as it allows for more effective bandwidth monitoring [2].
              - **Enhanced security**: Devices using Delivery Optimization open port 7680 to accept peer requests [4]. Disabling the feature avoids this, ensuring users are not exposed to unwanted inbound traffic [5].
              - **VPN protection**: Although Delivery Optimization attempts to detect VPNs and halts uploads when a VPN connection is detected [4], disabling it removes any risk of unintended data sharing over a VPN.

              Notably, the USA government [5] and the Department of Defense (DoD) in the USA [6] recommend disabling this feature.

              [1]: https://web.archive.org/web/20230914164204/https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization "What is Delivery Optimization? - Windows Deployment | Microsoft Learn"
              [2]: https://web.archive.org/web/20230914164355/https://support.microsoft.com/en-us/windows/windows-update-delivery-optimization-and-privacy-bf86a244-8f26-a3c7-a137-a43bfbe688e8 "Windows Update Delivery Optimization and privacy - Microsoft Support"
              [3]: https://web.archive.org/web/20230914164646/https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization-monitor "Monitor Delivery Optimization - Windows Deployment | Microsoft Learn"
              [4]: https://web.archive.org/web/20230905120220/https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization-faq "Delivery Optimization Frequently Asked Questions - Windows Deployment | Microsoft Learn"
              [5]: https://web.archive.org/web/20230914171139/https://www.irs.gov/pub/irs-utl/win10.xlsx "Internal Revenue Service Office of Safeguards - Windows 10 | irs.gov"
              [6]: https://web.archive.org/web/20230914171410/https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-65681 "Windows Update must not obtain updates from other PCs on the Internet | stigviewer.com"
            children:
              -
                name: Disable peering download method for Windows Updates
                recommend: standard
                docs: |-
                  This script modifies Delivery Optimization's download method for Windows Updates [1] to disable peering.
                  When this script is run, it sets the download method to `0`, which means "HTTP only, no peering" [1] [2].
                  As a result, Windows Updates are downloaded solely from the internet and not from other computers on the network (referred to as "peer-to-peer") [3].

                  Peer-to-peer is a method where multiple computers share data amongst themselves.
                  For Windows Updates, the default setting is for computers within a network to share updates (called LAN mode, represented by the value `1`) [1] [2].

                  Changing the setting to "HTTP only" reduces potential vulnerabilities [3].
                  When updates are fetched only from official servers, there's less chance of unwanted or malicious data entering the system.
                  This is why the Department of Defense (DoD) in the USA [4] and the USA government [3] recommend this setting.
                  They assert that leaving it in its default configuration could expose the system to additional risks [3].
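
                  A practitioner applying this category usually wants to confirm the resulting state rather than trust the registry write alone. The PowerShell check below is an added example, not part of this collection and not a Microsoft tool: it reads the `DODownloadMode` policy value set by this script, the status and start type of the `DoSvc` service that the next script disables, and whether anything is still listening on port 7680, the port Delivery Optimization opens for peer requests. The function name `Get-DeliveryOptimizationState` and the `PeeringPossible` summary are assumptions of this example; it relies on the `Get-NetTCPConnection` and `Get-NetUDPEndpoint` cmdlets shipped with Windows 10 and 11.

                  ```powershell
                  # Added example (not from this collection): audit the Delivery Optimization state
                  # that the scripts in this category change. Assumes Windows 10/11 with the NetTCPIP cmdlets.
                  function Get-DeliveryOptimizationState {
                      # 1. Policy value written by "Disable peering download method for Windows Updates".
                      #    A missing value means "not configured", which the docs above describe as LAN mode (1).
                      $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
                      $mode = (Get-ItemProperty -Path $policyKey -Name 'DODownloadMode' -ErrorAction SilentlyContinue).DODownloadMode
                      if ($null -eq $mode) { $modeText = 'not configured (Windows default: LAN peering, 1)' }
                      elseif ($mode -eq 0) { $modeText = 'HTTP only, no peering (0)' }
                      elseif ($mode -eq 1) { $modeText = 'HTTP blended with LAN peering (1)' }
                      else                 { $modeText = "other download mode ($mode)" }

                      # 2. Service state changed by the "Delivery Optimization" service script.
                      $svc = Get-Service -Name 'DoSvc' -ErrorAction SilentlyContinue
                      $svcText = if ($svc) { "$($svc.Status), start type $($svc.StartType)" } else { 'service not present' }

                      # 3. Is anything still accepting peer requests on port 7680 (TCP or UDP)?
                      #    Both cmdlets emit a non-terminating error when nothing matches; @() keeps .Count valid.
                      $tcp = @(Get-NetTCPConnection -LocalPort 7680 -State Listen -ErrorAction SilentlyContinue)
                      $udp = @(Get-NetUDPEndpoint -LocalPort 7680 -ErrorAction SilentlyContinue)

                      # PeeringPossible is true only when the policy allows peering AND the service is running.
                      $peeringPossible = ($null -eq $mode -or $mode -ne 0) -and $svc -and ($svc.Status -eq 'Running')

                      [pscustomobject]@{
                          DownloadMode    = $modeText
                          DoSvc           = $svcText
                          Port7680Open    = ($tcp.Count + $udp.Count) -gt 0
                          PeeringPossible = $peeringPossible
                      }
                  }

                  Get-DeliveryOptimizationState | Format-List
                  ```

                  After running both scripts in this category, `DownloadMode` should read `HTTP only, no peering (0)`, `DoSvc` should report `Stopped, start type Disabled`, and `Port7680Open` should be `False`; a `True` there with the service stopped points at another process bound to the port and is worth investigating.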

                  [1]: https://web.archive.org/web/20230914171524/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deliveryoptimization "DeliveryOptimization Policy CSP - Windows Client Management | Microsoft Learn"
                  [2]: https://web.archive.org/web/20230914171842/https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization-reference "Delivery Optimization reference - Windows Deployment | Microsoft Learn"
                  [3]: https://web.archive.org/web/20230914171139/https://www.irs.gov/pub/irs-utl/win10.xlsx "Internal Revenue Service Office of Safeguards - Windows 10 | irs.gov"
                  [4]: https://web.archive.org/web/20230914171410/https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-65681 "Windows Update must not obtain updates from other PCs on the Internet | stigviewer.com"
                call:
                  function: SetRegistryValue
                  parameters:
                    keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization
                    valueName: DODownloadMode
                    dataType: REG_DWORD
                    data: "0"
                    deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 22H2)
              -
                name: Disable "Delivery Optimization" service (breaks Microsoft Store downloads)
                recommend: strict
                docs: |-
                  Delivery Optimization is a Windows feature that provides Windows Updates through peer-to-peer sharing [1].
                  In simple terms, instead of solely relying on Microsoft's servers for updates, your computer can also fetch them from other devices that already possess the necessary files.

                  The "Delivery Optimization" service manages these content delivery tasks [2] [3].
                  It orchestrates the retrieval of updates from other Windows users [3].
                  In doing so, it connects to various Microsoft service points to collect data, such as policies, content details, device specifications, and information about other Windows users [3].
                  This data sharing raises privacy concerns.
                  This service also logs IP addresses [4] of peers, which can be considered personal data.
                  It listens on port 7680 for TCP/UDP traffic [5], which may expose the user to unwanted inbound traffic [6].

                  By default, the "Delivery Optimization" service is set to start automatically when Windows boots up [2].
                  This script alters that behavior, ensuring it doesn't run unless explicitly started by the user.
                  Taking control of this service prevents Microsoft from activating peer-to-peer sharing, enhancing user privacy.
                  It ensures your device doesn't share update data or fetch it from arbitrary peers.

                  > **Caution:** Disabling this service affects the functionality of the Microsoft Store.
                  > It plays a role not just in Windows Updates but also in Microsoft Store app downloads, especially since Windows 11 [7].
                  > There have been reported issues with some app downloads on Windows 10 [8].

                  ### Overview of default service statuses

                  | OS Version | Status | Start type |
                  | ---------- | ------ | ---------- |
                  | Windows 10 (≥ 21H1) | 🟢 Running | Automatic |
                  | Windows 11 (≥ 22H2) | 🟢 Running | Automatic |

                  [1]: https://web.archive.org/web/20230914164204/https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization "What is Delivery Optimization? - Windows Deployment | Microsoft Learn"
                  [2]: https://web.archive.org/web/20230905120815/https://learn.microsoft.com/en-us/windows/iot/iot-enterprise/optimize/services#delivery-optimization "Guidance on disabling system services on Windows IoT Enterprise | Microsoft Learn"
                  [3]: https://web.archive.org/web/20230914172129/https://learn.microsoft.com/en-us/windows/deployment/do/delivery-optimization-workflow "Delivery Optimization client-service communication explained - Windows Deployment | Microsoft Learn"
                  [4]: https://web.archive.org/web/20230914164646/https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization-monitor "Monitor Delivery Optimization - Windows Deployment | Microsoft Learn"
                  [5]: https://web.archive.org/web/20230914172319/https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-deployment "Deploying a privileged access solution | Microsoft Learn"
                  [6]: https://web.archive.org/web/20230914171139/https://www.irs.gov/pub/irs-utl/win10.xlsx "Internal Revenue Service Office of Safeguards - Windows 10 | irs.gov"
                  [7]: https://web.archive.org/web/20230914164355/https://support.microsoft.com/en-us/windows/windows-update-delivery-optimization-and-privacy-bf86a244-8f26-a3c7-a137-a43bfbe688e8 "Windows Update Delivery Optimization and privacy - Microsoft Support"
                  [8]: https://github.com/undergroundwires/privacy.sexy/issues/173 "[BUG] Error 0x80004002 on Microsoft Store when attempting to download an app · Issue #173 · undergroundwires/privacy.sexy"
                call:
                  # Using the registry because other options such as "sc config" or
                  # "Set-Service" return "Access is denied" since Windows 10 1809.
                  function: DisableServiceInRegistry
                  parameters:
                    serviceName: DoSvc # Check: (Get-Service -Name 'DoSvc').StartType
                    defaultStartupMode: Automatic # Allowed values: Automatic | Manual
      -
        name: Disable cloud-based speech recognition
        recommend: standard
        docs: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#bkmk-priv-speech
        call:
          function: SetRegistryValue
          parameters:
            keyPath: HKCU\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy
            valueName: HasAccepted
            dataType: REG_DWORD
            data: "0"
            deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 22H2)
      -
        name: Disable active probing to Microsoft NCSI server
        recommend: strict
        call:
          function: RunInlineCode
          parameters:
            code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t "REG_DWORD" /d "0" /f
            revertCode: |-
              :: Key exists with value "1" since Windows 10 21H2, Windows 11 22H2
              reg add "HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t "REG_DWORD" /d "1" /f
      -
        name: Opt out of Windows privacy consent
        recommend: standard
        call:
          function: RunInlineCode
          parameters:
            code: reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t "REG_DWORD" /d "0" /f
            revertCode: |-
              :: Key exists with value "1" since Windows 10 21H2, Windows 11 22H2
              reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t "REG_DWORD" /d "1" /f
      -
        name: Disable Windows feedback collection
        recommend: standard
        docs: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#bkmk-priv-feedback
        call:
          -
            function: SetRegistryValue
            parameters:
              keyPath: HKCU\SOFTWARE\Microsoft\Siuf\Rules
              valueName: NumberOfSIUFInPeriod
              dataType: REG_DWORD
              data: "0"
              deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 23H2)
          -
            function: RunPowerShell
            parameters:
              code: reg delete "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /f 2>$null
              revertCode: |-
                # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 22H2)
                reg delete "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /f 2>$null
          -
            function: SetRegistryValue
            parameters:
              keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection
              valueName: DoNotShowFeedbackNotifications
              dataType: REG_DWORD
              data: "1"
              deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 23H2)
          -
            function: SetRegistryValue
            parameters:
              keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection
              valueName: DoNotShowFeedbackNotifications
              dataType: REG_DWORD
              data: "1"
              deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 23H2)
      -
        name: Disable text and handwriting data collection
        recommend: standard
        call:
          -
            function: SetRegistryValue
            parameters:
              keyPath: HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization
              valueName: RestrictImplicitInkCollection
              dataType: REG_DWORD
              data: "1"
              deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 23H2)
          -
            function: SetRegistryValue
            parameters:
              keyPath: HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization
              valueName: RestrictImplicitTextCollection
              dataType: REG_DWORD
              data: "1"
              deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 23H2)
          -
            function: SetRegistryValue
            parameters:
              keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports
              valueName: PreventHandwritingErrorReports
              dataType: REG_DWORD
              data: "1"
              deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 23H2)
          -
            function: SetRegistryValue
            parameters:
              keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\TabletPC
              valueName: PreventHandwritingDataSharing
              dataType: REG_DWORD
              data: "1"
              deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 23H2)
          -
            function: SetRegistryValue
            parameters:
              keyPath: HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization
              valueName: AllowInputPersonalization
              dataType: REG_DWORD
              data: "0"
              deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 23H2)
          -
            function: RunInlineCode
            parameters:
              code: reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d 0 /f
              revertCode: |-
                :: Default value: `1` since Windows 10 21H2, Windows 11 23H2
                reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d 1 /f
      -
        category: Disable location access
        children:
          -
            name: Disable Windows Location Provider
            call:
              function: SetRegistryValue
              parameters:
                keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors
                valueName: DisableWindowsLocationProvider
                dataType: REG_DWORD
                data: "1"
                deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
          -
            name: Disable location scripting
            recommend: standard
            call:
              function: SetRegistryValue
              parameters:
                keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors
                valueName: DisableLocationScripting
                dataType: REG_DWORD
                data: "1"
                deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
          -
            name: Disable location
            recommend: standard
            call:
              -
                function: SetRegistryValue
                parameters:
                  keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors
                  valueName: DisableLocation
                  dataType: REG_DWORD
                  data: "1"
                  deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
              -
                function: SetRegistryValue
                parameters:
                  keyPath: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}
                  valueName: Value
                  dataType: REG_SZ
                  data: "Deny"
                  deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
              -
                function: RunInlineCode
                parameters:
                  code: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /d "0" /t REG_DWORD /f
                  revertCode: |-
                    :: Default value is `1` since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /d "1" /t REG_DWORD /f
          -
            name: Disable device sensors
            recommend: standard
            call:
              function: SetRegistryValue
              parameters:
                keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors
                valueName: DisableSensors
                dataType: REG_DWORD
                data: "1"
                deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
      -
        category: Disable Windows search data collection
        docs: |-
          This category is dedicated to minimizing the personal data collected and utilized by Windows Search and Cortana.
          It encompasses a range of scripts designed to curtail data sharing and bolster user privacy.
          These scripts are crucial for preventing the search function from transmitting sensitive information such as search history, account details, and location data to Microsoft's servers.

          The Windows search functionality, often integrated with Cortana [1], is a key feature that allows for data collection through various means.
          This includes gathering user searches, contacts, location data, voice inputs, browsing history, and details from emails, calendars, and communication history [2].
          The voice data thus collected aids in refining language understanding and machine learning models [2].
          Furthermore, Cortana's use of location data provides contextually relevant answers and suggestions, often estimating the user's location via their IP address [2].
        This feature extends to web browsing as well, where Cortana utilizes Microsoft Edge browsing history for personalized suggestions [2].
        Contacts, calendar details, and email information are also accessed by Cortana to track and offer tailored suggestions [2].
        Additionally, when signed in, chat history with Cortana is retained, and typed searches are transmitted to Bing for enhanced recommendation quality, even when Cortana is not actively in use [2].

        By using the scripts in this category, users can significantly enhance their privacy and security.
        These scripts enable users to control the extent of their personal data used by Windows, thereby ensuring a more secure and private search experience.

        [1]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#2-cortana-and-search "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn"
        [2]: https://web.archive.org/web/20240121010852/https://support.microsoft.com/en-us/windows/cortana-and-privacy-47e5856e-3680-d930-22e1-71ec6cdde231 "Cortana and privacy - Microsoft Support | support.microsoft.com"
      children:
        # Excluding:
        # Disable Bing adult content filter
        #   - `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings!SafeSearchMode`
        #   - `HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!ConnectedSearchSafeSearch`
        #   It doesn't really add to privacy or security.
        # Remove Search Button on Taskbar:
        #   `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search!SearchboxTaskbarMode`
        #   It doesn't really add to privacy or security.
        - category: Disable Cortana data collection
          docs: |-
            This category targets the reduction of Cortana's data collection practices.
            Cortana, Microsoft's digital assistant, integrates deeply with Windows Search to provide personalized assistance based on user data.
            By disabling Cortana's data collection features, this category aims to enhance user privacy by preventing the sharing of sensitive information with Microsoft.
            The scripts within this category provide users with the tools to limit Cortana's reach into their personal data, thereby fostering a more private and secure digital environment.
          children:
            - name: Disable Cortana during search
              recommend: standard
              docs:
                - https://admx.help/?Category=Windows_10_2016&Policy=FullArmor.Policies.3B9EA2B5_A1D1_4CD5_9EDE_75B22990BC21::AllowCortana
                - https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#bkmk-cortana
              call:
                - function: SetRegistryValue
                  parameters:
                    keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search
                    valueName: AllowCortana
                    dataType: REG_DWORD
                    data: "0"
                    deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                - function: ShowExplorerRestartSuggestion
            - name: Disable Cortana experience
              recommend: standard
              call:
                function: RunInlineCode
                parameters:
                  code: reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Experience\AllowCortana" /v "value" /t REG_DWORD /d 0 /f
                  # This key has value `1` (tested since Windows 10 22H2, and Windows 11 23H2)
                  revertCode: reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Experience\AllowCortana" /v "value" /t REG_DWORD /d 1 /f
            - name: Disable Cortana's access to cloud services such as OneDrive and SharePoint
              recommend: standard
              docs: https://web.archive.org/web/20240120140023/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#allowcloudsearch
              call:
                - function: SetRegistryValue
                  parameters:
                    keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search
                    valueName: AllowCloudSearch
                    dataType: REG_DWORD
                    data: "0"
                    deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                - function: ShowExplorerRestartSuggestion
            - name: Disable Cortana speech interaction while the system is locked
              recommend: standard
              docs: https://web.archive.org/web/20240314125714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-abovelock
              call:
                - function: SetRegistryValue
                  parameters:
                    keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search
                    valueName: AllowCortanaAboveLock
                    dataType: REG_DWORD
                    data: "0"
                    deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                - function: ShowExplorerRestartSuggestion
            - name: Disable participation in Cortana data collection
              recommend: standard
              call:
                - function: SetRegistryValue
                  parameters:
                    keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Search
                    valueName: CortanaConsent
                    dataType: REG_DWORD
                    data: "0"
                    deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                - function: ShowExplorerRestartSuggestion
            - name: Disable enabling of Cortana
              recommend: standard
              call:
                function: SetRegistryValue
                parameters:
                  keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Search
                  valueName: CanCortanaBeEnabled
                  dataType: REG_DWORD
                  data: "0"
                  deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
            - name: Disable Cortana in start menu
              recommend: standard
              call:
                - function: SetRegistryValue
                  parameters:
                    keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
                    valueName: CortanaEnabled
                    dataType: REG_DWORD
                    data: "0"
                    deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                - function: SetRegistryValue
                  parameters:
                    keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
                    valueName: CortanaEnabled
                    dataType: REG_DWORD
                    data: "0"
                    deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                - function: ShowExplorerRestartSuggestion
            - category: Disable Cortana activity history
              docs: |-
                This category focuses on preventing Cortana from storing and displaying user interaction history.
                When enabled, Cortana collects data on user activities, such as interactions with the assistant and search queries, to personalize the user experience.
                This collection can be a privacy concern as it involves the retention and potential analysis of personal behavior patterns.
                By disabling this feature, users can prevent their activity history from being used for customization or other purposes, thereby enhancing their privacy and potentially improving system performance by reducing background data processing tasks.
              children:
                - name: Disable Cortana's history display
                  recommend: standard
                  call:
                    function: SetRegistryValue
                    parameters:
                      keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
                      valueName: HistoryViewEnabled
                      dataType: REG_DWORD
                      data: "0"
                      deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                - name: Disable Cortana's device history usage
                  recommend: standard
                  call:
                    - function: SetRegistryValue
                      parameters:
                        keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
                        valueName: DeviceHistoryEnabled
                        dataType: REG_DWORD
                        data: "0"
                        deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                    - function: ShowExplorerRestartSuggestion
                - name: Remove "Cortana" icon from taskbar
                  recommend: standard
                  call:
                    - function: SetRegistryValue
                      parameters:
                        keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
                        valueName: ShowCortanaButton
                        dataType: REG_DWORD
                        data: "0"
                        deleteOnRevert: 'true' # Key exists with value `0` since Windows 10 22H2, missing key since Windows 11 23H2
                    - function: ShowExplorerRestartSuggestion
                - name: Disable Cortana in ambient mode
                  recommend: standard
                  call:
                    - function: SetRegistryValue
                      parameters:
                        keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
                        valueName: CortanaInAmbientMode
                        dataType: REG_DWORD
                        data: "0"
                        deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                    - function: ShowExplorerRestartSuggestion
            - category: Disable Cortana voice listening
              docs: |-
                This category is designed to stop Cortana from listening for voice commands.
                By default, Cortana can actively listen for voice input, which may include capturing and processing speech patterns and potentially sensitive spoken content.
                This capability raises privacy issues as voice data is often processed and stored remotely.
                Disabling Cortana's voice listening features ensures that conversations or background noises are not inadvertently recorded or analyzed, providing users with a greater level of privacy in their personal or work environments.
              children:
                - name: Disable "Hey Cortana" voice activation
                  recommend: standard
                  call:
                    - function: SetRegistryValue
                      parameters:
                        keyPath: HKCU\Software\Microsoft\Speech_OneCore\Preferences
                        valueName: VoiceActivationOn
                        dataType: REG_DWORD
                        data: "0"
                        deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                    - function: SetRegistryValue
                      parameters:
                        keyPath: HKLM\Software\Microsoft\Speech_OneCore\Preferences
                        valueName: VoiceActivationDefaultOn
                        dataType: REG_DWORD
                        data: "0"
                        deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                - name: Disable Cortana keyboard shortcut (**Windows logo key** + **C**)
                  recommend: standard
                  call:
                    - function: SetRegistryValue
                      parameters:
                        keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
                        valueName: VoiceShortcut
                        dataType: REG_DWORD
                        data: "0"
                        deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                    - function: ShowExplorerRestartSuggestion
                - name: Disable Cortana on locked device
                  recommend: standard
                  call:
                    function: SetRegistryValue
                    parameters:
                      keyPath: HKCU\Software\Microsoft\Speech_OneCore\Preferences
                      valueName: VoiceActivationEnableAboveLockscreen
                      dataType: REG_DWORD
                      data: "0"
                      deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                - name: Disable automatic update of speech data
                  recommend: standard
                  call:
                    function: SetRegistryValue
                    parameters:
                      keyPath: HKCU\Software\Microsoft\Speech_OneCore\Preferences
                      valueName: ModelDownloadAllowed
                      dataType: REG_DWORD
                      data: "0"
                      deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                - name: Disable Cortana voice support during Windows setup
                  recommend: standard
                  call:
                    function: SetRegistryValue
                    parameters:
                      keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE
                      valueName: DisableVoice
                      dataType: REG_DWORD
                      data: "1"
                      deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
        - category: Disable privacy-invasive indexing
          docs: |-
            This category is dedicated to preventing privacy-invasive indexing features within Windows.
            Indexing can include details from emails, documents, and other files that may contain sensitive information.
            Scripts in this category limit the exposure of personal data through search functionalities.
            By controlling what and how information is indexed, these scripts help in protecting user privacy against potential data breaches or unauthorized access.
          children:
            # There are other missing indexing settings such as:
            # EnableIndexingDelegateMailboxes, DisableRemovableDriveIndexing, PreventIndexingEmailAttachments
            # PreventIndexingLowDiskSpaceMB, PreventIndexingOfflineFiles, PreventIndexingOutlook, PreventIndexingPublicFolders,
            # PreventIndexingUncachedExchangeFolders, PreventIndexOnBattery, AutoIndexSharedFolders
            - name: Disable indexing of encrypted items
              recommend: standard
              docs: https://web.archive.org/web/20240120140023/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#allowindexingencryptedstoresoritems
              call:
                - function: SetRegistryValue
                  parameters:
                    keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search
                    valueName: AllowIndexingEncryptedStoresOrItems
                    dataType: REG_DWORD
                    data: "0"
                    deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                - function: ShowExplorerRestartSuggestion
            - name: Disable automatic language detection when indexing
              recommend: standard
              docs: https://web.archive.org/web/20240120140023/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#alwaysuseautolangdetection
              call:
                - function: SetRegistryValue
                  parameters:
                    keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search
                    valueName: AlwaysUseAutoLangDetection
                    dataType: REG_DWORD
                    data: "0"
                    deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                - function: ShowExplorerRestartSuggestion
            - name: Disable remote access to search index
              recommend: standard
              docs: |-
                This disables remote access to the search index of your computer [1] [2] [3] [4].
                By executing this script, other computers will no longer be able to query your computer's search index remotely [1] [2] [4].
                This means that when others are browsing network shares on your computer, they cannot use its index for searching [1] [2] [4].
                By default, without this script, client computers can search using the host's index [1] [2] [3] [4], which might pose a privacy concern.
                Implementing this change is crucial for maintaining both the privacy and security of your search data.
                Not restricting this access is recognized as a security vulnerability [5].

                The script targets the following registry key to implement the change:
                `HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventRemoteQueries` [1] [2] [4] [5].

                [1]: https://web.archive.org/web/20240120140023/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#preventremotequeries "Search Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
                [2]: https://web.archive.org/web/20240120200959/https://admx.help/?Category=Windows_10_2016&Policy=FullArmor.Policies.3B9EA2B5_A1D1_4CD5_9EDE_75B22990BC21::PreventRemoteQueries "Prevent clients from querying the index remotely | admx.help"
                [3]: https://web.archive.org/web/20240120200946/https://learn.microsoft.com/en-us/mem/intune/configuration/device-restrictions-windows-10#search "Device restriction settings for Windows 10/11 in Microsoft Intune | Microsoft Learn | learn.microsoft.com"
                [4]: https://web.archive.org/web/20240120200943/https://www.windows-security.org/bcf256ddaff391fa2a294d42ffecbd90/prevent-clients-from-querying-the-index-remotely "Prevent clients from querying the index remotely | Windows security encyclopedia | www.windows-security.org"
                [5]: https://web.archive.org/web/20240120200943/https://www.scaprepo.com/control.jsp?command=relation&relationId=CCE-93119-6&search=CCE-93119-6 "SecPod SCAP Repo, a repository of SCAP Content (CVE, CCE, CPE, CWE, OVAL and XCCDF) | www.scaprepo.com"
              call:
                - function: SetRegistryValue
                  parameters:
                    keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search
                    valueName: PreventRemoteQueries
                    dataType: REG_DWORD
                    data: "1"
                    deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                - function: ShowExplorerRestartSuggestion
            - name: Disable iFilters and protocol handlers
              recommend: standard
              docs: |-
                This script enhances the security of Windows Desktop Search by restricting the use of iFilters and protocol handlers [1].
                These components enhance Windows search capabilities by enabling the indexing of specific file types and the processing of various file protocols [2] [3].
                By default, Windows Desktop Search can use any installed iFilters and protocol handlers [1], which might pose a security risk if untrusted components are used.

                The script configures the system to only use iFilters and protocol handlers that are explicitly listed in an 'allow list' [1].
                It does not prevent the installation of new iFilters or protocol handlers, nor does it restrict their use by other applications [1].
                This measure is particularly useful for preventing unauthorized or potentially harmful search-related add-ins from being used by Windows Desktop Search, thereby enhancing the overall security of the system.

                [1]: https://web.archive.org/web/20240121002144/https://admx.help/?Category=Windows_10_2016&Policy=FullArmor.Policies.3B9EA2B5_A1D1_4CD5_9EDE_75B22990BC21::PreventUnwantedAddins "Prevent unwanted iFilters and protocol handlers | admx.help"
                [2]: https://web.archive.org/web/20240121002129/https://learn.microsoft.com/en-us/windows/win32/search/-search-ifilter-conceptual "Developing Filter Handlers for Windows Search - Win32 apps | Microsoft Learn | learn.microsoft.com"
                [3]: https://web.archive.org/web/20240121002136/https://learn.microsoft.com/en-us/windows/win32/search/-search-ifilter-registering-filters "Registering Filter Handlers - Win32 apps | Microsoft Learn | learn.microsoft.com"
              call:
                - function: SetRegistryValue
                  parameters:
                    keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search
                    valueName: PreventUnwantedAddIns
                    dataType: REG_SZ
                    data: " "
                    deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                - function: ShowExplorerRestartSuggestion
            - name: Disable search's access to location
              recommend: standard
              docs: |-
                This script blocks both the Windows search function and Cortana, Microsoft's virtual assistant, from accessing your device's location data [1].
                By default, Microsoft processes location data, impacting user privacy [2].
                The U.S. Internal Revenue Service advises restricting access to this data to improve security, given the sensitivity of location information [3].
                Once this script is applied, search and Cortana will no longer be able to provide results based on the user's location [1], thus enhancing privacy.

                The script accomplishes this by modifying the following registry keys:

                - `HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!AllowSearchToUseLocation` [1] [2]
                - `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search!AllowSearchToUseLocation` [4]

                [1]: https://web.archive.org/web/20240120140023/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#allowsearchtouselocation "Search Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
                [2]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-cortana-and-search-group-policies "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn"
                [3]: https://web.archive.org/web/20230914171139/https://www.irs.gov/pub/irs-utl/win10.xlsx "Internal Revenue Service Office of Safeguards - Windows 10 | irs.gov"
                [4]: https://web.archive.org/web/20240120230024/https://www.neowin.net/news/the-windows-10-spring-update-no-longer-lets-you-disable-web-search-in-start/ "The Windows 10 spring update no longer lets you disable web search in Start - workaround - Neowin | www.neowin.net"
              call:
                - function: SetRegistryValue
                  parameters:
                    keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search
                    valueName: AllowSearchToUseLocation
                    dataType: REG_DWORD
                    data: "0"
                    deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                - function: SetRegistryValue
                  parameters:
                    keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
                    valueName: AllowSearchToUseLocation
                    dataType: REG_DWORD
                    data: "1"
                    deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                - function: ShowExplorerRestartSuggestion
        - category: Disable search suggestions
          docs: |-
            This category focuses on enhancing privacy by disabling various search suggestions in Windows, commonly associated with Cortana [1].
            Cortana is a digital assistant integrated into Windows Search, capable of collecting extensive personal data to provide its services [2].
            This includes your search queries, contact information, location, voice inputs, browsing history, and details from emails, calendars, and communication history [2].
            These scripts are designed to limit the amount of personal data shared with Microsoft, preventing your typed searches from being sent to Bing for search recommendations, even when Cortana is inactive [2].

            [1]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#2-cortana-and-search "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn"
            [2]: https://web.archive.org/web/20240121010852/https://support.microsoft.com/en-us/windows/cortana-and-privacy-47e5856e-3680-d930-22e1-71ec6cdde231 "Cortana and privacy - Microsoft Support | support.microsoft.com"
          children:
            - name: Disable Bing search and recent search suggestions (breaks search history)
              recommend: standard
              docs: |-
                This script improves privacy by disabling Bing search in the Start menu and recent search suggestions in File Explorer [1] [2] [3] [4] [5].
                By default, Windows 10's Search Box includes suggestions from the Internet, alongside local search results [4] [5] [6] [7].
                This script limits the search results to your local machine, improving privacy by not sending data to Microsoft servers [2].

                The script:

                - Stops Bing web search integration in the Start menu [1] [2] [3] [4] [5].
                - Disables recent search suggestions in File Explorer [5] [6] [7].
                - Prevents search entries from being stored in the registry for future use [5] [6] [7].

                > **Caution:** Running this script will remove Bing web search [1] [2] [3] [4] [5] and recent query suggestions
                > from the search box [5] [6] [7], breaking the functionality of File Explorer pop-up suggestions based on past entries [6] [7].

                This script modifies:

                - `HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer!DisableSearchBoxSuggestions` [2] [3] [4].
                - `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search!DisableSearchBoxSuggestions` [8] [9].

                These keys replace the older `BingSearchEnabled` registry value [2] [3].
                They apply to Windows 10 versions after 1909, including Windows 10 v2004 (20H1) and higher [5] [9].

                [1]: https://web.archive.org/web/20240120193801/https://github.com/undergroundwires/privacy.sexy/pull/117 'Added "Disable Bing search suggestions in Start Menu" by Permanently · Pull Request #117 · undergroundwires/privacy.sexy | github.com'
                [2]: https://web.archive.org/web/20240120182931/https://www.windowslatest.com/2020/10/04/disable-bing-in-windows-search/ "How to disable Bing search in the Windows 10 Start menu | www.windowslatest.com"
                [3]: https://web.archive.org/web/20240120182853/https://borncity.com/win/2020/10/05/windows-10-disable-bing-in-the-search/ "Windows 10: Disable Bing in the search | Born's Tech and Windows World | borncity.com"
                [4]: https://web.archive.org/web/20240120182943/https://www.techbout.com/disable-web-results-in-windows-search-44034/ "How to Disable Web Search Results in Windows 10 - Techbout | www.techbout.com"
                [5]: https://web.archive.org/web/20240120135454/https://www.winhelponline.com/blog/disable-web-results-windows-10-start-menu/ "How to Disable Web Search in Windows 10 Start menu | Winhelponline | www.winhelponline.com"
                [6]: https://web.archive.org/web/20240120194244/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsExplorer::DisableSearchBoxSuggestions "Turn off display of recent search entries in the File Explorer search box | admx.help"
                [7]: https://web.archive.org/web/20240120194340/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-windowsexplorer#disablesearchboxsuggestions "ADMX_WindowsExplorer Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
                [8]: https://web.archive.org/web/20240120194603/https://www.pcastuces.com/pratique/astuces/6080-print.htm "PC Astuces - Désactiver les recommandations dans la recherche - Windows 10 | www.pcastuces.com"
                [9]: https://web.archive.org/web/20240120194547/https://www.deskmodder.de/phpBB3/viewtopic.php?t=23243 "Websuche in der Windows 10 Taskleiste deaktivieren - Deskmodder.de | www.deskmodder.de"
              call:
                - function: SetRegistryValue
                  parameters:
                    keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer
                    valueName: DisableSearchBoxSuggestions
                    dataType: REG_DWORD
                    data: "1"
                    deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                - function: SetRegistryValue
                  parameters:
                    keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
                    valueName: DisableSearchBoxSuggestions
                    dataType: REG_DWORD
                    data: "1"
                    deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                - function: ShowExplorerRestartSuggestion
            - name: Disable Bing search in start menu # Obsolete since Windows 10 20H2, replaced by `DisableSearchBoxSuggestions`
              recommend: standard
              docs: |-
                This script disables the Bing search integration in the Windows Start menu search function [1] [2] [3].
                In Windows, typing in the Start menu search box displays results from the web via Bing, in addition to local search results [2] [3].
                By preventing the search function from sending queries to Microsoft servers, this script enhances user privacy and optimizes system performance by reducing the search workload.

                Running this script prevents such web searches by modifying the `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search!BingSearchEnabled` registry key [1] [2] [3].
                It is applicable to Windows version 1909 and older [1] [2] [4].

                [1]: https://web.archive.org/web/20240120182931/https://www.windowslatest.com/2020/10/04/disable-bing-in-windows-search/ "How to disable Bing search in the Windows 10 Start menu | www.windowslatest.com"
                [2]: https://web.archive.org/web/20240120135454/https://www.winhelponline.com/blog/disable-web-results-windows-10-start-menu/ "How to Disable Web Search in Windows 10 Start menu | Winhelponline | www.winhelponline.com"
                [3]: https://web.archive.org/web/20240120182943/https://www.techbout.com/disable-web-results-in-windows-search-44034/ "How to Disable Web Search Results in Windows 10 - Techbout | www.techbout.com"
                [4]: https://web.archive.org/web/20240120182853/https://borncity.com/win/2020/10/05/windows-10-disable-bing-in-the-search/ "Windows 10: Disable Bing in the search | Born's Tech and Windows World | borncity.com"
              call:
                - function: SetRegistryValue
                  parameters:
                    keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search # HKCU key is needed, not HKLM
                    valueName: BingSearchEnabled
                    dataType: REG_DWORD
                    data: "0"
                    deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                - function: ShowExplorerRestartSuggestion
            - name: Disable web search in search bar # Obsolete since Windows 10 1803
              recommend: standard
              docs: |-
                This script disables the ability to perform web searches directly from the Windows Desktop Search [1] [2] [3].
                By executing this script, searches made from the desktop will be restricted to local content, omitting results from the web [1] [2] [3].
                Without this script, Windows Desktop Search includes web results by default, utilizing the user's default web browser and search engine [1].

                This script configures the `HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!DisableWebSearch` registry key [1] [2] [3].
                `DisableWebSearch` is not respected since Windows version 1803 [1] [2].

                [1]: https://web.archive.org/web/20240120163752/https://admx.help/?Category=Windows_10_2016&Policy=FullArmor.Policies.3B9EA2B5_A1D1_4CD5_9EDE_75B22990BC21::DisableWebSearch "Do not allow web search | admx.help"
                [2]: https://web.archive.org/web/20240120143549/https://community.spiceworks.com/topic/2145330-psa-gp-to-disable-web-connected-search-no-longer-works-in-1803-workaround "PSA: GP to disable web-connected search no longer works in 1803 - workaround - Windows 10 | community.spiceworks.com"
                [3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-cortana-and-search-group-policies "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn"
              call:
                - function: SetRegistryValue
                  parameters:
                    keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search
                    valueName: DisableWebSearch
                    dataType: REG_DWORD
                    data: "1"
                    deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                - function: ShowExplorerRestartSuggestion
            - name: Disable web results in Windows Search
              recommend: standard
              docs: |-
                This script improves your privacy by disabling the display of web results in the Windows Search function [1] [2].
                This prevents your search terms from being sent to Microsoft servers [3].
                By default, the Windows Start menu Search box shows results from your computer, the Windows Store, and Bing's web search results [4].
                This default behavior [2] means your queries are shared with Microsoft, which could impact your privacy [3].
                Running this script stops the Start menu search from performing web searches and displaying web results [1] [2], both generally and over metered connections [5], ensuring your searches remain local to your device [3] [5].
When executed, this script modifies the following registry keys: - `HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!ConnectedSearchUseWeb` [1] [3] [4]. - `HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!ConnectedSearchUseWebOverMeteredConnections` [5]. [1]: https://web.archive.org/web/20240120135419/https://admx.help/?Category=Windows_10_2016&Policy=FullArmor.Policies.3B9EA2B5_A1D1_4CD5_9EDE_75B22990BC21::DoNotUseWebResults "Don't search the web or display web results in Search" [4]: https://web.archive.org/web/20240120135454/https://www.winhelponline.com/blog/disable-web-results-windows-10-start-menu/ "How to Disable Web Search in Windows 10 Start menu | Winhelponline | www.winhelponline.com" [3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-cortana-and-search-group-policies "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn" [2]: https://web.archive.org/web/20240120140023/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#donotusewebresults "Search Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [5]: https://web.archive.org/web/20240120135331/https://admx.help/?Category=Windows_10_2016&Policy=FullArmor.Policies.3B9EA2B5_A1D1_4CD5_9EDE_75B22990BC21::DoNotUseWebResultsOnMeteredConnections "Don't search the web or display web results in Search over metered connections | admx.help" call: - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search valueName: ConnectedSearchUseWeb dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: 
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search valueName: ConnectedSearchUseWebOverMeteredConnections dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: ShowExplorerRestartSuggestion - name: Disable Windows search highlights recommend: standard docs: |- This script disables the search highlights feature in the taskbar search box. By default [1] [2], search highlights present content like holidays, anniversaries, and other special events, both globally and regionally [1]. This feature, available since Windows 10 and 11 version 2004 [1] [3] [4], periodically updates with content, including illustrations and text in the search box [1]. However, using search highlights can impact your privacy. This feature is even considered a security vulnerability [2]. It reduces privacy by communicating personalized content including updates from your organization, suggested people, files, and more [3]. Acknowledging this privacy concern, Windows provides settings in the "Privacy & security" section to manage it [3]. 
This script adjusts following registry keys to turn off this feature: - `HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!EnableDynamicContentInWSB` [4] [2] [5] - `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings!IsDynamicSearchBoxEnabled` [6] [7] [8] - `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings!ShowDynamicContent` [7] [1]: https://web.archive.org/web/20240120213614/https://techcommunity.microsoft.com/t5/windows-it-pro-blog/group-configuration-search-highlights-in-windows/ba-p/3263989 "Group configuration: search highlights in Windows - Microsoft Community Hub | techcommunity.microsoft.com" [2]: https://web.archive.org/web/20240120214205/https://www.scaprepo.com/view.jsp?id=CCE-99848-4 "SecPod SCAP Repo, a repository of SCAP Content (CVE, CCE, CPE, CWE, OVAL and XCCDF) | www.scaprepo.com" [3]: https://web.archive.org/web/20240120214019/https://blogs.windows.com/windows-insider/2022/03/09/announcing-windows-11-insider-preview-build-22572/ "Announcing Windows 11 Insider Preview Build 22572 | Windows Insider Blog | blogs.windows.com" [4]: https://web.archive.org/web/20240120214147/https://admx.help/?Category=Windows_10_2016&Policy=FullArmor.Policies.3B9EA2B5_A1D1_4CD5_9EDE_75B22990BC21::AllowSearchHighlights "Allow search highlights | admx.help" [5]: https://web.archive.org/web/20240120140023/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#allowsearchhighlights "Search Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [6]: https://web.archive.org/web/20240121145807/https://www.thewindowsclub.com/how-to-disable-search-highlights-in-windows "How to disable Search Highlights in Windows 11/10 | www.thewindowsclub.com" [7]: https://web.archive.org/web/20240120214424/https://www.tenforums.com/tutorials/194711-enable-disable-search-highlights-windows-10-a.html "Enable or Disable Search Highlights in Windows 10 | Tutorials | www.tenforums.com" [8]: 
https://web.archive.org/web/20240120214331/https://www.howtogeek.com/895945/how-to-turn-off-search-highlights-on-windows-11/ "How to Turn Off Search Highlights on Windows 11 | www.howtogeek.com" call: - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search valueName: EnableDynamicContentInWSB dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\SearchSettings valueName: IsDynamicSearchBoxEnabled dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: ShowExplorerRestartSuggestion - name: Disable local search history (breaks recent suggestions) recommend: strict docs: |- This disables the storage and display of search history in Windows [1] [2]. When executed, the script prevents the operating system from storing search queries in the registry [1] [2]. Consequently, suggestions based on previous searches will no longer appear in the search pane [1] [2]. However, suggestions based on local content from apps or Windows itself will remain available [1] [2]. The National Security Agency (NSA) in the USA recommends this setting for enhanced privacy and security [3]. By default, Windows provides search suggestions based on previous searches [1] [2] [4]. Running this script disables this feature, thereby enhancing privacy. The script configures the following registry keys: - `HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer!DisableSearchHistory` registry key [1] [2]. - `HKCU\Software\Microsoft\Windows\CurrentVersion\SearchSettings!IsDeviceSearchHistoryEnabled` [5]. 
[1]: https://web.archive.org/web/20240120195206/https://admx.help/?Category=Windows_10_2016&Policy=FullArmor.Policies.3B9EA2B5_A1D1_4CD5_9EDE_75B22990BC21::DisableSearchHistory "Turn off storage and display of search history | admx.help" [2]: https://web.archive.org/web/20240120195237/https://www.windows-security.org/97ff7103a68191c257fcf3a98d3dd87f/turn-off-storage-and-display-of-search-history "Turn off storage and display of search history | Windows security encyclopedia | www.windows-security.org" [3]: https://archive.ph/2024.01.20-195609/https://github.com/nsacyber/Windows-Secure-Host-Baseline/blob/a0bdd660753327addc3bf4c0500d03c2770a4740/Windows/Group%20Policy%20Templates/Search.admx%23L456 "Windows-Secure-Host-Baseline/Windows/Group Policy Templates/Search.admx · nsacyber/Windows-Secure-Host-Baseline | github.com" [4]: https://web.archive.org/web/20240120211224/https://support.microsoft.com/en-us/windows/windows-search-and-privacy-99fb8251-7260-1cd6-1bbb-15c2370eb168 "Windows Search and privacy - Microsoft Support | support.microsoft.com" [5]: https://web.archive.org/web/20240120211424/https://www.tenforums.com/tutorials/133365-how-turn-off-device-search-history-windows-10-a.html "How to Turn On or Off Device Search History in Windows 10 | Tutorials | www.tenforums.com" [6]: https://web.archive.org/web/20240120211431/https://technoresult.com/how-to-disable-windows-search-history-feature-in-windows-10/ "How to Disable Windows Search History Feature in Windows 10? 
- Technoresult | technoresult.com" [7]: https://web.archive.org/web/20240120211444/https://www.thewindowsclub.com/clear-windows-10-search-history-and-remove-recent-activities "How to clear Windows Search History and remove Recent Activities | www.thewindowsclub.com" call: - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows\Explorer valueName: DisableSearchHistory dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\SearchSettings valueName: IsDeviceSearchHistoryEnabled dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: ShowExplorerRestartSuggestion - name: Disable sharing personal search data with Microsoft recommend: standard docs: |- This script enhances privacy by limiting what search information is shared with Bing [1] [2] [3] [4] [5]. By default, Search in Windows shares user information, including search history, Microsoft account details, and location data, to personalize search results and other Microsoft services [1] [2]. Executing this script ensures that search history, account details, or specific location data are not sent to Microsoft [1] [2]. Applicable to Windows 8.1 and later [1] [2] [3] [5], this script is a key privacy measure. It is recommended by the US Department of Defense (DoD) and is considered a standard security practice [3]. Sharing this information is recognized as a security vulnerability [4]. The Center for Internet Security (CIS) also recommends this setting in its security framework [5]. The script modifies the following registry key to enforce this privacy setting: `HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!ConnectedSearchPrivacy` [1] [2] [3] [4] [5]. 
[1]: https://web.archive.org/web/20240120203041/https://admx.help/?Category=Windows_10_2016&Policy=FullArmor.Policies.3B9EA2B5_A1D1_4CD5_9EDE_75B22990BC21::SearchPrivacy "Set what information is shared in Search | admx.help" [2]: https://web.archive.org/web/20240120203121/https://www.windows-security.org/c3a6b16451db61009c33a3be38dd1594/set-what-information-is-shared-in-search "Set what information is shared in Search | Windows security encyclopedia | www.windows-security.org" [3]: https://web.archive.org/web/20240120202937/https://www.stigviewer.com/stig/windows_8_8.1/2015-06-16/finding/V-43242 "Information shared with Bing in Search must be configured to the most restrictive setting. (Windows 8.1) | www.stigviewer.com" [4]: https://web.archive.org/web/20240120203138/https://www.scaprepo.com/control.jsp?command=relation&relationId=oval:org.secpod.oval:def:27705&search=oval:org.secpod.oval:def:27705 "SecPod SCAP Repo, a repository of SCAP Content (CVE, CCE, CPE, CWE, OVAL and XCCDF) | www.scaprepo.com" [5]: https://web.archive.org/web/20240120203149/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v2_1_0.pdf "CIS Microsoft Windows Server 2012 R2 Benchmark v2.1.0 | bobylive.com" call: - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search valueName: ConnectedSearchPrivacy dataType: REG_DWORD data: "3" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: ShowExplorerRestartSuggestion - name: Disable personal cloud content search in taskbar recommend: standard docs: |- This script disables the integration of personal cloud content in the taskbar search box [1] [2] [3]. By default [2], Windows Search can access and display results from various Microsoft cloud services, including OneDrive, Outlook, Bing, SharePoint [2] [3] [4] for both personal Microsoft accounts and work or school accounts [1] [2] [3] [4]. 
This means your personal and work-related files stored on Microsoft's cloud platforms can be searched through the Windows Search interface. While this feature increases convenience, it also poses privacy concerns. For instance, someone with access to your computer can potentially view your personal search results or data from your cloud storage. Additionally, your search queries are shared with Microsoft, further impacting your privacy. By disabling this feature, you ensure that Windows Search only returns results from your local device, safeguarding your personal and professional information stored in cloud services. This action enhances privacy by keeping your cloud-stored data separate from local search operations. The script modifies two registry keys to disable cloud content search for different account types: - For personal Microsoft accounts: `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings!IsMSACloudSearchEnabled` [1] [2] [3] - For work or school accounts: `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings!IsAADCloudSearchEnabled` [1] [2] [3] [1]: https://web.archive.org/web/20240121002929/https://r-pufky.github.io/docs/operating-systems/windows/10/20H2/settings/search/permissions-and-history.html "8.1. Permissions & History — Generic service & computer documentation. 
documentation | r-pufky.github.io" [2]: https://web.archive.org/web/20240121002902/https://www.clasesordenador.com/como-activar-y-desactivar-la-busqueda-de-contenido-en-la-nube-en-windows-11/ "Cómo activar y desactivar la búsqueda de contenido en la nube en Windows 11 | www.clasesordenador.com" [3]: https://web.archive.org/web/20240121002826/https://www.thewindowsclub.com/disable-cloud-content-search-in-taskbar-search-box "Disable Cloud Content Search in Taskbar search box in Windows 11/10 | www.thewindowsclub.com" [4]: https://web.archive.org/web/20240121010645/https://support.microsoft.com/en-us/windows/windows-search-and-privacy-99fb8251-7260-1cd6-1bbb-15c2370eb168 "Windows Search and privacy - Microsoft Support | support.microsoft.com" call: - function: SetRegistryValue parameters: keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings valueName: IsMSACloudSearchEnabled dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings valueName: IsAADCloudSearchEnabled dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: ShowExplorerRestartSuggestion - category: Disable targeted advertisements and marketing children: - name: Disable ad customization with Advertising ID recommend: standard docs: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#181-general call: - function: RunInlineCode parameters: code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f # `1` by default since Windows 10 22H2, and Windows 11 22H3 revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v 
"Enabled" /t REG_DWORD /d "1" /f - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo valueName: DisabledByGroupPolicy dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable cloud-based advertising and tips children: - name: Disable Windows Tips recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.CloudContent::DisableSoftLanding code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableSoftLanding" /t REG_DWORD /d "1" /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableSoftLanding" /t REG_DWORD /d "0" /f - name: Disable Windows Spotlight (shows random wallpapers on lock screen) recommend: strict docs: |- The script disables the Windows Spotlight feature. Windows Spotlight is a feature in Windows 10 and Windows 11 [1] that automatically downloads and displays random wallpapers on the lock screen [1] [2]. These images are sourced from the internet [1] [2] [3]. At times, it might also promote various Microsoft products, services [1] [2], or even third-party apps and content [4]. When the lock screen fetches images from the internet, there's a silent data exchange happening. This can inadvertently reveal details about the user's device or their preferences. To mitigate this potential privacy risk, the script makes a change to a key (`DisableWindowsSpotlightFeatures`) in the Windows operating system [3]. Originally, Windows Spotlight is turned on unless the user decides otherwise [2]. By applying this script, users can be sure their lock screen remains private and doesn't retrieve wallpapers from the internet, eliminating potential data leaks. 
[1]: https://web.archive.org/web/20230911110727/https://support.microsoft.com/en-us/windows/personalize-your-lock-screen-81dab9b0-35cf-887c-84a0-6de8ef72bea0 "Personalize your lock screen - Microsoft Support" [2]: https://web.archive.org/web/20230911110748/https://learn.microsoft.com/en-us/windows/configuration/windows-spotlight "Configure Windows Spotlight on the lock screen - Configure Windows | Microsoft Learn" [3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#25-windows-spotlight "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn" [4]: https://web.archive.org/web/20230911110921/https://download.microsoft.com/download/8/F/B/8FBD2E85-8852-45EC-8465-92756EBD9365/Windows10andWindowsServer2016PolicySettings.xlsx "Group Policy Settings Reference - Microsoft" call: function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows\CloudContent valueName: DisableWindowsSpotlightFeatures dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 22H2) - name: Disable Microsoft Consumer Experiences recommend: standard docs: - https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-71771 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.CloudContent::DisableWindowsConsumerFeatures - https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1816-feedback--diagnostics code: reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t "REG_DWORD" /d "1" /f revertCode: reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v 
"DisableWindowsConsumerFeatures" /t "REG_DWORD" /d "0" /f - name: Disable suggested content in Settings app recommend: standard docs: - https://web.archive.org/web/20230929130219/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004 - https://www.blogsdna.com/28017/how-to-disable-turn-off-suggested-content-on-windows-10-setting-app.htm code: |- reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /d "0" /t REG_DWORD /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /d "0" /t REG_DWORD /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /d "0" /t REG_DWORD /f revertCode: |- reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /d "1" /t REG_DWORD /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /d "1" /t REG_DWORD /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /d "1" /t REG_DWORD /f - category: Disable biometrics (breaks fingerprinting/facial login) children: - name: Disable use of biometrics recommend: strict docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Biometrics::Biometrics_EnableBio call: function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Biometrics valueName: Enabled dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 22H2) - name: Disable biometric logon recommend: strict docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Biometrics::Biometrics_EnableCredProv call: function: SetRegistryValue parameters: keyPath: 
HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider valueName: Enabled dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 22H2) - name: Disable "Windows Biometric Service" recommend: strict docs: |- Details: - [Security guidelines for system services in Windows Server 2016 | Microsoft Learn | learn.microsoft.com](https://web.archive.org/web/20240218231654/https://learn.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#windows-biometric-service) - [Windows Biometric Service - Windows 10 Service - batcmd.com | batcmd.com](https://web.archive.org/web/20240314062512/https://batcmd.com/windows/10/services/wbiosrvc/) ### Overview of default service statuses | OS Version | Status | Start type | | ---------- | -------| ---------- | | Windows 10 (≥ 21H1) | 🔴 Stopped | Manual | | Windows 11 (≥ 22H2) | 🔴 Stopped | Manual | call: function: DisableService parameters: serviceName: WbioSrvc # Check: (Get-Service -Name WbioSrvc).StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable Wi-Fi Sense recommend: standard call: - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting valueName: value dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 22H2) - function: RunInlineCode parameters: code: reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "value" /t REG_DWORD /d 0 /f # Default value: `1` since Windows 10 21H2, Windows 11 22H2 revertCode: reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "value" /t REG_DWORD /d 1 /f - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config valueName: 
AutoConnectAllowedOEM dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 22H2) - name: Disable app launch tracking (hides most-used apps) recommend: strict docs: https://www.thewindowsclub.com/enable-or-disable-app-launch-tracking-in-windows-10 call: - function: SetRegistryValue parameters: keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced valueName: Start_TrackProgs dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: ShowExplorerRestartSuggestion - name: Disable Website Access of Language List recommend: standard docs: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#181-general call: function: SetRegistryValue parameters: keyPath: HKCU\Control Panel\International\User Profile valueName: HttpAcceptLanguageOptOut dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable automatic map downloads recommend: standard call: - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Maps valueName: AllowUntriggeredNetworkTrafficOnSettingsPage dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Maps valueName: AutoDownloadAndUpdateMapData dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable game screen recording recommend: standard call: - function: RunInlineCode parameters: code: reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d 0 /f revertCode: >- # `0` 
since Windows 11 23H2 and `1` since Windows 10 22H2 reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d 0 /f - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR valueName: AllowGameDVR dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable internet access for Windows DRM recommend: standard docs: https://web.archive.org/web/20231206191323/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DigitalRights2::DisableOnline call: function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\WMDRM valueName: DisableOnline dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable typing feedback (sends typing data) recommend: standard call: - function: RunInlineCode parameters: code: reg add "HKLM\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f # `1` since Windows 11 23H2 and `1` since Windows 10 22H2 revertCode: reg add "HKLM\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 1 /f - function: RunInlineCode parameters: code: reg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f # `1` since Windows 11 23H2 and `1` since Windows 10 22H2 revertCode: reg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 1 /f - name: Disable Activity Feed feature recommend: standard call: function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\System valueName: EnableActivityFeed dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable Windows Insider Program children: - name: Disable "Windows Insider Service" docs: |- Details: - [Security guidelines for system services in Windows Server 2016 | Microsoft Learn | 
learn.microsoft.com](https://web.archive.org/web/20240218231654/https://learn.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#windows-insider-service) - [Windows Insider Service - Windows 10 Service - batcmd.com | batcmd.com](https://web.archive.org/web/20240314062528/https://batcmd.com/windows/10/services/wisvc/) ### Overview of default service statuses | OS Version | Status | Start type | | ---------- | -------| ---------- | | Windows 10 (≥ 21H1) | 🔴 Stopped | Manual | | Windows 11 (≥ 22H2) | 🔴 Stopped | Manual | recommend: standard call: function: DisableService parameters: serviceName: wisvc # Check: (Get-Service -Name wisvc).StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable Microsoft feature trials docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::EnableExperimentation recommend: standard call: - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds valueName: EnableExperimentation dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds valueName: EnableConfigFlighting dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: RunInlineCode parameters: code: reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t "REG_DWORD" /d 0 / # Default value is `1` since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) revertCode: reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t "REG_DWORD" /d 1 /f - name: Disable receipt of Windows preview builds docs: 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AllowBuildPreview::AllowBuildPreview recommend: standard call: function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds valueName: AllowBuildPreview dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Remove "Windows Insider Program" from Settings docs: https://winaero.com/how-to-hide-the-windows-insider-program-page-from-the-settings-app-in-windows-10/ call: function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility valueName: HideInsiderPage dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable cloud sync docs: https://web.archive.org/web/20240314101013/https://support.microsoft.com/en-us/windows/about-windows-backup-and-sync-settings-deebcba2-5bc0-4e63-279a-329926955708 children: - name: Disable all settings synchronization recommend: standard # This script is a master switch that disables all other types of setting synchronizations in this category. 
call: - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync valueName: DisableSettingSync dataType: REG_DWORD data: "2" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync valueName: DisableSettingSyncUserOverride dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync valueName: DisableSyncOnPaidNetwork dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync valueName: SyncPolicy dataType: REG_DWORD data: "5" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable "Application" setting synchronization recommend: standard call: - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync valueName: DisableApplicationSettingSync dataType: REG_DWORD data: "2" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync valueName: DisableApplicationSettingSyncUserOverride dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable "App Sync" setting synchronization recommend: standard call: - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync valueName: DisableAppSyncSettingSync dataType: REG_DWORD data: "2" deleteOnRevert: 'true' # Missing 
by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync valueName: DisableAppSyncSettingSyncUserOverride dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable "Credentials" setting synchronization recommend: standard call: - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync valueName: DisableCredentialsSettingSync dataType: REG_DWORD data: "2" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync valueName: DisableCredentialsSettingSyncUserOverride dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials valueName: Enabled dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable "Desktop Theme" setting synchronization recommend: standard call: - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync valueName: DisableDesktopThemeSettingSync dataType: REG_DWORD data: "2" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync valueName: DisableDesktopThemeSettingSyncUserOverride dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable "Personalization" setting synchronization recommend: 
            standard
            call:
              - function: SetRegistryValue
                parameters:
                  keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync
                  valueName: DisablePersonalizationSettingSync
                  dataType: REG_DWORD
                  data: "2"
                  deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
              - function: SetRegistryValue
                parameters:
                  keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync
                  valueName: DisablePersonalizationSettingSyncUserOverride
                  dataType: REG_DWORD
                  data: "1"
                  deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
          - name: Disable "Start Layout" setting synchronization
            recommend: standard
            call:
              - function: SetRegistryValue
                parameters:
                  keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync
                  valueName: DisableStartLayoutSettingSync
                  dataType: REG_DWORD
                  data: "2"
                  deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
              - function: SetRegistryValue
                parameters:
                  keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync
                  valueName: DisableStartLayoutSettingSyncUserOverride
                  dataType: REG_DWORD
                  data: "1"
                  deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2); without this the revert would leave the user-override lock in place
          - name: Disable "Web Browser" setting synchronization
            recommend: standard
            call:
              - function: SetRegistryValue
                parameters:
                  keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync
                  valueName: DisableWebBrowserSettingSync
                  dataType: REG_DWORD
                  data: "2"
                  deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
              - function: SetRegistryValue
                parameters:
                  keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync
                  valueName: DisableWebBrowserSettingSyncUserOverride
                  dataType: REG_DWORD
                  data: "1"
                  deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2); without this the revert would leave the user-override lock in place
          - name: Disable "Windows" setting synchronization
            recommend: standard
            call:
              - function: SetRegistryValue
                parameters:
                  keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync
                  valueName: DisableWindowsSettingSync
                  dataType: REG_DWORD
                  data: "2"
                  deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and
Windows 11 Pro (≥ 23H2)
              - function: SetRegistryValue
                parameters:
                  keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync
                  valueName: DisableWindowsSettingSyncUserOverride
                  dataType: REG_DWORD
                  data: "1"
                  deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
          - name: Disable "Language" setting synchronization
            recommend: standard
            docs:
              - https://winaero.com/turn-on-off-sync-settings-windows-10/
              - https://www.thewindowsclub.com/how-to-configure-windows-10-sync-settings-using-registry-editor
              - https://tuxicoman.jesuislibre.net/blog/wp-content/uploads/Windows10_Telemetrie_1709.pdf # From a guide on confidentiality and privacy with Windows 10 distributed to the French police; previous version of the guide: https://www.pmenier.net/dotclear/docext/win10/.Windows10-Presentation.pdf
            call:
              function: SetRegistryValue
              parameters:
                keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language
                valueName: Enabled
                dataType: REG_DWORD
                data: "0" # 0 disables synchronization of this group (1 enables it), matching the Credentials group above
                deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
  - category: Configure programs
    children:
      - category: Disable Visual Studio data collection
        docs: |-
          These scripts disable future local and cloud data collection by Visual Studio about you and your behavior.
          They do not clean existing data already collected about you locally or on cloud servers.
        children:
          - name: Disable participation in Visual Studio Customer Experience Improvement Program (VSCEIP)
            recommend: standard
            docs: |-
              `VSCEIP` collects information about errors, computer hardware, and how people use Visual Studio [1].
              The information is sent to Microsoft servers for further analysis.
              This was previously known as the Customer Experience Improvement Program (`PerfWatson`) for Visual Studio, which primarily collected your personal usage and related performance data [2].
              For more information about the data collected, processed, or transmitted by the `VSCEIP`, see the [Microsoft Privacy Statement](https://web.archive.org/web/20231006103250/https://privacy.microsoft.com/en-US/privacystatement).

              Visual Studio uses different keys depending on the CPU architecture of the host operating system (32-bit or 64-bit) [1]:

              - 32-bit: `HKLM\SOFTWARE\Microsoft\VSCommon`
              - 64-bit: `HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon`

              The `OptIn` value under each `<version>\SQM` subkey can have two different values [1]:

              - `0` is opted out (turned off)
              - `1` is opted in (turned on)

              The default installation sets the value to `1` (opted in by default) since Visual Studio 2022.

              [1]: https://web.archive.org/web/20240314092010/https://learn.microsoft.com/en-us/visualstudio/ide/visual-studio-experience-improvement-program?view=vs-2022 "Customer Experience Improvement Program - Visual Studio (Windows) | Microsoft Learn | learn.microsoft.com"
              [2]: https://devblogs.microsoft.com/visualstudio/how-we-use-your-perfwatson-data-to-identify-unresponsive-areas/ "How we use your PerfWatson data to identify Unresponsive areas | Visual Studio Blog"
            call:
              - # Using OS keys
                function: RunInlineCode
                parameters:
                  code: |-
                    if "%PROCESSOR_ARCHITECTURE%"=="x86" (
                        REM 32-bit process. A 32-bit cmd.exe on 64-bit Windows also reports x86, but its
                        REM HKLM\SOFTWARE writes are redirected to Wow6432Node, so the same keys are reached either way.
                        reg add "HKLM\SOFTWARE\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f
                        reg add "HKLM\SOFTWARE\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f
                        reg add "HKLM\SOFTWARE\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f
                        reg add "HKLM\SOFTWARE\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f
                    ) else (
                        reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f
                        reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f
                        reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f
                        reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f
                    )
                  revertCode: |-
                    if "%PROCESSOR_ARCHITECTURE%"=="x86" (
                        REM 32-bit process, see the comment in the forward script
                        reg add "HKLM\SOFTWARE\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f
                        reg add "HKLM\SOFTWARE\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f
                        reg add "HKLM\SOFTWARE\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f
                        reg add "HKLM\SOFTWARE\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f
                    ) else (
                        reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f
                        reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f
                        reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f
                        reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f
                    )
              - function: SetRegistryValue
                parameters:
                  keyPath: HKLM\Software\Policies\Microsoft\VisualStudio\SQM
                  valueName: OptIn
                  dataType: REG_DWORD
                  data: "0"
                  deleteOnRevert: 'true' # This key is not set by the default installation since Visual Studio 2022
          - name: Disable Visual Studio telemetry
            docs: |-
              This key was first seen to be used in Visual Studio 15 (2017) [1] [2].
              By default (after a clean installation) the registry key set by this script does not exist since Visual Studio 2022.

              [1]: https://developercommunity.visualstudio.com/t/bad-crashes-when-visualstudiotelemetryturnoffswitc/208693 "Bad crashes when VisualStudio\Telemetry\TurnOffSwitch is set to 0 | Visual Studio Feedback"
              [2]: https://web.archive.org/web/20231206212728/https://social.msdn.microsoft.com/Forums/vstudio/en-US/7796f0c5-ec9a-4fc8-9f62-584a663f9016/vs2015-pro-upd-3-quotthe-application-cannot-startquot-exception-in-obtainoptinstatus?forum=vssetup 'VS2015 (pro + upd 3): "The application cannot start" exception in ObtainOptInStatus (forum post showing logs for the TurnOffSwitch key) | MSDN Forums'
            recommend: standard
            call:
              function: SetRegistryValue
              parameters:
                keyPath: HKCU\Software\Microsoft\VisualStudio\Telemetry
                valueName: TurnOffSwitch
                dataType: REG_DWORD
                data: "1"
                deleteOnRevert: 'true' # This key is not set by the default installation since Visual Studio 2022
          - name: Disable Visual Studio feedback
            recommend: standard
            docs: |-
              The feedback tool in Visual Studio allows users to report a problem from either Visual Studio or its installer.
              It collects rich diagnostic information along with personally identifiable information [1].
              This includes large log files, crash information, screenshots, repro recordings, and other artifacts [1].

              This script disables the feedback dialog and the screenshot capture and e-mail input that the user is prompted to send as part of the feedback.

              By default (after a clean installation) these registry values are not configured since Visual Studio 2022.
              Leaving them unset means that feedback is enabled.
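              The values written by the VSCEIP, telemetry and feedback entries above can be verified after the script has run. The following PowerShell is an added example for this documentation, not code from privacy.sexy or from Visual Studio. It opens the 32-bit and 64-bit registry views explicitly, so it reports the same keys whether it runs from a 32-bit or a 64-bit host (the batch script branches on `%PROCESSOR_ARCHITECTURE%` for the same reason), and it reports a missing value as "not configured" (the state on a clean Visual Studio 2022 installation) rather than as a failure. The version list and the target values are taken from the entries above; nothing else is assumed.

              ```powershell
              # Added example (not part of privacy.sexy or Visual Studio): audit the opt-out
              # values written by the VSCEIP, telemetry and feedback entries above.

              function Read-RegistryDword {
                  # Reads one value from an explicit registry view (Registry32 on a 64-bit OS is
                  # the Wow6432Node branch), so the result does not depend on the host bitness.
                  param(
                      [Microsoft.Win32.RegistryHive] $Hive,
                      [Microsoft.Win32.RegistryView] $View,
                      [string] $SubKey,
                      [string] $Name
                  )
                  $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($Hive, $View)
                  try {
                      $key = $base.OpenSubKey($SubKey)
                      if ($null -eq $key) { return $null }          # key absent: not configured
                      try { return $key.GetValue($Name, $null) } finally { $key.Dispose() }
                  } finally {
                      $base.Dispose()
                  }
              }

              function Get-VsPrivacyState {
                  param(
                      # VSCommon folders used by the entries above: 14.0 = VS 2015 ... 17.0 = VS 2022.
                      [string[]] $Versions = @('14.0', '15.0', '16.0', '17.0')
                  )
                  $hklm = [Microsoft.Win32.RegistryHive]::LocalMachine
                  $hkcu = [Microsoft.Win32.RegistryHive]::CurrentUser
                  $v64  = [Microsoft.Win32.RegistryView]::Registry64
                  $v32  = [Microsoft.Win32.RegistryView]::Registry32

                  # (hive, view, subkey, value name, value the script sets)
                  $checks = @()
                  foreach ($version in $Versions) {
                      $checks += ,@($hklm, $v64, "SOFTWARE\Microsoft\VSCommon\$version\SQM", 'OptIn', 0)
                      $checks += ,@($hklm, $v32, "SOFTWARE\Microsoft\VSCommon\$version\SQM", 'OptIn', 0)
                  }
                  $checks += ,@($hklm, $v64, 'SOFTWARE\Policies\Microsoft\VisualStudio\SQM', 'OptIn', 0)
                  $checks += ,@($hkcu, $v64, 'Software\Microsoft\VisualStudio\Telemetry', 'TurnOffSwitch', 1)
                  foreach ($valueName in 'DisableFeedbackDialog', 'DisableEmailInput', 'DisableScreenshotCapture') {
                      $checks += ,@($hklm, $v64, 'SOFTWARE\Policies\Microsoft\VisualStudio\Feedback', $valueName, 1)
                  }

                  foreach ($check in $checks) {
                      $hive, $view, $subKey, $name, $target = $check
                      $actual = Read-RegistryDword -Hive $hive -View $view -SubKey $subKey -Name $name
                      if ($null -eq $actual) { $status = 'not configured' } elseif ([int] $actual -eq $target) { $status = 'ok' } else { $status = 'MISMATCH' }
                      [pscustomobject]@{
                          Hive   = $hive
                          View   = $view
                          Key    = $subKey
                          Value  = $name
                          Actual = $actual
                          Target = $target
                          Status = $status
                      }
                  }
              }

              # Usage:
              #   Get-VsPrivacyState | Format-Table -AutoSize
              # As a compliance check (non-zero exit when a configured value differs from the target):
              #   if (Get-VsPrivacyState | Where-Object Status -eq 'MISMATCH') { exit 1 }
              ```

              "not configured" is expected on a machine where the script never ran; a `MISMATCH` after the script ran on a 32-bit view is the symptom of a 32-bit host that wrote under the redirected path while a 64-bit tool is reading the native one, or vice versa.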
[1]: https://web.archive.org/web/20240314101616/https://learn.microsoft.com/en-us/visualstudio/ide/how-to-report-a-problem-with-visual-studio?view=vs-2022 "Report a problem with Visual Studio - Visual Studio (Windows) | Microsoft Learn | learn.microsoft.com" call: - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback valueName: DisableFeedbackDialog dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # This key is not set by the default installation since Visual Studio 2022 - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback valueName: DisableEmailInput dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # This key is not set by the default installation since Visual Studio 2022 - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback valueName: DisableScreenshotCapture dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # This key is not set by the default installation since Visual Studio 2022 - name: Disable "Visual Studio Standard Collector Service" recommend: standard docs: |- Visual Studio Standard Collector Service is a service that is part of [Microsoft Visual Studio and .NET Log Collection Tool](https://web.archive.org/web/20231207105404/https://www.microsoft.com/en-us/download/details.aspx?id=12493) [1]. This service collects logs for Diagnostics Hub just like Diagnostic Hub Standard Collector [2]. It has been known to be vulnerable to privilege elevation [3] [4]. Disabling this service is recommended because otherwise it would: - Increase the attack surface of your computer, making it open to potential future vulnerabilities. - Use computer resources in favor of collecting more data about you and your behavior. 
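              The `DisableService` call below reverts to a fixed `defaultStartupMode`. The following PowerShell is an added example for this documentation, not code from privacy.sexy or Visual Studio: it records the service's actual start type in a JSON snapshot before stopping and disabling it, so a later revert restores what was really configured, and it treats an absent service (the default on Windows 11, per the table below) as nothing to do rather than as an error. The snapshot path under `%ProgramData%` is an assumption; any writable location works.

              ```powershell
              # Added example (not part of privacy.sexy): disable a service with a recorded
              # snapshot of its previous start type, and restore it from that snapshot.

              function Disable-ServiceWithSnapshot {
                  [CmdletBinding(SupportsShouldProcess)]
                  param(
                      [Parameter(Mandatory)] [string] $Name,
                      # Assumed snapshot location; one JSON object, service name -> previous start type.
                      [string] $SnapshotPath = (Join-Path $env:ProgramData 'service-snapshots.json')
                  )
                  $service = Get-Service -Name $Name -ErrorAction SilentlyContinue
                  if (-not $service) {
                      Write-Verbose "Service '$Name' is not installed; nothing to do."
                      return $null
                  }

                  $snapshot = @{}
                  if (Test-Path $SnapshotPath) {
                      (Get-Content $SnapshotPath -Raw | ConvertFrom-Json).PSObject.Properties |
                          ForEach-Object { $snapshot[$_.Name] = $_.Value }
                  }
                  if (-not $snapshot.ContainsKey($Name)) {
                      # Only the first run records the true pre-change state. Note that StartType
                      # reports "Automatic" for delayed-start services too; that nuance is lost here.
                      $snapshot[$Name] = [string] $service.StartType
                      $snapshot | ConvertTo-Json | Set-Content -Path $SnapshotPath
                  }

                  if ($PSCmdlet.ShouldProcess($Name, 'Stop and disable service')) {
                      if ($service.Status -ne 'Stopped') { Stop-Service -Name $Name -Force }
                      Set-Service -Name $Name -StartupType Disabled
                  }
                  Get-Service -Name $Name | Select-Object Name, Status, StartType
              }

              function Restore-ServiceFromSnapshot {
                  param(
                      [Parameter(Mandatory)] [string] $Name,
                      [string] $SnapshotPath = (Join-Path $env:ProgramData 'service-snapshots.json')
                  )
                  if (-not (Test-Path $SnapshotPath)) { throw "No snapshot file at '$SnapshotPath'." }
                  $snapshot = Get-Content $SnapshotPath -Raw | ConvertFrom-Json
                  $previous = $snapshot.$Name
                  if (-not $previous) { throw "No recorded start type for '$Name'." }
                  Set-Service -Name $Name -StartupType $previous
                  Get-Service -Name $Name | Select-Object Name, Status, StartType
              }

              # Usage (from an elevated session):
              #   Disable-ServiceWithSnapshot -Name VSStandardCollectorService150 -Verbose
              #   Restore-ServiceFromSnapshot  -Name VSStandardCollectorService150
              # Preview without changing anything:
              #   Disable-ServiceWithSnapshot -Name VSStandardCollectorService150 -WhatIf
              ```

              Stopping before disabling matters here: `Set-Service -StartupType Disabled` alone leaves a running instance alive until the next reboot, so the collector could keep writing logs until then.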
### Overview of default service statuses `VSStandardCollectorService150` (tested on Microsoft Visual Studio Community 2022): | OS Version | Status | Start type | | ---------- | -------| ---------- | | Windows 11 (≥ 21H2) | 🟡 Missing | N/A | [1]: https://web.archive.org/web/20240314123619/https://learn.microsoft.com/en-us/answers/questions/891356/i-cant-start-vsstandardcollectorservice150#answer-929168 "I can't start VSStandardCollectorService150 | Microsoft Q&A | learn.microsoft.com" [2]: https://web.archive.org/web/20240413105955/https://www.atredis.com/blog/cve-2018-0952-privilege-escalation-vulnerability-in-windows-standard-collector-service "CVE-2018-0952: Privilege Escalation Vulnerability in Windows Standard Collector Service | Atredis Partners" [3]: https://web.archive.org/web/20240413105849/https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-0952 "Diagnostic Hub Standard Collector Elevation of Privilege Vulnerability" [4]: https://web.archive.org/web/20240413105849/https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-0952 "CVE-2024-20656 - Local Privilege Escalation in the VSStandardCollectorService150 Service - MDSec | www.mdsec.co.uk" call: function: DisableService parameters: serviceName: VSStandardCollectorService150 # (Get-Service -Name VSStandardCollectorService150).StartType defaultStartupMode: Manual # Manual since Visual Studio 2022, allowed values: Automatic | Manual - name: Disable Diagnostics Hub log collection docs: |- Diagnostics Hub is online data collection point for diagnostic tools used by Visual Studio. It can be disabled by deleting `LogLevel` and `LogDirectory` registry keys [1] and enabled by adding them [2] [3] [4] [5]. The registry keys are not set after installation since Visual Studio 2022. 
              [1]: https://developercommunity.visualstudio.com/t/cant-disable-diagnostics-hub-in-visual-stuido/1449322#T-N1449680 "Can't disable Diagnostics hub in visual stuido | Visual Studio Feedback"
              [2]: https://developercommunity.visualstudio.com/t/diagnostic-tool-no-registered-class/1099781#T-N1106849 "diagnostic tool No registered class | Visual Studio Feedback"
              [3]: https://web.archive.org/web/20240314093647/https://stackoverflow.com/questions/39308334/visual-studio-2015-diagnostic-tools-no-longer-working/39380284#39380284 "c# - Visual Studio 2015 diagnostic tools no longer working | Stack Overflow"
              [4]: https://developercommunity.visualstudio.com/t/collectionstartfailedhubexception-on-profiler-laun/414212#T-N447791 "CollectionStartFailedHubException on profiler launch | Visual Studio Feedback"
              [5]: https://developercommunity.visualstudio.com/t/diagnostics-tools-failed-unexpectedly-unable-to-st/437117#T-N447777 "Diagnostics tools failed unexpectedly--unable to start standard collector | Visual Studio Feedback"
            code: |-
              reg delete "HKLM\Software\Microsoft\VisualStudio\DiagnosticsHub" /v "LogLevel" /f 2>nul
            revertCode: |-
              :: Re-enable logging only when a Visual Studio 2017 (15.x) instance is present. vswhere prints one
              :: product version per line; the output must reach findstr through the pipe rather than being sent
              :: to NUL first, and "15." is matched literally at the start of a line so "." is not a wildcard.
              "%ProgramFiles(x86)%\Microsoft Visual Studio\Installer\vswhere.exe" -property catalog_productDisplayVersion 2>nul | findstr /b /l "15." >nul && (
                  reg add "HKLM\Software\Microsoft\VisualStudio\DiagnosticsHub" /v "LogLevel" /t REG_SZ /d "All" /f
              )
          - name: Disable participation in IntelliCode data collection
            recommend: standard
            docs: |-
              This script prevents IntelliCode in Visual Studio from collecting data.
              IntelliCode uses AI to suggest code improvements by analyzing usage and error reports [1].
              In scenarios like team model training, user code is shared with Microsoft [2] [3] [4].
              Opting out does not affect IntelliCode's local suggestion capabilities [3] [4].
              By relying on local data models [3] [4], this script improves privacy by reducing the amount of data shared with Microsoft.
The script works by modifying registry keys to disable the feature that sends data to Microsoft for remote analysis [3]. By default, Visual Studio 2022 and newer versions do not contain these registry keys. The backend servers for IntelliCode model training are discontinued, making the data collection feature outdated [5]. Thus, this script provides peace of mind for users of older Visual Studio 2022 versions, even though the feature is outdated. [1]: https://web.archive.org/web/20231112024816/https://learn.microsoft.com/en-us/visualstudio/ide/intellicode-visual-studio?view=vs-2022 "IntelliCode for Visual Studio | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20231112024456/https://learn.microsoft.com/en-us/visualstudio/ide/intellicode-privacy?view=vs-2022 "IntelliCode privacy - Visual Studio IntelliCode | Microsoft Learn | docs.microsoft.com" [3]: https://web.archive.org/web/20231112024639/https://raw.githubusercontent.com/MicrosoftDocs/intellicode/50ea60c91a7175e749ed5e094403568a583a292e/docs/intellicode-privacy.md "intellicode/docs/intellicode-privacy.md at 50ea60c91a7175e749ed5e094403568a583a292e · MicrosoftDocs/intellicode | github.com" [4]: https://web.archive.org/web/20231122105835/https://raw.githubusercontent.com/microsoft/vscode-docs/main/docs/csharp/intellicode.md "vscode-docs/docs/csharp/intellicode.md at main · microsoft/vscode-docs | github.com" [5]: https://web.archive.org/web/20240409110051/https://github.com/MicrosoftDocs/intellicode/issues/510#issuecomment-1982513204 "Is `DisableRemoteAnalysis` no longer supported? 
              · Issue #510 · MicrosoftDocs/intellicode · GitHub | github.com"
            call:
              - function: SetRegistryValue
                parameters:
                  keyPath: HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\IntelliCode # Global policy
                  valueName: DisableRemoteAnalysis
                  dataType: REG_DWORD
                  data: "1"
                  deleteOnRevert: 'true' # This key is not set by the default installation since Visual Studio 2022
              - function: SetRegistryValue
                parameters:
                  keyPath: HKCU\SOFTWARE\Microsoft\VSCommon\16.0\IntelliCode # Local policy
                  valueName: DisableRemoteAnalysis
                  dataType: REG_DWORD
                  data: "1"
                  deleteOnRevert: 'true' # This key is not set by the default installation since Visual Studio 2022
              - function: SetRegistryValue
                parameters:
                  keyPath: HKCU\SOFTWARE\Microsoft\VSCommon\17.0\IntelliCode # Local policy
                  valueName: DisableRemoteAnalysis
                  dataType: REG_DWORD
                  data: "1"
                  deleteOnRevert: 'true' # This key is not set by the default installation since Visual Studio 2022
          - name: Disable .NET Core CLI telemetry
            recommend: standard
            # setx persists the variable in the current user's environment; shells that are already open do not see it until restarted.
            code: setx DOTNET_CLI_TELEMETRY_OPTOUT 1
            revertCode: setx DOTNET_CLI_TELEMETRY_OPTOUT 0
          - name: Disable PowerShell telemetry
            recommend: standard
            docs: https://web.archive.org/web/20221011165907/https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_telemetry?view=powershell-7.2
            code: setx POWERSHELL_TELEMETRY_OPTOUT 1
            revertCode: setx POWERSHELL_TELEMETRY_OPTOUT 0
      - category: Disable Nvidia telemetry
        docs:
          - https://github.com/privacysexy-forks/nVidia-modded-Inf
          - https://github.com/privacysexy-forks/Disable-Nvidia-Telemetry
          - https://web.archive.org/web/20231206190157/https://forum.palemoon.org/viewtopic.php?f=4&t=15686&sid=3d7982d3b9e89c713547f1a581ea44a2&start=20
        children:
          - name: Remove Nvidia telemetry packages
            recommend: standard
            code: |-
              if exist "%ProgramFiles%\NVIDIA Corporation\Installer2\InstallerCore\NVI2.DLL" (
                  rundll32 "%PROGRAMFILES%\NVIDIA Corporation\Installer2\InstallerCore\NVI2.DLL",UninstallPackage NvTelemetryContainer
                  rundll32 "%PROGRAMFILES%\NVIDIA
Corporation\Installer2\InstallerCore\NVI2.DLL",UninstallPackage NvTelemetry ) - name: Remove Nvidia telemetry components recommend: standard call: - function: SoftDeleteFiles parameters: fileGlob: '%PROGRAMFILES(X86)%\NVIDIA Corporation\NvTelemetry\*' recurse: 'true' - function: SoftDeleteFiles parameters: fileGlob: '%PROGRAMFILES%\NVIDIA Corporation\NvTelemetry\*' recurse: 'true' - name: Disable Nvidia telemetry drivers recommend: standard call: function: SoftDeleteFiles parameters: fileGlob: '%SYSTEMROOT%\System32\DriverStore\FileRepository\NvTelemetry*.dll' recurse: 'true' - name: Disable participation in Nvidia telemetry recommend: standard call: - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\NVIDIA Corporation\NvControlPanel2\Client valueName: OptInOrOutPreference dataType: REG_DWORD data: "0" deleteOnRevert: 'true' - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS valueName: EnableRID44231 dataType: REG_DWORD data: "0" deleteOnRevert: 'true' - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS valueName: EnableRID64640 dataType: REG_DWORD data: "0" deleteOnRevert: 'true' - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS valueName: EnableRID66610 dataType: REG_DWORD data: "0" deleteOnRevert: 'true' - function: SetRegistryValue parameters: keyPath: HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\Startup valueName: SendTelemetryData dataType: REG_DWORD data: "0" deleteOnRevert: 'true' - name: Disable "Nvidia Telemetry Container" service docs: |- [Disable Nvidia Telemetry tracking on Windows - gHacks Tech News](https://web.archive.org/web/20231019222346/https://www.ghacks.net/2016/11/07/nvidia-telemetry-tracking/) ### Overview of default service statuses `NvTelemetryContainer` (tested on driver version 497.09 on Windows 11 23H2): | OS Version | Status | Start type | | ---------- | -------| ---------- | | Windows 
11 (≥ 21H2) | 🟡 Missing | N/A | call: function: DisableService parameters: serviceName: NvTelemetryContainer # (Get-Service -Name NvTelemetryContainer).StartType # Display name: "NVIDIA Telemetry Container" # Description: "Container service for NVIDIA Telemetry" defaultStartupMode: Automatic - category: Disable Nvidia telemetry scheduled tasks docs: |- This category contains scripts that disable Nvidia telemetry tasks. Telemetry tasks are programmed to transmit data, which may encompass system performance details or error reports [1] [2]. By disabling these tasks, you can improve your privacy by ensuring your system's data remains confidential and is not shared with external sources. [1]: https://web.archive.org/web/20231019222235/https://www.file.net/process/nvtmrep.exe.html "NvTmRep.exe Windows process - What is it? | file.net" [2]: https://web.archive.org/web/20231019222243/https://www.file.net/process/nvtmmon.exe.html "NvTmMon.exe Windows process - What is it? | file.net" children: - name: Disable "NVIDIA Telemetry Report" task recommend: standard docs: |- This script disables the "NVIDIA Telemetry Report" scheduled task, which is related to the `NvTmRep` process. This process is called "NVIDIA crash and telemetry reporter" [1]. Disabling it stops the `C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvTmRep.exe` [2] program from executing and reporting data [1]. ### Overview of default task statuses `\NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}`: | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟡 N/A (missing) | | Windows 11 22H2 | 🟡 N/A (missing) | [1]: https://web.archive.org/web/20231019222235/https://www.file.net/process/nvtmrep.exe.html "NvTmRep.exe Windows process - What is it? 
| file.net" [2]: https://web.archive.org/web/20231019222346/https://www.ghacks.net/2016/11/07/nvidia-telemetry-tracking/ "Disable Nvidia Telemetry tracking on Windows - gHacks Tech News" call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\' -TaskName 'NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}' taskPathPattern: \ taskNamePattern: NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} - name: Disable "NVIDIA Telemetry Report on Logon" task recommend: standard docs: |- This script disables the "NVIDIA Telemetry Report on Logon" scheduled task, associated with the `NvTmRep` process. This process is also known as "NVIDIA crash and telemetry reporter" [1]. When enabled, this task executes the `C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvTmRep.exe --logon` [2] program during user logon, sending telemetry data [1]. ### Overview of default task statuses `\NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}`: | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟡 N/A (missing) | | Windows 11 22H2 | 🟡 N/A (missing) | [1]: https://web.archive.org/web/20231019222235/https://www.file.net/process/nvtmrep.exe.html "NvTmRep.exe Windows process - What is it? | file.net" [2]: https://web.archive.org/web/20231019222346/https://www.ghacks.net/2016/11/07/nvidia-telemetry-tracking/ "Disable Nvidia Telemetry tracking on Windows - gHacks Tech News" call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\' -TaskName 'NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}' taskPathPattern: \ taskNamePattern: NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} - name: Disable "NVIDIA telemetry monitor" task docs: |- This script disables the "NVIDIA telemetry monitor" scheduled task related to the `NvTmMon` process. The telemetry monitor collects and sends data to NVIDIA [1]. 
              Turning off this task prevents `C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvTmMon.exe` [2] from running and transmitting data [1].

              ### Overview of default task statuses

              `\NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}`:

              | OS Version       | Default status   |
              | ---------------- | ---------------- |
              | Windows 10 22H2  | 🟡 N/A (missing) |
              | Windows 11 22H2  | 🟡 N/A (missing) |

              [1]: https://web.archive.org/web/20231019222243/https://www.file.net/process/nvtmmon.exe.html "NvTmMon.exe Windows process - What is it? | file.net"
              [2]: https://web.archive.org/web/20231019222346/https://www.ghacks.net/2016/11/07/nvidia-telemetry-tracking/ "Disable Nvidia Telemetry tracking on Windows - gHacks Tech News"
            call:
              function: DisableScheduledTask
              parameters:
                # Check: Get-ScheduledTask -TaskPath '\' -TaskName 'NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}'
                taskPathPattern: \
                taskNamePattern: NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
      - category: Disable Visual Studio Code data collection
        docs: |-
          - [Visual Studio Code July 2018 | code.visualstudio.com](https://web.archive.org/web/20221029170840/https://code.visualstudio.com/updates/v1_26#_offline-mode)
          - [Visual Studio Code User and Workspace Settings | code.visualstudio.com](https://web.archive.org/web/20231206190826/https://code.visualstudio.com/docs/getstarted/settings)
        children:
          - name: Disable Visual Studio Code telemetry
            docs: https://web.archive.org/web/20221029171138/https://code.visualstudio.com/docs/getstarted/telemetry
            recommend: standard
            call:
              function: SetVsCodeSetting
              parameters:
                setting: telemetry.enableTelemetry # Deprecated in newer VS Code releases in favor of `telemetry.telemetryLevel` ("off"); still honored when false, but check the newer setting as well
                powerShellValue: $false
          - name: Disable Visual Studio Code crash reporting
            docs: https://web.archive.org/web/20221029171138/https://code.visualstudio.com/docs/getstarted/telemetry
            recommend: standard
            call:
              function: SetVsCodeSetting
              parameters:
                setting: telemetry.enableCrashReporter # Also superseded by `telemetry.telemetryLevel` in newer VS Code releases
                powerShellValue: $false
          - name: Disable online experiments by Microsoft in Visual Studio Code
            docs:
              https://github.com/privacysexy-forks/vscode/blob/1aee0c194cff72d179b9f8ef324e47f34555a07d/src/vs/workbench/contrib/experiments/node/experimentService.ts#L173
            recommend: standard
            call:
              function: SetVsCodeSetting
              parameters:
                setting: workbench.enableExperiments
                powerShellValue: $false
          - name: Disable Visual Studio Code automatic updates in favor of manual updates
            call:
              function: SetVsCodeSetting
              parameters:
                setting: update.mode
                powerShellValue: "'manual'" # The inner single quotes are required so that PowerShell passes the value as a string.
          - name: Disable fetching release notes from Microsoft servers after an update
            call:
              function: SetVsCodeSetting
              parameters:
                setting: update.showReleaseNotes
                powerShellValue: $false
          - name: Disable automatic checking for extension updates against the Microsoft online service
            call:
              function: SetVsCodeSetting
              parameters:
                setting: extensions.autoCheckUpdates
                powerShellValue: $false
          - name: Fetch extension recommendations from Microsoft only on demand
            call:
              function: SetVsCodeSetting
              parameters:
                setting: extensions.showRecommendationsOnlyOnDemand
                powerShellValue: $true
          - name: Disable automatic fetching of remote repositories in Visual Studio Code
            call:
              function: SetVsCodeSetting
              parameters:
                setting: git.autofetch
                powerShellValue: $false
          - name: Disable fetching package information from NPM and Bower in Visual Studio Code
            call:
              function: SetVsCodeSetting
              parameters:
                setting: npm.fetchOnlinePackageInfo
                powerShellValue: $false
      - category: Disable Microsoft Office telemetry
        docs: https://web.archive.org/web/20240314130549/https://learn.microsoft.com/en-us/deployoffice/compat/manage-the-privacy-of-data-monitored-by-telemetry-in-office
        children:
          - name: Disable Microsoft Office logging
            recommend: standard
            code: |-
              reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f
              reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f
              reg add
              "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f
              reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f
              reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f
              reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f
              reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f
              reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f
              reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f
              reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f
            revertCode: |-
              reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 1 /f
              reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 1 /f
              reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 1 /f
              reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 1 /f
              reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 1 /f
              reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 1 /f
              reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableLogging" /t REG_DWORD /d 1 /f
              reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableLogging" /t REG_DWORD /d 1 /f
              reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableUpload" /t REG_DWORD /d 1 /f
              reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d 1 /f
          -
            name: Disable Microsoft Office client telemetry
            recommend: standard
            code: |-
              reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f
              reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f
              reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f
              reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f
            revertCode: |-
              reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 0 /f
              reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 0 /f
              reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 1 /f
              reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 1 /f
          -
            name: Disable Microsoft Office Customer Experience Improvement Program
            docs: https://www.stigviewer.com/stig/microsoft_office_system_2013/2014-12-23/finding/V-17612
            recommend: standard
            code: |-
              reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common" /v "QMEnable" /t REG_DWORD /d 0 /f
              reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common" /v "QMEnable" /t REG_DWORD /d 0 /f
            revertCode: |-
              reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common" /v "QMEnable" /t REG_DWORD /d 1 /f
              reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common" /v "QMEnable" /t REG_DWORD /d 1 /f
          -
            name: Disable Microsoft Office feedback
            recommend: standard
            code: |-
              reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f
              reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f
            revertCode: |-
              reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 1 /f
              reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 1 /f
          -
            name: Disable Microsoft Office telemetry agent
            recommend: standard
            docs: |-
              This script disables the scheduled tasks associated with the Office telemetry agent.

              The Office Telemetry Agent, introduced in Office 2013, collects and uploads a variety of data for monitoring purposes [1].
              This data includes runtime logs, properties of Office documents, and other insights from Office applications [1] [2].
              Notably, it can upload file names, paths, and document titles in their original format [1].
              The data is stored locally (at `%LOCALAPPDATA%\Microsoft\Office\16.0\Telemetry`) before being uploaded to a shared folder [3].
              This poses privacy risks as it may contain personal or confidential information.

              The `OfficeTelemetryAgentLogOn` scheduled task collects data for the Office Telemetry Dashboard [1].
              This task activates upon user login to an Office client and continues to scan and collect data during the session [1].
              The types of data collected encompass file names of recently accessed Office documents [2] [3], names of add-ins and solutions interacting with Office [3], and system information including user and computer names [2].

              Disabling these tasks is recommended for enhancing privacy.
              The script prevents the privacy risks associated with telemetry data collection by disabling the related scheduled tasks.
              It prevents the collection and upload of potentially sensitive information, thereby protecting users from exposure of personal or internal process-related details.

              ### Overview of default task statuses

              `\Microsoft\Office\OfficeTelemetryAgentFallBack` (tested on Office version 2208):

              | OS Version       | Default status   |
              | ---------------- | ---------------- |
              | Windows 10 22H2  | 🟡 N/A (missing) |
              | Windows 11 22H2  | 🟡 N/A (missing) |

              `\Microsoft\Office\OfficeTelemetryAgentFallBack2016` (tested on Office version 2208):

              | OS Version       | Default status   |
              | ---------------- | ---------------- |
              | Windows 10 22H2  | 🟢 Ready         |
              | Windows 11 22H2  | 🟢 Ready         |

              `\Microsoft\Office\OfficeTelemetryAgentLogOn` (tested on Office version 2208):

              | OS Version       | Default status   |
              | ---------------- | ---------------- |
              | Windows 10 22H2  | 🟡 N/A (missing) |
              | Windows 11 22H2  | 🟡 N/A (missing) |

              `\Microsoft\Office\OfficeTelemetryAgentLogOn2016` (tested on Office version 2208):

              | OS Version       | Default status   |
              | ---------------- | ---------------- |
              | Windows 10 22H2  | 🟢 Ready         |
              | Windows 11 22H2  | 🟢 Ready         |

              [1]: https://web.archive.org/web/20231022114220/https://learn.microsoft.com/en-us/deployoffice/compat/deploy-telemetry-dashboard "Deploy Office Telemetry Dashboard - Deploy Office | Microsoft Learn"
              [2]: https://web.archive.org/web/20231022114227/https://learn.microsoft.com/en-us/deployoffice/compat/data-that-the-telemetry-agent-collects-in-office "Data collected by the agent for Office Telemetry Dashboard - Deploy Office | Microsoft Learn"
              [3]: https://web.archive.org/web/20240314130549/https://learn.microsoft.com/en-us/deployoffice/compat/manage-the-privacy-of-data-monitored-by-telemetry-in-office "Manage the privacy of data monitored by Office Telemetry Dashboard - Deploy Office | Microsoft Learn"
            call:
              -
                function: DisableScheduledTask
                parameters:
                  # Check: Get-ScheduledTask -TaskPath '\Microsoft\Office\' -TaskName 'OfficeTelemetryAgentFallBack'
                  taskPathPattern: \Microsoft\Office\
                  taskNamePattern: OfficeTelemetryAgentFallBack
              -
                function: DisableScheduledTask
                parameters:
                  # Check: Get-ScheduledTask -TaskPath '\Microsoft\Office\' -TaskName 'OfficeTelemetryAgentFallBack2016'
                  taskPathPattern: \Microsoft\Office\
                  taskNamePattern: OfficeTelemetryAgentFallBack2016
              -
                function: DisableScheduledTask
                parameters:
                  # Check: Get-ScheduledTask -TaskPath '\Microsoft\Office\' -TaskName 'OfficeTelemetryAgentLogOn'
                  taskPathPattern: \Microsoft\Office\
                  taskNamePattern: OfficeTelemetryAgentLogOn
              -
                function: DisableScheduledTask
                parameters:
                  # Check: Get-ScheduledTask -TaskPath '\Microsoft\Office\' -TaskName 'OfficeTelemetryAgentLogOn2016'
                  taskPathPattern: \Microsoft\Office\
                  taskNamePattern: OfficeTelemetryAgentLogOn2016
          # - (breaks office, see https://answers.microsoft.com/en-us/office/forum/office_2016-officeapps/office-2016-click-to-run-service-is-it-necessary/07f87963-7193-488a-9885-d6339105824b)
          #   name: Disable ClickToRun Service Monitor
          #   docs: https://web.archive.org/web/20180201221907/https://technet.microsoft.com/en-us/library/jj219427.aspx
          #   call:
          #     -
          #       function: DisableScheduledTask
          #       parameters:
          #         # Check: Get-ScheduledTask -TaskPath '\Microsoft\Office\' -TaskName 'Office ClickToRun Service Monitor'
          #         taskPathPattern: \Microsoft\Office\
          #         taskNamePattern: Office ClickToRun Service Monitor
          #     -
          #       function: DisableService
          #       parameters:
          #         serviceName: ClickToRunSvc
          #         # Check: (Get-Service -Name ClickToRunSvc).StartType
          #         defaultStartupMode: Automatic # Allowed values: Automatic | Manual
          -
            name: Disable "Microsoft Office Subscription Heartbeat" task
            docs: |-
              This script disables the "Microsoft Office Subscription Heartbeat" scheduled task.

              The primary function of the Office Subscription Heartbeat task is to periodically check the subscription status of Microsoft Office products [1] [2], verifying their licenses are active and valid [1].
              This task actively communicates with Microsoft servers, transmitting Microsoft account data [3] for license verification.
              Disabling this task improves privacy as it prevents these regular communications and data transmissions, though it may lead to complications regarding license compliance over time.

              The task creates and utilizes cache files located at `%SYSTEMDRIVE%\Program Files\Microsoft Office 15\root\vfs\Common AppData\microsoft\office\Heartbeat` [1] and `%PROGRAMDATA%\Microsoft\Office\Heartbeat\HeartbeatCache` [3] [4], in the `HeartbeatCache.xml` file [1] [4].
              It executes the `OLicenseHeartbeat.exe` process daily [2], also known as "Office Subscription Licensing Heartbeat" [2].

              `\Microsoft\Office\Office 15 Subscription Heartbeat` (tested since Office version 2208):

              | OS Version       | Default Status       |
              | ---------------- | -------------------- |
              | Windows 10 22H2  | 🟡 N/A (missing)     |
              | Windows 11 22H2  | 🟡 N/A (missing)     |

              > **Caution:** Consider that while disabling this task may lead to increased privacy, it could also impact license compliance and the overall functionality of Microsoft Office products in the long run.

              [1]: https://web.archive.org/web/20231024130456/https://learn.microsoft.com/en-us/microsoft-365/troubleshoot/licensing/subscription-automatic-license-renew-fails "Microsoft 365 subscription automatic license renewal fails when heartbeatcache in wrong location - Microsoft 365 | Microsoft Learn | learn.microsoft.com"
              [2]: https://web.archive.org/web/20231024130510/https://www.shouldiblockit.com/olicenseheartbeat.exe-9886.aspx "OLicenseHeartbeat.exe - Should I Block It? (Office Subscription Licensing Heartbeat) | shouldiblockit.com"
              [3]: https://web.archive.org/web/20231024130503/https://support.microsoft.com/en-us/office/-product-key-is-not-valid-error-when-activating-office-4f89be39-26eb-404f-b485-8e2014bd3790#ID0EBBD=Microsoft_365_subscription '"Product key is not valid" error when activating Office - Microsoft Support | support.microsoft.com'
              [4]: https://web.archive.org/web/20231024130510/https://support.microsoft.com/en-us/office/about-the-microsoft-support-and-recovery-assistant-e90bb691-c2a7-4697-a94f-88836856c72f#ID0ED6=Office "About the Microsoft Support and Recovery Assistant - Microsoft Support | support.microsoft.com"
            call:
              function: DisableScheduledTask
              parameters:
                # Check: Get-ScheduledTask -TaskPath '\Microsoft\Office\' -TaskName 'Office 15 Subscription Heartbeat'
                taskPathPattern: \Microsoft\Office\
                taskNamePattern: Office 15 Subscription Heartbeat
                # "Office 16 Subscription Heartbeat":
                # For Office 16, there isn't a separate and verified task named "Office 16 Subscription Heartbeat".
                # Instead, it appears to utilize the "Office 15 Subscription Heartbeat" task,
                # but runs the `OLicenseHeartbeat.exe` process from the Office16 folder.
  -
    category: Configure browsers
    docs: |-
      This category includes scripts that enhance privacy by adjusting browsers to prevent tracking, minimize data leaks, and restrict personalized ads.
      These changes help protect user privacy across different web browsers and optimize system performance by reducing privacy-invasive processing.
    children:
      -
        category: Configure Edge
        docs: |- # Similar to "Configure Chrome"
          This category contains scripts that adjust Microsoft Edge settings to enhance privacy, security, and potentially improve system performance.

          This category is designed for Chromium-based Edge only, not for legacy Edge.
          Edge (Chromium) is the current version of Microsoft Edge, replacing Edge (Legacy) [1] [2].
          It comes pre-installed on all Windows versions starting from Windows 10 20H2 [2].
          Older versions are automatically upgraded to Edge (Chromium) through Windows updates [1].

          Edge collects personal data, including browsing history, favorite sites, usage data, web content, and device information [3].
          This data is used for personal identification, targeted advertising, and product improvement, raising privacy concerns [3].

          The scripts in this category let you configure Microsoft Edge to disable data collection and limit these practices, enhancing your online privacy, security, and system performance.

          [1]: https://web.archive.org/web/20240517223534/https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-microsoft-edge-to-replace-microsoft-edge-legacy-with-april-s/ba-p/2114224 "New Microsoft Edge to replace Microsoft Edge Legacy with April’s Windows 10 Update Tuesday release - Microsoft Community Hub | techcommunity.microsoft.com"
          [2]: https://web.archive.org/web/20240517225921/https://blogs.windows.com/windowsexperience/2020/06/16/whats-next-for-windows-10-updates/ "What’s next for Windows 10 updates | Windows Experience Blog | blogs.windows.com"
          [3]: https://web.archive.org/web/20240623170024/https://support.microsoft.com/en-us/microsoft-edge/microsoft-edge-browsing-activity-for-personalized-advertising-and-experiences-37aa831e-6372-238e-f33f-7cd3f0e53679 "Microsoft Edge browsing activity for personalized advertising and experiences - Microsoft Support | support.microsoft.com"
        children:
          -
            category: Disable Edge telemetry
            docs: |-
              This category includes scripts that enhance privacy by disabling Microsoft Edge telemetry.
              Telemetry is the automatic collection and sharing of data about you and your usage patterns of software.
              These scripts prevent the automatic transmission of diagnostic and usage data to Microsoft, optimize system performance by reducing background data transmission, and safeguard personal data by limiting third-party sharing.
            children:
              -
                name: Disable Edge diagnostic data sending
                recommend: standard
                docs: |- # refactor-with-variables: • Chromium Policy Caution • "Disabling this telemetry.."
                  This script disables the sending of diagnostic data in Edge.
                  It blocks all diagnostic data related to your browser usage, including websites visited, feature usage, and browser configuration [1] [2].

                  Disabling this telemetry reduces potential privacy risks by preventing data sharing with third parties.
                  This may also improve system performance by reducing processing workload.

                  This script configures the `DiagnosticData` policy [1] [2].
                  Changes will take effect after restarting the browser [1].

                  > **Caution**:
                  > - This will display the message "Your browser is managed by your organization" on the settings page.
                  > - This locks settings and prevents them from being changed on the settings page.

                  [1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#diagnosticdata "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
                  [2]: https://web.archive.org/web/20240624083056/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::DiagnosticData "Send required and optional diagnostic data about browser usage | admx.help"
                call:
                  -
                    function: SetEdgePolicyViaRegistry
                    parameters:
                      valueName: DiagnosticData # Edge ≥ 122
                      dwordData: '0'
                  -
                    function: ShowEdgeRestartSuggestion
              -
                name: Disable outdated Edge metrics data sending
                recommend: standard
                docs: |- # refactor-with-variables: • Chromium Policy Caution • "Disabling this telemetry.."
                  This script stops Edge from reporting metrics data.
                  It stops the reporting of usage and crash-related data [1] [2].
                  This data includes information about how the browser operates and the causes of any failures [1] [2].

                  Disabling this telemetry reduces potential privacy risks by preventing data sharing with third parties.
                  This may also improve system performance by reducing processing workload.

                  This script applies to Edge versions between 77 and 89 [1] [2].
                  It does not affect newer versions of Edge, as this setting is deprecated [1] [2].

                  This script configures the `MetricsReportingEnabled` policy [1] [2].
                  Changes will take effect after restarting the browser [1].

                  > **Caution**:
                  > - This will display the message "Your browser is managed by your organization" on the settings page.
                  > - This locks settings and prevents them from being changed on the settings page.

                  [1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#metricsreportingenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
                  [2]: https://web.archive.org/web/20240624083344/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::MetricsReportingEnabled "Enable usage and crash-related data reporting (deprecated) | admx.help"
                call:
                  -
                    function: SetEdgePolicyViaRegistry
                    parameters:
                      valueName: MetricsReportingEnabled # Edge ≥ 77 and Edge ≤ 89
                      dwordData: '0'
                  -
                    function: ShowEdgeRestartSuggestion
              -
                name: Disable outdated Edge site information sending
                recommend: standard
                docs: |- # refactor-with-variables: • Chromium Policy Caution • "Disabling this telemetry.."
                  This script prevents Edge from sending site-related information.
                  It prevents the browser from sending site information used to improve Microsoft services [1] [2].
                  This may include URLs and page interaction data [1] [2].

                  Disabling this telemetry reduces potential privacy risks by preventing data sharing with third parties.
                  This may also improve system performance by reducing processing workload.

                  This script configures the `SendSiteInfoToImproveServices` policy [1] [2].
                  Changes will take effect after restarting the browser [1].

                  > **Caution**:
                  > - This will display the message "Your browser is managed by your organization" on the settings page.
                  > - This locks settings and prevents them from being changed on the settings page.

                  [1]: https://web.archive.org/web/20240314103512/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#sendsiteinfotoimproveservices "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
                  [2]: https://web.archive.org/web/20240624083104/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::SendSiteInfoToImproveServices "Send site information to improve Microsoft services (deprecated) | admx.help"
                call:
                  -
                    function: SetEdgePolicyViaRegistry
                    parameters:
                      valueName: SendSiteInfoToImproveServices # Edge ≥ 77 and Edge ≤ 89
                      dwordData: '0'
                  -
                    function: ShowEdgeRestartSuggestion
              -
                name: Disable Edge Feedback
                recommend: standard # DISA recommended
                docs: |- # refactor-with-variables: • Chromium Policy Caution
                  This script disables the Edge Feedback feature in Microsoft Edge, enhancing user privacy by preventing feedback and data from being sent to Microsoft.

                  The feature is enabled by default and cannot be disabled through standard browser settings [1] [2].
                  When signed into Microsoft Edge with a work or school account, feedback is linked to the user's account and organization, potentially exposing sensitive information [1].

                  Disabling this feature addresses privacy concerns by ensuring that feedback does not inadvertently share usage data or personal information with external servers.
                  This may also improve system performance by reducing processing workload.

                  Authorities like the Defense Information Systems Agency (DISA) [2] and the Center for Internet Security (CIS) [3] recommend this script for enhanced security.
                  DISA categorizes the absence of this setting as a medium severity security vulnerability [2].

                  Once applied, this script prevents the Edge Feedback feature from being used [1] [2].

                  This script configures the `UserFeedbackAllowed` Edge policy [1] [2].
                  The change takes effect after restarting the browser [1].

                  > **Caution**:
                  > - This will display the message "Your browser is managed by your organization" on the settings page.
                  > - This locks settings and prevents them from being changed on the settings page.

                  [1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#userfeedbackallowed "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
                  [2]: https://web.archive.org/web/20240624221221/https://www.stigviewer.com/stig/microsoft_edge/2021-06-23/finding/V-235769 "User feedback must be disabled. | www.stigviewer.com"
                  [3]: https://web.archive.org/web/20240625064922/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Edge_Benchmark_v1_0_0.pdf "CIS Microsoft Edge Benchmark v1.0.0 | paper.bobylive.com"
                call:
                  -
                    function: SetEdgePolicyViaRegistry
                    parameters:
                      valueName: UserFeedbackAllowed # Edge ≥ 77
                      dwordData: '0'
                  -
                    function: ShowEdgeRestartSuggestion
          -
            category: Disable Edge and WebView2 automatic updates
            docs: |- # refactor-with-variable: Same • Edge Update Caution
              This category encompasses scripts that disable automatic updates for Microsoft Edge and its WebView2 component.
              Disabling updates for Edge and WebView2 prevents automatic download and installation of new versions and patches.

              Both Edge and WebView2 share the same update mechanism [1] [2].
              This mechanism is a way Microsoft collects user data [1].

              WebView2 uses Edge technologies to render web content within applications [3].
              It's widely integrated across various software products.
              This widespread integration exposes users to significant privacy risks associated with web browsing and data collection [4].
              Both Edge and WebView2 collect extensive user data, including browsing and download history [5] [6].
              Disabling updates prevents new tracking features from being introduced, thus significantly enhancing your control over personal data privacy.

              Disabling updates increases privacy by reducing data shared with update servers.
              However, this could leave your system vulnerable to security risks if attackers exploit unpatched vulnerabilities in older versions.
              Disabling updates is beneficial if you do not rely on Edge or WebView2 daily, as it reduces unnecessary data transmission and unwanted system changes.

              > **Caution:** Disabling updates may reduce security if you use Edge and its components (WebView2).

              [1]: https://archive.ph/2024.06.21-133037/https://github.com/undergroundwires/privacy.sexy/issues/309 "[BUG]: Microsoft Edge still alive after removal · Issue #309 · undergroundwires/privacy.sexy"
              [2]: https://web.archive.org/web/20240621150615/https://joji.me/en-us/blog/understanding-the-edge-and-edge-webview2-update-logs/ "Understanding the Edge and Edge WebView2 Update Logs | joji.me"
              [3]: https://web.archive.org/web/20240623112820/https://learn.microsoft.com/en-us/microsoft-edge/webview2/ "Introduction to Microsoft Edge WebView2 - Microsoft Edge Developer documentation | Microsoft Learn | learn.microsoft.com"
              [4]: https://archive.today/2022.12.15-232158/https://learn.microsoft.com/en-us/microsoft-edge/webview2/concepts/distribution%23evergreen-distribution-mode "Distribute your app and the WebView2 Runtime - Microsoft Edge Development | Microsoft Learn | learn.microsoft.com"
              [5]: https://web.archive.org/web/20240623112758/https://learn.microsoft.com/en-us/microsoft-edge/webview2/concepts/data-privacy?tabs=dotnetcsharp "Data and privacy in WebView2 - Microsoft Edge Developer documentation | Microsoft Learn | learn.microsoft.com"
              [6]: https://web.archive.org/web/20240623112809/https://support.microsoft.com/en-us/windows/microsoft-edge-browsing-data-and-privacy-bb8174ba-9d73-dcf2-9b4a-c582b4e640dd "Microsoft Edge, browsing data, and privacy - Microsoft Support | support.microsoft.com"
            children:
              -
                name: Disable Edge automatic update services
                recommend: standard # Safe-to-disable as they're stopped by default
                docs: |- # refactor-with-variable: Same • Edge Update Caution
                  This script disables services responsible for automatically updating Microsoft Edge.
                  It disables the `edgeupdate` [1] [2] [3] and `edgeupdatem` [1] [2] [4] services.
                  These services keep your Microsoft software up to date [1] [3] [4].

                  Disabling these services:

                  - Enhances privacy by stopping automatic data transmission, preventing background data collection.
                  - Improves system performance by reducing background processes.
                  - Allows more control over which updates are installed.

                  Keep in mind:

                  - Security vulnerabilities and issues in Edge won't be fixed if updates are disabled [1] [3] [4].
                  - Manual updates are still possible, as these services are started on demand for manual updates.

                  ### Overview of default service statuses

                  Microsoft Edge Update Service (`edgeupdate`) (tested on version Edge 126.0.2592.68):

                  | OS Version          | Status     | Start type |
                  | ------------------- | ---------- | ---------- |
                  | Windows 10 (≥ 21H1) | 🔴 Stopped | Automatic  |
                  | Windows 11 (≥ 22H2) | 🔴 Stopped | Automatic  |

                  Microsoft Edge Update Service (`edgeupdatem`) (tested on version Edge 126.0.2592.68):

                  | OS Version          | Status     | Start type |
                  | ------------------- | ---------- | ---------- |
                  | Windows 10 (≥ 21H1) | 🔴 Stopped | Manual     |
                  | Windows 11 (≥ 22H2) | 🔴 Stopped | Manual     |

                  > **Caution:** Disabling updates may reduce security if you use Edge and its components (WebView2).

                  [1]: https://web.archive.org/web/20230905120815/https://learn.microsoft.com/en-us/windows/iot/iot-enterprise/optimize/services "Guidance on disabling system services on Windows IoT Enterprise | Microsoft Learn"
                  [2]: https://archive.ph/2024.06.21-133037/https://github.com/undergroundwires/privacy.sexy/issues/309 "[BUG]: Microsoft Edge still alive after removal · Issue #309 · undergroundwires/privacy.sexy"
                  [3]: https://web.archive.org/web/20240621143823/https://revertservice.com/10/edgeupdate/ "Microsoft Edge Update Service (edgeupdate) Defaults in Windows 10 | revertservice.com"
                  [4]: https://web.archive.org/web/20240621143835/https://revertservice.com/10/edgeupdatem/ "Microsoft Edge Update Service (edgeupdatem) Defaults in Windows 10 | revertservice.com"
                call:
                  -
                    function: DisableService
                    parameters:
                      serviceName: edgeupdate
                      # Check: (Get-Service -Name edgeupdate).StartType
                      defaultStartupMode: Automatic # Allowed values: Automatic | Manual
                  -
                    function: DisableService
                    parameters:
                      serviceName: edgeupdatem
                      # Check: (Get-Service -Name edgeupdatem).StartType
                      defaultStartupMode: Manual # Allowed values: Automatic | Manual
              -
                name: Disable Edge automatic update scheduled tasks
                recommend: strict
                docs: |- # refactor-with-variable: Same • Edge Update Caution
                  This script stops Microsoft Edge from updating automatically by disabling specific scheduled tasks.

                  Specifically, it targets two tasks:

                  - `MicrosoftEdgeUpdateTaskMachineCore` [1] [2] [3]
                  - `MicrosoftEdgeUpdateTaskMachineUA` [3]

                  These tasks:

                  - Start Edge at logon [1]
                  - Run updates at least every hour [3]
                  - Update Edge and its WebView2 components [3]

                  Disabling these tasks:

                  - Enhances privacy by preventing automatic data transmission for updates.
                  - Improves system performance by reducing background tasks.
                  - Reduces your attack surface, as these tasks can be targeted by malware [4].

                  However, remember that disabling updates means security vulnerabilities in Edge won't be fixed automatically; manual updates will be necessary.
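The following PowerShell is an added example, not privacy.sexy's own `DisableScheduledTask` implementation: it audits the scheduled tasks named in this script and in the Office telemetry agent script above (the four exact Office task names, and the `{*}` wildcard for the Edge update tasks' random suffix), reports their state the way the default-status tables do, and can disable or re-enable them. The `$TasksToAudit` list, the function names and the check of the local telemetry staging folder are this example's own assumptions.

```powershell
# Added example; not privacy.sexy's DisableScheduledTask function.
# Audits the scheduled tasks named in this section (Office telemetry agent tasks and
# Edge update tasks), reports their state, and can disable or re-enable them.
# Task paths and name patterns are taken from the scripts above; the list itself,
# the function names and the staging-folder check are assumptions of this example.

$TasksToAudit = @(
    @{ Path = '\Microsoft\Office\'; Name = 'OfficeTelemetryAgentFallBack' },
    @{ Path = '\Microsoft\Office\'; Name = 'OfficeTelemetryAgentFallBack2016' },
    @{ Path = '\Microsoft\Office\'; Name = 'OfficeTelemetryAgentLogOn' },
    @{ Path = '\Microsoft\Office\'; Name = 'OfficeTelemetryAgentLogOn2016' },
    @{ Path = '\'; Name = 'MicrosoftEdgeUpdateTaskMachineCore{*}' },   # {*}: per-install random suffix
    @{ Path = '\'; Name = 'MicrosoftEdgeUpdateTaskMachineUA{*}' }
)

function Get-TaskAuditRow {
    param([string]$TaskPath, [string]$TaskNamePattern)
    # -TaskName accepts wildcards, which is how the {*} suffix is matched.
    # A literal name that does not exist raises an error, hence SilentlyContinue.
    $tasks = @(Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskNamePattern -ErrorAction SilentlyContinue)
    if ($tasks.Count -eq 0) {
        return [pscustomobject]@{
            Task    = "$TaskPath$TaskNamePattern"
            State   = 'N/A (missing)'
            Command = ''
        }
    }
    foreach ($task in $tasks) {
        [pscustomobject]@{
            Task    = "$($task.TaskPath)$($task.TaskName)"
            State   = [string]$task.State   # Ready, Running or Disabled
            Command = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        }
    }
}

function Set-TaskAuditState {
    # Disables every task matching the pattern; -Revert re-enables them.
    # Changing task state requires an elevated shell; auditing does not.
    param([string]$TaskPath, [string]$TaskNamePattern, [switch]$Revert)
    Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskNamePattern -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($Revert) { $_ | Enable-ScheduledTask | Out-Null }
            else         { $_ | Disable-ScheduledTask | Out-Null }
        }
}

# 1. Report the current state of every task in the list (what the scripts will change).
$TasksToAudit |
    ForEach-Object { Get-TaskAuditRow -TaskPath $_.Path -TaskNamePattern $_.Name } |
    Format-Table -AutoSize

# 2. Show what the Office agent has already staged locally, in the folder named in the docs above.
$staging = Join-Path $env:LOCALAPPDATA 'Microsoft\Office\16.0\Telemetry'
if (Test-Path -Path $staging) {
    Get-ChildItem -Path $staging -Recurse -File |
        Select-Object FullName, Length, LastWriteTime |
        Format-Table -AutoSize
}

# 3. Apply (or undo with -Revert) once the report looks right; intentionally left commented out.
# $TasksToAudit | ForEach-Object { Set-TaskAuditState -TaskPath $_.Path -TaskNamePattern $_.Name }
# $TasksToAudit | ForEach-Object { Set-TaskAuditState -TaskPath $_.Path -TaskNamePattern $_.Name -Revert }
```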
                  > **Caution:** Disabling updates may lead to decreased security if you rely on Edge and its components (WebView2).

                  ### Overview of default task statuses

                  `\MicrosoftEdgeUpdateTaskMachineCore{RandomString}` (tested since Edge version 126):

                  | OS Version       | Default status |
                  | ---------------- | -------------- |
                  | Windows 10 22H2  | 🟢 Ready       |
                  | Windows 11 22H2  | 🟢 Ready       |

                  `\MicrosoftEdgeUpdateTaskMachineUA{RandomString}` (tested since Edge version 126):

                  | OS Version       | Default status |
                  | ---------------- | -------------- |
                  | Windows 10 22H2  | 🟢 Ready       |
                  | Windows 11 22H2  | 🟢 Ready       |

                  [1]: https://web.archive.org/web/20220112180622/https://techcommunity.microsoft.com/t5/discussions/edge-97-starting-automatically-at-logon/m-p/3057166 "Edge 97 starting automatically at logon - Microsoft Community Hub | techcommunity.microsoft.com"
                  [2]: https://web.archive.org/web/20240621141001/https://www.file.net/process/microsoftedgeupdate.exe.html "MicrosoftEdgeUpdate.exe Windows process - What is it? | www.file.net"
                  [3]: https://web.archive.org/web/20240621150615/https://joji.me/en-us/blog/understanding-the-edge-and-edge-webview2-update-logs/ "Understanding the Edge and Edge WebView2 Update Logs | joji.me"
                  [4]: https://archive.today/2024.06.21-151340/https://vms.drweb.com/virus/?i=25158791 "Trojan.Siggen17.58258 — Dr.Web Malware description library | vms.drweb.com"
                call:
                  -
                    function: DisableScheduledTask
                    parameters:
                      # Check: Get-ScheduledTask -TaskPath '\' -TaskName 'MicrosoftEdgeUpdateTaskMachineCore{*}'
                      taskPathPattern: \
                      taskNamePattern: MicrosoftEdgeUpdateTaskMachineCore{*}
                  -
                    function: DisableScheduledTask
                    parameters:
                      # Check: Get-ScheduledTask -TaskPath '\' -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{*}'
                      taskPathPattern: \
                      taskNamePattern: MicrosoftEdgeUpdateTaskMachineUA{*}
              -
                name: Disable Edge update executable
                recommend: strict
                docs: |- # refactor-with-variable: Same • Edge Update Caution
                  This script disables the Microsoft Edge Update executable to enhance your privacy and control over system updates.

                  `MicrosoftEdgeUpdate.exe` is responsible for updating Microsoft Edge as part of the Microsoft Edge Update system [1] [2] [3].
                  It's also responsible for updating Edge WebView2 [3].

                  Blocking this executable:

                  - Enhances privacy by preventing communication with the update server [4] [5].
                  - Increases security by giving you control over software installations.
                  - Boosts system performance by reducing background processes.
                  - May decrease security if you rely on Edge or WebView2, as missing updates can lead to security vulnerabilities.

                  Executable locations:

                  - `%PROGRAMFILES(x86)%\Microsoft\EdgeUpdate\\MicrosoftEdgeUpdate.exe` [4]
                  - `%PROGRAMFILES(x86)%\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe` [1] [2] [4] [5] [6].

                  > **Caution:** Disabling updates may reduce security if you use Edge and its components (WebView2).

                  [1]: https://web.archive.org/web/20240621140833/https://learn.microsoft.com/en-us/deployedge/deploy-edge-with-windows-10-updates "Deploy Microsoft Edge with Windows 10 updates | Microsoft Learn | learn.microsoft.com"
                  [2]: https://web.archive.org/web/20240621141001/https://www.file.net/process/microsoftedgeupdate.exe.html "MicrosoftEdgeUpdate.exe Windows process - What is it? | www.file.net"
                  [3]: https://web.archive.org/web/20240621150615/https://joji.me/en-us/blog/understanding-the-edge-and-edge-webview2-update-logs/ "Understanding the Edge and Edge WebView2 Update Logs | joji.me"
                  [4]: https://web.archive.org/web/20240621141128/https://support.microsoft.com/en-us/microsoft-edge/troubleshooting-tips-for-installing-and-updating-microsoft-edge-a5eceb94-c2b1-dfab-6569-e79d0250317b "Troubleshooting tips for installing and updating Microsoft Edge - Microsoft Support | support.microsoft.com"
                  [5]: https://archive.ph/2024.06.21-133037/https://github.com/undergroundwires/privacy.sexy/issues/309 "[BUG]: Microsoft Edge still alive after removal · Issue #309 · undergroundwires/privacy.sexy"
                  [6]: https://web.archive.org/web/20240621141031/https://strontic.github.io/xcyclopedia/library/MicrosoftEdgeUpdate.exe-0F11E6717C1FE6DD20AE2D12F63AF3F7.html "MicrosoftEdgeUpdate.exe | Microsoft Edge Update | STRONTIC | strontic.github.io"
                call:
                  -
                    function: TerminateAndBlockExecution
                    parameters:
                      executableNameWithExtension: MicrosoftEdgeUpdate.exe
                  -
                    function: SoftDeleteFiles
                    parameters:
                      fileGlob: '%PROGRAMFILES(x86)%\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe'
                  -
                    function: SoftDeleteFiles
                    parameters:
                      fileGlob: '%PROGRAMFILES(x86)%\Microsoft\EdgeUpdate\*\MicrosoftEdgeUpdate.exe' # Version specific e.g. C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdate.exe
              -
                name: Disable Edge automatic updates across all channels
                recommend: strict
                docs: |- # refactor-with-variable: Same • Edge Update Caution • Chromium Policy Caution • Active Directory only • Edge Channels
                  This script prevents Microsoft Edge from automatically updating across all channels.

                  Microsoft Edge offers four update channels (Stable, Beta, Dev, and Canary), each designed with different stability levels and update frequencies [1].
                  This script disables updates for all of these channels.

                  This script applies only to Windows devices within a Microsoft Active Directory domain or managed in a similar way [2] [3].
                  It is effective only on computers under organizational management, such as those in workplaces or schools.
                  It's not applicable to personal computers that are not managed by an organization.

                  Disabling automatic updates enhances privacy by controlling data sharing during updates and improves system performance by reducing background activities.
                  If you use Edge, manually check for and distribute updates after using this script to maintain security [2] [3] [4].

                  This script configures update policies for different Edge channels:

                  - `UpdateDefault` to configure all channels [3].
                  - `56EB18F8-B008-4CBD-B6D2-8C97FE7E9062` for Edge (Stable) [2] [4] [5].
                  - `2CD8A007-E189-409D-A2C8-9AF4EF3C72AA` for Edge (Beta) [2] [4] [6].
                  - `65C35B14-6C1D-4122-AC46-7148CC9D6497` for Edge (Canary) [2] [4] [7].
                  - `0D50BFEC-CD6A-4F9A-964C-C7416E3ACB10` for Edge (Dev) [2] [4] [8].
                  - `F3C4FE00-EFD5-403B-9569-398A20F1BA4A` for Edge Insider [9].

                  > **Caution:**
                  > - Disabling updates may reduce security if you use Edge and its components (WebView2).
                  > - This will display the message "Your browser is managed by your organization" on the settings page.
                  > - This locks settings and prevents them from being changed on the settings page.

                  [1]: https://web.archive.org/web/20240624181311/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-channels "Microsoft Edge channel overview | Microsoft Learn | learn.microsoft.com"
                  [2]: https://web.archive.org/web/20240622121924/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-update-policies#update "Microsoft Edge Update Policy Documentation | Microsoft Learn | learn.microsoft.com"
                  [3]: https://web.archive.org/web/20240622121924/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-update-policies#updatedefault "Microsoft Edge Update Policy Documentation | Microsoft Learn | learn.microsoft.com"
                  [4]: https://web.archive.org/web/20240623111327/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Update::Pol_DefaultUpdatePolicy "Update policy override default | admx.help"
                  [5]: https://web.archive.org/web/20240623111917/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Update::Pol_UpdatePolicyMicrosoftEdge "Update policy override | admx.help"
                  [6]: https://web.archive.org/web/20240623111334/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Update::Pol_UpdatePolicyMicrosoftEdgeBeta "Update policy override | admx.help"
                  [7]: https://web.archive.org/web/20240623111327/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Update::Pol_UpdatePolicyMicrosoftEdgeCanary "Update policy override | admx.help"
                  [8]: https://web.archive.org/web/20240623111849/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Update::Pol_UpdatePolicyMicrosoftEdgeDev "Update policy override | admx.help"
                  [9]: https://web.archive.org/web/20240623111904/https://www.bleepingcomputer.com/news/microsoft/what-we-know-about-microsoft-s-chromium-based-edge-browser/ "What We Know About Microsoft’s Chromium-Based Edge Browser | bleepingcomputer.com"
                call:
                  -
                    function: SetEdgeUpdatePolicyViaRegistry
                    parameters:
                      valueName: UpdateDefault # Microsoft Edge Update ≥ 1.2.145.5
                      dwordData: '0'
                  -
                    function: SetEdgeUpdatePolicyViaRegistry
                    parameters:
                      valueName: Update{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062} # Microsoft Edge Update ≥ 1.2.145.5
                      dwordData: '0'
                  -
                    function: SetEdgeUpdatePolicyViaRegistry
                    parameters:
                      valueName: Update{2CD8A007-E189-409D-A2C8-9AF4EF3C72AA} # Microsoft Edge Update ≥ 1.2.145.5
                      dwordData: '0'
                  -
                    function: SetEdgeUpdatePolicyViaRegistry
                    parameters:
                      valueName: Update{65C35B14-6C1D-4122-AC46-7148CC9D6497} # Microsoft Edge Update ≥ 1.2.145.5
                      dwordData: '0'
                  -
                    function: SetEdgeUpdatePolicyViaRegistry
                    parameters:
                      valueName: Update{0D50BFEC-CD6A-4F9A-964C-C7416E3ACB10} # Microsoft Edge Update ≥ 1.2.145.5
                      dwordData: '0'
                  -
                    function: SetEdgeUpdatePolicyViaRegistry
                    parameters:
                      valueName: Update{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}
                      dwordData: '0'
              -
                name: Disable Edge WebView and WebView2 updates
                recommend: strict
                docs: |- # refactor-with-variable: Same • Edge Update Caution • Chromium Policy Caution
                  This script disables automatic updates for Microsoft Edge WebView components.

                  Microsoft Edge WebView and WebView2 Runtime are components that enable applications to display web content [1] [2].
                  By default, these components receive updates automatically [1] [2].

                  Running this script will prevent automatic downloading and application of updates for both older WebView [1] and newer WebView2 [2].
                  This action might lead to compatibility issues with applications relying on the latest features of WebView [1] [2].

                  This script configures the `Update{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}` policy [1] [2].

                  > **Caution:**
                  > - Disabling updates may reduce security if you use Edge and its components (WebView2).
                  > - This will display the message "Your browser is managed by your organization" on the settings page.
                  > - This locks settings and prevents them from being changed on the settings page.
                  [1]: https://web.archive.org/web/20240622124745/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Update::Pol_UpdatePolicyMicrosoftEdgeWebView "Update policy override | admx.help"
                  [2]: https://web.archive.org/web/20240622121924/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-update-policies#update-webview "Microsoft Edge Update Policy Documentation | Microsoft Learn | learn.microsoft.com"
                call:
                  function: SetEdgeUpdatePolicyViaRegistry
                  parameters:
                    valueName: Update{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5} # Microsoft Edge Update ≥ 1.3.127.1
                    dwordData: '0'
              - name: Disable Edge automatic update checks
                recommend: strict
                docs: |-
                  # refactor-with-variable: Same • Edge Update Caution • Chromium Policy Caution
                  This script stops the Microsoft Edge Update agent from automatically checking for updates.

                  This script prevents the Microsoft Edge Update agent from performing any automatic update checks [1].
                  This includes updates for all Edge applications [2], including WebView2.
                  Disabling these updates enhances privacy by eliminating the regular network activity initiated by Microsoft Edge Update [2].
                  It can also improve performance due to the reduction of background network operations.

                  If you choose not to run this script, Microsoft Edge will continue to check for updates every 10 hours [1].
                  Although disabling updates can enhance privacy, it may compromise security, particularly if you rely on Edge and its components like WebView2.
                  Automatic updates help ensure that the browser and its components receive stability and security updates promptly [1].

                  This script configures the `AutoUpdateCheckPeriodMinutes` [1] [2] Edge policy.
                  Setting it to `0` disables all periodic network traffic by Microsoft Edge Update [1] [2].

                  > **Caution:**
                  > - Disabling updates may reduce security if you use Edge and its components (WebView2).
                  > - This will display the message "Your browser is managed by your organization" on the settings page.
                  > - This locks settings and prevents them from being changed on the settings page.

                  [1]: https://web.archive.org/web/20240622121922/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Update::Pol_AutoUpdateCheckPeriod "Auto-update check period override | admx.help"
                  [2]: https://web.archive.org/web/20240622121924/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-update-policies#autoupdatecheckperiodminutes "Microsoft Edge Update Policy Documentation | Microsoft Learn | learn.microsoft.com"
                call:
                  function: SetEdgeUpdatePolicyViaRegistry
                  parameters:
                    valueName: AutoUpdateCheckPeriodMinutes # Microsoft Edge Update ≥ 1.2.145.5
                    dwordData: '0'
              - name: Maximize Edge update suppression duration
                recommend: strict
                docs: |-
                  # refactor-with-variable: Same • Edge Update Caution • Chromium Policy Caution
                  This script suppresses automatic updates for Microsoft Edge for the longest possible duration.

                  If you do not run this script, Microsoft Edge checks for updates periodically throughout the day by default [1] [2].
                  This script limits update checks to the least frequent interval permitted by policy settings.
                  This reduces network traffic and decreases system load, thereby enhancing both privacy and performance.

                  However, this delay in updates can expose you to security risks, especially if you depend on Edge for critical tasks.
                  Keep in mind, automatic updates play a crucial role in protecting your system against emerging security threats.

                  The script configures the `UpdatesSuppressedDurationMin`, `UpdatesSuppressedStartHour`, and `UpdatesSuppressedStartMin` Edge policies [1] [2].

                  > **Caution:**
                  > - Disabling updates may reduce security if you use Edge and its components (WebView2).
                  > - This will display the message "Your browser is managed by your organization" on the settings page.
                  > - This locks settings and prevents them from being changed on the settings page.
                  [1]: https://web.archive.org/web/20240622121924/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-update-policies#updatessuppressed "Microsoft Edge Update Policy Documentation | Microsoft Learn | learn.microsoft.com"
                  [2]: https://web.archive.org/web/20240622123413/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Update::Pol_UpdateCheckSuppressedPeriod "Time period in each day to suppress auto-update check | admx.help"
                call:
                  - function: SetEdgeUpdatePolicyViaRegistry
                    parameters:
                      valueName: UpdatesSuppressedDurationMin # Microsoft Edge Update ≥ 1.3.33.5
                      dwordData: '1440' # Total number of minutes in a day = 24×60 minutes = 1440 minutes.
                  - function: SetEdgeUpdatePolicyViaRegistry
                    parameters:
                      valueName: UpdatesSuppressedStartHour # Microsoft Edge Update ≥ 1.3.33.5
                      dwordData: '0'
                  - function: SetEdgeUpdatePolicyViaRegistry
                    parameters:
                      valueName: UpdatesSuppressedStartMin # Microsoft Edge Update ≥ 1.3.33.5
                      dwordData: '0'
          - category: Disable automatic installation of Edge and WebView
            docs: |-
              This category contains scripts that prevent the automatic installation of Microsoft Edge, allowing users to maintain control over software installations on their systems.
              These scripts help ensure that Edge and its components like WebView and WebView2 are only installed when explicitly approved by the user, which can significantly enhance privacy and security.
              Automatic installations can potentially introduce unwanted features or security vulnerabilities, and by preventing these installations, users can manage their system's exposure to such risks.

              Overall, these scripts help to:

              - Prevent unsolicited installations of Microsoft Edge.
              - Enable users to decide when and if Edge WebView should be installed, aligning with best practices for security and privacy.
              - Provide users with tools to manage software deployment in a controlled manner.
            children:
              - name: Disable automatic installation of Edge
                recommend: standard # Preventing automatic installation helps control unwanted software without impacting system stability or security
                docs: |-
                  This script prevents the automatic installation of Edge (Chromium) via Windows Update.

                  Microsoft Edge (Chromium), designed to replace Edge (Legacy), is automatically distributed to devices running Windows 10 version 1803 or newer [1] [2] [3].
                  This script does not impact Windows 10, version 20H2 and later [3].
                  Windows 10 version 20H2 and later already include Edge (Chromium) by default [4].

                  This script only blocks the automatic installation of Edge (Chromium) through Windows Update, without affecting other installation methods [2] [3] or system updates [2].
                  As Microsoft has ceased support for Edge (Legacy), including security updates [1], this script enables you to manage the installation timing and method for Edge (Chromium), aligning the updates with your preferences.

                  This script modifies the `HKLM\SOFTWARE\Microsoft\EdgeUpdate!DoNotUpdateToEdgeWithChromium` [2] [3] registry key to configure this setting.
                  [1]: https://web.archive.org/web/20240517223534/https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-microsoft-edge-to-replace-microsoft-edge-legacy-with-april-s/ba-p/2114224 "New Microsoft Edge to replace Microsoft Edge Legacy with April’s Windows 10 Update Tuesday release - Microsoft Community Hub | techcommunity.microsoft.com"
                  [2]: https://web.archive.org/web/20240517225010/https://admx.help/?Category=EdgeChromium_Blocker&Policy=Microsoft.Policies.EdgeUpdate::NoUpdate "Do not allow delivery of Microsoft Edge (Chromium-Based) through Automatic Updates | admx.help"
                  [3]: https://web.archive.org/web/20210118230052/https://docs.microsoft.com/en-us/deployedge/microsoft-edge-blocker-toolkit "Blocker Toolkit to disable automatic delivery of Microsoft Edge | Microsoft Docs | docs.microsoft.com"
                  [4]: https://web.archive.org/web/20240517225921/https://blogs.windows.com/windowsexperience/2020/06/16/whats-next-for-windows-10-updates/ "What’s next for Windows 10 updates | Windows Experience Blog | blogs.windows.com"
                call:
                  function: SetRegistryValue
                  parameters:
                    keyPath: HKLM\SOFTWARE\Microsoft\EdgeUpdate
                    valueName: DoNotUpdateToEdgeWithChromium
                    dataType: REG_DWORD
                    data: "1"
                    deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
              - name: Disable automatic installation of Edge across all channels
                recommend: standard # Preventing automatic installation helps control unwanted software without impacting system stability or security
                docs: |-
                  # refactor-with-variables: Same • Active Directory only • Edge Channels • Chromium Policy Caution
                  This script disables the automatic installation of Microsoft Edge across all update channels, enhancing user control over their systems and privacy.

                  Microsoft Edge offers four update channels—Stable, Beta, Dev, and Canary—each designed with different stability levels and update frequencies [1].
                  This script blocks automatic installations for all these channels [2] [3].
                  This allows users to manually manage their updates and potentially reduce exposure to unstable or privacy-intrusive software.

                  This script applies only to Windows devices within a Microsoft Active Directory domain or managed in a similar way [2] [3].
                  It is effective only on computers under organizational management, such as those in workplaces or schools.
                  It's not applicable to personal computers that are not managed by an organization.

                  This script configures update policies for different Edge channels:

                  - `InstallDefault` to configure all channels [3].
                  - `56EB18F8-B008-4CBD-B6D2-8C97FE7E9062` for Edge (Stable) [2].
                  - `2CD8A007-E189-409D-A2C8-9AF4EF3C72AA` for Edge (Beta) [2].
                  - `65C35B14-6C1D-4122-AC46-7148CC9D6497` for Edge (Canary) [2].
                  - `0D50BFEC-CD6A-4F9A-964C-C7416E3ACB10` for Edge (Dev) [2].

                  > **Caution**:
                  > - This will display the message "Your browser is managed by your organization" on the settings page.
                  > - This locks settings and prevents them from being changed on the settings page.
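                  The PowerShell audit below is an added example; it is not part of this collection and not Microsoft's tooling.
                  It reads the Microsoft Edge Update policies that the update and installation scripts in this category write and reports the effective state per channel:
                  a per-application `Update{GUID}` or `Install{GUID}` value takes precedence over `UpdateDefault` or `InstallDefault`, and an absent value means the policy is not configured.
                  It assumes that these policies are stored under `HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate` (the documented location for Microsoft Edge Update policies, which this page does not state),
                  that `DoNotUpdateToEdgeWithChromium` is read from the `HKLM\SOFTWARE\Microsoft\EdgeUpdate` key named by the previous script, and that `msedge.exe` sits at its default installation path;
                  the channel GUIDs are the ones the scripts in this category use.

                  ```powershell
                  # Added example (not part of the privacy.sexy collection). Assumptions: Microsoft Edge Update policies
                  # live under HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate, a per-application Update{GUID} / Install{GUID}
                  # value overrides UpdateDefault / InstallDefault, and msedge.exe is at its default installation path.
                  $EdgeUpdatePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate'
                  $EdgeUpdateStateKey  = 'HKLM:\SOFTWARE\Microsoft\EdgeUpdate'   # where DoNotUpdateToEdgeWithChromium is written
                  $EdgeExe             = Join-Path ${env:ProgramFiles(x86)} 'Microsoft\Edge\Application\msedge.exe'

                  # Application GUIDs as used by this category's scripts.
                  $EdgeApps = [ordered]@{
                      'Edge (Stable)'      = '56EB18F8-B008-4CBD-B6D2-8C97FE7E9062'
                      'Edge (Beta)'        = '2CD8A007-E189-409D-A2C8-9AF4EF3C72AA'
                      'Edge (Dev)'         = '0D50BFEC-CD6A-4F9A-964C-C7416E3ACB10'
                      'Edge (Canary)'      = '65C35B14-6C1D-4122-AC46-7148CC9D6497'
                      'Edge Insider'       = 'F3C4FE00-EFD5-403B-9569-398A20F1BA4A'
                      'WebView / WebView2' = 'F3017226-FE2A-4295-8BDF-00C3A9A7E4C5'
                  }

                  function Get-RegistryDword {
                      param([string]$Key, [string]$Name)
                      # $null when the key or the value does not exist, i.e. the policy is not configured.
                      (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
                  }

                  function Resolve-PolicyState {
                      param($PerApp, $Default)
                      # The per-application value wins over the default; 0 is what this category writes to disable.
                      $value = if ($null -ne $PerApp) { $PerApp } else { $Default }
                      if ($null -eq $value) { 'not configured (allowed)' }
                      elseif ($value -eq 0) { 'disabled by policy' }
                      else { "policy value $value" }
                  }

                  function Get-EdgeUpdatePolicyReport {
                      # One row per application with the effective update and install policy.
                      $updateDefault  = Get-RegistryDword $EdgeUpdatePolicyKey 'UpdateDefault'
                      $installDefault = Get-RegistryDword $EdgeUpdatePolicyKey 'InstallDefault'
                      foreach ($app in $EdgeApps.GetEnumerator()) {
                          $guid = $app.Value
                          $update  = Resolve-PolicyState (Get-RegistryDword $EdgeUpdatePolicyKey "Update{$guid}") $updateDefault
                          $install = Resolve-PolicyState (Get-RegistryDword $EdgeUpdatePolicyKey "Install{$guid}") $installDefault
                          [pscustomobject]@{ Application = $app.Key; Updates = $update; Installs = $install }
                      }
                  }

                  function Get-EdgeUpdateScheduleReport {
                      # Checks the schedule values the update scripts write, the Windows Update blocker value,
                      # and records the installed version, which is what must be compared manually once updates are off.
                      $period   = Get-RegistryDword $EdgeUpdatePolicyKey 'AutoUpdateCheckPeriodMinutes'
                      $duration = Get-RegistryDword $EdgeUpdatePolicyKey 'UpdatesSuppressedDurationMin'
                      $startHr  = Get-RegistryDword $EdgeUpdatePolicyKey 'UpdatesSuppressedStartHour'
                      $startMin = Get-RegistryDword $EdgeUpdatePolicyKey 'UpdatesSuppressedStartMin'
                      $window   = if ($null -ne $duration) { '{0:d2}:{1:d2} for {2} min' -f [int]$startHr, [int]$startMin, [int]$duration } else { 'none' }
                      $version  = if (Test-Path $EdgeExe) { (Get-Item $EdgeExe).VersionInfo.ProductVersion } else { 'not found' }
                      [pscustomobject]@{
                          PeriodicChecksDisabled      = ($period -eq 0)
                          SuppressionWindow           = $window
                          SuppressionCoversWholeDay   = ($null -ne $duration -and [int]$duration -ge 1440)
                          ChromiumEdgeDeliveryBlocked = ((Get-RegistryDword $EdgeUpdateStateKey 'DoNotUpdateToEdgeWithChromium') -eq 1)
                          InstalledEdgeVersion        = $version
                      }
                  }

                  Get-EdgeUpdatePolicyReport | Format-Table -AutoSize
                  Get-EdgeUpdateScheduleReport | Format-List
                  ```

                  Run it from an elevated PowerShell session before and after applying the scripts.
                  Once `Updates` reads "disabled by policy" for a channel you use, the reported `InstalledEdgeVersion` is the figure you have to compare against the current Edge release yourself, because the browser will no longer do it.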
                  [1]: https://web.archive.org/web/20240624181311/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-channels "Microsoft Edge channel overview | Microsoft Learn | learn.microsoft.com"
                  [2]: https://web.archive.org/web/20240622121924/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-update-policies#install "Microsoft Edge Update Policy Documentation | Microsoft Learn | learn.microsoft.com"
                  [3]: https://web.archive.org/web/20240622121924/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-update-policies#installdefault "Microsoft Edge Update Policy Documentation | Microsoft Learn | learn.microsoft.com"
                call:
                  - function: SetEdgeUpdatePolicyViaRegistry
                    parameters:
                      valueName: InstallDefault # Microsoft Edge Update ≥ 1.2.145.5
                      dwordData: '0'
                  - function: SetEdgeUpdatePolicyViaRegistry
                    parameters:
                      valueName: Install{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062} # Microsoft Edge Update ≥ 1.3.155.43
                      dwordData: '0'
                  - function: SetEdgeUpdatePolicyViaRegistry
                    parameters:
                      valueName: Install{2CD8A007-E189-409D-A2C8-9AF4EF3C72AA} # Microsoft Edge Update ≥ 1.3.155.43
                      dwordData: '0'
                  - function: SetEdgeUpdatePolicyViaRegistry
                    parameters:
                      valueName: Install{65C35B14-6C1D-4122-AC46-7148CC9D6497} # Microsoft Edge Update ≥ 1.3.155.43
                      dwordData: '0'
                  - function: SetEdgeUpdatePolicyViaRegistry
                    parameters:
                      valueName: Install{0D50BFEC-CD6A-4F9A-964C-C7416E3ACB10} # Microsoft Edge Update ≥ 1.3.155.43
                      dwordData: '0'
              - name: Disable automatic installation of WebView and WebView2
                recommend: standard # Preventing automatic installation helps control unwanted software without impacting system stability or security
                docs: |-
                  # refactor-with-variables: Same • Chromium Policy Caution
                  This script prevents the automatic installation of Microsoft Edge WebView and WebView2 components.

                  By default, the WebView2 Runtime is installed automatically through Microsoft Edge Update [1].
                  After applying this script, automatic installation of the WebView2 Runtime via Microsoft Edge Update is blocked [1].
                  This improves your privacy and control over installed software on your system.

                  This script configures the `Install{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}` policy [1].

                  > **Caution**:
                  > - This will display the message "Your browser is managed by your organization" on the settings page.
                  > - This locks settings and prevents them from being changed on the settings page.

                  [1]: https://web.archive.org/web/20240622121924/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-update-policies#install-webview "Microsoft Edge Update Policy Documentation | Microsoft Learn | learn.microsoft.com"
                call:
                  function: SetEdgeUpdatePolicyViaRegistry
                  parameters:
                    valueName: Install{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5} # Microsoft Edge Update ≥ 1.3.155.43
                    dwordData: '0'
          - category: Disable Copilot in Edge
            docs: |-
              This category contains scripts to disable Copilot features in Microsoft Edge.

              Copilot, initially known as *Bing Chat* [1], integrates generative AI into Edge [1] [2].
              Despite its capabilities, it raises significant privacy and security concerns:

              - **Privacy Concerns**: Microsoft may retain chat data, which could include sensitive information [2].
                It also collects personal data, such as URLs, page titles, user queries, and browsing context [2].
              - **Security Risks**: Language models like those used in Copilot are susceptible to specific attacks and vulnerabilities [3].
                Read more: [Attacks on language models](https://erkinekici.com/articles/attacks-on-language-models/).
              - **Targeted Advertising**: Copilot can display targeted ads based on chat interactions, raising further privacy issues [4].

              Disabling Copilot capabilities bolsters privacy, reduces security threats, improves browser speed, and provides a cleaner browsing experience.
              [1]: https://web.archive.org/web/20240623213328/https://blogs.bing.com/search/november-2023/our-vision-to-bring-microsoft-copilot-to-everyone-and-more "Our vision to bring Microsoft Copilot to everyone, and more | Bing Search Blog | blogs.bing.com"
              [2]: https://web.archive.org/web/20240519104435/https://learn.microsoft.com/en-us/copilot/edge "Copilot in Edge | Microsoft Learn | learn.microsoft.com"
              [3]: https://erkinekici.com/articles/attacks-on-language-models/ "Attacks on language models :: Erkin Ekici | erkinekici.com"
              [4]: https://web.archive.org/web/20240623220035/https://learn.microsoft.com/en-us/copilot/privacy-and-protections "Copilot Privacy and Protections | Microsoft Learn | learn.microsoft.com"
            children:
              - name: Disable Edge Copilot and Hubs Sidebar
                docs: |-
                  # refactor-with-variables: Same • Chromium Policy Caution
                  This script enhances your privacy and system performance by disabling multiple linked features in Microsoft Edge.

                  This script primarily disables the **Hubs Sidebar**.
                  This is a launcher bar on the right side of Microsoft Edge's screen [1].
                  By default, the Sidebar is visible [1], but running this script will permanently hide it [1].

                  Disabling the Hubs Sidebar also deactivates the following features:

                  - **Copilot in Edge**: This feature was known as *Bing Chat* [11], *Discover in Edge* [2], *Bing Discover* [2], *Edge Discover* [3], *Discover app* [4], *Discover experience* [4], or simply *Discover* [4].
                    It collects personal data including URLs, page titles, user queries, browsing context, and conversation histories [5].
                    It enables the discovery of content relevant to the page you are browsing, such as summaries and source information [4].
                    By default, this feature sends URLs to Microsoft Bing for related recommendations [3].
                    Disabling the Hubs Sidebar is the recommended method to also disable Copilot in Edge [3] [4].
                    Disabling it stops this data collection, improving your privacy.
                  - **Sidebar apps**: Disabling the Hubs Sidebar also deactivates all sidebar apps [6].
                    This script also disables the sidebar in Progressive Web Apps (PWAs) [6].
                    This script prevents all sidebar apps from being activated [6].
                  - **Standalone Sidebar**: Disabling the Hubs Sidebar also turns off any standalone sidebar modes [7].
                    This mode displays the Sidebar in a fixed position on the desktop, separate from the browser frame [7].
                    Disabling this reduces background resource usage, thereby optimizing system performance [8].

                  The script configures the following Edge policies:

                  | Edge policy                               | Affected Edge versions  |
                  |-------------------------------------------|-------------------------|
                  | `HubsSidebarEnabled` [1] [2] [6] [9] [10] | Edge ≥ 99 [1]           |
                  | `StandaloneHubsSidebarEnabled` [7] [8]    | Edge ≥ 88 and ≤ 119 [7] |

                  The new settings will take effect after you restart the browser [6].

                  > **Caution**:
                  > - This will display the message "Your browser is managed by your organization" on the settings page.
                  > - This locks settings and prevents them from being changed on the settings page.
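                  As an added example, not code from this collection, the PowerShell below checks the installed Edge major version against the version ranges stated for each policy before writing it, and records the previous state of every value so the change can be undone the way this collection's revert scripts do.
                  It assumes that Edge browser policies live under `HKLM\SOFTWARE\Policies\Microsoft\Edge` (the documented location, not stated on this page) and that `msedge.exe` is at its default installation path.
                  The range table goes beyond this script: it also carries the ranges stated by the other Copilot scripts in this category (`DiscoverPageContextEnabled`, `CopilotPageContext`, `CopilotCDPPageContext`, `NewTabPageBingChatEnabled`, `EdgeDiscoverEnabled`).
                  For `StandaloneHubsSidebarEnabled` it uses the lower bound from the table above (Edge 88), whereas this script's call comment states Edge 114.

                  ```powershell
                  # Added example (not part of the privacy.sexy collection). Assumptions: browser policies live under
                  # HKLM\SOFTWARE\Policies\Microsoft\Edge and msedge.exe is at its default installation path.
                  $EdgePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
                  $EdgeExe       = Join-Path ${env:ProgramFiles(x86)} 'Microsoft\Edge\Application\msedge.exe'

                  # Policy name -> @(minimum major version, maximum major version or $null when still supported).
                  # Ranges are the ones this category's scripts state; every policy here is set to 0 to disable the feature.
                  $EdgePolicies = [ordered]@{
                      'HubsSidebarEnabled'           = @(99,  $null)
                      'StandaloneHubsSidebarEnabled' = @(88,  119)
                      'DiscoverPageContextEnabled'   = @(113, 127)
                      'CopilotPageContext'           = @(124, $null)
                      'CopilotCDPPageContext'        = @(124, $null)
                      'NewTabPageBingChatEnabled'    = @(117, $null)
                      'EdgeDiscoverEnabled'          = @(97,  105)
                  }

                  function Get-EdgeMajorVersion {
                      # $null when Edge is not installed at the assumed path.
                      if (-not (Test-Path $EdgeExe)) { return $null }
                      [int]((Get-Item $EdgeExe).VersionInfo.ProductVersion.Split('.')[0])
                  }

                  function Test-EdgePolicyApplies {
                      param([int]$Major, [object[]]$Range)
                      # True when the installed major version lies inside the policy's supported range.
                      $min, $max = $Range
                      ($Major -ge $min) -and ($null -eq $max -or $Major -le $max)
                  }

                  function Set-EdgePolicyWithRevert {
                      param([string]$Name, [int]$Data, [string]$RevertLog)
                      # Record the previous state before writing: a value that did not exist is deleted on revert
                      # rather than set to 0, which is what the collection's deleteOnRevert flag expresses.
                      if (-not (Test-Path $EdgePolicyKey)) { New-Item -Path $EdgePolicyKey -Force | Out-Null }
                      $previous = (Get-ItemProperty -Path $EdgePolicyKey -Name $Name -ErrorAction SilentlyContinue).$Name
                      $entry = if ($null -eq $previous) { "delete $Name" } else { "set $Name $previous" }
                      Add-Content -Path $RevertLog -Value $entry
                      New-ItemProperty -Path $EdgePolicyKey -Name $Name -PropertyType DWord -Value $Data -Force | Out-Null
                  }

                  function Undo-EdgePolicyChanges {
                      param([string]$RevertLog)
                      # Replay the log newest-first so the oldest recorded state wins if a name was written twice.
                      $entries = @(Get-Content -Path $RevertLog)
                      [array]::Reverse($entries)
                      foreach ($entry in $entries) {
                          $parts = $entry -split ' '
                          switch ($parts[0]) {
                              'delete' { Remove-ItemProperty -Path $EdgePolicyKey -Name $parts[1] -ErrorAction SilentlyContinue }
                              'set'    { New-ItemProperty -Path $EdgePolicyKey -Name $parts[1] -PropertyType DWord -Value ([int]$parts[2]) -Force | Out-Null }
                          }
                      }
                  }

                  # Apply only the policies the installed Edge version honours, then say how to undo.
                  $major = Get-EdgeMajorVersion
                  if ($null -eq $major) { Write-Warning "msedge.exe not found at $EdgeExe; nothing applied."; return }
                  $revertLog = Join-Path $env:TEMP 'edge-policy-revert.log'
                  foreach ($policy in $EdgePolicies.GetEnumerator()) {
                      if (Test-EdgePolicyApplies -Major $major -Range $policy.Value) {
                          Set-EdgePolicyWithRevert -Name $policy.Key -Data 0 -RevertLog $revertLog
                          "applied $($policy.Key) = 0 (Edge $major is within its supported range)"
                      } else {
                          "skipped $($policy.Key): not honoured by Edge $major"
                      }
                  }
                  "Undo with: Undo-EdgePolicyChanges -RevertLog '$revertLog'"
                  ```

                  Writing a policy that the installed version does not honour is harmless but leaves a stale value under the policy key, which is why the version gate comes first;
                  the revert log is the only record of what the key looked like before, so keep it with the machine until you have undone the change.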
                  [1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#hubssidebarenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
                  [2]: https://web.archive.org/web/20240328062746/https://techcommunity.microsoft.com/t5/discussions/copilot-or-discover-browser-extension-not-working-as-expected/m-p/4097297 "Copilot or Discover browser extension not working as expected for managed Edge browser - Microsoft Community Hub | techcommunity.microsoft.com"
                  [4]: https://web.archive.org/web/20240101215939/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnote-archive-beta-channel "Archived release notes for Microsoft Edge Beta Channel | Microsoft Learn | learn.microsoft.com"
                  [5]: https://web.archive.org/web/20240519104435/https://learn.microsoft.com/en-us/copilot/edge#data-used-by--in-edge "Copilot in Edge | Microsoft Learn | learn.microsoft.com"
                  [6]: https://web.archive.org/web/20240519104338/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-sidebar#allow-or-block-the-sidebar-in-group-policy "Manage the sidebar in Microsoft Edge | Microsoft Learn | learn.microsoft.com"
                  [7]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#standalonehubssidebarenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
                  [8]: https://web.archive.org/web/20240519104546/https://answers.microsoft.com/en-us/microsoftedge/forum/all/microsoft-edge-running-in-the-background/b827d6dc-8853-4258-a2e1-a760e93df561 "Microsoft Edge running in the background - Microsoft Community | answers.microsoft.com"
                  [9]: https://web.archive.org/web/20240519104435/https://learn.microsoft.com/en-us/copilot/edge#manage--in-edge "Copilot in Edge | Microsoft Learn | learn.microsoft.com"
                  [10]: https://web.archive.org/web/20240122064120/https://learn.microsoft.com/en-us/windows/client-management/manage-windows-copilot "Manage Copilot in Windows - Windows Client Management | Microsoft Learn | learn.microsoft.com"
                  [11]: https://web.archive.org/web/20240623213328/https://blogs.bing.com/search/november-2023/our-vision-to-bring-microsoft-copilot-to-everyone-and-more "Our vision to bring Microsoft Copilot to everyone, and more | Bing Search Blog | blogs.bing.com"
                call:
                  - function: SetEdgePolicyViaRegistry
                    parameters:
                      valueName: HubsSidebarEnabled # Edge ≥ 99
                      dwordData: '0'
                  - function: SetEdgePolicyViaRegistry
                    parameters:
                      valueName: StandaloneHubsSidebarEnabled # Edge ≥ 114
                      dwordData: '0'
                  - function: ShowEdgeRestartSuggestion
              - name: Disable Edge Copilot browsing data collection
                recommend: strict
                docs: |-
                  # refactor-with-variables: Same • Chromium Policy Caution
                  This script limits data access for Copilot in Microsoft Edge to enhance user privacy.

                  This script blocks Copilot's access to web pages in the Edge sidebar [1] [2] [3].
                  This stops Microsoft from collecting page contents, browser history, and user preferences [2] [3].
                  Otherwise, this data would automatically be sent to Bing [1].
                  This setting is specific to Microsoft Entra ID profiles [2], previously called AAD profiles [1].
                  Additionally, this script applies to "Copilot with Commercial Data Protection" [3].

                  By default, Copilot has access to page contents [1] [2] [3].
                  This access enables summarizing pages and interacting with text selections [1] [2].
                  This feature was previously known as **Discover** [1] and is based on Bing Chat [1].

                  > **Caution**:
                  > Disabling this feature will disable Copilot's abilities to summarize pages and
                  > interact with text selections in Edge.
                  The script configures the following Edge policies:

                  | Edge policy                      | Affected Edge versions        |
                  |----------------------------------|-------------------------------|
                  | `DiscoverPageContextEnabled` [1] | Edge ≥ 113 and Edge ≤ 127 [1] |
                  | `CopilotPageContext` [2]         | Edge ≥ 124 [2]                |
                  | `CopilotCDPPageContext` [2]      | Edge ≥ 124 [2]                |

                  > **Caution**:
                  > - This will display the message "Your browser is managed by your organization" on the settings page.
                  > - This locks settings and prevents them from being changed on the settings page.

                  [1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#discoverpagecontextenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
                  [2]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#copilotpagecontext "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
                  [3]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#copilotcdppagecontext "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
                call:
                  - function: SetEdgePolicyViaRegistry
                    parameters:
                      valueName: DiscoverPageContextEnabled # Edge ≥ 113 and Edge ≤ 127
                      dwordData: '0'
                  - function: SetEdgePolicyViaRegistry
                    parameters:
                      valueName: CopilotPageContext # Edge ≥ 124
                      dwordData: '0'
                  - function: SetEdgePolicyViaRegistry
                    parameters:
                      valueName: CopilotCDPPageContext # Edge ≥ 124
                      dwordData: '0'
              - name: Disable Edge Copilot access on new tab page
                docs: |-
                  # refactor-with-variables: • Chromium Policy Caution
                  This script disables the Copilot access on the new tab page of Microsoft Edge.

                  Originally known as Bing Chat, Copilot is a generative AI solution developed by Microsoft, integrated directly into the Edge browser [2].
                  By default, the new tab page in Edge features two access points to Copilot: within the search box and in the Bing Autosuggest drawer upon clicking [1].
                  Without this script, these Copilot entry-points remain active, offering AI-driven assistance directly from the new tab page [1].
                  Running this script removes these, ensuring a simpler, distraction-free new tab page experience in Microsoft Edge [1].

                  This script configures the `NewTabPageBingChatEnabled` Edge policy [1].

                  > **Caution**:
                  > - This will display the message "Your browser is managed by your organization" on the settings page.
                  > - This locks settings and prevents them from being changed on the settings page.

                  [1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#newtabpagebingchatenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
                  [2]: https://web.archive.org/web/20240623213328/https://blogs.bing.com/search/november-2023/our-vision-to-bring-microsoft-copilot-to-everyone-and-more "Our vision to bring Microsoft Copilot to everyone, and more | Bing Search Blog | blogs.bing.com"
                call:
                  function: SetEdgePolicyViaRegistry
                  parameters:
                    valueName: NewTabPageBingChatEnabled # Edge ≥ 117
                    dwordData: '0'
              - name: Disable outdated Edge Discover button
                docs: |-
                  # refactor-with-variables: Same • Chromium Policy Caution
                  This script disables the outdated Discover feature in Microsoft Edge.

                  Initially called *Bing Chat* [1] [2] or *Bing Discover* [2], this feature has evolved into what is now known as **Copilot** [1] [2].
                  In recent versions of Edge, the Discover button in the toolbar has been replaced with the new Copilot button [2].

                  This script is applicable only to versions of Edge between 97 and 105 [3].
                  It disables the obsolete Discover feature and button on older versions of Edge [3] [4].
                  When enabled, this feature used to send URLs to Microsoft Bing to search for related content [3].
                  By default, the Discover feature remains accessible in earlier Edge versions [3].

                  This script configures the `EdgeDiscoverEnabled` Edge policy [3] [4].

                  > **Caution**:
                  > - This will display the message "Your browser is managed by your organization" on the settings page.
                  > - This locks settings and prevents them from being changed on the settings page.

                  [1]: https://web.archive.org/web/20240623213328/https://blogs.bing.com/search/november-2023/our-vision-to-bring-microsoft-copilot-to-everyone-and-more "Our vision to bring Microsoft Copilot to everyone, and more | Bing Search Blog | blogs.bing.com"
                  [2]: https://archive.today/2024.06.23-222710/https://www.askvg.com/disable-or-remove-bing-chat-button-or-icon-from-microsoft-edge-toolbar/ "How to Disable or Remove Bing Chat Button from Microsoft Edge Toolbar – AskVG | www.askvg.com"
                  [3]: https://web.archive.org/web/20220930193320/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#edgediscoverenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
                  [4]: https://web.archive.org/web/20240101215939/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnote-archive-beta-channel "Archived release notes for Microsoft Edge Beta Channel | Microsoft Learn | learn.microsoft.com"
                call:
                  function: SetEdgePolicyViaRegistry
                  parameters:
                    valueName: EdgeDiscoverEnabled # Edge ≥ 97 and Edge ≤ 105
                    dwordData: '0'
          - category: Disable Edge ads
            docs: |-
              ### Overview

              This category blocks several types of advertisements in Microsoft Edge, such as promotional suggestions, notifications, and recommendations.

              ### Impact

              - **User Experience**: Provides a cleaner, less distracting browsing experience.
              - **Privacy**: Enhances privacy by reducing potential tracking mechanisms.
              - **Performance**: Improves system performance by reducing unnecessary processing.

              ### Scope

              - **Targeted Ad Blocking**: Disables only those ads that can be suppressed without affecting other features.
              - **Feature Integrity**: Blocks ads selectively, ensuring the functionality of Edge's features is not compromised.
              - **External Ads**: Does not affect advertisements displayed by external websites.
            children:
              - name: Disable Edge spotlight recommendations
                recommend: standard # Recommended by CIS
                docs: |-
                  # refactor-with-variables: • Chromium Policy Caution
                  This script disables spotlight recommendations in Microsoft Edge to enhance privacy protection.

                  By default, Microsoft Edge offers spotlight experiences and recommendations [1] [2] [3].
                  These include personalized background images, text, suggestions, notifications, and tips based on your browsing activities [1] [2] [3].
                  These features collect data about you and your interactions with Microsoft services [1].

                  Disabling these recommendations helps protect your privacy by preventing Microsoft from using your browsing data to personalize and display content [1].
                  This is especially important because such data could inadvertently be exposed or shared with unauthorized third parties [1].
                  The Center for Internet Security recommends disabling these features as they consider them a potential security risk [1].

                  This script configures the `SpotlightExperiencesAndRecommendationsEnabled` [2] [3] Edge policy.
                  After running this script, users will no longer receive any spotlight experiences or recommendations from Microsoft Edge [1] [2] [3], maintaining a more generic and less intrusive browsing environment.

                  > **Caution**:
                  > - This will display the message "Your browser is managed by your organization" on the settings page.
                  > - This locks settings and prevents them from being changed on the settings page.

                  [1]: https://web.archive.org/web/20231129023615/https://www.tenable.com/audits/items/CIS_Microsoft_Edge_v1.1.0_L2.audit:399926c716539508b62eeb5dfec08582 "1.3.2 Ensure 'Choose whether users can receive customized back... | Tenable® | www.tenable.com"
                  [2]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#spotlightexperiencesandrecommendationsenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
                  [3]: https://web.archive.org/web/20240618225121/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::SpotlightExperiencesAndRecommendationsEnabled "Choose whether users can receive customized background images and text, suggestions, notifications, and tips for Microsoft services | admx.help"
                call:
                  function: SetEdgePolicyViaRegistry
                  parameters:
                    valueName: SpotlightExperiencesAndRecommendationsEnabled # Edge ≥ 86
                    dwordData: '0'
              - name: Disable Edge feature ads
                recommend: standard # Recommended by Microsoft
                docs: |-
                  # refactor-with-variables: • Chromium Policy Caution • Microsoft recommends
                  This script disables promotional notifications and feature recommendations in Microsoft Edge, providing a distraction-free browsing experience.

                  By default, Microsoft Edge may show notifications encouraging users to explore various features [1] [2], such as using vertical tabs for improved tab management [1].
                  These notifications typically appear in situations like having multiple tabs open [1], and can include suggestions to link Edge with a smartphone [3] or to use Bing as a search engine in Chrome [4].
                  Running this script stops these notifications [1], ensuring users do not receive prompts even in scenarios where they are typically triggered [1].

                  Such recommendations may pose privacy concerns by potentially tracking user interactions and preferences.
                  By disabling these features, the script helps safeguard user privacy by reducing exposure to tracking mechanisms.
                  This action is beneficial for those who prefer a less intrusive interface while browsing.
                  Microsoft recommends this script for users who favor a streamlined browser setup without unsolicited suggestions or interruptions [2].
                  This script configures the `ShowRecommendationsEnabled` [1] [2] Edge policy.

                  > **Caution**:
                  > - This will display the message "Your browser is managed by your organization" on the settings page.
                  > - This locks settings and prevents them from being changed on the settings page.

                  [1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#allow-feature-recommendations-and-browser-assistance-notifications-from-microsoft-edge "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
                  [2]: https://web.archive.org/web/20240618221222/https://learn.microsoft.com/en-us/mem/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-edge "Common Education Microsoft Edge configuration | Microsoft Learn | learn.microsoft.com"
                  [3]: https://web.archive.org/web/20240618223116/https://www.tenforums.com/browsers-email/204773-microsoft-edge-promotional-messages-homepage.html "Microsoft Edge Promotional Messages On Homepage - Windows 10 Forums | www.tenforums.com"
                  [4]: https://archive.ph/2024.06.18-223049/https://www.reddit.com/r/windows/comments/15yo389/this_popped_up_on_my_desktop_while_i_was_using/ "This popped up on my desktop while I was using Firefox and I am unreasonably annoyed. I feel like I have less and less control over my OS each year. : r/windows | www.reddit.com"
                call:
                  function: SetEdgePolicyViaRegistry
                  parameters:
                    valueName: ShowRecommendationsEnabled # Edge ≥ 89
                    dwordData: '0'
              - name: Disable Edge Bing ads
                recommend: standard
                docs: |-
                  # refactor-with-variables: • Chromium Policy Caution
                  This script blocks all advertisements on Bing when using Edge, enhancing the search experience by eliminating interruptions and unwanted content.

                  By default, `bing.com` displays ads within search results [1].
                  This intrudes on privacy by tracking user behavior.
                  This script blocks these ads [1], providing a cleaner and more private search environment.
It also sets the SafeSearch filter to 'Strict' [1]. This limits adult content for safer browsing, particularly in educational settings. The 'Strict' setting may also limit the accessibility of some legitimate search results, which can affect search efficiency. Once applied, these settings cannot be changed by the user [1], solidifying the search environment configuration. You will need to run the revert script. This script applies only on K-12 SKUs identified as educational tenants by Microsoft [1]. It is effective only in educational institutions recognized by Microsoft. This script configures the `BingAdsSuppression` [1] Edge policy. The changes will take effect upon the next restart of the Edge browser [1]. > **Caution**: > - While this script offers an ad-free experience on Bing.com, it also enforces strict content filtering > which may overly restrict search results. > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. [1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#bingadssuppression "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" call: - function: SetEdgePolicyViaRegistry parameters: valueName: BingAdsSuppression # Edge ≥ 83 dwordData: '0' - function: ShowEdgeRestartSuggestion - name: Disable Edge promotional pages recommend: standard docs: |- # refactor-with-variables: • Chromium Policy Caution This script disables full-tab promotional content in Microsoft Edge. By default, Microsoft Edge may display full-tab content [1] [2]. These promotions may include product feature highlights, sign-in assistance, default browser selection, or tutorials on new features [1] [2]. This content can include welcome pages and educational material [1] [2]. 
Running this script modifies the `PromotionalTabsEnabled` policy [1] [2] to prevent Microsoft Edge from showing this type of promotional content. After executing the script, Edge will no longer display these full-tab promotions [1] [2]. This improves user privacy by reducing exposure to unsolicited promotional material and helps streamline the browsing experience by eliminating potential distractions. Additionally, it improves system performance by reducing the load times associated with these promotional tabs. > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. [1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#promotionaltabsenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240414222217/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge%3A%3APromotionalTabsEnabled "Enable full-tab promotional content | admx.help" call: function: SetEdgePolicyViaRegistry parameters: valueName: PromotionalTabsEnabled # Edge ≥ 77 dwordData: '0' - name: Disable Edge browsing history collection for ads recommend: standard docs: |- # refactor-with-variables: • Chromium Policy Caution • Authorities This script stops Microsoft from personalizing ads and content using your browsing data across its services, thereby enhancing your privacy. Microsoft Edge collects and transmits your browsing history, favorites, usage data, and other web activities to Microsoft [1] [2] [3]. This data is used to personalize advertisements and content to your interests [1] [2] [3] [4]. This information is shared with other Microsoft services, such as Microsoft Edge, Bing, and News [1] [2] [3] [4]. 
For instance, based on your activity, Microsoft may show you ads for products from stores you frequently visit or news related to topics you often read about [1] [3]. By executing this script, you prevent Microsoft from utilizing your browsing data to personalize ads and content [1]. This ensures your browsing habits are kept private and not used for advertising purposes. Authorities like The Defense Information Systems Agency (DISA) [5] and The Center for Internet Security (CIS) [6] recommend this script for enhanced security. DISA categorizes the absence of this setting as a medium severity security vulnerability [5]. This setting is applicable only to personal Microsoft accounts and does not apply to child or enterprise accounts [2] [4]. Once applied, the setting cannot be altered by the user, indicating that the browser is being managed [2] [4]. This script configures the `PersonalizationReportingEnabled` [2] [3] [4] [5] [6] Edge policy. > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. 
[1]: https://web.archive.org/web/20240623170024/https://support.microsoft.com/en-us/microsoft-edge/microsoft-edge-browsing-activity-for-personalized-advertising-and-experiences-37aa831e-6372-238e-f33f-7cd3f0e53679 "Microsoft Edge browsing activity for personalized advertising and experiences - Microsoft Support | support.microsoft.com" [2]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#personalizationreportingenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240623151609/https://www.elevenforum.com/t/enable-or-disable-personalize-advertising-and-experiences-in-microsoft-edge.16986/ "Enable or Disable Personalize Advertising and Experiences in Microsoft Edge Tutorial | Windows 11 Forum | www.elevenforum.com" [4]: https://web.archive.org/web/20240623151615/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::PersonalizationReportingEnabled "Allow personalization of ads, search and news by sending browsing history to Microsoft | admx.help" [5]: https://web.archive.org/web/20240623151630/https://www.stigviewer.com/stig/microsoft_edge/2021-02-16/finding/V-235748 "Personalization of ads, search, and news by sending browsing history to Microsoft must be disabled. | www.stigviewer.com" [6]: https://web.archive.org/web/20240625064922/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Edge_Benchmark_v1_0_0.pdf "CIS Microsoft Edge Benchmark v1.0.0 | paper.bobylive.com" call: function: SetEdgePolicyViaRegistry parameters: valueName: PersonalizationReportingEnabled # Edge ≥ 80 dwordData: '0' - name: Disable Edge Insider ads recommend: standard docs: |- # refactor-with-variables: • Chromium Policy Caution • Microsoft recommends This script disables Microsoft Edge Insider promotions to create a cleaner and more streamlined browser experience. 
By default, Edge displays content promoting its Insider channels on the "About Microsoft Edge" settings page [1]. Running this script prevents these promotional materials from appearing [1] [2]. Disabling these ads helps maintain a more private and less cluttered browsing interface. Microsoft recommends this script for users who favor a streamlined browser setup without unsolicited suggestions or interruptions [2]. This script configures the `MicrosoftEdgeInsiderPromotionEnabled` Edge policy to stop these promotions [1] [2] [3]. > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. [1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#microsoftedgeinsiderpromotionenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240618221222/https://learn.microsoft.com/en-us/mem/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-edge "Common Education Microsoft Edge configuration | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240104223003/https://borncity.com/win/2022/03/10/edge-99-0-1150-36-edge-insider-werbung-endlich-per-gpo-abschaltbar/ "Edge 99.0.1150.36: Edge Insider ads can finally be deactivated via GPO | Born's Tech and Windows World | borncity.com" call: function: SetEdgePolicyViaRegistry parameters: valueName: MicrosoftEdgeInsiderPromotionEnabled # Edge ≥ 98 dwordData: '0' - name: Disable Edge Adobe Acrobat subscription ads recommend: standard docs: |- # refactor-with-variables: • Chromium Policy Caution This script removes the Adobe Acrobat subscription button from Microsoft Edge's PDF viewer. In 2023, Microsoft integrated Adobe's PDF viewer into Edge and added a subscription button for purchasing Acrobat services [1]. 
This button is visible by default [2] and prompts users to subscribe to Adobe Acrobat, offering access to premium features [1] [2]. This script conceals the subscription button, thus preventing direct prompts to purchase Adobe's premium services from the PDF viewer [1]. This action creates a cleaner interface and minimizes commercial distractions. This script configures the `ShowAcrobatSubscriptionButton` [1] [2] Edge policy to hide the subscription button. > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. [1]: https://web.archive.org/web/20240623192157/https://www.ghacks.net/2023/03/19/how-to-remove-the-try-acrobat-advertisement-from-microsoft-edges-new-pdf-viewer/ "How to remove the Try Acrobat advertisement from Microsoft Edge's new PDF Viewer - gHacks Tech News | www.ghacks.net" [2]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#showacrobatsubscriptionbutton "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" call: function: SetEdgePolicyViaRegistry parameters: valueName: ShowAcrobatSubscriptionButton # Edge ≥ 111 dwordData: '0' - name: Disable Edge top sites and sponsored links on new tab page recommend: standard # Remove ads and increase privacy without compromising essential functionality docs: |- # refactor-with-variables: • Chromium Policy Caution This script disables the display of default top sites and sponsored links on Microsoft Edge's new tab page, enhancing privacy by eliminating commercial content and preventing the exposure of your frequently visited sites. By default, Microsoft Edge displays tiles of frequently visited sites, known as top sites, on the new tab page [1]. These sites, saved from your browsing history, facilitate quick access to frequently visited destinations [2]. 
The display also includes sponsored links [3], which are advertisements. Running this script will hide these default top site tiles and remove all sponsored quick links from the new tab page [3]. Removing these links helps minimize tracking from your visits and interactions with ads, promoting a more private browsing environment. Microsoft recommends this script for users who favor a streamlined browser setup without unsolicited suggestions or interruptions [4]. Furthermore, removing these top sites and sponsored links protects sensitive browsing data from exposure to others, including friends, family, and potential attackers, maintaining your privacy and security. This script configures the `NewTabPageHideDefaultTopSites` Edge policy [1] [3] [4]. Running this script does not require a browser restart for the changes to take effect [1]. > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. 
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#newtabpagehidedefaulttopsites "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240625091756/https://www.anoopcnair.com/how-to-add-remove-top-sites-in-edge-browser/ "How To Add Remove Top Sites In Edge Browser HTMD Blog | www.anoopcnair.com" [3]: https://web.archive.org/web/20240623123512/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnote-archive-stable-channel#feature-updates-4 "Archived release notes for Microsoft Edge Stable Channel | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240618221222/https://learn.microsoft.com/en-us/mem/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-edge "Common Education Microsoft Edge configuration | Microsoft Learn | learn.microsoft.com" call: function: SetEdgePolicyViaRegistry parameters: valueName: NewTabPageHideDefaultTopSites # Edge ≥ 77 dwordData: '0' - name: Disable Edge Follow feature recommend: standard # Recommended by CIS docs: |- # refactor-with-variables: • Chromium Policy Caution This script disables the Follow feature in Microsoft Edge. The Follow feature in Edge allows users to receive updates from influencers, websites, or topics directly in the browser [1]. By default, this feature is enabled [1]. The feature sends the URLs of websites you visit to Microsoft's Bing API, compromising privacy [2] [3]. It risks exposing sensitive information, such as search terms and personal details. It creates a personalized feed in Edge's Collections by collecting browsing data [4]. To protect privacy, it's advisable not to send browsing data to third parties [4]. Disabling this feature stops Edge from sending visited URLs to Microsoft [2] [3], and prevents communication with the Follow service [1], keeping browsing data private and local. 
The Center for Internet Security (CIS) advises disabling this feature to bolster security [4]. This script configures the `EdgeFollowEnabled` Edge policy [1] [3] [5]. Running this script does not require a browser restart for the changes to take effect [1]. > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. [1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#edgefollowenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240625101642/https://www.theverge.com/2023/4/25/23697532/microsoft-edge-browser-url-leak-bing-privacy "Microsoft Edge is leaking the sites you visit to Bing - The Verge | www.theverge.com" [3]: https://web.archive.org/web/20240625101605/https://borncity.com/win/2023/04/27/microsoft-edge-feature-follow-creators-sends-nerly-all-visited-website-urls-to-bing-api/ "Microsoft Edge feature \"Follow creators\" sends nerly all visited website URLs to Bing API | Born's Tech and Windows World | borncity.com" [4]: https://web.archive.org/web/20240625100526/https://www.syxsense.com/syxsense-securityarticles/cis_benchmarks/syx-1033-12814.html "Follow Service Enabled (CIS LEVEL 1 MS Edge) | www.syxsense.com" [5]: https://github.com/privacysexy-forks/Audit-Test-Automation/blob/2ad030524021e94dbd09c7771e6ee4d9794bb4af/ATAPAuditor/AuditGroups/Microsoft%20Edge-CIS-2.0.0%23RegistrySettings.ps1#L3381-L3416 "Audit-Test-Automation/ATAPAuditor/AuditGroups/Microsoft Edge-CIS-2.0.0#RegistrySettings.ps1 at 2ad030524021e94dbd09c7771e6ee4d9794bb4af · fbprogmbh/Audit-Test-Automation | github.com" call: function: SetEdgePolicyViaRegistry parameters: valueName: EdgeFollowEnabled # Edge ≥ 98 dwordData: '0' - name: Disable Edge Shopping Assistant recommend: strict # Recommended by DISA docs: |- # 
refactor-with-variables: • Chromium Policy Caution • Authorities • Microsoft recommends This script disables Microsoft Edge's shopping features. Microsoft refers to these features as *shopping assistant* [1] [2] [3] [4], *shopping features* [2] [5], or *Microsoft Shopping* [5]. These features allow users to compare prices, receive coupons, and use autofill during checkout to speed up the process [2]. They also provide notifications for coupons and rebates when shopping online [5]. Disabling these features addresses several privacy concerns: - **Data Collection and Profiling:** Microsoft collects extensive data about users' shopping habits and online activities. This includes users' shopping habits [5], preferences [5], websites visited [4] [5], and search history [4]. This contributes to detailed user profiling. - **Continuous Network Communication:** The browser continuously communicates with Microsoft servers. It receives retailer information [5]. It sends data about visited shopping sites and system details to Microsoft servers [5]. - **Email Scanning:** Microsoft Edge scans users' email accounts for promotional coupons [5]. The email data sent may include sensitive information. - **Targeted Advertising and Tracking:** Collected data can be used to tailor precise ads, enhancing targeted advertising efforts. Edge modifies URLs for affiliate tracking, which aids persistent online tracking [5]. - **Persistent Cookies:** Persistent cookies are used for various functions including debugging, fraud detection, and analytics [5], further compromising user privacy. - **Data Sharing:** Data is shared with Bing Rebates and Shopping services [5], potentially exposing sensitive user information to third parties [4]. This aggregation of data could lead to more detailed collection of personal information. Running this script prevents the automatic activation of features such as price comparison, coupons, and express checkout on retail websites [2]. 
Authorities like The Center for Internet Security (CIS) [1] [4] recommend this script for enhanced security. Microsoft recommends this script for users who favor a streamlined browser setup without unsolicited suggestions or interruptions [3]. This script configures the `EdgeShoppingAssistantEnabled` Edge policy to disable Edge's shopping features [1] [2] [3]. > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. [1]: https://github.com/privacysexy-forks/Audit-Test-Automation/blob/2ad030524021e94dbd09c7771e6ee4d9794bb4af/ATAPAuditor/AuditGroups/Microsoft%20Edge-CIS-2.0.0%23RegistrySettings.ps1#L4315-L4350 "Audit-Test-Automation/ATAPAuditor/AuditGroups/Microsoft Edge-CIS-2.0.0#RegistrySettings.ps1 at 2ad030524021e94dbd09c7771e6ee4d9794bb4af · fbprogmbh/Audit-Test-Automation | github.com" [2]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#edgeshoppingassistantenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240618221222/https://learn.microsoft.com/en-us/mem/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-edge "Common Education Microsoft Edge configuration | Microsoft Learn | learn.microsoft.com" [4]: https://archive.ph/2024.06.26-144015/https://www.syxsense.com/syxsense-securityarticles/cis_benchmarks/syx-1033-12839.html "Edge Shopping Assistant Enabled (CIS LEVEL 1 MS Edge) | www.syxsense.com" [5]: https://web.archive.org/web/20240623123514/https://learn.microsoft.com/en-us/microsoft-edge/privacy-whitepaper/#shopping "Microsoft Edge Privacy Whitepaper - Microsoft Edge Developer documentation | Microsoft Learn | learn.microsoft.com" call: function: SetEdgePolicyViaRegistry parameters: valueName: EdgeShoppingAssistantEnabled # Edge ≥ 87 
dwordData: '0' - name: Disable Edge Search bar on desktop recommend: strict # refactor-with-variables: • Chromium Policy Caution docs: |- This script disables the **Search bar** feature. This feature is formerly known as **Edge bar** [1] [2] [3] [4] [5] and **Web Widget** [1] [2] [3] [4] [6] [7]. This feature allows users to perform web searches directly from their desktop or within applications [5] [8]. The search is powered by Bing [6] [7], or the default search engine of Microsoft Edge [6] [7] [8]. It provides search and URL suggestions [6] [7] [8]. It also displays personalized news and content such as headlines, weather, sports, traffic, along with some tools [4] [5]. Users can access the Search bar from the "More tools" menu or jump list in Microsoft Edge [6] [7] [8]. The Search bar is enabled by default across all profiles unless disabled [6] [7] [8]. It does not start at Windows startup by default [1] [2] [9]. This feature raises privacy concerns as it collects data to provide personalized content [4] [5]. Once opened, it remains active even after you close Microsoft Edge [3]. You must explicitly close it using the "Quit" option in the System tray or the 3-dot menu [6] [7]. Running this script will disable: - The Search bar [6] [7] [8]. - The option to launch the Search bar from Microsoft Edge "More tools" menu [6] [7] [8] - The option to launch the Search bar from Microsoft Edge jump list menu [6] [7] [8] - Automatical launch of the Search bar at Windows startup [1] [2] [9]. - The option to start the Edge bar at Windows startup in Microsoft Edge settings [1] [2] [9]. 
The script configures the following Edge policies: | Edge policy | Affected Edge versions | |-----------------------------------------|-------------------------------| | `WebWidgetAllowed` [3] [6] [7] | Edge ≥ 88 and ≤ 119 [6] [7] | | `WebWidgetIsEnabledOnStartup` [1] [2] | Edge ≥ 88 and ≤ 119 [1] [2] | | `SearchbarAllowed` [8] | Edge ≥ 117 [8] | | `SearchbarIsEnabledOnStartup` [9] | Edge ≥ 117 [9] | > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. [1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#webwidgetisenabledonstartup "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240517212629/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::WebWidgetIsEnabledOnStartup "Enable the Web widget | admx.help" [3]: https://web.archive.org/web/20240517212623/https://www.elevenforum.com/t/enable-or-disable-edge-bar-in-microsoft-edge.6001/ "Enable or Disable Edge Bar in Microsoft Edge Tutorial | Windows 11 Forum | elevenforum.com" [4]: https://web.archive.org/web/20210506115349/https://blogs.msn.com/enus-get-started-with-the-web-widget/ "EN-US - Get started with the Web widget - Microsoft News | blogs.msn.com" [5]: https://web.archive.org/web/20240517205709/https://ntp.msn.com/web-widget "Edge bar | ntp.msn.com" [6]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#webwidgetallowed "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" [7]: https://web.archive.org/web/20240517212639/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::WebWidgetAllowed "Allow the Web widget at Windows startup | admx.help" [8]: 
https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#searchbarallowed "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" [9]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#searchbarisenabledonstartup "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" call: - function: SetEdgePolicyViaRegistry parameters: valueName: WebWidgetAllowed # Edge ≥ 88 and ≤ 119 dwordData: '0' - function: SetEdgePolicyViaRegistry parameters: valueName: WebWidgetIsEnabledOnStartup # Edge ≥ 88 and ≤ 119 dwordData: '0' - function: SetEdgePolicyViaRegistry parameters: valueName: SearchbarAllowed # Edge ≥ 117 dwordData: '0' - function: SetEdgePolicyViaRegistry parameters: valueName: SearchbarIsEnabledOnStartup # Edge ≥ 117 dwordData: '0' - name: Disable Edge Microsoft Rewards recommend: strict docs: |- # refactor-with-variables: • Chromium Policy Caution This script disables Microsoft Rewards in Edge. This feature is enabled by default, activating the Microsoft Rewards experience in Edge [1]. Users participating in search and earn markets will notice this feature within their Microsoft Edge user profile [1] [2]. Microsoft Rewards encourages users to earn points through Bing searches, which can be redeemed for items at the Microsoft Store [1]. However, this feature involves tracking user activities, which may pose privacy risks by potentially sharing sensitive data with third parties [1]. Running this script prevents Microsoft Rewards notifications and features from appearing in Edge [1], enhancing privacy. The script modifies the `ShowMicrosoftRewards` policy to turn off these features [2] [3] It's recommended for those who prefer not to have their search activities monitored or used for advertising purposes. 
The Center for Internet Security suggests disabling these features, viewing them as a potential security risk [1]. After applying this script, the Microsoft Rewards experience will no longer be visible in the Edge user profile [1]. Changes will take effect after restarting the browser [3]. > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. [1]: https://web.archive.org/web/20240618232029/https://www.tenable.com/audits/items/CIS_Microsoft_Edge_v1.1.0_L2.audit:e25958b42c6f13d957a456bfbfd06744 "1.106 Ensure 'Show Microsoft Rewards experiences' is set to 'D... | Tenable® | www.tenable.com" [2]: https://web.archive.org/web/20240618232113/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::ShowMicrosoftRewards_recommended "Show Microsoft Rewards experiences | admx.help" [3]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#showmicrosoftrewards "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" call: - function: SetEdgePolicyViaRegistry parameters: valueName: ShowMicrosoftRewards # Edge ≥ 88 dwordData: '0' - function: ShowEdgeRestartSuggestion - name: Disable Edge Bing suggestions in address bar recommend: strict docs: |- # refactor-with-variables: • Chromium Policy Caution This script disables suggestions from Microsoft Search in Bing within the address bar. This enhances privacy by reducing unsolicited data sharing with Bing. By default, Microsoft Edge may display results powered by Microsoft Search in Bing within the address bar suggestions [1] [2]. This occurs even if Bing is not the default search provider [1]. This feature can raise privacy concerns, as it involves sending query data to Bing. 
This script stops the display of Microsoft Search in Bing suggestions in the address bar as users type their search terms [1] [2]. It modifies the `AddressBarMicrosoftSearchInBingProviderEnabled` Edge policy [1] [2]. This script specifically targets Bing suggestions without affecting other search providers [1] [2]. Additionally, the script disables internal search results for users logged in with an Entra ID (Azure AD) within their organization [1] [2]. The changes take effect after restarting the browser [1]. > **Caution**: > - This will block the display of internal search results within an organization when logged in. > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. [1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#addressbarmicrosoftsearchinbingproviderenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240619091742/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::AddressBarMicrosoftSearchInBingProviderEnabled "Enable Microsoft Search in Bing suggestions in the address bar | admx.help" call: - function: SetEdgePolicyViaRegistry parameters: valueName: AddressBarMicrosoftSearchInBingProviderEnabled # Edge ≥ 81 dwordData: '0' - function: ShowEdgeRestartSuggestion - name: Disable Edge "Find on Page" data collection recommend: standard # Recommended by CIS docs: |- # refactor-with-variables: • Chromium Policy Caution This script stops Edge from sending data to Microsoft during 'Find on Page' searches, enhancing privacy. 'Find on Page' allows users to search for text on a webpage, highlighting matches and suggesting related terms [1] [2] [3] [4] [5]. This feature sends data to Microsoft for processing [1] [3] [4]. This data transmission is enabled by default [1] [3]. 
The data includes the text of the webpage, search terms, and a service token [5]. Sharing browsing and search history may expose data to third parties [3]. After applying this script, the 'Find on Page' feature remains usable, but without sending data to Microsoft [1] [3]. Instead, all related matches are generated on the user's device, significantly enhancing privacy without sacrificing functionality. Local processing minimizes exposure of sensitive data and aligns with security best practices from the CIS (Center for Internet Security) [3] [6]. This script configures the `RelatedMatchesCloudServiceEnabled` Edge policy [1] [3] [4] [6]. > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. [1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#relatedmatchescloudserviceenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240623123237/https://www.microsoft.com/en-us/edge/features/find-on-page?ch=1&form=MA13FJ "Find on Page | Microsoft Edge | www.microsoft.com" [3]: https://web.archive.org/web/20240623123235/https://www.syxsense.com/syxsense-securityarticles/cis_benchmarks/syx-1033-12793.html "Related Matches Cloud Service Enabled (CIS LEVEL 1 MS Edge) | www.syxsense.com" [4]: https://web.archive.org/web/20240623123512/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnote-archive-stable-channel#feature-updates-4 "Archived release notes for Microsoft Edge Stable Channel | Microsoft Learn | learn.microsoft.com" [5]: https://web.archive.org/web/20240623123514/https://learn.microsoft.com/en-us/microsoft-edge/privacy-whitepaper/#find-on-page "Microsoft Edge Privacy Whitepaper - Microsoft Edge Developer documentation | Microsoft Learn | learn.microsoft.com" [6]: 
https://github.com/privacysexy-forks/Audit-Test-Automation/blob/72d878930bc5b31295d50271314e591fa087ee42/ATAPAuditor/AuditGroups/Microsoft%20Edge-CIS-1.1.0%23RegistrySettings.ps1#L2159-L2193 "Audit-Test-Automation/ATAPAuditor/AuditGroups/Microsoft Edge-CIS-1.1.0#RegistrySettings.ps1 at 72d878930bc5b31295d50271314e591fa087ee42 · privacysexy-forks/Audit-Test-Automation | github.com" call: function: SetEdgePolicyViaRegistry parameters: valueName: RelatedMatchesCloudServiceEnabled # Edge ≥ 99 dwordData: '0' - name: Disable Edge sign-in prompt on new tab page recommend: standard docs: |- # refactor-with-variables: • Chromium Policy Caution This script removes the sign-in prompt from the new tab page in Microsoft Edge to minimize distractions and protect your privacy. By default, Microsoft Edge shows a sign-in prompt on the new tab page, asking users to log in [1]. This prompt, which resembles advertising, can compromise your privacy by encouraging the sharing of personal information. After applying this script, the sign-in prompt will no longer appear on the new tab page [1]. This change leads to a cleaner and more private browsing environment. This script configures the `SignInCtaOnNtpEnabled` Edge policy [1]. This change only takes effect after restarting the browser [1]. > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. 
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#signinctaonntpenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" call: - function: SetEdgePolicyViaRegistry parameters: valueName: SignInCtaOnNtpEnabled # Edge ≥ 99 dwordData: '0' - function: ShowEdgeRestartSuggestion - category: Harden Edge privacy # Same name as Linux > "Harden Firefox privacy" docs: |- This category contains scripts designed to enhance privacy settings in Microsoft Edge by reducing tracking mechanisms encountered during web browsing. These scripts do not block data collection conducted directly by Microsoft through Edge. Instead, these scripts empower users by providing control over the exposure of their browsing data to external entities, thereby significantly enhancing privacy. children: - name: Enable Edge tracking prevention recommend: strict # Recommended by DISA docs: |- # refactor-with-variables: • Chromium Policy Caution • Authorities This script configures Microsoft Edge's tracking prevention to the 'Strict' level, enhancing user privacy by blocking extensive web tracking. The tracking prevention feature in Microsoft Edge restricts online trackers from accessing browser storage and network resources, which helps safeguard user data [1]. By default, the 'Balanced' level is activated [1] [2]. While the 'Balanced' level does not block ads or analytics [1], this script activates the 'Strict' level to provide a higher degree of privacy by blocking these elements [1]. Although recommended for maximum privacy, the 'Strict' level may disrupt some website functionalities [3] [4]. Authorities like The Defense Information Systems Agency (DISA) [4] and The Center for Internet Security (CIS) [2] recommend this script for enhanced security. DISA categorizes the absence of this setting as a medium severity security vulnerability [4].
Once applied, this script prevents users from changing the tracking prevention level themselves [3] [4]. This script configures the `TrackingPrevention` Edge policy [1] [2] [3] [4]. Running this script does not require a browser restart for the changes to take effect [2]. > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. > - Aggressive tracking prevention may cause some websites to not function properly. [1]: https://web.archive.org/web/20240623143037/https://learn.microsoft.com/en-us/microsoft-edge/web-platform/tracking-prevention "Tracking prevention in Microsoft Edge - Microsoft Edge Developer documentation | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240625064922/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Edge_Benchmark_v1_0_0.pdf "CIS Microsoft Edge Benchmark v1.0.0 | paper.bobylive.com" [3]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#trackingprevention "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240623143146/https://www.stigviewer.com/stig/microsoft_edge/2023-06-02/finding/V-235766 "Tracking of browsing activity must be disabled. | www.stigviewer.com" call: function: SetEdgePolicyViaRegistry parameters: valueName: TrackingPrevention # Edge ≥ 78 dwordData: '3' # 3: Strict | 2: Balanced | 1: Basic | 0: Off (no tracking prevention) - name: Block Edge third party cookies recommend: strict # refactor-with-variables: • Chromium Policy Caution • Authorities docs: |- This script blocks third-party cookies in Microsoft Edge, enhancing your privacy by reducing tracking across various webpages. It prevents websites from setting cookies unless they match the domain in the address bar [1]. 
This action limits potential tracking activities by third-party entities, which could otherwise track your web activities and gather information about you [2]. Third-party cookies are enabled and not blocked by default on Edge [1]. Blocking third-party cookies may break features of websites like Microsoft 365 or Salesforce, which depend on these cookies for some of their functionality [2]. Authorities like The Center for Internet Security (CIS) [2] recommend this script for enhanced security. This script configures the `BlockThirdPartyCookies` Edge policy [1] [2]. Running this script does not require a browser restart for the changes to take effect [1]. > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. > - Some websites may not function properly without third-party cookies. [1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#blockthirdpartycookies "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240625064922/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Edge_Benchmark_v1_0_0.pdf "CIS Microsoft Edge Benchmark v1.0.0 | paper.bobylive.com" call: function: SetEdgePolicyViaRegistry parameters: valueName: BlockThirdPartyCookies # Edge ≥ 77 dwordData: '1' # 1: Block third-party cookies | 0: Allow third-party cookies - name: Enable Do Not Track requests recommend: standard # refactor-with-variables: • Chromium Policy Caution docs: |- This script enables Do Not Track requests in Microsoft Edge. Do Not Track communicates to websites that you prefer not to have your browsing activity tracked [1]. It enhances privacy by signaling your tracking preferences to websites, though compliance is not guaranteed. By default, Edge does not send Do Not Track requests [1].
This script ensures these requests are always sent to websites that seek tracking information [1]. Additionally, Microsoft endorses this script as it helps create a cleaner browser interface by reducing unsolicited suggestions [2] and improves privacy by better controlling data connections [3]. This script configures the `ConfigureDoNotTrack` Edge policy [1] [2]. Running this script does not require a browser restart for the changes to take effect [1]. > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. [1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#configuredonottrack "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240618221222/https://learn.microsoft.com/en-us/mem/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-edge "Common Education Microsoft Edge configuration | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#132-microsoft-edge-enterprise "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com" call: function: SetEdgePolicyViaRegistry parameters: valueName: ConfigureDoNotTrack # Edge ≥ 77 dwordData: '1' # 1: Always send Do Not Track requests | 0: Never send Do Not Track requests - name: Disable Edge search and site suggestions recommend: strict docs: |- # refactor-with-variables: • Chromium Policy Caution • Authorities This script disables search suggestions based on typed characters in Microsoft Edge, enhancing user privacy by preventing typed data collection. When you type in the address bar, Microsoft Edge sends characters to Microsoft servers to provide search and site suggestions [1] [2]. This data-sharing feature is enabled by default [1]. Running this script prevents these suggestions from appearing [3].
It ensures your inputs remain private and are not used to generate suggestions or telemetry [1] [2]. Authorities like The Defense Information Systems Agency (DISA) [2] and The Center for Internet Security (CIS) [4] recommend this script for enhanced security. DISA categorizes the absence of this setting as a medium severity security vulnerability [2]. Microsoft recommends this script for privacy and managing connections [5]. Impacts of running this script: - Disables search suggestions and auto-suggest features in the address bar [1] [2]. - Blocks the collection of typed characters and visited URLs for telemetry by Microsoft [1] [2]. - Retains local history and favorites suggestions, without sending this data to Microsoft [1] [2]. - Prevents users from changing this configuration [1] [2]. This script configures the `SearchSuggestEnabled` Edge policy [1] [2] [3] [4] [5]. > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. [1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#searchsuggestenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240623154047/https://www.stigviewer.com/stig/microsoft_edge/2021-02-16/finding/V-235729 "Search suggestions must be disabled. 
| www.stigviewer.com" [3]: https://web.archive.org/web/20240623153945/https://learn.microsoft.com/en-us/microsoftsearch/edge-shortcuts "Customize address bar shortcuts for Microsoft Edge | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240625064922/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Edge_Benchmark_v1_0_0.pdf "CIS Microsoft Edge Benchmark v1.0.0 | paper.bobylive.com" [5]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#132-microsoft-edge-enterprise "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com" call: function: SetEdgePolicyViaRegistry parameters: valueName: SearchSuggestEnabled # Edge ≥ 77 dwordData: '0' - name: Disable outdated Edge automatic image enhancement recommend: standard # Removed feature docs: |- # refactor-with-variables: • Chromium Policy Caution This script disables the automatic image enhancement feature. This feature is present in Microsoft Edge versions 97 to 121 [1]. It improves image sharpness, color, lighting, and contrast [1]. This feature uploads viewed images online to Microsoft for processing [2]. Starting with version 122, Microsoft Edge has removed this feature, limiting this script's use to versions 97 to 121 [1]. This script configures the `EdgeEnhanceImagesEnabled` Edge policy [1]. > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. 
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#edgeenhanceimagesenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240623171433/https://www.malwarebytes.com/blog/news/2023/06/edge-browser-feature-sends-images-you-view-back-to-microsoft "Edge browser feature sends images you view back to Microsoft | www.malwarebytes.com" call: function: SetEdgePolicyViaRegistry parameters: valueName: EdgeEnhanceImagesEnabled # Edge ≥ 97 and Edge ≤ 121 dwordData: '0' - name: Disable Edge quick links on the new tab page recommend: strict # May reduce productivity / personal preferences docs: |- # refactor-with-variables: • Chromium Policy Caution This script disables the display of quick links on the new tab page in Microsoft Edge. By default, Microsoft Edge displays quick links on the new tab page [1]. This feature provides one-click access to your most frequently visited sites by automatically adding them to this menu [2]. Running this script will hide these quick links and disable the user's ability to modify this setting in the NTP settings flyout [1]. This may reduce convenience as users will need to manually enter website addresses, but it enhances privacy by preventing the inadvertent exposure of frequently visited sites. The changes made by this script apply only to Microsoft Edge profiles associated with local user accounts, Microsoft Accounts, or Active Directory accounts [1]. They do not affect Enterprise new tab pages configured through Azure Active Directory [1]. This script configures the `NewTabPageQuickLinksEnabled` Edge policy [1] [2]. > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. 
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#newtabpagequicklinksenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240623172131/https://www.thewindowsclub.com/hide-quick-links-on-a-new-tab-page-in-edge "How to hide Quick Links on a New tab page in Edge using Registry Editor | www.thewindowsclub.com" call: function: SetEdgePolicyViaRegistry parameters: valueName: NewTabPageQuickLinksEnabled # Edge ≥ 91 dwordData: '0' - name: Disable Edge remote background images on new tab page recommend: strict # Minor privacy impact docs: |- # refactor-with-variables: • Chromium Policy Caution This script disables background images received from Microsoft servers on the new tab page. By default, if you do not run this script, all background image types on the new tab page are enabled [1] [2]. This script disables only the daily background image type, which is downloaded from Microsoft; users can still set a custom background image [1] [2]. Disabling this feature removes unnecessary network traffic to Microsoft servers that may leak data about your usage and behavior. It also simplifies the browser by avoiding these background requests. This script configures the `NewTabPageAllowedBackgroundTypes` Edge policy to value `1` (`DisableImageOfTheDay`) [1] [2]. > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#newtabpageallowedbackgroundtypes "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240623173326/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::NewTabPageAllowedBackgroundTypes "Configure the background types allowed for the new tab page layout | admx.help" call: function: SetEdgePolicyViaRegistry parameters: valueName: NewTabPageAllowedBackgroundTypes # Edge ≥ 86 dwordData: '1' # DisableImageOfTheDay (1) = Disable daily background image type | DisableCustomImage (2) = Disable custom background image type | DisableAll (3) = Disable all background image types - name: Disable Edge Collections feature recommend: strict docs: |- # refactor-with-variables: • Chromium Policy Caution • Authorities This script disables the Collections feature in Microsoft Edge. By default, if this script is not executed, users can access and use the Collections feature in Microsoft Edge [1]. The Collections feature in Edge compiles and manages web content—articles, images, and videos—for activities like shopping, trip planning, or research [2] [3]. This feature syncs across devices when logged into Microsoft Edge, keeping your collections updated no matter where you access the browser [2]. The Collections feature enables efficient collection, organization, sharing, and exporting of content, with seamless integration into Office [1] [4]. The feature lets users save and categorize web pages, text, images, and videos into groups for specific projects or interests [3]. Additionally, it enhances saved items with thumbnails and metadata, such as price and star ratings [3]. This feature raises several privacy concerns: - Microsoft analyzes saved web pages to understand item names and primary images [3]. - Data is stored on Microsoft servers once a user signs into Edge [2]. 
- Microsoft analyzes data from Collections to personalize advertising and user experiences [5]. Authorities like The Defense Information Systems Agency (DISA) [4] recommend this script for enhanced security. DISA categorizes the absence of this setting as a medium severity security vulnerability [4]. Running this script prevents access to this feature [1] [6], thereby mitigating the associated privacy risks and adhering to security recommendations. This script configures the `EdgeCollectionsEnabled` Edge policy [1] [4] [6]. This change only takes effect after restarting the browser [6]. > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. [1]: https://web.archive.org/web/20240623183109/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::EdgeCollectionsEnabled "Enable the Collections feature | admx.help" [2]: https://web.archive.org/web/20240623182734/https://support.microsoft.com/en-us/microsoft-edge/organize-your-ideas-with-collections-in-microsoft-edge-60fd7bba-6cfd-00b9-3787-b197231b507e "Organize your ideas with Collections in Microsoft Edge - Microsoft Support | support.microsoft.com" [3]: https://web.archive.org/web/20240623123514/https://learn.microsoft.com/en-us/microsoft-edge/privacy-whitepaper/#collections "Microsoft Edge Privacy Whitepaper - Microsoft Edge Developer documentation | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240623183057/https://www.stigviewer.com/stig/microsoft_edge/2021-02-16/finding/V-235770 "The collections feature must be disabled.
| www.stigviewer.com" [5]: https://web.archive.org/web/20240623170024/https://support.microsoft.com/en-us/microsoft-edge/microsoft-edge-browsing-activity-for-personalized-advertising-and-experiences-37aa831e-6372-238e-f33f-7cd3f0e53679 "Microsoft Edge browsing activity for personalized advertising and experiences - Microsoft Support | support.microsoft.com" [6]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#edgecollectionsenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" call: - function: SetEdgePolicyViaRegistry parameters: valueName: EdgeCollectionsEnabled # Edge ≥ 78 dwordData: '0' - function: ShowEdgeRestartSuggestion - name: Disable Edge failed page data collection and suggestions recommend: standard docs: |- # refactor-with-variables: • Chromium Policy Caution • Authorities This script prevents Microsoft Edge from sending data to Microsoft and suggesting alternatives when URLs fail to load. By default, Edge contacts a web service to suggest URLs and searches upon encountering network errors like DNS failures [1] [2] [3]. This feature presents several privacy concerns, including: - Exposing the websites a user visits [4] - Redirecting to potentially malicious sites if the service is compromised [4]. Authorities like The Defense Information Systems Agency (DISA) [2] recommend this script for enhanced security. DISA categorizes the absence of this setting as a medium severity security vulnerability [2]. Running this script ensures: - Edge will not request suggestions from the web service but will display a standard error page instead [1] [2] [3]. - Once applied, users cannot change the setting [1] [2] [3]. This script configures the `AlternateErrorPagesEnabled` Edge policy [1] [2] [3] [4] [5]. > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. 
> - This locks settings and prevents them from being changed on the settings page. [1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#alternateerrorpagesenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240623190006/https://www.stigviewer.com/stig/microsoft_edge/2021-02-16/finding/V-235768 "Suggestions of similar web pages in the event of a navigation error must be disabled. | www.stigviewer.com" [3]: https://web.archive.org/web/20240623185848/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::AlternateErrorPagesEnabled "Suggest similar pages when a webpage can't be found | admx.help" [4]: https://web.archive.org/web/20240623185753/https://www.syxsense.com/syxsense-securityarticles/cis_benchmarks/syx-1033-12845.html "Alternate Error Pages Enabled (CIS LEVEL 1 MS Edge) | www.syxsense.com" [5]: https://github.com/privacysexy-forks/Audit-Test-Automation/blob/2ad030524021e94dbd09c7771e6ee4d9794bb4af/ATAPAuditor/AuditGroups/Microsoft%20Edge-CIS-2.0.0%23RegistrySettings.ps1#L4603-L4637 "Audit-Test-Automation/ATAPAuditor/AuditGroups/Microsoft Edge-CIS-2.0.0#RegistrySettings.ps1 at 2ad030524021e94dbd09c7771e6ee4d9794bb4af · fbprogmbh/Audit-Test-Automation | github.com" call: function: SetEdgePolicyViaRegistry parameters: valueName: AlternateErrorPagesEnabled # Edge ≥ 80 dwordData: '0' - name: Disable outdated Edge games menu docs: |- # refactor-with-variables: • Chromium Policy Caution This script disables the outdated games menu in older versions of Microsoft Edge. The games menu in Microsoft Edge offers one-click access to various free-to-play casual and arcade games, including Microsoft Solitaire, Microsoft Jewel, Microsoft Mahjong, and the Microsoft Edge Surf Game [1]. In modern versions, this menu is integrated into the sidebar [2] [3]. 
Disabling the games menu leads to a less cluttered browser interface. Microsoft recommends this script for those favoring a streamlined browser setup without unsolicited suggestions or interruptions [3]. Minimizing unnecessary features enhances security and privacy by reducing data exposure and attack surface. Moreover, removing these features can improve system performance by reducing resource usage. This script targets older versions of Edge where games were accessible from the options menu [1]. By default, this menu is enabled and accessible on these versions [2]. It configures the `AllowGamesMenu` Edge policy to prevent access to the games menu [2] [3]. The change takes effect after restarting the browser [2]. > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. [1]: https://web.archive.org/web/20240623225633/https://blogs.windows.com/windowsexperience/2022/06/23/welcome-to-the-best-browser-for-gamers/ "Welcome to the best browser for gamers | Windows Experience Blog | blogs.windows.com" [2]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#allowgamesmenu "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240623225719/https://www.microsoft.com/en-us/edge/features/games-menu?ch=1&form=MA13FJ "Games menu | www.microsoft.com" call: - function: SetEdgePolicyViaRegistry parameters: valueName: AllowGamesMenu # Edge ≥ 99 dwordData: '0' - function: ShowEdgeRestartSuggestion - name: Disable Edge in-app support recommend: strict docs: |- # refactor-with-variables: • Chromium Policy Caution • Authorities • Microsoft recommends This script disables the in-app support feature of Microsoft Edge. The in-app support allows users to contact Microsoft support directly from the browser [1]. 
This feature is enabled by default, activating the Microsoft Rewards experience in Edge [1]. It cannot be disabled by users through the standard browser settings [1]. This feature leads to sharing of browser usage data with Microsoft support agents directly from the browser [1]. Authorities like The Center for Internet Security (CIS) [2] recommend this script for enhanced security. Microsoft recommends this script for users who favor a streamlined browser setup without unsolicited suggestions or interruptions [3]. This script configures the `InAppSupportEnabled` Edge policy [1] [2] [3]. The change takes effect after restarting the browser [1]. > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. [1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#inappsupportenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" [2]: https://github.com/privacysexy-forks/Audit-Test-Automation/blob/2ad030524021e94dbd09c7771e6ee4d9794bb4af/ATAPAuditor/AuditGroups/Microsoft%20Edge-CIS-2.0.0%23RegistrySettings.ps1#L4029-L4063 "Audit-Test-Automation/ATAPAuditor/AuditGroups/Microsoft Edge-CIS-2.0.0#RegistrySettings.ps1 at 2ad030524021e94dbd09c7771e6ee4d9794bb4af · fbprogmbh/Audit-Test-Automation | github.com" [3]: https://web.archive.org/web/20240618221222/https://learn.microsoft.com/en-us/mem/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-edge "Common Education Microsoft Edge configuration | Microsoft Learn | learn.microsoft.com" call: - function: SetEdgePolicyViaRegistry parameters: valueName: InAppSupportEnabled # Edge ≥ 98 dwordData: '0' - function: ShowEdgeRestartSuggestion - name: Disable Edge payment data storage and ads recommend: standard docs: |- # refactor-with-variables: • Chromium
Policy Caution • Authorities This script disables Microsoft Edge's AutoFill feature for payment data and suppresses payment-related advertisements, enhancing privacy by preventing the storage and suggestion of unsolicited financial information. By default, Microsoft Edge allows users to save and autofill payment information, such as credit and debit card details, for quicker transactions in web forms [1] [2]. This script prevents the browser from storing new payment data [1] [2] and stops suggestions for financial instruments like 'Buy Now, Pay Later' options during checkout [1]. Authorities like The Defense Information Systems Agency (DISA) [2] and The Center for Internet Security (CIS) [3] recommend this script for enhanced security. DISA categorizes the absence of this setting as a medium severity security vulnerability [2]. Furthermore, Microsoft recommends the use of this script for a cleaner browser interface free from unsolicited suggestions [4] and to improve privacy by controlling data connections [5]. This script configures the `AutofillCreditCardEnabled` Edge policy [1] [2] [3] [4] [5]. Running this script does not require a browser restart for the changes to take effect [1]. > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. [1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#autofillcreditcardenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240624224149/https://www.stigviewer.com/stig/microsoft_edge/2022-09-09/finding/V-235745 "AutoFill for credit cards must be disabled. 
| www.stigviewer.com" [3]: https://web.archive.org/web/20240625064922/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Edge_Benchmark_v1_0_0.pdf "CIS Microsoft Edge Benchmark v1.0.0 | paper.bobylive.com" [4]: https://web.archive.org/web/20240618221222/https://learn.microsoft.com/en-us/mem/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-edge "Common Education Microsoft Edge configuration | Microsoft Learn | learn.microsoft.com" [5]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#132-microsoft-edge-enterprise "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com" call: function: SetEdgePolicyViaRegistry parameters: valueName: AutofillCreditCardEnabled # Edge ≥ 77 dwordData: '0' - name: Disable Edge address data storage recommend: strict docs: |- # refactor-with-variables: • Chromium Policy Caution • Authorities This script disables the AutoFill feature for addresses in Microsoft Edge, ensuring that address data is not stored or automatically completed in web forms. The AutoFill feature, by default, allows users to quickly complete address forms using previously stored information [1] [2]. Running this script results in: - No new address information being saved [1] [2]. - AutoFill not suggesting or filling in any previously stored address information [1] [2]. - AutoFill remaining inactive for address forms, except in payment and password fields [1]. - Microsoft Edge will not suggest, store, or AutoFill any new address entries [1]. Authorities like The Defense Information Systems Agency (DISA) [2] and The Center for Internet Security (CIS) [3] recommend this script for enhanced security. 
DISA categorizes the absence of this setting as a medium severity security vulnerability [2]. Furthermore, Microsoft supports the use of this script for a cleaner browser interface free from unsolicited suggestions [4] and to improve privacy by controlling data connections [5]. This script configures the `AutofillAddressEnabled` Edge policy [1] [2] [3] [4] [5]. Running this script does not require a browser restart for the changes to take effect [1]. > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. [1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#autofilladdressenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240624224149/https://www.stigviewer.com/stig/microsoft_edge/2022-09-09/finding/V-235745 "Autofill for addresses must be disabled. 
| www.stigviewer.com" [3]: https://web.archive.org/web/20240625064922/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Edge_Benchmark_v1_0_0.pdf "CIS Microsoft Edge Benchmark v1.0.0 | paper.bobylive.com" [4]: https://web.archive.org/web/20240618221222/https://learn.microsoft.com/en-us/mem/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-edge "Common Education Microsoft Edge configuration | Microsoft Learn | learn.microsoft.com" [5]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#132-microsoft-edge-enterprise "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com" call: function: SetEdgePolicyViaRegistry parameters: valueName: AutofillAddressEnabled # Edge ≥ 77 dwordData: '0' - name: Disable Edge experimentation and remote configurations recommend: standard docs: |- # refactor-with-variables: • Chromium Policy Caution This script disables the Experimentation and Configuration Service in Microsoft Edge, effectively stopping automatic updates and data exchanges that are typically used for testing new features and optimizing the user experience. This service sends payloads to Edge that may contain experimental features and settings recommendations designed to improve user experience [1]. It may also change the browser's behavior on specific websites, for example, by overriding the User Agent string [1]. By default, the service operates in `FullMode`, downloading both experimental and configuration data [1]. In certain configurations, the service may download only the settings recommendations (`ConfigurationsOnlyMode`) [1]. 
Disabling this service through this script sets it to `RestrictedMode`, meaning no data will be sent back to Microsoft [2], and no payloads will be delivered [1]. This setting is recommended by authorities like The Center for Internet Security (CIS) for enhanced security [2] and by Microsoft to control data connections more securely [3]. This service can potentially compromise privacy because it involves sending data back to Microsoft, which includes feedback on development features and actions taken on certain domains [2]. It can also deliver a payload that contains a list of actions to take on certain domains [2]. This script configures the `ExperimentationAndConfigurationServiceControl` Edge policy [1]. Running this script does not require a browser restart for the changes to take effect [1]. > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. 
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#experimentationandconfigurationservicecontrol "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240625064922/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Edge_Benchmark_v1_0_0.pdf "CIS Microsoft Edge Benchmark v1.0.0 | paper.bobylive.com" [3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#132-microsoft-edge-enterprise call: function: SetEdgePolicyViaRegistry parameters: valueName: ExperimentationAndConfigurationServiceControl # Edge ≥ 77 dwordData: '0' # RestrictedMode (0) = Disable | ConfigurationsOnlyMode (1) = Configurations | FullMode (2) = Configurations + Experiments - name: Disable Edge automatic startup recommend: standard docs: |- # refactor-with-variables: • Chromium Policy Caution This script disables the Startup Boost feature in Microsoft Edge. Startup Boost enables Edge to launch more quickly by allowing certain processes to start at OS sign-in [1]. It keeps running in the background even after all browser windows are closed [1] [2]. While this can decrease the browser's start time [2], it might also pose privacy and security risks. Disabling this feature prevents Edge from starting automatically with your computer, enhancing privacy by stopping the background processes that could transmit data without active user interaction. This also bolsters security by ensuring no residual or malicious scripts continue to operate after the browser is closed [3]. Additionally, it may improve system performance by freeing up resources otherwise used by these background processes. The Center for Internet Security (CIS) recommends disabling this feature to secure personal data and reduce potential vulnerabilities [3]. 
This script configures the `StartupBoostEnabled` Edge policy [1] [4]. Running this script does not require a browser restart for the changes to take effect [1]. > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. [1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#startupboostenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240625103236/https://support.microsoft.com/en-us/topic/get-help-with-startup-boost-ebef73ed-5c72-462f-8726-512782c5e442 "Get help with startup boost - Microsoft Support | support.microsoft.com" [3]: https://web.archive.org/web/20240625103212/https://www.syxsense.com/syxsense-securityarticles/cis_benchmarks/syx-1033-12749.html "Startup Boost Enabled (CIS LEVEL 1 MS Edge) | www.syxsense.com" [4]: https://github.com/privacysexy-forks/Audit-Test-Automation/blob/2ad030524021e94dbd09c7771e6ee4d9794bb4af/ATAPAuditor/AuditGroups/Microsoft%20Edge-CIS-2.0.0%23RegistrySettings.ps1#L685-L720 call: function: SetEdgePolicyViaRegistry parameters: valueName: StartupBoostEnabled # Edge ≥ 88 dwordData: '0' - name: Disable Edge external connectivity checks recommend: standard # Edge can still rely on native connectivity check APIs docs: |- # refactor-with-variables: • Chromium Policy Caution This script disables the automatic use of a web service for resolving navigation errors in Microsoft Edge. By default, Microsoft Edge contacts a web service to diagnose connectivity issues, especially in public networks such as those in hotels and airports [1] [2]. This functionality can unintentionally reveal network-related information, potentially including sensitive personal data [2]. 
The Center for Internet Security (CIS) recommends deactivating this feature to prevent potential privacy breaches and security threats from network data leaks [2]. Running this script ensures that Edge relies solely on native APIs to handle network connectivity and navigation errors, enhancing privacy by not transmitting data to external services [1] [2]. It ensures that all navigational errors are managed locally without external web services, maintaining the resolution process entirely within the system [1] [2]. This action does not impede Edge's ability to resolve connectivity issues using its native capabilities [1] [2]. This script configures the `ResolveNavigationErrorsUseWebService` Edge policy [1]. Running this script does not require a browser restart for the changes to take effect [1]. > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. [1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#resolvenavigationerrorsusewebservice "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240625064922/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Edge_Benchmark_v1_0_0.pdf "CIS Microsoft Edge Benchmark v1.0.0 | paper.bobylive.com" call: function: SetEdgePolicyViaRegistry parameters: valueName: ResolveNavigationErrorsUseWebService # Edge ≥ 77 dwordData: '0' - name: Disable Edge Family Safety settings recommend: strict docs: |- # refactor-with-variables: • Chromium Policy Caution This script disables the Family Safety settings in Microsoft Edge. Microsoft Family Safety collects personal information such as names, email addresses, birth dates, and other diagnostic data [1]. 
By default, Edge features a dedicated family settings page and offers a Kids Mode for safer browsing experiences tailored for children [2]. This script: - Removes the Family page from the settings menu, which provides information on features associated with Microsoft Family Safety [2]. - Blocks navigation to the `edge://settings/family` URL [2]. - Disables Kids Mode, a child-friendly environment that includes custom themes and restricted browsing, and requires a device password to exit [2]. Disabling these features helps protect privacy by preventing the collection of personal and diagnostic data associated with family settings. It prevents the unintentional sharing or management of children's browsing data and other sensitive details via Edge's Family Safety protocols. This script configures the `FamilySafetySettingsEnabled` Edge policy [2]. Running this script does not require a browser restart for the changes to take effect [2]. > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. [1]: https://web.archive.org/web/20231008130529/https://support.microsoft.com/en-us/account-billing/family-safety-data-collection-and-privacy-options-3d01b791-e48a-498f-bfa6-97f0d373cd9c "Family Safety data collection and privacy options - Microsoft Support" [2]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#familysafetysettingsenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" call: function: SetEdgePolicyViaRegistry parameters: valueName: FamilySafetySettingsEnabled # Edge ≥ 83 dwordData: '0' - name: Disable Edge site information gathering from Bing recommend: strict docs: |- # refactor-with-variables: • Chromium Policy Caution This script disables the Site Safety Services in Microsoft Edge. 
By default, this service displays top site information in the page information dialog [1]. Clicking the lock icon in the address bar causes Edge to retrieve detailed site information from Microsoft Bing [2] [3]. Although intended to enhance security by providing detailed website information [3], this feature also collects data about your visits, posing privacy risks. This script stops Edge from displaying this information [1], enhancing your privacy by reducing data transmission to Microsoft. It prevents Microsoft from automatically querying or storing information about the sites you visit, thereby maintaining greater control over your personal browsing data. > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. [1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#sitesafetyservicesenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240625110427/https://www.tenforums.com/browsers-email/148535-latest-microsoft-edge-released-windows-212.html#post2292645 "Latest Microsoft Edge released for Windows - Page 212 - Windows 10 Forums | www.tenforums.com" [3]: https://web.archive.org/web/20240625111427/https://www.digitalinformationworld.com/2021/09/microsoft-edge-to-soon-have-feature.html "Microsoft Edge to soon have a feature that will allow its users to be able to know more about a site in its information box | www.digitalinformationworld.com" call: function: SetEdgePolicyViaRegistry parameters: valueName: SiteSafetyServicesEnabled # Edge ≥ 101 dwordData: '0' - category: Configure Edge (Legacy) docs: |- This category contains scripts for configuring Edge (Legacy). Edge (Legacy) has been replaced by Edge (Chromium) [1] [2]. 
It is no longer included on modern Windows versions starting with Windows 10 20H2 [1]. Additionally, it is systematically removed from older Windows versions through updates [2]. [1]: https://web.archive.org/web/20240517225921/https://blogs.windows.com/windowsexperience/2020/06/16/whats-next-for-windows-10-updates/ "What’s next for Windows 10 updates | Windows Experience Blog | blogs.windows.com" [2]: https://web.archive.org/web/20240517223534/https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-microsoft-edge-to-replace-microsoft-edge-legacy-with-april-s/ba-p/2114224 "New Microsoft Edge to replace Microsoft Edge Legacy with April’s Windows 10 Update Tuesday release - Microsoft Community Hub | techcommunity.microsoft.com" children: - name: Disable Edge (Legacy) Live Tile data collection recommend: standard docs: |- # refactor-with-variables: Same • live tiles • Performance + Privacy • Edge (Legacy) only This script disables Live Tile data collection in Edge (Legacy). **Live Tiles**, a feature within UWP apps, automatically collect and display updated information directly on the Start menu, without opening the app [1]. The Live Tiles feature, once available on Windows 8.1 and 10 [2], has been replaced by the **Widgets** feature in Windows 11 [3]. By default, pinning a Live Tile to the Start menu allows Microsoft Edge to collect and send metadata to Microsoft [4] [5] [6]. This script prevents Edge from sending this metadata [4] [5] [6]. It also blocks the collection of Live Tile metadata from `ieonline.microsoft.com` when you pin a Live Tile to the Start menu [6]. This limitation may affect the user experience [4] [5] [6]. Disabling this feature reduces potential privacy risks by preventing data sharing. This may also improve system performance by reducing processing workload. This script configures the `PreventLiveTileDataCollection` policy [4] [5] [6]. This script only applies to Edge (Legacy) and does not impact newer versions of Edge. 
[1]: https://web.archive.org/web/20240502092842/https://learn.microsoft.com/en-us/archive/msdn-magazine/2017/april/uwp-apps-develop-hosted-web-apps-for-uwp#getting-started "UWP Apps - Develop Hosted Web Apps for UWP | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240502095239/https://answers.microsoft.com/en-us/windows/forum/all/live-tiles-what-are-they/71084023-f50b-4531-973d-3ba03d2c0d44 "Live Tiles, what are they? - Microsoft Community | answers.microsoft.com" [3]: https://web.archive.org/web/20240502093116/https://www.microsoft.com/en-ca/windows/windows-11-specifications "Windows 11 Specs and System Requirements | Microsoft | www.microsoft.com" [4]: https://web.archive.org/web/20240314101034/https://learn.microsoft.com/en-us/previous-versions/windows/edge-legacy/group-policies/telemetry-management-gp#prevent-microsoft-edge-from-gathering-live-tile-information-when-pinning-a-site-to-start "Microsoft Edge - Telemetry and data collection group policies | Microsoft Learn | learn.microsoft.com" [5]: https://web.archive.org/web/20240624133131/https://learn.microsoft.com/en-us/previous-versions/windows/edge-legacy/available-policies#prevent-microsoft-edge-from-gathering-live-tile-information-when-pinning-a-site-to-start "Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros) | Microsoft Learn | learn.microsoft.com" [6]: https://web.archive.org/web/20240314125209/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection "Browser Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" call: function: SetLegacyEdgePolicyViaRegistry parameters: policySubkey: Main valueName: PreventLiveTileDataCollection dwordData: "1" - name: Disable Edge (Legacy) search suggestions recommend: standard docs: |- # refactor-with-variables: Same • Performance + Privacy • Edge (Legacy) only This script disables the search suggestions 
feature in the Address bar of Edge (Legacy). By default, typing in the Address bar of Edge (Legacy) displays search suggestions [1] [2] [3], potentially compromising privacy by sending typed data to Microsoft. This script prevents such data sharing by disabling the search suggestions feature [1] [2] [3]. As a result, users will no longer receive search suggestions when typing in the Address bar, thereby enhancing privacy [1] [2] [3]. Disabling this feature reduces potential privacy risks by preventing data sharing. This may also improve system performance by reducing processing workload. This script configures the `ShowSearchSuggestionsGlobal` policy [1] [2] [3]. This script only applies to Edge (Legacy) and does not impact newer versions of Edge. [1]: https://web.archive.org/web/20240314100851/https://learn.microsoft.com/en-us/previous-versions/windows/edge-legacy/group-policies/address-bar-settings-gp "Microsoft Edge - Address bar group policies | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240624135139/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.MicrosoftEdge::AllowSearchSuggestionsinAddressBar "Configure search suggestions in Address bar | admx.help" [3]: https://web.archive.org/web/20240624133131/https://learn.microsoft.com/en-us/previous-versions/windows/edge-legacy/configure-search-suggestions-in-address-bar "Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros) | Microsoft Learn | learn.microsoft.com" call: function: SetLegacyEdgePolicyViaRegistry parameters: policySubkey: SearchScopes valueName: ShowSearchSuggestionsGlobal dwordData: "0" - name: Disable Edge (Legacy) Books telemetry recommend: standard docs: |- # refactor-with-variables: • Edge (Legacy) only This script prevents Microsoft Edge (Legacy) from sending additional telemetry data from the Books tab. By default, Edge collects basic telemetry data based on your device settings [1]. 
This script ensures that only this basic telemetry is collected, and no extra data is transmitted when accessing the Books feature. This script configures the `EnableExtendedBooksTelemetry` Edge policy [1]. This script only applies to Edge (Legacy) and does not impact newer versions of Edge. [1]: https://web.archive.org/web/20240314125209/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#enableextendedbookstelemetry "Browser Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" call: function: SetLegacyEdgePolicyViaRegistry parameters: policySubkey: BooksLibrary valueName: EnableExtendedBooksTelemetry dwordData: "0" - category: Configure Internet Explorer children: - name: Disable Internet Explorer geolocation recommend: standard call: function: SetRegistryValue parameters: keyPath: HKCU\Software\Policies\Microsoft\Internet Explorer\Geolocation valueName: PolicyDisableGeolocation dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable Internet Explorer InPrivate logging recommend: standard call: function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Safety\PrivacIE valueName: DisableLogging dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable Internet Explorer CEIP (Customer Experience Improvement Program) recommend: standard docs: https://www.stigviewer.com/stig/internet_explorer_8/2014-07-03/finding/V-15492 call: function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\SQM valueName: DisableCustomerImprovementProgram dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable legacy WCM policy calls recommend: standard code: reg add 
"HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "CallLegacyWCMPolicies" /t REG_DWORD /d 0 /f revertCode: >- :: Default value is `0` since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "CallLegacyWCMPolicies" /t REG_DWORD /d 0 /f - name: Disable SSLv3 fallback recommend: standard docs: https://www.stigviewer.com/stig/microsoft_internet_explorer_11/2018-04-02/finding/V-64729 call: function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings valueName: EnableSSL3Fallback dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable certificate error ignoring recommend: standard docs: https://www.stigviewer.com/stig/microsoft_internet_explorer_11/2017-03-01/finding/V-64717 call: function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings valueName: PreventIgnoreCertErrors dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Configure Chrome docs: |- # Similar to "Configure Edge" This category contains scripts that adjust Google Chrome settings to enhance privacy, security, and potentially improve system performance Google Chrome collects a variety of data: - **Browsing Data**: URLs, cached content, and IP addresses from visited pages [1]. - **Personal Information and Passwords**: Data used to autofill forms and sign into sites [1]. - **Cookies and Site Data**: Information from websites you visit [1]. - **Download Records**: Details of your internet downloads [1]. - **Usage Statistics and Crash Reports**: Includes performance stats and crash data [1]. - **Media Licenses and Identifiers**: Locally stored session identifiers and media licenses [1]. 
- **Location Data**: Estimated location based on Wi-Fi and cell signal data [1]. - **Information for Web Services**: Data sent to Google during the use of web services [1]. - **Search and Navigation Data**: Data typed into the omnibox for search predictions [1]. - **Autofill and Payment Information**: Information about web forms, passwords, and payment methods stored for autofill [1]. - **Sync Data**: Browsing history and other browser settings synced across devices [1]. - **Incognito and Guest Mode Data**: Data not saved when using these browser modes [1]. This data collection raises privacy concerns because it can be used for personal identification, targeted advertising, and product improvement [1]. Additionally, Google Chrome may share aggregated, non-personally identifiable information with third parties like publishers and advertisers [1]. These scripts enable you to configure Google Chrome to limit these data collection practices, enhancing your online privacy, security, and system performance. [1]: https://web.archive.org/web/20230402091425/https://www.google.com/chrome/privacy/ "Chrome Browser Privacy Policy - Google Chrome | www.google.com" children: - name: Disable outdated Chrome Software Reporter Tool recommend: standard # Outdated component, removal improves security and privacy docs: |- # refactor-with-variables: • Performance + Privacy This script blocks the execution of the Chrome Software Reporter Tool, enhancing your privacy by preventing unnecessary data transmissions to Google, and boosting system performance through reduced resource consumption. This tool is also known as the *Software Reporter Tool* [1] [2] [3], *Software Reporter Tool for Chrome Cleanup* [4], *Chrome Cleanup Tool* [2] [3] and *Software Removal Tool* [2]. It exists in Google Chrome [1] versions prior to v111 [3]. Newer versions of Google Chrome do not include this tool [3]. This tool scans for harmful software that may disrupt Chrome's operations [1] [3] [5] [6]. 
It automatically removes software that degrades your browsing experience [1] [3] [5] [6]. It can connect to the Internet, monitor applications, record keyboard and mouse inputs, and manipulate other programs [2]. It reports findings to Google [1] [3] [4], which raises privacy concerns due to potential data collection and online reporting. The Software Reporter Tool may also significantly consume CPU and memory resources [1] [3] [4] [5], potentially leading to performance issues. By disabling it, you reduce CPU and memory usage, potentially speeding up your computer. It is located in the `%LOCALAPPDATA%\Google\Chrome\User Data\SwReporter` directory [1] [2] [3] [5]. Its executable name is `software_reporter_tool.exe` [1] [2] [3] [4] [5] [6]. This file reappears with each update of Chrome [3]. Instead of deleting or moving the file, the script blocks its execution to ensure it remains disabled after Chrome updates. Disabling this feature reduces potential privacy risks by preventing data sharing. This may also improve system performance by reducing processing workload. Disabling this tool protects your privacy by: - Preventing sending scan results to Google [1] [3] [4]. - Some malware disguise themselves as `software_reporter_tool.exe` [2] so running this script will also protect you against these. - This outdated component [3] may contain known vulnerabilities; disabling it helps mitigate these security risks by reducing your attack surface. > **Caution**: Disabling this component may limit Chrome's ability to automatically detect and remove problematic software. [1]: https://web.archive.org/web/20240528101432/https://www.softwaretestinghelp.com/software-reporter-tool/ "Software Reporter Tool: How To Disable Chrome Cleanup Tool | www.softwaretestinghelp.com" [2]: https://web.archive.org/web/20240528101420/https://www.file.net/process/software_reporter_tool.exe.html "software_reporter_tool.exe Windows process - What is it? 
| www.file.net" [3]: https://web.archive.org/web/20240528101406/https://www.thewindowsclub.com/disable-google-chrome-software-reporter-tool "How to disable Google Chrome Software Reporter Tool | www.thewindowsclub.com" [4]: https://web.archive.org/web/20240528101617/https://support.google.com/chrome/a/thread/99323901/the-software-reporter-tool-exe-is-malware-admins-need-control-back-over-this-unwanted-software?hl=en "The software_reporter_tool.exe is malware - admins need control back over this unwanted software. - Chrome Enterprise & Education Community | support.google.com" [5]: https://web.archive.org/web/20240528101401/https://appuals.com/how-to-fix-software-reporter-tool-high-cpu-usage/ "How to Fix Software Reporter Tool High CPU usage | appuals.com" [6]: https://archive.ph/2018.05.24-082444/https://productforums.google.com/forum/%23!topic/chrome/bFhfVkR-ENo "Clarification from a Google community specialist | What is software_reporter_tool in this version of Chrome? Software Reporter Tool - Google Product Forums | productforums.google.com" call: function: TerminateAndBlockExecution parameters: executableNameWithExtension: software_reporter_tool.exe - category: Configure Chrome cleanup children: - name: Disable sharing scanned software data with Google recommend: standard # DISA recommends docs: |- # refactor-with-variables: • Chromium Policy Caution • Authorities • Performance + Privacy • Active Directory only This script stops the Chrome Cleanup Tool from sending scan data to Google, enhancing privacy. By default, when the Chrome Cleanup Tool detects unwanted software, it reports metadata about the scan and the software to Google [1] [2]. The reported data includes file metadata, automatically installed extensions, and registry keys [1] [2]. Users can choose to share cleanup results with Google to enhance future software detection [1] [2]. Disabling this feature reduces potential privacy risks by preventing data sharing. 
This may also improve system performance by reducing processing workload. Authorities like The Defense Information Systems Agency (DISA) [2] recommend this script for enhanced security. DISA categorizes the absence of this setting as a medium severity security vulnerability [2]. This script applies only to Windows devices within a Microsoft Active Directory domain or managed in similar way [1] [2]. It is effective only on computers under organizational management, such as those in workplaces or schools. It's not applicable to personal computers that are not managed by an organization. This script configures the `ChromeCleanupReportingEnabled` policy [1] [2]. Changing this policy does not require restarting the browser to take effect [1]. > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. [1]: https://web.archive.org/web/20200606120247/https://www.chromium.org/administrators/policy-list-3#ChromeCleanupReportingEnabled "Policy List - The Chromium Projects | www.chromium.org" [2]: https://web.archive.org/web/20240624111317/https://www.stigviewer.com/stig/google_chrome_current_windows/2018-09-06/finding/V-81593 "Chrome Cleanup reporting must be disabled. | www.stigviewer.com" call: function: SetChromePolicyViaRegistry parameters: valueName: ChromeCleanupReportingEnabled # Chrome ≥ 68 dwordData: "0" - name: Disable Chrome system cleanup scans recommend: standard # DISA recommends docs: |- # refactor-with-variables: • Chromium Policy Caution • Authorities • Performance + Privacy • Active Directory only This script disables Chrome system cleanup scans to enhance user privacy and improve system performance. By default, Chrome Cleanup Tool periodically scans the system for unwanted software and prompts the user for removal [1] [2]. This feature can also be manually triggered from the `chrome://settings/cleanup` page [1] [2]. 
Running this script stops the Chrome Cleanup Tool from performing system scans and cleanups [1] [2], which protects your system's information from being analyzed and shared. It also disables the manual trigger of this feature from the settings page [1] [2]. Disabling this feature reduces potential privacy risks by preventing data sharing. This may also improve system performance by reducing processing workload. Authorities like The Defense Information Systems Agency (DISA) [2] recommend this script for enhanced security. DISA categorizes the absence of this setting as a medium severity security vulnerability [2]. This script applies only to Windows devices within a Microsoft Active Directory domain or managed in similar way [1] [2]. It is effective only on computers under organizational management, such as those in workplaces or schools. It's not applicable to personal computers that are not managed by an organization. This script configures the `ChromeCleanupEnabled` policy [1] [2]. Changes will take effect after restarting the browser [1]. > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. [1]: https://web.archive.org/web/20200606120247/https://www.chromium.org/administrators/policy-list-3#ChromeCleanupEnabled "Policy List - The Chromium Projects | www.chromium.org" [2]: https://web.archive.org/web/20240624112722/https://www.stigviewer.com/stig/google_chrome_current_windows/2018-09-06/finding/V-81591 "Chrome Cleanup must be disabled. 
| www.stigviewer.com" call: - function: SetChromePolicyViaRegistry parameters: valueName: ChromeCleanupEnabled # Chrome ≥ 68 dwordData: "0" - function: ShowChromeRestartSuggestion - name: Disable Chrome metrics reporting recommend: standard # DISA recommends docs: |- # refactor-with-variables: • Chromium Policy Caution • Authorities • Performance + Privacy • Active Directory only This script disables Chrome's metrics reporting, enhancing user privacy and system performance. By default, Chrome may send anonymous usage and crash-related data to Google [1] [2]. If no user preference is set, Chrome follows the initial choice made during installation or first run [1] [2]. This script ensures that anonymous reporting of usage and crash-related data is stopped, preventing this data from being sent to Google [1] [2]. Additionally, it locks this setting, making it immutable by users [1] [2]. Disabling this feature reduces potential privacy risks by preventing data sharing. This may also improve system performance by reducing processing workload. Authorities like The Defense Information Systems Agency (DISA) [2] recommend this script for enhanced security. DISA categorizes the absence of this setting as a medium severity security vulnerability [2]. This script applies only to Windows devices within a Microsoft Active Directory domain or managed in similar way [1] [2]. It is effective only on computers under organizational management, such as those in workplaces or schools. It's not applicable to personal computers that are not managed by an organization. This script configures the `MetricsReportingEnabled` policy [1] [2]. Changes will take effect after restarting the browser [1]. > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. 
[1]: https://web.archive.org/web/20200606120247/https://www.chromium.org/administrators/policy-list-3#MetricsReportingEnabled "Policy List - The Chromium Projects | www.chromium.org" [2]: https://web.archive.org/web/20240624113958/https://www.stigviewer.com/stig/google_chrome_v23_windows/2013-01-11/finding/V-35780 "Metrics reporting to Google must be disabled | www.stigviewer.com" call: - function: SetChromePolicyViaRegistry parameters: valueName: MetricsReportingEnabled # Chrome ≥ 8 dwordData: "0" - function: ShowChromeRestartSuggestion - category: Configure Firefox docs: |- This category provides scripts for enhancing Firefox privacy by limiting data shared with Mozilla. children: - name: Disable Firefox default browser and system data reporting recommend: standard docs: |- This script disables the Firefox *Default Browser Agent*. The agent collects and sends information about the user's default browser to Mozilla [1]. Disabling it halts the transmission of details such as the currently set default browser, the previous one, and the operating system's locale and version number [2] [3]. This enhances privacy by preventing browser preferences and usage data from being shared with Mozilla. The script configures the `HKLM\SOFTWARE\Policies\Mozilla\Firefox!DisableDefaultBrowserAgent` registry value to prevent the Default Browser Agent from taking any actions [4]. 
[1]: https://web.archive.org/web/20231201223153/https://firefox-source-docs.mozilla.org/toolkit/mozapps/defaultagent/default-browser-agent/index.html "Default Browser Agent — Firefox Source Docs documentation | firefox-source-docs.mozilla.org" [2]: https://web.archive.org/web/20240313164703/https://blog.mozilla.org/data/2020/03/16/understanding-default-browser-trends/ "Understanding default browser trends – Data@Mozilla | blog.mozilla.org" [3]: https://web.archive.org/web/20240313164715/https://github.com/mozilla-services/mozilla-pipeline-schemas/pull/495/files#diff-48f14d6bdea5bf803f8b8cff5f018172 "Bug 1602463 - Add a schema for the new default-browser ping · Pull Request #495 · mozilla-services/mozilla-pipeline-schemas · GitHub | github.com/mozilla-services" [4]: https://web.archive.org/web/20240529061535/https://github.com/privacysexy-forks/policy-templates#disabledefaultbrowseragent "GitHub - privacysexy-forks/policy-templates: Policy Templates for Firefox | github.com/privacysexy-forks" call: function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Mozilla\Firefox valueName: DisableDefaultBrowserAgent dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2), last tested on Firefox v126 - name: Disable Firefox background browser checks recommend: standard docs: |- This script stops Firefox from automatically checking its default browser status and reporting to Mozilla every 24 hours [1] [2] by disabling specific scheduled tasks that initiate Firefox's *Default Browser Agent*. It protects your privacy by preventing regular data sharing. 
### Overview of default task statuses `\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB` (tested on version 118): | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟢 Ready | | Windows 11 22H2 | 🟢 Ready | `\Mozilla\Firefox Default Browser Agent D2CEEC440E2074BD` (tested on version 118): | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟡 N/A (missing) | | Windows 11 22H2 | 🟡 N/A (missing) | [1]: https://web.archive.org/web/20231201223153/https://firefox-source-docs.mozilla.org/toolkit/mozapps/defaultagent/default-browser-agent/index.html "Default Browser Agent — Firefox Source Docs documentation | firefox-source-docs.mozilla.org" [2]: https://web.archive.org/web/20240313164703/https://blog.mozilla.org/data/2020/03/16/understanding-default-browser-trends/ "Understanding default browser trends – Data@Mozilla | blog.mozilla.org" call: - function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Mozilla\' -TaskName 'Firefox Default Browser Agent 308046B0AF4A39CB' taskPathPattern: \Mozilla\ taskNamePattern: Firefox Default Browser Agent 308046B0AF4A39CB - function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Mozilla\' -TaskName 'Firefox Default Browser Agent D2CEEC440E2074BD' taskPathPattern: \Mozilla\ taskNamePattern: Firefox Default Browser Agent D2CEEC440E2074BD - name: Disable Firefox telemetry data collection recommend: standard docs: |- This script disables Firefox's telemetry to prevent the collection and transmission of browser performance and usage data to Mozilla [1]. Disabling telemetry prevents both the storage and transmission of this data [1], ensuring users' browsing habits remain private. The telemetry is disabled by configuring `HKLM\SOFTWARE\Policies\Mozilla\Firefox!DisableTelemetry` registry key [1]. 
[1]: https://web.archive.org/web/20240529061535/https://github.com/privacysexy-forks/policy-templates#disabletelemetry "privacysexy-forks/policy-templates: Policy Templates for Firefox | github.com/privacysexy-forks" call: function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Mozilla\Firefox valueName: DisableTelemetry dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2), last tested on Firefox v126 - category: Disable Google background automatic updates docs: |- This category includes scripts to manage the automatic updates of various Google products in the background. These products include Google Chrome, Google Earth, along with other applications [1]. This category aims to give users control over the automatic update processes running in the background, without disabling manual updates or affecting the overall functionality of Google products [1]. Google Chrome checks for, downloads, and installs updates in the background [2], without requiring user interaction [2]. This includes constant network communication in the background with Google servers, which reveals data about your device and usage behavior. By using the scripts provided, users can stop automatic update services and scheduled tasks related to Google software updates. This empowers users to initiate updates at their discretion, ensuring they have the final say in what gets installed on their systems. 
[1]: https://web.archive.org/web/20231026233855/https://github.com/google/omaha "google/omaha: Google Update for Windows | github.com/google" [2]: https://web.archive.org/web/20110218173854/http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95414 "Update Google Chrome : Install or update Google Chrome - Google Chrome Help | google.com/support" children: # 💡 Valuable resources of information for this category: # - https://bugs.chromium.org: Chromium project's bug tracker # - https://github.com/google/omaha: The open-source version of Google Update - name: Disable "Google Update Service" services recommend: standard # Safe-to-disable as they're stopped by default docs: |- This script disables the "Google Update Service" services. These services are identified as `gupdate` and `gupdatem` [1] [2] [3]. They are responsible for keeping Google software up to date by initiating updates [4]. They are linked to the `GoogleUpdate.exe` executable located in the `%PROGRAMFILES%\Google\Update` directory [5] [6] [7]. The services operate based on a client/service model, where the client requests services to conduct updates [1]. Despite both services being named "Google Update Service" [3] [8] [9], they are associated with different aspects of updating. The `gupdate` service is linked to regular update checks [2] [5] [7], while `gupdatem` is connected to medium level service updates [2] [5] [6]. According to Google's documentation, these services play a crucial role in maintaining the software's security and functionality [3]. These services will uninstall themselves if no Google software is utilizing them [3]. However, there are privacy and security concerns associated with these services. They continuously run in the background, sending data back to Google [10] [11], and they write entries to the Windows Event Log [12] [13] [14] [15] [16], which reveals information about the system's state. 
There have also been vulnerabilities found in these services in the past, adding an additional layer of risk [17]. Disabling these services does not affect manual updates, as these services are started automatically for manual updates [4]. Often administrators choose to delete these services to prevent auto-updates [9], a practice that is acknowledged by the Google team [9]. By disabling these services, this script aims to give users more control over their system and mitigate potential privacy and security risks, albeit at the cost of not receiving automatic software updates from Google. ### Overview of default service statuses Google Update Service (`gupdate`) (tested on version Chrome 123.0.6312.106): | OS Version | Status | Start type | | ---------- | -------| ---------- | | Windows 10 (≥ 21H1) | 🔴 Stopped | Automatic | | Windows 11 (≥ 22H2) | 🔴 Stopped | Automatic | Google Update Service (`gupdatem`) (tested on version Chrome 123.0.6312.106): | OS Version | Status | Start type | | ---------- | -------| ---------- | | Windows 10 (≥ 21H1) | 🔴 Stopped | Manual | | Windows 11 (≥ 22H2) | 🔴 Stopped | Manual | [1]: https://archive.ph/2023.10.26-231300/https://github.com/google/omaha/blob/8fa5322c5c35d0cede28f4c32454cb0285490b6d/omaha/goopdate/omaha3_idl.idl%23L178-L186 "omaha/omaha/goopdate/omaha3_idl.idl at 8fa5322c5c35d0cede28f4c32454cb0285490b6d · google/omaha | github.com/google" [2]: https://archive.ph/2023.10.26-231313/https://github.com/google/omaha/blob/8fa5322c5c35d0cede28f4c32454cb0285490b6d/omaha/common/omaha_customization_unittest.cc%23L290-L299 "omaha/omaha/common/omaha_customization_unittest.cc at 8fa5322c5c35d0cede28f4c32454cb0285490b6d · google/omaha | github.com/google" [3]: https://archive.ph/2023.10.26-224813/https://github.com/google/omaha/blob/8fa5322c5c35d0cede28f4c32454cb0285490b6d/omaha/internal/grit/goopdateres.grd%23L166-L177 "omaha/omaha/internal/grit/goopdateres.grd at 8fa5322c5c35d0cede28f4c32454cb0285490b6d · google/omaha · GitHub | 
github.com/google" [4]: https://archive.ph/2023.10.26-231136/https://bugs.chromium.org/p/chromium/issues/detail?id=137915%23c138 "Comment 138 | 137915 - Update failed (error:3) | bugs.chromium.org" [5]: https://archive.ph/2023.10.26-231114/https://bugs.chromium.org/p/chromium/issues/detail?id=114356 "114356 - Loading issue... | bugs.chromium.org" [6]: https://web.archive.org/web/20231026231058/http://windows.fyicenter.com/4677_Google_Update_Service_gupdatem_-GoogleUpdate_exe_Service_on_Windows_7.html '"Google Update Service (gupdatem) - GoogleUpdate.exe" Service on Windows 7 | windows.fyicenter.com' [7]: https://web.archive.org/web/20231026231059/http://windows.fyicenter.com/4676_Google_Update_Service_gupdate_-GoogleUpdate_exe_Service_on_Windows_7.html '"Google Update Service (gupdate) - GoogleUpdate.exe" Service on Windows 7 | windows.fyicenter.com' [8]: https://archive.ph/2023.10.26-231235/https://bugs.chromium.org/p/chromium/issues/detail?id=948427%23c9 "Comment 9 | 948427 - Update disabled not working in Chrome 73.0.3683.86 | bugs.chromium.org" [9]: https://archive.ph/2023.10.26-231246/https://bugs.chromium.org/p/chromium/issues/detail?id=1096494 "1096494 - google update service should never be deleted | bugs.chromium.org" [10]: https://web.archive.org/web/20231026231341/https://support.google.com/chrome/thread/207230079/high-ghost-data-usage-by-chrome-on-pc-past-midnight?hl=en "High ghost data usage by Chrome on PC past midnight - Google Chrome Community | support.google.com" [11]: https://web.archive.org/web/20231026231335/https://support.google.com/chrome/thread/113993958/why-gupdate-uses-all-my-bandwidth-stopping-my-surfing-completely?hl=en 'Why "gupdate" uses all my bandwidth, stopping my surfing completely? 
- Google Chrome Community | support.google.com' [12]: https://archive.ph/2023.10.26-231121/https://bugs.chromium.org/p/chromium/issues/detail?id=237227 "237227 - Update service spam to Event Log | bugs.chromium.org" [13]: https://archive.ph/2023.10.26-231148/https://bugs.chromium.org/p/chromium/issues/detail?id=71377%23c5 'Comment 5 | 71377 - Random but frequent crashes after downloads, "CSRBthFtpShellExt.dll_unloaded" | bugs.chromium.org' [14]: https://archive.ph/2023.10.26-231155/https://bugs.chromium.org/p/chromium/issues/detail?id=100548%23c2 "Comment 2 | 100548 - Please remove Googe Update from the Google Chrome Enterprise installation | bugs.chromium.org" [15]: https://archive.ph/2023.10.26-231214/https://bugs.chromium.org/p/chromium/issues/detail?id=309362%23c12 'Comment 12 | 309362 - "Nearly up-to-date! Relaunch Google Chrome to finish updating." message is not going away | bugs.chromium.org' [16]: https://archive.ph/2023.10.26-231222/https://bugs.chromium.org/p/chromium/issues/detail?id=338776%23c3 "Comment 3 | 338776 - CRITICAL REGRESSION: unable to update to new version - relaunch after update does not finish updating - chromium | bugs.chromium.org" [17]: https://archive.ph/2023.10.26-231205/https://bugs.chromium.org/p/chromium/issues/detail?id=167737 "167737 - Security: Unquoted search path vulnerability in GoogleUpdate.exe | bugs.chromium.org" call: - function: DisableService parameters: serviceName: gupdate # Check: (Get-Service -Name gupdate).StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - function: DisableService parameters: serviceName: gupdatem # Check: (Get-Service -Name gupdatem).StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable Google automatic updates scheduled tasks (breaks Google Credential Provider) recommend: strict docs: |- This script disables the scheduled tasks used by Google to automatically update its software on Windows. 
The Google Update service creates two main tasks [1]: - `GoogleUpdateTaskMachineCore`: Initiates automatic updates [2]. - `GoogleUpdateTaskMachineUA`: Corresponds to "Updates app" [3]. In newer versions of the Google Update service, these task names have random suffixes appended to them [4]. Both of these tasks call the executable file `C:\Program Files (x86)\Google\Update\GoogleUpdate.exe` [5] [6]. This process is officially named "Google Installer" [7] or "Constant Shell" [8]. It is responsible for handling updates [9] [10]. Disabling these tasks can impact the functionality of the "Google Credential Provider for Windows" (GCPW) service [11] [12]. GCPW is a tool used to manage devices with Google endpoint management [13]. This tool is typically used to offer access to Google Workspace services on managed computers [13]. It allows users to sign in to a Windows 10 or 11 device using their Google Account for work or school [14]. These tasks are described by Google as follows [15]: > Keeps your Google software up to date. If this task is disabled or stopped, your Google software will not be kept up to date, meaning security > vulnerabilities that may arise cannot be fixed and features may not work. This task uninstalls itself when there is no Google software using it. 
### Overview of default task statuses `\GoogleUpdateTaskMachineCore{RandomString}` [4] (tested since Chrome version 118): | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟢 Running | | Windows 11 22H2 | 🟢 Running | `\GoogleUpdateTaskMachineUA{RandomString}` [4] (tested since Chrome version 118): | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟢 Ready | | Windows 11 22H2 | 🟢 Ready | `\GoogleUpdateTaskMachineCore` [16] (used by older versions of Chrome): | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟡 N/A (missing) | | Windows 11 22H2 | 🟡 N/A (missing) | `\GoogleUpdateTaskMachineUA` [16] (used by older versions of Chrome): | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟡 N/A (missing) | | Windows 11 22H2 | 🟡 N/A (missing) | [1]: https://archive.ph/2023.10.25-184810/https://bugs.chromium.org/p/chromium/issues/detail?id=114356%23c2 "Comment 2 | 114356 - Google Update Services (gupdate & gupdatem) | bugs.chromium.org" [2]: https://archive.ph/2023.10.25-184936/https://bugs.chromium.org/p/chromium/issues/detail?id=440549%23c51 "Comment 51 | 440549 - Google Chrome Auto-Update Not working consistently / Google Update GPO policy not honored. | bugs.chromium.org" [3]: https://archive.ph/2023.10.25-185011/https://bugs.chromium.org/p/chromium/issues/detail?id=440549%23c52 "Comment 52 | 440549 - Google Chrome Auto-Update Not working consistently / Google Update GPO policy not honored. 
| bugs.chromium.org" [4]: https://archive.ph/2023.10.25-184839/https://github.com/google/omaha/blob/8fa5322c5c35d0cede28f4c32454cb0285490b6d/omaha/common/scheduled_task_utils_internal.h "omaha/omaha/common/scheduled_task_utils_internal.h at 8fa5322c5c35d0cede28f4c32454cb0285490b6d · google/omaha | github.com/google" [5]: https://archive.ph/2023.10.25-185032/https://bugs.chromium.org/p/chromium/issues/detail?id=137915%23c55 "Comment 55 | 137915 - Update failed (error:3) | bugs.chromium.org" [6]: https://archive.ph/2023.10.25-185051/https://bugs.chromium.org/p/chromium/issues/detail?id=1394589%23c12 "Comment 12 | 1394589 - chrome 108 prematurely stopped checking for updates under Windows 7 - chromium" [7]: https://web.archive.org/web/20231025184531/https://strontic.github.io/xcyclopedia/library/GoogleUpdate.exe-6BF197B8C7DE4B004C5D6FA415FC7867.html "GoogleUpdate.exe | Google Installer | STRONTIC | strontic.github.io" [8]: https://archive.ph/2023.10.25-185455/https://github.com/google/omaha/blob/8fa5322c5c35d0cede28f4c32454cb0285490b6d/doc/Omaha3Walkthrough.md?plain=1%23L11 "omaha/doc/Omaha3Walkthrough.md at 8fa5322c5c35d0cede28f4c32454cb0285490b6d · google/omaha | github.com/google" [9]: https://web.archive.org/web/20231025184546/https://www.shouldiblockit.com/googleupdate.exe-8f0de4fef8201e306f9938b0905ac96a.aspx "GoogleUpdate.exe - Should I Block It? 
(MD5 8f0de4fef8201e306f9938b0905ac96a) | shouldiblockit.com" [10]: https://web.archive.org/web/20231025185202/https://raw.githubusercontent.com/google/omaha/8fa5322c5c35d0cede28f4c32454cb0285490b6d/doc/GoogleUpdateOnAScheduleOverview.html "omaha/doc/GoogleUpdateOnAScheduleOverview.html at 8fa5322c5c35d0cede28f4c32454cb0285490b6d · google/omaha | github.com/google" [11]: https://web.archive.org/web/20231025184142/https://support.google.com/a/answer/9572621?hl=en#zippy=%2Cyour-administrator-doesnt-allow-you-to-sign-in-with-this-account-try-a-different-account "Troubleshoot GCPW - Google Workspace Admin Help | support.google.com" [12]: https://web.archive.org/web/20231025184249/https://cloud.google.com/knowledge/kb/error-message-received-when-trying-to-login-000003983 "Error message received when trying to login | Google Cloud | cloud.google.com" [13]: https://web.archive.org/web/20231025184232/https://support.google.com/a/topic/24642?hl=en "Manage devices for your organization - Google Workspace Admin Help | support.google.com" [14]: https://web.archive.org/web/20231025184204/https://support.google.com/a/answer/9250996?hl=en "Install Google Credential Provider for Windows - Google Workspace Admin Help | support.google.com" [15]: https://github.com/google/omaha/blob/8fa5322c5c35d0cede28f4c32454cb0285490b6d/omaha/internal/grit/goopdateres.grd#L166-L177 "omaha/omaha/internal/grit/goopdateres.grd at 8fa5322c5c35d0cede28f4c32454cb0285490b6d · google/omaha · GitHub | github.com/google" [16]: https://archive.ph/2023.10.25-185536/https://bugs.chromium.org/p/chromium/issues/detail?id=1274960 "1274960 - GoogleUpdateSetup.exe don't check ACL of Schedule task files GoogleUpdateTaskMachineCore and GoogleUpdateTaskMachineUA - chromium | bugs.chromium.org" call: - function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\' -TaskName 'GoogleUpdateTaskMachineCore' taskPathPattern: \ taskNamePattern: GoogleUpdateTaskMachineCore - function: DisableScheduledTask 
parameters: # Check: Get-ScheduledTask -TaskPath '\' -TaskName 'GoogleUpdateTaskMachineUA' taskPathPattern: \ taskNamePattern: GoogleUpdateTaskMachineUA - function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\' -TaskName 'GoogleUpdateTaskMachineCore{*}' taskPathPattern: \ taskNamePattern: GoogleUpdateTaskMachineCore{*} - function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\' -TaskName 'GoogleUpdateTaskMachineUA{*}' taskPathPattern: \ taskNamePattern: GoogleUpdateTaskMachineUA{*} - category: Disable Adobe background automatic updates docs: |- This category includes scripts designed to disable Adobe's background automatic update services and tasks. These automatic updates run in the background [1], typically starting up with your PC, and work to keep your Adobe software up to date [1]. By disabling them, you optimize your system's performance, reduce unwanted data collection, and minimize your vulnerability surface. These scripts only disable automatic updates; manual updates are still possible. [1]: https://web.archive.org/web/20230624030406/https://helpx.adobe.com/x-productkb/global/adobe-background-processes.html "Why do I need the Adobe background processes? | helpx.adobe.com" children: - name: Disable "Adobe Acrobat Update Service" service recommend: standard docs: |- This script disables the `AdobeARMservice` service. This service is officially named "Adobe Acrobat Update Service" [1]. It starts automatically when your PC boots, runs in the background, and installs updates if found [1] [2]. Its primary function is to keep your Adobe software up to date [1]. Disabling this service can help optimize your system's performance and reduce unwanted data collection. 
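The `# Check:` comments in the entries above show how each default state was read. The following read-only audit is an added example (not part of the privacy.sexy collection or of any vendor's own tooling): it checks the browser policy values, the Google Update and Adobe Acrobat Update services, and the Firefox and Google Update scheduled tasks named above, and prints them in the layout of the overview tables, reporting missing items the way those tables do. The Chrome policy key path `HKLM\SOFTWARE\Policies\Google\Chrome` and the trailing `*` wildcards (which cover the random-suffix task names) are assumptions.

```powershell
# Added example, not code from the privacy.sexy collection. Reads the state of
# the services, scheduled tasks and policy values named in the entries above;
# nothing is modified. Run from an elevated PowerShell session so that
# per-machine tasks and HKLM keys are readable.

function Get-ServiceAuditRow {
    param([Parameter(Mandatory)][string]$Name)
    # A service that is not installed is reported as Missing / N/A, as in the tables.
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Kind = 'Service'; Name = $Name; Status = 'Missing'; StartType = 'N/A' }
    }
    [pscustomobject]@{ Kind = 'Service'; Name = $Name; Status = "$($svc.Status)"; StartType = "$($svc.StartType)" }
}

function Get-TaskAuditRow {
    param(
        [Parameter(Mandatory)][string]$TaskPath,
        [Parameter(Mandatory)][string]$TaskNamePattern
    )
    # -TaskName accepts wildcards, so one pattern matches both the plain name and
    # the random-suffix variant ("GoogleUpdateTaskMachineCore{...}") that newer
    # Google Update versions create.
    $tasks = @(Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskNamePattern -ErrorAction SilentlyContinue)
    if ($tasks.Count -eq 0) {
        return [pscustomobject]@{ Kind = 'Task'; Name = "$TaskPath$TaskNamePattern"; Status = 'Missing'; StartType = 'N/A' }
    }
    foreach ($t in $tasks) {
        # Task state (Ready, Running, Disabled) is the "Default status" column of the tables.
        [pscustomobject]@{ Kind = 'Task'; Name = "$($t.TaskPath)$($t.TaskName)"; Status = "$($t.State)"; StartType = 'N/A' }
    }
}

function Get-PolicyAuditRow {
    param(
        [Parameter(Mandatory)][string]$KeyPath,   # PowerShell drive form, e.g. HKLM:\SOFTWARE\Policies\Mozilla\Firefox
        [Parameter(Mandatory)][string]$ValueName
    )
    # A missing value means the policy is not set, so the product's own default applies.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    $status = if ($null -eq $item) { 'Missing' } else { "$($item.$ValueName)" }
    [pscustomobject]@{ Kind = 'Policy'; Name = "$KeyPath!$ValueName"; Status = $status; StartType = 'N/A' }
}

function Invoke-UpdateAudit {
    $rows = @()
    # Services named in the entries above.
    $serviceNames = @(
        'gupdate'
        'gupdatem'
        'AdobeARMservice'
    )
    foreach ($s in $serviceNames) { $rows += Get-ServiceAuditRow -Name $s }

    # Scheduled tasks; the trailing "*" is an assumption that also catches the suffixed names.
    $rows += Get-TaskAuditRow -TaskPath '\Mozilla\' -TaskNamePattern 'Firefox Default Browser Agent *'
    $rows += Get-TaskAuditRow -TaskPath '\' -TaskNamePattern 'GoogleUpdateTaskMachineCore*'
    $rows += Get-TaskAuditRow -TaskPath '\' -TaskNamePattern 'GoogleUpdateTaskMachineUA*'

    # Firefox policy values come from the entries above. The Chrome policy key path is
    # an assumption; the collection writes it through SetChromePolicyViaRegistry.
    $firefox = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox'
    $chrome  = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    $rows += Get-PolicyAuditRow -KeyPath $firefox -ValueName 'DisableDefaultBrowserAgent'
    $rows += Get-PolicyAuditRow -KeyPath $firefox -ValueName 'DisableTelemetry'
    $rows += Get-PolicyAuditRow -KeyPath $chrome  -ValueName 'ChromeCleanupEnabled'
    $rows += Get-PolicyAuditRow -KeyPath $chrome  -ValueName 'MetricsReportingEnabled'
    $rows
}

function Format-AuditTable {
    param([Parameter(Mandatory)][object[]]$Rows)
    # Emits a markdown table in the layout of the overview tables above.
    $os = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    $lines = @("Audited on: $os", '', '| Kind | Name | Status | Start type |', '| ---- | ---- | ------ | ---------- |')
    foreach ($r in $Rows) { $lines += "| $($r.Kind) | $($r.Name) | $($r.Status) | $($r.StartType) |" }
    $lines -join [Environment]::NewLine
}

Format-AuditTable -Rows (Invoke-UpdateAudit)
```

Running it before and after applying or reverting the scripts shows exactly which items changed, which is the check the `# Check:` comments perform one item at a time.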
### Overview of default service statuses `AdobeARMservice` (tested on Adobe Acrobat version 23.006): | OS Version | Status | Start type | | ---------- | -------| ---------- | | Windows 10 (≥ 22H2) | 🟢 Running | Automatic | | Windows 11 (≥ 22H2) | 🟢 Running | Automatic | [1]: https://web.archive.org/web/20231027145411/https://www.shouldiblockit.com/armsvc.exe-2873.aspx "armsvc.exe - Should I Block It? (Adobe Acrobat Update Service) | shouldiblockit.com" [2]: https://web.archive.org/web/20231027145343/https://www.file.net/process/armsvc.exe.html "armsvc.exe Windows process - What is it? | file.net" call: function: DisableService parameters: serviceName: AdobeARMservice # Check: (Get-Service -Name AdobeARMservice).StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - name: Disable "Adobe Update Service" service recommend: standard docs: |- This script disables the `adobeupdateservice` service. This service is responsible for updating Creative Cloud desktop apps [1] [2]. It runs continuously in the background [3]. It manages the privileges required for various actions, such as installing app updates and syncing fonts [3]. This allows Adobe to perform its actions without prompting you for your system password or approval [3]. This service has had vulnerabilities in the past, including the Privilege Escalation Unquoted Service Path vulnerability [4], making it a potential security risk. The service's executable is typically found at `C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe` [1] [2]. 
### Overview of default service statuses `adobeupdateservice` (tested on Adobe Acrobat version 23.006): | OS Version | Status | Start type | | ---------- | -------| ---------- | | Windows 10 (≥ 21H1) | 🟡 Missing | N/A | | Windows 11 (≥ 22H2) | 🟡 Missing | N/A | [1]: https://web.archive.org/web/20231027145409/https://helpx.adobe.com/creative-cloud/kb/all-apps-displayed-aam.html "Not all apps displayed for download | Creative Cloud desktop app" [2]: https://web.archive.org/web/20231027145700/https://helpx.adobe.com/se/xd/kb/adobe-xd-not-compatible-on-windows-machine.html "Adobe XD appears as not compatible on Creative Cloud desktop app | helpx.adobe.com" [3]: https://web.archive.org/web/20230624030406/https://helpx.adobe.com/x-productkb/global/adobe-background-processes.html "Why do I need the Adobe background processes? | helpx.adobe.com" [4]: https://web.archive.org/web/20231027145430/https://www.exploit-db.com/exploits/39954 "AdobeUpdateService 3.6.0.248 - Unquoted Service Path Privilege Escalation - Windows local Exploit | exploit-db.com" call: function: DisableService parameters: serviceName: adobeupdateservice # Check: (Get-Service -Name adobeupdateservice).StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual ignoreMissingOnRevert: 'true' - name: Disable "Adobe Acrobat Update Task" scheduled task recommend: standard docs: |- This script disables the "Adobe Acrobat Update Task" scheduled task. It is responsible for keeping your Adobe Reader and Acrobat applications up to date with the latest enhancements and security fixes [1]. By disabling it, you reduce the system's exposure to potential vulnerabilities, though at the cost of not receiving automatic updates in the background. 
### Overview of default task statuses `\Adobe Acrobat Update Task` [1] (tested on Adobe Acrobat version 23.006): | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟢 Ready | | Windows 11 22H2 | 🟢 Ready | [1]: https://web.archive.org/web/20231027145509/http://windows.fyicenter.com/4324_Adobe_Acrobat_Update_Task_Scheduled_Task_on_Windows_7.html '"Adobe Acrobat Update Task" Scheduled Task on Windows 7 | windows.fyicenter.com' call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\' -TaskName 'Adobe Acrobat Update Task' taskPathPattern: \ taskNamePattern: Adobe Acrobat Update Task - name: Disable "Razer Game Scanner Service" recommend: standard docs: |- ### Overview of default service statuses `Razer Game Scanner Service` (tested with Razer Synapse 3.9.311 and Razer Cortex 10.12.6.0): | OS Version | Status | Start type | | ---------- | -------| ---------- | | Windows 10 (≥ 21H1) | 🟡 Missing | N/A | | Windows 11 (≥ 22H2) | 🟡 Missing | N/A | call: function: DisableService parameters: serviceName: Razer Game Scanner Service # Check: (Get-Service -Name 'Razer Game Scanner Service').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual ignoreMissingOnRevert: 'true' - name: Disable "Logitech Gaming Registry Service" recommend: standard docs: |- ### Overview of default service statuses `LogiRegistryService` (tested on Logitech Gaming Software version 04.49): | OS Version | Status | Start type | | ---------- | -------| ---------- | | Windows 10 (≥ 22H2) | 🟢 Running | Automatic | | Windows 11 (≥ 22H2) | 🟢 Running | Automatic | call: function: DisableService parameters: serviceName: LogiRegistryService # Check: (Get-Service -Name 'LogiRegistryService').StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - category: Disable Dropbox background automatic updates docs: |- This category focuses on disabling continuous background processes related to automatic 
updates of Dropbox. Although these processes are intended to keep Dropbox up to date, they can be intrusive and use system resources unnecessarily. Disabling them does not prevent updates, but stops the automatic background processes that are running constantly, contributing to both privacy and system optimization. Users have to manually update Dropbox to ensure they have the latest version and security features. children: - name: Disable "Dropbox Update Service" services recommend: standard docs: |- Dropbox operates using two Windows services, `dbupdate` and `dbupdatem`, to manage automatic updates [1]. Disabling these services can help enhance privacy and optimize system performance. ### Overview of default service statuses `dbupdate` (Dropbox Update Service, tested on Dropbox version 184.4): | OS Version | Status | Start type | | ---------- | -------| ---------- | | Windows 10 (≥ 22H2) | 🔴 Stopped | Automatic | | Windows 11 (≥ 22H2) | 🔴 Stopped | Automatic | `dbupdatem` (Dropbox Update Service, tested on Dropbox version 184.4): | OS Version | Status | Start type | | ---------- | -------| ---------- | | Windows 10 (≥ 22H2) | 🔴 Stopped | Automatic | | Windows 11 (≥ 22H2) | 🔴 Stopped | Automatic | [1]: https://web.archive.org/web/20231101153431/https://belkasoft.com/investigating_dropbox_desktop_app "Investigating the Dropbox Desktop App for Windows with Belkasoft X | belkasoft.com" call: - function: DisableService parameters: serviceName: dbupdate # Check: (Get-Service -Name 'dbupdate').StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - function: DisableService parameters: serviceName: dbupdatem # Check: (Get-Service -Name 'dbupdatem').StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - name: Disable Dropbox automatic updates scheduled tasks recommend: standard docs: |- This script disables the scheduled tasks that Dropbox uses to trigger updates. 
These tasks, named `DropboxUpdateTaskMachineUA` and `DropboxUpdateTaskMachineCore`, are referred to as "Dropbox Update tasks" by Dropbox [1]. Disabling these scheduled tasks can further enhance privacy and optimize system performance. Dropbox disables these tasks for enterprise installations by default [1]. ### Overview of default task statuses `\DropboxUpdateTaskMachineCore` (tested on Dropbox version 184.4): | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟢 Ready | | Windows 11 22H2 | 🟢 Ready | `\DropboxUpdateTaskMachineUA` (tested on Dropbox version 184.4): | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟢 Ready | | Windows 11 22H2 | 🟢 Ready | [1]: https://archive.ph/2023.11.01-153622/https://github.com/dropbox/DropboxBusinessScripts/blob/4f4c32ddd488b29e7fd16a40966761e70a758239/QA%20Installer/Dropbox%20Enterprise%20Installer.ps1%23L127-L136 "DropboxBusinessScripts/QA Installer/Dropbox Enterprise Installer.ps1 at 4f4c32ddd488b29e7fd16a40966761e70a758239 · dropbox/DropboxBusinessScripts | github.com/dropbox" call: - function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\' -TaskName 'DropboxUpdateTaskMachineUA' taskPathPattern: \ taskNamePattern: DropboxUpdateTaskMachineUA - function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\' -TaskName 'DropboxUpdateTaskMachineCore' taskPathPattern: \ taskNamePattern: DropboxUpdateTaskMachineCore - category: Disable Media Player data collection children: - name: Disable sending Windows Media Player statistics recommend: standard code: reg add "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "UsageTracking" /t "REG_DWORD" /d "0" /f # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2), but the key exists as `1` once Media Player is installed on Windows 10 22H2 revertCode: reg add "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "UsageTracking" /t "REG_DWORD" /d 
"1" /f - name: Disable metadata retrieval recommend: standard call: - function: SetRegistryValue parameters: keyPath: HKCU\Software\Policies\Microsoft\WindowsMediaPlayer valueName: PreventCDDVDMetadataRetrieval dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKCU\Software\Policies\Microsoft\WindowsMediaPlayer valueName: PreventMusicFileMetadataRetrieval dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKCU\Software\Policies\Microsoft\WindowsMediaPlayer valueName: PreventRadioPresetsRetrieval dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\WMDRM valueName: DisableOnline dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable "Windows Media Player Network Sharing Service" (`WMPNetworkSvc`) recommend: standard docs: |- Details: [Windows Media Player Network Sharing Service - Windows 10 Service - batcmd.com | batcmd.com](https://web.archive.org/web/20240314091022/https://batcmd.com/windows/10/services/wmpnetworksvc/) ### Overview of default service statuses | OS Version | Status | Start type | | ---------- | -------| ---------- | | Windows 10 (≥ 22H2) | 🔴 Stopped | Manual | | Windows 11 (≥ 22H2) | 🔴 Stopped | Manual | call: function: DisableService parameters: serviceName: WMPNetworkSvc # Check: (Get-Service -Name 'WMPNetworkSvc').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable CCleaner data collection call: - function: SetRegistryValue parameters: keyPath: HKCU\Software\Piriform\CCleaner valueName: Monitoring 
dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) (CCleaner v6.23) - function: SetRegistryValue parameters: keyPath: HKCU\Software\Piriform\CCleaner valueName: HelpImproveCCleaner dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) (CCleaner v6.23) - function: RunInlineCode parameters: code: reg add "HKCU\Software\Piriform\CCleaner" /v "SystemMonitoring" /t REG_DWORD /d 0 /f revertCode: >- # `1` by default on Windows 10 22H2, missing key on Windows 11 23H2 (CCleaner v6.23) reg add "HKCU\Software\Piriform\CCleaner" /v "SystemMonitoring" /t REG_DWORD /d 1 /f - function: SetRegistryValue parameters: keyPath: HKCU\Software\Piriform\CCleaner valueName: UpdateAuto dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) (CCleaner v6.23) - function: SetRegistryValue parameters: keyPath: HKCU\Software\Piriform\CCleaner valueName: UpdateCheck dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) (CCleaner v6.23) - function: RunInlineCode parameters: code: reg add "HKCU\Software\Piriform\CCleaner" /v "CheckTrialOffer" /t REG_DWORD /d 0 /f revertCode: >- # `0` by default on Windows 10 22H2, missing key on Windows 11 23H2 (CCleaner v6.23) reg add "HKCU\Software\Piriform\CCleaner" /v "CheckTrialOffer" /t REG_DWORD /d 1 /f - function: SetRegistryValue parameters: keyPath: HKCU\Software\Piriform\CCleaner valueName: (Cfg)HealthCheck dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) (CCleaner v6.23) - function: SetRegistryValue parameters: keyPath: HKCU\Software\Piriform\CCleaner valueName: (Cfg)QuickClean dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 
10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) (CCleaner v6.23) - function: SetRegistryValue parameters: keyPath: HKCU\Software\Piriform\CCleaner valueName: (Cfg)QuickCleanIpm dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) (CCleaner v6.23) - function: SetRegistryValue parameters: keyPath: HKCU\Software\Piriform\CCleaner valueName: (Cfg)GetIpmForTrial dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) (CCleaner v6.23) - function: SetRegistryValue parameters: keyPath: HKCU\Software\Piriform\CCleaner valueName: (Cfg)SoftwareUpdater dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) (CCleaner v6.23) - function: SetRegistryValue parameters: keyPath: HKCU\Software\Piriform\CCleaner valueName: (Cfg)SoftwareUpdaterIpm dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) (CCleaner v6.23) - category: Security improvements docs: |- This category encompasses a range of scripts designed to improve the security of your system by enforcing security best practices. These scripts help protect your system against various types of cyber threats and unauthorized access. children: - category: Improve network security docs: |- This category is dedicated to improving network security. It aims to minimize vulnerabilities by offering various settings that improve the integrity and confidentiality of data transmitted over the network. It features a range of measures to protect data transmission from unauthorized access, interception, and other cyber threats to maintain a secure and private communication environment. By improving network security, you secure your system and data from attackers, ISPs, VPN companies, and state actors. 
children: - category: Enable strong secret key requirements docs: |- # refactor-with-variables: Same • Key Size Caution This category contains scripts that enhance system security by enforcing stronger encryption key lengths. Stronger keys help prevent unauthorized data access and potential leaks. These scripts aim to protect your data when it is sent over the network (Internet), making sure your security matches up with the latest guidelines and practices. > **Caution**: > - Using bigger keys increases security but may not work with some old or less secure apps. > - This can make your device slower and drain the battery faster. children: - name: Enable strong Diffie-Hellman key requirement recommend: standard # Default on modern Windows, smaller sizes considered insecure docs: |- # refactor-with-variables: Same • Key Size Caution • handshake This script improves your security by setting the `Diffie-Hellman` [1] [2] [3] key exchange to a minimum of 2048 bits. This is a secure way to exchange keys over public networks. This script only affects the *SSL/TLS handshake* process. The *SSL/TLS handshake* is a key part of establishing a secure connection over the internet. By rejecting shorter Diffie-Hellman keys during the handshake, the script improves the security of the connection. By default, modern Windows versions use a 2048-bit size for Diffie-Hellman key exchanges [1]. Sizes of 1024 bits and below are considered weak [4] [5]. NIST in the USA [4] and the Federal Office for Information Security (BSI) in Germany [3] disallow the use of sizes under 2048 bits. The NSA (National Security Agency) recommends at least 3072 bits [6]. This script hardens your system's security by using keys of adequate strength, following best practices. > **Caution**: > - Using bigger keys increases security but may not work with some old or less secure apps. > - This can make your device slower and drain the battery faster.
[1]: https://web.archive.org/web/20240402105325/https://learn.microsoft.com/en-us/security-updates/securityadvisories/2016/3174644 "Microsoft Security Advisory 3174644 | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240402112853/https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings "Transport Layer Security (TLS) registry settings | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderugen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de" [4]: https://web.archive.org/web/20240402105205/https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf "NIST Special Publication 800-131A Revision 2 | Transitioning the Use of Cryptographic Algorithms and Key Lengths | nvlpubs.nist.gov" [5]: https://web.archive.org/web/20240402112905/https://weakdh.org/ "Weak Diffie-Hellman and the Logjam Attack | weakdh.org" [6]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov" call: function: RequireTLSMinimumKeySize parameters: algorithmName: Diffie-Hellman keySizeInBits: '2048' - name: Enable strong RSA key requirement (breaks Hyper-V VMs) recommend: strict # Microsoft deprecated it and will end support; but breaks Hyper-V VMs, see #363 docs: |- # refactor-with-variables: Same • Key Size Caution • handshake This script improves your security by enforcing a minimum of 2048 bits for RSA encryption keys (`PKCS` [1] [2]). 
RSA encryption keys play a crucial role in securing communications over the internet. The Public-Key Cryptography Standards (PKCS) define how to use RSA keys for secure communication encryption. Using keys that are too weak can expose your data to unauthorized access. This script only affects the *SSL/TLS handshake* process. The *SSL/TLS handshake* is a key part of establishing a secure connection over the internet. By rejecting RSA keys shorter than the minimum during the handshake, the script improves the security of the connection. From Windows 10, version 1507, and Windows Server 2016 onwards, the default minimum RSA key size that Windows accepts is 1024 bits [1]. This script raises the client-side minimum to 2048 bits, aligning with modern security standards. Server-side RSA key strength is determined by the server certificate [2]. Since 2013, internet standards and regulatory bodies have banned 1024-bit RSA keys due to security vulnerabilities [3]. These entities, including the Federal Office for Information Security (BSI) in Germany [2] and the National Institute of Standards and Technology (NIST) in the USA [4] [5], now recommend the use of keys that are 2048 bits or longer. RSA keys of 2048 bits or more are widely accepted. In 2012, Microsoft started blocking RSA keys shorter than 1024 bits [5] [6], and in March 2024 it listed RSA keys shorter than 2048 bits for TLS server authentication as deprecated in Windows [3]. While 2048-bit keys balance security with efficiency [7], a shift towards stronger 4096-bit RSA keys is emerging. Projects like Debian [8], Fedora [9], and CAcert.org [10] use larger keys for long-term tasks. However, this script disrupts connections to Hyper-V virtual machines, which still require 1024-bit keys [11]. It does not affect other virtual environments such as Docker, WSL, or Windows Sandbox [11]. > **Caution**: > - The script prevents access to Hyper-V VMs. > - Using bigger keys increases security but may not work with some old or less secure apps. > - This can make your device slower and drain the battery faster.
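The PowerShell below is an added example and is not this collection's `RequireTLSMinimumKeySize` function. It shows the registry mechanism behind both the Diffie-Hellman script and this RSA (`PKCS`) script: the `ClientMinKeyBitLength` and `ServerMinKeyBitLength` values under `SCHANNEL\KeyExchangeAlgorithms` documented in Microsoft's TLS registry settings [1]. The function names, the `-ClientOnly` switch (which mirrors `ignoreServerSide`), and the 512 to 16384 sanity range are this example's own choices, not Windows limits:

```powershell
# Added example, not part of privacy.sexy. Requires an elevated session.
# Registry layout from Microsoft's "TLS registry settings" article:
#   HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\<Diffie-Hellman|PKCS>
#   ClientMinKeyBitLength / ServerMinKeyBitLength (REG_DWORD, key length in bits)
# "PKCS" is the name Schannel uses for the RSA key exchange. The 512-16384
# range below is this example's own sanity check, not a Windows limit.
# Reboot afterwards (assumption: not every Schannel consumer re-reads live).
#Requires -RunAsAdministrator

$SchannelKex = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms'

function Set-TlsMinimumKeySize {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('Diffie-Hellman', 'PKCS')][string]$Algorithm,
        [Parameter(Mandatory)][ValidateRange(512, 16384)][int]$KeySizeInBits,
        # For PKCS the server side is governed by the server certificate, so the
        # RSA script leaves ServerMinKeyBitLength alone; -ClientOnly mirrors that.
        [switch]$ClientOnly
    )
    $keyPath = Join-Path $SchannelKex $Algorithm
    if (-not (Test-Path $keyPath)) { $null = New-Item -Path $keyPath -Force }
    $names = @('ClientMinKeyBitLength')
    if (-not $ClientOnly) { $names += 'ServerMinKeyBitLength' }
    foreach ($name in $names) {
        if ($PSCmdlet.ShouldProcess("$keyPath\$name", "Set to $KeySizeInBits bits")) {
            Set-ItemProperty -Path $keyPath -Name $name -Value $KeySizeInBits -Type DWord
        }
    }
}

function Get-TlsMinimumKeySize {
    # An empty column means the value is not set and the Windows default applies.
    foreach ($algorithm in 'Diffie-Hellman', 'PKCS') {
        $keyPath = Join-Path $SchannelKex $algorithm
        $props = if (Test-Path $keyPath) { Get-ItemProperty -Path $keyPath } else { $null }
        [pscustomobject]@{
            Algorithm             = $algorithm
            ClientMinKeyBitLength = $props.ClientMinKeyBitLength
            ServerMinKeyBitLength = $props.ServerMinKeyBitLength
        }
    }
}

function Remove-TlsMinimumKeySize {
    # Revert: delete the values so the built-in default applies again.
    param([Parameter(Mandatory)][ValidateSet('Diffie-Hellman', 'PKCS')][string]$Algorithm)
    $keyPath = Join-Path $SchannelKex $Algorithm
    if (Test-Path $keyPath) {
        Remove-ItemProperty -Path $keyPath -Name ClientMinKeyBitLength, ServerMinKeyBitLength -ErrorAction SilentlyContinue
    }
}

# Same policy as the two scripts in this category. Add -WhatIf to preview the writes.
Set-TlsMinimumKeySize -Algorithm 'Diffie-Hellman' -KeySizeInBits 2048
Set-TlsMinimumKeySize -Algorithm 'PKCS' -KeySizeInBits 2048 -ClientOnly   # breaks Hyper-V VM connections, see above
Get-TlsMinimumKeySize | Format-Table -AutoSize
```

`Get-TlsMinimumKeySize` is the quickest way to confirm what a machine is actually enforcing before and after a run; when the RSA column is set and Hyper-V connections start failing, `Remove-TlsMinimumKeySize -Algorithm PKCS` is the targeted revert.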
[1]: https://web.archive.org/web/20240403064025/https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings?tabs=rsa "Transport Layer Security (TLS) registry settings | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de" [3]: https://web.archive.org/web/20240403064138/https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features "Deprecated features in the Windows client - What's new in Windows | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240402105205/https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf "NIST Special Publication 800-131A Revision 2 | Transitioning the Use of Cryptographic Algorithms and Key Lengths | nvlpubs.nist.gov" [5]: https://web.archive.org/web/20240403064107/https://github.com/undergroundwires/privacy.sexy/pull/165 "request by bricedobson | undergroundwires/privacy.sexy | GitHub.com" [6]: https://web.archive.org/web/20240403064204/https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/rsa-keys-under-1024-bits-are-blocked/ba-p/1128997 "RSA keys under 1024 bits are blocked - Microsoft Community Hub | techcommunity.microsoft.com" [7]: https://web.archive.org/web/20240402113046/https://danielpocock.com/rsa-key-sizes-2048-or-4096-bits/ "RSA Key Sizes: 2048 or 4096 bits? 
| danielpocock.com" [8]: https://web.archive.org/web/20240402105239/https://wiki.debian.org/Keysigning#Step_1:_Create_a_RSA_keypair "Keysigning - Debian Wiki | wiki.debian.org" [9]: https://web.archive.org/web/20240402105244/https://fedoraproject.org/security/ "Fedora keeps you safe | The Fedora Project | fedoraproject.org" [10]: https://web.archive.org/web/20240402112840/http://www.cacert.org/policy/CertificationPracticeStatement.html#p6.1.5 "Certification Practice Statement (CPS) | cacert.org" [11]: https://web.archive.org/web/20240519131322/https://github.com/undergroundwires/privacy.sexy/issues/363 "Hyper-V VM connection issues after running \"Standard\" · Issue #363 · undergroundwires/privacy.sexy" call: function: RequireTLSMinimumKeySize parameters: algorithmName: PKCS keySizeInBits: '2048' ignoreServerSide: 'true' # Controlled by the specified server certificate - category: Disable insecure connections docs: |- # refactor-with-variables: Same • Compatibility Caution This category includes scripts designed to enhance users' security and privacy by disabling outdated or vulnerable connections across the system. It safeguards data against interception, unauthorized access, and attacks that exploit outdated technology vulnerabilities, including man-in-the-middle attacks and data breaches. By disabling these insecure connections, these scripts follow cybersecurity best practices and recommendations. Windows keeps these insecure options available for compatibility; these scripts prioritize security and disable them. > **Caution:** This may cause compatibility issues with older devices or software. children: - category: Disable insecure ciphers docs: |- # refactor-with-variables: Same • Compatibility Caution This category improves network security by disabling outdated and less secure cipher suites. **Cipher suites** are sets of cryptographic algorithms used to secure network connections [1].
They include **ciphers**, known as **bulk encryption algorithms** [1] or simply **bulk ciphers** [2]. Ciphers encrypt messages exchanged between clients and servers [1]. Using outdated cipher suites exposes data to risks of interception and tampering during transmission [2]. Disabling insecure ciphers meets security standards set by NIST [3], CIS [4], IRS [5], OWASP [6] and Germany's Federal Office for Information Security (BSI) [7]. This enhances data confidentiality and integrity [4]. It also protects against threats such as attackers exploiting cryptographic weaknesses, malicious insiders, state actors, and cybercriminals [8]. > **Caution:** This may cause compatibility issues with older devices or software. [1]: https://web.archive.org/web/20240421101955/https://learn.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel "Cipher Suites in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240421102018/https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/ "Recommendations for TLS/SSL Cipher Hardening | Acunetix | www.acunetix.com" [3]: https://web.archive.org/web/20240420183152/https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/restrict-cryptographic-algorithms-protocols-schannel "Restrict cryptographic algorithms and protocols - Windows Server | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240421101142/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_IIS_8_Benchmark_v1_4_0.pdf "CIS Microsoft IIS 8 Benchmark v1.4.0 | paper.bobylive.com" [5]: https://web.archive.org/web/20240404112509/https://www.irs.gov/privacy-disclosure/encryption-requirements-of-publication-1075 "Encryption Requirements of Publication 1075 | Internal Revenue Service | www.irs.gov" [6]: 
https://web.archive.org/web/20240421101557/https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html "WSTG - v4.2 | OWASP Foundation | owasp.org" [7]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de" [8]: https://web.archive.org/web/20240421102031/https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography "M10: Insufficient Cryptography | OWASP Foundation | owasp.org" children: - name: Disable insecure "RC2" ciphers recommend: strict # Considered weak and vulnerable by numerous authoritative sources, may be incompatible with third-party apps. docs: |- # refactor-with-variables: Same • Compatibility Caution • handshake • authorities • cipher suite This script disables RC2 ciphers. This script only affects the *SSL/TLS handshake* process. The *SSL/TLS handshake* is a key part of establishing a secure connection over the internet. By disabling this weak algorithm, the script improves the security of the connection. Authorities like Microsoft [1] [2] [3], NIST (FIPS) [4], CIS [5], Federal Office for Information Security (BSI) [6], OWASP [7], and NSA (National Security Agency) [8] classify this algorithm as weak and recommend against its use. By disabling RC2, the script enhances network security and data integrity [5], as these ciphers are susceptible to cryptographic attacks. This script disables these cipher algorithms: - `RC2 40/128` [1] [4] [5] [6] (40-bit RC2 [4]) - Enabled by default [4]. 
- Disabling it disallows the following cipher suites: - `SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5` [1] [4] - `TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5` [1] [4] - `RC2 56/128` [2] [4] [5] [6] (56-bit RC2 [4]) - Enabled by default [4]. - Disabling it disallows the following cipher suites: - `SSL_RSA_WITH_DES_CBC_SHA` [2] - `TLS_RSA_WITH_DES_CBC_SHA` [2] - `RC2 128/128` [3] [4] [6] (128-bit RC2 [4]) - Enabled by default [4]. > **Caution:** This may cause compatibility issues with older devices or software. [1]: https://web.archive.org/web/20240421111726/https://admx.help/?Category=Schannel&Policy=JMU.Policies.Schannel::RC2_40 "RC2 40/128 | admx.help" [2]: https://web.archive.org/web/20240421111927/https://admx.help/?Category=Schannel&Policy=JMU.Policies.Schannel::RC2_56 "RC2 56/128 | admx.help" [3]: https://web.archive.org/web/20240421111841/https://admx.help/?Category=Schannel&Policy=JMU.Policies.Schannel::RC2_128 "RC2 128/128 | admx.help" [4]: https://web.archive.org/web/20240420183152/https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/restrict-cryptographic-algorithms-protocols-schannel "Restrict cryptographic algorithms and protocols - Windows Server | Microsoft Learn | learn.microsoft.com" [5]: https://web.archive.org/web/20240421101142/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_IIS_8_Benchmark_v1_4_0.pdf "CIS Microsoft IIS 8 Benchmark v1.4.0 | paper.bobylive.com" [6]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de" [7]: 
https://web.archive.org/web/20240421101557/https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html "WSTG - v4.2 | OWASP Foundation | owasp.org" [8]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov" call: - function: DisableTLSCipher parameters: algorithmName: RC2 40/128 - function: DisableTLSCipher parameters: algorithmName: RC2 56/128 - function: DisableTLSCipher parameters: algorithmName: RC2 128/128 - name: Disable insecure "RC4" ciphers recommend: strict # Considered weak and vulnerable by numerous authoritative sources, may be incompatible with third-party apps. docs: |- # refactor-with-variables: Same • Compatibility Caution • handshake • authorities • cipher suite This script disables the RC4 ciphers. This script only affects the *SSL/TLS handshake* process. The *SSL/TLS handshake* is a key part of establishing a secure connection over the internet. By disabling this weak algorithm, the script improves the security of the connection. Authorities like Microsoft [1] [2] [3] [4] [5], NIST (FIPS) [6], CIS [7], Federal Office for Information Security (BSI) [8], OWASP [9], and NSA (National Security Agency) [10] classify this algorithm as weak and recommend against its use. This script disables these cipher algorithms: - `RC4 128/128` [1] [6] [7] [8] (128-bit RC4 [6]): - Enabled by default [6] [7]. - Disabling it disallows the following cipher suites: - `SSL_RSA_WITH_RC4_128_MD5` [1] [6] - `SSL_RSA_WITH_RC4_128_SHA` [1] [6] - `TLS_RSA_WITH_RC4_128_MD5` [1] [6] - `TLS_RSA_WITH_RC4_128_SHA` [1] [6] - `RC4 64/128` [2] [6] [7] [8] (64-bit RC4 [6]): - Enabled by default [6]. 
- Disabling it affects the functionality of the *Microsoft Money* application [6]. - `RC4 56/128` [3] [6] [7] [8] (56-bit RC4 [6]): - Enabled by default [6]. - Disabling it disallows the following cipher suites: - `TLS_RSA_EXPORT1024_WITH_RC4_56_SHA` [3] [6] - `RC4 40/128` [4] [6] [7] [8] (40-bit RC4 [6]): - Enabled by default [6]. - Disabling it disallows the following cipher suites: - `SSL_RSA_EXPORT_WITH_RC4_40_MD5` [4] [6] - `TLS_RSA_EXPORT_WITH_RC4_40_MD5` [4] [6] > **Caution:** This may cause compatibility issues with older devices or software. [1]: https://web.archive.org/web/20240421101752/https://admx.help/?Category=Schannel&Policy=JMU.Policies.Schannel::RC4_128 "RC4 128/128 | admx.help" [2]: https://web.archive.org/web/20240421101700/https://admx.help/?Category=Schannel&Policy=JMU.Policies.Schannel::RC4_64 "RC4 64/128 | admx.help" [3]: https://web.archive.org/web/20240421101714/https://admx.help/?Category=Schannel&Policy=JMU.Policies.Schannel::RC4_56 "RC4 56/128 | admx.help" [4]: https://web.archive.org/web/20240421101730/https://admx.help/?Category=Schannel&Policy=JMU.Policies.Schannel::RC4_40 "RC4 40/128 | admx.help" [5]: https://web.archive.org/web/20150315105026/http://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx "Security Advisory 2868725: Recommendation to disable RC4 - Security Research & Defense - Site Home - TechNet Blogs" [6]: https://web.archive.org/web/20240420183152/https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/restrict-cryptographic-algorithms-protocols-schannel "Restrict cryptographic algorithms and protocols - Windows Server | Microsoft Learn | learn.microsoft.com" [7]: https://web.archive.org/web/20240421101142/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_IIS_8_Benchmark_v1_4_0.pdf "CIS Microsoft IIS 8 Benchmark v1.4.0 | paper.bobylive.com" [8]:
https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de" [9]: https://web.archive.org/web/20240421101557/https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html "WSTG - v4.2 | OWASP Foundation | owasp.org" [10]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov" call: - function: DisableTLSCipher parameters: algorithmName: RC4 128/128 - function: DisableTLSCipher parameters: algorithmName: RC4 64/128 - function: DisableTLSCipher parameters: algorithmName: RC4 56/128 - function: DisableTLSCipher parameters: algorithmName: RC4 40/128 - name: Disable insecure "DES" cipher recommend: strict # Considered weak and vulnerable by numerous authoritative sources, may be incompatible with third-party apps. docs: |- # refactor-with-variables: Same • Compatibility Caution • handshake • authorities • cipher suite This script disables the `DES 56/56` [1] [2] [3] [4] cipher, also known as *DES 56* [2] or *56-bit DES* [2]. This script only affects the *SSL/TLS handshake* process. The *SSL/TLS handshake* is a key part of establishing a secure connection over the internet. By disabling this weak algorithm, the script improves the security of the connection. 
Authorities like Microsoft [1], NIST (FIPS) [2], CIS [3], the Federal Office for Information Security (BSI) [4], OWASP [5], and the NSA (National Security Agency) [6] consider this cipher weak and either discourage or disallow its use. This algorithm is enabled by default on Windows [2]. Disabling DES helps maintain data confidentiality and integrity by preventing the use of this weak encryption method in network communications [3]. Disabling this algorithm will disallow the following cipher suites: - `SSL_RSA_WITH_DES_CBC_SHA` [1] [2] - `TLS_RSA_WITH_DES_CBC_SHA` [1] [2] > **Caution:** This may cause compatibility issues with older devices or software. [1]: https://web.archive.org/web/20240421101711/https://admx.help/?Category=Schannel&Policy=JMU.Policies.Schannel::DES_56 "DES 56/56 | admx.help" [2]: https://web.archive.org/web/20240420183152/https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/restrict-cryptographic-algorithms-protocols-schannel "Restrict cryptographic algorithms and protocols - Windows Server | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240421101142/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_IIS_8_Benchmark_v1_4_0.pdf "CIS Microsoft IIS 8 Benchmark v1.4.0 | paper.bobylive.com" [4]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de" [5]: https://web.archive.org/web/20240421101557/https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html "WSTG - v4.2 | OWASP Foundation | owasp.org" [6]:
https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov" call: function: DisableTLSCipher parameters: algorithmName: DES 56/56 # Some sources on the Internet mention the existence of a `DES 56` value, but there is no official documentation pointing to it. - name: Disable insecure "Triple DES" cipher recommend: strict # Considered weak and vulnerable by numerous authoritative sources, may be incompatible with third-party apps. docs: |- # refactor-with-variables: Same • Compatibility Caution • handshake • authorities • cipher suite This script disables the `Triple DES 168` [1] [2] [3] (`Triple DES 168/168` before Windows Vista [2] [4]) cipher, also known as *3DES* [1] [3] [5] [6], *the Triple Data Encryption Algorithm (TDEA)* [6] [7] and *TDES* [8]. This script only affects the *SSL/TLS handshake* process. The *SSL/TLS handshake* is a key part of establishing a secure connection over the internet. By disabling this weak algorithm, the script improves the security of the connection. Authorities like Apple [5] [9], NIST [5] [7], the Federal Office for Information Security (BSI) [4], the NSA (National Security Agency) [8], and the U.S. GSA Office of the Chief Information Security Officer [6] classify this cipher as weak and recommend against its use. This algorithm is enabled by default on Windows [2]. Disabling 3DES secures your communication by mitigating the Sweet32 birthday attack on 64-bit block ciphers [5] and the small amount of data that can safely be encrypted under a single key [6].
Disabling this algorithm will disallow the following cipher suites: - `SSL_CK_DES_192_EDE_CBC_WITH_MD5` [1] - `SSL_RSA_WITH_3DES_EDE_CBC_SHA` [2] - `SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA` [2] - `TLS_RSA_WITH_3DES_EDE_CBC_SHA` [1] [2] - `TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA` [1] [2] > **Caution:** This may cause compatibility issues with older devices or software. [1]: https://web.archive.org/web/20240421101519/https://admx.help/?Category=Schannel&Policy=JMU.Policies.Schannel::3DES "Triple DES 168 | admx.help" [2]: https://web.archive.org/web/20240420183152/https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/restrict-cryptographic-algorithms-protocols-schannel "Restrict cryptographic algorithms and protocols - Windows Server | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240421101142/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_IIS_8_Benchmark_v1_4_0.pdf "CIS Microsoft IIS 8 Benchmark v1.4.0 | paper.bobylive.com" [4]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de" [5]: https://web.archive.org/web/20240421101545/https://sweet32.info/ "Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN" [6]: https://web.archive.org/web/20240429201312/https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf "IT Security Procedural Guide: SSL/TLS Implementation CIO-IT Security-14-69 | www.gsa.gov" [7]: https://web.archive.org/web/20240402105205/https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf "NIST Special Publication 800-131A Revision 2 | Transitioning the Use of Cryptographic Algorithms and 
Key Lengths | nvlpubs.nist.gov" [8]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov" [9]: https://web.archive.org/web/20240426092153/https://developer.apple.com/library/archive/releasenotes/MacOSX/WhatsNewInOSX/Articles/OSXv10.html "macOS Sierra 10.12 | developer.apple.com" call: - function: DisableTLSCipher parameters: algorithmName: Triple DES 168 # Windows Vista and later - function: DisableTLSCipher parameters: algorithmName: Triple DES 168/168 # Before Windows Vista - name: Disable insecure "NULL" cipher recommend: standard # Disables encryption, turned off by default. docs: |- # refactor-with-variables: Same • Compatibility Caution • handshake • authorities • cipher suite This script disables the `NULL` [1] [2] [3] [4] cipher. This script only affects the *SSL/TLS handshake* process. The *SSL/TLS handshake* is a key part of establishing a secure connection over the internet. By disabling this weak algorithm, the script improves the security of the connection. This algorithm provides no encryption [1] [5], leaving data completely unprotected. Authorities like Microsoft [2], NIST (FIPS) [1], CIS [3], the Federal Office for Information Security (BSI) [4], and the NSA (National Security Agency) [6] classify this algorithm as weak and recommend against its use. This cipher is disabled by default [1]. Disabling this cipher ensures that Schannel never negotiates a suite that transmits data in plaintext, which is crucial for maintaining data confidentiality and integrity [3]. Disabling this algorithm will disallow the following cipher suites: - `TLS_RSA_WITH_NULL_SHA` [2] - `TLS_RSA_WITH_NULL_SHA256` [2] > **Caution:** This may cause compatibility issues with older devices or software.
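As an added example (not this collection's `DisableTLSCipher` function), the PowerShell below writes the same `Enabled` value under `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\<name>` that the RC2, RC4, DES, Triple DES, and NULL scripts in this category rely on [1], and generalizes it to the `Hashes` subkey used by the hash scripts in the next category. It goes through the .NET registry API because the PowerShell registry provider treats the `/` in names like `RC4 128/128` as a path separator. The function names, the audit output format, and the reboot advice are this example's own:

```powershell
# Added example, not part of privacy.sexy. Requires an elevated session.
# Registry layout from Microsoft's "Restrict cryptographic algorithms and
# protocols" article:
#   HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\<cipher>
#   HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\<hash>
#   Enabled (REG_DWORD): 0 disables, 0xFFFFFFFF enables; a missing key or value
#   means the Windows default for that algorithm applies.
# Names such as "RC4 128/128" contain a forward slash, which the PowerShell
# registry provider treats as a path separator (New-Item would create
# "RC4 128" with a child key "128"), so the .NET Registry API is used instead.
# Reboot afterwards (assumption: not every Schannel consumer re-reads live).
#Requires -RunAsAdministrator

$SchannelBase = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Open-LocalMachineKey {
    # Always use the 64-bit view so the result does not depend on host bitness.
    [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Registry64)
}

function Set-SchannelAlgorithmState {
    param(
        [Parameter(Mandatory)][ValidateSet('Ciphers', 'Hashes')][string]$Category,
        [Parameter(Mandatory)][string]$Name,   # e.g. 'RC4 128/128', 'NULL', 'MD5'
        [Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled')][string]$State
    )
    $hklm = Open-LocalMachineKey
    try {
        # CreateSubKey returns the key writable and creates it (and any missing
        # parents) when absent; .NET keeps the slash inside $Name as part of the name.
        $key = $hklm.CreateSubKey("$SchannelBase\$Category\$Name")
        try {
            # 0xFFFFFFFF stored as REG_DWORD is -1 when passed as Int32.
            $value = if ($State -eq 'Enabled') { -1 } else { 0 }
            $key.SetValue('Enabled', $value, [Microsoft.Win32.RegistryValueKind]::DWord)
        } finally { $key.Dispose() }
    } finally { $hklm.Dispose() }
}

function Get-SchannelAlgorithmState {
    # One object per explicitly configured cipher/hash. Algorithms with no
    # key are running on Windows defaults and do not appear here.
    $hklm = Open-LocalMachineKey
    try {
        foreach ($category in 'Ciphers', 'Hashes') {
            $parent = $hklm.OpenSubKey("$SchannelBase\$category")
            if (-not $parent) { continue }
            try {
                foreach ($name in $parent.GetSubKeyNames()) {
                    $sub = $parent.OpenSubKey($name)
                    $enabled = $sub.GetValue('Enabled')   # $null when the value is absent
                    $sub.Dispose()
                    $state = if ($null -eq $enabled) { 'default' } elseif ($enabled -eq 0) { 'disabled' } else { 'enabled' }
                    [pscustomobject]@{ Category = $category; Name = $name; State = $state }
                }
            } finally { $parent.Dispose() }
        }
    } finally { $hklm.Dispose() }
}

# Apply what the cipher scripts in this category do, plus the MD5 hash script.
$weakCiphers = 'RC2 40/128', 'RC2 56/128', 'RC2 128/128',
               'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128',
               'DES 56/56', 'Triple DES 168', 'NULL'
foreach ($cipher in $weakCiphers) {
    Set-SchannelAlgorithmState -Category Ciphers -Name $cipher -State Disabled
}
Set-SchannelAlgorithmState -Category Hashes -Name 'MD5' -State Disabled

Get-SchannelAlgorithmState | Format-Table -AutoSize

# Revert a single entry to the Windows default by removing its key entirely:
#   (Open-LocalMachineKey).DeleteSubKeyTree("$SchannelBase\Ciphers\NULL", $false)
```

Running `Get-SchannelAlgorithmState` before the change is a cheap way to record which entries a machine already had configured, which is what you want when a third-party application stops connecting and you need to decide whether to re-enable one cipher or remove its key.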

        [1]: https://web.archive.org/web/20240420183152/https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/restrict-cryptographic-algorithms-protocols-schannel "Restrict cryptographic algorithms and protocols - Windows Server | Microsoft Learn | learn.microsoft.com"
        [2]: https://web.archive.org/web/20240421101539/https://admx.help/?Category=Schannel&Policy=JMU.Policies.Schannel::NULL "NULL | admx.help"
        [3]: https://web.archive.org/web/20240421101142/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_IIS_8_Benchmark_v1_4_0.pdf "CIS Microsoft IIS 8 Benchmark v1.4.0 | paper.bobylive.com"
        [4]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
        [5]: https://web.archive.org/web/20240421101051/https://datatracker.ietf.org/doc/html/rfc2410 "RFC 2410 - The NULL Encryption Algorithm and Its Use With IPsec | datatracker.ietf.org"
        [6]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
      call:
        function: DisableTLSCipher
        parameters:
          algorithmName: 'NULL'
- category: Disable insecure hashes
  docs: |- # refactor-with-variables: Same • Compatibility Caution • vulnerability
    This category includes scripts to disable insecure hash algorithms during cryptographic operations.
    Hash algorithms are essential for internet security, electronic banking, and document signing.

    Insecure hashes, however, are susceptible to collision attacks [1] [2].
    This vulnerability enables attackers to spoof content, perform phishing, or execute man-in-the-middle attacks [3] [4].
    Consequently, an attacker could intercept or modify data transmitted over what is believed to be a secure connection, without being detected.
    For instance, attackers could exploit this to divert your payments to their accounts, creating significant risks.

    > **Caution:** This may cause compatibility issues with older devices or software.

    [1]: https://web.archive.org/web/20240426084410/https://www.win.tue.nl/hashclash/rogue-ca/ "MD5 considered harmful today | win.tue.nl"
    [2]: https://web.archive.org/web/20240426084414/https://phys.org/news/2017-02-cwi-google-collision-industry-standard.html "CWI, Google announce first collision for Industry Security Standard SHA-1 | phys.org"
    [3]: https://web.archive.org/web/20240426084414/https://learn.microsoft.com/en-us/archive/technet-wiki/32288.windows-enforcement-of-sha1-certificates#microsoft-sha-1-plan "Windows Enforcement of SHA1 Certificates | Microsoft Learn | learn.microsoft.com"
    [4]: https://web.archive.org/web/20240426084436/https://learn.microsoft.com/en-us/security-updates/SecurityAdvisories/2014/2862973 "Microsoft Security Advisory 2862973 | Microsoft Learn | learn.microsoft.com"
  children:
    - name: Disable insecure "MD5" hash
      recommend: strict # Considered weak and vulnerable by numerous authoritative sources, incompatible with third-party apps such as MEGA.
      docs: |- # refactor-with-variables: Same • Compatibility Caution • handshake • vulnerability • authorities • cipher suite
        This script disables the use of the `MD5` [1] [2] [3] hash algorithm during the SSL/TLS handshake process.

        This script only affects the *SSL/TLS handshake* process.
        The *SSL/TLS handshake* is a key part of establishing a secure connection over the internet.
        By disabling this weak algorithm, the script improves the security of the connection.

        This algorithm is vulnerable to collision attacks [4] [5].
        This vulnerability enables attackers to spoof content, perform phishing, or execute man-in-the-middle attacks [6].
        Consequently, an attacker could intercept or modify data transmitted over what is believed to be a secure connection, without being detected.
        For instance, attackers could exploit this to divert your payments to their accounts, creating significant risks.

        Authorities like NIST (FIPS) [2], Federal Office for Information Security (BSI) [3], Microsoft [6], OWASP [4] [7], Internet Engineering Task Force (IETF) [8], Google [9] [10], Firefox [11] and OpenVPN [12]
        classify this algorithm as weak and recommend against its use.
        This algorithm is enabled by default on Windows [2].

        Disabling this algorithm disallows the following cipher suites:

        - `SSL_CK_DES_192_EDE3_CBC_WITH_MD5` [1]
        - `SSL_CK_DES_64_CBC_WITH_MD5` [1]
        - `SSL_CK_RC4_128_EXPORT40_MD5` [1]
        - `SSL_CK_RC4_128_WITH_MD5` [1]
        - `SSL_RSA_EXPORT_WITH_RC4_40_MD5` [2]
        - `SSL_RSA_WITH_RC4_128_MD5` [2]
        - `SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5` [2]
        - `TLS_RSA_EXPORT_WITH_RC4_40_MD5` [1] [2]
        - `TLS_RSA_WITH_NULL_MD5` [1]
        - `TLS_RSA_WITH_RC4_128_MD5` [1] [2]
        - `TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5` [2]

        > **Caution:** This may cause compatibility issues with older devices or software.

        [1]: https://web.archive.org/web/20240426090518/https://admx.help/?Category=Schannel&Policy=JMU.Policies.Schannel::MD5 "MD5 | admx.help"
        [2]: https://web.archive.org/web/20240423073705/https://learn.microsoft.com/en-US/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/restrict-cryptographic-algorithms-protocols-schannel "Restrict cryptographic algorithms and protocols - Windows Server | Microsoft Learn | learn.microsoft.com"
        [3]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
        [4]: https://web.archive.org/web/20240426090555/https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_SSL_TLS_Ciphers_Insufficient_Transport_Layer_Protection "WSTG - v4.1 | OWASP Foundation | owasp.org"
        [5]: https://web.archive.org/web/20240426090632/https://link.springer.com/chapter/10.1007/11426639_2 "How to Break MD5 and Other Hash Functions | SpringerLink | link.springer.com"
        [6]: https://web.archive.org/web/20240426084436/https://learn.microsoft.com/en-us/security-updates/SecurityAdvisories/2014/2862973 "Microsoft Security Advisory 2862973 | Microsoft Learn | learn.microsoft.com"
        [7]: https://web.archive.org/web/20240426090632/https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html "WSTG - v4.2 | OWASP Foundation | owasp.org"
        [8]: https://web.archive.org/web/20240426090640/https://www.rfc-editor.org/rfc/rfc9155.html "RFC 9155: Deprecating MD5 and SHA-1 Signature Hashes in TLS 1.2 and DTLS 1.2 | www.rfc-editor.org"
        [9]: https://web.archive.org/web/20240426090758/https://security.googleblog.com/2018/10/modernizing-transport-security.html "Google Online Security Blog: Modernizing Transport Security | security.googleblog.com"
        [10]: https://archive.ph/2024.04.26-145435/https://chromestatus.com/feature/5759116003770368 "TLS 1.0 and TLS 1.1 - Chrome Platform Status | chromestatus.com"
        [11]: https://web.archive.org/web/20240426090747/https://wiki.mozilla.org/CA:MD5and1024 "CA:MD5and1024 - MozillaWiki | wiki.mozilla.org"
        [12]: https://web.archive.org/web/20240426090919/https://openvpn.net/faq/md5-signature-algorithm-support/ "MD5 Signature Algorithm Support | OpenVPN | openvpn.net"
      call:
        function: DisableTLSHash
        parameters:
          algorithmName: MD5
    - name: Disable insecure "SHA-1" hash
      recommend: strict # Considered weak and vulnerable by numerous authoritative sources, may be incompatible with third-party apps
      docs: |- # refactor-with-variables: Same • Compatibility Caution • handshake • vulnerability • authorities • cipher suite
        This script disables the `SHA` [1] [2] [3] hash algorithm, also known as *Secure Hash Algorithm (SHA-1)* [2].

        This script only affects the *SSL/TLS handshake* process.
        The *SSL/TLS handshake* is a key part of establishing a secure connection over the internet.
        By disabling this weak algorithm, the script improves the security of the connection.

        This algorithm is vulnerable to collision attacks [4] [5] [6] [7].
        This vulnerability enables attackers to spoof content, perform phishing, or execute man-in-the-middle attacks [8].
        Consequently, an attacker could intercept or modify data transmitted over what is believed to be a secure connection, without being detected.
        For instance, attackers could exploit this to divert your payments to their accounts, creating significant risks.

        Authorities like NIST (FIPS) [2], Federal Office for Information Security (BSI) [3], Mozilla [5], Microsoft [8], Google [4] [9] [10], OWASP [11], Internet Engineering Task Force (IETF) [12], and Apple [13]
        classify this algorithm as weak and recommend against its use.

        Disabling this algorithm disallows the following cipher suites:

        - `SSL_RSA_WITH_RC4_128_SHA` [2]
        - `SSL_RSA_WITH_DES_CBC_SHA` [2]
        - `SSL_RSA_WITH_3DES_EDE_CBC_SHA` [2]
        - `SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA` [2]
        - `SSL_RSA_EXPORT1024_WITH_RC4_56_SHA` [2]
        - `TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA` [1]
        - `TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA` [1]
        - `TLS_DHE_DSS_WITH_AES_128_CBC_SHA` [1]
        - `TLS_DHE_DSS_WITH_AES_256_CBC_SHA` [1]
        - `TLS_DHE_DSS_WITH_DES_CBC_SHA` [1]
        - `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256` [1]
        - `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384` [1]
        - `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521` [1]
        - `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256` [1]
        - `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384` [1]
        - `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521` [1]
        - `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256` [1]
        - `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384` [1]
        - `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521` [1]
        - `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256` [1]
        - `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384` [1]
        - `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521` [1]
        - `TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA` [1] [2]
        - `TLS_RSA_EXPORT1024_WITH_RC4_56_SHA` [1] [2]
        - `TLS_RSA_WITH_3DES_EDE_CBC_SHA` [1] [2]
        - `TLS_RSA_WITH_AES_128_CBC_SHA` [1]
        - `TLS_RSA_WITH_AES_256_CBC_SHA` [1]
        - `TLS_RSA_WITH_DES_CBC_SHA` [1] [2]
        - `TLS_RSA_WITH_NULL_SHA` [1]
        - `TLS_RSA_WITH_RC4_128_SHA` [1] [2]

        > **Caution:** This may cause compatibility issues with older devices or software.

        [1]: https://web.archive.org/web/20240426091852/https://admx.help/?Category=Schannel&Policy=JMU.Policies.Schannel::SHA "SHA | admx.help"
        [2]: https://web.archive.org/web/20240423073705/https://learn.microsoft.com/en-US/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/restrict-cryptographic-algorithms-protocols-schannel "Restrict cryptographic algorithms and protocols - Windows Server | Microsoft Learn | learn.microsoft.com"
        [3]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
        [4]: https://web.archive.org/web/20240426091847/https://chromestatus.com/feature/4832850040324096 "Deprecate TLS SHA-1 server signatures - Chrome Platform Status | chromestatus.com"
        [5]: https://web.archive.org/web/20240426091939/https://blog.mozilla.org/security/2017/02/23/the-end-of-sha-1-on-the-public-web/ "The end of SHA-1 on the Public Web - Mozilla Security Blog | blog.mozilla.org"
        [6]: https://web.archive.org/web/20240426084414/https://phys.org/news/2017-02-cwi-google-collision-industry-standard.html "CWI, Google announce first collision for Industry Security Standard SHA-1 | phys.org"
        [7]: https://web.archive.org/web/20240426092016/https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html "Google Online Security Blog: Announcing the first SHA1 collision | security.googleblog.com"
        [8]: https://web.archive.org/web/20240426084414/https://learn.microsoft.com/en-us/archive/technet-wiki/32288.windows-enforcement-of-sha1-certificates#microsoft-sha-1-plan "Windows Enforcement of SHA1 Certificates | Microsoft Learn | learn.microsoft.com"
        [9]: https://web.archive.org/web/20240426091810/https://chromium.googlesource.com/chromium/src/+/main/docs/security/tls-sha1-server-signatures.md "Chromium Docs - TLS SHA-1 Server Signatures | chromium.googlesource.com"
        [10]: https://web.archive.org/web/20240426090758/https://security.googleblog.com/2018/10/modernizing-transport-security.html "Google Online Security Blog: Modernizing Transport Security | security.googleblog.com"
        [11]: https://web.archive.org/web/20240421101557/https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html "WSTG - v4.2 | OWASP Foundation | owasp.org"
        [12]: https://web.archive.org/web/20240426090640/https://www.rfc-editor.org/rfc/rfc9155.html "RFC 9155: Deprecating MD5 and SHA-1 Signature Hashes in TLS 1.2 and DTLS 1.2 | www.rfc-editor.org"
        [13]: https://web.archive.org/web/20240426092153/https://developer.apple.com/library/archive/releasenotes/MacOSX/WhatsNewInOSX/Articles/OSXv10.html "macOS Sierra 10.12 | developer.apple.com"
      call:
        function: DisableTLSHash
        parameters:
          algorithmName: SHA
- name: Disable insecure renegotiation
  recommend: strict # Important security improvement, but may limit compatibility with older software.
  docs: |- # refactor-with-variables: Same • Compatibility Caution
    This script enhances your security by reducing the risks associated with TLS-secured communications.
    By running this script, you proactively enhance your online privacy and protect against well-known TLS vulnerabilities.

    TLS secures internet communications.
    It allows parties such as browsers and websites to update their encryption settings through **renegotiation** [2].
    Without safeguards, attackers could intercept and compromise these communications [1] [2] [3] [4] [5] [6].
    Insecure renegotiation can let attackers hijack communications from the start, enabling unauthorized control [1], data manipulation [3] [6], DoS attacks [3], and identity spoofing [4] [5] [6].

    To counter these threats, this script implements measures standardized in RFC 5746 [1] [2], effectively closing the loophole that allowed these vulnerabilities.

    This script enhances security by blocking insecure renegotiation attempts and aims to improve compatibility with older software.
    It modifies the following system settings to achieve this:

    - `HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL!AllowInsecureRenegoClients` [1] [3]:
      Stops the client from responding to insecure renegotiation attempts [1] [3].
    - `HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL!AllowInsecureRenegoServers` [1] [3]:
      Stops the server from responding to insecure renegotiation attempts [1] [3].
    - `HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL!DisableRenegoOnClient` [3] [4]:
      Prevents the client from initiating or responding to insecure renegotiation requests [3] [4].
    - `HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL!DisableRenegoOnServer` [3] [4]:
      Prevents the server from initiating or responding to insecure renegotiation requests [3] [4].
    - `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL!UseScsvForTls` [1]:
      Enhances compatibility with older software, preventing potential communication issues [1].

    This script may impact the functionality of software using outdated and insecure communication methods [3].
    Affected software includes older versions of:

    - Internet Explorer [3] [4]
    - Internet Information Services (IIS) [3] [4]
    - Exchange ActiveSync [3] [4]
    - Outlook [3]

    > **Caution:** This may cause compatibility issues with older devices or software.
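
    The following PowerShell is an added, read-only audit (not one of this collection's own scripts) that reports whether the Schannel values written by this script, and by the cipher and hash scripts above, are at their secure setting.
    It assumes the Schannel layout described in the Microsoft article cited above, where each cipher or hash is governed by an `Enabled` DWORD under `SCHANNEL\Ciphers\<name>` or `SCHANNEL\Hashes\<name>`.

    ```powershell
    # Added audit example (not part of this collection); it reads the registry and changes nothing.
    # Assumption: each cipher and hash is governed by an `Enabled` DWORD under
    # SCHANNEL\Ciphers\<name> or SCHANNEL\Hashes\<name>, as the Microsoft article above describes.
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

    # Expected values: this script's renegotiation settings plus the cipher and hash
    # scripts that write to the same hive.
    $checks = @(
        @{ Key = "$schannel\Ciphers\Triple DES 168"; Name = 'Enabled';                    Expected = 0 }
        @{ Key = "$schannel\Ciphers\NULL";           Name = 'Enabled';                    Expected = 0 }
        @{ Key = "$schannel\Hashes\MD5";             Name = 'Enabled';                    Expected = 0 }
        @{ Key = "$schannel\Hashes\SHA";             Name = 'Enabled';                    Expected = 0 }
        @{ Key = $schannel;                          Name = 'AllowInsecureRenegoClients'; Expected = 0 }
        @{ Key = $schannel;                          Name = 'AllowInsecureRenegoServers'; Expected = 0 }
        @{ Key = $schannel;                          Name = 'DisableRenegoOnClient';      Expected = 1 }
        @{ Key = $schannel;                          Name = 'DisableRenegoOnServer';      Expected = 1 }
        @{ Key = $schannel;                          Name = 'UseScsvForTls';              Expected = 1 }
    )

    function Get-SchannelValue {
        param([string]$Key, [string]$Name)
        # A missing key or value means no explicit policy: the OS default applies.
        $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        return $item.$Name
    }

    function Test-SchannelHardening {
        foreach ($check in $checks) {
            $actual = Get-SchannelValue -Key $check.Key -Name $check.Name
            # For ciphers and hashes any non-zero Enabled value (0xffffffff included) means
            # enabled, so the comparison is against the expected value, not a fixed number.
            if ($null -eq $actual) { $state = 'Not set (OS default)' }
            elseif ($actual -eq $check.Expected) { $state = 'OK' }
            else { $state = 'INSECURE' }
            $relative = $check.Key.Substring($schannel.Length).TrimStart('\')
            if (-not $relative) { $relative = '(SCHANNEL root)' }
            [pscustomobject]@{
                Key      = $relative
                Value    = $check.Name
                Expected = $check.Expected
                Actual   = $actual
                State    = $state
            }
        }
    }

    $report = Test-SchannelHardening
    $report | Format-Table -AutoSize
    $insecure = @($report | Where-Object { $_.State -eq 'INSECURE' })
    if ($insecure.Count -gt 0) {
        Write-Warning "$($insecure.Count) Schannel setting(s) are explicitly set to an insecure value."
    }
    ```

    A value reported as `Not set` is governed by the OS default, which differs between Windows releases, so it should be compared against the defaults documented for the build in question rather than assumed secure.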

    [1]: https://web.archive.org/web/20240329131258/https://support.microsoft.com/en-us/topic/ms10-049-vulnerabilities-in-schannel-could-allow-remote-code-execution-d4258037-ad3a-c00c-250f-6c67a408bd7c "MS10-049: Vulnerabilities in SChannel could allow remote code execution - Microsoft Support | support.microsoft.com"
    [2]: https://web.archive.org/web/20240329131244/https://datatracker.ietf.org/doc/html/rfc5746 "RFC 5746 - Transport Layer Security (TLS) Renegotiation Indication Extension | ietf.org"
    [3]: https://web.archive.org/web/20240329131420/https://blogs.iis.net/windowsserver/isa-2006-tmg-2010-disable-client-initiated-ssl-renegotiation-protecting-against-dos-attacks-and-malicious-data-injection "Windows Server team Blog - ISA 2006 / TMG 2010: DISABLE CLIENT-INITIATED SSL RENEGOTIATION, PROTECTING AGAINST DOS ATTACKS AND MALICIOUS DATA INJECTION | blogs.iis.net"
    [4]: https://web.archive.org/web/20100213193718/http://support.microsoft.com/kb/977377 "Microsoft Security Advisory: Vulnerability in TLS/SSL could allow spoofing | support.microsoft.com"
    [5]: https://web.archive.org/web/20100212053756/http://www.microsoft.com/technet/security/advisory/977377.mspx "Microsoft Security Advisory (977377): Vulnerability in TLS/SSL Could Allow Spoofing | www.microsoft.com"
    [6]: https://web.archive.org/web/20240329131308/https://nvd.nist.gov/vuln/detail/cve-2009-3555 "NVD - cve-2009-3555 | nvd.nist.gov"
  call:
    - function: SetRegistryValue
      parameters:
        keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
        valueName: AllowInsecureRenegoClients
        dataType: REG_DWORD
        data: '0'
        deleteOnRevert: 'true' # Missing default value since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2)
    - function: SetRegistryValue
      parameters:
        keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
        valueName: AllowInsecureRenegoServers
        dataType: REG_DWORD
        data: '0'
        deleteOnRevert: 'true' # Missing default value since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2)
    - function: SetRegistryValue
      parameters:
        keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
        valueName: DisableRenegoOnServer
        dataType: REG_DWORD
        data: '1'
        deleteOnRevert: 'true' # Missing default value since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2)
    - function: SetRegistryValue
      parameters:
        keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
        valueName: DisableRenegoOnClient
        dataType: REG_DWORD
        data: '1'
        deleteOnRevert: 'true' # Missing default value since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2)
    - function: SetRegistryValue
      parameters:
        keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
        valueName: UseScsvForTls
        dataType: REG_DWORD
        data: '1'
        deleteOnRevert: 'true' # Missing default value since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2)
- category: Disable insecure protocols
  docs: |- # refactor-with-variables: Same • Compatibility Caution • authorities
    This category focuses on enhancing user privacy by disabling legacy and insecure communication protocols.
    It targets protocols that expose users to security vulnerabilities due to their outdated nature.
    Retaining obsolete protocols creates a false sense of security because they may seem secure but are vulnerable to exploitation [1].

    Authorities like NIST [1] (FIPS [2]), NSA (National Security Agency) [1], Office of the Chief Information Security Officer [2], Microsoft [3], Mozilla [4], PCI Security Standards Council [5], the Center for Internet Security [6], and IETF [9]
    recommend disabling insecure and obsolete protocols.

    Most modern operating systems [3] and browsers [4] disable these protocols by default.
    However, certain protocols remain active on some Windows systems [3] [7], posing security risks.
    It is crucial to disable these protocols to mitigate risks from well-known attacks such as POODLE [5] and BEAST [5].

    This category excludes the following protocols:

    - **DTLS 1.1**: DTLS 1.1 does not exist [8] [9]; its numbering was skipped to align with TLS versioning [8].
    - **TLS 1.2** and **DTLS 1.2** (based on TLS 1.2 [8]): TLS 1.2 and DTLS 1.2 are enabled by default on Windows [7] and are approved by authorities like NIST [2] and the German Federal Office for Information Security (BSI) [10].
      Disabling them could affect application functionality, and earlier versions are not widely supported by Windows [7] [10].

    > **Caution:** This may cause compatibility issues with older devices or software.

    [1]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
    [2]: https://web.archive.org/web/20240429201312/https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf "IT Security Procedural Guide: SSL/TLS Implementation CIO-IT Security-14-69 | www.gsa.gov"
    [3]: https://web.archive.org/web/20240429200538/https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-10-11-deprecation-in-windows "TLS 1.0 and TLS 1.1 deprecation in Windows - Win32 apps | Microsoft Learn | learn.microsoft.com"
    [4]: https://web.archive.org/web/20240429202616/https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/ "Removing Old Versions of TLS - Mozilla Security Blog | blog.mozilla.org"
    [5]: https://web.archive.org/web/20240429194236/https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls "Are You Ready for 30 June 2018? Saying Goodbye to SSL/early TLS | blog.pcisecuritystandards.org"
    [6]: https://web.archive.org/web/20240429201328/https://www.tenable.com/audits/items/CIS_NGINX_v2.0.1_Level_1_Webserver.audit:fc59c7d0c53f27720fcbca1df8f8fcc2 "4.1.4 Ensure only modern TLS protocols are used | Tenable® | www.tenable.com"
    [7]: https://web.archive.org/web/20240429193908/https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp- "Protocols in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn | learn.microsoft.com"
    [8]: https://web.archive.org/web/20240429193737/https://datatracker.ietf.org/doc/html/rfc6347 "RFC 6347 - Datagram Transport Layer Security Version 1.2 | datatracker.ietf.org"
    [9]: https://web.archive.org/web/20240429200613/https://datatracker.ietf.org/doc/html/rfc8996/ "RFC 8996 - Deprecating TLS 1.0 and TLS 1.1 | datatracker.ietf.org"
    [10]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
  children:
    - name: Disable insecure "SMBv1" protocol
      recommend: standard # Recommended by Microsoft, very old, has significant security vulnerabilities
      docs: |- # refactor-with-variables: Same • Compatibility Caution
        This script improves network security by disabling the outdated SMBv1 protocol.

        **SMBv1**, or **Server Message Block version 1**, is an outdated network protocol developed for file and printer sharing across networks [1] [2].
        This protocol is well-known for its vulnerabilities to cyber attacks [1] [2] [3] [4] [5].
        Microsoft deprecated SMBv1 in 2014 [6] [7].
        Since 2007, newer and more secure versions of this protocol have replaced SMBv1 in modern versions of Windows [6].
        It is still enabled by default in older Windows versions [1].

        Microsoft advises disabling this protocol to strengthen security [1] [8].
        SMB1 is not necessary for most users, as Microsoft ensures vendor support for at least SMB 2.0 [2].

        The primary reasons for disabling SMBv1 include:

        - It uses the outdated MD5 hash algorithm, vulnerable to security attacks [3].
        - It fails to meet modern security standards set by FIPS [3], CISA (US-CERT) [5], CIS (Department of Defense) [3], and Microsoft Security Baseline [8].
        - It lacks the efficiency and performance improvements present in newer versions of the protocol [2].
        - It is vulnerable to various cyber threats [1] [2] [3] [4] [5], including ransomware and malware [1] [2].

        Disabling SMBv1 may lead to compatibility issues with older network devices and software [1] [3] [6] [9].
        This may affect file sharing and print services on systems like Windows Server 2003 [3] and some older Network Attached Storage (NAS) devices [3].
        These systems are insecure and are no longer supported.

        This script makes the following changes to your system:

        - Removal of SMBv1 components:
          - `SMB1Protocol` [2] [3] [4] [10] (also known as `FS-SMB1` [2] [11])
          - `SMB1Protocol-Client` [10]
          - `SMB1Protocol-Server` [10]
        - Disabling the `mrxsmb10` (SMB 1.x MiniRedirector [12]) driver, linked with SMBv1 [1] [4] [13], and adjusting related settings to keep older systems stable [1] [4] [13].
        - Disabling server-side processing of the SMBv1 protocol using the `HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters!SMBv1` registry key [1] [14] [15].

        These changes require a system reboot to take effect [1] [4] [9].

        > **Caution:** This may cause compatibility issues with older devices or software.

        ### Overview of default feature statuses

        `SMB1Protocol`:

        |      |     |
        | ---- | --- |
        | **Feature name** | `SMB1Protocol` |
        | **Display name** | SMB 1.0/CIFS File Sharing Support |
        | **Description** | Support for the SMB 1.0/CIFS file sharing protocol, and the Computer Browser protocol. |
        | **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled |
        | **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled |

        `SMB1Protocol-Client`:

        |      |     |
        | ---- | --- |
        | **Feature name** | `SMB1Protocol-Client` |
        | **Display name** | SMB 1.0/CIFS Client |
        | **Description** | Support for the SMB 1.0/CIFS client for accessing legacy servers. |
        | **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled |
        | **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled |

        `SMB1Protocol-Server`:

        |      |     |
        | ---- | --- |
        | **Feature name** | `SMB1Protocol-Server` |
        | **Display name** | SMB 1.0/CIFS Server |
        | **Description** | Support for the SMB 1.0/CIFS file server for sharing data with legacy clients and browsing the network neighborhood. |
        | **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled |
        | **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled |

        ### Overview of default service statuses

        SMB 1.x MiniRedirector (`mrxsmb10`):

        | OS Version | Status | Start type |
        | ---------- | ------ | ---------- |
        | Windows 11 (≥ 23H2) | 🟡 Missing | N/A |
        | Windows 10 (≥ 22H2) | 🟡 Missing | N/A |

        [1]: https://web.archive.org/web/20240413122756/https://learn.microsoft.com/en-us/archive/blogs/secguide/disabling-smbv1-through-group-policy "Disabling SMBv1 through Group Policy | Microsoft Learn | learn.microsoft.com"
        [2]: https://web.archive.org/web/20240413124106/https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858 "Stop using SMB1 - Microsoft Community Hub | techcommunity.microsoft.com"
        [3]: https://web.archive.org/web/20240413124245/https://www.stigviewer.com/stig/microsoft_windows_10/2023-09-29/finding/V-220729 "The Server Message Block (SMB) v1 protocol must be disabled on the system. | www.stigviewer.com"
        [4]: https://web.archive.org/web/20240413122807/https://learn.microsoft.com/en-US/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3?tabs=server "Server | How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows | Microsoft Learn | learn.microsoft.com"
        [5]: https://web.archive.org/web/20240413124050/https://www.cisa.gov/news-events/alerts/2017/01/16/smb-security-best-practices "SMB Security Best Practices | CISA | www.cisa.gov"
        [6]: https://web.archive.org/web/20240413122812/https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows "SMBv1 is not installed by default in Windows 10 version 1709, Windows Server version 1709 and later versions | Microsoft Learn | learn.microsoft.com"
        [7]: https://web.archive.org/web/20240413124101/https://learn.microsoft.com/en-us/archive/blogs/josebda/the-deprecation-of-smb1-you-should-be-planning-to-get-rid-of-this-old-smb-dialect "The Deprecation of SMB1 – You should be planning to get rid of this old SMB dialect | Microsoft Learn | learn.microsoft.com"
        [8]: https://web.archive.org/web/20240413122800/https://learn.microsoft.com/en-us/archive/blogs/secguide/security-baseline-for-windows-10-creators-update-v1703-draft "Security baseline for Windows 10 \"Creators Update\" (v1703) – DRAFT | Microsoft Learn | learn.microsoft.com"
        [9]: https://web.archive.org/web/20240413125713/https://learn.microsoft.com/en-US/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3?tabs=client "Client | How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows | Microsoft Learn | learn.microsoft.com"
        [10]: https://web.archive.org/web/20240413124113/https://learn.microsoft.com/en-us/powershell/module/smbshare/remove-smbcomponent?view=windowsserver2025-ps&wt.mc_id=ps-gethelp "Remove-SmbComponent (SmbShare) | Microsoft Learn | learn.microsoft.com"
        [11]: https://web.archive.org/web/20240413124320/https://www.stigviewer.com/stig/windows_server_2016/2020-06-16/finding/V-73299 "The Server Message Block (SMB) v1 protocol must be uninstalled. | www.stigviewer.com"
        [12]: https://web.archive.org/web/20240413124418/https://revertservice.com/10/mrxsmb10/ "SMB 1.x MiniRedirector (mrxsmb10) Service Defaults in Windows 10 | revertservice.com"
        [13]: https://web.archive.org/web/20240413124409/https://www.stigviewer.com/stig/windows_server_20122012_r2_domain_controller/2019-01-16/finding/V-73523 "The Server Message Block (SMB) v1 protocol must be disabled on the SMB client. | www.stigviewer.com"
        [14]: https://web.archive.org/web/20240413124606/https://admx.help/?Category=security-compliance-toolkit&Policy=Microsoft.Policies.SecGuide::Pol_SecGuide_0001_SMBv1_Server "Configure SMB v1 server | admx.help"
        [15]: https://web.archive.org/web/20240418073214/https://support.microsoft.com/en-us/topic/908332b7-49de-a86c-dba3-401b9fe8116f "Server service configuration and tuning - Microsoft Support | support.microsoft.com"
      call:
        - function: DisableWindowsFeature
          parameters:
            featureName: SMB1Protocol # Get-WindowsOptionalFeature -FeatureName 'SMB1Protocol' -Online
            disabledByDefault: 'true'
        - function: DisableWindowsFeature
          parameters:
            featureName: SMB1Protocol-Client # Get-WindowsOptionalFeature -FeatureName 'SMB1Protocol-Client' -Online
            disabledByDefault: 'true'
        - function: DisableWindowsFeature
          parameters:
            featureName: SMB1Protocol-Server # Get-WindowsOptionalFeature -FeatureName 'SMB1Protocol-Server' -Online
            disabledByDefault: 'true'
        - function: DisableService
          parameters:
            serviceName: mrxsmb10 # Check: (Get-Service -Name 'mrxsmb10').StartType
            defaultStartupMode: Automatic # Allowed values: Boot | System | Automatic | Manual
            ignoreMissingOnRevert: 'true' # This service is only available when SMB1 feature is installed
        - function: RunInlineCode # This ensures that `lanmanworkstation` does not depend on `mrxsmb10` to avoid potential system issues.
          # Its configuration is already the OS default on modern versions of Windows, see: `sc qc lanmanworkstation`.
          parameters:
            code: sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
            revertCode: sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
        - function: SetRegistryValue
          parameters:
            keyPath: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
            valueName: SMBv1
            dataType: REG_DWORD
            data: '0'
            deleteOnRevert: 'true' # Missing value by default since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2)
        - function: ShowComputerRestartSuggestion
    - name: Disable insecure "NetBios" protocol
      recommend: standard
      docs: |- # refactor-with-variables: Same • Compatibility Caution
        This script enhances your network's security by turning off NetBIOS over TCP/IP for all network interfaces.

        NetBIOS is a protocol primarily used for backward compatibility with older Windows systems [1] [2].
        NetBIOS and LLMNR are susceptible to hacking techniques like spoofing [1] [2] [3] [4] [5] and man-in-the-middle attacks [1] [2] [6], risking your credentials and unauthorized network access [2] [5] [6].

        NetBIOS was initially created for communication between applications in small networks [1] [3] [5] [7].
        Its lack of authentication makes it easy for attackers to redirect traffic or fake network services [1] [2] [3] [4] [5] [6].

        Disabling NetBIOS helps protect against these security risks and reduces the exposure of Windows-specific services to potential attackers.

        The script disables NetBIOS by changing a registry value (`HKLM\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\{Interface}!NetbiosOptions` [1] [8])
        from its default of `0` (enabled) [5] to `2` (disabled) [5] [8] for each network interface.

        > **Caution:** This may cause compatibility issues with older devices or software.
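
        As an added example (not one of this collection's scripts), the following read-only PowerShell reports the state of the SMBv1 features, driver and registry value named in the previous script together with the per-interface NetBIOS setting this script changes.
        It assumes `Get-SmbServerConfiguration` and `Get-NetAdapter` are available (Windows 8 / Server 2012 and later), that the driver's start type is stored in the `Start` value of its service key, and that the Workstation service's dependencies are stored in the `DependOnService` value of its service key.

        ```powershell
        # Added audit example (not part of this collection); it reads state and changes nothing.
        # Assumptions: feature, driver and registry names as used by the SMBv1 and NetBIOS scripts;
        # Get-SmbServerConfiguration and Get-NetAdapter available (Windows 8 / Server 2012 and later).

        function Get-Smb1State {
            $rows = foreach ($feature in 'SMB1Protocol', 'SMB1Protocol-Client', 'SMB1Protocol-Server') {
                $info = Get-WindowsOptionalFeature -Online -FeatureName $feature -ErrorAction SilentlyContinue
                # 'Disabled' is the expected state; a feature the OS no longer ships is reported as such.
                $state = if ($null -eq $info) { 'Not present' } else { [string]$info.State }
                [pscustomobject]@{ Item = "Feature $feature"; State = $state }
            }
            # Effective server-side setting as reported by the SMB server itself (expect False).
            $rows += [pscustomobject]@{
                Item  = 'SMB server EnableSMB1Protocol'
                State = [string](Get-SmbServerConfiguration).EnableSMB1Protocol
            }
            # Explicit registry override written by the script; absent means the OS default applies.
            $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            $reg = (Get-ItemProperty -Path $lanman -Name SMBv1 -ErrorAction SilentlyContinue).SMBv1
            $state = if ($null -eq $reg) { 'Not set' } else { [string]$reg }   # expect 0
            $rows += [pscustomobject]@{ Item = 'LanmanServer!SMBv1 registry value'; State = $state }
            # SMB 1.x MiniRedirector driver: its service key is missing once the client feature is removed.
            $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
            $drvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'
            $start = (Get-ItemProperty -Path $drvKey -Name Start -ErrorAction SilentlyContinue).Start
            if ($null -eq $start) { $state = 'Missing' }
            elseif ($startNames.ContainsKey([int]$start)) { $state = "Present, start type $($startNames[[int]$start])" }
            else { $state = "Present, Start=$start" }
            $rows += [pscustomobject]@{ Item = 'mrxsmb10 driver'; State = $state }
            # The Workstation service must not list mrxsmb10 among its dependencies.
            $wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'
            $deps = @((Get-ItemProperty -Path $wks -Name DependOnService -ErrorAction SilentlyContinue).DependOnService)
            $state = if ($deps -contains 'mrxsmb10') { "INSECURE: $($deps -join '/')" } else { $deps -join '/' }
            $rows += [pscustomobject]@{ Item = 'LanmanWorkstation dependencies'; State = $state }
            $rows
        }

        function Get-NetbiosState {
            $netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
            $adapters = @(Get-NetAdapter -ErrorAction SilentlyContinue)
            $labels = @{ 0 = 'Default (enabled)'; 1 = 'Enabled'; 2 = 'Disabled' }
            foreach ($key in Get-ChildItem -Path $netbt) {
                $options = (Get-ItemProperty -Path $key.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
                # Key names are Tcpip_{interface GUID}; map the GUID back to an adapter name when possible.
                $guid = $key.PSChildName -replace '^Tcpip_', ''
                $adapter = $adapters | Where-Object { $_.InterfaceGuid -eq $guid }
                if ($null -eq $options) { $state = 'Not set (default)' }
                elseif ($labels.ContainsKey([int]$options)) { $state = $labels[[int]$options] }
                else { $state = 'Unknown' }
                [pscustomobject]@{
                    Interface      = if ($adapter) { $adapter.Name } else { $key.PSChildName }
                    NetbiosOptions = $options
                    State          = $state
                }
            }
        }

        Get-Smb1State | Format-Table -AutoSize
        Get-NetbiosState | Format-Table -AutoSize
        ```

        Interfaces without a matching adapter (removed hardware, virtual adapters) are listed under their registry key name, and those still at `0` or `1` are the ones the script above would change.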

            [1]: https://web.archive.org/web/20240218210552/https://bobcares.com/blog/disable-netbios-and-llmnr-protocols-in-windows-using-gpo/ "Disable NetBIOS and LLMNR Protocols in Windows Using GPO | bobcares.com"
            [2]: https://web.archive.org/web/20240218211748/https://en.wikipedia.org/wiki/NetBIOS_over_TCP/IP "NetBIOS over TCP/IP - Wikipedia | en.wikipedia.org"
            [3]: https://web.archive.org/web/20240218210736/https://4sysops.com/archives/disable-netbios-in-windows-networks/ "Disable NetBIOS in Windows networks – 4sysops | 4sysops.com"
            [4]: https://web.archive.org/web/20240218211817/https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning/ "Local Network Attacks: LLMNR and NBT-NS Poisoning - Stern Security | www.sternsecurity.com"
            [5]: https://web.archive.org/web/20240218210635/https://10dsecurity.com/blog-saying-goodbye-netbios.html "Saying Goodbye To NetBIOS | 10-D Security | 10dsecurity.com"
            [6]: https://web.archive.org/web/20240218210724/http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html "Packetstan: NBNS Spoofing on your way to World Domination | www.packetstan.com"
            [7]: https://web.archive.org/web/20240218211730/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc940063%28v=technet.10%29?redirectedfrom=MSDN "NetBIOS Over TCP/IP | Microsoft Learn | learn.microsoft.com"
            [8]: https://web.archive.org/web/20240218210626/https://learn.microsoft.com/en-us/archive/msdn-technet-forums/c5f3c095-1ad2-4963-b075-787f800b81f2 "Disabling NETBIOS via GP | Microsoft Learn | social.technet.microsoft.com"
          call:
            function: RunPowerShell
            parameters:
              code: |-
                $key = 'HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces'
                Get-ChildItem $key | ForEach { Set-ItemProperty -Path "$key\$($_.PSChildName)" -Name NetbiosOptions -Value 2 -Verbose }
              revertCode: |-
                $key = 'HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces'
                Get-ChildItem $key | ForEach { Set-ItemProperty -Path "$key\$($_.PSChildName)" -Name NetbiosOptions -Value 0 -Verbose }
        -
          name: Disable insecure "SSL 2.0" protocol
          recommend: standard # Outdated protocol, removed from Windows
          docs: |-
            # refactor-with-variables: Same • Compatibility Caution • identified as • authorities • previously enabled
            This script disables the SSL 2.0 protocol.
            This protocol is identified as `SSL 2.0` on Windows [1] [2] [3], and is also known as *SSL2* [4] [5].

            Modern Windows systems no longer include SSL 2.0 due to its security flaws [2] [4].
            It was previously enabled by default [4], posing significant security risks from well-known vulnerabilities [5].

            Authorities like NIST (FIPS) [6], NSA (National Security Agency) [7], PCI Security Standards Council [8], IETF [5],
            and the Federal Office for Information Security (BSI) [3] recommend disabling this insecure and obsolete protocol.

            > **Caution:** This may cause compatibility issues with older devices or software.

            [1]: https://web.archive.org/web/20240429203554/https://admx.help/?Category=Schannel&Policy=Microsoft.Policies.SSLControl::PROTO_Enable_SSL_2_0 "Secure Sockets Layer (SSL) 2.0 | admx.help"
            [2]: https://web.archive.org/web/20180228160431/https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#ssl-20 "Transport Layer Security (TLS) registry settings | Microsoft Docs | docs.microsoft.com"
            [3]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
            [4]: https://web.archive.org/web/20240429193908/https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp- "Protocols in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn | learn.microsoft.com"
            [5]: https://web.archive.org/web/20240429203545/https://datatracker.ietf.org/doc/html/rfc6176 "RFC 6176 - Prohibiting Secure Sockets Layer (SSL) Version 2.0 | datatracker.ietf.org"
            [6]: https://web.archive.org/web/20240429201312/https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf "IT Security Procedural Guide: SSL/TLS Implementation CIO-IT Security-14-69 | www.gsa.gov"
            [7]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
            [8]: https://web.archive.org/web/20240429194236/https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls "Are You Ready for 30 June 2018? Saying Goodbye to SSL/early TLS | blog.pcisecuritystandards.org"
          call:
            function: DisableTLSProtocol
            parameters:
              protocolName: SSL 2.0
        -
          name: Disable insecure "SSL 3.0" protocol
          recommend: standard # Outdated protocol, disabled by default
          docs: |-
            # refactor-with-variables: Same • Compatibility Caution • identified as • authorities • previously enabled
            This script disables the SSL 3.0 protocol.
            This protocol is identified as `SSL 3.0` on Windows [1] [2] [3], and is also known as *SSL3* [4] or *SSLv3* [5].

            Modern Windows systems disable SSL 3.0 by default due to its security flaws [2] [4].
            It was previously enabled by default [4], posing significant security risks from well-known vulnerabilities,
            including the POODLE [6] [7] [8] [9] and BEAST [7] attacks.

            Authorities like NIST (FIPS) [8] [9], IETF [6], Apple [5], PCI Security Standards Council [7],
            Federal Office for Information Security (BSI) [3], Office of the Chief Information Security Officer [8],
            NSA (National Security Agency) [10], and The Center for Internet Security (CIS) [9]
            recommend disabling this insecure and obsolete protocol.

            > **Caution:** This may cause compatibility issues with older devices or software.

            [1]: https://web.archive.org/web/20240429205252/https://admx.help/?Category=Schannel&Policy=Microsoft.Policies.SSLControl::PROTO_Enable_SSL_3_0 "Secure Sockets Layer (SSL) 3.0 | admx.help"
            [2]: https://web.archive.org/web/20180228160431/https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#ssl-30 "Transport Layer Security (TLS) registry settings | Microsoft Docs | docs.microsoft.com"
            [3]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
            [4]: https://web.archive.org/web/20240429193908/https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp- "Protocols in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn | learn.microsoft.com"
            [5]: https://web.archive.org/web/20240426092153/https://developer.apple.com/library/archive/releasenotes/MacOSX/WhatsNewInOSX/Articles/OSXv10.html "macOS Sierra 10.12 | developer.apple.com"
            [6]: https://web.archive.org/web/20240429205513/https://datatracker.ietf.org/doc/html/rfc7568 "RFC 7568 - Deprecating Secure Sockets Layer Version 3.0 | datatracker.ietf.org"
            [7]: https://web.archive.org/web/20240429194236/https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls "Are You Ready for 30 June 2018? Saying Goodbye to SSL/early TLS | blog.pcisecuritystandards.org"
            [8]: https://web.archive.org/web/20240429201312/https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf "IT Security Procedural Guide: SSL/TLS Implementation CIO-IT Security-14-69 | www.gsa.gov"
            [9]: https://web.archive.org/web/20240429201328/https://www.tenable.com/audits/items/CIS_NGINX_v2.0.1_Level_1_Webserver.audit:fc59c7d0c53f27720fcbca1df8f8fcc2 "4.1.4 Ensure only modern TLS protocols are used | Tenable® | www.tenable.com"
            [10]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
          call:
            function: DisableTLSProtocol
            parameters:
              protocolName: SSL 3.0
        -
          name: Disable insecure "TLS 1.0" protocol
          recommend: strict # Newly disabled by Microsoft, but may lead to compatibility issues
          docs: |-
            # refactor-with-variables: Same • Compatibility Caution • identified as • authorities • browsers • previously enabled
            This script disables the TLS 1.0 protocol [1] [2] [3].
            This protocol is identified as `TLS 1.0` on Windows [1] [2] [3].

            Although deprecated and unsupported in newer Windows versions [4], it remains enabled by default in older versions [5].
            This protocol has well-documented security vulnerabilities [6], including security attacks such as BEAST and Klima [7].
            Major browsers, including Safari [8], Firefox [9], Chrome [10] and Edge [11], now disable this protocol by default.

            Authorities like NIST (FIPS) [7], IETF [6] [9], NSA (National Security Agency) [7] [12], Apple [8], Mozilla [9],
            Microsoft [4] [11], Google [10], PCI Security Standards Council [13] [14], Federal Office for Information Security (BSI) in Germany [3],
            Office of the Chief Information Security Officer [11], and The Center for Internet Security (CIS) [14]
            recommend disabling this insecure and obsolete protocol.

            While disabling TLS 1.0 improves security, it may disrupt certain older applications that depend on this protocol [4] [7].

            > **Caution:** This may cause compatibility issues with older devices or software.

            [1]: https://web.archive.org/web/20240429210356/https://admx.help/?Category=Schannel&Policy=Microsoft.Policies.SSLControl::PROTO_Enable_TLS_1_0 "Transport Layer Security (TLS) 1.0 | admx.help"
            [2]: https://web.archive.org/web/20180228160431/https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#dtls-10 "Transport Layer Security (TLS) registry settings | Microsoft Docs | docs.microsoft.com"
            [3]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
            [4]: https://web.archive.org/web/20240429200538/https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-10-11-deprecation-in-windows "TLS 1.0 and TLS 1.1 deprecation in Windows - Win32 apps | Microsoft Learn | learn.microsoft.com"
            [5]: https://web.archive.org/web/20240429193908/https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp- "Protocols in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn | learn.microsoft.com"
            [6]: https://web.archive.org/web/20240429200613/https://datatracker.ietf.org/doc/html/rfc8996/ "RFC 8996 - Deprecating TLS 1.0 and TLS 1.1 | datatracker.ietf.org"
            [7]: https://web.archive.org/web/20240429201312/https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf "IT Security Procedural Guide: SSL/TLS Implementation CIO-IT Security-14-69 | www.gsa.gov"
            [8]: https://web.archive.org/web/20240429210701/https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/ "Deprecation of Legacy TLS 1.0 and 1.1 Versions | WebKit | webkit.org"
            [9]: https://web.archive.org/web/20240429202616/https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/ "Removing Old Versions of TLS - Mozilla Security Blog | blog.mozilla.org"
            [10]: https://archive.ph/2024.04.26-145435/https://chromestatus.com/feature/5759116003770368 "TLS 1.0 and TLS 1.1 - Chrome Platform Status | chromestatus.com"
            [11]: https://web.archive.org/web/20240029210517/https://blogs.windows.com/msedgedev/2018/10/15/modernizing-tls-edge-ie11/ "Modernizing TLS connections in Microsoft Edge and Internet Explorer 11 - Microsoft Edge Blog | blogs.windows.com"
            [12]: https://web.archive.org/web/20240429104097/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
            [13]: https://web.archive.org/web/20240029194213/https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls "Are You Ready for 30 June 2018? Saying Goodbye to SSL/early TLS | blog.pcisecuritystandards.org"
            [14]: https://web.archive.org/web/20240429201328/https://www.tenable.com/audits/items/CIS_NGINX_v2.0.1_Level_1_Webserver.audit:fc59c7d0c53f27720fcbca1df8f8fcc2 "4.1.4 Ensure only modern TLS protocols are used | Tenable® | www.tenable.com"
          call:
            function: DisableTLSProtocol
            parameters:
              protocolName: TLS 1.0
        -
          name: Disable insecure "TLS 1.1" protocol
          recommend: strict # Deprecated by Microsoft, but may lead to compatibility issues
          docs: |-
            # refactor-with-variables: Same • Compatibility Caution • identified as • authorities • browsers • previously enabled
            This script disables the TLS 1.1 protocol.
            This protocol is identified as `TLS 1.1` on Windows [1] [2] [3].

            Although deprecated and unsupported in newer Windows versions [4], it remains enabled by default in older versions [5].
            This protocol contains fundamental, well-documented security vulnerabilities [6].
            Major browsers [7], including Safari [8], Firefox [9], Chrome [10] and Edge [11], now disable this protocol by default.

            Authorities like NIST (FIPS) [12], IETF [6] [9], NSA (National Security Agency) [12] [13], Apple [8], Mozilla [9],
            Microsoft [4] [11], Google [10], PCI Security Standards Council [3], Federal Office for Information Security (BSI) in Germany [3],
            Office of the Chief Information Security Officer [12], and The Center for Internet Security (CIS) [7]
            recommend disabling this insecure and obsolete protocol.

            While disabling TLS 1.1 improves security, it may disrupt certain older applications that depend on this protocol [4] [12].

            > **Caution:** This may cause compatibility issues with older devices or software.

            [1]: https://web.archive.org/web/20240429211424/https://admx.help/?Category=Schannel&Policy=Microsoft.Policies.SSLControl::PROTO_Enable_TLS_1_1 "Transport Layer Security (TLS) 1.1 | admx.help"
            [2]: https://web.archive.org/web/20180228160431/https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#tls-11 "Transport Layer Security (TLS) registry settings | Microsoft Docs | docs.microsoft.com"
            [3]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
            [4]: https://web.archive.org/web/20240429200538/https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-10-11-deprecation-in-windows "TLS 1.0 and TLS 1.1 deprecation in Windows - Win32 apps | Microsoft Learn | learn.microsoft.com"
            [5]: https://web.archive.org/web/20240429193908/https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp- "Protocols in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn | learn.microsoft.com"
            [6]: https://web.archive.org/web/20240429200613/https://datatracker.ietf.org/doc/html/rfc8996/ "RFC 8996 - Deprecating TLS 1.0 and TLS 1.1 | datatracker.ietf.org"
            [7]: https://web.archive.org/web/20240429201328/https://www.tenable.com/audits/items/CIS_NGINX_v2.0.1_Level_1_Webserver.audit:fc59c7d0c53f27720fcbca1df8f8fcc2 "4.1.4 Ensure only modern TLS protocols are used | Tenable® | www.tenable.com"
            [8]: https://web.archive.org/web/20240429210701/https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/ "Deprecation of Legacy TLS 1.0 and 1.1 Versions | WebKit | webkit.org"
            [9]: https://web.archive.org/web/20240429202616/https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/ "Removing Old Versions of TLS - Mozilla Security Blog | blog.mozilla.org"
            [10]: https://archive.ph/2024.04.26-145435/https://chromestatus.com/feature/5759116003770368 "TLS 1.0 and TLS 1.1 - Chrome Platform Status | chromestatus.com"
            [11]: https://web.archive.org/web/20240429210548/https://blogs.windows.com/msedgedev/2018/10/15/modernizing-tls-edge-ie11/ "Modernizing TLS connections in Microsoft Edge and Internet Explorer 11 - Microsoft Edge Blog | blogs.windows.com"
            [12]: https://web.archive.org/web/20240429201312/https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf "IT Security Procedural Guide: SSL/TLS Implementation CIO-IT Security-14-69 | www.gsa.gov"
            [13]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
          call:
            function: DisableTLSProtocol
            parameters:
              protocolName: TLS 1.1
        -
          name: Disable insecure "DTLS 1.0" protocol
          docs: |-
            # refactor-with-variables: Same • Compatibility Caution • identified as • authorities • DTLS explanation
            This script disables the DTLS 1.0 protocol.
            This protocol is identified as `DTLS 1.0` on Windows [1] [2].
            It is enabled by default [2].

            DTLS (*Datagram Transport Layer Security*) provides secure communication over the UDP protocol [3].
            Based on the TLS protocol, DTLS offers equivalent security measures [3].
            Common uses include online gaming, DNS lookups, and VPN services.

            It is considered insecure [4] [5] and has been deprecated by Microsoft due to its vulnerabilities [6].
            It's based on TLS 1.1 [4], which is also deprecated and insecure [4] [5] [6] [7].

            Authorities like NIST (FIPS) [7], IETF [4], Microsoft [6], and NSA (National Security Agency) [5]
            recommend disabling this insecure and obsolete protocol.

            > **Caution:** This may cause compatibility issues with older devices or software.

            [1]: https://web.archive.org/web/20180228160431/https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#dtls-10 "Transport Layer Security (TLS) registry settings | Microsoft Docs | docs.microsoft.com"
            [2]: https://web.archive.org/web/20240429193908/https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp- "Protocols in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn | learn.microsoft.com"
            [3]: https://web.archive.org/web/20240503122222/https://learn.microsoft.com/en-us/windows-server/security/tls/datagram-transport-layer-security-protocol "Datagram Transport Layer Security protocol | Microsoft Learn | learn.microsoft.com"
            [4]: https://web.archive.org/web/20240429200613/https://datatracker.ietf.org/doc/html/rfc8996/ "RFC 8996 - Deprecating TLS 1.0 and TLS 1.1 | datatracker.ietf.org"
            [5]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
            [6]: https://web.archive.org/web/20240429200538/https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-10-11-deprecation-in-windows "TLS 1.0 and TLS 1.1 deprecation in Windows - Win32 apps | Microsoft Learn | learn.microsoft.com"
            [7]: https://web.archive.org/web/20240429201312/https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf "IT Security Procedural Guide: SSL/TLS Implementation CIO-IT Security-14-69 | www.gsa.gov"
          call:
            function: DisableTLSProtocol
            parameters:
              protocolName: DTLS 1.0
        -
          name: Disable insecure "LM & NTLM" protocols
          recommend: standard
          docs: |-
            This script improves security by setting the LanMan authentication level to send NTLMv2 responses only,
            refusing LM and NTLM [1] [2], which are older and less secure methods [1] [3].
            While Kerberos v5 is the default authentication protocol for domain accounts, NTLM is still used for compatibility
            with older systems and for authenticating logons to standalone computers [1].

            The script sets the `HKLM\System\CurrentControlSet\Control\Lsa!LmCompatibilityLevel` registry value to `5`
            to enforce this security measure [1] [2].

            > **Caution:** This may cause compatibility issues with older devices or software.

            [1]: https://web.archive.org/web/20240510175526/https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63801 "The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM. | www.stigviewer.com"
            [2]: https://web.archive.org/web/20240315114408/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level "Network security LAN Manager authentication level - Windows 10 | Microsoft Learn | learn.microsoft.com"
            [3]: https://web.archive.org/web/20240510182417/https://support.microsoft.com/en-us/topic/security-guidance-for-ntlmv1-and-lm-network-authentication-da2168b6-4a31-0088-fb03-f081acde6e73 "Security guidance for NTLMv1 and LM network authentication - Microsoft Support | support.microsoft.com"
          call:
            function: SetRegistryValue
            parameters:
              keyPath: HKLM\SYSTEM\CurrentControlSet\Control\Lsa
              valueName: LmCompatibilityLevel
              dataType: REG_DWORD
              data: "5"
              deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
        -
          name: Disable insecure connections from .NET apps
          recommend: strict # Default since .NET 4.6 and above, absence considered vulnerability, but can still break legacy apps
          docs: |-
            # refactor-with-variables: Same • authorities • applies to all .NET
            This script improves security by enforcing secure network connections across all .NET applications.
            By setting the `SchUseStrongCrypto` configuration [1] [2] [3] [4], it prevents the use of outdated and insecure connections, including:

            - Protocols weaker than TLS 1.1 [1] [4] and TLS 1.2 [1] [2] [4].
            - Cipher algorithms such as RC4 [4] [5], NULL [6], DES [6], and export suites [6].
            - Hash algorithms like MD5 [6].

            Authorities like Microsoft [1] and the Department of Defense (DoD) [3] recommend this configuration as part of their security guidelines.

            This script applies to all .NET applications on the system [1].
            A ***.NET application*** is any software developed using Microsoft's .NET platform [7].
            This includes many third-party and system applications on Windows, like PowerShell [8].
            A .NET application can be of various types, ranging from mobile apps to cloud services [7].

            This script affects only the client-side (outgoing) connections of an application [1].
            It secures outgoing data from the application without changing how incoming data is handled.

            You must restart your system after running this script to activate the security improvements [2] [5].

            > **Caution:** This script may disrupt applications relying on legacy services that lack support for
            > modern cryptographic standards [1].

            [1]: https://web.archive.org/web/20240503121044/https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls "Transport Layer Security (TLS) best practices with .NET Framework | Microsoft Learn | learn.microsoft.com"
            [2]: https://web.archive.org/web/20240503121339/https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enabling-strong-authentication-for-net-applications "Manage SSL/TLS protocols and cipher suites for AD FS | Microsoft Learn | learn.microsoft.com"
            [3]: https://web.archive.org/web/20240503121520/https://www.stigviewer.com/stig/tanium_7.x/2022-08-24/finding/V-253876 "The SchUseStrongCrypto registry value must be set. | www.stigviewer.com"
            [4]: https://web.archive.org/web/20240503121100/https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client "How to enable Transport Layer Security (TLS) 1.2 on clients - Configuration Manager | Microsoft Learn | learn.microsoft.com"
            [5]: https://web.archive.org/web/20240503121456/https://learn.microsoft.com/en-us/security-updates/SecurityAdvisories/2015/2960358 "Microsoft Security Advisory 2960358 | Microsoft Learn | learn.microsoft.com"
            [6]: https://web.archive.org/web/20240503121605/https://learn.microsoft.com/en-us/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server#sch_use_strong_crypto-option-changes "TLS (Schannel SSP) | Microsoft Learn"
            [7]: https://web.archive.org/web/20240503121040/https://en.wikipedia.org/wiki/.NET ".NET - Wikipedia | en.wikipedia.org"
            [8]: https://web.archive.org/web/20240503103126/https://learn.microsoft.com/en-us/powershell/scripting/overview?view=powershell-7.4 "What is PowerShell? - PowerShell | Microsoft Learn | learn.microsoft.com"
          call:
            -
              function: SetDotNetRegistryKey
              parameters:
                valueName: SchUseStrongCrypto
                valueData: '1'
            -
              function: ShowComputerRestartSuggestion
        -
          category: Enable secure connections
          docs: |-
            # refactor-with-variables: Same • Compatibility Caution
            This category configures essential security settings to protect network communications.
            Newer security standards offer improved protection against vulnerabilities found in older versions [1].
            Scripts within this category enhance your privacy and security by enabling these standards to maintain the integrity of network communications.

            > **Caution:** This may cause compatibility issues with older devices or software.

            [1]: https://web.archive.org/web/20240429201328/https://www.tenable.com/audits/items/CIS_NGINX_v2.0.1_Level_1_Webserver.audit:fc59c7d0c53f27720fcbca1df8f8fcc2 "4.1.4 Ensure only modern TLS protocols are used | Tenable® | www.tenable.com"
          children:
            -
              name: Enable secure "DTLS 1.2" protocol
              recommend: standard # Enabled by default ≥ Windows 10, version 1607, script does not run on older versions
              docs: |-
                # refactor-with-variables: Same • Compatibility Caution • DTLS explanation • minimum version safeguard
                This script enables the DTLS 1.2 protocol.
                This protocol is identified as `DTLS 1.2` on Windows [1] [2].

                DTLS (*Datagram Transport Layer Security*) provides secure communication over the UDP protocol [3].
                Based on the TLS protocol, DTLS offers equivalent security measures [3].
                Common uses include online gaming, DNS lookups, and VPN services.

                Despite being superseded by the more secure DTLS 1.3 [4], DTLS 1.2 is still approved by authorities like NIST [5], NSA [6],
                and the German Federal Office for Information Security [2].
                DTLS 1.2 is based on TLS 1.2 [7].
                It's supported by Windows since Windows 10 version 1607 and by Windows Server 2016 Standard [8] [9].
                privacy.sexy chooses DTLS 1.2 over DTLS 1.3 due to the lack of support for DTLS 1.3 on Windows platforms [8].

                This script only works on Windows 10 version 1607 or newer.
                This restriction is in place to maintain system stability by allowing only supported Windows versions to use the protocol.

                > **Caution:** This may cause compatibility issues with older devices or software.

                [1]: https://web.archive.org/web/20240402112853/https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#tls-dtls-and-ssl-protocol-version-settings "Transport Layer Security (TLS) registry settings | Microsoft Learn | learn.microsoft.com"
                [2]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
                [3]: https://web.archive.org/web/20240503122222/https://learn.microsoft.com/en-us/windows-server/security/tls/datagram-transport-layer-security-protocol "Datagram Transport Layer Security protocol | Microsoft Learn | learn.microsoft.com"
                [4]: https://web.archive.org/web/20240503121839/https://datatracker.ietf.org/doc/html/rfc9147 "RFC 9147 - The Datagram Transport Layer Security (DTLS) Protocol Version 1.3 | datatracker.ietf.org"
                [5]: https://web.archive.org/web/20240503122007/https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf "Implementation Guidance for FIPS 140-3 and the Cryptographic Module Validation Program | National Institute of Standards and Technology Canadian Centre for Cyber Security | csrc.nist.gov"
                [6]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
                [7]: https://web.archive.org/web/20240429193737/https://datatracker.ietf.org/doc/html/rfc6347 "RFC 6347 - Datagram Transport Layer Security Version 1.2 | datatracker.ietf.org"
                [8]: https://web.archive.org/web/20240429193908/https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp- "Protocols in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn | learn.microsoft.com"
                [9]: https://web.archive.org/web/20240503121605/https://learn.microsoft.com/en-us/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server#dtls-12 "TLS (Schannel SSP) | Microsoft Learn"
              call:
                function: EnableTLSProtocol
                parameters:
                  protocolName: DTLS 1.2
                  minimumWindowsVersion: Windows10-1607
            -
              name: Enable secure "TLS 1.3" protocol
              recommend: standard # Enabled by default ≥ Windows 11, script does not run on older versions
              docs: |-
                # refactor-with-variables: Same • Compatibility Caution • Authorities • minimum version safeguard
                This script enables the TLS 1.3 protocol.
                This protocol is identified as `TLS 1.3` on Windows [1].

                TLS 1.3 is the latest and most secure version of the TLS protocol [2].
                It is supported starting with Windows 11 and Windows Server 2022 [3] [4].
                On these systems, TLS 1.3 is enabled by default [3].

                Authorities like NSA (National Security Agency) [5] [6], Federal Office for Information Security (BSI) [1],
                The Center for Internet Security [7], NIST [8], Microsoft [9], Mozilla [10], and Apple [11]
                recommend using this protocol for its enhanced security.

                This script only works on Windows 11 or newer.
                This restriction is in place to maintain system stability [3] [4] by allowing only supported Windows versions to use the protocol.

                > **Caution:** This may cause compatibility issues with older devices or software.
[1]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de" [2]: https://web.archive.org/web/20240503122214/https://datatracker.ietf.org/doc/html/rfc8446 "RFC 8446 - The Transport Layer Security (TLS) Protocol Version 1.3 | datatracker.ietf.org" [3]: https://web.archive.org/web/20240429193908/https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp- "Protocols in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240503122422/https://github.com/undergroundwires/privacy.sexy/issues/175 "Add TLS 1.3 support warning · Issue #175 · undergroundwires/privacy.sexy | github.com" [5]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov" [6]: https://web.archive.org/web/20240503122227/https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf "NIST SP 800-52 Rev. 
2: Guidelines for the Selection, Configuration, and Use of Transport | nvlpubs.nist.gov" [7]: https://web.archive.org/web/20240429201328/https://www.tenable.com/audits/items/CIS_NGINX_v2.0.1_Level_1_Webserver.audit:fc59c7d0c53f27720fcbca1df8f8fcc2 "4.1.4 Ensure only modern TLS protocols are used | Tenable® | www.tenable.com" [8]: https://web.archive.org/web/20240429201312/https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf "IT Security Procedural Guide: SSL/TLS Implementation CIO-IT Security-14-69 | www.gsa.gov" [9]: https://web.archive.org/web/20240429200538/https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-10-11-deprecation-in-windows "TLS 1.0 and TLS 1.1 deprecation in Windows - Win32 apps | Microsoft Learn | learn.microsoft.com" [10]: https://web.archive.org/web/20240429202616/https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/ "Removing Old Versions of TLS - Mozilla Security Blog | blog.mozilla.org" [11]: https://web.archive.org/web/20240429210701/https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/ "Deprecation of Legacy TLS 1.0 and 1.1 Versions | WebKit | webkit.org" call: function: EnableTLSProtocol parameters: protocolName: TLS 1.3 minimumWindowsVersion: Windows11 - name: Enable secure connections for legacy .NET apps recommend: strict # Default since .NET 4.6 and above, but can still break legacy apps docs: |- # refactor-with-variables: Same • Compatibility Caution • applies to all .NET This script provides secure connections for older .NET Framework applications. It enables the automatic adoption of newer, more secure protocols as supported by the operating system [1]. If the operating system supports newer TLS versions, applications will automatically use these without any need for modifications to the application code or .NET Framework settings [1] [2] [3]. 
For example, this configuration enables .NET Framework 3.5 applications, which do not natively support TLS 1.2, to adopt TLS 1.2 [2]. This script applies to all .NET applications on the system [1]. A ***.NET application*** is any software developed using Microsoft's .NET platform [4]. This includes many third-party and system applications on Windows, like PowerShell [5]. A .NET application can be of various types, ranging from mobile apps to cloud services [4]. This script modifies the `SystemDefaultTlsVersions` configuration [1] [2] [3] [6] [7]. This setting enables the operating system to automatically select the most secure available protocol for .NET applications [1]. Thus, applications automatically benefit from future security enhancements and new protocols added to the operating system, without the need for updates [1]. This maintains ongoing security as new TLS versions emerge and older ones are retired [1]. It may also resolve compatibility issues with older devices or software [7]. However, it may also result in compatibility issues if the system defaults are too restrictive [8]. > **Caution:** This may cause compatibility issues with older devices or software. 
[1]: https://web.archive.org/web/20240503121044/https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls "Transport Layer Security (TLS) best practices with .NET Framework | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240503120928/https://support.microsoft.com/en-us/topic/cumulative-update-for-windows-10-version-1511-and-windows-server-2016-technical-preview-4-may-10-2016-aaff80d8-b207-2238-fc9c-bf13fea1c566 "Cumulative Update for Windows 10 Version 1511 and Windows Server 2016 Technical Preview 4: May 10, 2016 - Microsoft Support | support.microsoft.com" [3]: https://web.archive.org/web/20240503120718/https://support.microsoft.com/en-us/topic/support-for-tls-system-default-versions-included-in-the-net-framework-3-5-on-windows-8-1-and-windows-server-2012-r2-499ff5ef-a88a-128b-c639-ed038b7d2d5f "Support for TLS System Default Versions included in the .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2 - Microsoft Support | support.microsoft.com" [4]: https://web.archive.org/web/20240503121040/https://en.wikipedia.org/wiki/.NET ".NET - Wikipedia | en.wikipedia.org" [5]: https://web.archive.org/web/20240503103126/https://learn.microsoft.com/en-us/powershell/scripting/overview?view=powershell-7.4 "What is PowerShell? 
- PowerShell | Microsoft Learn | learn.microsoft.com" [6]: https://web.archive.org/web/20240503121100/https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client "How to enable Transport Layer Security (TLS) 1.2 on clients - Configuration Manager | Microsoft Learn | learn.microsoft.com" [7]: https://web.archive.org/web/20240503121004/https://learn.microsoft.com/en-us/security/engineering/solving-tls1-problem "Solving the TLS 1.0 Problem | Microsoft Learn | learn.microsoft.com" [8]: https://web.archive.org/web/20240503121004/https://learn.microsoft.com/en-us/answers/questions/717566/schusestrongcrypto-registry-value-does-windows-neg#answer-719469 "SchUseStrongCrypto registry value: does WIndows negotiation include older TLS versions? - Microsoft Q&A | learn.microsoft.com" call: function: SetDotNetRegistryKey parameters: valueName: SystemDefaultTlsVersions valueData: '1' - category: Disable insecure remote administration access docs: |- # refactor-with-variables: Same • Remote Connectivity Caution This category improves security by disabling insecure remote administration features. Organizations use remote administration tools to manage multiple systems from a central location, performing tasks such as software updates, system checks, and configuration changes. However, if not properly secured, unauthorized users could exploit these tools to access sensitive data or control systems. This category addresses such vulnerabilities by disabling outdated or insecure remote access methods, thus securing systems against potential cyber threats. While these measures maintain information confidentiality and integrity, they may restrict some remote management functionalities. > **Caution:** > This may lead to reduced functionality or connectivity issues, particularly in enterprise environments where remote > administration is necessary. 
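The TLS items above (DTLS 1.2, TLS 1.3 and the .NET `SystemDefaultTlsVersions` switch) change registry values through the collection's `EnableTLSProtocol` and `SetDotNetRegistryKey` functions, which are defined elsewhere in this file. The following PowerShell audit is an added example, not privacy.sexy code: it reads the live registry and reports what each switch currently says, so an administrator can confirm the result of running the scripts or spot drift later. It assumes the well-known Schannel layout (`...\SCHANNEL\Protocols\<Protocol>\<Client|Server>` with `Enabled` and `DisabledByDefault` DWORDs) and the four .NET Framework locations Microsoft documents for `SystemDefaultTlsVersions` and `SchUseStrongCrypto`; a missing key or value means the OS or runtime default applies.

```powershell
# Added example for this collection's TLS items; not privacy.sexy code, and it does not
# call the collection's EnableTLSProtocol or SetDotNetRegistryKey functions. Read-only.
#
# Assumed Schannel layout (well known, but not shown on this page):
#   HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\<Protocol>\<Client|Server>
#   REG_DWORD 'Enabled' (0 = switched off) and 'DisabledByDefault' (1 = not offered unless requested).
$schannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3', 'DTLS 1.0', 'DTLS 1.2'

function Get-SchannelProtocolState {
    param([string]$Protocol, [ValidateSet('Client', 'Server')][string]$Role)
    $key = "$schannelRoot\$Protocol\$Role"
    if (-not (Test-Path -LiteralPath $key)) { return 'OS default (key absent)' }
    $props = Get-ItemProperty -LiteralPath $key
    $enabled = $props.PSObject.Properties['Enabled']
    $disabledByDefault = $props.PSObject.Properties['DisabledByDefault']
    # Enabled=0 wins over everything else; DisabledByDefault only changes what is offered.
    if ($enabled -and $enabled.Value -eq 0) { return 'Disabled' }
    if ($disabledByDefault -and $disabledByDefault.Value -ne 0) { return 'Enabled, not offered by default' }
    if ($enabled) { return 'Enabled' }
    return 'OS default (values absent)'
}

$protocols | ForEach-Object {
    [pscustomobject]@{
        Protocol = $_
        Client   = Get-SchannelProtocolState -Protocol $_ -Role 'Client'
        Server   = Get-SchannelProtocolState -Protocol $_ -Role 'Server'
    }
} | Format-Table -AutoSize

# .NET Framework reads SystemDefaultTlsVersions (and SchUseStrongCrypto) from four keys:
# the v4 and v2 runtime keys, in both the native and the WOW6432Node (32-bit) hives.
$dotNetKeys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
              'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319',
              'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
              'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727'

$dotNetKeys | ForEach-Object {
    $props = if (Test-Path -LiteralPath $_) { Get-ItemProperty -LiteralPath $_ } else { $null }
    [pscustomobject]@{
        Key                      = $_
        SystemDefaultTlsVersions = if ($props -and $props.PSObject.Properties['SystemDefaultTlsVersions']) { $props.SystemDefaultTlsVersions } else { 'absent (runtime default)' }
        SchUseStrongCrypto       = if ($props -and $props.PSObject.Properties['SchUseStrongCrypto']) { $props.SchUseStrongCrypto } else { 'absent (runtime default)' }
    }
} | Format-Table -AutoSize
```

Run it from an elevated prompt before and after applying the scripts; the .NET table in particular shows whether all four locations were set, since a 32-bit application on a 64-bit system reads only the `WOW6432Node` keys.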
children: - name: Disable basic authentication in WinRM recommend: standard docs: |- # refactor-with-variables: Same • Remote Connectivity Caution This script configures the Windows Remote Management (WinRM) client to disable **basic authentication** [1] [2]. Basic authentication is an authentication scheme in which a user provides a username and password in plain text for verification [3]. Disabling it improves security by preventing the interception and misuse of plain text passwords [1]. The script achieves this by modifying the `HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client!AllowBasic` registry key [1] [2]. While WinRM clients do not use Basic authentication by default [2], this script ensures that this less secure method remains disabled. > **Caution:** > This may lead to reduced functionality or connectivity issues, particularly in enterprise environments where remote > administration is necessary. [1]: https://web.archive.org/web/20240510175428/https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63335 "The Windows Remote Management (WinRM) client must not use Basic authentication. 
| www.stigviewer.com" [2]: https://web.archive.org/web/20240510175528/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-remotemanagement#allowbasicauthentication_client "RemoteManagement Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240510223209/https://datatracker.ietf.org/doc/html/rfc7617 "RFC 7617 - The 'Basic' HTTP Authentication Scheme | datatracker.ietf.org" call: function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client valueName: AllowBasic dataType: REG_DWORD data: '0' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable unauthorized user account discovery (anonymous SAM enumeration) recommend: standard docs: |- # refactor-with-variables: Same • Remote Connectivity Caution This script increases your system's security by preventing unauthorized users from seeing account names in the Security Accounts Manager (SAM) [1] [2] [3] [4] [5] [6]. The Security Accounts Manager (SAM) is a database in Windows that stores user account information and is critical for user authentication processes. When account names are exposed, attackers might use them for guessing passwords or tricking people into revealing sensitive information [4] [6] [7] [8]. This is a security action recommended by organizations like the Department of Defense [1], NASA [2], IRS [8], NIST [6], CIS [4], and Microsoft [3]. The change is enacted through the `HKLM\SYSTEM\CurrentControlSet\Control\Lsa!RestrictAnonymousSAM` registry value [1] [2] [4] [5]. By default, it's enabled [4] and Windows restricts this setting if the registry value does not exist [3]. While the script protects against these threats, it may also affect compatibility with older systems. 
It prevents trust with Windows NT 4.0 domains [4] [5] [7] [9] and causes issues for older systems such as Windows NT 3.51 and Windows 95 when accessing server resources [4] [5] [7]. Typically, anonymous connections are requested by earlier versions of clients (down-level clients) during SMB session setup [7]. The script has no impact on domain controllers since their behavior in this aspect is controlled by different settings [5] [7]. The policy setting does not require a restart to become effective [5], and there is no impact on current systems where the default behavior already includes this restriction [4]. Despite the potential interoperability issues with older systems, the script maintains a security posture that is important in modern networks to minimize unauthorized access and protect user privacy. > **Caution:** > This may lead to reduced functionality or connectivity issues, particularly in enterprise environments where remote > administration is necessary. [1]: https://web.archive.org/web/20231105200434/https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63745 "Anonymous enumeration of SAM accounts must not be allowed. 
| www.stigviewer.com" [2]: https://web.archive.org/web/20231105200713/https://asapdata.arc.nasa.gov/share/Paul/CIS_Microsoft_Windows_Server_2016_RTM_Release_1607_Benchmark_v1.1.0.pdf "CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark | nasa.gov" [3]: https://web.archive.org/web/20231105200918/https://learn.microsoft.com/en-us/azure/governance/policy/samples/guest-configuration-baseline-windows#security-options---network-access "Reference - Azure Policy guest configuration baseline for Windows - Azure Policy | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20231105201133/https://community.mis.temple.edu/mis5170sec001sec701sp2018/files/2018/02/CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v2.2.1.pdf "CIS Microsoft Windows Server 2012 R2 Benchmark | temple.edu" [5]: https://web.archive.org/web/20231105201446/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj852230%28v=ws.11%29 "Network access: Do not allow anonymous enumeration of SAM accounts | Microsoft Learn | learn.microsoft.com" [6]: https://web.archive.org/web/20230927174843/https://csrc.nist.gov/CSRC/media/Projects/United-States-Government-Configuration-Baseline/data/documentation/USGCB-Windows-Settings.xls "USGCB Windows Settings | nist.gov" [7]: https://web.archive.org/web/20231105201346/https://support.microsoft.com/en-us/topic/client-service-and-program-issues-can-occur-if-you-change-security-settings-and-user-rights-assignments-0cb6901b-dcbf-d1a9-e9ea-f1b49a56d53a "Client, service, and program issues can occur if you change security settings and user rights assignments - Microsoft Support | support.microsoft.com" [8]: https://web.archive.org/web/20231105200853/https://www.irs.gov/pub/irs-utl/safeguards-scsem-win-server2016.xlsx "IRS Office of Safeguards SCSEM | irs.gov" [9]: 
https://web.archive.org/web/20231105201413/https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/trust-between-windows-ad-domain-not-work-correctly "Trust between a Windows NT domain and an Active Directory domain can't be established or it doesn't work as expected - Windows Server | Microsoft Learn | learn.microsoft.com" code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "RestrictAnonymousSAM" /t REG_DWORD /d 1 /f revertCode: |- :: Default value is `1` on modern Windows versions (Windows 10 since 22H2, Windows 11 since 22H2) reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "RestrictAnonymousSAM" /t REG_DWORD /d 1 /f - name: Disable anonymous access to named pipes and shares recommend: standard docs: |- # refactor-with-variables: Same • Remote Connectivity Caution This script restricts anonymous access to Named Pipes and Shares [1] [2]. It reduces security risks by preventing unauthorized access [1] [2]. *Named Pipes* allow programs on a computer or network to communicate with each other. *Anonymous access* lets users connect to services without a username or password, increasing the risk of unauthorized access. It configures the `HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters!RestrictNullSessAccess` registry setting [1] [2] to control null session access, which is a common exploit method via shared folders [2]. > **Caution:** > This may lead to reduced functionality or connectivity issues, particularly in enterprise environments where remote > administration is necessary. [1]: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63759 "Anonymous access to Named Pipes and Shares must be restricted. 
| www.stigviewer.com" [2]: https://web.archive.org/web/20240510180133/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares "Network access Restrict anonymous access to Named Pipes and Shares - Windows 10 | Microsoft Learn | learn.microsoft.com" code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v "RestrictNullSessAccess" /t REG_DWORD /d 1 /f revertCode: |- :: Default value is `1` on modern Windows versions (Windows 10 since 22H2, Windows 11 since 23H2) reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v "RestrictNullSessAccess" /t REG_DWORD /d 1 /f - name: Disable hidden remote file access via administrative shares (breaks remote system management software) recommend: strict docs: |- # refactor-with-variables: Same • Remote Connectivity Caution This script improves your privacy and security by disabling Windows administrative shares, which are typically used for remote access to your computer's file system. Windows automatically creates hidden administrative shares, such as `C$` and `D$`, that allow system administrators remote access to every disk volume on your computer [1] [2]. These shares are often targeted as potential attack vectors [3]. Disabling administrative shares is generally a good practice for enhancing security. It is recommended by various security standards and compliance frameworks, including some government standards [3], PCI-DSS [4], and CIS [2]. It reduces the system's vulnerability to unauthorized remote access. These shares are often used for system administrators to perform tasks like software installation and vulnerability scanning remotely [1]. Disabling them may limit remote management capabilities. This might require setting up network shares manually for specific folders or drives, which is more secure but requires additional effort. 
Some software, such as Microsoft Systems Management Server (SMS) [2], Microsoft Operations Manager [2], Microsoft PsTools [5], and certain third-party network backup applications [2], relies on administrative shares. Therefore, disabling these shares could disrupt their functionality. > **Caution:** > This may lead to reduced functionality or connectivity issues, particularly in enterprise environments where remote > administration is necessary. [1]: https://web.archive.org/web/20230831114315/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/remove-administrative-shares "Remove administrative shares - Windows Server | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20231206152703/http://www.itref.ir/uploads/editor/1edad0.pdf "CIS Microsoft Windows 8 Benchmark | itref.ir" [3]: https://web.archive.org/web/20230831124304/https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Downloads/Business-Partner-System-Security-Manual-BPSSM.pdf "CMS Manual System | Pub 100-17 Medicare Business Partners | Department of Health & Human Services (DHHS) & Centers for Medicare & Medicaid Services (CMS) | cms.gov" [4]: https://web.archive.org/web/20230831124324/https://www.unifiedcompliance.com/products/search-authority-documents/authority-document/1071/ "Payment Card Organizations > PCI Security Standards Council | Unified Compliance | www.unifiedcompliance.com" [5]: https://web.archive.org/web/20240510180222/https://github.com/undergroundwires/privacy.sexy/issues/249 "Disabling administrative shares breaks PsTools | undergroundwires/privacy.sexy | github.com" call: function: SetRegistryValue parameters: keyPath: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters valueName: AutoShareWks dataType: REG_DWORD data: '0' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable anonymous enumeration of shares recommend: 
standard docs: |- # refactor-with-variables: Same • Remote Connectivity Caution This script disables the anonymous enumeration of shares to prevent unauthorized users from listing account names and shared resources, which could serve as a roadmap for attackers [1]. It configures the `HKLM\SYSTEM\CurrentControlSet\Control\LSA!RestrictAnonymous` registry key to ensure that such enumeration is blocked, improving system security against potential breaches [1]. > **Caution:** > This may lead to reduced functionality or connectivity issues, particularly in enterprise environments where remote > administration is necessary. [1]: https://web.archive.org/web/20240510180528/https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63749 "Anonymous enumeration of shares must be restricted. | www.stigviewer.com" code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\LSA" /v "RestrictAnonymous" /t REG_DWORD /d "1" /f revertCode: |- :: 0 by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) reg add "HKLM\SYSTEM\CurrentControlSet\Control\LSA" /v "RestrictAnonymous" /t REG_DWORD /d "0" /f - name: Disable "Telnet Client" feature recommend: standard # Already disabled by default in Windows docs: |- # refactor-with-variables: Same • Remote Connectivity Caution This script disables the **Telnet Client** feature in Windows. The Telnet Client enables remote server connections [1]. It is inherently insecure because it transmits all data, including sensitive credentials, in clear text without encryption [2] [3]. This lack of encryption makes it vulnerable to interception and misuse [3]. Due to these security flaws, entities such as NIST [2], the Department of Defense [2], and Microsoft [1] recommend removing or disabling this feature. Although this feature is disabled by default in newer versions of Windows [1], ensuring that it remains disabled can prevent accidental or unauthorized use. 
> **Caution:** > This may lead to reduced functionality or connectivity issues, particularly in enterprise environments where remote > administration is necessary. ### Overview of default feature statuses | | | | ---- | --- | | **Feature name** | `TelnetClient` | | **Display name** | Telnet Client | | **Description** | Allows you to connect to other computers remotely. | | **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled | | **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled | [1]: https://web.archive.org/web/20231207105605/https://social.technet.microsoft.com/wiki/contents/articles/38433.windows-10-enabling-telnet-client.aspx "Windows 10: Enabling Telnet Client - TechNet Articles - United States (English) - TechNet Wiki | social.technet.microsoft.com" [2]: https://web.archive.org/web/20240413140012/https://www.stigviewer.com/stig/microsoft_windows_10/2023-09-29/finding/V-220721 "The Telnet Client must not be installed on the system. | stigviewer.com" [3]: https://web.archive.org/web/20240413140230/https://it.mst.edu/policies/secure-telnet/ "Secure Telnet – Information Technology | Missouri S&T | it.mst.edu" call: function: DisableWindowsFeature parameters: featureName: TelnetClient # Get-WindowsOptionalFeature -FeatureName 'TelnetClient' -Online disabledByDefault: 'true' - name: Remove "RAS Connection Manager Administration Kit (CMAK)" capability docs: |- # refactor-with-variables: Same • Remote Connectivity Caution This script removes the "RAS Connection Manager Administration Kit (CMAK)" (`RasCMAK.Client` [1]) capability. CMAK is a tool that allows the creation of profiles for connecting to remote servers and networks [1]. Though useful for remote connections, this capability might be unnecessary for many users. Removing it can simplify the system's network configuration and enhance security by reducing potential attack vectors. This capability is not included in the standard installation of Windows [1]. 
> **Caution:** > This may lead to reduced functionality or connectivity issues, particularly in enterprise environments where remote > administration is necessary. [1]: https://web.archive.org/web/20240411120309/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod?view=windows-11#networking-tools "Available features on demand | Microsoft Learn | learn.microsoft.com" call: function: UninstallCapability parameters: capabilityName: RasCMAK.Client - name: Disable Windows Remote Assistance feature recommend: standard docs: |- This script disables the Windows Remote Assistance feature to improve your system's privacy and security. Windows Remote Assistance allows a third party to remotely access your PC [1]. This capability, known as *Solicited Remote Assistance* [2], enables another user to view or take control of your computer [2] [3] [4] [5]. Disabling Remote Assistance improves security by: - Preventing others from remotely viewing or controlling your computer [2]. - Reducing the risk of exploitation from RDP-related vulnerabilities [5]. - Reducing the attack surface by eliminating unnecessary remote access functionalities. The script modifies the following settings to achieve this: - It configures `fAllowToGetHelp` to block users from requesting remote assistance [3]. - It configures `fAllowFullControl` to prevent remote users from gaining full control of the system [4]. These changes are applied via: - The application setting in the Windows registry at `HKLM\System\CurrentControlSet\Control\Remote Assistance` [6]. - The Group Policy setting at `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services` [2]. > **Caution:** > This may lead to reduced functionality or connectivity issues, particularly in enterprise environments where remote > administration is necessary. 
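The remote-administration items above each pin one registry value (`AllowBasic`, `RestrictAnonymousSAM`, `RestrictNullSessAccess`, `AutoShareWks`, `RestrictAnonymous`, `fAllowToGetHelp`, `fAllowFullControl`). The following PowerShell drift check is an added example, not privacy.sexy code: it compares those documented values with the live registry and exits non-zero when anything deviates, which is the shape a monitoring or CI job wants. The expected values and paths are the ones stated in the items; an absent value is reported as drift because the hardened state is not explicitly pinned, even where the items note that the OS default already restricts the behaviour.

```powershell
# Added example (not privacy.sexy code): compare the hardening values documented in the
# remote-administration items with the live registry and report drift. Read-only.
# Paths and expected values are taken from the items above; AutoShareWks applies to
# workstation SKUs (server SKUs use AutoShareServer, which the items do not cover).
$baseline = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client';           Name = 'AllowBasic';             Expected = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                       Name = 'RestrictAnonymousSAM';   Expected = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                       Name = 'RestrictAnonymous';      Expected = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';  Name = 'RestrictNullSessAccess'; Expected = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';  Name = 'AutoShareWks';           Expected = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance';         Name = 'fAllowToGetHelp';        Expected = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance';         Name = 'fAllowFullControl';      Expected = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';   Name = 'fAllowToGetHelp';        Expected = 0 }
)

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # $null means "key or value absent"; the caller decides how to treat that.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$report = foreach ($entry in $baseline) {
    $actual = Get-RegistryDword -Path $entry.Path -Name $entry.Name
    [pscustomobject]@{
        Setting  = "$($entry.Path)!$($entry.Name)"
        Expected = $entry.Expected
        Actual   = if ($null -eq $actual) { 'absent' } else { $actual }
        # Absent is reported as DRIFT: the hardened value is not explicitly pinned.
        Status   = if ($actual -eq $entry.Expected) { 'OK' } else { 'DRIFT' }
    }
}

$report | Format-Table -AutoSize
# Non-zero exit lets a scheduled task or CI step fail on drift without parsing output.
if ($report | Where-Object Status -eq 'DRIFT') { exit 1 }
```

The `Setting` column uses the same `key!value` notation the items use, so a drift line can be matched back to the script that sets it.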
[1]: https://web.archive.org/web/20240510233757/https://support.microsoft.com/en-us/windows/solve-pc-problems-remotely-with-remote-assistance-and-easy-connect-cf384ff4-6269-d86e-bcfe-92d72ed55922 "Solve PC problems remotely with Remote Assistance and Easy Connect - Microsoft Support | support.microsoft.com" [2]: https://web.archive.org/web/20240510233343/https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63651 "Solicited Remote Assistance must not be allowed. | www.stigviewer.com" [3]: https://web.archive.org/web/20240510233528/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp "fAllowToGetHelp | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240510233541/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowfullcontrol "fAllowFullControl | Microsoft Learn | learn.microsoft.com" [5]: https://web.archive.org/web/20240510233611/https://learn.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-053 "Microsoft Security Bulletin MS12-053 - Critical | Microsoft Learn | learn.microsoft.com" [6]: https://web.archive.org/web/20240510233842/https://support.microsoft.com/en-us/topic/an-update-to-disable-the-chat-feature-in-remote-assistance-msra-exe-is-available-for-windows-7-sp1-and-windows-server-2008-r2-sp1-a29674bc-ea7b-d5ab-1314-95cd3b93fcb3 "An update to disable the Chat feature in Remote Assistance (MSRA.exe) is available for Windows 7 SP1 and Windows Server 2008 R2 SP1 - Microsoft Support | support.microsoft.com" call: - function: RunInlineCode parameters: code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowFullControl" /t REG_DWORD /d 0 /f revertCode: |- :: 1 by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) reg 
add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowFullControl" /t REG_DWORD /d 1 /f - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services valueName: fAllowToGetHelp # The policy-side "Solicited Remote Assistance" value [2]; the docs above name this value, not AllowBasic dataType: REG_DWORD data: '0' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable non-essential network components docs: |- This category focuses on disabling or removing specific networking features. These are generally considered unnecessary or less secure for most users. Disabling these features contributes to a more secure and privacy-focused environment by eliminating potential vulnerabilities and reducing the system's attack surface. These features may utilize outdated protocols or lack robust encryption and authentication methods, making them vulnerable to cyberattacks. If these features are not essential for your daily operations, it is advisable to disable them to enhance your system's security. The scripts target specific networking tools and protocols, ideal for users who don't need these features, thus streamlining the system and potentially improving performance. > **Caution:** Disabling a networking component may cause connectivity issues if required for specific operations. children: - name: Disable "Net.TCP Port Sharing" feature recommend: strict docs: |- # refactor-with-variables: Same • Generic Connectivity Caution This script disables the "Net.TCP Port Sharing" feature. This feature is part of Windows Communication Foundation (WCF) [1]. It enables multiple WCF applications to share the same TCP port [1]. It manages incoming connections and routes them to the appropriate application based on the destination address found in the message stream [1]. 
This increases the system's attack surface [2]: - When applications share the same port, more applications are exposed to network traffic. - It runs under a system account with high permissions, making the system vulnerable to extensive access by attackers if compromised [2]. - Poor application configuration can increase the risk of serious damage if an application is compromised [1]. - The security of the system depends significantly on how well each individual application handles security. It's disabled by default on Windows due to security concerns [1]. > **Caution:** Disabling a networking component may cause connectivity issues if required for specific operations. ### Overview of default feature statuses | | | | ---- | --- | | **Feature name** | `WCF-TCP-PortSharing45` | | **Display name** | TCP Port Sharing | | **Description** | TCP Port Sharing | | **Default** (Windows 11 ≥ 23H2) | 🟢 Enabled | | **Default** (Windows 10 ≥ 22H2) | 🟢 Enabled | [1]: https://web.archive.org/web/20240314102452/https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/net-tcp-port-sharing "Net.TCP Port Sharing - WCF | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240413140234/https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2015-03-09/finding/V-3487 "Services will be documented and unnecessary services will not be installed or will be disabled. | stigviewer.com" call: function: DisableWindowsFeature parameters: featureName: WCF-TCP-PortSharing45 # Get-WindowsOptionalFeature -FeatureName 'WCF-TCP-PortSharing45' -Online - name: Disable "SMB Direct" feature recommend: strict docs: |- # refactor-with-variables: Same • Generic Connectivity Caution This script disables the "SMB Direct" feature. SMB Direct improves file transfer speeds across networks by utilizing network adapters that are Remote Direct Memory Access (RDMA) capable [1]. 
Although not inherently insecure [2], maintaining unnecessary software can increase the attack surface, especially if the underlying RDMA hardware has vulnerabilities. > **Caution:** Disabling a networking component may cause connectivity issues if required for specific operations. ### Overview of default feature statuses | | | | ---- | --- | | **Feature name** | `SMB Direct` | | **Display name** | SMB Direct | | **Description** | Remote Direct Memory Access (RDMA) support for the SMB 3.x file sharing protocol | | **Default** (Windows 11 ≥ 23H2) | 🟢 Enabled | | **Default** (Windows 10 ≥ 22H2) | 🟢 Enabled | [1]: https://web.archive.org/web/20240314102437/https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-direct?tabs=disable "Improve performance of a file server with SMB Direct | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240413124106/https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858 "Stop using SMB1 - Microsoft Community Hub | techcommunity.microsoft.com" call: function: DisableWindowsFeature parameters: featureName: SmbDirect # Get-WindowsOptionalFeature -FeatureName 'SmbDirect' -Online - name: Disable "TFTP Client" feature recommend: standard # Disabled by default docs: |- # refactor-with-variables: Same • Generic Connectivity Caution This script disables the "TFTP Client" feature. The TFTP Client supports file transfers using the *Trivial File Transfer Protocol (TFTP)*. The TFTP protocol is insecure because it lacks authentication and encryption capabilities [1] [2] [3]. This makes data transferred via TFTP vulnerable to eavesdropping and tampering [2] [3]. Although TFTP's simplicity can be advantageous in certain contexts, such as configuring network devices, its security risks generally outweigh these benefits. Disabling it helps mitigate the risk of unauthorized data access and simplifies system security management [1] [2]. 
> **Caution:** Disabling a networking component may cause connectivity issues if required for specific operations. ### Overview of default feature statuses | | | | ---- | --- | | **Feature name** | `TFTP` | | **Display name** | TFTP Client | | **Description** | Transfer files using the Trivial File Transfer Protocol | | **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled | | **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled | [1]: https://web.archive.org/web/20240413142327/https://www.stigviewer.com/stig/windows_server_2016/2018-03-07/finding/V-73297 "The TFTP Client must not be installed. | www.stigviewer.com" [2]: https://web.archive.org/web/20240413142325/https://www.tenable.com/audits/items/Juniper_Hardening_Junos_Devices.audit:0343769f1ea790c8345e961c9a442ec6 "Access Security - Disable insecure or unnecessary access servi... | Tenable® | www.tenable.com" [3]: https://archive.ph/2024.04.13-142535/https://www.infosecinstitute.com/resources/incident-response-resources/network-traffic-analysis-for-ir-tftp-with-wireshark/ "Network traffic analysis for IR: TFTP with Wireshark | Infosec | www.infosecinstitute.com" call: function: DisableWindowsFeature parameters: featureName: TFTP # Get-WindowsOptionalFeature -FeatureName 'TFTP' -Online disabledByDefault: 'true' - name: Remove "RIP Listener" capability docs: |- # refactor-with-variables: *Caution** This script removes the "RIP Listener" (`RIP.Listener` [1]) capability. The RIP Listener listens for route updates from routers using the Routing Information Protocol version 1 (RIPV1) [1]. RIPV1 is an older protocol that might be redundant in modern networks, despite its specific utilities. Removing this feature can contribute to a more secure system by eliminating unnecessary network listening capabilities. This capability is not included in the standard installation of Windows [1]. > **Caution:** Disabling a networking component may cause connectivity issues if required for specific operations. 
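The items in this category turn off optional features (`DisableWindowsFeature`) and remove capabilities (`UninstallCapability`); the inline comments already show `Get-WindowsOptionalFeature -FeatureName ... -Online` as the way to read a feature's state. The following PowerShell report is an added example, not privacy.sexy code: it lists the current state of every feature and capability named in this category in one table, using the built-in DISM cmdlets, so the result of running the scripts can be confirmed on a given SKU. It assumes capability identities carry a version suffix (for example `RIP.Listener~~~~0.0.1.0`), which is why it matches on the name prefix.

```powershell
# Added example (not privacy.sexy code): report the install state of the optional features
# and capabilities named in this category. Run from an elevated prompt; the cmdlets come
# from the built-in DISM module and are read-only here.
$features     = 'TelnetClient', 'WCF-TCP-PortSharing45', 'SmbDirect', 'TFTP'
$capabilities = 'RasCMAK.Client', 'RIP.Listener', 'SNMP.Client', 'WMI-SNMP-Provider.Client'

$featureReport = foreach ($name in $features) {
    # States seen for features: Enabled, Disabled, DisabledWithPayloadRemoved.
    $f = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Kind  = 'Feature'
        Name  = $name
        State = if ($null -eq $f) { 'not found on this SKU' } else { [string]$f.State }
    }
}

$capabilityReport = foreach ($name in $capabilities) {
    # Capability identities are versioned ('<Name>~~~~<version>'), so match on the prefix.
    # States seen for capabilities: Installed, NotPresent.
    $c = Get-WindowsCapability -Online -Name "$name*" -ErrorAction SilentlyContinue | Select-Object -First 1
    [pscustomobject]@{
        Kind  = 'Capability'
        Name  = $name
        State = if ($null -eq $c) { 'not found on this SKU' } else { [string]$c.State }
    }
}

$all = @($featureReport) + @($capabilityReport)
$all | Format-Table -AutoSize

# Anything still Enabled or Installed after the scripts ran is worth a second look.
$leftOver = @($all | Where-Object { $_.State -in 'Enabled', 'Installed' })
if ($leftOver.Count -gt 0) {
    Write-Warning ("Still present: " + (($leftOver | ForEach-Object { $_.Name }) -join ', '))
}
```

"Not found on this SKU" is not a failure: capability names differ between editions, and a capability that was never installed simply reports `NotPresent`.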
[1]: https://web.archive.org/web/20240411120309/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod?view=windows-11#networking-tools "Available features on demand | Microsoft Learn | learn.microsoft.com" call: function: UninstallCapability parameters: capabilityName: RIP.Listener - name: Remove "Simple Network Management Protocol (SNMP)" capability docs: |- # refactor-with-variables: Same • Generic Connectivity Caution This script removes the "Simple Network Management Protocol (SNMP)" (`SNMP.Client` [1]) capability. SNMP is used for monitoring and managing network devices [1]. While it provides valuable information for network administration, it is not essential for most users, and the Windows SNMP service it installs listens on UDP port 161. As an SNMPv1/v2c agent it authenticates requests only with a community string sent in cleartext, so a weak or default community string discloses system and network details to anyone who can reach the port. This capability is not included in the standard installation of Windows [1]. > **Caution:** Disabling a networking component may cause connectivity issues if required for specific operations. [1]: https://web.archive.org/web/20240411120309/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod?view=windows-11#networking-tools "Available features on demand | Microsoft Learn | learn.microsoft.com" call: function: UninstallCapability parameters: capabilityName: SNMP.Client - name: Remove "SNMP WMI Provider" capability docs: |- # refactor-with-variables: Same • Generic Connectivity Caution This script removes the "SNMP WMI Provider" (`WMI-SNMP-Provider.Client` [1]) capability. This feature enables Windows Management Instrumentation (WMI) clients to access SNMP information [1]. SNMP is used for monitoring and managing network devices [1]. Because its only purpose is to expose SNMP data through WMI, this capability is unnecessary for anyone who does not need SNMP monitoring.
Removing this capability can simplify the system's management interfaces and improve its security posture by limiting the ways in which network information is accessed and exposed. This capability is not included in the standard installation of Windows [1]. > **Caution:** Disabling a networking component may cause connectivity issues if required for specific operations. [1]: https://web.archive.org/web/20240411120309/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod?view=windows-11#networking-tools "Available features on demand | Microsoft Learn | learn.microsoft.com" call: function: UninstallCapability parameters: capabilityName: WMI-SNMP-Provider.Client - category: Disable clipboard data collection docs: |- This category includes scripts that focus on disabling various aspects of clipboard data collection in Windows. The clipboard is a critical component of the operating system, often containing sensitive data such as usernames, passwords, and other personal information [1]. However, features such as clipboard history and device synchronization can significantly increase privacy and security risks. By default, Windows tends to store clipboard data in an unencrypted format [2], making it easily accessible to malicious applications or scripts. Additionally, data synchronization features can lead to sensitive information being stored on remote servers or shared across devices, increasing the risk of data exposure. The scripts in this category address these risks by disabling the related features. While these features offer convenience and productivity benefits, they can inadvertently compromise user privacy and security. > **Caution**: Applying these scripts may lead to a loss of certain functionalities. Users who rely on these features for their daily tasks should > consider the trade-offs before proceeding with these changes.
[1]: https://web.archive.org/web/20240119160347/https://github.com/undergroundwires/privacy.sexy/issues/247 "Disable Clipboard History · Issue #247 · undergroundwires/privacy.sexy · GitHub | github.com" [2]: https://web.archive.org/web/20240119151846/https://ghostvolt.com/blog/Is-the-Windows-Clipboard-Function-History-or-Sync-Secure.html "Is the Windows Clipboard Function, History or Sync Secure | ghostvolt.com" children: - name: Disable Cloud Clipboard (breaks clipboard sync) recommend: strict docs: |- This script disables the Cloud Clipboard feature [1], also known as the cross-device clipboard [2]. The Cloud Clipboard, introduced in the Windows 10 October 2018 Update [3], synchronizes clipboard contents across Windows devices [1] [2] [4]. While this feature enhances usability, it can pose a privacy risk as sensitive information like passwords or credit card details [5] might be inadvertently synchronized and stored on Microsoft servers. Disabling Cloud Clipboard is recommended in secure environments where clipboard data should remain local to the system, avoiding potential exposure or misuse of sensitive information [6]. The Center for Internet Security (CIS) recommends disabling this feature in such settings for enhanced security [6]. Moreover, Microsoft acknowledges that disabling network connections linked to the Cloud Clipboard can improve privacy [1]. This script keeps clipboard contents on the local machine, so they are never uploaded to, or retrievable from, Microsoft's servers; it does not stop other processes on the same machine from reading the clipboard. The script configures the following registry keys: - `HKLM\SOFTWARE\Policies\Microsoft\Windows\System!AllowCrossDeviceClipboard`: Disables the Cloud Clipboard feature, preventing clipboard synchronization across devices [1] [2] [6]. - `HKCU\SOFTWARE\Microsoft\Clipboard!CloudClipboardAutomaticUpload`: Stops the automatic upload of clipboard data to the cloud [7].
> **Caution**: After running this script, clipboard contents will not synchronize across devices [1] [2] [6]. > Text or images copied on one device will not be accessible on other devices [3] [4] [5]. > This enhances privacy and security but limits the clipboard's functionality across your Windows devices. [1]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#30-cloud-clipboard "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn" [2]: https://web.archive.org/web/20240119150031/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#allowcrossdeviceclipboard "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20210619004804/https://community.windows.com/en-us/stories/cloud-clipboard-windows-10 "Copy and paste across Windows 10 devices using cloud clipboard | Windows Community | community.windows.com" [4]: https://web.archive.org/web/20240119150040/https://support.microsoft.com/en-us/windows/clipboard-in-windows-c436501e-985d-1c8d-97ea-fe46ddf338c6 "Clipboard in Windows - Microsoft Support | support.microsoft.com" [5]: https://web.archive.org/web/20240119160347/https://github.com/undergroundwires/privacy.sexy/issues/247 "Disable Clipboard History · Issue #247 · undergroundwires/privacy.sexy · GitHub | github.com" [6]: https://web.archive.org/web/20240119145854/https://www.tenable.com/audits/items/CIS_MS_InTune_for_Windows_11_Level_2_BitLocker_v1.0.0.audit:19bea796bd6a86f37028214bbed97ffd "18.8.31.1 Ensure 'Allow Clipboard synchronization across devic... 
| Tenable® | www.tenable.com" [7]: https://web.archive.org/web/20240119145950/https://www.elevenforum.com/t/enable-or-disable-clipboard-sync-across-devices-in-windows-11.976/ "Enable or Disable Clipboard Sync Across Devices in Windows 11 Tutorial | Windows 11 Forum | elevenforum.com" call: - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\System valueName: AllowCrossDeviceClipboard dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKCU\Software\Microsoft\Clipboard valueName: CloudClipboardAutomaticUpload dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable clipboard history recommend: standard docs: |- This script deactivates the clipboard history feature in Windows, a feature that Windows allows by default [1] [2]. Users regularly copy sensitive data such as usernames and passwords to the clipboard, so the stored history is valuable to an attacker who already has code running on the machine: tools such as SharpClipHistory [8] exist to dump it during post-exploitation, for example to harvest credentials for lateral movement. Microsoft introduced clipboard history in the Windows 10 October 2018 Update [1], offering enhanced functionality, including multi-device sync and customizable history management [1]. Despite these benefits, clipboard history poses several security risks: - **Plain Text Storage**: Clipboard data is stored unencrypted, making it vulnerable to access by malicious applications [3]. - **Persistent Memory**: The data remains in memory until overwritten or the machine restarts, exposing it to unauthorized access by other users or malware [3]. - **Process Accessibility**: Most running processes and applications can access clipboard data, increasing the risk if any are malicious [3].
- **Open Network Threats**: Malicious website scripts could potentially access clipboard data, leading to data theft [3]. - **Windows Clipboard History**: Stores the last 25 copied text and image items, which could include sensitive information [3]. - **Increased Attack Surface**: Clipboard history is susceptible to exploitation by malware that silently accesses and logs clipboard data [3]. Microsoft's privacy statement also indicates that clipboard data could be used for marketing and advertising purposes [4]. Given these risks, especially when handling sensitive data like passwords or credit card numbers [5], it is advisable for users concerned about security to disable clipboard history to safeguard their privacy. This script modifies Windows Registry keys to turn off clipboard history and sync features: - `HKCU\Software\Microsoft\Clipboard!EnableClipboardHistory`: Disables the local clipboard history for the current user [6] [7] [8]. - `HKLM\SOFTWARE\Policies\Microsoft\Windows\System!AllowClipboardHistory`: Disables the policy for storing clipboard contents [2] [9]. 
[1]: https://web.archive.org/web/20210619004804/https://community.windows.com/en-us/stories/cloud-clipboard-windows-10 "Copy and paste across Windows 10 devices using cloud clipboard | Windows Community | community.windows.com" [2]: https://web.archive.org/web/20240119153212/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#allowclipboardhistory "Experience Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240119151846/https://ghostvolt.com/blog/Is-the-Windows-Clipboard-Function-History-or-Sync-Secure.html "Is the Windows Clipboard Function, History or Sync Secure | ghostvolt.com" [4]: https://web.archive.org/web/20231006103250/https://privacy.microsoft.com/en-US/privacystatement "Microsoft Privacy Statement – Microsoft privacy | privacy.microsoft.com" [5]: https://web.archive.org/web/20240119160347/https://github.com/undergroundwires/privacy.sexy/issues/247 "Disable Clipboard History · Issue #247 · undergroundwires/privacy.sexy · GitHub | github.com" [6]: https://web.archive.org/web/20240119153118/https://www.elevenforum.com/t/enable-or-disable-clipboard-history-in-windows-11.973/ "Enable or Disable Clipboard History in Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com" [7]: https://web.archive.org/web/20240119153113/https://itechbrand.com/how-to-enable-and-use-clipboard-history-on-windows-10/ "How to: Enable and Use Clipboard History on Windows 10 | ITechBrand | itechbrand.com" [8]: https://web.archive.org/web/20240119153250/https://labs.withsecure.com/tools/sharpcliphistory "SharpClipHistory | WithSecure™ Labs | labs.withsecure.com" [9]: https://web.archive.org/web/20240119153231/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.OSPolicy::AllowClipboardHistory "Allow Clipboard History | admx.help" call: - function: SetRegistryValue parameters: keyPath: HKCU\Software\Microsoft\Clipboard valueName: EnableClipboardHistory dataType: 
REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\System valueName: AllowClipboardHistory dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable background clipboard data collection (`cbdhsvc`) (breaks clipboard history and sync) recommend: strict docs: |- This script disables `cbdhsvc`, also known as the "Clipboard User Service" [1]. This service is responsible for clipboard history and synchronization across devices [1]. Microsoft acknowledges that disabling this service does not adversely affect the system's core functionality [2]. Disabling this service enhances your security by reducing your system's attack surface: the service has had vulnerabilities of its own, such as the elevation of privilege flaw tracked as CVE-2022-21869 [3]. Turning off `cbdhsvc` also helps improve system performance by reducing the number of background processes, as `cbdhsvc` runs automatically in the background [1]. Additionally, it enhances privacy by preventing the storage and sharing of clipboard history with Microsoft servers. Clipboard data often contains sensitive information, including passwords and credit card numbers [4]. > **Caution**: Disabling this service will remove the functionalities for clipboard history and synchronization across devices. > If you depend on these features, you should weigh the benefits against the loss of these functionalities.
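The three scripts in this category write to two registry hives and a service, and the effective result depends on precedence: a machine policy value of `0` wins over the user's own toggle, and cross-device sync is only possible when history is on. The PowerShell function below is an added example, not part of privacy.sexy, that reads all of these and reports the effective state for the current user. It assumes (as the `deleteOnRevert` comments above indicate) that an absent value is the default, that an absent `EnableClipboardHistory` means history is off, and that `Start` values of 2, 3 and 4 mean Automatic, Manual and Disabled.

```powershell
# Added example, not part of privacy.sexy: effective clipboard history / cloud
# sync state for the current user, combining machine policy, user preference
# and the per-user cbdhsvc service.

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # $null when the key or value does not exist (the state on a fresh install).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-ClipboardPrivacyState {
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $user   = 'HKCU:\Software\Microsoft\Clipboard'
    $historyPolicy = Get-RegistryDword $policy 'AllowClipboardHistory'
    $historyPref   = Get-RegistryDword $user   'EnableClipboardHistory'
    $syncPolicy    = Get-RegistryDword $policy 'AllowCrossDeviceClipboard'
    $syncPref      = Get-RegistryDword $user   'CloudClipboardAutomaticUpload'

    # Assumption: policy 0 overrides the user toggle; an absent toggle means off.
    if     ($historyPolicy -eq 0) { $history = 'Disabled by policy' }
    elseif ($historyPref   -eq 1) { $history = 'On (user setting)' }
    else                          { $history = 'Off' }

    # Cross-device sync requires history; the policy disables it outright.
    if     ($syncPolicy -eq 0)              { $sync = 'Disabled by policy' }
    elseif ($history -ne 'On (user setting)') { $sync = 'Unavailable (history off)' }
    elseif ($syncPref -eq 1)                { $sync = 'Automatic upload' }
    else                                    { $sync = 'Not automatic' }

    # Start: 2 = Automatic, 3 = Manual, 4 = Disabled. The template service
    # cbdhsvc spawns a per-user instance named cbdhsvc_<hex> per logon session.
    $startNames = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
    $template   = Get-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Services\cbdhsvc' 'Start'
    if ($null -ne $template -and $startNames.ContainsKey($template)) { $templateName = $startNames[$template] }
    else { $templateName = "Unknown ($template)" }
    $instances = @(Get-Service -Name 'cbdhsvc_*' -ErrorAction SilentlyContinue |
                   ForEach-Object { "$($_.Name)=$($_.Status)" })

    [pscustomobject]@{
        ClipboardHistory = $history
        CloudSync        = $sync
        HistoryPolicy    = $historyPolicy
        HistoryUserPref  = $historyPref
        SyncPolicy       = $syncPolicy
        SyncUserPref     = $syncPref
        ServiceTemplate  = $templateName
        ServiceInstances = ($instances -join ', ')
    }
}

Get-ClipboardPrivacyState | Format-List
```

After the three scripts above have run (with a sign-out and sign-in so the per-user service instance is recreated from the template), the expected output is `ClipboardHistory` and `CloudSync` both `Disabled by policy` and `ServiceTemplate` `Disabled` with no running instance; a lingering `cbdhsvc_*` instance in `Running` state means the old session's instance is still alive.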
[1]: https://web.archive.org/web/20240119153912/https://learn.microsoft.com/en-us/windows/application-management/per-user-services-in-windows "Per-user services - Windows Application Management | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20230905120815/https://learn.microsoft.com/en-us/windows/iot/iot-enterprise/optimize/services#per-user-services "Guidance on disabling system services on Windows IoT Enterprise | Microsoft Learn" [3]: https://archive.ph/2024.01.19-154717/https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21869 "CVE-2022-21869 - Security Update Guide - Microsoft - Clipboard User Service Elevation of Privilege Vulnerability | msrc.microsoft.com" [4]: https://web.archive.org/web/20240119160347/https://github.com/undergroundwires/privacy.sexy/issues/247 "Disable Clipboard History · Issue #247 · undergroundwires/privacy.sexy · GitHub | github.com" call: function: DisablePerUserService parameters: # Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\cbdhsvc").Start # Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\cbdhsvc_*").Start serviceName: cbdhsvc defaultStartupMode: Automatic - category: Enable protection against Meltdown and Spectre docs: https://support.microsoft.com/en-us/topic/kb4072698-windows-server-and-azure-stack-hci-guidance-to-protect-against-silicon-based-microarchitectural-and-speculative-execution-side-channel-vulnerabilities-2f965763-00e2-8f98-b632-0d96f30c8c8e children: - name: Mitigate Spectre Variant 2 and Meltdown in host operating system code: |-
:: Values per KB4072698; a restart is required before they take effect.
:: Verify afterwards with the SpeculationControl PowerShell module (Get-SpeculationControlSettings).
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d 3 /f
:: Read the CPU vendor from the registry rather than wmic, which is deprecated and not present on newer Windows 11 installations.
:: Intel: enable mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown).
reg query "HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v VendorIdentifier | findstr /C:"GenuineIntel" >nul && (
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d 0 /f
)
:: AMD: enable mitigations for CVE-2017-5715 (Spectre Variant 2); Meltdown does not apply to AMD processors.
reg query "HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v VendorIdentifier | findstr /C:"AuthenticAMD" >nul && (
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d 64 /f
)
revertCode: |-
:: Both values are absent by default on Windows 10/11 client editions, where these mitigations are enabled by default, so removing them restores the default state.
:: (Setting FeatureSettingsOverride to 3 with mask 3 would instead turn both mitigations off, which is weaker than the default.)
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /f 2>nul
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /f 2>nul
- name: Mitigate Spectre Variant 2 and Meltdown in Hyper-V call: function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization valueName: MinVmVersionForCpuBasedMitigations dataType: REG_SZ data: "1.0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Enable Data Execution Prevention (DEP) call: - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer valueName: NoDataExecutionPrevention dataType: REG_DWORD data: '0' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\System valueName: DisableHHDEP dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable AutoPlay and AutoRun recommend: standard docs: - https://en.wikipedia.org/wiki/AutoRun - https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63667 - https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63671 - https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63673 call: - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer valueName: NoDriveTypeAutoRun dataType: REG_DWORD data: "255" # 255 (0xff) deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer valueName: NoAutorun dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer valueName: NoAutoplayfornonVolume dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable lock screen camera access recommend: standard docs: https://www.stigviewer.com/stig/windows_8_8.1/2014-06-27/finding/V-43237 call: function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Personalization valueName: NoLockScreenCamera dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable storage of the LAN Manager password hashes recommend: standard docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63797 code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "NoLMHash" /t REG_DWORD /d "1" /f revertCode: |- :: `1` as default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "NoLMHash" /t REG_DWORD /d "1" /f - name: Disable "Always install with elevated privileges" in Windows Installer recommend: standard docs: https://www.stigviewer.com/stig/windows_8/2013-07-03/finding/V-34974 call: function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer valueName: AlwaysInstallElevated dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Enable Structured Exception Handling Overwrite Protection (SEHOP) recommend: standard docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-68849 call: function: SetRegistryValue parameters: 
keyPath: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel valueName: DisableExceptionChainValidation dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Enable security against PowerShell 2.0 downgrade attacks recommend: standard docs: |- See: [The Windows PowerShell 2.0 feature must be disabled on the system. | stigviewer.com](https://web.archive.org/web/20240406114721/https://www.stigviewer.com/stig/windows_10/2017-02-21/finding/V-70637) ### Overview of default feature statuses `MicrosoftWindowsPowerShellV2`: | | | | ---- | --- | | **Feature name** | `MicrosoftWindowsPowerShellV2` | | **Display name** | Windows PowerShell 2.0 Engine | | **Description** | Adds or Removes Windows PowerShell 2.0 Engine | | **Default** (Windows 11 ≥ 23H2) | 🟢 Enabled | | **Default** (Windows 10 ≥ 22H2) | 🟢 Enabled | `MicrosoftWindowsPowerShellV2Root`: | | | | ---- | --- | | **Feature name** | `MicrosoftWindowsPowerShellV2Root` | | **Display name** | Windows PowerShell 2.0 | | **Description** | Adds or Removes Windows PowerShell 2.0 | | **Default** (Windows 11 ≥ 23H2) | 🟢 Enabled | | **Default** (Windows 10 ≥ 22H2) | 🟢 Enabled | call: - function: DisableWindowsFeature parameters: featureName: MicrosoftWindowsPowerShellV2 # Get-WindowsOptionalFeature -FeatureName 'MicrosoftWindowsPowerShellV2' -Online - function: DisableWindowsFeature parameters: featureName: MicrosoftWindowsPowerShellV2Root # Get-WindowsOptionalFeature -FeatureName 'MicrosoftWindowsPowerShellV2Root' -Online - name: Disable "Windows Connect Now" wizard recommend: standard docs: - https://web.archive.org/web/20240314130322/https://learn.microsoft.com/en-us/windows/win32/wcn/about-windows-connect-now - https://www.stigviewer.com/stig/windows_server_20122012_r2_domain_controller/2019-01-16/finding/V-15698 call: - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows\WCN\UI valueName: 
DisableWcnUi dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars valueName: DisableFlashConfigRegistrar dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars valueName: DisableInBand802DOT11Registrar dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars valueName: DisableUPnPRegistrar dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars valueName: DisableWPDRegistrar dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars valueName: EnableRegistrars dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Block tracking hosts docs: |- This category includes scripts that enhance privacy by blocking communications with hosts known for tracking and data collection. A **host** is a domain name serving as an address for a computer or resource on the Internet. These hosts are often used by software applications, operating systems, and services to collect data, which can include personal information, usage patterns, and more. 
By modifying the **hosts file** (a simple text file on your computer that maps domain names to IP addresses), these scripts make the names of data-collecting servers resolve to an unroutable address, so applications on your computer cannot reach those servers by name. This not only reduces personal data sent to companies and third-party trackers, enhancing privacy, but may also optimize system performance by minimizing unnecessary network requests. > **Caution**: These scripts may interfere with the functionality of apps or services relying on the blocked data. > Balance privacy with functionality according to your preferences and needs. > The hosts file only affects lookups that go through the local resolver and only matches exact names (no wildcards), so software that connects to hard-coded IP addresses or brings its own DNS-over-HTTPS resolver is not blocked. > Microsoft Defender may also flag hosts-file entries for Microsoft domains as `SettingsModifier:Win32/HostsFileHijack` and offer to remove them. children: # Excluded hosts: # - browser.events.data.microsoft.com # Breaks "Windows Admin Center": https://web.archive.org/web/20240502104500/https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/deploy/network-requirements # Breaks "Secure File Exchange": https://www.kuketz-forum.de/t/ms-teams-und-die-verbindungen-dorthin/537/4, https://web.archive.org/web/20240502104821/https://github.com/easylist/easylist/issues/15697 - name: Block Windows crash report hosts recommend: standard docs: |- This script prevents Windows from sending crash reports to Microsoft, enhancing your privacy. Windows Error Reporting (WER) creates minidumps (small memory snapshots at crash time) and sends them to Microsoft [1]. Although intended to improve software by analyzing crash data, this feature raises privacy concerns such as: - Inclusion of sensitive information within the dumps, such as personal data and passwords [2] [3]. - Data sharing with Microsoft and other third parties through the Windows Desktop Application Program [1]. To safeguard your privacy, this script blocks specific hosts that Windows uses to transmit crash data, ensuring these minidump files remain on your local machine and are not sent to Microsoft or its partners.
The blocked hosts are: - `oca.telemetry.microsoft.com` [4] - `oca.microsoft.com` [4] - `kmwatsonc.events.data.microsoft.com` [4] [1]: https://web.archive.org/web/20240217185113/https://learn.microsoft.com/en-us/windows/win32/dxtecharts/crash-dump-analysis "Crash Dump Analysis - Win32 apps | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240107005535/https://blog.carnal0wnage.com/2013/07/mimikatz-minidump-and-mimikatz-via-bat.html "Mimikatz Minidump and mimikatz via bat file Carnal0wnage - Blog Carnal0wnage Blog | blog.carnal0wnage.com" [3]: https://web.archive.org/web/20240217185037/https://learn.microsoft.com/en-us/troubleshoot/windows-client/performance/read-small-memory-dump-file "Read small memory dump files - Windows Client | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240217185108/https://learn.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization "Configure Windows diagnostic data in your organization (Windows 10 and Windows 11) - Windows Privacy | Microsoft Learn | learn.microsoft.com" call: - function: BlockViaHostsFile parameters: domain: oca.telemetry.microsoft.com - function: BlockViaHostsFile parameters: domain: oca.microsoft.com - function: BlockViaHostsFile parameters: domain: kmwatsonc.events.data.microsoft.com - name: Block Windows error reporting hosts recommend: standard docs: |- This script improves your privacy by preventing "Windows Error Reporting (WER)" from sending data about hardware and software issues back to Microsoft. WER is designed to collect diagnostic information [1] and report it back to Microsoft [1] [6], aiming to improve user experience by offering solutions to encountered problems [1]. However, this feature can inadvertently expose sensitive system information. By default, error reporting information is sent to Microsoft [6], which may include details that users prefer to keep private. 
> **Caution**: This script may prevent receiving automatic solutions or feedback for reported errors [1]. ### Blocked Hosts The blocked hosts are: - `watson.telemetry.microsoft.com` [2] [3] [4] [5] [7] - `umwatsonc.events.data.microsoft.com` [2] - `ceuswatcab01.blob.core.windows.net` [2] - `ceuswatcab02.blob.core.windows.net` [2] - `eaus2watcab01.blob.core.windows.net` [2] - `eaus2watcab02.blob.core.windows.net` [2] - `weus2watcab01.blob.core.windows.net` [2] - `weus2watcab02.blob.core.windows.net` [2] - `co4.telecommand.telemetry.microsoft.com` [5] [6] - `cs11.wpc.v0cdn.net` [5] [6] - `cs1137.wpc.gammacdn.net` [5] [6] - `modern.watson.data.microsoft.com` [5] [6] [1]: https://web.archive.org/web/20240217185900/https://learn.microsoft.com/en-us/windows/win32/wer/about-wer "About WER - Win32 apps | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240217185108/https://learn.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization "Configure Windows diagnostic data in your organization (Windows 10 and Windows 11) - Windows Privacy | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240217185904/https://learn.microsoft.com/en-us/windows/privacy/manage-windows-11-endpoints "Connection endpoints for Windows 11 Enterprise - Windows Privacy | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240217185950/https://learn.microsoft.com/en-us/windows/privacy/windows-11-endpoints-non-enterprise-editions "Windows 11 connection endpoints for non-Enterprise editions - Windows Privacy | Microsoft Learn | learn.microsoft.com" [5]: https://web.archive.org/web/20240217190247/https://learn.microsoft.com/en-us/hololens/hololens-offline "Manage connection endpoints for HoloLens | Microsoft Learn | learn.microsoft.com" [6]: https://web.archive.org/web/20240217204237/https://learn.microsoft.com/en-us/windows/privacy/manage-windows-1903-endpoints "Connection endpoints for Windows 10 
Enterprise, version 1903 - Windows Privacy | Microsoft Learn | learn.microsoft.com" [7]: https://web.archive.org/web/20240217204251/https://www.michaelhorowitz.com/Windows10.spying.onsettings.php "Windows 10 spies on your use of System Settings | www.michaelhorowitz.com" call: - function: BlockViaHostsFile parameters: domain: watson.telemetry.microsoft.com - function: BlockViaHostsFile parameters: domain: umwatsonc.events.data.microsoft.com - function: BlockViaHostsFile parameters: domain: ceuswatcab01.blob.core.windows.net - function: BlockViaHostsFile parameters: domain: ceuswatcab02.blob.core.windows.net - function: BlockViaHostsFile parameters: domain: eaus2watcab01.blob.core.windows.net - function: BlockViaHostsFile parameters: domain: eaus2watcab02.blob.core.windows.net - function: BlockViaHostsFile parameters: domain: weus2watcab01.blob.core.windows.net - function: BlockViaHostsFile parameters: domain: weus2watcab02.blob.core.windows.net - function: BlockViaHostsFile parameters: domain: co4.telecommand.telemetry.microsoft.com - function: BlockViaHostsFile parameters: domain: cs11.wpc.v0cdn.net - function: BlockViaHostsFile parameters: domain: cs1137.wpc.gammacdn.net - function: BlockViaHostsFile parameters: domain: modern.watson.data.microsoft.com - name: Block telemetry and user experience hosts recommend: standard docs: |- This script improves privacy by blocking the hosts that the *Windows Connected User Experiences and Telemetry* component reports to [1]. This component is responsible for collecting and transmitting diagnostic data and usage information to Microsoft [1] [2], which is used to identify and fix problems, enhancing product and service offerings [2]. While the collection of this data is intended to improve user experience by allowing Microsoft to address issues and enhance functionality [2], it raises privacy concerns for users who prefer to keep their diagnostic information private.
Blocking these endpoints prevents the automatic transmission of this data to Microsoft [2], safeguarding user privacy. > **Caution**: This script may impact the delivery of diagnostic and usage-based solutions from Microsoft [1] [2]. ### Blocked Hosts The blocked hosts are: - `functional.events.data.microsoft.com` [2] - `browser.events.data.msn.com` [2] [3] [4] - `self.events.data.microsoft.com` [2] [3] - `v10.events.data.microsoft.com` [1] [2] [5] [6] [9] - `v10c.events.data.microsoft.com` [1] - `us-v10c.events.data.microsoft.com` [1] - `eu-v10c.events.data.microsoft.com` [1] - `v10.vortex-win.data.microsoft.com` [1] [6] [7] - `vortex-win.data.microsoft.com` [8] - `telecommand.telemetry.microsoft.com` [2] - `www.telecommandsvc.microsoft.com` [2] - `umwatson.events.data.microsoft.com` [3] [4] - `watsonc.events.data.microsoft.com` [1] - `eu-watsonc.events.data.microsoft.com` [1] - `v20.events.data.microsoft.com` [9] [1]: https://web.archive.org/web/20240217185108/https://learn.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization "Configure Windows diagnostic data in your organization (Windows 10 and Windows 11) - Windows Privacy | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240217185904/https://learn.microsoft.com/en-us/windows/privacy/manage-windows-11-endpoints "Connection endpoints for Windows 11 Enterprise - Windows Privacy | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240217204251/https://www.michaelhorowitz.com/Windows10.spying.onsettings.php "Windows 10 spies on your use of System Settings | www.michaelhorowitz.com" [4]: https://web.archive.org/web/20240217205130/https://www.thewindowsclub.com/edge-waiting-for-browser-events-data-msn-com "Edge Waiting for browser.events.data.msn.com | thewindowsclub.com" [5]: https://web.archive.org/web/20240217185950/https://learn.microsoft.com/en-us/windows/privacy/windows-11-endpoints-non-enterprise-editions "Windows 11 
connection endpoints for non-Enterprise editions - Windows Privacy | Microsoft Learn | learn.microsoft.com" [6]: https://web.archive.org/web/20240217190247/https://learn.microsoft.com/en-us/hololens/hololens-offline "Manage connection endpoints for HoloLens | Microsoft Learn | learn.microsoft.com" [7]: https://web.archive.org/web/20240217204237/https://learn.microsoft.com/en-us/windows/privacy/manage-windows-1903-endpoints "Connection endpoints for Windows 10 Enterprise, version 1903 - Windows Privacy | Microsoft Learn | learn.microsoft.com" [8]: https://web.archive.org/web/20240217205118/https://support.microsoft.com/en-us/topic/update-for-customer-experience-and-diagnostic-telemetry-2649a645-0d3d-fa61-0773-ef84c0a8c8ac#ID0EDDBH "Update for customer experience and diagnostic telemetry - Microsoft Support | support.microsoft.com" [9]: https://web.archive.org/web/20240219205201/https://learn.microsoft.com/en-us/windows/privacy/windows-endpoints-2004-non-enterprise-editions "Windows 10, version 2004, connection endpoints for non-Enterprise editions - Windows Privacy | Microsoft Learn | learn.microsoft.com" call: - function: BlockViaHostsFile parameters: domain: functional.events.data.microsoft.com - function: BlockViaHostsFile parameters: domain: browser.events.data.msn.com - function: BlockViaHostsFile parameters: domain: self.events.data.microsoft.com - function: BlockViaHostsFile parameters: domain: v10.events.data.microsoft.com - function: BlockViaHostsFile parameters: domain: v10c.events.data.microsoft.com - function: BlockViaHostsFile parameters: domain: us-v10c.events.data.microsoft.com - function: BlockViaHostsFile parameters: domain: eu-v10c.events.data.microsoft.com - function: BlockViaHostsFile parameters: domain: v10.vortex-win.data.microsoft.com - function: BlockViaHostsFile parameters: domain: vortex-win.data.microsoft.com - function: BlockViaHostsFile parameters: domain: telecommand.telemetry.microsoft.com - function: BlockViaHostsFile parameters: 
domain: www.telecommandsvc.microsoft.com - function: BlockViaHostsFile parameters: domain: umwatson.events.data.microsoft.com - function: BlockViaHostsFile parameters: domain: watsonc.events.data.microsoft.com - function: BlockViaHostsFile parameters: domain: eu-watsonc.events.data.microsoft.com - name: Block remote configuration sync hosts recommend: strict docs: |- This script blocks specific hosts used by applications, such as "System Initiated User Feedback" and the "Xbox" app [1] [2], to dynamically update their configuration [1] [2]. These endpoints play a crucial role in remotely configuring diagnostics-related settings and data collection [3]. For instance, they allow for the remote blocking of events being sent back to Microsoft or enrolling a device in the Windows diagnostic data processor configuration [3]. Blocking these hosts can enhance your privacy by preventing certain data from being collected and sent to Microsoft. > **Caution**: Using this script might disrupt the normal operation of applications that depend on syncing their > configurations online, leading to potential functionality issues [1]. 
### Blocked Hosts The blocked hosts are: - `settings-win.data.microsoft.com` [1] [2] [3] [4] [5] - `settings.data.microsoft.com` [1] [2] [5] [1]: https://web.archive.org/web/20240217185904/https://learn.microsoft.com/en-us/windows/privacy/manage-windows-11-endpoints "Connection endpoints for Windows 11 Enterprise - Windows Privacy | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240217185950/https://learn.microsoft.com/en-us/windows/privacy/windows-11-endpoints-non-enterprise-editions "Windows 11 connection endpoints for non-Enterprise editions - Windows Privacy | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240217185108/https://learn.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization "Configure Windows diagnostic data in your organization (Windows 10 and Windows 11) - Windows Privacy | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240217205118/https://support.microsoft.com/en-us/topic/update-for-customer-experience-and-diagnostic-telemetry-2649a645-0d3d-fa61-0773-ef84c0a8c8ac#ID0EDDBH "Update for customer experience and diagnostic telemetry - Microsoft Support | support.microsoft.com" [5]: https://web.archive.org/web/20240217204251/https://www.michaelhorowitz.com/Windows10.spying.onsettings.php "Windows 10 spies on your use of System Settings | www.michaelhorowitz.com" call: - function: BlockViaHostsFile parameters: domain: settings-win.data.microsoft.com - function: BlockViaHostsFile parameters: domain: settings.data.microsoft.com - category: Block third-party app hosts docs: |- This category includes scripts that block network connections to third-party applications that collect data. These scripts stop your system from sending data to third parties, thereby protecting your personal information and possibly improving system performance by cutting down on superfluous data transfers. 
children: - name: Block Dropbox telemetry hosts recommend: standard docs: |- This script prevents your computer from sending personal data to Dropbox's data collection servers [1], improving your privacy. Dropbox collects data such as: - **Account Information**: Includes your name, email, phone number, payment details, and address shared during account creation or when upgrading plans [2]. - **Your Files**: Covers data on files you save in Dropbox, their usage, and details [2]. - **Contacts**: If granted access, Dropbox stores contacts [2]. - **Usage Information**: Tracks how you use Dropbox services, including file management and electronic signature activities [2]. - **Device Information**: Includes information from your devices, such as IP addresses, browsers, and location data [2]. - **User Settings**: Uses cookies and pixel tags to remember your settings [2]. - **DocSend and Dropbox Analytics**: Collects data, including device and ID information, when you view content via these services [2]. - **Marketing Information**: Tracks your interactions with Dropbox or its representatives [2]. Dropbox also shares collected data with third parties, affiliates, and other users [2]. Applying this script significantly reduces the data Dropbox collects, directly enhancing your privacy protection. ### Blocked Hosts The blocked hosts are: - `telemetry.dropbox.com` [3] - `telemetry.v.dropbox.com` [4] [1]: https://web.archive.org/web/20240123113411/https://www.dropboxforum.com/t5/Integrations/Why-So-Much-Telemetry/m-p/463436/highlight/true#M4616 "Re: Why So Much Telemetry ? - Page 3 - Dropbox Community | www.dropboxforum.com" [2]: https://web.archive.org/web/20240123113313/https://www.dropbox.com/privacy "Privacy Policy - Dropbox | www.dropbox.com" [3]: https://web.archive.org/web/20240123113357/https://www.dropboxforum.com/t5/Integrations/Why-So-Much-Telemetry/td-p/455961/page/2 "Why So Much Telemetry ? 
- Page 2 - Dropbox Community | dropboxforum.com" [4]: https://web.archive.org/web/20240123113411/https://www.dropboxforum.com/t5/Integrations/Why-So-Much-Telemetry/m-p/456421/highlight/true#M4592 "Re: Why So Much Telemetry ? - Dropbox Community | www.dropboxforum.com" call: - function: BlockViaHostsFile parameters: domain: telemetry.dropbox.com - function: BlockViaHostsFile parameters: domain: telemetry.v.dropbox.com - name: Block Spotify Live Tile hosts docs: |- # refactor-with-variables: Same • live tiles This script enhances privacy by preventing the Spotify application from fetching and displaying live updates on its Live Tile [1]. Spotify, known for being pre-installed with Windows [2], can collect data in the background without user consent. This script stops the transmission of real-time data to the Spotify Live Tile [1], which may contain user-specific content or usage patterns. **Live Tiles**, a feature within UWP apps, automatically collect and display updated information directly on the Start menu, without opening the app [3]. The Live Tiles feature, once available on Windows 8.1 and 10 [4], has been replaced by the **Widgets** feature in Windows 11 [5]. > **Caution**: Using this script may have side effects on Spotify functionalities beyond the Live Tile, potentially influencing other app > features or the Spotify website experience [6]. 
### Blocked Hosts The blocked hosts are: - `spclient.wg.spotify.com` [1] [1]: https://web.archive.org/web/20240217185950/https://learn.microsoft.com/en-us/windows/privacy/windows-11-endpoints-non-enterprise-editions "Windows 11 connection endpoints for non-Enterprise editions - Windows Privacy | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240219224242/https://www.windowslatest.com/2022/09/28/spotify-app-is-automatically-getting-installed-on-windows-10-windows-11/ "Spotify app is automatically getting installed on Windows 10 & Windows 11 | windowslatest.com" [3]: https://web.archive.org/web/20240502092842/https://learn.microsoft.com/en-us/archive/msdn-magazine/2017/april/uwp-apps-develop-hosted-web-apps-for-uwp#getting-started "UWP Apps - Develop Hosted Web Apps for UWP | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240502095239/https://answers.microsoft.com/en-us/windows/forum/all/live-tiles-what-are-they/71084023-f50b-4531-973d-3ba03d2c0d44 "Live Tiles, what are they? - Microsoft Community | answers.microsoft.com" [5]: https://web.archive.org/web/20240502093116/https://www.microsoft.com/en-ca/windows/windows-11-specifications "Windows 11 Specs and System Requirements | Microsoft | www.microsoft.com" [6]: https://web.archive.org/web/20240219205516/https://wiki.archlinux.org/title/spotify "Spotify - ArchWiki | wiki.archlinux.org" call: function: BlockViaHostsFile parameters: domain: spclient.wg.spotify.com - name: Block location data sharing hosts recommend: strict docs: |- This script improves user privacy by disabling the transmission of location data to Microsoft's servers [1] [2] [3] [4] [5]. Location data is utilized by various Windows applications [1] [2] [3] [4] [5], including the Camera app [6] [7], to provide location-based services. 
However, the collection of such data raises privacy concerns as it involves transmitting potentially sensitive information such as OS version, device details, nearby wireless access points (including MAC addresses and signal strengths), and various unique identifiers [6]. Sending this data to Microsoft allows for detailed profiling of your location and movements [6]. This has led to privacy lawsuits alleging unauthorized tracking of users without their consent, particularly regarding the Camera app's location tracking capabilities [6] [7]. By blocking the specified hosts, this script prevents Windows apps from accessing and sending location data [1] [2] [3] [4] [5], thereby safeguarding your privacy. > **Caution**: This script may impact the functionality of apps that rely on location data [1] [3] [4] [5]. > Users should weigh the benefits of enhanced privacy against the potential loss of location-based features in certain applications. ### Blocked Hosts The blocked hosts are: - `inference.location.live.net` [1] [2] [3] [4] [6] [7] - `location-inference-westus.cloudapp.net` [3] [5] [1]: https://web.archive.org/web/20240217185904/https://learn.microsoft.com/en-us/windows/privacy/manage-windows-11-endpoints "Connection endpoints for Windows 11 Enterprise - Windows Privacy | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240217185950/https://learn.microsoft.com/en-us/windows/privacy/windows-11-endpoints-non-enterprise-editions "Windows 11 connection endpoints for non-Enterprise editions - Windows Privacy | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240217204237/https://learn.microsoft.com/en-us/windows/privacy/manage-windows-1903-endpoints "Connection endpoints for Windows 10 Enterprise, version 1903 - Windows Privacy | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240217210446/https://learn.microsoft.com/en-us/windows/privacy/manage-windows-1909-endpoints "Connection endpoints for 
Windows 10 Enterprise, version 1909 - Windows Privacy | Microsoft Learn | learn.microsoft.com" [5]: https://web.archive.org/web/20240217210611/https://learn.microsoft.com/en-us/windows/privacy/manage-windows-1809-endpoints "Connection endpoints for Windows 10, version 1809 - Windows Privacy | Microsoft Learn | learn.microsoft.com" [6]: https://web.archive.org/web/20240217210525/https://www.zdnet.com/article/windows-phone-does-transmit-location-information-without-user-consent/ "Windows Phone DOES transmit location information without user consent | ZDNET | www.zdnet.com" [7]: https://web.archive.org/web/20240217220328/https://www.slashgear.com/microsoft-denies-windows-phone-camera-location-tracking-accusations-05177143/ "Microsoft Denies Windows Phone Camera Location Tracking Accusations - SlashGear | www.slashgear.com" call: - function: BlockViaHostsFile parameters: domain: inference.location.live.net - function: BlockViaHostsFile parameters: domain: location-inference-westus.cloudapp.net - name: Block maps data and updates hosts recommend: strict # refactor-with-variables: Same excluded host: `r.bing.com` docs: |- This script blocks servers that update offline maps [1] [2] and provide Bing Maps APIs for geospatial [3] and location services [4] [5]. This action enhances privacy by preventing the transmission of your location data to Microsoft. > **Caution:** > This script has potential side effects: > - Impacts apps and websites using Bing Maps for location services, including third-party ones. > - Disables offline map updates [1] [2], potentially leading to less accurate and outdated maps. 
### Blocked Hosts The blocked hosts are: - `maps.windows.com` [1] [2] - `dev.virtualearth.net` [2] [4] [6] - `ecn.dev.virtualearth.net` [1] [2] [3] - `ecn-us.dev.virtualearth.net` [1] [6] - `weathermapdata.blob.core.windows.net` [1] The following hosts are excluded (not blocked): - `r.bing.com` [6] [7] [8]: Blocking this host impacts several features, including Cortana [1] [2], Live Tiles [1] [2], Copilot [9] [10] [11], and Bing Maps [6] [7] [8]. - `ssl.bing.com` [2]: This host is not only associated with Maps but also other functionality such as viewing and deleting search history for your privacy [12] and Bing Webmaster APIs [13]. [1]: https://web.archive.org/web/20240217185904/https://learn.microsoft.com/en-us/windows/privacy/manage-windows-11-endpoints "Connection endpoints for Windows 11 Enterprise - Windows Privacy | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240217185950/https://learn.microsoft.com/en-us/windows/privacy/windows-11-endpoints-non-enterprise-editions "Windows 11 connection endpoints for non-Enterprise editions - Windows Privacy | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240217220311/https://learn.microsoft.com/en-us/bingmaps/articles/geospatial-endpoint-service "Geospatial Endpoint Service - Bing Maps | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240217220300/https://learn.microsoft.com/en-us/bingmaps/rest-services/locations/find-a-location-by-address "Find a Location by Address - Bing Maps | Microsoft Learn | learn.microsoft.com" [5]: https://web.archive.org/web/20240217220332/https://learn.microsoft.com/en-us/bingmaps/rest-services/common-parameters-and-types/base-url-structure "Bing Maps REST URL Structure - Bing Maps | Microsoft Learn | learn.microsoft.com" [6]: https://web.archive.org/web/20240426134902/https://learn.microsoft.com/en-us/fabric/security/power-bi-allow-list-urls "Add Power BI URLs to allowlist - Microsoft Fabric | Microsoft Learn | 
learn.microsoft.com" [7]: https://web.archive.org/web/20240426134243/https://stackoverflow.com/questions/73457359/how-do-i-catch-an-error-due-to-wrong-latitude-or-longitude-in-bing-maps-v8-web-c "javascript - How do I catch an error due to wrong latitude or longitude in Bing Maps V8 Web Control? - Stack Overflow | stackoverflow.com" [8]: https://web.archive.org/web/20240426134404/https://answers.microsoft.com/en-us/bing/forum/all/bing-maps-not-working-in-edge-or-chrome/55092382-e1a0-466c-ac83-f5ff25eacff1 "Bing maps not working in Edge or Chrome - Microsoft Community | answers.microsoft.com" [9]: https://web.archive.org/web/20240426133944/https://github.com/undergroundwires/privacy.sexy/issues/329#issuecomment-2062563970 "[BUG]: Bing (search engine) is broken · Issue #329 · undergroundwires/privacy.sexy" [10]: https://archive.ph/2024.04.26-134254/https://github.com/privacysexy-forks/ios_rule_script/blob/f0ec2a3c74940ba7f54557439f943a2359e9f792/rule/Clash/Copilot/Copilot.yaml "ios_rule_script/rule/Clash/Copilot/Copilot.yaml at f0ec2a3c74940ba7f54557439f943a2359e9f792 · privacysexy-forks/ios_rule_script | github.com" [11]: https://web.archive.org/web/20240426134112/https://urlscan.io/result/5c8c89a7-4d4a-4030-8bf2-381fded08b51#transactions "copilot.microsoft.com - urlscan.io | urlscan.io" [12]: https://web.archive.org/web/20240502094006/https://ssl.bing.com/profile/history "Search - Search History | ssl.bing.com" [13]: https://web.archive.org/web/20240502094210/https://learn.microsoft.com/en-us/bingwebmaster/getting-started#webmaster-api-interface "Getting Started with Webmaster API | Microsoft Learn | learn.microsoft.com" call: - function: BlockViaHostsFile parameters: domain: maps.windows.com - function: BlockViaHostsFile parameters: domain: ecn.dev.virtualearth.net - function: BlockViaHostsFile parameters: domain: ecn-us.dev.virtualearth.net - function: BlockViaHostsFile parameters: domain: weathermapdata.blob.core.windows.net - name: Block Spotlight ads and 
suggestions hosts recommend: strict docs: |- This script blocks specific hosts used by Windows Spotlight to retrieve metadata, which includes image references, app suggestions, Microsoft account notifications, and Windows tips [1] [2] [3]. Windows Spotlight aims to deliver dynamic content on the lock screen and other parts of the Windows interface, such as personalized ads and tips [1] [3]. By blocking these hosts, the script effectively prevents Windows Spotlight from downloading new lock screen images, app suggestions, account notifications, and tips [1] [2] [3]. It improves your privacy by reducing unsolicited content and potential data collection. > **Caution:** While Spotlight attempts to update content, suggested apps, Microsoft account notifications, and Windows tips won't be downloaded once the script is in place [1] [3]. ### Blocked Hosts The blocked hosts are: - `arc.msn.com` [1] [2] [3] - `ris.api.iris.microsoft.com` [1] [2] [3] - `api.msn.com` [1] - `assets.msn.com` [1] - `c.msn.com` [1] - `g.msn.com` [3] - `ntp.msn.com` [1] - `srtb.msn.com` [1] - `www.msn.com` [1] - `fd.api.iris.microsoft.com` [1] - `staticview.msn.com` [1] - `mucp.api.account.microsoft.com` [2] - `query.prod.cms.rt.microsoft.com` [3] [1]: https://web.archive.org/web/20240217185904/https://learn.microsoft.com/en-us/windows/privacy/manage-windows-11-endpoints "Connection endpoints for Windows 11 Enterprise - Windows Privacy | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240217185950/https://learn.microsoft.com/en-us/windows/privacy/windows-11-endpoints-non-enterprise-editions "Windows 11 connection endpoints for non-Enterprise editions - Windows Privacy | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240217204237/https://learn.microsoft.com/en-us/windows/privacy/manage-windows-1903-endpoints "Connection endpoints for Windows 10 Enterprise, version 1903 - Windows Privacy | Microsoft Learn | learn.microsoft.com" call: - function: 
BlockViaHostsFile parameters: domain: arc.msn.com - function: BlockViaHostsFile parameters: domain: ris.api.iris.microsoft.com - function: BlockViaHostsFile parameters: domain: api.msn.com - function: BlockViaHostsFile parameters: domain: assets.msn.com - function: BlockViaHostsFile parameters: domain: c.msn.com - function: BlockViaHostsFile parameters: domain: g.msn.com - function: BlockViaHostsFile parameters: domain: ntp.msn.com - function: BlockViaHostsFile parameters: domain: srtb.msn.com - function: BlockViaHostsFile parameters: domain: www.msn.com - function: BlockViaHostsFile parameters: domain: fd.api.iris.microsoft.com - function: BlockViaHostsFile parameters: domain: staticview.msn.com - function: BlockViaHostsFile parameters: domain: mucp.api.account.microsoft.com - function: BlockViaHostsFile parameters: domain: query.prod.cms.rt.microsoft.com - name: Block Cortana and Live Tiles hosts recommend: strict # refactor-with-variables: Same • Same excluded host: `r.bing.com` • live tiles docs: |- This script blocks specific hosts associated with Cortana and Live Tiles, thereby enhancing your privacy by preventing updates to Cortana's greetings, tips, and Live Tiles [1]. **Cortana** and **Live Tiles**, part of the Universal Windows Platform (UWP), enable voice-activated app control and deliver timely information directly to users [2]: - **Live Tiles**, a feature within UWP apps, automatically collect and display updated information directly on the Start menu, without opening the app [2]. The Live Tiles feature, once available on Windows 8.1 and 10 [3], has been replaced by the **Widgets** feature in Windows 11 [4]. - **Cortana** is a voice-based interactive digital assistant on Windows devices [2]. Cortana listens to commands, activates the relevant app, and passes the speech or text commands to that app [2]. > **Caution**: > Blocking these hosts may reduce functionality, affecting not only Cortana and Live Tiles but also voice > commands and voice-activated apps [2]. 
### Blocked Hosts The blocked hosts are: - `business.bing.com` [1] [5] - `c.bing.com` [1] [5] - `th.bing.com` [1] - `edgeassetservice.azureedge.net` [1] [5] - `c-ring.msedge.net` [1] - `fp.msedge.net` [1] [5] - `I-ring.msedge.net` [1] - `s-ring.msedge.net` [1] [5] - `dual-s-ring.msedge.net` [1] - `creativecdn.com` [1] - `a-ring-fallback.msedge.net` [1] - `fp-afd-nocache-ccp.azureedge.net` [1] - `prod-azurecdn-akamai-iris.azureedge.net` [1] [5] - `widgetcdn.azureedge.net` [1] [5] - `widgetservice.azurefd.net` [1] [5] - `fp-vs.azureedge.net` [5] - `ln-ring.msedge.net` [5] - `t-ring.msedge.net` [5] - `t-ring-fdv2.msedge.net` [5] - `tse1.mm.bing.net` [5] The following hosts are excluded (not blocked): - `r.bing.com` [1] [5]: Blocking this host impacts several features, including Cortana [1] [5], Live Tiles [1] [5], Copilot [6] [7] [8], and Bing Maps [9] [10] [11]. - `www.bing.com` [1] [5]: Blocking this host prevents access to the Bing search engine and its associated tools [12], impacting more than just Cortana and Live Tiles. [1]: https://web.archive.org/web/20240217185904/https://learn.microsoft.com/en-us/windows/privacy/manage-windows-11-endpoints "Connection endpoints for Windows 11 Enterprise - Windows Privacy | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240502092842/https://learn.microsoft.com/en-us/archive/msdn-magazine/2017/april/uwp-apps-develop-hosted-web-apps-for-uwp#getting-started "UWP Apps - Develop Hosted Web Apps for UWP | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240502095239/https://answers.microsoft.com/en-us/windows/forum/all/live-tiles-what-are-they/71084023-f50b-4531-973d-3ba03d2c0d44 "Live Tiles, what are they? 
- Microsoft Community | answers.microsoft.com" [4]: https://web.archive.org/web/20240502093116/https://www.microsoft.com/en-ca/windows/windows-11-specifications "Windows 11 Specs and System Requirements | Microsoft | www.microsoft.com" [5]: https://web.archive.org/web/20240217185950/https://learn.microsoft.com/en-us/windows/privacy/windows-11-endpoints-non-enterprise-editions "Windows 11 connection endpoints for non-Enterprise editions - Windows Privacy | Microsoft Learn | learn.microsoft.com" [6]: https://web.archive.org/web/20240426133944/https://github.com/undergroundwires/privacy.sexy/issues/329#issuecomment-2062563970 "[BUG]: Bing (search engine) is broken · Issue #329 · undergroundwires/privacy.sexy" [7]: https://archive.ph/2024.04.26-134254/https://github.com/privacysexy-forks/ios_rule_script/blob/f0ec2a3c74940ba7f54557439f943a2359e9f792/rule/Clash/Copilot/Copilot.yaml "ios_rule_script/rule/Clash/Copilot/Copilot.yaml at f0ec2a3c74940ba7f54557439f943a2359e9f792 · privacysexy-forks/ios_rule_script | github.com" [8]: https://web.archive.org/web/20240426134112/https://urlscan.io/result/5c8c89a7-4d4a-4030-8bf2-381fded08b51#transactions "copilot.microsoft.com - urlscan.io | urlscan.io" [9]: https://web.archive.org/web/20240426134902/https://learn.microsoft.com/en-us/fabric/security/power-bi-allow-list-urls "Add Power BI URLs to allowlist - Microsoft Fabric | Microsoft Learn | learn.microsoft.com" [10]: https://web.archive.org/web/20240426134243/https://stackoverflow.com/questions/73457359/how-do-i-catch-an-error-due-to-wrong-latitude-or-longitude-in-bing-maps-v8-web-c "javascript - How do I catch an error due to wrong latitude or longitude in Bing Maps V8 Web Control? 
- Stack Overflow | stackoverflow.com" [11]: https://web.archive.org/web/20240426134404/https://answers.microsoft.com/en-us/bing/forum/all/bing-maps-not-working-in-edge-or-chrome/55092382-e1a0-466c-ac83-f5ff25eacff1 "Bing maps not working in Edge or Chrome - Microsoft Community | answers.microsoft.com" [12]: https://web.archive.org/web/20240502092817/https://en.wikipedia.org/wiki/Microsoft_Bing "Microsoft Bing - Wikipedia | en.wikipedia.org" call: - function: BlockViaHostsFile parameters: domain: business.bing.com - function: BlockViaHostsFile parameters: domain: c.bing.com - function: BlockViaHostsFile parameters: domain: th.bing.com - function: BlockViaHostsFile parameters: domain: edgeassetservice.azureedge.net - function: BlockViaHostsFile parameters: domain: c-ring.msedge.net - function: BlockViaHostsFile parameters: domain: fp.msedge.net - function: BlockViaHostsFile parameters: domain: I-ring.msedge.net - function: BlockViaHostsFile parameters: domain: s-ring.msedge.net - function: BlockViaHostsFile parameters: domain: dual-s-ring.msedge.net - function: BlockViaHostsFile parameters: domain: creativecdn.com - function: BlockViaHostsFile parameters: domain: a-ring-fallback.msedge.net - function: BlockViaHostsFile parameters: domain: fp-afd-nocache-ccp.azureedge.net - function: BlockViaHostsFile parameters: domain: prod-azurecdn-akamai-iris.azureedge.net - function: BlockViaHostsFile parameters: domain: widgetcdn.azureedge.net - function: BlockViaHostsFile parameters: domain: widgetservice.azurefd.net - function: BlockViaHostsFile parameters: domain: fp-vs.azureedge.net - function: BlockViaHostsFile parameters: domain: ln-ring.msedge.net - function: BlockViaHostsFile parameters: domain: t-ring.msedge.net - function: BlockViaHostsFile parameters: domain: t-ring-fdv2.msedge.net - function: BlockViaHostsFile parameters: domain: tse1.mm.bing.net - name: Block Edge experimentation hosts recommend: standard docs: |- This script blocks the connection between Microsoft 
Edge and the Experimentation and Configuration Service (ECS) [1]. ECS delivers various updates to Microsoft Edge, including configurations, feature rollouts, and experiments [1]: - **Configurations** aim to ensure the product's health, security, and privacy compliance [1]. These settings are uniform for all users, based on their platforms and channels, and can enable or disable features as necessary [1]. - **Controlled Feature Rollout (CFR)** gradually introduces a new feature to a portion of the user base [1]. - **Experiments** test new features and functionalities within Microsoft Edge that are still under development [1]. These features are not visible to all users and are activated or deactivated through experiment flags [1]. By blocking communication with ECS, this script prevents Microsoft Edge from receiving updates related to these payloads [1]. It enhances user privacy by limiting exposure to experimental features and configurations that may collect data or alter the browsing experience without the user's explicit consent. ### Blocked Hosts The blocked hosts are: - `config.edge.skype.com` [2] [1]: https://web.archive.org/web/20240219203636/https://learn.microsoft.com/en-us/deployedge/edge-configuration-and-experiments "Microsoft Edge configurations and experimentation | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240217204251/https://www.michaelhorowitz.com/Windows10.spying.onsettings.php "Windows 10 spies on your use of System Settings | www.michaelhorowitz.com" call: function: BlockViaHostsFile parameters: domain: config.edge.skype.com - name: Block Photos app sync hosts recommend: strict docs: |- This script blocks connections to hosts the Photos app uses to download configuration files and interact with the shared infrastructure of the Office 365 portal, including browser-based Office applications [1] [2]. 
> **Caution**: This script may affect the Photos app's ability to download configuration files and connect to Office 365 [1] [2], > potentially impacting its functionality. ### Blocked Hosts The blocked hosts are: - `evoke-windowsservices-tas.msedge.net` [1] [2] [1]: https://web.archive.org/web/20240217185904/https://learn.microsoft.com/en-us/windows/privacy/manage-windows-11-endpoints "Connection endpoints for Windows 11 Enterprise - Windows Privacy | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240217185950/https://learn.microsoft.com/en-us/windows/privacy/windows-11-endpoints-non-enterprise-editions "Windows 11 connection endpoints for non-Enterprise editions - Windows Privacy | Microsoft Learn | learn.microsoft.com" call: function: BlockViaHostsFile parameters: domain: evoke-windowsservices-tas.msedge.net - name: Block OneNote Live Tile hosts recommend: strict # refactor-with-variables: Same • live tiles docs: |- This script blocks the communication used by OneNote Live Tile [1]. It enhances privacy by preventing OneNote from retrieving live data updates [1], which might include user-specific content or usage patterns. **Live Tiles**, a feature within UWP apps, automatically collect and display updated information directly on the Start menu, without opening the app [2]. The Live Tiles feature, once available on Windows 8.1 and 10 [3], has been replaced by the **Widgets** feature in Windows 11 [4]. > **Caution**: This script could lead to broader implications beyond the Live Tile functionality. > It may affect OneNote's overall performance and features, such as the ability to use stickers add-ins and access certain assets > within the Office suite [5]. This could potentially hinder the user experience by limiting the functionality of OneNote's dynamic > content and integrations. 
### Blocked Hosts The blocked hosts are: - `cdn.onenote.net` [1] [1]: https://web.archive.org/web/20240217185950/https://learn.microsoft.com/en-us/windows/privacy/windows-11-endpoints-non-enterprise-editions "Windows 11 connection endpoints for non-Enterprise editions - Windows Privacy | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240502092842/https://learn.microsoft.com/en-us/archive/msdn-magazine/2017/april/uwp-apps-develop-hosted-web-apps-for-uwp#getting-started "UWP Apps - Develop Hosted Web Apps for UWP | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240502095239/https://answers.microsoft.com/en-us/windows/forum/all/live-tiles-what-are-they/71084023-f50b-4531-973d-3ba03d2c0d44 "Live Tiles, what are they? - Microsoft Community | answers.microsoft.com" [4]: https://web.archive.org/web/20240502093116/https://www.microsoft.com/en-ca/windows/windows-11-specifications "Windows 11 Specs and System Requirements | Microsoft | www.microsoft.com" [5]: https://web.archive.org/web/20240219212903/https://macadmins.software/docs/Network_Traffic.pdf "Microsoft Word - Network_Traffic.docx | macadmins.software" call: function: BlockViaHostsFile parameters: domain: cdn.onenote.net - name: Block Weather Live Tile hosts recommend: strict # refactor-with-variables: Same • live tiles docs: |- This script blocks the communication used by the Weather app [1] [2] and its Live Tile feature [3]. **Live Tiles**, a feature within UWP apps, automatically collect and display updated information directly on the Start menu, without opening the app [4]. The Live Tiles feature, once available on Windows 8.1 and 10 [5], has been replaced by the **Widgets** feature in Windows 11 [6]. > **Caution:** This script breaks the Weather app [1] [2] and its tile [3]. 
### Blocked Hosts The blocked hosts are: - `tile-service.weather.microsoft.com` [1] [2] [1]: https://web.archive.org/web/20240217185950/https://learn.microsoft.com/en-us/windows/privacy/windows-11-endpoints-non-enterprise-editions "Windows 11 connection endpoints for non-Enterprise editions - Windows Privacy | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240217185904/https://learn.microsoft.com/en-us/windows/privacy/manage-windows-11-endpoints "Connection endpoints for Windows 11 Enterprise - Windows Privacy | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240219205201/https://learn.microsoft.com/en-us/windows/privacy/windows-endpoints-2004-non-enterprise-editions "Windows 10, version 2004, connection endpoints for non-Enterprise editions - Windows Privacy | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240502092842/https://learn.microsoft.com/en-us/archive/msdn-magazine/2017/april/uwp-apps-develop-hosted-web-apps-for-uwp#getting-started "UWP Apps - Develop Hosted Web Apps for UWP | Microsoft Learn | learn.microsoft.com" [5]: https://web.archive.org/web/20240502095239/https://answers.microsoft.com/en-us/windows/forum/all/live-tiles-what-are-they/71084023-f50b-4531-973d-3ba03d2c0d44 "Live Tiles, what are they? - Microsoft Community | answers.microsoft.com" [6]: https://web.archive.org/web/20240502093116/https://www.microsoft.com/en-ca/windows/windows-11-specifications "Windows 11 Specs and System Requirements | Microsoft | www.microsoft.com" call: function: BlockViaHostsFile parameters: domain: tile-service.weather.microsoft.com - category: Privacy over security children: - category: Disable Microsoft Defender docs: |- This category offers scripts to disable Windows security components known as *Microsoft Defender*. Although designed to protect you, these features may compromise your privacy and decrease computer performance. 
Privacy concerns include: - Sending personal data to Microsoft for analysis [1] [2] [3]. - The labeling of efforts to block telemetry (data collection by Microsoft) as security threats [4] [5]. - The incorrect flagging of privacy-enhancing scripts from privacy.sexy as malicious software [6]. Turning off Microsoft Defender may improve your computer's speed by freeing up system resources [7]. However, disabling these features could result in: - Potential program malfunctions [8], as these security features are integral to Windows [9]. - Lowered defenses against malware and other online threats. These scripts target only the Defender features built into Windows and do not impact other Defender services available with Microsoft 365 subscriptions [10] [11]. > **Caution**: > These scripts **may reduce your security** and **cause issues with software** relying on them. > Consider alternative security solutions to maintain protection. [1]: https://web.archive.org/web/20240409170914/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus?view=o365-worldwide "Cloud protection and Microsoft Defender Antivirus | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240409170815/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/data-storage-privacy?view=o365-worldwide "Microsoft Defender for Endpoint data storage and privacy | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20231006103250/https://privacy.microsoft.com/en-US/privacystatement "Microsoft Privacy Statement – Microsoft privacy | privacy.microsoft.com" [4]: https://web.archive.org/web/20240409170735/https://www.bleepingcomputer.com/news/microsoft/windows-10-hosts-file-blocking-telemetry-is-now-flagged-as-a-risk/ "Windows 10: HOSTS file blocking telemetry is now flagged as a risk | www.bleepingcomputer.com" [5]:
https://web.archive.org/web/20240409171701/https://www.zdnet.com/article/windows-10-telemetry-secrets/ "Windows 10 telemetry secrets: Where, when, and why Microsoft collects your data | ZDNET | www.zdnet.com" [6]: https://web.archive.org/web/20240409171415/https://github.com/undergroundwires/privacy.sexy/issues/296#issuecomment-1858704482 "Recent Windows 11 Security Update marks \"privacy-script\" as Virus or unwanted Software [BUG]: · Issue #296 · undergroundwires/privacy.sexy · GitHub | github.com" [7]: https://web.archive.org/web/20240409171447/https://support.microsoft.com/en-us/windows/turn-off-defender-antivirus-protection-in-windows-security-99e6004f-c54c-8509-773c-a4d776b77960 "Turn off Defender antivirus protection in Windows Security - Microsoft Support" [8]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" [9]: https://web.archive.org/web/20240409171217/https://borncity.com/win/2023/10/17/windows-10-11-microsoft-defender-can-no-longer-be-disabled/ "Windows 10/11: Microsoft Defender can no longer be disabled | Born's Tech and Windows World | borncity.com" [10]: https://web.archive.org/web/20240409164749/https://support.microsoft.com/en-us/topic/getting-started-with-microsoft-defender-9df0cb0f-4866-4433-9cbc-f83e5cf77693 "Getting started with Microsoft Defender - Microsoft Support | support.microsoft.com" [11]: https://web.archive.org/web/20240409171421/https://learn.microsoft.com/en-us/defender/ "Microsoft Defender products and services | Microsoft Learn" # See defender status: Get-MpComputerStatus children: - category: Disable Microsoft Defender firewall docs: |- This category provides scripts to disable the Microsoft Defender Firewall. 
This firewall serves as a security gate for your computer. It controls network traffic to and from a computer [1] [2] [3] [4] [5]. By default it blocks unsolicited incoming connections and allows outgoing traffic [1]. It enables users to block connections [1] [3] [5] [6] [7]. For enhanced security, users can require IPsec protection for connections through connection security rules [1] [3] [7]. This can protect your computer from unauthorized access [1] [4] [6] [8]. Microsoft has renamed the firewall several times to reflect branding changes: 1. **Internet Connection Firewall** initially [3]. 2. **Windows Firewall** with the release of Windows XP Service Pack 2 [3]. 3. **Windows Defender Firewall** starting with Windows 10 version 1709 (2017) [4] [5]. 4. **Microsoft Defender Firewall** from Windows 10 version 2004 onwards [5] [6]. 5. **Windows Firewall** again in 2023 [9]. Considerations: - Malware or unauthorized users can bypass it if they gain direct access to the computer [10]. - Default firewall settings often provide limited security unless properly configured [10]. This is the case for most users. - The firewall is enabled by default [1] [2] [4] [5]. Its service keeps running in the background even when the firewall is turned off in settings [7]. This can compromise privacy. - Firewall logs record dropped and allowed connections, including the addresses and ports involved, which reveals user behavior [11]. By default the log is written to `%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log`, and logging of dropped and allowed packets is off until enabled [11]. The logs fall under [Microsoft's privacy policy](https://web.archive.org/web/20231006103250/https://privacy.microsoft.com/en-US/privacystatement). This allows Microsoft to access and analyze these logs to study your behavior. Turning off this firewall may optimize system performance by reducing background tasks [7]. It enhances privacy by preventing the collection of firewall logs [11]. However, this could increase security risks by exposing your system to more threats [1] [4] [6] [8]. > **Caution**: > Turning off the Microsoft Defender Firewall **may reduce your security**. > Consider an alternative security solution to maintain protection.
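The following is an added example for this category, not code from privacy.sexy. It shows two things the scripts below act on: where each profile's on/off state actually comes from (the effective value reported by the API beside the raw `EnableFirewall` values in the policy key and in the local `SharedAccess\Parameters\FirewallPolicy` key, so you can tell whether a policy or a local setting is in force), and what the firewall log records about a user. It assumes the NetSecurity module (Windows 8 / Server 2012 and later); the profile-to-key mapping (the Private profile is stored as `StandardProfile`) follows the MS-GPFAS document cited by the registry script later in this category; the log lines are constructed in the documented `#Fields:` layout and are not from a real host; function names are the example's own.

```powershell
# Added example (not part of privacy.sexy): show where each profile's on/off state comes
# from and what the firewall log records. Needs the NetSecurity module (Windows 8+).

# Policy keys (GPO or the registry script in this category) take precedence over the
# local keys. Windows stores the Private profile as "StandardProfile" in both places.
$profileKeys = @{ Domain = 'DomainProfile'; Private = 'StandardProfile'; Public = 'PublicProfile' }

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }            # key or value absent
    return [int]$item.$Name
}

function Get-FirewallStateSource {
    # Effective state from the API beside the raw policy and local registry values.
    foreach ($p in Get-NetFirewallProfile) {
        $key    = $profileKeys[[string]$p.Name]
        $policy = Get-RegistryDword "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$key" 'EnableFirewall'
        $local  = Get-RegistryDword "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$key" 'EnableFirewall'
        [pscustomobject]@{
            Profile        = $p.Name
            Effective      = $p.Enabled                 # True / False / NotConfigured
            PolicyValue    = $policy                    # $null unless a policy is set
            LocalValue     = $local
            Source         = if ($null -ne $policy) { 'Policy' } elseif ($null -ne $local) { 'Local' } else { 'Default' }
            InboundDefault = $p.DefaultInboundAction
            LogBlocked     = $p.LogBlocked
            LogFile        = $p.LogFileName
        }
    }
}

function ConvertFrom-FirewallLog {
    # Parses pfirewall.log (W3C extended format). The "#Fields:" header names the
    # columns, so the parser follows whatever order the file declares.
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*') -split '\s+'; continue }
        if ($line.StartsWith('#') -or -not $line.Trim() -or -not $fields) { continue }
        $values = $line -split '\s+'
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $obj[$fields[$i]] = if ($i -lt $values.Count) { $values[$i] } else { '-' }
        }
        [pscustomobject]$obj
    }
}

# Constructed log lines in the documented layout (not captured from a real host).
$sampleLog = @(
    '#Version: 1.5',
    '#Software: Microsoft Windows Firewall',
    '#Time Format: Local',
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
    '2024-05-26 09:14:02 DROP TCP 203.0.113.7 192.0.2.10 51522 445 52 S 1234567 0 8192 - - - RECEIVE',
    '2024-05-26 09:14:05 ALLOW TCP 192.0.2.10 198.51.100.3 50231 443 0 - 0 0 0 - - - SEND',
    '2024-05-26 09:14:09 ALLOW UDP 192.0.2.10 198.51.100.53 60001 53 78 - - - - - - - SEND'
)
$events = ConvertFrom-FirewallLog -Lines $sampleLog
# What the log exposes about the user: every destination their software contacted.
$events | Where-Object { $_.path -eq 'SEND' } |
    Group-Object -Property action, 'dst-ip', 'dst-port' |
    Select-Object Count, Name | Format-Table -AutoSize

Get-FirewallStateSource | Format-Table -AutoSize
```

`Source = Policy` with `Effective = False` is the state the policy-key script in this category produces; `Source = Local` with `Effective = False` is what `netsh advfirewall set allprofiles state off` or the `SharedAccess` registry script produces. The log parser is only useful once `LogBlocked` or `LogAllowed` is true for the profile, which is not the default.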
[1]: https://web.archive.org/web/20240406233704/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/ "Windows Firewall overview - Windows Security | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240408093812/https://support.microsoft.com/en-us/topic/getting-started-with-microsoft-defender-9df0cb0f-4866-4433-9cbc-f83e5cf77693 "Getting started with Microsoft Defender - Microsoft Support | support.microsoft.com" [3]: https://web.archive.org/web/20041020065757/http://support.microsoft.com/kb/875357 "Troubleshooting Windows Firewall settings in Windows XP Service Pack 2 | support.microsoft.com" [4]: https://web.archive.org/web/20240408093959/https://microsoft.fandom.com/wiki/Windows_Firewall "Windows Firewall | Microsoft Wiki | Fandom | microsoft.fandom.com" [5]: https://web.archive.org/web/20240408094033/https://www.tenforums.com/tutorials/70699-how-turn-off-microsoft-defender-firewall-windows-10-a.html "How to Turn On or Off Microsoft Defender Firewall in Windows 10 | Tutorials | www.tenforums.com" [6]: https://web.archive.org/web/20240408094038/https://support.microsoft.com/en-us/windows/turn-microsoft-defender-firewall-on-or-off-ec0844f7-aebd-0583-67fe-601ecf5d774f "Turn Microsoft Defender Firewall on or off - Microsoft Support | support.microsoft.com" [7]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" [8]: https://web.archive.org/web/20240408094004/https://learn.microsoft.com/en-us/mem/intune/user-help/you-need-to-enable-defender-firewall-windows "Enable Windows Defender Firewall | Microsoft Learn | learn.microsoft.com" [9]: 
https://web.archive.org/web/20240408093851/https://learn.microsoft.com/en-us/mem/intune/fundamentals/whats-new#microsoft-defender-firewall-profiles-are-renamed-to-windows-firewall "What's new in Microsoft Intune | Microsoft Learn | learn.microsoft.com" [10]: https://web.archive.org/web/20240408101037/https://softwareg.com.au/blogs/internet-security/what-is-a-major-weakness-with-a-network-host-based-firewall "What Is A Major Weakness With A Network Host-Based Firewall | softwareg.com.au" [11]: https://web.archive.org/web/20240409085528/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-logging?tabs=intune "Configure Windows Firewall logging - Windows Security | Microsoft Learn | learn.microsoft.com" children: - category: Disable Microsoft Defender Firewall services and drivers docs: |- This section contains scripts to disable the essential services and drivers of Microsoft Defender Firewall. Microsoft Defender Firewall uses services and drivers to operate. Services run background tasks, while drivers help hardware and software communicate. Even with the firewall disabled in settings, its services and drivers continue running [1], potentially monitoring network traffic and consuming resources. These scripts directly disable these components, bypassing standard Windows settings and their limitations. Disabling these firewall services and drivers can enhance privacy by preventing potential network traffic monitoring by Microsoft. Additionally, it may improve system performance by freeing up system resources otherwise consumed by these components. However, this can pose security risks and disrupt other software. Microsoft Defender Firewall blocks unauthorized network access to protect against malicious attacks [2]. Disabling it can leave your system vulnerable to such threats. Additionally, this could affect software relying on the firewall [1]. 
> **Caution**: These scripts **may reduce your security** and **cause issues with software** relying on the firewall [1]. [1]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240406233704/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/ "Windows Firewall overview - Windows Security | Microsoft Learn | learn.microsoft.com" children: - name: >- Disable "Windows Defender Firewall Authorization Driver" service (breaks Microsoft Store, `netsh advfirewall`, winget, Windows Sandbox, Docker, WSL) docs: |- # refactor-with-variables: Same • Firewall Service Caution This script disables the **Windows Defender Firewall Authorization Driver** service. This service is a kernel mode driver crucial for inspecting network traffic entering and exiting your computer [1] [2]. Disabling this service can enhance privacy by reducing Microsoft's capability to monitor and analyze your network traffic. It also improves system performance by decreasing background resource consumption. The driver is identified by the file `mpsdrv.sys` [1] [2] [3]. This file is a component of **Microsoft Protection Service** [3]. This service encompasses the **Windows Defender Firewall** (`mpssvc`) [4] [5]. Disabling this driver disables **Windows Defender Firewall** [1] [2]. This action can significantly increase security risks [6]. Restart your computer after running this script to ensure all changes take effect [7]. > **Caution**: Disabling this service causes problems with software that depends on it [8] such as: > - Prevents **Microsoft Store** app downloads [9] [10], impacting **winget** CLI functionality [11]. 
> - Disables **`netsh advfirewall`** commands, used for Windows Firewall management [8]. > - Disables **Windows Sandbox** [7] [12], an isolated environment for safely running applications [13]. > - Disables **Docker** [14], a platform for developing and running applications in isolated environments [15]. > - Disables **Windows Subsystem for Linux (WSL)** [14], which lets Linux programs run directly on Windows [16]. ### Overview of default service statuses | OS Version | Status | Start type | | ---------- | -------| ---------- | | Windows 10 (≥ 22H2) | 🟢 Running | Manual | | Windows 11 (≥ 23H2) | 🟢 Running | Manual | [1]: https://web.archive.org/web/20240314091039/https://batcmd.com/windows/10/services/mpsdrv/ "Windows Defender Firewall Authorization Driver - Windows 10 Service - batcmd.com | batcmd.com" [2]: https://web.archive.org/web/20240406223537/https://revertservice.com/10/mpsdrv/ "Windows Defender Firewall Authorization Driver (mpsdrv) Service Defaults in Windows 10 | revertservice.com" [3]: https://web.archive.org/web/20240406223542/https://www.file.net/process/mpsdrv.sys.html "mpsdrv.sys Windows process - What is it? | www.file.net" [4]: https://web.archive.org/web/20231122132150/https://strontic.github.io/xcyclopedia/library/MPSSVC.dll-AA441F7C99AAACBA2538E90D7693637A.html "MPSSVC.dll | Microsoft Protection Service | STRONTIC | strontic.github.io" [5]: https://web.archive.org/web/20231122132143/https://batcmd.com/windows/10/services/mpssvc/ "Windows Defender Firewall - Windows 10 Service - batcmd.com | batcmd.com" [6]: https://web.archive.org/web/20121106033255/http://technet.microsoft.com/en-us/library/cc753180.aspx "Basic Firewall Policy Design | technet.microsoft.com" [7]: https://web.archive.org/web/20240526095128/https://github.com/undergroundwires/privacy.sexy/issues/364 "[BUG]: FYI : Disable \"Windows Defender Firewall\" service also break Windows Sandbox. 
· Issue #364 · undergroundwires/privacy.sexy" [8]: https://web.archive.org/web/20240314125017/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior "Use netsh advfirewall firewall context - Windows Server | Microsoft Learn | learn.microsoft.com" [9]: https://web.archive.org/web/20240406224105/https://github.com/undergroundwires/privacy.sexy/issues/104#issuecomment-962651791 "[BUG][help wanted]: Cannot enable Windows Defender · Issue #104 · undergroundwires/privacy.sexy | github.com/undergroundwires/privacy.sexy" [10]: https://web.archive.org/web/20200620033533/https://www.walkernews.net/2012/09/23/how-to-fix-windows-store-app-update-error-code-0x80073d0a/ "How To Fix Windows Store App Update Error Code 0x80073D0A? – Walker News | www.walkernews.net" [11]: https://web.archive.org/web/20240406223635/https://github.com/undergroundwires/privacy.sexy/issues/142 "[BUG]: \"Standard\" profile limits Winget CLI Functionality · Issue #142 · undergroundwires/privacy.sexy · GitHub | github.com" [12]: https://web.archive.org/web/20240526095212/https://github.com/undergroundwires/privacy.sexy/issues/115 "[BUG]: I broke my Windows Sandbox and I'd like it back · Issue #115 · undergroundwires/privacy.sexy" [13]: https://web.archive.org/web/20240526110752/https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview "Windows Sandbox - Windows Security | Microsoft Learn | learn.microsoft.com" [14]: https://web.archive.org/web/20240526095244/https://github.com/undergroundwires/privacy.sexy/issues/152 "[BUG]: Docker / wsl2 fails to start after using script · Issue #152 · undergroundwires/privacy.sexy" [15]: https://web.archive.org/web/20240526110733/https://docs.docker.com/get-started/overview/ "Docker overview | Docker Docs | docs.docker.com" [16]: https://web.archive.org/web/20240526110720/https://learn.microsoft.com/en-us/windows/wsl/about 
"What is Windows Subsystem for Linux | Microsoft Learn | learn.microsoft.com" [17]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" call: - function: DisableServiceInRegistry # We must disable it on registry level, "Access is denied" for sc config parameters: serviceName: mpsdrv # Check: (Get-Service -Name 'mpsdrv').StartType defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual - function: SoftDeleteFiles parameters: fileGlob: '%SYSTEMROOT%\System32\drivers\mpsdrv.sys' grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - function: ShowComputerRestartSuggestion - name: >- Disable "Windows Defender Firewall" service (breaks Microsoft Store, `netsh advfirewall`, winget, Windows Sandbox, Docker, WSL) docs: |- # refactor-with-variables: Same • Firewall Service Caution This script disables the **Windows Defender Firewall** service (identified as `MpsSvc` [1] [2] [3] [4]). This component acts as a gatekeeper for your computer, filtering incoming and outgoing network traffic based on established security rules [1] [5] to prevent unauthorized access [3] [4]. This service runs the firewall component of Windows [4]. It starts automatically [3] and is implemented in `%WINDIR%\System32\MPSSVC.dll` [3], a user-mode DLL loaded into a `svchost.exe` host process; the kernel-mode part of the firewall is the separate `mpsdrv.sys` driver handled by the previous script. This file is also referred to as **Microsoft Protection Service** [6]. Beyond firewall functionality, it plays an important role in **Windows Service Hardening** to protect Windows services [7] [8]. It also enforces **network isolation** in virtualized environments [7] [9]. Disabling this service can enhance privacy by reducing Microsoft's capability to monitor and analyze your network traffic.
It also improves system performance by decreasing background resource consumption. However, it may expose the system to substantial security threats [10]. This risk is partly mitigated by boot-time filters that are triggered to protect the computer during startup or when the firewall service stops unexpectedly [2]. Restart your computer after running this script to ensure all changes take effect [11]. > **Caution**: Disabling this service causes problems with software that depends on it [12] such as: > - Prevents **Microsoft Store** app downloads (error code `0x80073D0A` [7] [13]), impacting **winget** CLI functionality [14]. > - Disables **`netsh advfirewall`** commands, used for Windows Firewall management [15]. > - Disables **Windows Sandbox** [11] [16], an isolated environment for safely running applications [17]. > - Disables **Docker** [18], a platform for developing and running applications in isolated environments [19]. > - Disables **Windows Subsystem for Linux (WSL)** [18], which lets Linux programs run directly on Windows [20]. 
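The following is an added example covering both this script and the preceding `mpsdrv` one; it is not privacy.sexy's `DisableServiceInRegistry` function, whose internals are not shown on this page. Before disabling either component it lists what depends on it (the blast radius the caution above describes: Store, winget, Sandbox, Docker and WSL all sit behind `MpsSvc`), shows the start type read from the registry rather than from `sc`, and then performs the registry-level start-type change the script comment describes, with `-WhatIf` so the intended write is shown without being applied. The `Start` value encoding (0 Boot, 1 System, 2 Automatic, 3 Manual, 4 Disabled) is the documented Service Control Manager encoding that the script's "Allowed values" comment refers to. The write needs an elevated shell and, on the builds the script marks as protected, an ACL change that this example does not perform. Function names are the example's own.

```powershell
# Added example (not part of privacy.sexy): preflight for the MpsSvc / mpsdrv scripts.
# Lists what depends on each component and its start type, then changes the start type
# the way the page describes (registry "Start" value, because "sc config" is denied).
# Run elevated; use -WhatIf to see the change without applying it.

# Encoding of HKLM\SYSTEM\CurrentControlSet\Services\<name>\Start
$startTypeNames  = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$startTypeValues = @{}
foreach ($e in $startTypeNames.GetEnumerator()) { $startTypeValues[$e.Value] = $e.Key }

function Get-ServiceStartConfig {
    # Start type, image and dependency graph for a service or driver, read from the
    # registry so kernel drivers such as mpsdrv are covered the same way as services.
    param([Parameter(Mandatory)][string]$Name)
    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $key = Join-Path $servicesKey $Name
    if (-not (Test-Path $key)) { throw "Service key not found: $Name" }
    $props = Get-ItemProperty -Path $key
    # Dependents are only recorded on the dependent side, so scan every service key.
    $dependents = Get-ChildItem $servicesKey | Where-Object {
        $dep = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).DependOnService
        $dep -and ($dep -contains $Name)
    } | ForEach-Object { $_.PSChildName }
    try { $state = (Get-Service -Name $Name -ErrorAction Stop).Status } catch { $state = 'n/a' }
    [pscustomobject]@{
        Name           = $Name
        StartType      = $startTypeNames[[int]$props.Start]
        IsKernelDriver = ([int]$props.Type -band 0x1) -ne 0      # SERVICE_KERNEL_DRIVER
        ImagePath      = $props.ImagePath
        State          = $state
        DependsOn      = @($props.DependOnService)
        Dependents     = @($dependents)
    }
}

function Set-ServiceStartTypeInRegistry {
    # Writes the Start value directly. Needs an elevated shell; on builds that protect
    # the key, the ACL must be relaxed first, which this example does not do.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('Boot', 'System', 'Automatic', 'Manual', 'Disabled')]
        [string]$StartType
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $current = $startTypeNames[[int](Get-ItemProperty -Path $key -Name Start).Start]
    if ($PSCmdlet.ShouldProcess($Name, "change start type $current -> $StartType (takes effect after reboot)")) {
        Set-ItemProperty -Path $key -Name Start -Value $startTypeValues[$StartType] -Type DWord
    }
}

# Preflight: Dependents is the blast radius the caution above describes.
'mpsdrv', 'BFE', 'MpsSvc' | ForEach-Object { Get-ServiceStartConfig -Name $_ } |
    Format-List Name, StartType, IsKernelDriver, State, DependsOn, Dependents

# Dry run of what the script does; drop -WhatIf to apply.
Set-ServiceStartTypeInRegistry -Name MpsSvc -StartType Disabled -WhatIf
```

On a default install the preflight shows `MpsSvc` depending on both `mpsdrv` and `BFE`, which is why the command-line script further down fails with the "contact the Windows Defender Firewall service" error once either of these has been disabled and the machine rebooted; reverting the start type and rebooting is the recovery path the page describes.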
### Overview of default service statuses | OS Version | Status | Start type | | ---------- | -------| ---------- | | Windows 10 (≥ 22H2) | 🟢 Running | Automatic | | Windows 11 (≥ 23H2) | 🟢 Running | Automatic | [1]: https://web.archive.org/web/20231206185904/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd349801%28v=ws.10%29 "Windows Firewall Service | learn.microsoft.com" [2]: https://web.archive.org/web/20110131034058/http://blogs.technet.com:80/b/networking/archive/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy.aspx "Stopping the Windows Authenticating Firewall Service and the boot time policy - Microsoft Enterprise Networking Team - Site Home - TechNet Blogs | blogs.technet.com" [3]: https://web.archive.org/web/20231122132143/https://batcmd.com/windows/10/services/mpssvc/ "Windows Defender Firewall - Windows 10 Service - batcmd.com | batcmd.com" [4]: https://web.archive.org/web/20240406233529/https://en.wikipedia.org/wiki/Windows_Firewall "Windows Firewall - Wikipedia | wikipedia.org" [5]: https://web.archive.org/web/20240406233704/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/ "Windows Firewall overview - Windows Security | Microsoft Learn | learn.microsoft.com" [6]: https://web.archive.org/web/20231122132150/https://strontic.github.io/xcyclopedia/library/MPSSVC.dll-AA441F7C99AAACBA2538E90D7693637A.html "MPSSVC.dll | Microsoft Protection Service | STRONTIC | strontic.github.io" [7]: https://web.archive.org/web/20200620033533/https://www.walkernews.net/2012/09/23/how-to-fix-windows-store-app-update-error-code-0x80073d0a/ "How To Fix Windows Store App Update Error Code 0x80073D0A? 
– Walker News | www.walkernews.net" [8]: https://web.archive.org/web/20240406232832/https://techcommunity.microsoft.com/t5/ask-the-performance-team/ws2008-windows-service-hardening/ba-p/372702 "WS2008: Windows Service Hardening - Microsoft Community Hub | techcommunity.microsoft." [9]: https://web.archive.org/web/20240406232844/https://learn.microsoft.com/en-us/virtualization/windowscontainers/container-networking/network-isolation-security "Network isolation and security | Microsoft Learn | learn.microsoft.com" [10]: https://web.archive.org/web/20121106033255/http://technet.microsoft.com/en-us/library/cc753180.aspx "Basic Firewall Policy Design | technet.microsoft.com" [11]: https://web.archive.org/web/20240526095128/https://github.com/undergroundwires/privacy.sexy/issues/364 "[BUG]: FYI : Disable \"Windows Defender Firewall\" service also break Windows Sandbox. · Issue #364 · undergroundwires/privacy.sexy" [12]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" [13]: https://web.archive.org/web/20240406224105/https://github.com/undergroundwires/privacy.sexy/issues/104#issuecomment-962651791 "[BUG][help wanted]: Cannot enable Windows Defender · Issue #104 · undergroundwires/privacy.sexy | github.com/undergroundwires/privacy.sexy" [14]: https://web.archive.org/web/20240406223635/https://github.com/undergroundwires/privacy.sexy/issues/142 "[BUG]: \"Standard\" profile limits Winget CLI Functionality · Issue #142 · undergroundwires/privacy.sexy · GitHub | github.com" [15]: https://web.archive.org/web/20240314125017/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior "Use netsh advfirewall firewall context - Windows 
Server | Microsoft Learn | learn.microsoft.com" [16]: https://web.archive.org/web/20240526095212/https://github.com/undergroundwires/privacy.sexy/issues/115 "[BUG]: I broke my Windows Sandbox and I'd like it back · Issue #115 · undergroundwires/privacy.sexy" [17]: https://web.archive.org/web/20240526110752/https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview "Windows Sandbox - Windows Security | Microsoft Learn | learn.microsoft.com" [18]: https://web.archive.org/web/20240526095244/https://github.com/undergroundwires/privacy.sexy/issues/152 "[BUG]: Docker / wsl2 fails to start after using script · Issue #152 · undergroundwires/privacy.sexy" [19]: https://web.archive.org/web/20240526110733/https://docs.docker.com/get-started/overview/ "Docker overview | Docker Docs | docs.docker.com" [20]: https://web.archive.org/web/20240526110720/https://learn.microsoft.com/en-us/windows/wsl/about "What is Windows Subsystem for Linux | Microsoft Learn | learn.microsoft.com" call: - function: DisableServiceInRegistry # We must disable it on registry level, "Access is denied" for sc config parameters: serviceName: MpsSvc # Check: (Get-Service -Name 'MpsSvc').StartType defaultStartupMode: Automatic # Allowed values: Boot | System | Automatic | Manual - function: SoftDeleteFiles parameters: fileGlob: '%WINDIR%\System32\mpssvc.dll' grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - function: ShowComputerRestartSuggestion - name: Disable firewall via command-line utility # ❗️ Following must be enabled and in running state: # - mpsdrv ("Windows Defender Firewall Authorization Driver") # - bfe (Base Filtering Engine) # - mpssvc ("Windows Defender Firewall") # If the dependent services are not running, the script fails with: # "An error occurred while attempting to contact the "Windows Defender Firewall" service. 
Make sure that the service is running and try your request again." # Requires rebooting after reverting privacy.sexy scripts for the services mpsdrv, mpssvc docs: https://web.archive.org/web/20240314125017/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior call: function: RunPowerShell parameters: code: |- if(!(Get-Command 'netsh' -ErrorAction Ignore)) { throw '"netsh" does not exist, is system installed correctly?' } $message=netsh advfirewall set allprofiles state off 2>&1 if($?) { Write-Host "Successfully disabled firewall." } else { if($message -like '*Firewall service*') { Write-Warning 'Cannot use CLI because MpsSvc or MpsDrv is not running. Try to enable them (revert) -> reboot -> re-run this?' } else { throw "Cannot disable: $message" } } revertCode: |- if(!(Get-Command 'netsh' -ErrorAction Ignore)) { throw '"netsh" does not exist, is system installed correctly?' } $message=netsh advfirewall set allprofiles state on 2>&1 if($?) { Write-Host "Successfully enabled firewall." } else { if($message -like '*Firewall service*') { Write-Warning 'Cannot use CLI because MpsSvc or MpsDrv is not running. Try to enable them (revert) -> reboot -> re-run this?' 
} else { throw "Cannot enable: $message" } } - name: Disable Firewall via registry # Lower-level, good in case command-line utility is not available/functioning docs: - https://web.archive.org/web/20240314124804/https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpfas/2100c552-7f37-4a7f-9fa0-2a864ab87212 - https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2016-05-12/finding/V-17415 - https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2016-05-12/finding/V-17416 - https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2018-02-21/finding/V-17417 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsFirewall::WF_EnableFirewall_Name_1 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsFirewall::WF_EnableFirewall_Name_2 call: - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile valueName: EnableFirewall dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile valueName: EnableFirewall dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile valueName: EnableFirewall dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile valueName: EnableFirewall dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: RunInlineCode parameters: code: |- reg add 
"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f # "StandardProfile", "DomainProfile" and "PublicProfile" exist by default under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy, so on revert they are not deleted but set back to their default (enabled) state revertCode: |- # HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f - name: Disable "Firewall & network protection" section in "Windows Security" docs: |- This script hides the "Firewall & network protection" section in the "Windows Security" interface. Previously, this interface was called "Windows Defender Security Center" [1]. The "Firewall & network protection" section provides details about the device's firewalls and network connections [2]. It shows the status of both the Windows Defender Firewall and any other third-party firewalls [2]. After running this script, users will no longer see this section in the "Windows Security" interface [3].
This script sets the `UILockdown` value under `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection`, which corresponds to the `DisableNetworkUI` policy, to hide the Firewall and network protection area [3]. It only hides the user interface; it does not change the firewall's state. [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" [2]: https://web.archive.org/web/20231013154106/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection "Firewall and network protection in Windows Security - Windows Security | Microsoft Learn" [3]: https://web.archive.org/web/20231013154312/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disablenetworkui "WindowsDefenderSecurityCenter Policy CSP - Windows Client Management | Microsoft Learn" call: function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection valueName: UILockdown dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable Microsoft Defender Antivirus # Deprecated since Windows 10 version 1903 docs: - https://web.archive.org/web/20240314125156/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableAntiSpywareDefender call: function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender valueName: DisableAntiSpyware dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable
Defender features # Status: Get-MpPreference children: - category: Disable Defender Antivirus cloud protection service docs: https://web.archive.org/web/20240523173753/https://learn.microsoft.com/en-us/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus?view=o365-worldwide # Formerly known as: Microsoft MAPS (Microsoft Active Protection Service), Microsoft SpyNet children: - category: Disable Defender cloud protection features children: - name: Disable block at first sight docs: # What is block at first sight? How does it work? How to turn on/off? - https://web.archive.org/web/20240314123430/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?view=o365-worldwide # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps call: - function: SetMpPreference parameters: property: DisableBlockAtFirstSeen # Status: Get-MpPreference | Select-Object -Property DisableBlockAtFirstSeen value: $True # Set: Set-MpPreference -Force -DisableBlockAtFirstSeen $True default: $False # Default: False (Enabled) | Remove-MpPreference -Force -DisableBlockAtFirstSeen | Set-MpPreference -Force -DisableBlockAtFirstSeen $False - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet valueName: DisableBlockAtFirstSeen dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Maximize time for extended cloud check timeout # Requires "Block at First Sight", "Join Microsoft MAPS", "Send file samples when further analysis is required" docs: - https://web.archive.org/web/20240314122554/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#cloudextendedtimeout - 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::MpEngine_MpBafsExtendedTimeout call: function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine valueName: MpBafsExtendedTimeout dataType: REG_DWORD data: "50" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Minimize cloud protection level # Requires "Join Microsoft MAPS" docs: - https://web.archive.org/web/20240314122554/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#cloudblocklevel - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::MpEngine_MpCloudBlockLevel call: function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine valueName: MpCloudBlockLevel dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable notifications to turn off security intelligence # Requires "Join Microsoft MAPS" docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_SignatureDisableNotification call: function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates valueName: SignatureDisableNotification dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable Defender cloud export for analysis children: - name: Disable Microsoft Defender SpyNet reporting recommend: strict docs: - https://www.stigviewer.com/stig/windows_7/2012-07-02/finding/V-15713 # Manage with registry policy - https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting # Managing with MDM policy - 
https://web.archive.org/web/20240314122554/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#allowcloudprotection # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#mapsreporting call: # 0: Disabled, 1: Basic, 2: Advanced (default) - function: SetMpPreference parameters: property: MAPSReporting # Status: Get-MpPreference | Select-Object -Property MAPSReporting value: "'0'" # Set: Set-MpPreference -Force -MAPSReporting 0 default: "'2'" # Default: 2 (Advanced) | Remove-MpPreference -Force -MAPSReporting | Set-MpPreference -Force -MAPSReporting 2 - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet valueName: SpynetReporting dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable sending file samples for further analysis recommend: strict docs: - https://web.archive.org/web/20240314122554/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#submitsamplesconsent - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SubmitSamplesConsent # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#submitsamplesconsent call: # 0 = 'Always Prompt', 1 = 'Send safe samples automatically' (default), 2 = 'Never send', 3 = 'Send all samples automatically' - function: SetMpPreference parameters: property: SubmitSamplesConsent # Status: 
Get-MpPreference | Select-Object -Property SubmitSamplesConsent value: "'2'" # Set: Set-MpPreference -Force -SubmitSamplesConsent 2 default: "'1'" # Default: 1 (Send safe samples automatically) | Remove-MpPreference -Force -SubmitSamplesConsent | Set-MpPreference -Force -SubmitSamplesConsent 1 setDefaultOnWindows11: 'true' # `Remove-MpPreference` sets it to 0 instead 1 (OS default) in Windows 11 - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet valueName: SubmitSamplesConsent dataType: REG_DWORD data: "2" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable "Malicious Software Reporting" tool diagnostic data recommend: strict docs: |- This script disables the diagnostic data sent by Microsoft's Malicious Software Removal Tool (MSRT) [1]. Starting from its version 5.39 in August 2016, MSRT was observed to transmit a "Heartbeat Report" to Microsoft every time it operated [2]. This happens even when the Customer Experience Improvement Program (CEIP) is turned off, and even if "DiagTrack" is not installed on the computer [2]. Such a report can be confirmed by viewing the MRT log located at `%windir%\debug\mrt.log` [2]. This script enhances user privacy by setting a specific system key, `HKLM\SOFTWARE\Policies\Microsoft\MRT!DontReportInfectionInformation`, to halt this data sharing with Microsoft [1] [2]. 
[1]: https://web.archive.org/web/20231009135123/https://admx.help/?Category=Windows10_Telemetry&Policy=Microsoft.Policies.Win10Privacy::DontReportInfection "Disable Malicious Software Reporting tool diagnostic data | admx.help" [2]: https://web.archive.org/web/20231009134353/https://www.askwoody.com/2016/telemetry-from-the-malicious-software-removal-tool/ "Telemetry from the Malicious Software Removal Tool @ AskWoody" call: function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\MRT valueName: DontReportInfectionInformation dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable uploading files for threat analysis in real-time # Requires "Join Microsoft MAPS" recommend: strict docs: https://web.archive.org/web/20231206191442/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_RealtimeSignatureDelivery call: function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates valueName: RealtimeSignatureDelivery dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable Potentially Unwanted Application (PUA) feature # Already disabled as default docs: - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75147 - https://web.archive.org/web/20240314124740/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus?view=o365-worldwide - https://web.archive.org/web/20160410000519/https://blogs.technet.microsoft.com/mmpc/2015/11/25/shields-up-on-potentially-unwanted-applications-in-your-enterprise/ - https://admx.help/?Category=security-compliance-toolkit&Policy=Microsoft.Policies.SecGuide::Pol_SecGuide_0101_WDPUA - 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Root_PUAProtection # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps call: - function: SetMpPreference parameters: # 0 = 'Disabled' (default), 1 = 'Enabled', 2 = 'AuditMode' property: PUAProtection # Status: Get-MpPreference | Select-Object -Property PUAProtection value: "'0'" # Set: Set-MpPreference -Force -PUAProtection 0 default: "'0'" # Default: 0 (Disabled) | Remove-MpPreference -Force -PUAProtection | Set-MpPreference -Force -PUAProtection 0 - function: SetRegistryValue # For legacy versions: Windows 10 v1809 and Windows Server 2019 parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine valueName: MpEnablePus dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue # For newer Windows versions parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender valueName: PUAProtection dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable tamper protection # Added in Windows 10, version 1903 docs: - https://www.thewindowsclub.com/how-to-enable-tamper-protection-in-windows-10 - https://web.archive.org/web/20240314124546/https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configurationtamperprotection call: - function: RunInlineCodeAsTrustedInstaller # Otherwise we get "ERROR: Access is denied." (>= 20H2) # ❌ Fails with "ERROR: Access is denied." 
in Windows 11 21H2 | ✅ Works in Windows 10 >= 20H2 parameters: code: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "4" /f revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /f 2>nul - function: RunInlineCodeAsTrustedInstaller # Otherwise we get "ERROR: Access is denied." (>= 20H2) parameters: code: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t REG_DWORD /d "2" /f revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /f 2>nul - name: Disable file hash computation feature # Added in Windows 10, version 2004 docs: - https://web.archive.org/web/20240314124546/https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configuration-enablefilehashcomputation - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::MpEngine_EnableFileHashComputation - https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-windows-10-and-windows-server-version/ba-p/1543631 call: function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine valueName: EnableFileHashComputation dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable "Windows Defender Exploit Guard" docs: https://web.archive.org/web/20231020130741/https://www.microsoft.com/en-us/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ children: - name: Disable prevention of users and apps from accessing dangerous websites docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_EnableNetworkProtection call: function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows 
Defender\Windows Defender Exploit Guard\Network Protection valueName: EnableNetworkProtection dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable controlled folder access docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess - https://web.archive.org/web/20240314124339/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-controlled-folders?view=o365-worldwide call: function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access valueName: EnableControlledFolderAccess dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable network inspection system features children: - name: Disable protocol recognition docs: - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2019-12-12/finding/V-75209 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_DisableProtocolRecognition call: function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\NIS valueName: DisableProtocolRecognition dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable definition retirement docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_Consumers_IPS_DisableSignatureRetirement call: function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS valueName: DisableSignatureRetirement dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: 
Minimize rate of detection events docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_Consumers_IPS_ThrottleDetectionEventsRate call: function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS valueName: ThrottleDetectionEventsRate dataType: REG_DWORD data: "10000000" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable real-time protection children: - name: Disable real-time monitoring docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableRealtimeMonitoring - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75227 # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablerealtimemonitoring call: # Enabled by default (DisableRealtimeMonitoring is false) - function: SetMpPreference parameters: property: DisableRealtimeMonitoring # Status: Get-MpPreference | Select-Object -Property DisableRealtimeMonitoring value: $True # Set: Set-MpPreference -Force -DisableRealtimeMonitoring $True # ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected default: $False # Default: False (Enabled) | Remove-MpPreference -Force -DisableRealtimeMonitoring | Set-MpPreference -Force -DisableRealtimeMonitoring $False - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection valueName: DisableRealtimeMonitoring dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable intrusion prevention system (IPS) 
docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableIntrusionPreventionSystem # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableintrusionpreventionsystem call: - function: SetMpPreference parameters: property: DisableIntrusionPreventionSystem # Status: Get-MpPreference | Select-Object -Property DisableIntrusionPreventionSystem value: $True # Set: Set-MpPreference -Force -DisableIntrusionPreventionSystem $True # ❌ Windows 11 and Windows 10: Does not fail but does not change the value default: $False # Default: empty (no value) | Remove-MpPreference -Force -DisableIntrusionPreventionSystem | Set-MpPreference -Force -DisableIntrusionPreventionSystem $False # ❗️ Default is empty (no value), but cannot set this way using Set-MpPreference, so $False is set - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection valueName: DisableIntrusionPreventionSystem dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable Information Protection Control (IPC) docs: https://web.archive.org/web/20231207105520/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableInformationProtectionControl call: function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection valueName: DisableInformationProtectionControl dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable Defender monitoring of behavior 
children: - name: Disable behavior monitoring docs: - https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75229 # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablebehaviormonitoring call: - function: SetMpPreference parameters: property: DisableBehaviorMonitoring # Status: Get-MpPreference | Select-Object -Property DisableBehaviorMonitoring value: $True # Set: Set-MpPreference -Force -DisableBehaviorMonitoring $True # ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected default: $False # Default: False | Remove-MpPreference -Force -DisableBehaviorMonitoring | Set-MpPreference -Force -DisableBehaviorMonitoring $False - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection valueName: DisableBehaviorMonitoring dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable sending raw write notifications to behavior monitoring docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableRawWriteNotification call: function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection valueName: DisableRawWriteNotification dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable monitoring of downloads and attachments in Defender children: - name: Disable scanning of all downloaded files and attachments docs: - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75225 # 
Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableioavprotection call: - function: SetMpPreference parameters: property: DisableIOAVProtection # Status: Get-MpPreference | Select-Object -Property DisableIOAVProtection value: $True # Set: Set-MpPreference -Force -DisableIOAVProtection $True # ❌ Windows 11: Does not fail but does not change the value | ✅ Windows 10: Works as expected default: $False # Default: False | Remove-MpPreference -Force -DisableIOAVProtection | Set-MpPreference -Force -DisableIOAVProtection $False - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection valueName: DisableIOAVProtection dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable scanning files larger than 1 KB (minimum possible) docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_IOAVMaxSize call: function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection valueName: IOAVMaxSize dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable Defender monitoring of file and program activity children: - name: Disable file and program activity monitoring docs: - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75223 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableOnAccessProtection call: function: SetRegistryValue parameters: keyPath: 
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection valueName: DisableWindowsSpotlightFeatures dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable bidirectional scan for incoming and outgoing file and program activities docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_RealtimeScanDirection # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#realtimescandirection call: # 0='Both': bi-directional (full on-access, default) # 1='Incoming': scan only incoming (disable on-open) # 2='Outcoming': scan only outgoing (disable on-close) - function: SetMpPreference parameters: property: RealTimeScanDirection # Status: Get-MpPreference | Select-Object -Property RealTimeScanDirection value: "'1'" # Set: Set-MpPreference -Force -RealTimeScanDirection 1 default: "'0'" # Default: 0 (Both) | Remove-MpPreference -Force -RealTimeScanDirection | Set-MpPreference -Force -RealTimeScanDirection 0 - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection valueName: RealTimeScanDirection dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable real-time protection process scanning docs: - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75231 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableScanOnRealtimeEnable call: function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows 
Defender\Real-Time Protection valueName: DisableScanOnRealtimeEnable dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable Defender remediation children: - name: Disable routine remediation docs: - https://web.archive.org/web/20240314124159/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#disableroutinelytakingaction - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableRoutinelyTakingAction call: function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender valueName: DisableRoutinelyTakingAction dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable running scheduled auto-remediation docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Remediation_Scan_ScheduleDay # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#remediationscheduleday call: # 0: 'Every Day' (default), 1: 'Sunday'..., 7: 'Saturday', 8: 'Never' - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Remediation valueName: Scan_ScheduleDay dataType: REG_DWORD data: "8" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetMpPreference parameters: property: RemediationScheduleDay # Status: Get-MpPreference | Select-Object -Property RemediationScheduleDay value: "'8'" # Set: Set-MpPreference -Force -RemediationScheduleDay 8 default: "'0'" # Default: 0 | Remove-MpPreference -Force 
-RemediationScheduleDay | Set-MpPreference -Force -RemediationScheduleDay 0 - name: Disable remediation actions docs: - https://web.archive.org/web/20240314124221/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Threats_ThreatSeverityDefaultAction # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps # None = 0 (default), Clean = 1, Quarantine = 2, Remove = 3, Allow = 6, UserDefined = 8, NoAction = 9, Block = 10 call: # Not using ThreatIdDefaultAction as it requires known threat IDs - function: SetMpPreference # https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#unknownthreatdefaultaction parameters: property: UnknownThreatDefaultAction # Status: Get-MpPreference | Select-Object -Property UnknownThreatDefaultAction # Setting or removing `UnknownThreatDefaultAction` has same affect for (sets also same value): # `LowThreatDefaultAction`, `ModerateThreatDefaultAction`, `HighThreatDefaultAction`, `SevereThreatDefaultAction`. # E.g. if it's set to 8, all others will also be set to 8, and once it's removed, all others get also removed. 
# Those properties cannot have different values than `UnknownThreatDefaultAction`, so we only set `UnknownThreatDefaultAction` value: "'9'" # Set: Set-MpPreference -Force -UnknownThreatDefaultAction 9 # Default: 0 (none) # Setting default is not needed because `Remove-MpPreference -Force -UnknownThreatDefaultAction` # works on both Windows 10 and Windows 11 - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats valueName: Threats_ThreatSeverityDefaultAction dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction valueName: "5" dataType: REG_SZ data: "9" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction valueName: "4" dataType: REG_SZ data: "9" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction valueName: "3" dataType: REG_SZ data: "9" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction valueName: "2" dataType: REG_SZ data: "9" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction valueName: "1" dataType: REG_SZ data: "9" deleteOnRevert: 'true' # Missing by default since 
Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Enable automatically purging items from quarantine folder docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Quarantine_PurgeItemsAfterDelay # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#quarantinepurgeitemsafterdelay call: # Values: # Default: 90 on both Windows 10 21H1 and Windows 11 21H2 # Minimum: 1 # 0 means indefinitely - function: SetMpPreference parameters: property: QuarantinePurgeItemsAfterDelay # Status: Get-MpPreference | Select-Object -Property QuarantinePurgeItemsAfterDelay value: "'1'" # Set: Set-MpPreference -Force -QuarantinePurgeItemsAfterDelay 1 default: "'90'" # Default: 90 | Remove-MpPreference -Force -QuarantinePurgeItemsAfterDelay | Set-MpPreference -Force -QuarantinePurgeItemsAfterDelay 90 setDefaultOnWindows11: 'true' # `Remove-MpPreference` sets it to 0 instead 90 (OS default) in Windows 11 - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Quarantine valueName: PurgeItemsAfterDelay dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable always running antimalware service docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ServiceKeepAlive call: function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender valueName: ServiceKeepAlive dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) # - # Too good to disable # category: Disable Microsoft Defender "Device Guard" and "Credential Guard" # 
docs: https://techcommunity.microsoft.com/t5/iis-support-blog/windows-10-device-guard-and-credential-guard-demystified/ba-p/376419 # children: # - # name: Disable LSA protection (disabled by default) # docs: # - https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection # - https://itm4n.github.io/lsass-runasppl/ # - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-deviceguard-unattend-lsacfgflags # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage#disable-windows-defender-credential-guard # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool # call: # - # function: SetRegistryValue # parameters: # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\Lsa # valueName: LsaCfgFlags # dataType: REG_DWORD # data: '0' # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) # - # function: SetRegistryValue # parameters: # keyPath: HKLM\Software\Policies\Microsoft\Windows\DeviceGuard # valueName: LsaCfgFlags # dataType: REG_DWORD # data: '0' # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) # - # name: Disable virtualization-based security (disabled by default) # docs: # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage#disable-windows-defender-credential-guard # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool # - https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity # call: # # Virtualization features # - # function: SetRegistryValue # parameters: # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard # valueName: 
EnableVirtualizationBasedSecurity # dataType: REG_DWORD # data: '0' # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) # - # function: SetRegistryValue # parameters: # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard # valueName: RequirePlatformSecurityFeatures # dataType: REG_DWORD # data: '0' # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) # # Lock: # - # function: SetRegistryValue # parameters: # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard # valueName: Locked # dataType: REG_DWORD # data: '0' # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) # - # function: SetRegistryValue # parameters: # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard # valueName: NoLock # dataType: REG_DWORD # data: '1' # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) # # HypervisorEnforcedCodeIntegrity: # - # function: SetRegistryValue # parameters: # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard # valueName: HypervisorEnforcedCodeIntegrity # dataType: REG_DWORD # data: '0' # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) # - # function: SetRegistryValue # parameters: # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity # valueName: Enabled # dataType: REG_DWORD # data: '0' # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) # - # function: SetRegistryValue # parameters: # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity # valueName: Locked # dataType: REG_DWORD # data: '0' # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) # - # name: Disable System Guard Secure Launch # 
docs: # - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection # - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard#deviceguard-configuresystemguardlaunch # call: # - # function: SetRegistryValue # parameters: # keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard # valueName: ConfigureSystemGuardLaunch # dataType: REG_DWORD # data: '2' # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) # - # function: SetRegistryValue # parameters: # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard # valueName: Enabled # dataType: REG_DWORD # data: '0' # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) # - # name: Disable Windows Defender Application Control Code Integrity Policy # docs: # - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Windows.DeviceGuard::ConfigCIPolicy # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool # call: # - # function: SetRegistryValue # parameters: # keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard # valueName: DeployConfigCIPolicy # dataType: REG_DWORD # data: '0' # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) # - # function: DeleteFiles # parameters: # fileGlob: '%WINDIR%\System32\CodeIntegrity\SIPolicy.p7b' - name: Disable auto-exclusions docs: - https://web.archive.org/web/20231027190409/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus?view=o365-worldwide - https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75159 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableAutoExclusions # 
Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableautoexclusions call: - function: SetMpPreference parameters: property: DisableAutoExclusions # Status: Get-MpPreference | Select-Object -Property DisableAutoExclusions value: $True # Set: Set-MpPreference -Force -DisableAutoExclusions $True default: $False # Default: False | Remove-MpPreference -Force -DisableAutoExclusions | Set-MpPreference -Force -DisableAutoExclusions $False setDefaultOnWindows11: 'true' # `Remove-MpPreference` has no affect (does not change the value) in Windows 11 - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions valueName: DisableAutoExclusions dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable Defender scans children: - category: Disable scan actions children: - name: Disable signature verification before scanning # Default configuration docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::CheckForSignaturesBeforeRunningScan # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#checkforsignaturesbeforerunningscan call: - function: SetMpPreference parameters: property: CheckForSignaturesBeforeRunningScan # Status: Get-MpPreference | Select-Object -Property CheckForSignaturesBeforeRunningScan value: $False # Set: Set-MpPreference -Force -CheckForSignaturesBeforeRunningScan $False 
default: $False # Default: False | Remove-MpPreference -Force -CheckForSignaturesBeforeRunningScan | Set-MpPreference -Force -CheckForSignaturesBeforeRunningScan $False - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan valueName: CheckForSignaturesBeforeRunningScan dataType: REG_DWORD data: '0' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable creation of daily system restore points # Default behavior docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableRestorePoint # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablerestorepoint call: - function: SetMpPreference parameters: property: DisableRestorePoint # Status: Get-MpPreference | Select-Object -Property DisableRestorePoint value: $True # Set: Set-MpPreference -Force -DisableRestorePoint $True default: $True # Default: True | Remove-MpPreference -Force -DisableRestorePoint | Set-MpPreference -Force -DisableRestorePoint $True - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan valueName: DisableRestorePoint dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Minimize retention time for files in scan history docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_PurgeItemsAfterDelay # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - 
https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanpurgeitemsafterdelay call: # Default is 15, minimum is 0 which means never removing items - function: SetMpPreference parameters: property: ScanPurgeItemsAfterDelay # Status: Get-MpPreference | Select-Object -Property ScanPurgeItemsAfterDelay value: "'1'" # Set: Set-MpPreference -Force -ScanPurgeItemsAfterDelay 1 default: "'15'" # Default: 15 | Remove-MpPreference -Force -ScanPurgeItemsAfterDelay | Set-MpPreference -Force -ScanPurgeItemsAfterDelay 15 - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan valueName: PurgeItemsAfterDelay dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable catch-up scans children: - name: Maximize days until mandatory catch-up scan docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_MissedScheduledScanCountBeforeCatchup # Default and minimum is 2, maximum is 20 call: function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan valueName: MissedScheduledScanCountBeforeCatchup dataType: REG_DWORD data: '20' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable catch-up full scans # Disabled by default docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableCatchupFullScan # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablecatchupfullscan call: - function: SetMpPreference parameters: property: 
DisableCatchupFullScan # Status: Get-MpPreference | Select-Object -Property DisableCatchupFullScan value: $True # Set: Set-MpPreference -Force -DisableCatchupFullScan $True default: $True # Default: True | Remove-MpPreference -Force -DisableCatchupFullScan | Set-MpPreference -Force -DisableCatchupFullScan $True - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan valueName: DisableCatchupFullScan dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable catch-up quick scans docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableCatchupQuickScan # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablecatchupquickscan call: - function: SetMpPreference parameters: property: DisableCatchupQuickScan # Status: Get-MpPreference | Select-Object -Property DisableCatchupQuickScan value: $True # Set: Set-MpPreference -Force -DisableCatchupQuickScan $True default: $True # Default: True | Remove-MpPreference -Force -DisableCatchupQuickScan | Set-MpPreference -Force -DisableCatchupQuickScan $True - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan valueName: DisableCatchupQuickScan dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable Defender scan options children: - name: Disable scan heuristics docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableHeuristics call: function: SetRegistryValue parameters: keyPath: 
HKLM\Software\Policies\Microsoft\Windows Defender\Scan valueName: DisableHeuristics dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Minimize CPU usage during scans children: - name: Minimize CPU usage during scans docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_AvgCPULoadFactor # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanavgcpuloadfactor call: # Default: 50, minimum 1 - function: SetMpPreference parameters: property: ScanAvgCPULoadFactor # Status: Get-MpPreference | Select-Object -Property ScanAvgCPULoadFactor value: "'1'" # Set: Set-MpPreference -Force -ScanAvgCPULoadFactor 1 default: "'50'" # Default 50 | Remove-MpPreference -Force -ScanAvgCPULoadFactor | Set-MpPreference -Force -ScanAvgCPULoadFactor 50 - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan valueName: AvgCPULoadFactor dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Minimize CPU usage during idle scans docs: # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps call: - function: SetMpPreference parameters: property: DisableCpuThrottleOnIdleScans # Status: Get-MpPreference | Select-Object -Property DisableCpuThrottleOnIdleScans value: $False # Set: Set-MpPreference -Force -DisableCpuThrottleOnIdleScans $False default: $True # Default: $True | Remove-MpPreference -Force -DisableCpuThrottleOnIdleScans | Set-MpPreference 
-Force -DisableCpuThrottleOnIdleScans $True - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan valueName: DisableCpuThrottleOnIdleScans dataType: REG_DWORD data: '0' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable scanning when not idle # Default OS setting docs: - https://web.archive.org/web/20231206191436/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScanOnlyIfIdle # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanonlyifidleenabled call: - function: SetMpPreference parameters: property: ScanOnlyIfIdleEnabled # Status: Get-MpPreference | Select-Object -Property ScanOnlyIfIdleEnabled value: $True # Set: Set-MpPreference -Force -ScanOnlyIfIdleEnabled $True default: $True # Default: True | Remove-MpPreference -Force -ScanOnlyIfIdleEnabled | Set-MpPreference -Force -ScanOnlyIfIdleEnabled $True - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan valueName: ScanOnlyIfIdle dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable scheduled anti-malware scanner (MRT) docs: |- This script disables the scheduled scans by the Malicious Software Removal Tool (MSRT) provided by Microsoft. Starting from version 5.39 in August 2016, MSRT sends a "Heartbeat Report" to Microsoft every time it runs [1]. This behavior occurs even if certain user preferences like the Customer Experience Improvement Program (CEIP) are turned off or if "DiagTrack" is not on the computer [1]. 
A record of this "Successfully Submitted Heartbeat Report" can be checked in the MRT log, found at `%windir%\debug\mrt.log` [1]. By using this script, users enhance their privacy by preventing such automatic data transmissions to Microsoft. [1]: https://web.archive.org/web/20231009134353/https://www.askwoody.com/2016/telemetry-from-the-malicious-software-removal-tool/ "Telemetry from the Malicious Software Removal Tool @ AskWoody" call: function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\MRT valueName: DontOfferThroughWUAU dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Minimize scanned areas children: - name: Disable e-mail scanning # Disabled by default docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableEmailScanning # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableemailscanning call: - function: SetMpPreference parameters: property: DisableEmailScanning # Status: Get-MpPreference | Select-Object -Property DisableEmailScanning value: $True # Set: Set-MpPreference -Force -DisableEmailScanning $False default: $True # Default: True | Remove-MpPreference -Force -DisableEmailScanning | Set-MpPreference -Force -DisableEmailScanning $True - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan valueName: DisableEmailScanning dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable script scanning docs: # Managing with MpPreference module: - 
https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescriptscanning call: function: SetMpPreference parameters: property: DisableScriptScanning # Status: Get-MpPreference | Select-Object -Property DisableScriptScanning value: $True # Set: Set-MpPreference -Force -DisableScriptScanning $True # ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected default: $False # Default: False | Remove-MpPreference -Force -DisableScriptScanning | Set-MpPreference -Force -DisableScriptScanning $False - name: Disable reparse point scanning docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableReparsePointScanning call: function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan valueName: DisableReparsePointScanning dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable scanning mapped network drives during full scan docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableScanningMappedNetworkDrivesForFullScan # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescanningmappednetworkdrivesforfullscan call: - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan valueName: DisableScanningMappedNetworkDrivesForFullScan dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default 
since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetMpPreference parameters: property: DisableScanningMappedNetworkDrivesForFullScan # Status: Get-MpPreference | Select-Object -Property DisableScanningMappedNetworkDrivesForFullScan value: $True # Set: Set-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan $False default: $True # Default: True | Remove-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan | Set-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan $True - name: Disable network file scanning docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableScanningNetworkFiles # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescanningnetworkfiles call: - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan valueName: DisableScanningNetworkFiles dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetMpPreference parameters: property: DisableScanningNetworkFiles # Status: Get-MpPreference | Select-Object -Property DisableScanningNetworkFiles value: $True # Set: Set-MpPreference -Force -DisableScanningNetworkFiles $True default: $False # Default: False | Remove-MpPreference -Force -DisableScanningNetworkFiles | Set-MpPreference -Force -DisableScanningNetworkFiles $False - name: Disable scanning packed executables docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisablePackedExeScanning call: function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan valueName: 
DisablePackedExeScanning dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable scanning archive files children: - name: Disable scanning archive files docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableArchiveScanning # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablearchivescanning call: - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan valueName: DisableArchiveScanning dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetMpPreference parameters: property: DisableArchiveScanning # Status: Get-MpPreference | Select-Object -Property DisableArchiveScanning value: $True # Set: Set-MpPreference -Force -DisableArchiveScanning $True default: $False # Default: False | Remove-MpPreference -Force -DisableArchiveScanning | Set-MpPreference -Force -DisableArchiveScanning $False - name: Minimize scanning depth of archive files docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ArchiveMaxDepth call: function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan valueName: ArchiveMaxDepth dataType: REG_DWORD data: '0' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Minimize file size for scanning archive files docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ArchiveMaxSize call: function: SetRegistryValue parameters: keyPath: 
HKLM\Software\Policies\Microsoft\Windows Defender\Scan valueName: ArchiveMaxSize dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable scanning removable drives docs: # Disabled by default - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableRemovableDriveScanning # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablearchivescanningDisableRemovableDriveScanning call: - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan valueName: DisableRemovableDriveScanning dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetMpPreference parameters: property: DisableRemovableDriveScanning # Status: Get-MpPreference | Select-Object -Property DisableRemovableDriveScanning value: $True # Set: Set-MpPreference -Force -DisableRemovableDriveScanning $False default: $True # Default: True | Remove-MpPreference -Force -DisableRemovableDriveScanning | Set-MpPreference -Force -DisableRemovableDriveScanning $True - category: Disable auto-scans children: - name: Disable scheduled scans docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScheduleDay - https://web.archive.org/web/20240314122526/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-scan-scheduleday # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - 
https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanscheduleday call: # Options are: # 0 = 'Every Day' (default), 1 = 'Sunday', 2 = 'Monday', 3 = 'Tuesday', 4 = 'Wednesday', # 5 = 'Thursday', 6 = 'Friday', 7 = 'Saturday', 8 = 'Never' - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan valueName: ScheduleDay dataType: REG_DWORD data: '8' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetMpPreference parameters: property: ScanScheduleDay # Status: Get-MpPreference | Select-Object -Property ScanScheduleDay value: "'8'" # Set: Set-MpPreference -Force -ScanScheduleDay '8' default: "'0'" # Default: 0 (Every Day) | Remove-MpPreference -Force -ScanScheduleDay | Set-MpPreference -Force -ScanScheduleDay '0' - name: Disable randomizing scheduled task times docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RandomizeScheduleTaskTimes # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#randomizescheduletasktimes call: - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender valueName: RandomizeScheduleTaskTimes dataType: REG_DWORD data: '0' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetMpPreference parameters: property: RandomizeScheduleTaskTimes # Status: Get-MpPreference | Select-Object -Property RandomizeScheduleTaskTimes value: $False # Set: Set-MpPreference -Force -RandomizeScheduleTaskTimes $False default: $True # Default: True | Remove-MpPreference -Force 
-RandomizeScheduleTaskTimes | Set-MpPreference -Force -RandomizeScheduleTaskTimes $True - name: Disable scheduled full-scans docs: - https://web.archive.org/web/20240314122452/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-scan-scanparameters - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScanParameters # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanparameters call: # Options: 1 = 'Quick Scan' (default), 2 = 'Full Scan' - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan valueName: ScanParameters dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetMpPreference parameters: property: ScanParameters # Status: Get-MpPreference | Select-Object -Property ScanParameters value: "'1'" # Set: Set-MpPreference -Force -ScanParameters '1' default: "'1'" # Default: 1 | Remove-MpPreference -Force -ScanParameters | Set-MpPreference -Force -ScanParameters '1' setDefaultOnWindows11: 'true' # ❌ Remove-MpPreference with -ScanParameters fails due to a buggy behavior where it tries to set it to True on Windows 11 - name: Minimize daily quick scan frequency docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_QuickScanInterval call: function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan valueName: QuickScanInterval dataType: REG_DWORD data: '24' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable scanning after 
security intelligence (signature) update docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableScanOnUpdate call: function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates valueName: DisableScanOnUpdate dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable Defender updates children: - category: Disable Defender Security Intelligence (signature) updates children: - name: Disable forced security intelligence (signature) updates from Microsoft Update docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ForceUpdateFromMU call: function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates valueName: ForceUpdateFromMU dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable security intelligence (signature) updates when running on battery power docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableScheduledSignatureUpdateonBattery call: function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates valueName: DisableScheduledSignatureUpdateOnBattery dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable startup check for latest virus and spyware security intelligence (signature) docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_UpdateOnStartup call: function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates valueName: UpdateOnStartUp 
                      dataType: REG_DWORD
                      data: '1'
                      deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                - name: Disable catch-up security intelligence (signature) updates # default is one day
                  docs:
                    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_SignatureUpdateCatchupInterval
                    # Managing with MpPreference module:
                    - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
                    - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signatureupdatecatchupinterval
                  call:
                    # Options: 0 = no catch-up; 1 = 1 day; 2 = 2 days, etc.
                    - function: SetRegistryValue
                      parameters:
                        keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates
                        valueName: SignatureUpdateCatchupInterval
                        dataType: REG_DWORD
                        data: '0'
                        deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                    - function: SetMpPreference
                      parameters:
                        property: SignatureUpdateCatchupInterval # Status: Get-MpPreference | Select-Object -Property SignatureUpdateCatchupInterval
                        value: "'0'" # Set: Set-MpPreference -Force -SignatureUpdateCatchupInterval '0'
                        default: "'1'" # Default: 1 | Remove-MpPreference -Force -SignatureUpdateCatchupInterval | Set-MpPreference -Force -SignatureUpdateCatchupInterval '1'
                - name: Minimize spyware security intelligence (signature) updates
                  # default is one day, recommended is 7 days
                  # Maximize period when spyware security intelligence (signature) is considered up-to-date
                  docs:
                    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ASSignatureDue
                    - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75241
                  call:
                    function: SetRegistryValue
                    parameters:
                      keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates
                      valueName: ASSignatureDue
                      dataType: REG_DWORD
                      data: '4294967295'
                      deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                - name: Minimize virus security intelligence (signature) updates
                  # default is one day, recommended is 7 days
                  # Maximize period when virus security intelligence (signature) is considered up-to-date
                  docs:
                    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_AVSignatureDue
                    - https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75243
                  call:
                    function: SetRegistryValue
                    parameters:
                      keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates
                      valueName: AVSignatureDue
                      dataType: REG_DWORD
                      data: '4294967295'
                      deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                - name: Disable security intelligence (signature) update on startup
                  docs:
                    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableUpdateOnStartupWithoutEngine
                    # Managing with MpPreference module:
                    - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
                    - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signaturedisableupdateonstartupwithoutengine
                  call:
                    - function: SetRegistryValue
                      parameters:
                        keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates
                        valueName: DisableUpdateOnStartupWithoutEngine
                        dataType: REG_DWORD
                        data: '1'
                        deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                    - function: SetMpPreference
                      parameters:
                        property: SignatureDisableUpdateOnStartupWithoutEngine # Status: Get-MpPreference | Select-Object -Property SignatureDisableUpdateOnStartupWithoutEngine
                        value: $True # Set: Set-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine $True
                        default: $False # Default: False | Remove-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine | Set-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine $False
                - name: Disable automatic checks for security intelligence (signature) updates
                  # Already disabled by default
                  docs:
                    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ScheduleDay
                    # Managing with MpPreference module:
                    - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
                    - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signaturescheduleday
                  call:
                    # Options:
                    # 0 = 'Every Day', 1 = 'Sunday', 2 = 'Monday', 3 = 'Tuesday', 4 = 'Wednesday'
                    # 5 = 'Thursday', 6 = 'Friday', 7 = 'Saturday', 8 = 'Never' (Default)
                    - function: SetRegistryValue
                      parameters:
                        keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates
                        valueName: ScheduleDay
                        dataType: REG_DWORD
                        data: '8'
                        deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                    - function: SetMpPreference
                      parameters:
                        property: SignatureScheduleDay # Status: Get-MpPreference | Select-Object -Property SignatureScheduleDay
                        value: "'8'" # Set: Set-MpPreference -Force -SignatureScheduleDay '8'
                        default: "'8'" # Default: 8 (Never) | Remove-MpPreference -Force -SignatureScheduleDay | Set-MpPreference -Force -SignatureScheduleDay '8'
                - name: Minimize checks for security intelligence (signature) updates
                  docs:
                    - https://web.archive.org/web/20240314122335/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-signatureupdateinterval
                    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_SignatureUpdateInterval
                    # Managing with MpPreference module:
                    - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
                    - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signatureupdateinterval
                  call:
                    # Valid values range from 1 (every hour) to 24 (once per day).
                    # If not specified (0), Microsoft Defender checks at its default interval.
                    - function: SetRegistryValue
                      parameters:
                        keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates
                        valueName: SignatureUpdateInterval
                        dataType: REG_DWORD
                        data: '24'
                        deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                    - function: SetMpPreference
                      parameters:
                        property: SignatureUpdateInterval # Status: Get-MpPreference | Select-Object -Property SignatureUpdateInterval
                        value: "'24'" # Set: Set-MpPreference -Force -SignatureUpdateInterval '24'
                        default: "'0'" # Default: 0 | Remove-MpPreference -Force -SignatureUpdateInterval | Set-MpPreference -Force -SignatureUpdateInterval '0'
            - category: Disable alternate definition updates
              children:
                - name: Disable definition updates via WSUS and Microsoft Malware Protection Center
                  docs: https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::CheckAlternateHttpLocation
                  call:
                    function: SetRegistryValue
                    parameters:
                      keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates
                      valueName: CheckAlternateHttpLocation
                      dataType: REG_DWORD
                      data: '0'
                      deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                - name: Disable definition updates through both WSUS and Windows Update
                  docs: https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::CheckAlternateDownloadLocation
                  call:
                    function: SetRegistryValue
                    parameters:
                      keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates
                      valueName: CheckAlternateDownloadLocation
                      dataType: REG_DWORD
                      data: '0'
                      deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
            - name: Minimize Defender updates to completed gradual release cycles
              docs:
                # Managing with MpPreference module:
                - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
              call:
                function: SetMpPreference
                parameters:
                  # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform)
                  property: DisableGradualRelease # Status: Get-MpPreference | Select-Object -Property DisableGradualRelease
                  value: $True # Set: Set-MpPreference -Force -DisableGradualRelease $True
                  default: $False # Default: False | Remove-MpPreference -Force -DisableGradualRelease
            - name: Minimize Defender engine updates to completed release cycles
              docs:
                # Managing with MpPreference module:
                - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
              call:
                function: SetMpPreference
                parameters:
                  # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform)
                  property: EngineUpdatesChannel # Status: Get-MpPreference | Select-Object -Property EngineUpdatesChannel
                  value: "'Broad'" # Set: Set-MpPreference -Force -EngineUpdatesChannel 'Broad'
                  # Valid values:
                  # 0 = 'NotConfigured' (default), 'Beta', 'Broad', 'Preview', 'Staged'
                  # ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged'
                  default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -EngineUpdatesChannel | Set-MpPreference -Force -EngineUpdatesChannel 'NotConfigured'
            - name: Minimize Defender platform updates to completed release cycles
              docs:
                # Managing with MpPreference module:
                - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
              call:
                function: SetMpPreference
                parameters:
                  # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform)
                  property: PlatformUpdatesChannel # Status: Get-MpPreference | Select-Object -Property PlatformUpdatesChannel
                  value: "'Broad'" # Set: Set-MpPreference -Force -PlatformUpdatesChannel 'Broad'
                  # Valid values:
                  # 0 = 'NotConfigured' (default), 'Beta', 'Broad', 'Preview', 'Staged'
                  # ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged'
                  default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -PlatformUpdatesChannel | Set-MpPreference -Force -PlatformUpdatesChannel 'NotConfigured'
            - name: Minimize Defender definition updates to completed gradual release cycles
              docs:
                # Managing with MpPreference module:
                - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
              call:
                # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform)
                function: SetMpPreference
                parameters:
                  property: DefinitionUpdatesChannel # Status: Get-MpPreference | Select-Object -Property DefinitionUpdatesChannel
                  # Its former name was "SignaturesUpdatesChannel"
                  value: "'Broad'" # Set: Set-MpPreference -Force -DefinitionUpdatesChannel 'Broad'
                  # 0 = 'NotConfigured' (default), 'Beta', 'Preview', 'Broad', 'Staged'
                  # ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged'
                  default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -DefinitionUpdatesChannel | Set-MpPreference -Force -DefinitionUpdatesChannel 'NotConfigured'
        - category: Disable Microsoft Defender reporting
          children:
            - name: Disable Microsoft Defender logging
              code: |-
                reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
                reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
              revertCode: |-
                :: 1 as default in registry
                reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "1" /f
                reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "1" /f
            - name: Disable Microsoft Defender ETW provider (Windows Event Logs)
              docs:
                - https://m365internals.com/2021/07/05/why-are-windows-defender-av-logs-so-important-and-how-to-monitor-them-with-azure-sentinel/
                - https://web.archive.org/web/20240314124054/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction?view=o365-worldwide
              code: |-
                reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v "Enabled" /t REG_DWORD /d 0 /f
                reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC" /v "Enabled" /t REG_DWORD /d 0 /f
              revertCode: |-
                :: 1 as default in registry
                reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v "Enabled" /t REG_DWORD /d 1 /f
                reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC" /v "Enabled" /t REG_DWORD /d 1 /f
            - name: Disable sending Watson events
              # Deprecated since February 2015 update http://support.microsoft.com/kb/3036437
              docs: https://admx.help/?Category=SystemCenterEndpointProtection&Policy=Microsoft.Policies.Antimalware::reporting_disablegenericreports
              call:
                function: SetRegistryValue
                parameters:
                  keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting
                  valueName: DisableGenericReports
                  dataType: REG_DWORD
                  data: '1'
                  deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
            - name: Minimize Windows software trace preprocessor (WPP Software Tracing)
              docs:
                - https://web.archive.org/web/20240314123926/https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/wpp-software-tracing
                - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_WppTracingLevel
              call:
                function: SetRegistryValue
                parameters:
                  keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting
                  valueName: WppTracingLevel
                  dataType: REG_DWORD
                  data: '1'
                  deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
            - name: Disable auditing events in Microsoft Defender Application Guard
              docs:
                - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppHVSI::AppHVSI_AuditApplicationGuardConfig
                - https://web.archive.org/web/20240314123716/https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview
              call:
                function: SetRegistryValue
                parameters:
                  keyPath: HKLM\SOFTWARE\Policies\Microsoft\AppHVSI
                  valueName: AuditApplicationGuard
                  dataType: REG_DWORD
                  data: '0'
                  deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
        - category: Disable Defender user interface
          children:
            - name: Remove "Windows Security" system tray icon
              docs: |-
                https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Systray_HideSystray
              call:
                function: SetRegistryValue
                parameters:
                  keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray
                  valueName: HideSystray
                  dataType: REG_DWORD
                  data: '1'
                  deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
            - name: Remove "Scan with Microsoft Defender" from context menu
              docs:
                - https://windowsreport.com/remove-right-click-windows-defender-scan-windows-10/
                - https://web.archive.org/web/20240314174846/https://twigstechtips.blogspot.com/2010/06/windows-remove-with-microsoft-security.html
              code: |-
                reg delete "HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32" /va /f 2>nul
                reg delete "HKCR\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}" /v "InprocServer32" /f 2>nul
                reg delete "HKCR\*\shellex\ContextMenuHandlers" /v "EPP" /f 2>nul
                reg delete "HKCR\Directory\shellex\ContextMenuHandlers" /v "EPP" /f 2>nul
                reg delete "HKCR\Drive\shellex\ContextMenuHandlers" /v "EPP" /f 2>nul
              revertCode: |-
                reg add "HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}" /v "InprocServer32" /t REG_SZ /d "%ProgramFiles%\Windows Defender\shellext.dll" /f
                reg add "HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
                reg add "HKCR\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32" /ve /t REG_SZ /d "%ProgramFiles%\Windows Defender\shellext.dll" /f
                reg add "HKCR\*\shellex\ContextMenuHandlers" /v "EPP" /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f
                reg add "HKCR\Directory\shellex\ContextMenuHandlers" /v "EPP" /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f
                reg add "HKCR\Drive\shellex\ContextMenuHandlers" /v "EPP" /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f
            - name: Remove "Windows Security" icon from taskbar
              docs: |-
                This script removes the "Windows Security" icon from the system tray.
                "Windows Security" is an interface introduced in Windows 10, version 1703 and was originally named "Windows Defender Security Center" [1].

                The icon in the system tray is controlled by the `SecurityHealthSystray.exe` file [2] [3].
                The script modifies the registry to stop this file from running on startup, effectively removing the icon.

                It specifically removes `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run!SecurityHealth`.
                This key exists in modern versions of Windows (tested since Windows 11 22H2 and Windows 10 22H2) with a default value of `%windir%\system32\SecurityHealthSystray.exe`.
                [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn"
                [2]: https://web.archive.org/web/20231013155101/https://www.file.net/process/securityhealthsystray.exe.html "SecurityHealthSystray.exe Windows process - What is it?"
                [3]: https://web.archive.org/web/20231013155434/https://strontic.github.io/xcyclopedia/library/SecurityHealthSystray.exe-783C99AFD4C2AE6950FA5694389D2CFA.html "SecurityHealthSystray.exe | Windows Security notification icon | STRONTIC | strontic.github.io"
              code: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f 2>nul # Renamed from WindowsDefender/MSASCuiL.exe in Windows 10 version 1809
              revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /t REG_EXPAND_SZ /d "%windir%\system32\SecurityHealthSystray.exe" /f
            - name: Disable Microsoft Defender Antimalware (AM) user interface
              docs: |-
                This script ensures that the Antimalware User Interface (AM UI) remains concealed from users [1], essentially preventing user interactions with the Microsoft Defender Antivirus interface.

                Several reasons to hide the antivirus interface:

                1. **Reduced data sharing**: Whether you're using Defender or disabling it for an alternative solution, minimizing its visible interactions can potentially limit the extent of user data shared with Microsoft.
                   Many users feel more in control of their data when they aren't constantly reminded of a running security service.
                2. **Minimized interruptions**: By hiding the interface, you can prevent users from starting and pausing scans.
                   Eliminating the interface means users aren't prompted or nudged to make selections which might unknowingly share more data.
                   This not only keeps the user experience neat but also minimizes the chance of accidental data sharing.
                3. **Reduced notifications**: With the headless UI mode enabled in Windows 10 (version 1703 and newer), Microsoft Defender Antivirus notifications are hidden, ensuring users aren't overwhelmed with security notifications [2].
                   This can contribute to a cleaner, less interrupted user experience.
                   By reducing these notifications, the system lessens the chances of users inadvertently triggering options that might share data.
                4. **Restricting access**: In earlier versions of Windows 10, activating this mode not only hides the Defender client interface but also restricts users from accessing it [2].
                   If a user attempts to open the interface, they are met with a warning, indicating that access has been restricted by the system administrator [2].

                The script achieves this through a single Windows Registry change: it adds a value named `UILockdown` under the `HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration` registry path and sets it to `1` [1].

                [1]: https://web.archive.org/web/20230810164814/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_UILockdown "Enable headless UI mode"
                [2]: https://web.archive.org/web/20230810164835/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus?view=o365-worldwide "Hide the Microsoft Defender Antivirus interface | Microsoft Learn"
              call:
                function: SetRegistryValue
                parameters:
                  keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration
                  valueName: UILockdown
                  dataType: REG_DWORD
                  data: '1'
                  deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
            - name: Minimize threat history access to administrators
              docs:
                # Managing with MpPreference module:
                - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
                - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableprivacymode
              call:
                - function: SetMpPreference
                  parameters:
                    property: DisablePrivacyMode # Status: Get-MpPreference | Select-Object -Property DisablePrivacyMode
                    value: $True # Set: Set-MpPreference -Force -DisablePrivacyMode $True
                    default: $False # Default: False | Remove-MpPreference -Force -DisablePrivacyMode | Set-MpPreference -Force -DisablePrivacyMode $False
                - function: RunInlineCodeAsTrustedInstaller # Otherwise we get "ERROR: Access is denied." (>= 20H2)
                  parameters:
                    code: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t REG_DWORD /d "1" /f
                    revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /f 2>nul
            - category: Disable sections in "Windows Security"
              docs: |-
                This category provides scripts that let you disable specific sections of the "Windows Security" interface.
                This interface was introduced in Windows 10, version 1703 and was previously known as "Windows Defender Security Center" [1].

                "Windows Security" has various sections, and each can be turned off individually [1].
                If all sections are disabled, the interface will display in a restricted mode [1].
                [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn"
              children:
                - name: Disable "Virus and threat protection" section in "Windows Security"
                  docs: |-
                    - [Virus and threat protection in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161059/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection)
                    - [Hide the Virus and threat protection area | admx.help](https://web.archive.org/web/20231013161208/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_UILockdown)
                  call:
                    function: SetRegistryValue
                    parameters:
                      keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection
                      valueName: UILockdown
                      dataType: REG_DWORD
                      data: '1'
                      deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                - name: Disable "Ransomware data recovery" section in "Windows Security"
                  docs: |-
                    [Hide the Ransomware data recovery area | admx.help](https://web.archive.org/web/20231013161249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_HideRansomwareRecovery)
                  call:
                    function: SetRegistryValue
                    parameters:
                      keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection
                      valueName: HideRansomwareRecovery
                      dataType: REG_DWORD
                      data: '1'
                      deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                - name: Disable "Family options" section in "Windows Security"
                  docs: |-
                    - [Family options in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161356/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options)
                    - [Hide the Family options area | admx.help](https://web.archive.org/web/20231013161503/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::FamilyOptions_UILockdown)
                  call:
                    function: SetRegistryValue
                    parameters:
                      keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options
                      valueName: UILockdown
                      dataType: REG_DWORD
                      data: '1'
                      deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                - name: Disable "Device performance and health" section in "Windows Security"
                  docs: |-
                    - [Device & performance health in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161703/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health)
                    - [Hide the Device performance and health area | admx.help](https://web.archive.org/web/20231013161748/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DevicePerformanceHealth_UILockdown)
                  call:
                    function: SetRegistryValue
                    parameters:
                      keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health
                      valueName: UILockdown
                      dataType: REG_DWORD
                      data: '1'
                      deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                - name: Disable "Account protection" section in "Windows Security"
                  docs: |-
                    - [Account protection in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161536/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection)
                    - [Hide the Account protection area | admx.help](https://web.archive.org/web/20231013161621/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AccountProtection_UILockdown)
                  call:
                    function: SetRegistryValue
                    parameters:
                      keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection
                      valueName: UILockdown
                      dataType: REG_DWORD
                      data: '1'
                      deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                - name: Disable "App and browser control" section in "Windows Security"
                  docs: |-
                    - [App & browser control in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161813/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control)
                    - [Hide the App and browser protection area | admx.help](https://web.archive.org/web/20231013161834/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AppBrowserProtection_UILockdown)
                  call:
                    function: SetRegistryValue
                    parameters:
                      keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection
                      valueName: UILockdown
                      dataType: REG_DWORD
                      data: '1'
                      deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                - category: Disable device security sections
                  children:
                    - name: Disable "Device security" section in "Windows Security"
                      docs: |-
                        - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security)
                        - [Hide the Device security area | admx.help](https://web.archive.org/web/20231013161956/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_UILockdown)
                      call:
                        function: SetRegistryValue
                        parameters:
                          keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security
                          valueName: UILockdown
                          dataType: REG_DWORD
                          data: '1'
                          deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                    - name: Disable "Clear TPM" button in "Windows Security"
                      docs: |-
                        - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#disable-the-clear-tpm-button)
                        - [Disable the Clear TPM button | admx.help](https://web.archive.org/web/20231013162124/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableClearTpmButton)
                      call:
                        function: SetRegistryValue
                        parameters:
                          keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security
                          valueName: DisableClearTpmButton
                          dataType: REG_DWORD
                          data: '1'
                          deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                    - name: Disable "Secure boot" button in "Windows Security"
                      docs: |-
                        [Hide the Secure boot area | admx.help](https://web.archive.org/web/20231013162210/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideSecureBoot)
                      call:
                        function: SetRegistryValue
                        parameters:
                          keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security
                          valueName: HideSecureBoot
                          dataType: REG_DWORD
                          data: '1'
                          deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                    - name: Disable "Security processor (TPM) troubleshooter" page in "Windows Security"
                      docs: |-
                        [Hide the Security processor (TPM) troubleshooter page | admx.help](https://web.archive.org/web/20231013162249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideTPMTroubleshooting)
                      call:
                        function: SetRegistryValue
                        parameters:
                          keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security
                          valueName: HideTPMTroubleshooting
                          dataType: REG_DWORD
                          data: '1'
                          deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                    - name: Disable "TPM Firmware Update" recommendation in "Windows Security"
                      docs: |-
                        - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#hide-the-tpm-firmware-update-recommendation)
                        - [Hide the TPM Firmware Update recommendation | admx.help](https://web.archive.org/web/20231013162327/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableTpmFirmwareUpdateWarning)
                      call:
                        function: SetRegistryValue
                        parameters:
                          keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security
                          valueName: DisableTpmFirmwareUpdateWarning
                          dataType: REG_DWORD
                          data: '1'
                          deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
        - category: Disable Defender notifications
          children:
            - category: Disable Windows Security notifications
              docs: https://web.archive.org/web/20240314130605/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications
              children:
                - name: Disable all Defender notifications
                  docs:
                    - https://web.archive.org/web/20240314122250/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disableenhancednotifications
                    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableNotifications
                  call:
                    - function: SetRegistryValue
                      parameters:
                        keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications
                        valueName: DisableNotifications
                        dataType: REG_DWORD
                        data: '1'
                        deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                    - function: SetRegistryValue
                      parameters:
                        keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications
                        valueName: DisableNotifications
                        dataType: REG_DWORD
                        data: '1'
                        deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                - name: Disable non-critical Defender notifications
                  docs:
                    - http://web.archive.org/web/20240314122250/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disableenhancednotifications
                    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableEnhancedNotifications
                    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_DisableEnhancedNotifications
                  call:
                    - function: SetRegistryValue
                      parameters:
                        keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications
                        valueName: DisableEnhancedNotifications
                        dataType: REG_DWORD
                        data: '1'
                        deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                    - function: SetRegistryValue
                      parameters:
                        keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications
                        valueName: DisableEnhancedNotifications
                        dataType: REG_DWORD
                        data: '1'
                        deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                    - function: SetRegistryValue
                      parameters:
                        keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting
                        valueName: DisableEnhancedNotifications
                        dataType: REG_DWORD
                        data: '1'
                        deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                - name: Disable notifications from Windows Action Center for security and maintenance
                  # For Windows 10 build 1607 and above
                  docs: https://web.archive.org/web/20171206070211/https://blogs.technet.microsoft.com/platforms_lync_cloud/2017/05/05/disabling-windows-10-action-center-notifications/
                  call:
                    function: SetRegistryValue
                    parameters:
                      keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance
                      valueName: Enabled
                      dataType: REG_DWORD
                      data: '0'
                      deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
            - name: Disable all Defender Antivirus notifications
              docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_Notification_Suppress
              call:
                - function: SetRegistryValue
                  parameters:
                    keyPath: HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration
                    valueName: Notification_Suppress
                    dataType: REG_DWORD
                    data: '1'
                    deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                - function: SetRegistryValue
                  parameters:
                    keyPath: HKCU\SOFTWARE\Microsoft\Windows Defender\UX Configuration
                    valueName: Notification_Suppress
                    dataType: REG_DWORD
                    data: '1'
                    deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
            - name: Disable Defender reboot notifications
              docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_SuppressRebootNotification
              call:
                function: SetRegistryValue
                parameters:
                  keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration
                  valueName: SuppressRebootNotification
dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable OS components for Defender # Hackers way of disabling Defender children: - category: Disable Defender scheduled tasks children: - name: Disable "ExploitGuard MDM policy Refresh" task docs: |- This script disables the "ExploitGuard MDM policy Refresh" scheduled task. The task is originally described in the Task Scheduler as: "Task for applying changes to the machine's Exploit Protection settings". Windows Defender Exploit Guard is a security feature in Windows, designed to prevent potential intrusions [1]. It encompasses various components such as "Attack Surface Reduction (ASR)", "Network protection", "Controlled folder access", and "Exploit protection" [1]. Specifically, the "ExploitGuard MDM policy Refresh" task is in charge of refreshing the Exploit Guard policy settings through Mobile Device Management (MDM) policies [2]. MDM offers a method to remotely adjust the ExploitGuard settings on a device [2]. Microsoft rolled out the Exploit Guard feature starting from Windows 10 version 1709 [3] [4]. Notably, the National Security Agency (NSA) in the USA has recommended the use of this feature for enhanced security [3]. 
                  ### Overview of default task statuses

                  `\Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh`:

                  | OS Version      | Default status |
                  | --------------- | -------------- |
                  | Windows 10 22H2 | 🟢 Ready       |
                  | Windows 11 22H2 | 🟢 Ready       |

                  [1]: https://web.archive.org/web/20231020130741/https://www.microsoft.com/en-us/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ "Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware | Microsoft Security Blog"
                  [2]: https://web.archive.org/web/20231020130744/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-exploit-protection?view=o365-worldwide#mdm "Turn on exploit protection to help mitigate against attacks | Microsoft Learn"
                  [3]: https://web.archive.org/web/20231020130723/https://media.defense.gov/2019/Jul/16/2002158052/-1/-1/0/CSI-WINDOWS-10-FOR-ENTERPRISE-SECURITY-BENEFITS-OF-TIMELY-ADOPTION.PDF "Windows 10 for Enterprises Security Benefits of Timely Adoption | nist.gov"
                  [4]: https://web.archive.org/web/20231020130731/https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/create-deploy-exploit-guard-policy "Windows Defender Exploit Guard policy - Configuration Manager | Microsoft Learn"
                call:
                  function: DisableScheduledTask
                  parameters:
                    # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\ExploitGuard\' -TaskName 'ExploitGuard MDM policy Refresh'
                    taskPathPattern: \Microsoft\Windows\ExploitGuard\
                    taskNamePattern: ExploitGuard MDM policy Refresh
              -
                name: Disable "Windows Defender Cache Maintenance" task
                docs: |-
                  This script disables the "Windows Defender Cache Maintenance" scheduled task.
                  The task is scheduled to periodically maintain the cache used by Microsoft Defender Antivirus [1].
                  It runs the command `C:\Program Files\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdCacheMaintenance` [1].
                  `MpCmdRun.exe` is a command-line tool used to perform various Microsoft Defender Antivirus functions [2].

                  Cache maintenance involves managing temporary files that Microsoft Defender is either scanning or has quarantined [3].
                  Disabling this task prevents the system from automatically clearing the Defender cache [3].
                  This is particularly useful if you want to ensure that files are not removed from quarantine or the cache without your explicit action.

                  Disabling this task is reported to optimize system boot speed [4], but it could potentially lead to increased storage use by temporary files.

                  ### Overview of default task statuses

                  `\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance`:

                  | OS Version      | Default status |
                  | --------------- | -------------- |
                  | Windows 10 22H2 | 🟢 Ready       |
                  | Windows 11 22H2 | 🟢 Ready       |

                  [1]: https://web.archive.org/web/20231102111550/http://windows.fyicenter.com/4439_Windows_Defender_Cache_Maintenance_Scheduled_Task_on_Windows_8.html '"Windows Defender Cache Maintenance" Scheduled Task on Windows 8 | windows.fyicenter.com'
                  [2]: https://web.archive.org/web/20231102111626/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus?view=o365-worldwide "Use the command line to manage Microsoft Defender Antivirus | Microsoft Learn | learn.microsoft.com"
                  [3]: https://web.archive.org/web/20231102111205/https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae "win10 windows defender schedulable tasks - what does each do? - Microsoft Community | answers.microsoft.com"
                  [4]: https://web.archive.org/web/20231102111645/https://discussions.citrix.com/topic/417772-very-slow-boot-times/ "Very slow boot times - Provisioning Server for Datacenters - Discussions | discussions.citrix.com"
                call:
                  function: DisableScheduledTask
                  parameters:
                    # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -TaskName 'Windows Defender Cache Maintenance'
                    taskPathPattern: \Microsoft\Windows\Windows Defender\
                    taskNamePattern: Windows Defender Cache Maintenance
              -
                name: Disable "Windows Defender Cleanup" task
                docs: |-
                  This script disables the "Windows Defender Cleanup" scheduled task.
                  This task is used by Defender to remove unnecessary files, such as corrupted or quarantined items [1].
                  The task is described in the Task Scheduler as "Periodic cleanup task" [2] [3].
                  This task executes the following command: `C:\Program Files\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdCleanup` [2] [3].

                  ### Overview of default task statuses

                  `\Microsoft\Windows\Windows Defender\Windows Defender Cleanup`:

                  | OS Version      | Default status |
                  | --------------- | -------------- |
                  | Windows 10 22H2 | 🟢 Ready       |
                  | Windows 11 22H2 | 🟢 Ready       |

                  [1]: https://web.archive.org/web/20231103171411/https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae "win10 windows defender schedulable tasks - what does each do? - Microsoft Community | answers.microsoft.com"
                  [2]: https://web.archive.org/web/20231103171352/http://windows.fyicenter.com/4440_Windows_Defender_Cleanup_Scheduled_Task_on_Windows_8.html '"Windows Defender Cleanup" Scheduled Task on Windows 8 | windows.fyicenter.com'
                  [3]: https://web.archive.org/web/20231103171350/https://www.herdprotect.com/mpcmdrun.exe-bb31a13a0eeecfab745d4aa221ee222d5021e9d8.aspx "Malware scan of MpCmdRun.exe (Microsoft Malware Protection) bb31a13a0eeecfab745d4aa221ee222d5021e9d8 - herdProtect | herdprotect.com"
                call:
                  function: DisableScheduledTask
                  parameters:
                    # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -TaskName 'Windows Defender Cleanup'
                    taskPathPattern: \Microsoft\Windows\Windows Defender\
                    taskNamePattern: Windows Defender Cleanup
              -
                name: Disable "Windows Defender Scheduled Scan" task
                docs: |-
                  This script disables the "Windows Defender Scheduled Scan" scheduled task.
                  This scheduled task is responsible for performing automatic regular scans [1] [2].
                  By disabling this task, users can control the scheduling and frequency of antivirus scans according to their needs, thus balancing security with system resource management [1] [2].
                  The task is known as "Periodic scan task" in the Task Scheduler [1] [3] [4].
                  It executes the following command: `C:\Program Files\Windows Defender\MpCmdRun.exe Scan -ScheduleJob -ScanTrigger 55` [3] [4].

                  ### Overview of default task statuses

                  `\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan`:

                  | OS Version      | Default status |
                  | --------------- | -------------- |
                  | Windows 10 22H2 | 🟢 Ready       |
                  | Windows 11 22H2 | 🟢 Ready       |

                  [1]: https://web.archive.org/web/20231103171744/https://support.microsoft.com/en-us/windows/schedule-a-scan-in-microsoft-defender-antivirus-54b64e9c-880a-c6b6-2416-0eb330ed5d2d "Schedule a scan in Microsoft Defender Antivirus - Microsoft Support | support.microsoft.com"
                  [2]: https://web.archive.org/web/20231103171802/https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com"
                  [3]: https://web.archive.org/web/20231103171350/https://www.herdprotect.com/mpcmdrun.exe-bb31a13a0eeecfab745d4aa221ee222d5021e9d8.aspx "Malware scan of MpCmdRun.exe (Microsoft Malware Protection) bb31a13a0eeecfab745d4aa221ee222d5021e9d8 - herdProtect | herdprotect.com"
                  [4]: https://web.archive.org/web/20231103171825/http://windows.fyicenter.com/4441_Windows_Defender_Scheduled_Scan_Scheduled_Task_on_Windows_8.html '"Windows Defender Scheduled Scan" Scheduled Task on Windows 8 | windows.fyicenter.com'
                call:
                  function: DisableScheduledTask
                  parameters:
                    # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -TaskName 'Windows Defender Scheduled Scan'
                    taskPathPattern: \Microsoft\Windows\Windows Defender\
                    taskNamePattern: Windows Defender Scheduled Scan
              -
                name: Disable "Windows Defender Verification" task
                docs: |-
                  This script disables the "Windows Defender Verification" scheduled task.
                  This task checks for issues with Defender, such as update problems or system file errors [1].
                  It is also linked to the creation of daily system restore points [2].
                  Disabling this task can prevent unnecessary system slowdowns and restore point creation, conserving disk space and system resources.
                  It improves privacy by reducing the system state data stored on the device.
                  The task is known as "Periodic verification task" in the Task Scheduler [3] [4].
                  It executes the following command: `C:\Program Files\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdVerification` [3] [4].

                  ### Overview of default task statuses

                  `\Microsoft\Windows\Windows Defender\Windows Defender Verification`:

                  | OS Version      | Default status |
                  | --------------- | -------------- |
                  | Windows 10 22H2 | 🟢 Ready       |
                  | Windows 11 22H2 | 🟢 Ready       |

                  [1]: https://web.archive.org/web/20231102111205/https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae "win10 windows defender schedulable tasks - what does each do? - Microsoft Community | answers.microsoft.com"
                  [2]: https://web.archive.org/web/20231103172413/https://answers.microsoft.com/en-us/windows/forum/all/windows-defender-system-restore-points/86f77a7f-4ee9-411f-b016-223993c55426 "Windows Defender / System Restore Points - Microsoft Community | answers.microsoft.com"
                  [3]: https://web.archive.org/web/20231103171350/https://www.herdprotect.com/mpcmdrun.exe-bb31a13a0eeecfab745d4aa221ee222d5021e9d8.aspx "Malware scan of MpCmdRun.exe (Microsoft Malware Protection) bb31a13a0eeecfab745d4aa221ee222d5021e9d8 - herdProtect | herdprotect.com"
                  [4]: https://web.archive.org/web/20231103172432/http://windows.fyicenter.com/4442_Windows_Defender_Verification_Scheduled_Task_on_Windows_8.html '"Windows Defender Verification" Scheduled Task on Windows 8 | windows.fyicenter.com'
                call:
                  function: DisableScheduledTask
                  parameters:
                    # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -TaskName 'Windows Defender Verification'
                    taskPathPattern: \Microsoft\Windows\Windows Defender\
                    taskNamePattern: Windows Defender Verification
          -
            category: Disable Defender services and drivers
            # Normally users can disable services in the GUI or using commands like "sc config".
            # However, Defender services are protected in different ways:
            #   1. Some cannot be disabled normally (access error), only with DisableServiceInRegistry
            #   2. Some cannot be disabled even using DisableServiceInRegistry; they must be disabled as TrustedInstaller using RunInlineCodeAsTrustedInstaller
            children:
              -
                name: Disable "Microsoft Defender Antivirus Service"
                # ❗️ Breaks the `Set-MpPreference` PowerShell cmdlet that helps to manage Defender
                # E.g. `Set-MpPreference -Force -MAPSReporting 0` throws:
                #   `Set-MpPreference: Operation failed with the following error: 0x800106ba. Operation: Set-MpPreference.`
                #   `Target: MAPS_MAPSReporting. FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference`
                docs: https://web.archive.org/web/20240314091238/https://batcmd.com/windows/10/services/windefend/
                call:
                  -
                    function: RunInlineCodeAsTrustedInstaller
                    parameters:
                      code: sc stop "WinDefend" >nul 2>&1 & reg add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
                      revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "2" /f & sc start "WinDefend" >nul 2>&1
                  # -
                  #   # ❌ "Access is denied" when renaming file, cannot grant permissions (Attempted to perform an unauthorized operation) since Windows 10 22H2 and Windows 11 22H2
                  #   function: SoftDeleteFiles
                  #   parameters:
                  #     fileGlob: '%PROGRAMFILES%\Windows Defender\MsMpEng.exe' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ...
                  #     grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
              -
                category: Disable Defender kernel-level drivers
                children:
                  # - Skipping wdnsfltr ("Windows Defender Network Stream Filter Driver") as it's Windows 1709 only
                  -
                    name: Disable "Microsoft Defender Antivirus Network Inspection System Driver" service
                    docs: https://web.archive.org/web/20240314062056/https://batcmd.com/windows/10/services/wdnisdrv/
                    call:
                      # Excluding:
                      # - `%SYSTEMROOT%\System32\drivers\wd\WdNisDrv.sys`: Missing on Windows since Windows 10 22H2 and Windows 11 22H2
                      -
                        function: RunInlineCodeAsTrustedInstaller
                        parameters:
                          # "net stop" is used to stop dependent services as well; "sc stop" fails
                          code: net stop "WdNisDrv" /yes >nul & reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
                          revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "3" /f & sc start "WdNisDrv" >nul
                      -
                        function: SoftDeleteFiles
                        parameters:
                          fileGlob: '%SYSTEMROOT%\System32\drivers\WdNisDrv.sys'
                          grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
                  -
                    name: Disable "Microsoft Defender Antivirus Mini-Filter Driver" service
                    docs:
                      - https://web.archive.org/web/20240314091638/https://n4r1b.com/posts/2020/01/dissecting-the-windows-defender-driver-wdfilter-part-1/
                      - https://web.archive.org/web/20240314062047/https://batcmd.com/windows/10/services/wdfilter/
                    call:
                      # Excluding:
                      # - `%SYSTEMROOT%\System32\drivers\wd\WdFilter.sys`: Missing on Windows since Windows 10 22H2 and Windows 11 22H2
                      -
                        function: RunInlineCodeAsTrustedInstaller
                        parameters:
                          code: sc stop "WdFilter" >nul & reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
                          revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "0" /f & sc start "WdFilter" >nul
                      -
                        function: SoftDeleteFiles
                        parameters:
                          fileGlob: '%SYSTEMROOT%\System32\drivers\WdFilter.sys'
                          grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
                  -
                    name: Disable "Microsoft Defender Antivirus Boot Driver" service
                    docs: https://web.archive.org/web/20240314062057/https://batcmd.com/windows/10/services/wdboot/
                    call:
                      # Excluding:
                      # - `%SYSTEMROOT%\System32\drivers\wd\WdBoot.sys`: Missing on Windows since Windows 10 22H2 and Windows 11 22H2
                      -
                        function: RunInlineCodeAsTrustedInstaller
                        parameters:
                          code: sc stop "WdBoot" >nul 2>&1 & reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
                          revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "0" /f & sc start "WdBoot" >nul 2>&1
                      -
                        function: SoftDeleteFiles
                        parameters:
                          fileGlob: '%SYSTEMROOT%\System32\drivers\WdBoot.sys'
                          grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
              -
                name: Disable "Microsoft Defender Antivirus Network Inspection" service
                docs:
                  - https://web.archive.org/web/20240314091310/https://batcmd.com/windows/10/services/wdnissvc/
                  - https://www.howtogeek.com/357184/what-is-microsoft-network-realtime-inspection-service-nissrv.exe-and-why-is-it-running-on-my-pc/
                call:
                  -
                    function: RunInlineCodeAsTrustedInstaller
                    parameters:
                      code: sc stop "WdNisSvc" >nul 2>&1 & reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
                      revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "2" /f & sc start "WdNisSvc" >nul 2>&1
                  # -
                  #   # ❌ "Access is denied" when renaming file, cannot grant permissions (Attempted to perform an unauthorized operation) since Windows 10 22H2 and Windows 11 22H2
                  #   function: SoftDeleteFiles
                  #   parameters:
                  #     fileGlob: '%PROGRAMFILES%\Windows Defender\NisSrv.exe' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ...
                  #     grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
              -
                name: Disable "Windows Defender Advanced Threat Protection Service" service
                docs: https://web.archive.org/web/20240314091443/https://batcmd.com/windows/10/services/sense/
                call:
                  -
                    function: RunInlineCodeAsTrustedInstaller # We must disable it on registry level, "Access is denied" for sc config
                    parameters:
                      code: sc stop "Sense" >nul 2>&1 & reg add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f
                      revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t REG_DWORD /d "3" /f & sc start "Sense" >nul 2>&1 # Allowed values: Boot | System | Automatic | Manual
                  -
                    function: SoftDeleteFiles
                    parameters:
                      fileGlob: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\MsSense.exe'
                      grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
              -
                name: Disable "Windows Security Service" service
                docs: |-
                  This script disables the "Windows Security Service", also known as `SecurityHealthService` or "Windows Security Health Service" [1].
                  This service provides unified device protection and health information [2] [3].
                  It was introduced in Windows 10, version 1703 as part of the "Windows Security" interface, which was earlier named "Windows Defender Security Center" [2].

                  Even though the service is related to Microsoft Defender [4], disabling it does not turn off Microsoft Defender Antivirus [1].
                  By default, Windows manually starts this service [2], but it is observed to run automatically in Windows 10 and 11.
                  The "Windows Security" interface relies on the "Windows Security Service", which further depends on the "Windows Security Center Service" (`wscsvc`) [1].
                  [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn"
                  [2]: https://web.archive.org/web/20231013160338/http://batcmd.com/windows/10/services/securityhealthservice/ "Windows Security Service - Windows 10 Service - batcmd.com"
                  [3]: https://web.archive.org/web/20231013160352/https://strontic.github.io/xcyclopedia/library/SecurityHealthService.exe-96BE970B2CB0BB0A86D8F74C1A3F8596.html "SecurityHealthService.exe | Windows Security Health Service | STRONTIC | strontic.github.io"
                  [4]: https://web.archive.org/web/20231013160458/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide#notes-about-protection-states
                call:
                  -
                    # Windows 10:
                    #   ❌ Cannot disable through sc config as Administrator; throws "Access is denied"
                    #   ✅ Can disable using registry as Administrator; "DisableServiceInRegistry" function works
                    #   ✅ Can disable using registry as TrustedInstaller
                    # Windows 11:
                    #   ❌ Cannot disable through sc config as Administrator; throws "Access is denied"
                    #   ❌ Cannot disable using registry as Administrator; using DisableServiceInRegistry throws "Requested registry access is not allowed."
                    #   ✅ Can disable using registry as TrustedInstaller
                    function: RunInlineCodeAsTrustedInstaller
                    parameters:
                      code: sc stop "SecurityHealthService" >nul 2>&1 & reg add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v Start /t REG_DWORD /d 4 /f
                      revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v Start /t REG_DWORD /d 3 /f & sc start "SecurityHealthService" >nul 2>&1
                  -
                    function: SoftDeleteFiles
                    parameters:
                      fileGlob: '%WINDIR%\System32\SecurityHealthService.exe'
                      grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
  -
    category: Disable SmartScreen
    docs:
      - https://en.wikipedia.org/wiki/Microsoft_SmartScreen
      - https://web.archive.org/web/20240314131452/https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/
    children:
      -
        category: Disable SmartScreen for apps and files
        children:
          -
            name: Disable SmartScreen for apps and files
            docs:
              - https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-63685
              - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsExplorer::EnableSmartScreen
            call:
              function: SetRegistryValue
              parameters:
                keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\System
                valueName: EnableSmartScreen
                dataType: REG_DWORD
                data: '0'
                deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
          -
            name: Disable SmartScreen in File Explorer
            docs:
              - https://winaero.com/change-windows-smartscreen-settings-windows-10/
              - https://www.technobezz.com/how-to-change-the-smartscreen-filter-settings-in-windows-10/
            call:
              -
                function: SetRegistryValue
                parameters:
                  keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
                  valueName: SmartScreenEnabled
                  dataType: REG_SZ
                  data: 'Off'
                  deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
              -
                function: SetRegistryValue
                parameters:
                  keyPath: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer
                  valueName: SmartScreenEnabled
                  dataType: REG_SZ
                  data: 'Off'
                  deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
          -
            name: Disable SmartScreen's prevention of application execution
            docs:
              - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.SmartScreen::ShellConfigureSmartScreen
              - https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-63685
            call:
              function: SetRegistryValue
              parameters:
                keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\System
                valueName: ShellSmartScreenLevel
                dataType: REG_SZ
                data: Warn
                deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
      -
        category: Disable SmartScreen in Microsoft browsers
        docs: |-
          This category provides scripts to disable SmartScreen in Microsoft browsers.

          SmartScreen is a security feature in Edge.
          When you visit websites or download files, SmartScreen checks the reputation of the URL or file [1].
          If SmartScreen determines that the site or file is malicious, it blocks access or download [1].
          SmartScreen is enabled by default in Microsoft Edge [1].

          The SmartScreen feature raises privacy concerns because it sends unhashed URLs, downloaded files, applications being run, IP addresses, and the user's Security Identifier (SID) to Microsoft [1] [2] [3].
          This data transmission can potentially allow the company to track browsing history and user activities.
          The transmission of full file paths and download URLs can expose a significant amount of sensitive and private information about a user's system and network structure.
          The combination of these data points could enable Microsoft to build a comprehensive profile of user activities and behavior.
[1]: https://web.archive.org/web/20240623123514/https://learn.microsoft.com/en-us/microsoft-edge/privacy-whitepaper/#smartscreen "Microsoft Edge Privacy Whitepaper - Microsoft Edge Developer documentation | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240624121703/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-potentially-unwanted-apps "Use Microsoft Edge to protect against potentially unwanted applications | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240624143449/https://www.bleepingcomputer.com/news/microsoft/windows-10-smartscreen-sends-urls-and-app-names-to-microsoft/ "Windows 10 SmartScreen Sends URLs and App Names to Microsoft | www.bleepingcomputer.com" children: - name: Disable Edge SmartScreen docs: |- # refactor-with-variables: • Chromium Policy Caution • Active Directory only • Performance + Privacy This script disables the SmartScreen feature in Edge. SmartScreen provides warning messages to help protect users from potential phishing scams and malicious software [1] [2]. By default, Microsoft Defender SmartScreen is enabled and users can choose whether to use it [1] [2]. Once you run this script, Microsoft Defender SmartScreen will be turned off [1] [2]. Disabling this feature reduces potential privacy risks by preventing data sharing. This may also improve system performance by reducing processing workload. While enabling this setting may increase user autonomy and privacy, it reduces security by allowing access to potentially malicious websites and software [2]. Users should be cautious and understand the risks involved. This script applies only to Windows devices within a Microsoft Active Directory domain or managed in similar way [1] [2]. It is effective only on computers under organizational management, such as those in workplaces or schools. It's not applicable to personal computers that are not managed by an organization. 
Changing this policy does not require restarting the browser to take effect [1]. This script configures the `SmartScreenEnabled` policy [1] [2]. > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. [1]: https://web.archive.org/web/20240314103512/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#smartscreenenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240624143208/https://www.stigviewer.com/stig/microsoft_edge/2021-02-16/finding/V-235763 "Microsoft Defender SmartScreen must be enabled. | www.stigviewer.com" call: function: SetEdgePolicyViaRegistry parameters: valueName: SmartScreenEnabled # Edge ≥ 77 dwordData: '0' - name: Disable Edge SmartScreen for potentially unwanted apps docs: |- # refactor-with-variables: • Chromium Policy Caution • Active Directory only • Performance + Privacy This script disables the SmartScreen feature in Edge that specifically targets potentially unwanted applications (PUAs). Microsoft Edge's SmartScreen PUA feature protects against adware, coin miners, bundleware, and other low-reputation software [1] [2]. This feature warns users about potentially harmful applications [1] [2]. Although this feature is turned off by default [2], this script explicitly disables it to ensure it remains inactive, safeguarding against automatic or unintended activations. Disabling this feature reduces potential privacy risks by preventing data sharing. This may also improve system performance by reducing processing workload. This script applies only to Windows devices within a Microsoft Active Directory domain or managed in similar way [1] [2]. It is effective only on computers under organizational management, such as those in workplaces or schools. 
It's not applicable to personal computers that are not managed by an organization. This script configures the `SmartScreenPuaEnabled` policy [1] [2]. Changing this policy does not require restarting the browser to take effect [1]. > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. [1]: https://web.archive.org/web/20240314103512/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#smartscreenpuaenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240624121549/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::SmartScreenPuaEnabled "Configure Microsoft Defender SmartScreen to block potentially unwanted apps | admx.help" call: function: SetEdgePolicyViaRegistry parameters: valueName: SmartScreenPuaEnabled # Edge ≥ 80 dwordData: '0' - name: Enable Edge SmartScreen bypass docs: |- # refactor-with-variables: • Chromium Policy Caution • Active Directory only • Performance + Privacy This script allows users to bypass Edge SmartScreen warnings. SmartScreen in Edge displays warnings about potentially malicious websites [1] [2]. By default, users can bypass Microsoft Defender SmartScreen warnings and proceed to the site [1]. This script keeps this option, enhancing user privacy by minimizing data sent to Microsoft. Disabling this feature reduces potential privacy risks by preventing data sharing. This may also improve system performance by reducing processing workload. While enabling this setting may increase user autonomy and privacy, it reduces security by allowing access to potentially malicious websites [2]. Users should be cautious and understand the risks involved. This script applies only to Windows devices within a Microsoft Active Directory domain or managed in similar way [1]. 
It is effective only on computers under organizational management, such as those in workplaces or schools. It's not applicable to personal computers that are not managed by an organization. This script configures the `PreventSmartScreenPromptOverride` policy [1] [2]. Changing this policy does not require restarting the browser to take effect [1]. > **Caution**: > - This will display the message "Your browser is managed by your organization" on the settings page. > - This locks settings and prevents them from being changed on the settings page. [1]: https://web.archive.org/web/20240314103512/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#preventsmartscreenpromptoverride "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240624152821/https://www.stigviewer.com/stig/microsoft_edge/2021-06-23/finding/V-235720 "Bypassing Microsoft Defender SmartScreen prompts for sites must be disabled. | www.stigviewer.com" call: function: SetEdgePolicyViaRegistry parameters: valueName: PreventSmartScreenPromptOverride # Edge ≥ 77 dwordData: '0' - name: Disable Edge (Legacy) SmartScreen docs: |- # refactor-with-variables: Same • Edge (Legacy) only This script disables the SmartScreen feature in Edge (Legacy). Edge (Legacy) uses the Windows Defender SmartScreen by default to protect users from phishing scams and malicious software [1] [2]. This feature is enabled by default and cannot be turned off by users [2]. This script disables SmartScreen and prevents users from turning it back on [2]. As a result, users will not receive alerts about potential threats [2]. Disabling this feature reduces potential privacy risks by preventing data sharing. This may also improve system performance by reducing processing workload. While enabling this setting may increase user autonomy and privacy, it reduces security [1]. Users should be cautious and understand the risks involved. 
This script configures the `EnabledV9` policy [1] [2]. This script only applies to Edge (Legacy) and does not impact newer versions of Edge. [1]: https://web.archive.org/web/20240624152134/https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63713 "The Windows Defender SmartScreen filter for Microsoft Edge must be enabled. | www.stigviewer.com" [2]: https://web.archive.org/web/20240624133131/https://learn.microsoft.com/en-us/previous-versions/windows/edge-legacy/available-policies#configure-windows-defender-smartscreen "Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros) | Microsoft Learn | learn.microsoft.com" call: function: SetLegacyEdgePolicyViaRegistry parameters: policySubkey: PhishingFilter valueName: EnabledV9 dwordData: "0" - name: Enable Edge (Legacy) SmartScreen bypass docs: |- # refactor-with-variables: Same • Performance + Privacy • Edge (Legacy) only This script allows users to bypass SmartScreen warnings in Edge (Legacy). Edge (Legacy) features a SmartScreen filter that warns users about potentially malicious websites and file downloads [1]. By default, this feature allows users to ignore these warnings and proceed to download files [1]. This script keeps this option, enhancing user privacy by minimizing data sent to Microsoft. Disabling this feature reduces potential privacy risks by preventing data sharing. This may also improve system performance by reducing processing workload. While enabling this setting may increase user autonomy and privacy, it reduces security by allowing downloads from potentially malicious sources [2]. Users should be cautious and understand the risks involved. This script configures the `PreventOverride` policy [1] [2]. This script only applies to Edge (Legacy) and does not impact newer versions of Edge. 
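Added example, not part of the collection: a read-only PowerShell audit of the Edge SmartScreen policies the entries above configure, reporting which of them the cited STIG findings would flag as weakened. It assumes the policies live under the standard Edge policy keys (`HKLM\SOFTWARE\Policies\Microsoft\Edge` and `HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter`), since the bodies of `SetEdgePolicyViaRegistry` and `SetLegacyEdgePolicyViaRegistry` are not shown here.

```powershell
# Added example, not part of the collection: read-only audit of the Edge
# SmartScreen policies configured by the entries above.
# Assumption: the collection's SetEdgePolicyViaRegistry and
# SetLegacyEdgePolicyViaRegistry functions write to the standard policy keys below.

$EdgePolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge',   # Edge (Chromium), machine scope
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge'    # Edge (Chromium), user scope
)
$LegacyEdgeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'

# Hardened value per the STIG findings the entries cite, plus what an absent
# value means according to the entries' own descriptions.
$Checks = @(
    @{ Scope = 'edge';   Name = 'SmartScreenEnabled';               Hardened = 1; Absent = 'SmartScreen on';    Ref = 'V-235763' }
    @{ Scope = 'edge';   Name = 'SmartScreenPuaEnabled';            Hardened = 1; Absent = 'PUA blocking off'; Ref = 'none cited' }
    @{ Scope = 'edge';   Name = 'PreventSmartScreenPromptOverride'; Hardened = 1; Absent = 'users may bypass'; Ref = 'V-235720' }
    @{ Scope = 'legacy'; Name = 'EnabledV9';                        Hardened = 1; Absent = 'SmartScreen on';   Ref = 'V-63713' }
    @{ Scope = 'legacy'; Name = 'PreventOverride';                  Hardened = 1; Absent = 'users may bypass'; Ref = 'V-63699' }
)

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    # $null means the policy is not configured (key or value missing).
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-EdgeSmartScreenPosture {
    foreach ($check in $Checks) {
        $paths = if ($check.Scope -eq 'edge') { $EdgePolicyKeys } else { @($LegacyEdgeKey) }
        foreach ($path in $paths) {
            $value = Get-PolicyDword -Path $path -Name $check.Name
            if ($null -eq $value)               { $posture = "not configured (default: $($check.Absent))" }
            elseif ($value -eq $check.Hardened) { $posture = 'hardened by policy' }
            else                                { $posture = 'WEAKENED by policy' }
            [pscustomobject]@{
                Policy  = $check.Name
                Path    = $path
                Value   = $value
                Posture = $posture
                STIG    = $check.Ref
            }
        }
    }
}

Get-EdgeSmartScreenPosture | Format-Table -AutoSize

# Any value under the Edge policy key is enough to trigger the
# "Your browser is managed by your organization" banner the cautions mention.
foreach ($key in $EdgePolicyKeys) {
    if (Test-Path -LiteralPath $key) {
        Write-Host "$key exists: Edge will show the 'managed by your organization' banner."
    }
}
```

Run it from an elevated prompt on a machine where the entries have been applied and again after reverting; the `Posture` column shows which policies moved away from the cited baselines.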
[1]: https://web.archive.org/web/20240624133131/https://learn.microsoft.com/en-us/previous-versions/windows/edge-legacy/available-policies#configure-windows-defender-smartscreen "Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros) | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240624140451/https://www.stigviewer.com/stig/windows_10/2017-02-21/finding/V-63699 "Users must not be allowed to ignore SmartScreen filter warnings for malicious websites in Microsoft Edge. | www.stigviewer.com" call: function: SetLegacyEdgePolicyViaRegistry parameters: policySubkey: PhishingFilter valueName: PreventOverride dwordData: "0" - name: Disable SmartScreen in Internet Explorer docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_Policy_Phishing_9 call: function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 valueName: '2301' dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable SmartScreen for Windows Store apps children: - name: Disable SmartScreen's "App Install Control" feature docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.SmartScreen::ConfigureAppInstallControl - https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#241-microsoft-defender-smartscreen - https://web.archive.org/web/20240314103348/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-smartscreen call: - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen valueName: ConfigureAppInstallControl dataType: REG_SZ data: Anywhere deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and
Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen valueName: ConfigureAppInstallControlEnabled dataType: REG_DWORD data: '0' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable SmartScreen's web content (URLs) checking for apps docs: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#181-general call: - function: SetRegistryValue parameters: keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost valueName: EnableWebContentEvaluation dataType: REG_DWORD data: '0' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: RunInlineCode parameters: code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f revertCode: |- # Has "1" value in "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" as default reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "1" /f - category: Disable automatic updates docs: |- Disabling automatic updates is often considered counterintuitive when it comes to securing your system. However, there are substantial arguments to consider this option if you're privacy-centric: 1. **Patching and Pre-Approval**: Manual control over update deployment allows for pre-emptive approval of patches. This strategy is useful in environments requiring the highest level of security. For instance, military agencies frequently employ air-gapped systems that mandate careful review of each update to mitigate risks such as potential backdoors or data leaks. 
Similarly, financial institutions often resort to staged rollouts of updates, subjecting them to an in-depth analysis of their implications on security and privacy before broad implementation. 2. **Telemetry and Data Transmission**: Automatic updates often come embedded with telemetry data collection mechanisms. Disabling these updates facilitates granular control over the data transmitted back to Microsoft servers. Thus, the decision to disable automatic updates allows you to control the timing and nature of information relayed to these servers. 3. **Peer-to-Peer Data Exposure**: Windows employs a Peer-to-Peer (P2P) approach to facilitate update distribution, which can reveal your IP address and some system details to peer systems [1]. 4. **Configurational integrity**: Updates have the capacity to change pre-configured settings without explicit user consent. This could result in unintended alteration of your privacy settings, leaving you exposed until you realize the change. > **Caution**: While controlling updates enhances your privacy, it can leave your system vulnerable to unpatched exploits. Ensure that you manually review and apply updates on a regular basis. You're essentially trading off some security for a heightened level of privacy. [1]: https://web.archive.org/web/20230905120220/https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization-faq "Delivery Optimization Frequently Asked Questions - Windows Deployment | Microsoft Learn" children: - name: Disable Automatic Updates (AU) feature docs: |- This script deactivates the Automatic Updates feature in Windows. By disabling Automatic Updates, you gain control over when your system is updated, which may be preferable in specific privacy-sensitive environments. The script changes a specific setting in your computer's registry, with a key called `NoAutoUpdate`, which has two possible states [1] [2]: - `0`: Automatic Updates are enabled. - `1`: Automatic Updates are disabled. 
By default, Windows comes with Automatic Updates enabled, meaning `NoAutoUpdate` is set to `0` [3]. Running this script will set `NoAutoUpdate` to `1`, turning off Automatic Updates [1] [2] [3]. In doing so, you prevent your computer from automatically receiving updates, which is a feature that could be considered intrusive or unwanted in some privacy-conscious settings. It configures your computer not to download and install updates automatically without your explicit permission. [1]: https://web.archive.org/web/20230807165936/https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499 "Configure Automatic Updates in a Non–Active Directory Environment | Microsoft Learn" [2]: https://web.archive.org/web/20221001051250/https://support.microsoft.com/en-us/topic/incorrect-automatic-updates-notification-is-received-even-though-au-options-are-disabled-in-windows-8-1-and-windows-server-2012-r2-18b4b73a-3910-9408-809c-7eaad0e1fbc7 "Incorrect Automatic Updates notification is received even though AU options are disabled in Windows 8.1 and Windows Server 2012 R2 - Microsoft Support" [3]: https://web.archive.org/web/20230711172555/https://learn.microsoft.com/en-us/windows/deployment/update/waas-wu-settings#configuring-automatic-updates-by-editing-the-registry "Manage additional Windows Update settings - Windows Deployment | Microsoft Learn" call: function: RunInlineCode parameters: code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "1" /f # Default value is `0` since Windows 10 21H2 and Windows 11 21H2 revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "0" /f - name: Disable automatic installation of Windows updates without user consent docs: |- This script changes how your Windows computer handles automatic updates by modifying the `AUOptions` registry key.
After running this script, your computer will notify you before downloading any updates [1] [2] [3]. In the default setup, your Windows system is configured to download and install updates automatically without notifying you [4]. This means that new updates could be installed on your system without your explicit approval. By forcing Windows to notify you before downloading updates, this script hands back control over your system to you. This feature enhances your privacy and minimizes risks because you get to manually review and approve each update before it's installed. To explain the technical aspect, the `AUOptions` registry key is a setting stored under `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU` in your computer's registry [1] [3]. A value of `2` for `AUOptions` means that you will be notified before any updates are downloaded and installed [1] [2]. On older versions of Windows, setting `AUOptions` to `1` would prevent the system from even checking for updates [5]. However, starting from Windows 10, the value `1` has a different meaning [2] [3]. Running this script doesn't disable updates; it just ensures that you are informed and have the final say on whether to download them or not.
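Added example, not part of the collection: a read-only PowerShell check that reads the `AU` policy values described above and reports the update behaviour they select, treating an absent value as the Windows default the entries describe. The meanings of `AUOptions` values `3` and `5` come from Microsoft's documentation of the same key rather than from this page.

```powershell
# Added example, not part of the collection: read-only check of the Automatic
# Updates (AU) policy values the entries above write.
$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# AUOptions meanings documented by Microsoft for Windows 10 and later;
# 2 and 4 are the values the entry above sets and reverts to.
$AuOptionsMeaning = @{
    2 = 'Notify before download and before install'
    3 = 'Download automatically, notify before install'
    4 = 'Download automatically and install on the scheduled day and time'
    5 = 'Allow the local administrator to choose the setting'
}
# ScheduledInstallDay: 0 = every day, 1..7 = Sunday..Saturday.
$DayNames = @('every day', 'Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday')

function Get-AuPolicyValue {
    param([string]$Name)
    # $null means the value (or the whole AU key) is absent, i.e. not set by policy.
    if (-not (Test-Path -LiteralPath $AuKey)) { return $null }
    $item = Get-ItemProperty -LiteralPath $AuKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-AutomaticUpdatePosture {
    $noAutoUpdate = Get-AuPolicyValue -Name 'NoAutoUpdate'
    $auOptions    = Get-AuPolicyValue -Name 'AUOptions'
    $installDay   = Get-AuPolicyValue -Name 'ScheduledInstallDay'
    $installTime  = Get-AuPolicyValue -Name 'ScheduledInstallTime'

    if ($null -eq $noAutoUpdate)   { $auState = 'enabled (default, value absent)' }
    elseif ($noAutoUpdate -eq 1)   { $auState = 'DISABLED by policy' }
    elseif ($noAutoUpdate -eq 0)   { $auState = 'enabled (set explicitly)' }
    else                           { $auState = "unexpected NoAutoUpdate value $noAutoUpdate" }

    if ($null -eq $auOptions) { $behaviour = 'default: download and install automatically' }
    elseif ($AuOptionsMeaning.ContainsKey($auOptions)) { $behaviour = $AuOptionsMeaning[$auOptions] }
    elseif ($auOptions -eq 1) { $behaviour = 'value 1: meaning differs between older Windows and Windows 10 (see the entry docs)' }
    else { $behaviour = "undocumented AUOptions value $auOptions" }

    if ($null -eq $installDay) { $day = 'not set (default: every day)' }
    elseif ($installDay -ge 0 -and $installDay -le 7) { $day = $DayNames[$installDay] }
    else { $day = "invalid ($installDay)" }

    if ($null -eq $installTime) { $time = 'not set (default: 03:00)' }
    elseif ($installTime -ge 0 -and $installTime -le 23) { $time = '{0:D2}:00' -f $installTime }
    else { $time = "invalid ($installTime)" }

    [pscustomobject]@{
        AutomaticUpdates     = $auState
        AUOptions            = $auOptions
        Behaviour            = $behaviour
        ScheduledInstallDay  = $day
        ScheduledInstallTime = $time
        # True when nothing is installed before a user has seen and approved it.
        UserApprovalRequired = ($noAutoUpdate -eq 1) -or ($auOptions -in 2, 3)
    }
}

Get-AutomaticUpdatePosture | Format-List
```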
[1]: https://web.archive.org/web/20230807165936/https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499 "Configure Automatic Updates in a Non–Active Directory Environment | Microsoft Learn" [2]: https://web.archive.org/web/20230711172555/https://learn.microsoft.com/en-us/windows/deployment/update/waas-wu-settings#configuring-automatic-updates-by-editing-the-registry "Manage additional Windows Update settings - Windows Deployment | Microsoft Learn" [3]: https://web.archive.org/web/20230815051303/https://learn.microsoft.com/en-us/windows/deployment/update/waas-restart#registry-keys-used-to-manage-restart "Manage device restarts after updates - Windows Deployment | Microsoft Learn" [4]: https://web.archive.org/web/20230826081345/https://learn.microsoft.com/en-US/troubleshoot/windows-client/deployment/update-windows-update-agent "Update Windows Update Agent to latest version - Windows Client | Microsoft Learn" [5]: https://web.archive.org/web/20221001051250/https://support.microsoft.com/en-us/topic/incorrect-automatic-updates-notification-is-received-even-though-au-options-are-disabled-in-windows-8-1-and-windows-server-2012-r2-18b4b73a-3910-9408-809c-7eaad0e1fbc7 "Incorrect Automatic Updates notification is received even though AU options are disabled in Windows 8.1 and Windows Server 2012 R2 - Microsoft Support" call: function: RunInlineCode parameters: code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "2" /f # Default value is `4` since Windows 10 21H2 and Windows 11 21H2 revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "4" /f - name: Disable automatic daily installation of Windows updates docs: |- This script stops Windows from automatically installing updates every day. By doing so, you gain control over when updates happen on your computer [1] [2]. By default, Windows is set to automatically update every day [2].
Having control over the update timing allows you to review what is being changed, thereby protecting your privacy and enhancing your system's security. Technically, what the script does is remove a specific setting in the computer's system registry, the `ScheduledInstallDay` key from `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU` [1] [2]. Disabling the scheduled install day ensures that updates won't be forcibly applied on a specific day of the week. [1]: https://web.archive.org/web/20230711172555/https://learn.microsoft.com/en-us/windows/deployment/update/waas-wu-settings#configuring-automatic-updates-by-editing-the-registry "Manage additional Windows Update settings - Windows Deployment | Microsoft Learn" [2]: https://web.archive.org/web/20230708165017/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#scheduledinstallday "Update Policy CSP - Windows Client Management | Microsoft Learn" call: function: RunInlineCode parameters: code: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay" /f 2>nul revertCode: >- :: This key does not exist by default since Windows 10 21H2 and Windows 11 21H2 reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay" /f 2>nul - name: Disable scheduled automatic updates docs: |- This script turns off the automatic installation of Windows updates that are set to occur at a specific time. By doing this, you take back control over when your computer updates itself [1] [2] [3]. The default behavior is to install updates at 3 AM [3]. Windows updates can be important for system security, but automatic installation could occur at inconvenient times and may even restart your computer without prior warning. This could interrupt your tasks and may send data about your system to external servers. 
By disabling the automatic scheduled installation time, you can manually control when updates are installed [3], ensuring that you're aware of any changes to your system. The script works by removing a specific registry key called `ScheduledInstallTime` under `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU` [2] [3]. This is the system setting that controls the scheduled update time. [1]: https://web.archive.org/web/20230813094618/https://learn.microsoft.com/fr-fr/security-updates/windowsupdateservices/18127152 "Configure Automatic Updates in a Non–Active Directory Environment | Microsoft Learn" [2]: https://web.archive.org/web/20230711172555/https://learn.microsoft.com/en-us/windows/deployment/update/waas-wu-settings#configuring-automatic-updates-by-editing-the-registry "Manage additional Windows Update settings - Windows Deployment | Microsoft Learn" [3]: https://web.archive.org/web/20230708165017/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#scheduledinstalltime "Update Policy CSP - Windows Client Management | Microsoft Learn" call: function: RunInlineCode parameters: code: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime" /f 2>nul revertCode: >- :: This key does not exist by default since Windows 10 21H2 and Windows 11 21H2 reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime" /f 2>nul - category: Disable Windows update services docs: |- The scripts in this category offer users the ability to control Windows services related to system updates. These services manage how and when your system receives updates from Microsoft. By limiting or disabling these services, users can decide when to update their system, reducing unexpected changes. Moreover, a system with fewer running services uses fewer resources, which can improve overall performance. Disabling these update services is also a privacy measure. 
Some updates can change privacy settings or add features that collect user data. By controlling update services, users can review and approve any changes before they take effect. > **Caution**: Disabling Windows update services may lead to missed critical security patches and feature updates. > Consider the balance between maintaining privacy and ensuring system security and stability. children: # Tips: # - Related services can be seen in `%WINDIR%\WaaS\services` folder. # Excluding: # - Background Intelligent Transfer Service (BITS): Not exclusive to disabling automatic Windows updates, may break third-party apps # - Delivery Optimization (DoSvc): Not exclusive to disabling automatic Windows updates, breaks Microsoft Store downloads. # - Windows Remediation Service (sedsvc): Seems to exist in legacy versions on Windows, does not exist since Windows 10 22H2 and Windows 11 23H2 - name: Disable "Windows Update" (`wuauserv`) service docs: |- This script turns off the Windows Update service, which is technically known as Windows Update Agent [1] [2]. By disabling this service, the automatic detection, download, and installation of updates for both Windows and other installed programs are halted [3] [4]. Updates can often come bundled with changes that could affect your privacy settings or introduce features that collect more of your data. Taking control of when and how updates are applied provides you with the opportunity to review any changes before they take effect. By default, the service is enabled and set to start up manually [5]. If you disable this service, you won't be able to use the Windows Update feature for automatic updates [5]. Additionally, other software on your computer won't be able to access the functionalities provided by the Windows Update Agent, commonly known as the WUA API [5]. > **Caution:** This script stops Windows Update Agent's ability to check for and manage system updates.
This means your system > won't automatically receive important updates, which could leave it vulnerable to specific security risks and performance issues > over time.

### Overview of default service statuses

| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 22H2) | 🔴 Stopped | Manual |
| Windows 11 (≥ 23H2) | 🔴 Stopped | Manual |

[1]: https://web.archive.org/web/20230902020255/https://learn.microsoft.com/en-us/troubleshoot/windows-client/deployment/additional-resources-for-windows-update "Additional resources for Windows Update - Windows Client | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20231027190503/https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/troubleshoot-software-update-scan-failures "Troubleshoot software update scan failures - Configuration Manager | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20230905120348/https://learn.microsoft.com/en-us/troubleshoot/windows-client/performance/windows-devices-fail-boot-after-installing-kb4041676-kb4041691 "Windows devices may fail to boot after installing October 10 version of KB 4041676 or 4041691 that contained a publishing issue - Windows Client | Microsoft Learn" [4]: https://web.archive.org/web/20230905120345/https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-servicing "Patching Server Core | Microsoft Learn" [5]: https://web.archive.org/web/20231001150100/https://learn.microsoft.com/en-us/windows/deployment/update/prepare-deploy-windows "Prepare to deploy Windows - Windows Deployment | Microsoft Learn" call: function: DisableService parameters: serviceName: wuauserv # Check: (Get-Service -Name 'wuauserv').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable "Update Orchestrator Service" (`UsoSvc`) docs: |- This script disables the Update Orchestrator Service, also known as "Update Orchestrator Service for Windows
Update" [1]. This service is in charge of managing the download and installation of Windows updates [1] [2]. By default, the service is enabled and set to start up manually [1]. While updates can be crucial for the security of your system, this service can sometimes install them without your approval. This lack of control can pose risks to your privacy, as data might be sent from your system without your knowledge. Windows updates rely on this service [1] [3]. If it is stopped, your devices will not be able to download and install the latest updates [1]. Turning off this service can affect the update process and might cause issues like freezing during update scanning [3]. > **Caution**: This script directly affects the orchestration and scheduling of Windows updates. This can lead to > irregularities in receiving updates, potentially causing delays or failures in obtaining critical security patches and > feature updates specific to Windows functionalities.

### Overview of default service statuses

| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 22H2) | 🟢 Running | Automatic |
| Windows 11 (≥ 23H2) | 🟢 Running | Automatic |

[1]: https://web.archive.org/web/20231004161147/https://learn.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server "Security guidelines for system services in Windows Server 2016 | Microsoft Learn" [2]: https://web.archive.org/web/20230905120348/https://learn.microsoft.com/en-us/troubleshoot/windows-client/performance/windows-devices-fail-boot-after-installing-kb4041676-kb4041691 "Windows devices may fail to boot after installing October 10 version of KB 4041676 or 4041691 that contained a publishing issue - Windows Client | Microsoft Learn" [3]: https://web.archive.org/web/20231001150100/https://learn.microsoft.com/en-us/windows/deployment/update/prepare-deploy-windows "Prepare to deploy Windows - Windows Deployment | Microsoft Learn"
call: function: DisableService parameters: serviceName: UsoSvc # Check: (Get-Service -Name 'UsoSvc').StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - name: Disable "Windows Update Medic Service" (`WaaSMedicSvc`) docs: |- This script disables the Windows Update Medic Service. This service runs quietly in the background [1], making sure that parts related to Windows updates are working as they should [1] [2]. This service can undo any adjustments you've made to your Windows Update settings without your consent. For example, it can re-enable automatic Windows updates [3]. That can interfere if you've tailored these settings for better privacy or security. By default, the service is enabled and its startup setting is set to manual [4] [5]. It executes `%SYSTEMROOT%\System32\WaaSMedicSvc.dll` [5], known as "WaasMedic Service Dll" [6]. It stores remediation configuration such as registry keys, tasks and services in the `%WINDIR%\WaaS\` folder [7] [8] [9]. Other related files include:

| Path | Description | Windows 10 22H2 | Windows 11 23H2 |
| ---- |:-----------:|:---------------:|:---------------:|
| `%SYSTEMROOT%\System32\WaaSMedicAgent.exe` | WaasMedic Agent Exe | ✅ Exists | ❌ Missing |
| `%SYSTEMROOT%\System32\WaaSMedicCapsule.dll` | WaasMedic Capsule Exe | ✅ Exists | ❌ Missing |
| `%SYSTEMROOT%\System32\WaaSMedicPS.dll` | WaaS Medic Proxy Stub library | ✅ Exists | ✅ Exists |
| `%SYSTEMROOT%\System32\WaaSAssessment.dll` | WaaS Assessment | ✅ Exists | ✅ Exists |
| `%SYSTEMROOT%\System32\Windows.Internal.WaaSMedicDocked.dll` | WaaS Assessment | ❌ Missing | ✅ Exists |
| `%WINDIR%\UUS\amd64\WaaSMedicSvcImpl.dll` | WaaS Assessment | ❌ Missing | ✅ Exists |

> **Caution:** While this script provides greater control over Windows Update operations and enhances user > privacy by limiting unsolicited data transmission to Microsoft, it's important to be aware of the potential > impacts on system stability and update integrity.
Disabling the Windows Update Medic Service prevents the > self-healing capability of Windows Updates, favoring the maintenance of user-defined update preferences.

### Overview of default service statuses

| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 22H2) | 🔴 Stopped | Manual |
| Windows 11 (≥ 23H2) | 🔴 Stopped | Manual |

[1]: https://web.archive.org/web/20230905120805/https://support.microsoft.com/en-us/topic/kb5005322-some-devices-cannot-install-new-updates-after-installing-kb5003214-may-25-2021-and-kb5003690-june-21-2021-66edf7cf-5d3c-401f-bd32-49865343144f "KB5005322—Some devices cannot install new updates after installing KB5003214 (May 25, 2021) and KB5003690 (June 21, 2021) - Microsoft Support" [2]: https://web.archive.org/web/20231001150100/https://learn.microsoft.com/en-us/windows/deployment/update/prepare-deploy-windows "Prepare to deploy Windows - Windows Deployment | Microsoft Learn" [3]: https://github.com/undergroundwires/privacy.sexy/issues/252 "Disable automatic Updates · Issue #252 · undergroundwires/privacy.sexy | github.com/undergroundwires/privacy.sexy" [4]: https://web.archive.org/web/20230905120815/https://learn.microsoft.com/en-us/windows/iot/iot-enterprise/optimize/services "Guidance on disabling system services on Windows IoT Enterprise | Microsoft Learn" [5]: https://web.archive.org/web/20231129202405/https://batcmd.com/windows/10/services/waasmedicsvc/ "Windows Update Medic Service - Windows 10 Service | batcmd.com" [6]: https://web.archive.org/web/20231129202715/https://strontic.github.io/xcyclopedia/library/WaaSMedicSvc.dll-4064770B860EF19D55B9DAE32F1B300A.html "WaaSMedicSvc.dll | WaasMedic Service Dll | STRONTIC | strontic.github.io" [7]: https://github.com/undergroundwires/privacy.sexy/issues/272#issuecomment-1821728182 "[BUG]: Windows automatically re-enables Update after 4-5 days · Issue #272 · undergroundwires/privacy.sexy | github.com/undergroundwires" [8]:
https://web.archive.org/web/20231127032408/https://www.acepace.net/2019-03-29-upfc/ "What the bleep is UPFC.exe? | www.acepace.net" [9]: https://web.archive.org/web/20231129203543/https://call4cloud.nl/2022/03/before-we-wipe/ "KB5011487 | KB5011493 | 2022-03 | Windows.old wipe Issue | call4cloud.nl" call: - function: DisableServiceInRegistry # Since Windows 10 21H2 and Windows 11 21H2: # - ❗️ Using `sc config` results in "Access is denied", so the registry should be used to disable the service. parameters: serviceName: WaaSMedicSvc # Check: (Get-Service -Name 'WaaSMedicSvc').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - function: SoftDeleteFiles parameters: fileGlob: '%SYSTEMROOT%\System32\WaaSMedicSvc.dll' grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 - function: TerminateAndBlockExecution parameters: executableNameWithExtension: WaaSMedicAgent.exe - function: SoftDeleteFiles parameters: fileGlob: '%SYSTEMROOT%\System32\WaaSMedicAgent.exe' grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔍 Missing on Windows 11 since 23H2 - function: SoftDeleteFiles parameters: fileGlob: '%SYSTEMROOT%\System32\WaaSMedicCapsule.dll' grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔍 Missing on Windows 11 since 23H2 - function: SoftDeleteFiles parameters: fileGlob: '%SYSTEMROOT%\System32\WaaSMedicPS.dll' grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 - function: SoftDeleteFiles parameters: fileGlob: '%SYSTEMROOT%\System32\WaaSAssessment.dll' grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 - function: SoftDeleteFiles parameters: fileGlob: '%SYSTEMROOT%\System32\Windows.Internal.WaaSMedicDocked.dll' grantPermissions: 'true' # 🔍 Missing on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 - function: SoftDeleteFiles parameters: fileGlob:
'%WINDIR%\UUS\amd64\WaaSMedicSvcImpl.dll' grantPermissions: 'true' # 🔍 Missing on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 - function: SoftDeleteFiles parameters: fileGlob: '%WINDIR%\WaaS\*' # Includes the `services` and `tasks` folders that define the desired state configuration used on remediation. grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 recurse: 'true' - name: Disable automatically enabling Windows Update Medic Service recommend: strict docs: |- This script disables the `upfc.exe` process, preventing it from automatically re-enabling Windows updates [5]. `upfc.exe` is found at `%SYSTEMROOT%\System32\upfc.exe` [1] [2]. This executable is identified by Microsoft as "Updateability From SCM" [1] [2]. SCM refers to the Service Control Manager, a special system process also known as `services.exe` [3]. `upfc.exe` is automatically launched by SCM during system startup [4]. It is part of the Windows Update self-healing mechanism [1]. It recovers the Windows Update Medic Service (`WaaSMedicSvc`) once it has been disabled [1] [5]. `upfc.exe` operates early in the boot process and performs several functions [1]: 1. It checks the details of the `WaaSMedicSvc` against a configuration file, ensuring the service's settings match those listed [1]. 2. If discrepancies are found, such as invalid registry settings, `upfc.exe` recreates the service according to the XML configuration file [1]. However, `upfc.exe` also sends data about its operations to Microsoft [1] [5], including details about discrepancies found and any corrective actions taken [1] [5]. This data is part of the telemetry Microsoft collects [1], which raises privacy concerns. This script will skip some of its disabling logic on older Windows versions due to community reports that disabling it there causes a BSOD (blue screen of death) [5] [6].
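Added example, not part of the collection: a read-only PowerShell posture check for the update components covered by the service and `upfc.exe` entries above. It compares each service's registered start type with the defaults in the entries' status tables and confirms the self-healing files are still present, so a machine on which updates have been switched off (by this collection or by anything else) can be recognised; it assumes the standard services hive and `%SystemRoot%` paths, since the collection's function bodies are not shown here.

```powershell
# Added example, not part of the collection: read-only posture check for the
# Windows Update components the entries above disable.
# Assumptions: standard services registry hive and %SystemRoot% file paths.

# Documented defaults from the "Overview of default service statuses" tables
# (Windows 10 22H2 and Windows 11 23H2).
$ExpectedStartType = @{
    wuauserv     = 'Manual'
    UsoSvc       = 'Automatic'
    WaaSMedicSvc = 'Manual'
}

# Self-healing components the entries soft-delete or block; the entries' own
# comments state all three exist by default on both Windows versions.
$SelfHealingPaths = @(
    "$env:SystemRoot\System32\WaaSMedicSvc.dll",
    "$env:SystemRoot\System32\upfc.exe",
    "$env:SystemRoot\WaaS"
)

function Get-RegisteredStartType {
    param([string]$ServiceName)
    # Read the Start value directly: the WaaSMedicSvc entry disables the service
    # through the registry because `sc config` is refused, so the registry is
    # the authoritative place to look.
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $item = Get-ItemProperty -LiteralPath $key -Name Start -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Missing' }
    switch ([int]$item.Start) {
        2       { 'Automatic' }   # also covers "Automatic (Delayed Start)"
        3       { 'Manual' }
        4       { 'Disabled' }
        default { "Unknown($($item.Start))" }
    }
}

function Get-UpdateComponentPosture {
    foreach ($name in $ExpectedStartType.Keys) {
        $expected = $ExpectedStartType[$name]
        $actual   = Get-RegisteredStartType -ServiceName $name
        $svc      = Get-Service -Name $name -ErrorAction SilentlyContinue
        $status   = if ($svc) { [string]$svc.Status } else { 'n/a' }
        [pscustomobject]@{
            Component = "service $name"
            Expected  = $expected
            Actual    = $actual
            Status    = $status
            Changed   = ($actual -ne $expected)
        }
    }
    foreach ($path in $SelfHealingPaths) {
        $present    = Test-Path -LiteralPath $path
        $actualFile = if ($present) { 'present' } else { 'missing' }
        [pscustomobject]@{
            Component = $path
            Expected  = 'present'
            Actual    = $actualFile
            Status    = 'n/a'
            Changed   = (-not $present)
        }
    }
}

$posture = Get-UpdateComponentPosture
$posture | Format-Table -AutoSize
if ($posture.Changed -contains $true) {
    Write-Warning 'Windows Update components differ from their documented defaults; do not assume security patches will arrive unattended.'
}
```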
          > **Caution:** By disabling `upfc.exe`, this script enhances user privacy by stopping the automatic sending of operational data to Microsoft.
          > However, it's important to note that this might impact the integrity and security of the Windows Update process. Users should weigh the
          > privacy benefits against potential security risks before using this script.

          [1]: https://web.archive.org/web/20231127032408/https://www.acepace.net/2019-03-29-upfc/ "What the bleep is UPFC.exe? | www.acepace.net"
          [2]: https://web.archive.org/web/20231127032440/https://strontic.github.io/xcyclopedia/library/upfc.exe-299EA296575CCB9D2C1A779062535D5C.html "upfc.exe | Updateability From SCM | STRONTIC | strontic.github.io"
          [3]: https://en.wikipedia.org/w/index.php?title=Service_Control_Manager&oldid=1063455957 "Service Control Manager - Wikipedia | en.wikipedia.org"
          [4]: https://web.archive.org/web/20231129135553/https://blogs.windows.com/windows-insider/2018/07/31/announcing-windows-server-2019-insider-preview-build-17723/ "Announcing Windows Server 2019 Insider Preview Build 17723 | Windows Insider Blog | blogs.windows.com"
          [5]: https://github.com/undergroundwires/privacy.sexy/issues/272 "[BUG]: Windows automatically re-enables Update after 4-5 days · Issue #272 · undergroundwires/privacy.sexy | github.com/undergroundwires"
          [6]: https://web.archive.org/web/20231129135227/https://www.tenforums.com/windows-updates-activation/104945-stop-windows-10-updates-properly-completely-25.html "Stop Windows 10 Updates Properly and Completely Solved - Page 25 - Windows 10 Forums | www.tenforums.com"
        call:
          -
            function: SoftDeleteFiles
            parameters:
              fileGlob: '%SYSTEMROOT%\System32\upfc.exe'
              grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2
              beforeIteration: |-
                # Skip Windows versions older than Windows 10 22H2 (build number 19045) to avoid reported blue screen issues.
                $osVersion = [System.Environment]::OSVersion.Version
                function Test-IsBeforeWin10Version22H2 {
                  ($osVersion.Major -lt 10) -or (($osVersion.Major -eq 10) -and ($osVersion.Build -lt 19045))
                }
                if (Test-IsBeforeWin10Version22H2) {
                  Write-Warning 'Skipping the removal of upfc.exe on older Windows versions to prevent possible system crashes or errors.'
                  exit 0
                }
          -
            function: TerminateAndBlockExecution
            parameters:
              executableNameWithExtension: upfc.exe
      -
        category: Disable Windows update scheduled tasks
        docs: |-
          This category includes scripts to disable scheduled tasks that are associated with the automatic functioning of the Windows Update service.
          These tasks are responsible for various background update-related activities such as checking for updates, downloading, and installing them in the background without user intervention.

          Disabling these tasks grants users more control over when and how updates are applied.
          This approach is often preferred by those wishing to manually manage updates or avoid unanticipated system modifications without consent, and it is considered a best practice in high-security environments where precise control over updates is crucial.

          However, it's important to exercise caution with these changes.
          Disabling automatic updates can lead to missed critical security patches and feature updates, potentially leaving the system vulnerable.

          To view all the scheduled tasks related to Windows Update, you can use the following PowerShell command:

          ```powershell
          @('\Microsoft\Windows\UpdateOrchestrator\*', '\Microsoft\Windows\WindowsUpdate\*', '\Microsoft\Windows\WaaSMedic\*', '\Microsoft\Windows\InstallService\*') `
            | ForEach-Object { Get-ScheduledTask -TaskName '*' -TaskPath $_ -ErrorAction SilentlyContinue } `
            | ForEach-Object { Write-Host "$($_.TaskPath)$($_.TaskName)" }
          ```
        children:
          -
            name: Disable "RestoreDevice" task
            docs: |-
              This script disables the "RestoreDevice" scheduled task.
              This task is involved in restoring device settings or drivers as part of update processes.

              ### Overview of default task statuses

              `\Microsoft\Windows\InstallService\RestoreDevice`:

              | OS Version | Default status |
              | ---------------- | ------ |
              | Windows 10 22H2 | 🟡 N/A (missing) |
              | Windows 11 22H2 | 🟡 N/A (missing) |
              | Windows 11 23H2 | 🟢 Ready |
            call:
              function: DisableScheduledTask
              parameters:
                # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\InstallService\' -TaskName 'RestoreDevice'
                taskPathPattern: \Microsoft\Windows\InstallService\
                taskNamePattern: RestoreDevice
          -
            name: Disable "ScanForUpdates" task
            docs: |-
              This script disables the "ScanForUpdates" scheduled task.
              This task is responsible for performing update scans.

              Microsoft officially documents this task as part of the Windows updates process [1].
              Microsoft suggests disabling this task as a measure to reduce data collection and improve performance [2].
              This recommendation is also supported by Citrix for optimization purposes [3].
              ### Overview of default task statuses

              `\Microsoft\Windows\InstallService\ScanForUpdates`:

              | OS Version | Default status |
              | ---------------- | ------ |
              | Windows 10 22H2 | 🟢 Ready |
              | Windows 11 22H2 | 🟢 Ready |
              | Windows 11 23H2 | 🟢 Ready |

              [1]: https://web.archive.org/web/20231111173058/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004#re-enable-windows-update "Optimizing Windows 10, Build 2004, for a Virtual Desktop role | Microsoft Learn | learn.microsoft.com"
              [2]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#scheduled-tasks "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn | learn.microsoft.com"
              [3]: https://web.archive.org/web/20231111173043/https://www.citrix.com/blogs/2021/02/17/tm-citrix-optimizer-2-8-whats-new/ "Citrix Optimizer 2.8 – What’s new - Citrix Blogs | www.citrix.com"
            call:
              function: DisableScheduledTask
              parameters:
                # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\InstallService\' -TaskName 'ScanForUpdates'
                taskPathPattern: \Microsoft\Windows\InstallService\
                taskNamePattern: ScanForUpdates
          -
            name: Disable "ScanForUpdatesAsUser" task
            docs: |-
              This script disables the "ScanForUpdatesAsUser" scheduled task.
              This task is responsible for performing update scans under user-specific contexts.

              Microsoft officially documents this task as part of the Windows updates process [1].
              Microsoft suggests disabling this task as a measure to reduce data collection and improve performance [2].
              This recommendation is also supported by Citrix for optimization purposes [3].
              ### Overview of default task statuses

              `\Microsoft\Windows\InstallService\ScanForUpdatesAsUser`:

              | OS Version | Default status |
              | ---------------- | ------ |
              | Windows 10 22H2 | 🟢 Ready |
              | Windows 11 22H2 | 🟢 Ready |
              | Windows 11 23H2 | 🟢 Ready |

              [1]: https://web.archive.org/web/20231111173058/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004#re-enable-windows-update "Optimizing Windows 10, Build 2004, for a Virtual Desktop role | Microsoft Learn | learn.microsoft.com"
              [2]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#scheduled-tasks "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn | learn.microsoft.com"
              [3]: https://web.archive.org/web/20231111173043/https://www.citrix.com/blogs/2021/02/17/tm-citrix-optimizer-2-8-whats-new/ "Citrix Optimizer 2.8 – What’s new - Citrix Blogs | www.citrix.com"
            call:
              function: DisableScheduledTask
              parameters:
                # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\InstallService\' -TaskName 'ScanForUpdatesAsUser'
                taskPathPattern: \Microsoft\Windows\InstallService\
                taskNamePattern: ScanForUpdatesAsUser
          -
            name: Disable "SmartRetry" task
            docs: |-
              This script disables the "SmartRetry" scheduled task.
              This task handles the automatic retrying of failed updates, attempting to redownload or reinstall updates that didn't install successfully on the first try.

              Microsoft officially documents this task as part of the Windows updates process [1].
              Microsoft suggests disabling this task as a measure to reduce data collection and improve performance [2].
              This recommendation is also supported by Citrix for optimization purposes [3].
              ### Overview of default task statuses

              `\Microsoft\Windows\InstallService\SmartRetry`:

              | OS Version | Default status |
              | ---------------- | ------ |
              | Windows 10 22H2 | 🟢 Ready |
              | Windows 11 22H2 | 🟢 Ready |
              | Windows 11 23H2 | 🟢 Ready |

              [1]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#scheduled-tasks "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn | learn.microsoft.com"
              [2]: https://web.archive.org/web/20231111172942/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-applicationmanagement "ApplicationManagement Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
              [3]: https://web.archive.org/web/20231111173043/https://www.citrix.com/blogs/2021/02/17/tm-citrix-optimizer-2-8-whats-new/ "Citrix Optimizer 2.8 – What’s new - Citrix Blogs | www.citrix.com"
            call:
              function: DisableScheduledTask
              parameters:
                # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\InstallService\' -TaskName 'SmartRetry'
                taskPathPattern: \Microsoft\Windows\InstallService\
                taskNamePattern: SmartRetry
          -
            name: Disable "WakeUpAndContinueUpdates" task
            docs: |-
              This script disables the "WakeUpAndContinueUpdates" scheduled task.
              This task is responsible for waking the computer from sleep to continue or complete pending updates.
              ### Overview of default task statuses

              `\Microsoft\Windows\InstallService\WakeUpAndContinueUpdates`:

              | OS Version | Default status |
              | ---------------- | ------ |
              | Windows 10 22H2 | 🔴 Disabled |
              | Windows 11 22H2 | 🔴 Disabled |
              | Windows 11 23H2 | 🔴 Disabled |
            call:
              function: DisableScheduledTask
              parameters:
                # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\InstallService\' -TaskName 'WakeUpAndContinueUpdates'
                taskPathPattern: \Microsoft\Windows\InstallService\
                taskNamePattern: WakeUpAndContinueUpdates
                disableOnRevert: 'true'
          -
            name: Disable "WakeUpAndScanForUpdates" task
            docs: |-
              This script disables the "WakeUpAndScanForUpdates" scheduled task.
              This task is responsible for waking up the system at scheduled times to check for Windows updates.

              ### Overview of default task statuses

              `\Microsoft\Windows\InstallService\WakeUpAndScanForUpdates`:

              | OS Version | Default status |
              | ---------------- | ------ |
              | Windows 10 22H2 | 🔴 Disabled |
              | Windows 11 22H2 | 🔴 Disabled |
              | Windows 11 23H2 | 🔴 Disabled |
            call:
              function: DisableScheduledTask
              parameters:
                # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\InstallService\' -TaskName 'WakeUpAndScanForUpdates'
                taskPathPattern: \Microsoft\Windows\InstallService\
                taskNamePattern: WakeUpAndScanForUpdates
                disableOnRevert: 'true'
          -
            name: Disable "Scheduled Start" task
            docs: |-
              This script disables the "Scheduled Start" scheduled task.
              This task initiates the Windows Update service at predetermined times or under specific conditions to perform tasks like checking for and installing updates.

              According to the Task Scheduler, this task initiates the Windows Update service for scheduled operations like scans [1].
              It executes `%SYSTEMROOT%\System32\sc.exe start wuauserv` [1].
              ### Overview of default task statuses

              `\Microsoft\Windows\WindowsUpdate\Scheduled Start`:

              | OS Version | Default status |
              | ---------------- | ------ |
              | Windows 10 22H2 | 🟢 Ready |
              | Windows 11 22H2 | 🟢 Ready |
              | Windows 11 23H2 | 🟢 Ready |

              [1]: https://web.archive.org/web/20231111172839/http://windows.fyicenter.com/4451_Scheduled_Start_Scheduled_Task_on_Windows_8.html '"Scheduled Start" Scheduled Task on Windows 8 | windows.fyicenter.com'
            call:
              function: DisableScheduledTask
              parameters:
                # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\WindowsUpdate\' -TaskName 'Scheduled Start'
                taskPathPattern: \Microsoft\Windows\WindowsUpdate\
                taskNamePattern: Scheduled Start
          -
            name: Disable "Report policies" task
            docs: |-
              This script disables the "Report policies" scheduled task.
              This task might be responsible for reporting policy-related information to Windows Update or other system management tools.

              According to the Task Scheduler, this task executes `%SYSTEMROOT%\System32\UsoClient.exe ReportPolicies`.

              ### Overview of default task statuses

              `\Microsoft\Windows\UpdateOrchestrator\Report policies`:

              | OS Version | Default status |
              | ---------------- | ------ |
              | Windows 10 22H2 | 🟢 Ready |
              | Windows 11 22H2 | 🟢 Ready |
              | Windows 11 23H2 | 🟢 Ready |
            call:
              function: DisableScheduledTask
              parameters:
                # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'Report policies'
                taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
                taskNamePattern: Report policies
                grantPermissions: 'true' # 🔒 No permissions, tested since [≥ Windows 10 22H2] [≥ Windows 11 22H2]
          -
            name: Disable "Schedule Maintenance Work" task
            docs: |-
              This script disables the "Schedule Maintenance Work" scheduled task.
              This task is responsible for performing maintenance activities related to Windows Update, such as cleanup operations or preparation steps for update installations.
              According to the Task Scheduler, this task executes `%SYSTEMROOT%\System32\UsoClient.exe StartMaintenanceWork`.

              ### Overview of default task statuses

              `\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work`:

              | OS Version | Default status |
              | ---------------- | ------ |
              | Windows 10 22H2 | 🔴 Disabled |
              | Windows 11 22H2 | 🔴 Disabled |
              | Windows 11 23H2 | 🔴 Disabled |
            call:
              function: DisableScheduledTask
              parameters:
                # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'Schedule Maintenance Work'
                taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
                taskNamePattern: Schedule Maintenance Work
                disableOnRevert: 'true'
                grantPermissions: 'true' # 🔒 No permissions, tested since [≥ Windows 10 22H2] [≥ Windows 11 22H2]
          -
            name: Disable "Schedule Scan" task
            docs: |-
              This script disables the "Schedule Scan" scheduled task.
              This task is responsible for periodically scanning for Windows updates.

              According to the Task Scheduler, this task executes `%SYSTEMROOT%\System32\UsoClient.exe StartScan`.

              ### Overview of default task statuses

              `\Microsoft\Windows\UpdateOrchestrator\Schedule Scan`:

              | OS Version | Default status |
              | ---------------- | ------ |
              | Windows 10 22H2 | 🟢 Ready |
              | Windows 11 22H2 | 🟢 Ready |
              | Windows 11 23H2 | 🟢 Ready |
            call:
              function: DisableScheduledTask
              parameters:
                # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'Schedule Scan'
                taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
                taskNamePattern: Schedule Scan
                grantPermissions: 'true' # 🔒 No permissions, tested since [≥ Windows 10 22H2] [≥ Windows 11 22H2]
          -
            name: Disable "Schedule Scan Static Task" task
            docs: |-
              This script disables the "Schedule Scan Static Task" scheduled task.
              This task is responsible for running update scans at static, predefined intervals.

              According to the Task Scheduler, this task conducts a scheduled Windows Update scan.
              It executes `%SYSTEMROOT%\System32\UsoClient.exe StartScan`.
              ### Overview of default task statuses

              `\Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task`:

              | OS Version | Default status |
              | ---------------- | ------ |
              | Windows 10 22H2 | 🟢 Ready |
              | Windows 11 22H2 | 🟢 Ready |
              | Windows 11 23H2 | 🟢 Ready |
            call:
              function: DisableScheduledTask
              parameters:
                # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'Schedule Scan Static Task'
                taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
                taskNamePattern: Schedule Scan Static Task
                grantPermissions: 'true' # 🔒 No permissions, tested since [≥ Windows 10 22H2] [≥ Windows 11 22H2]
          -
            name: Disable "Schedule Wake To Work" task
            docs: |-
              This script disables the "Schedule Wake To Work" scheduled task.
              This task is responsible for waking the computer from sleep or low-power mode to perform Windows updates.

              According to the Task Scheduler, this task executes `%SYSTEMROOT%\System32\UsoClient.exe StartWork`.

              ### Overview of default task statuses

              `\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work`:

              | OS Version | Default status |
              | ---------------- | ------ |
              | Windows 10 22H2 | 🔴 Disabled |
              | Windows 11 22H2 | 🔴 Disabled |
              | Windows 11 23H2 | 🔴 Disabled |
            call:
              function: DisableScheduledTask
              parameters:
                # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'Schedule Wake To Work'
                taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
                taskNamePattern: Schedule Wake To Work
                disableOnRevert: 'true'
                grantPermissions: 'true' # 🔒 No permissions, tested since [≥ Windows 10 22H2] [≥ Windows 11 22H2]
          -
            name: Disable "Schedule Work" task
            docs: |-
              This script disables the "Schedule Work" scheduled task.
              This task is responsible for scheduling and initiating Windows update processes at predetermined times.

              According to the Task Scheduler, this task executes `%SYSTEMROOT%\System32\UsoClient.exe StartWork`.
              ### Overview of default task statuses

              `\Microsoft\Windows\UpdateOrchestrator\Schedule Work`:

              | OS Version | Default status |
              | ---------------- | ------ |
              | Windows 10 22H2 | 🔴 Disabled |
              | Windows 11 22H2 | 🔴 Disabled |
              | Windows 11 23H2 | 🔴 Disabled |
            call:
              function: DisableScheduledTask
              parameters:
                # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'Schedule Work'
                taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
                taskNamePattern: Schedule Work
                disableOnRevert: 'true'
                grantPermissions: 'true' # 🔒 No permissions, tested since [≥ Windows 10 22H2] [≥ Windows 11 22H2]
          -
            name: Disable "UpdateModelTask" task
            docs: |-
              This script disables the "UpdateModelTask" scheduled task.
              This task is responsible for updating Machine Learning (ML) models related to Windows Updates.

              According to the Task Scheduler, its purpose is to update ML models and it executes `%SYSTEMROOT%\System32\UsoClient.exe StartModelUpdates`.
              Microsoft suggests disabling it for performance optimization and reduced data collection [1].
              ### Overview of default task statuses

              `\Microsoft\Windows\UpdateOrchestrator\UpdateModelTask`:

              | OS Version | Default status |
              | ---------------- | ------ |
              | Windows 10 22H2 | 🟢 Ready |
              | Windows 11 22H2 | 🟡 N/A (missing) |
              | Windows 11 23H2 | 🟡 N/A (missing) |

              [1]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#scheduled-tasks "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn | learn.microsoft.com"
            call:
              function: DisableScheduledTask
              parameters:
                # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'UpdateModelTask'
                taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
                taskNamePattern: UpdateModelTask
                grantPermissions: 'true' # 🔒 No permissions, tested since [≥ Windows 10 22H2]
          -
            name: Disable "Start Oobe Expedite Work" task
            docs: |-
              This script disables the "Start Oobe Expedite Work" scheduled task.
              This task is responsible for performing tasks related to the "out-of-box experience" (OOBE) in Windows, such as updating system settings, applications, or features soon after a system update or initial setup.

              According to the Task Scheduler, its purpose is to perform a scheduled Windows Update scan.
              It executes `%SYSTEMROOT%\System32\UsoClient.exe StartWork`.
              ### Overview of default task statuses

              `\Microsoft\Windows\UpdateOrchestrator\Start Oobe Expedite Work`:

              | OS Version | Default status |
              | ---------------- | ------ |
              | Windows 10 22H2 | 🟡 N/A (missing) |
              | Windows 11 22H2 | 🟢 Ready |
              | Windows 11 23H2 | 🟢 Ready |
            call:
              function: DisableScheduledTask
              parameters:
                # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'Start Oobe Expedite Work'
                taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
                taskNamePattern: Start Oobe Expedite Work
                grantPermissions: 'true' # 🔒 No permissions, tested since [≥ Windows 11 22H2]
          -
            name: Disable "StartOobeAppsScan_LicenseAccepted" task
            docs: |-
              This script disables the "StartOobeAppsScan_LicenseAccepted" scheduled task.
              This task is responsible for initiating a scan of applications as part of the OOBE process, after a license agreement is accepted, verifying that apps are up-to-date.

              According to the Task Scheduler, its purpose is to perform a scheduled Windows Update scan.
              It executes `%SYSTEMROOT%\System32\UsoClient.exe StartOobeAppsScan`.

              ### Overview of default task statuses

              `\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScan_LicenseAccepted`:

              | OS Version | Default status |
              | ---------------- | ------ |
              | Windows 10 22H2 | 🟡 N/A (missing) |
              | Windows 11 22H2 | 🟢 Ready |
              | Windows 11 23H2 | 🟢 Ready |
            call:
              function: DisableScheduledTask
              parameters:
                # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'StartOobeAppsScan_LicenseAccepted'
                taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
                taskNamePattern: StartOobeAppsScan_LicenseAccepted
                grantPermissions: 'true' # 🔒 No permissions, tested since [≥ Windows 11 22H2]
          -
            name: Disable "StartOobeAppsScan_OobeAppReady" task
            docs: |-
              This script disables the "StartOobeAppsScan_OobeAppReady" scheduled task.
              This task is responsible for scanning applications during the OOBE phase, verifying that apps are ready for use after system updates.
              According to the Task Scheduler, it performs a scheduled Windows Update scan.
              It executes `%SYSTEMROOT%\System32\UsoClient.exe StartOobeAppsScan`.

              ### Overview of default task statuses

              `\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScan_OobeAppReady`:

              | OS Version | Default status |
              | ---------------- | ------ |
              | Windows 10 22H2 | 🟡 N/A (missing) |
              | Windows 11 22H2 | 🟢 Ready |
              | Windows 11 23H2 | 🟢 Ready |
            call:
              function: DisableScheduledTask
              parameters:
                # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'StartOobeAppsScan_OobeAppReady'
                taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
                taskNamePattern: StartOobeAppsScan_OobeAppReady
                grantPermissions: 'true' # 🔒 No permissions, tested since [≥ Windows 11 22H2]
          -
            name: Disable "StartOobeAppsScanAfterUpdate" task
            docs: |-
              This script disables the "StartOobeAppsScanAfterUpdate" scheduled task.
              This task is responsible for scanning applications following a system update, as part of the OOBE process, to verify that all applications are compatible with the new update.

              According to the Task Scheduler, it performs a scheduled Windows Update scan.
              It executes `%SYSTEMROOT%\System32\UsoClient.exe StartOobeAppsScanAfterUpdate`.

              ### Overview of default task statuses

              `\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScanAfterUpdate`:

              | OS Version | Default status |
              | ---------------- | ------ |
              | Windows 10 22H2 | 🟡 N/A (missing) |
              | Windows 11 22H2 | 🟢 Ready |
              | Windows 11 23H2 | 🟢 Ready |
            call:
              function: DisableScheduledTask
              parameters:
                # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'StartOobeAppsScanAfterUpdate'
                taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
                taskNamePattern: StartOobeAppsScanAfterUpdate
                grantPermissions: 'true' # 🔒 No permissions, tested since [≥ Windows 11 22H2]
          -
            name: Disable "USO_UxBroker" task
            docs: |-
              This script disables the "USO_UxBroker" scheduled task.
              This task is related to the User Experience (UX) Broker process in Windows, managing user notifications or interactions required after an update.

              According to the Task Scheduler, this task is responsible for triggering a system reboot following update installations.
              It executes `%SYSTEMROOT%\System32\MusNotification.exe`.
              Disabling this task is recommended to reduce data collection and enhance system performance [1].

              ### Overview of default task statuses

              `\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker`:

              | OS Version | Default status |
              | ---------------- | ------ |
              | Windows 10 22H2 | 🟢 Ready |
              | Windows 11 22H2 | 🟢 Ready |
              | Windows 11 23H2 | 🟢 Ready |

              [1]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#scheduled-tasks "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn | learn.microsoft.com"
            call:
              function: DisableScheduledTask
              parameters:
                # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'USO_UxBroker'
                taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
                taskNamePattern: USO_UxBroker
                grantPermissions: 'true' # 🔒 No permissions, tested since [≥ Windows 10 22H2] [≥ Windows 11 22H2]
          -
            name: Disable "UUS Failover Task" task
            docs: |-
              This script disables the "UUS Failover Task" scheduled task.
              This task is responsible for the failover mechanism for updates, designed to handle scenarios where a primary update process fails or encounters issues.

              According to the Task Scheduler, this task is responsible for performing a scheduled Windows Update scan.
              It executes `%SYSTEMROOT%\System32\UsoClient.exe HandleUusFailoverSignal`.
              ### Overview of default task statuses

              `\Microsoft\Windows\UpdateOrchestrator\UUS Failover Task`:

              | OS Version | Default status |
              | ---------------- | ------ |
              | Windows 10 22H2 | 🟡 N/A (missing) |
              | Windows 11 22H2 | 🟢 Ready |
              | Windows 11 23H2 | 🟢 Ready |
            call:
              function: DisableScheduledTask
              parameters:
                # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'UUS Failover Task'
                taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
                taskNamePattern: UUS Failover Task
                grantPermissions: 'true' # 🔒 No permissions, tested since [≥ Windows 11 22H2]
          -
            name: Disable "PerformRemediation" task
            docs: |-
              This script disables the "PerformRemediation" scheduled task.
              This task is responsible for performing remediation or recovery actions for update-related services, ensuring that these services are running in a supported configuration, particularly after updates.

              According to the Task Scheduler, this task aids in recovering update-related services to a supported configuration.
              This task restarts Windows Update Medic Service (`WaaSMedicSvc`), even if it is disabled manually [1].
              Microsoft suggests disabling this task to minimize data collection and optimize performance [2].
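              The audit below is an added example and not one of this collection's own scripts: it reads, without changing anything, the state of the self-healing chain described here and in the `WaaSMedicSvc` and `upfc.exe` scripts (the service start type in the registry, this `PerformRemediation` task, the `upfc.exe` and WaaS files) and lists the current state of every task in the four task folders named in the category docs, so the default-status tables can be compared against a given build.
              The function names and the registry `Start` value mapping (2 = Automatic, 3 = Manual, 4 = Disabled) are the example's own assumptions.

              ```powershell
              # Added example, not one of privacy.sexy's own scripts: a read-only audit of the Windows Update
              # self-healing chain described in this collection. Run from an elevated PowerShell 5.1+ session.
              # Assumption: the SCM registry "Start" convention 2 = Automatic, 3 = Manual, 4 = Disabled.

              $StartTypeNames = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

              # Reads the start type from the registry rather than via `sc` or Get-Service, because the
              # collection disables WaaSMedicSvc in the registry and `sc config` is refused on it.
              function Get-ServiceStartFromRegistry {
                  param([Parameter(Mandatory)][string]$ServiceName)
                  $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
                  if (-not (Test-Path -LiteralPath $key)) { return 'N/A (missing)' }
                  $start = (Get-ItemProperty -LiteralPath $key -Name 'Start' -ErrorAction SilentlyContinue).Start
                  if ($null -eq $start) { return 'Unknown' }
                  if ($StartTypeNames.ContainsKey([int]$start)) { return $StartTypeNames[[int]$start] }
                  return "Start=$start"
              }

              # Returns the Task Scheduler state (Ready, Disabled, Running, ...) or a marker when the task
              # does not exist on this Windows build, matching the "N/A (missing)" rows in the tables above.
              function Get-TaskStateOrMissing {
                  param([Parameter(Mandatory)][string]$TaskPath, [Parameter(Mandatory)][string]$TaskName)
                  $task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction SilentlyContinue
                  if ($null -eq $task) { return 'N/A (missing)' }
                  return [string]$task.State
              }

              # Every task in the four folders the category docs enumerate, with its current state.
              function Get-UpdateTaskStates {
                  $folders = @('\Microsoft\Windows\UpdateOrchestrator\', '\Microsoft\Windows\WindowsUpdate\',
                               '\Microsoft\Windows\WaaSMedic\', '\Microsoft\Windows\InstallService\')
                  foreach ($folder in $folders) {
                      Get-ScheduledTask -TaskPath "$folder*" -ErrorAction SilentlyContinue |
                          ForEach-Object { [pscustomobject]@{ Task = "$($_.TaskPath)$($_.TaskName)"; State = [string]$_.State } }
                  }
              }

              # Components this collection removes or disables; paths are the ones used by the scripts above.
              $SelfHealFiles = @(
                  "$env:SystemRoot\System32\WaaSMedicSvc.dll",
                  "$env:SystemRoot\System32\WaaSMedicAgent.exe",
                  "$env:SystemRoot\System32\upfc.exe",
                  "$env:SystemRoot\UUS\amd64\WaaSMedicSvcImpl.dll",
                  "$env:SystemRoot\WaaS"
              )

              function Get-UpdateSelfHealReport {
                  $rows = [System.Collections.Generic.List[object]]::new()
                  foreach ($svc in @('WaaSMedicSvc', 'wuauserv')) {
                      $rows.Add([pscustomobject]@{ Kind = 'Service'; Item = $svc; State = Get-ServiceStartFromRegistry -ServiceName $svc })
                  }
                  $rows.Add([pscustomobject]@{ Kind = 'Task'; Item = '\Microsoft\Windows\WaaSMedic\PerformRemediation';
                      State = Get-TaskStateOrMissing -TaskPath '\Microsoft\Windows\WaaSMedic\' -TaskName 'PerformRemediation' })
                  foreach ($path in $SelfHealFiles) {
                      $state = if (Test-Path -LiteralPath $path) { 'Present' } else { 'N/A (missing)' }
                      $rows.Add([pscustomobject]@{ Kind = 'File'; Item = $path; State = $state })
                  }
                  return $rows
              }

              # WaaSMedicSvc can come back if it can still start on its own, if PerformRemediation is
              # ready to restore it, or if upfc.exe is present to recreate it at boot.
              function Test-UpdateSelfHealActive {
                  param([Parameter(Mandatory)][object[]]$Report)
                  $medic = ($Report | Where-Object { $_.Kind -eq 'Service' -and $_.Item -eq 'WaaSMedicSvc' }).State
                  $task  = ($Report | Where-Object { $_.Kind -eq 'Task' }).State
                  $upfc  = ($Report | Where-Object { $_.Kind -eq 'File' -and $_.Item -like '*\upfc.exe' }).State
                  return ($medic -in @('Automatic', 'Manual')) -or ($task -eq 'Ready') -or ($upfc -eq 'Present')
              }

              $report = Get-UpdateSelfHealReport
              $report | Format-Table -AutoSize
              Get-UpdateTaskStates | Sort-Object Task | Format-Table -AutoSize
              if (Test-UpdateSelfHealActive -Report $report) {
                  Write-Warning 'A path that can re-enable WaaSMedicSvc is still active on this system.'
              } else {
                  Write-Host 'No active re-enable path for WaaSMedicSvc was found.'
              }
              ```

              Run it once before and once after applying the scripts; a task that still reports `Ready` after the run is one the collection could not disable on that build.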
              ### Overview of default task statuses

              `\Microsoft\Windows\WaaSMedic\PerformRemediation`:

              | OS Version | Default status |
              | ---------------- | ------ |
              | Windows 10 22H2 | 🟢 Ready |
              | Windows 11 22H2 | 🟢 Ready |
              | Windows 11 23H2 | 🟢 Ready |

              [1]: https://github.com/undergroundwires/privacy.sexy/issues/272#issuecomment-1772602388 "[BUG]: Windows automatically re-enables Update after 4-5 days · Issue #272 · undergroundwires/privacy.sexy | github.com/undergroundwires"
              [2]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#scheduled-tasks "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn | learn.microsoft.com"
            call:
              function: DisableScheduledTask
              parameters:
                # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\WaaSMedic\' -TaskName 'PerformRemediation'
                taskPathPattern: \Microsoft\Windows\WaaSMedic\
                taskNamePattern: PerformRemediation
                grantPermissions: 'true' # 🔒 No permissions, tested since [≥ Windows 10 22H2] [≥ Windows 11 22H2]
          -
            name: Disable outdated Windows Update tasks
            docs: |-
              This script disables older scheduled tasks associated with Windows updates, which are no longer present in Windows versions since Windows 10 22H2 and Windows 11 22H2.
              The script is compatible with Windows 10 and newer versions, skipping any missing tasks on recent systems.

              These tasks are linked to specific system files and are involved in various update processes, such as downloading and installing updates, rebooting after updates, and more.
              Disabling these tasks can help reduce unnecessary system activity and potentially enhance privacy by limiting background update operations.
### Overview of older Windows Update tasks | Task path | Related system file | | --------- | ------- | | `\Microsoft\Windows\UpdateOrchestrator\AC Power Download` | `UsoClient.exe` | | `\Microsoft\Windows\UpdateOrchestrator\AC Power Install` | `UsoClient.exe` | | `\Microsoft\Windows\UpdateOrchestrator\Backup Scan` | `UsoClient.exe` | | `\Microsoft\Windows\UpdateOrchestrator\Battery Saver Deferred Install` | `UsoClient.exe` | | `\Microsoft\Windows\UpdateOrchestrator\Driver Install` | `UsoClient.exe` | | `\Microsoft\Windows\UpdateOrchestrator\Maintenance Install` | `UsoClient.exe` | | `\Microsoft\Windows\UpdateOrchestrator\MusUx_LogonUpdateResults` | `MusNotification.exe` | | `\Microsoft\Windows\UpdateOrchestrator\MusUx_UpdateInterval` | `MusNotification.exe` | | `\Microsoft\Windows\UpdateOrchestrator\Policy Install` | `UsoClient.exe` | | `\Microsoft\Windows\UpdateOrchestrator\Reboot` | `MusNotification.exe` | | `\Microsoft\Windows\UpdateOrchestrator\Reboot_AC` | `MusNotification.exe` | | `\Microsoft\Windows\UpdateOrchestrator\Reboot_Battery` | `MusNotification.exe` | | `\Microsoft\Windows\UpdateOrchestrator\Refresh Settings` | `UsoClient.exe` | | `\Microsoft\Windows\UpdateOrchestrator\Resume On Boot` | `UsoClient.exe` | | `\Microsoft\Windows\UpdateOrchestrator\Schedule Retry Scan` | `UsoClient.exe` | | `\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScan` | `UsoClient.exe` | | `\Microsoft\Windows\UpdateOrchestrator\USO_Broker_Display` | `MusNotification.exe` | | `\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_Display` | `MusNotification.exe` | | `\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_ReadyToReboot` | `MusNotification.exe` | | `\Microsoft\Windows\UpdateOrchestrator\Universal Orchestrator Idle Start` | `UsoClient.exe` | | `\Microsoft\Windows\UpdateOrchestrator\Universal Orchestrator Start` | `UsoClient.exe` | | `\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant` | `UpdateAssistant.exe` | | 
`\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantAllUsersRun` | `UpdateAssistant.exe` | | `\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun` | `UpdateAssistant.exe` | | `\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun` | `UpdateAssistant.exe` | | `\Microsoft\Windows\WindowsUpdate\AUScheduledInstall` | `wuaueng.dll` | | `\Microsoft\Windows\WindowsUpdate\AUSessionConnect` | `wuaueng.dll` | | `\Microsoft\Windows\WindowsUpdate\Automatic App Update` | `wuautoappupdate.dll` | | `\Microsoft\Windows\WindowsUpdate\RUXIM\PLUGScheduler` | `PLUGscheduler.exe` | | `\Microsoft\Windows\WindowsUpdate\Scheduled Start With Network` | `wuauserv` (via `sc`) | | `\Microsoft\Windows\WindowsUpdate\sih` | `SIHClient.exe` | | `\Microsoft\Windows\WindowsUpdate\sihboot` | `SIHClient.exe` | | `\Microsoft\Windows\WindowsUpdate\sihpostreboot` | `SIHClient.exe` | call: - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: AC Power Download - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: AC Power Install - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: Backup Scan - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: Battery Saver Deferred Install - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: Driver Install - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: Maintenance Install - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: MusUx_LogonUpdateResults - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: MusUx_UpdateInterval - 
function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: Policy Install - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: Reboot - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: Reboot_AC - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: Reboot_Battery - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: Refresh Settings - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: Resume On Boot - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: Schedule Retry Scan - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: StartOobeAppsScan - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: USO_Broker_Display - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: USO_UxBroker_Display - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: USO_UxBroker_ReadyToReboot - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: Universal Orchestrator Start - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: Universal Orchestrator Idle Start - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: UpdateAssistant - function: DisableScheduledTask parameters: taskPathPattern: 
\Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: UpdateAssistantAllUsersRun - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: UpdateAssistantCalendarRun - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: UpdateAssistantWakeupRun - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\WindowsUpdate\ taskNamePattern: AUScheduledInstall - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\WindowsUpdate\ taskNamePattern: AUSessionConnect - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\WindowsUpdate\ taskNamePattern: Automatic App Update - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\WindowsUpdate\RUXIM\ taskNamePattern: PLUGScheduler - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\WindowsUpdate\ taskNamePattern: Scheduled Start With Network - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\WindowsUpdate\ taskNamePattern: sih - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\WindowsUpdate\ taskNamePattern: sihboot - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\WindowsUpdate\ taskNamePattern: sihpostreboot - category: Maximize auto-update duration docs: |- This category includes scripts designed to extend the intervals between automatic updates. These scripts provide users with greater control over the timing of system updates. By adjusting the schedule of these updates, users can minimize interruptions and potential system instability associated with frequent updates. > **Caution**: Postponing updates can delay critical security fixes and feature enhancements, > increasing potential security risks for your computer. 
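Before the `DisableScheduledTask` calls above are run, it is worth checking which of the tasks in the table still exist on the build at hand, what they actually launch, and which are already disabled, so that a revert only re-enables what was enabled before. The following is an added example, not code from the privacy.sexy collection: it audits the tasks from the table with the built-in `ScheduledTasks` module and writes a baseline file that a restore function reads back. It assumes Windows 8 / Server 2012 or later and an elevated session; the baseline path under `%ProgramData%` is an arbitrary choice.

```powershell
# Added example (not part of the privacy.sexy collection): audit the Windows Update
# scheduled tasks listed in the table above, then save/restore a baseline of their state.
# Assumes the ScheduledTasks module (Windows 8 / Server 2012+) and an elevated session.

$updateTasks = @{
    '\Microsoft\Windows\UpdateOrchestrator\' = @(
        'AC Power Download', 'AC Power Install', 'Backup Scan', 'Battery Saver Deferred Install',
        'Driver Install', 'Maintenance Install', 'MusUx_LogonUpdateResults', 'MusUx_UpdateInterval',
        'Policy Install', 'Reboot', 'Reboot_AC', 'Reboot_Battery', 'Refresh Settings', 'Resume On Boot',
        'Schedule Retry Scan', 'StartOobeAppsScan', 'USO_Broker_Display', 'USO_UxBroker_Display',
        'USO_UxBroker_ReadyToReboot', 'Universal Orchestrator Idle Start', 'Universal Orchestrator Start',
        'UpdateAssistant', 'UpdateAssistantAllUsersRun', 'UpdateAssistantCalendarRun', 'UpdateAssistantWakeupRun'
    )
    '\Microsoft\Windows\WindowsUpdate\' = @(
        'AUScheduledInstall', 'AUSessionConnect', 'Automatic App Update', 'Scheduled Start With Network',
        'sih', 'sihboot', 'sihpostreboot'
    )
    '\Microsoft\Windows\WindowsUpdate\RUXIM\' = @('PLUGScheduler')
}

function Get-TaskActionSummary {
    # Exec actions expose Execute/Arguments; COM-handler actions only expose a ClassId.
    param($Task)
    $action = @($Task.Actions)[0]
    if ($null -eq $action) { return '(no action)' }
    if ($action.PSObject.Properties['Execute'] -and $action.Execute) {
        return ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
    }
    if ($action.PSObject.Properties['ClassId']) { return "COM handler $($action.ClassId)" }
    return $action.CimClass.CimClassName
}

function Get-UpdateTaskAudit {
    # One row per task from the table: present on this build, current state, first action.
    foreach ($path in ($updateTasks.Keys | Sort-Object)) {
        foreach ($name in $updateTasks[$path]) {
            $task = Get-ScheduledTask -TaskPath $path -TaskName $name -ErrorAction SilentlyContinue
            $state = $null
            $actionText = $null
            if ($task) {
                $state = [string]$task.State
                $actionText = Get-TaskActionSummary -Task $task
            }
            [pscustomobject]@{
                TaskPath = $path
                TaskName = $name
                Present  = [bool]$task
                State    = $state
                Action   = $actionText
            }
        }
    }
}

function Save-UpdateTaskBaseline {
    # Records the pre-change state so that only tasks that were enabled get re-enabled later.
    param([string]$Path = (Join-Path $env:ProgramData 'update-task-baseline.json'))
    Get-UpdateTaskAudit | Where-Object Present | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
    return $Path
}

function Restore-UpdateTasksFromBaseline {
    # Re-enables only the tasks the baseline recorded as not disabled.
    param([string]$Path = (Join-Path $env:ProgramData 'update-task-baseline.json'))
    foreach ($entry in (Get-Content -Path $Path -Raw | ConvertFrom-Json)) {
        if ($entry.State -ne 'Disabled') {
            Enable-ScheduledTask -TaskPath $entry.TaskPath -TaskName $entry.TaskName -ErrorAction Continue | Out-Null
        }
    }
}

# Usage: audit first, then save a baseline before running the DisableScheduledTask calls.
Get-UpdateTaskAudit | Format-Table -AutoSize
Save-UpdateTaskBaseline
```

Tasks that are absent on the running build show `Present = False`; rows whose action is a COM handler rather than an executable explain why the "Related system file" column cannot always be confirmed from the task definition alone.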
children:
- name: Maximize update pause duration
docs: |-
This script maximizes the pause duration for system updates via the settings interface. It postpones both feature and quality updates in Windows 10 and Windows 11. This is particularly useful for those preferring fewer interruptions from regular updates.

By default, the following registry keys are absent in Windows 10 and Windows 11 and are added only when updates are paused through the user interface [1]:

- `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings!PauseFeatureUpdatesStartTime`
- `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings!PauseFeatureUpdatesEndTime`
- `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings!PauseQualityUpdatesStartTime`
- `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings!PauseQualityUpdatesEndTime`
- `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings!PauseUpdatesStartTime` (set only in Windows 11 22H2 and later)
- `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings!PauseUpdatesExpiryTime`

This method has been tested and verified on Windows 10 from version 22H2 and Windows 11 from version 23H2 onwards. For the pause to work correctly, all of these keys must be added together. While beneficial for Windows Home users [1], note that Group Policy Object (GPO) settings might override these changes.

> **Caution**: This script postpones critical security updates, increasing potential security risks for your computer.

[1]: https://github.com/undergroundwires/privacy.sexy/issues/272#issuecomment-1772602388 "[BUG]: Windows automatically re-enables Update after 4-5 days · Issue #272 · undergroundwires/privacy.sexy | github.com/undergroundwires"
call: function: RunPowerShell parameters:
# Note:
# - StartTime must be set, or the update settings UI on Windows 11 becomes unresponsive to future changes.
# - An end time with a year above 3000 does not work on Windows 11; it works fine on Windows 10.
# Marked: refactor-with-variables
# - Getting `$currentTime` is used across multiple scripts.
code: |- $currentTime = (Get-Date).ToString('yyyy-MM-ddTHH:mm:ssZ') $endTime = '2963-01-17T00:00:00Z' reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PauseFeatureUpdatesStartTime" /t REG_SZ /d "$currentTime" /f reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PauseFeatureUpdatesEndTime" /t REG_SZ /d "$endTime" /f reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PauseQualityUpdatesStartTime" /t REG_SZ /d "$currentTime" /f reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PauseQualityUpdatesEndTime" /t REG_SZ /d "$endTime" /f reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PauseUpdatesStartTime" /t REG_SZ /d "$currentTime" /f reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PauseUpdatesExpiryTime" /t REG_SZ /d "$endTime" /f revertCode: |- reg delete "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PauseFeatureUpdatesStartTime" /f 2>$null reg delete "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PauseFeatureUpdatesEndTime" /f 2>$null reg delete "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PauseQualityUpdatesStartTime" /f 2>$null reg delete "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PauseQualityUpdatesEndTime" /f 2>$null reg delete "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PauseUpdatesStartTime" /f 2>$null reg delete "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PauseUpdatesExpiryTime" /f 2>$null - name: Maximize feature update duration (disables resuming updates from settings) docs: |- This script provides control over when and how often Windows feature updates and preview builds occur. These updates bring major changes to the operating system, affecting functionality and user privacy [1] [2]. Key aspects of Windows feature updates include: - Protecting against behavioral issues [1]. - Adding new features [1]. 
> **Caution**:
>
> - This script postpones critical security updates, increasing potential security risks for your computer.
> - This script disables the option to resume updates through the settings interface.
>   The update settings will display "Your organization paused some updates for this device", and you won't be able
>   to resume them there.

### Registry keys

The script modifies various Group Policy (GPO), state, and Mobile Device Management (MDM) keys.

Group Policy (GPO) keys:

- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!PauseFeatureUpdatesStartTime`: Sets the start date for pausing feature updates [3]. It is specified in a date format (yyyy-mm-dd, e.g., 2018-10-28) [4]. This key supersedes the now-obsolete Windows 10 version 1607 key: `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!PauseFeatureUpdates` [5]. By default, this registry key is missing since Windows 10 22H2 and Windows 11 23H2.
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!PauseFeatureUpdatesPeriodInDays`: Specifies the pause duration for feature updates [6]. The range is from 0 (default) to 365 days [6]. By default, this registry key is missing since Windows 10 22H2 and Windows 11 23H2.
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!DeferFeatureUpdates`: Enables pausing of feature updates and activates `PauseFeatureUpdatesPeriodInDays` [5]. By default, this registry key is missing since Windows 10 22H2 and Windows 11 23H2, meaning that feature updates are not paused [7].
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!DeferFeatureUpdatesPeriodInDays`: Defers feature updates for a specified number of days [4] [5] [7]. It ranges from 0 to 365 days [5] [7]. This key supersedes the now-obsolete Windows 10 version 1511 key: `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!DeferUpgradePeriod` [4] [5]. By default, this registry key is missing since Windows 10 22H2 and Windows 11 23H2.
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!Pause`: Used for pausing updates in older Windows 10 versions [4]. By default, this registry key is missing since Windows 10 22H2 and Windows 11 23H2.

State keys:

- `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings!PausedFeatureStatus`: Shows the current status of the feature update pause [5]. By default, this key is set to `0` since Windows 10 22H2 and Windows 11 23H2. `0` means feature updates are not paused, `1` means feature updates are paused, `2` means feature updates have auto-resumed after being paused [5].
- `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState!DeferFeatureUpdates`: By default, this key is set to `0` since Windows 10 22H2 and Windows 11 23H2.
- `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState!FeatureUpdatesPaused`: By default, this registry key is missing since Windows 10 22H2 and Windows 11 23H2.
- `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings!PausedFeatureDate`: Records the date when feature updates were paused [5]. By default, this registry key is missing since Windows 10 22H2 and Windows 11 23H2.
- `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState!PauseFeatureUpdatesStartTime`: Reflects the start time for pausing feature updates. By default, this registry key is missing since Windows 10 22H2 and Windows 11 23H2.

MDM (PolicyManager) keys:

- `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseFeatureUpdates!value`: Manages pausing of feature updates for Windows 10, version 1607 or later [5]. By default, this key is set to `0` since Windows 10 22H2 and Windows 11 23H2.
- `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartTime!value`: Specifies the start time for pausing feature updates [3] [4]. By default, this registry key is missing since Windows 10 22H2 and Windows 11 23H2.
- `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays!value`: Sets the deferral period for feature updates [4]. By default, this key is set to `0` since Windows 10 22H2 and Windows 11 23H2.
- `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\ConfigureDeadlineForFeatureUpdates!value`: Determines the deadline for automatic feature update installation [5]. The maximum value is limited to 30 days [5]. By default, this key is set to `7` since Windows 10 22H2 and Windows 11 23H2 [5].

[1]: https://web.archive.org/web/20231209161721/https://learn.microsoft.com/en-us/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview "Windows feature updates overview - Windows Deployment | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20231214085615/https://learn.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wufb "Windows Update for Business - Windows Deployment | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20231209161509/https://learn.microsoft.com/en-us/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004 "Required diagnostic events and fields for Windows 10 (versions 22H2, 21H2, 21H1, 20H2, and 2004) - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20230708165017/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update "Update Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20231206151045/https://learn.microsoft.com/en-us/windows/deployment/update/waas-configure-wufb "Configure Windows Update for Business - Windows Deployment | Microsoft Learn | learn.microsoft.com"
[6]: https://web.archive.org/web/20231209161617/https://learn.microsoft.com/en-us/mem/intune/protect/windows-update-settings "Windows Update settings you can manage with Intune Update Ring policies for Windows 10/11 devices. | Microsoft Learn | learn.microsoft.com"
[7]: https://web.archive.org/web/20231209161658/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsUpdate::DeferFeatureUpdates "Select when Preview Builds and Feature Updates are received | admx.help"
call: function: RunPowerShell parameters:
# Note:
# - The policy state keys (HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy) do not need to be modified; the script sets them only for extra robustness.
# Marked: refactor-with-variables
# - Getting `$currentTime` is used across multiple scripts.
code: |-
$currentTime = (Get-Date).ToString('yyyy-MM-ddTHH:mm:ssZ')
# GPO
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "PauseFeatureUpdatesStartTime" /t "REG_SZ" /d "$currentTime" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "PauseFeatureUpdatesPeriodInDays" /d "365" /t "REG_DWORD" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "PauseFeatureUpdates" /t "REG_DWORD" /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferFeatureUpdates" /t "REG_DWORD" /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferFeatureUpdatesPeriodInDays" /d "365" /t "REG_DWORD" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "Pause" /t "REG_DWORD" /d "1" /f
# State
reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings" /v "PausedFeatureStatus" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings" /v "PausedFeatureDate" /t "REG_SZ" /d "$currentTime" /f
reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "DeferFeatureUpdates" /d "1" /t "REG_DWORD" /f
reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "FeatureUpdatesPaused" /d "1" /t "REG_DWORD" /f
reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "PauseFeatureUpdatesStartTime" /t "REG_SZ" /d "$currentTime" /f
# MDM (PolicyManager) reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\Pause" /v "value" /t "REG_DWORD" /d "1" /f reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseFeatureUpdates" /v "value" /t "REG_DWORD" /d "1" /f reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartTime" /v "value" /t "REG_SZ" /d "$currentTime" /f reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays" /v "value" /t "REG_DWORD" /d "365" /f reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\ConfigureDeadlineForFeatureUpdates" /v "value" /t "REG_DWORD" /d "30" /f revertCode: |- # GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "PauseFeatureUpdatesStartTime" /f 2>$null reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "PauseFeatureUpdatesPeriodInDays" /f 2>$null reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "PauseFeatureUpdates" /f 2>$null reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferFeatureUpdates" /f 2>$null reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferFeatureUpdatesPeriodInDays" /f 2>$null reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "Pause" /f 2>$null # State reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings" /v "PausedFeatureStatus" /t "REG_DWORD" /d "0" /f reg delete "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings" /v "PausedFeatureDate" /f 2>$null reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "DeferFeatureUpdates" /d "0" /t "REG_DWORD" /f reg delete "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "FeatureUpdatesPaused" /f 2>$null reg delete "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "PauseFeatureUpdatesStartTime" /f 2>$null # MDM (PolicyManager) reg delete "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\Pause" 
/v "value" /f 2>$null
reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseFeatureUpdates" /v "value" /t "REG_DWORD" /d "0" /f
reg delete "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartTime" /v "value" /f 2>$null
reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays" /v "value" /t "REG_DWORD" /d "0" /f
reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\ConfigureDeadlineForFeatureUpdates" /v "value" /t "REG_DWORD" /d "7" /f
- name: Maximize quality update duration (disables resuming updates from settings)
docs: |-
This script extends the time between mandatory quality updates, which include security patches [1] [2]. Delaying these updates helps prevent frequent system reboots and disruptions, aiding productivity in professional and critical settings.

> **Caution**:
>
> - This script postpones critical security updates, increasing potential security risks for your computer.
> - This script disables the option to resume updates through the settings interface.
>   The update settings will display "Your organization paused some updates for this device", and you won't be able
>   to resume them there.

### Registry keys

The script modifies various Group Policy (GPO), state, and Mobile Device Management (MDM) keys.

Group Policy (GPO) keys:

- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!PauseQualityUpdates`: Pauses quality updates for up to 35 days, or until the setting is reversed [3] [4]. This setting has been available since Windows 10 1607 [3]. By default, this key is not present since Windows 10 22H2 and Windows 11 23H2.
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!PauseQualityUpdatesStartTime`: Sets the start date for pausing quality updates [3] [4]. This setting has been available since Windows 10 1703, and it activates the `PauseQualityUpdates` key [3]. By default, this key is not present since Windows 10 22H2 and Windows 11 23H2.
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!Pause`: Defers updates and upgrades in earlier versions of Windows 10 (1511) [3]. By default, this key is not present since Windows 10 22H2 and Windows 11 23H2.
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!DeferQualityUpdates`: Defers quality updates for up to 30 days [3] [4]. By default, this key is not present since Windows 10 22H2 and Windows 11 23H2.
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!DeferQualityUpdatesPeriodInDays`: Specifies the deferral period for quality updates, up to 35 [3] or 30 [4] [5] days. This setting has been available since Windows 10 1607 [3] [4], and it activates the `DeferQualityUpdates` key [3]. By default, this key is not present since Windows 10 22H2 and Windows 11 23H2.

State keys:

- `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings!PausedQualityStatus`: Indicates whether quality updates are currently paused, with `0` meaning not paused [3]. By default, this key is set to `0`, indicating no pause, since Windows 10 22H2 and Windows 11 23H2.
- `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings!PausedQualityDate`: Indicates the date when the pause of quality updates was initiated [3]. This key is used to disable auto-updates [6]. By default, this key is not present since Windows 10 22H2 and Windows 11 23H2 [6].
- `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState!DeferQualityUpdates`: Indicates whether quality updates have been paused. This key is used to disable auto-updates [6]. By default, this key is set to `0`, indicating no pause, since Windows 10 22H2 and Windows 11 23H2 [6].

Mobile Device Management (MDM) keys:

- `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseQualityUpdates!value`: Manages pausing of quality updates for Windows 10 1607 and later [3]. The default value is `0`, indicating no pause, since Windows 10 22H2 and Windows 11 23H2.
- `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseQualityUpdatesStartTime!value`: Sets the start time for pausing quality updates for Windows 10 1703 and later [3]. By default, this key is not present since Windows 10 22H2 and Windows 11 23H2.
- `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\Pause!value`: MDM equivalent for Windows 10, version 1511 [3]. By default, this key is not present since Windows 10 22H2 and Windows 11 23H2.
- `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays!value`: Determines the deferral period for quality updates for Windows 10 1607 and later [3]. By default, this key is set to `0`, indicating no pause, since Windows 10 22H2 and Windows 11 23H2.
- `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\ConfigureDeadlineForQualityUpdates!value`: Sets the deadline for automatic installation of quality updates for Windows 10 1903 and later, up to 30 days [4]. By default, this key is set to `7` [4], a seven-day deadline before updates are enforced, since Windows 10 22H2 and Windows 11 23H2.
[1]: https://web.archive.org/web/20231214091439/https://learn.microsoft.com/en-us/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview "Windows quality updates overview with Autopatch groups experience - Windows Deployment | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20231214085615/https://learn.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wufb "Windows Update for Business - Windows Deployment | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20231206151045/https://learn.microsoft.com/en-us/windows/deployment/update/waas-configure-wufb#pause-quality-updates "Configure Windows Update for Business - Windows Deployment | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20230708165017/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update "Update Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [5]: https://archive.ph/2023.12.14-092501/https://github.com/MicrosoftDocs/IntuneDocs/blob/main/intune/protect/windows-update-settings.md "IntuneDocs/intune/protect/windows-update-settings.md at main · MicrosoftDocs/IntuneDocs | github.com" [6]: https://web.archive.org/web/20231111173058/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004#re-enable-windows-update "Optimizing Windows 10, Build 2004, for a Virtual Desktop role | Microsoft Learn | learn.microsoft.com" call: function: RunPowerShell parameters: # Marked: refactor-with-variables # - Getting `$currentTime` is used across multiple scripts. 
code: |-
$currentTime = (Get-Date).ToString('yyyy-MM-ddTHH:mm:ssZ')
# GPO
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "Pause" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "PauseQualityUpdates" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "PauseQualityUpdatesStartTime" /t "REG_SZ" /d "$currentTime" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferQualityUpdates" /t "REG_DWORD" /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferQualityUpdatesPeriodInDays" /d "35" /t "REG_DWORD" /f
# State
reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings" /v "PausedQualityStatus" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings" /v "PausedQualityDate" /t "REG_SZ" /d "$currentTime" /f
reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "DeferQualityUpdates" /d "1" /t "REG_DWORD" /f
# MDM (PolicyManager)
reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\Pause" /v "value" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseQualityUpdates" /v "value" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseQualityUpdatesStartTime" /v "value" /t "REG_SZ" /d "$currentTime" /f
reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays" /v "value" /t "REG_DWORD" /d "35" /f
reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\ConfigureDeadlineForQualityUpdates" /v "value" /t "REG_DWORD" /d "30" /f
revertCode: |-
# GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "Pause" /f 2>$null
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "PauseQualityUpdates" /f 2>$null
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "PauseQualityUpdatesStartTime" /f 2>$null
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferQualityUpdates" /f 2>$null
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferQualityUpdatesPeriodInDays" /f 2>$null
# State
reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings" /v "PausedQualityStatus" /t "REG_DWORD" /d "0" /f
reg delete "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings" /v "PausedQualityDate" /f 2>$null
reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "DeferQualityUpdates" /t "REG_DWORD" /d "0" /f
# MDM (PolicyManager)
reg delete "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\Pause" /v "value" /f 2>$null
reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseQualityUpdates" /v "value" /t "REG_DWORD" /d "0" /f
reg delete "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseQualityUpdatesStartTime" /v "value" /f 2>$null
reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays" /v "value" /t "REG_DWORD" /d "0" /f
reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\ConfigureDeadlineForQualityUpdates" /v "value" /t "REG_DWORD" /d "7" /f
- name: Maximize update duration on older Windows versions
docs: |-
This script extends the time between updates and upgrades, but only works on older Windows versions (Windows 10 version 1511 and earlier) [1] [2].

> **Caution**:
>
> - This script postpones critical security updates, increasing potential security risks for your computer.
> - This script has no effect on newer Windows versions and will not make the intended changes there.

The script modifies the following keys:

- `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\RequireDeferUpgrade!value`: Sets the device to a more predictable update schedule [1]. By default, this key is set to `0` since Windows 10 22H2 and Windows 11 23H2.
- `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\RequireDeferUpdate!value`: Pauses quality updates [1]. By default, this registry key is missing since Windows 10 22H2 and Windows 11 23H2.
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!DeferUpdate`: Determines the delay period for updates [1]. By default, this registry key is missing since Windows 10 22H2 and Windows 11 23H2.
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!DeferUpgrade`: Determines the delay period for upgrades [1]. By default, this registry key is missing since Windows 10 22H2 and Windows 11 23H2.
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!DeferUpdatePeriod`: Defers updates for up to 4 weeks [1] [2] [3]. By default, this registry key is missing since Windows 10 22H2 and Windows 11 23H2.
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!DeferUpgradePeriod`: Defers upgrades for up to 8 months [1] [2] [3]. By default, this registry key is missing since Windows 10 22H2 and Windows 11 23H2.
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!PauseDeferrals`: Pauses updates and upgrades for up to 5 weeks [2] [3]. By default, this registry key is missing since Windows 10 22H2 and Windows 11 23H2.
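The three pause scripts in this category (the Settings-UI pause, the feature-update and quality-update GPO/state/MDM pauses) and the older-Windows deferral script each write a different layer of registry values, and the notes above warn about two failure modes: an end time without a start time, and an end year above 3000 on Windows 11. The following is an added example, not code from the privacy.sexy collection: it reads every value those scripts touch and summarises the effective pause state with those two checks, so a machine can be verified before a script is run and again after it is reverted. It assumes Windows PowerShell 5.1 or later in an elevated session; the `Tier` labels are this example's own, not Microsoft's terminology, and the build-number test for Windows 11 is an assumption about the host.

```powershell
# Added example (not part of the privacy.sexy collection): audit the pause/defer values
# written by the scripts in this category and summarise the effective pause state.
# Assumes Windows PowerShell 5.1+ and an elevated session. "Tier" labels are mine.

$hklm = 'HKLM:\SOFTWARE'
$valueSets = @(
    @{ Tier = 'UI'; Key = "$hklm\Microsoft\WindowsUpdate\UX\Settings"
       Names = 'PauseFeatureUpdatesStartTime', 'PauseFeatureUpdatesEndTime', 'PauseQualityUpdatesStartTime',
               'PauseQualityUpdatesEndTime', 'PauseUpdatesStartTime', 'PauseUpdatesExpiryTime' }
    @{ Tier = 'GPO'; Key = "$hklm\Policies\Microsoft\Windows\WindowsUpdate"
       Names = 'Pause', 'PauseFeatureUpdates', 'PauseFeatureUpdatesStartTime', 'PauseFeatureUpdatesPeriodInDays',
               'DeferFeatureUpdates', 'DeferFeatureUpdatesPeriodInDays', 'PauseQualityUpdates',
               'PauseQualityUpdatesStartTime', 'DeferQualityUpdates', 'DeferQualityUpdatesPeriodInDays',
               'DeferUpdate', 'DeferUpgrade', 'DeferUpdatePeriod', 'DeferUpgradePeriod', 'PauseDeferrals' }
    @{ Tier = 'State'; Key = "$hklm\Microsoft\WindowsUpdate\UpdatePolicy\Settings"
       Names = 'PausedFeatureStatus', 'PausedFeatureDate', 'PausedQualityStatus', 'PausedQualityDate' }
    @{ Tier = 'State'; Key = "$hklm\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState"
       Names = 'DeferFeatureUpdates', 'FeatureUpdatesPaused', 'PauseFeatureUpdatesStartTime', 'DeferQualityUpdates' }
)
# PolicyManager (MDM) keys all hold their setting in a value named "value".
$mdmPolicies = 'Pause', 'PauseFeatureUpdates', 'PauseFeatureUpdatesStartTime', 'DeferFeatureUpdatesPeriodInDays',
               'ConfigureDeadlineForFeatureUpdates', 'PauseQualityUpdates', 'PauseQualityUpdatesStartTime',
               'DeferQualityUpdatesPeriodInDays', 'ConfigureDeadlineForQualityUpdates',
               'RequireDeferUpgrade', 'RequireDeferUpdate'

function Get-RegValue {
    # $null when the key or the value does not exist (the default state on a clean install).
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-UpdatePauseAudit {
    $rows = foreach ($set in $valueSets) {
        foreach ($name in $set.Names) {
            [pscustomobject]@{ Tier = $set.Tier; Key = $set.Key; Name = $name; Value = (Get-RegValue $set.Key $name) }
        }
    }
    $rows += foreach ($policy in $mdmPolicies) {
        $key = "$hklm\Microsoft\PolicyManager\default\Update\$policy"
        [pscustomobject]@{ Tier = 'MDM'; Key = $key; Name = 'value'; Value = (Get-RegValue $key 'value') }
    }
    return $rows
}

function Get-UpdatePauseSummary {
    param([object[]]$Audit = (Get-UpdatePauseAudit))
    $isWindows11 = [Environment]::OSVersion.Version.Build -ge 22000   # assumption: 22000+ means Windows 11
    $warnings = New-Object System.Collections.Generic.List[string]
    $ui = @($Audit | Where-Object Tier -eq 'UI')
    $pauses = foreach ($pair in @(
            @('PauseFeatureUpdatesStartTime', 'PauseFeatureUpdatesEndTime'),
            @('PauseQualityUpdatesStartTime', 'PauseQualityUpdatesEndTime'),
            @('PauseUpdatesStartTime', 'PauseUpdatesExpiryTime'))) {
        $start = ($ui | Where-Object Name -eq $pair[0]).Value
        $end   = ($ui | Where-Object Name -eq $pair[1]).Value
        if (-not $end) { continue }
        if (-not $start) { $warnings.Add("$($pair[1]) is set without $($pair[0]); the Settings page may stop responding") }
        $until = [datetime]::Parse($end, [cultureinfo]::InvariantCulture, [Globalization.DateTimeStyles]::AdjustToUniversal)
        if ($isWindows11 -and $until.Year -gt 3000) { $warnings.Add("$($pair[1]) year $($until.Year) is above 3000, which Windows 11 ignores") }
        [pscustomobject]@{ Scope = $pair[1]; PausedUntil = $until; DaysLeft = [int][math]::Floor(($until - [datetime]::UtcNow).TotalDays) }
    }
    $gpo = @($Audit | Where-Object { $_.Tier -eq 'GPO' -and $null -ne $_.Value })
    if ($gpo.Count -gt 0) {
        $warnings.Add('GPO values present (' + (($gpo | ForEach-Object Name) -join ', ') + '); Settings cannot resume updates while they exist')
    }
    $state = @($Audit | Where-Object { $_.Tier -eq 'State' -and $_.Name -in 'PausedFeatureStatus', 'PausedQualityStatus' })
    [pscustomobject]@{
        Windows11     = $isWindows11
        UiPauses      = @($pauses)
        FeaturePaused = (($state | Where-Object Name -eq 'PausedFeatureStatus').Value -eq 1)
        QualityPaused = (($state | Where-Object Name -eq 'PausedQualityStatus').Value -eq 1)
        Warnings      = $warnings.ToArray()
    }
}

# Usage: list every value that is set, then the interpreted summary and its warnings.
Get-UpdatePauseAudit | Where-Object { $null -ne $_.Value } | Format-Table Tier, Name, Value -AutoSize
$summary = Get-UpdatePauseSummary
$summary.UiPauses | Format-Table -AutoSize
$summary.Warnings
```

Run it once on a clean machine to confirm that only the `State` and `MDM` defaults described above (`0` and `7`) are present, and again after a revert: any `GPO` row that still has a value is what keeps the Settings page showing "Your organization paused some updates for this device".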
[1]: https://web.archive.org/web/20231206151045/https://learn.microsoft.com/en-us/windows/deployment/update/waas-configure-wufb "Configure Windows Update for Business - Windows Deployment | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20230708165017/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update "Update Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20231209170224/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsUpdate::DeferUpgrade "Defer Upgrades and Updates | admx.help" call: - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate valueName: DeferUpdate dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate valueName: DeferUpgrade dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate valueName: DeferUpdatePeriod dataType: REG_DWORD data: '4' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate valueName: DeferUpgradePeriod dataType: REG_DWORD data: '8' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate valueName: PauseDeferrals dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: 
keyPath: HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\RequireDeferUpdate valueName: value dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: RunInlineCode parameters: code: |- reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\RequireDeferUpgrade" /v "value" /t "REG_DWORD" /d "1" /f revertCode: >- # `0` by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\RequireDeferUpgrade" /v "value" /t "REG_DWORD" /d "0" /f - category: Configure how downloaded files are handled docs: |- These scripts configures Attachment Manager included in Windows that takes further actions for files that you receive or download such as storing classification metadata and notifying other software [1]. [1]: https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738 "Information about the Attachment Manager in Microsoft Windows | support.microsoft.com" children: - name: Disable saving of zone information in downloaded files docs: |- This script disables marking file attachments by using their zone information. The default behavior is for Windows to mark file attachments with their zone information [1]. The zone information of the origin describe whether the file was downloaded from internet, intranet, local, or restricted zone [1]. It is used by Attachment Manager that is included in Windows to help protect the computer from unsafe attachments that can be received with e-mail message or downloaded from Internet [2]. If the Attachment Manager identifies an attachment that might be unsafe, it prevents you from opening the file, or it warns you before you open the file [2]. Preventing this information to be saved: - Increases privacy by no longer leaking information of source. 
              - Decreases security by preventing Windows from determining risks and taking risk-based actions [1].

              By not preserving the zone information, Windows cannot make proper risk assessments [3].
              Disabling it has **Significant** criticality, as the configuration introduces additional attack surface according to the US government [4].
              The Attachment Manager feature warns users when opening or executing files which are marked as being from an untrusted source, unless/until the file's zone information has been removed via the "Unblock" button on the file's properties or via a separate tool such as [Microsoft Sysinternals Streams](https://web.archive.org/web/20240314125039/https://learn.microsoft.com/en-us/sysinternals/downloads/streams) [4].

              It is configured using the `SaveZoneInformation` value in the `\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\` registry subkey [1] [2] [3] [4].
              The value of this setting is confusing: according to Microsoft documentation, `1` turns it on [2] [3] and `2` turns it off [2] [3].
              However, according to STIG V-63841, `1` disables saving zone information and `2` enables it [3].
              According to my tests, the STIG interprets it right and `1` disables this function.
              In clean Windows 10 and 11 installations, this key is missing by default for both `HKCU` and `HKLM`.

              [1]: https://www.stigviewer.com/stig/windows_10/2019-09-25/finding/V-63841 "Zone information must be preserved when saving attachments. | stigviewer.com"
              [2]: https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738 "Information about the Attachment Manager in Microsoft Windows | support.microsoft.com"
              [3]: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AttachmentManager::AM_MarkZoneOnSavedAtttachments "Do not preserve zone information in file attachments | admx.help"
              [4]: https://web.archive.org/web/20230102223412/https://www.irs.gov/pub/irs-utl/safeguards-scsem-win-11-v1-1-033122.xlsx "Windows 11 SafeGuards | irs.gov"
            call:
              function: SetRegistryValue
              parameters:
                keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments
                valueName: SaveZoneInformation
                dataType: REG_DWORD
                data: '1'
                deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
          -
            name: Disable notifications to antivirus programs for downloaded files
            docs: |-
              This script prevents Windows from calling the registered antivirus programs when file attachments are opened [1] [2].
              Windows notifies registered antivirus programs about files downloaded from the Internet or received as e-mail attachments [1].
              If multiple programs are registered, they will all be notified [1] [3].
              This is disabled by default, so even if you do not run this script, Windows does not call the registered antivirus programs when file attachments are opened [1].
              If it is enabled, Windows blocks the file from being opened when the antivirus program fails [1].
              It is the recommended setting by Microsoft [1].

              Preventing antivirus calls:

              - Increases privacy by not sharing your file data proactively with installed antiviruses.
              - Decreases security, since the antivirus is no longer asked to detect and mitigate potential malicious software.

              Disabling it has **Moderate** criticality as it is not an appropriate antivirus configuration according to the US government [4].
              An updated antivirus program must be installed for this policy setting to function properly [4].
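The two Attachment Manager values covered by these scripts, `SaveZoneInformation` and `ScanWithAntiVirus`, can be audited before and after running them. The PowerShell script below is an added example and is not part of the privacy.sexy collection: it reads both values from `HKLM` and `HKCU`, interprets them using the readings given in the docs above (the STIG reading for `SaveZoneInformation`, where `1` disables zone saving), and shows whether a given downloaded file still carries a `Zone.Identifier` stream, which is what Windows, SmartScreen and Office consult for risk decisions. The sample file path is a constructed placeholder.

```powershell
# Added example, not privacy.sexy code: audit Attachment Manager policy values
# and inspect the Zone.Identifier stream ("mark of the web") of one file.
# Run from an elevated PowerShell prompt on Windows 10/11.

$attachmentsSubKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments'

function Get-AttachmentManagerPolicy {
    # Returns one object per hive with the raw DWORD, or $null when the value is missing.
    param([Parameter(Mandatory)][string]$ValueName)
    foreach ($hive in 'HKLM', 'HKCU') {
        $keyPath = "${hive}:\$attachmentsSubKey"
        $data = $null
        if (Test-Path -LiteralPath $keyPath) {
            $item = Get-ItemProperty -LiteralPath $keyPath -Name $ValueName -ErrorAction SilentlyContinue
            if ($item) { $data = $item.$ValueName }
        }
        [pscustomobject]@{ Hive = $hive; ValueName = $ValueName; Data = $data }
    }
}

function Describe-AttachmentManagerSetting {
    # Meaning of each DWORD as documented above (SaveZoneInformation follows the STIG reading).
    param([string]$ValueName, $Data)
    if ($ValueName -eq 'SaveZoneInformation') {
        if ($null -eq $Data) { return 'not configured (Windows default: zone information is saved)' }
        if ($Data -eq 1)     { return 'zone information is NOT saved; downloads get no Zone.Identifier stream' }
        if ($Data -eq 2)     { return 'zone information is saved' }
    }
    elseif ($ValueName -eq 'ScanWithAntiVirus') {
        if ($null -eq $Data) { return 'not configured' }
        if ($Data -eq 1)     { return 'registered antivirus programs are NOT notified when attachments are opened' }
        if ($Data -eq 2)     { return 'optional' }
        if ($Data -eq 3)     { return 'registered antivirus programs are notified (Windows default)' }
    }
    return "unexpected value $Data"
}

function Get-ZoneIdentifier {
    # Reads the Zone.Identifier alternate data stream that Attachment Manager writes to
    # downloaded files when zone saving is on. Returns $null when the stream is absent.
    param([Parameter(Mandatory)][string]$Path)
    $stream = Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $lines  = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier'
    $zoneId = $null
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)\s*$') { $zoneId = [int]$Matches[1] }
    }
    $zoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
    $zoneName = 'unknown'
    if ($null -ne $zoneId -and $zoneNames.ContainsKey($zoneId)) { $zoneName = $zoneNames[$zoneId] }
    [pscustomobject]@{
        Path   = $Path
        ZoneId = $zoneId
        Zone   = $zoneName
        Stream = ($lines -join "`n")
    }
}

# --- Usage ---
foreach ($valueName in 'SaveZoneInformation', 'ScanWithAntiVirus') {
    foreach ($entry in Get-AttachmentManagerPolicy -ValueName $valueName) {
        $shown = if ($null -eq $entry.Data) { 'missing' } else { $entry.Data }
        '{0}\{1}\{2} = {3} -> {4}' -f $entry.Hive, $attachmentsSubKey, $entry.ValueName, $shown,
            (Describe-AttachmentManagerSetting -ValueName $entry.ValueName -Data $entry.Data)
    }
}

# Constructed placeholder path: point this at a file you actually downloaded.
$sampleFile = Join-Path $env:USERPROFILE 'Downloads\example-download.zip'
if (Test-Path -LiteralPath $sampleFile) {
    $zone = Get-ZoneIdentifier -Path $sampleFile
    if ($zone) { $zone | Format-List } else { "$sampleFile has no Zone.Identifier stream (never marked, or unblocked)" }
}
```

A file downloaded after `SaveZoneInformation` is set to `1` shows no `Zone.Identifier` stream at all, which is the concrete form of the "Windows cannot make proper risk assessments" point above; a file that was marked and then unblocked looks the same, so the audit of the policy value is what tells the two cases apart.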
              It is configured using the `ScanWithAntiVirus` value in the `\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\` registry subkey [1] [2] [3] [4].
              `3` enables the scans [1] [2] [3], `1` disables them [1] [3], and `2` leaves it optional [1].
              In clean Windows 10 and 11 installations, this value is set to `3` by default in `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\ScanWithAntiVirus`, and the key is missing for `HKCU`.

              [1]: https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738 "Information about the Attachment Manager in Microsoft Windows | support.microsoft.com"
              [2]: https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2015-09-02/finding/V-14270 "The system will notify antivirus when file attachments are opened. | stigviewer.com"
              [3]: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AttachmentManager::AM_CallIOfficeAntiVirus "Notify antivirus programs when opening attachments | admx.help"
              [4]: https://web.archive.org/web/20230102223412/https://www.irs.gov/pub/irs-utl/safeguards-scsem-win-11-v1-1-033122.xlsx "Windows 11 SafeGuards | irs.gov"
            code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "ScanWithAntiVirus" /t REG_DWORD /d "1" /f
            revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "ScanWithAntiVirus" /t REG_DWORD /d "3" /f
      -
        name: Remove "Windows Security" app (`SecHealthUI`) (breaks Windows Security user interface)
        docs: |-
          This script removes the "Windows Security" app [1], known as `SecHealthUI` [2] [3].
          This app serves as the interface for Windows Security [2], helping users monitor and manage their computer's security [4].
          It provides alerts and guidance on vulnerabilities through the Action Center [4].
          However, uninstalling the "Windows Security" app has significant implications:

          - It may increase vulnerability to threats by no longer alerting users about security issues or communicating updates through the Action Center [4].
          - Disabling its interface can hinder the effective management of security settings, including tamper protection [5].

          Despite these risks, removing the app can enhance privacy in several ways:

          - **Less personal data collection**: Reduces the collection and display of personal and system data such as threats [6], limiting information used to analyze user behavior.
          - **More control over security settings**: Encourages managing security settings programmatically, reducing accidental misconfigurations and unauthorized access.
          - **Decreased notifications and alerts**: Reduces the number of notifications that may expose sensitive information.
          - **User choice in security tools**: Offers freedom to choose alternative privacy-focused security measures.
          - **Increased anonymity**: By uninstalling the app, users reduce the amount of data shared under the terms of [Microsoft's privacy policy](https://web.archive.org/web/20231006103250/https://privacy.microsoft.com/en-US/privacystatement), which allows Microsoft to collect and share data with external entities when the app is in use.

          This app comes pre-installed on certain versions of Windows [7] [8].
          The package is named `Microsoft.Windows.SecHealthUI` on Windows 10 and `Microsoft.SecHealthUI` on Windows 11 [1] [2].
          It operates independently from individual Defender features [9] and is updated separately from the operating system [10].
          Uninstalling it does not disable Microsoft Defender Antivirus or Firewall [11], and Windows will continue sending security notifications unless disabled separately [12].

          > **Caution**: Uninstalling "Windows Security" app can expose your system to threats and limit your ability to configure
          > security settings.
          > It should only be done with a full understanding of the consequences.

          ### Overview of default preinstallation

          `Microsoft.Windows.SecHealthUI`:

          | OS | Version | Existence |
          | -- |:-------:|:---------:|
          | Windows 10 | 19H2 | ✅ |
          | Windows 10 | 20H2 | ✅ |
          | Windows 10 | 21H2 | ✅ |
          | Windows 10 | 22H2 | ✅ |
          | Windows 11 | 21H2 | ❌ |
          | Windows 11 | 22H2 | ❌ |
          | Windows 11 | 23H2 | ❌ |

          `Microsoft.SecHealthUI`:

          | OS | Version | Existence |
          | -- |:-------:|:---------:|
          | Windows 10 | 19H2 | ❌ |
          | Windows 10 | 20H2 | ❌ |
          | Windows 10 | 21H2 | ❌ |
          | Windows 10 | 22H2 | ❌ |
          | Windows 11 | 21H2 | ✅ |
          | Windows 11 | 22H2 | ✅ |
          | Windows 11 | 23H2 | ✅ |

          [1]: https://web.archive.org/web/20231006113851/https://support.microsoft.com/en-us/topic/windows-security-update-a6ac7d2e-b1bf-44c0-a028-41720a242da3 "Windows Security Update - Microsoft Support"
          [2]: https://github.com/undergroundwires/privacy.sexy/issues/195 "[BUG]: Uninstalling the SecHealthUI fails, despite the app being installed. · Issue #195 · undergroundwires/privacy.sexy"
          [3]: https://web.archive.org/web/20231006113903/https://download.microsoft.com/download/e/1/0/e10a6884-2e7a-4d80-ac2f-884c39a2a1b2/5001337.csv "Services CSV file | microsoft.com"
          [4]: https://web.archive.org/web/20231006113932/https://learn.microsoft.com/en-us/windows/win32/devnotes/windows-security-center "The Windows Security app - Win32 apps | Microsoft Learn"
          [5]: https://web.archive.org/web/20231006115719/https://support.microsoft.com/en-us/windows/prevent-changes-to-security-settings-with-tamper-protection-31d51aaa-645d-408e-6ce7-8d7f8e593f87 "Prevent changes to security settings with Tamper Protection - Microsoft Support"
          [6]: https://web.archive.org/web/20231006115719/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide "Microsoft Defender Antivirus in Windows | Microsoft Learn"
          [7]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
          [8]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
          [9]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center#how-windows-security-works-with-windows-security-features "Windows Security - Windows Security | Microsoft Learn"
          [10]: https://web.archive.org/web/20231006115836/https://support.microsoft.com/en-us/topic/kb5020779-the-vulnerable-driver-blocklist-after-the-october-2022-preview-release-3fcbe13a-6013-4118-b584-fcfbc6a09936 "KB5020779 The vulnerable driver blocklist after the October 2022 preview release - Microsoft Support"
          [11]: https://web.archive.org/web/20231006115845/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus?view=o365-worldwide "Microsoft Defender Antivirus in the Windows Security app | Microsoft Learn"
          [12]: https://web.archive.org/web/20231006115826/https://support.microsoft.com/en-us/windows/windows-security-notifications-6a59ce6a-e1e0-4795-b080-ba92d49644b2 "Windows Security notifications - Microsoft Support"
        call:
          -
            function: UninstallNonRemovableStoreAppWithCleanup
            parameters:
              packageName: Microsoft.Windows.SecHealthUI # Get-AppxPackage Microsoft.Windows.SecHealthUI
              publisherId: cw5n1h2txyewy
          -
            function: UninstallNonRemovableStoreApp
            # Notes:
            # - Although not a system app, this app is flagged as 'NonRemovable'.
            #   Therefore, `UninstallNonRemovableStoreApp` is preferred over `UninstallStoreApp`.
            # - Attempts to remove the app installation files lead to permission errors, even with file ACL permissions granted.
            #   Therefore, `UninstallNonRemovableStoreApp` is preferred over `UninstallNonRemovableStoreAppWithCleanup`.
            parameters:
              packageName: Microsoft.SecHealthUI # Get-AppxPackage Microsoft.SecHealthUI
              publisherId: 8wekyb3d8bbwe
  -
    category: UI for privacy
    children:
      -
        name: Disable lock screen app notifications
        recommend: standard
        docs: https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-36687
        call:
          function: SetRegistryValue
          parameters:
            keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\System
            valueName: DisableLockScreenAppNotifications
            dataType: REG_DWORD
            data: '1'
            deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
      -
        category: Disable online content in File Explorer
        children:
          -
            name: Disable online tips
            recommend: standard
            docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanel::AllowOnlineTips
            call:
              function: SetRegistryValue
              parameters:
                keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\System
                valueName: AllowOnlineTips
                dataType: REG_DWORD
                data: '0'
                deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
          -
            name: Disable "Internet File Association" service
            recommend: standard
            docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetCommunicationManagement::ShellNoUseInternetOpenWith_2
            call:
              function: SetRegistryValue
              parameters:
                keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
                valueName: NoInternetOpenWith
                dataType: REG_DWORD
                data: '1'
                deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
          -
            name: Disable "Order Prints" picture task
            recommend: standard
            docs:
              - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetCommunicationManagement::ShellRemoveOrderPrints_2
              - https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000042
            call:
              function: SetRegistryValue
              parameters:
                keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
                valueName: NoOnlinePrintsWizard
                dataType: REG_DWORD
                data: '1'
                deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
          -
            name: Disable "Publish to Web" option for files and folders
            recommend: standard
            docs: https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-14255
            call:
              function: SetRegistryValue
              parameters:
                keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
                valueName: NoPublishingWizard
                dataType: REG_DWORD
                data: '1'
                deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
          -
            name: Disable provider list downloads for wizards
            recommend: standard
            docs: https://www.stigviewer.com/stig/windows_10/2017-12-01/finding/V-63621
            call:
              function: SetRegistryValue
              parameters:
                keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
                valueName: NoWebServices
                dataType: REG_DWORD
                data: '1'
                deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
      -
        category: Secure recent document lists
        children:
          -
            name: Disable history of recently opened documents
            recommend: strict
            docs: https://web.archive.org/web/20231207105611/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.StartMenu::NoRecentDocsHistory
            code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRecentDocsHistory" /t REG_DWORD /d 1 /f
            # `0` by default on Windows 10 (22H2 and above), missing by default on Windows 11 (23H2 and above)
            revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRecentDocsHistory" /t REG_DWORD /d 0 /f
          -
            name: Clear recently opened document history upon exit
            recommend: strict
            docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.StartMenu::ClearRecentDocsOnExit
            call:
              function: SetRegistryValue
              parameters:
                keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                valueName: ClearRecentDocsOnExit
                dataType: REG_DWORD
                data: '1'
                deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
      -
        name: Disable Live Tiles push notifications
        recommend: standard
        docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Notifications::NoTileNotification
        call:
          function: SetRegistryValue
          parameters:
            keyPath: HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications
            valueName: NoTileApplicationNotification
            dataType: REG_DWORD
            data: '1'
            deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
      -
        name: Disable the "Look For An App In The Store" option
        recommend: standard
        docs:
          - https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000030
          - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetCommunicationManagement::ShellNoUseStoreOpenWith_1
        call:
          function: SetRegistryValue
          parameters:
            keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer
            valueName: NoUseStoreOpenWith
            dataType: REG_DWORD
            data: '1'
            deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
      -
        name: Disable the display of recently used files in Quick Access
        recommend: strict
        docs:
          - https://matthewhill.uk/windows/group-policy-disable-recent-files-frequent-folder-explorer/ # ShowRecent
          - https://web.archive.org/web/20231206191753/https://www.howto-connect.com/delete-recent-frequent-from-file-explorer-on-windows-10/ # 3134ef9c-6b18-4996-ad04-ed5912e00eb5
          - https://web.archive.org/web/20240314130140/https://learn.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry # Wow6432Node
        call:
          -
            function: SetRegistryValue
            parameters:
              keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
              valueName: ShowRecent
              dataType: REG_DWORD
              data: '0'
              deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
          -
            function: RunInlineCode
            parameters:
              code: |-
                reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f
                if not %PROCESSOR_ARCHITECTURE%==x86 ( REM is 64 bit?
                  reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f
                )
              revertCode: |-
                reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f
                if not %PROCESSOR_ARCHITECTURE%==x86 ( REM is 64 bit?
                  reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f
                )
      -
        name: Disable sync provider notifications
        call:
          -
            function: SetRegistryValue
            parameters:
              keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
              valueName: ShowSyncProviderNotifications
              dataType: REG_DWORD
              data: "0"
              deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
          -
            function: ShowExplorerRestartSuggestion
      -
        name: Disable hibernation for faster startup and to avoid sensitive data storage
        docs: |-
          This script commands your system to deactivate the hibernation feature.
          Hibernate is a power-saving state that saves your current work and turns off the computer [1].
          When your computer hibernates, it saves the contents of its RAM to your hard disk and powers off the machine [2].
          Upon starting again, your computer can restore all the open programs and documents from your hard disk to its RAM [1].
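Whether hibernation is currently enabled, and whether a hibernation file holding a RAM image still sits on the system drive, can be checked with the PowerShell function below. It is an added example and not part of the collection: it reads the `HibernateEnabled` value under `HKLM\SYSTEM\CurrentControlSet\Control\Power` and looks for `hiberfil.sys` on the system drive, so it can be run before and after `powercfg -h off` to confirm the change took effect.

```powershell
# Added example, not privacy.sexy code: report the hibernation state and the
# hibernation file that holds the RAM image. Run from an elevated prompt.
function Get-HibernationState {
    $powerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $enabled = (Get-ItemProperty -LiteralPath $powerKey -Name 'HibernateEnabled' -ErrorAction SilentlyContinue).HibernateEnabled

    # hiberfil.sys is hidden and system-protected, so -Force is required to see it.
    $hiberfil = Join-Path $env:SystemDrive 'hiberfil.sys'
    $file = Get-Item -LiteralPath $hiberfil -Force -ErrorAction SilentlyContinue
    $sizeGB = 0
    if ($file) { $sizeGB = [math]::Round($file.Length / 1GB, 2) }

    [pscustomobject]@{
        HibernateEnabled = ($enabled -eq 1)   # $false when the value is 0 or missing
        HiberfilPath     = $hiberfil
        HiberfilPresent  = [bool]$file
        HiberfilSizeGB   = $sizeGB
    }
}

Get-HibernationState | Format-List
```

After `powercfg -h off` both `HibernateEnabled` and `HiberfilPresent` should report `False`, since disabling hibernation also deletes the file; if `hiberfil.sys` lingers, the RAM image it contains is still on disk. Windows Fast Startup depends on hibernation as well, so disabling hibernation turns that off too.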
          If hibernation mode is enabled, sensitive data stored in RAM is written to disk [2].
          The memory can contain private data, passwords, keys and so on.
          This could be accessed by malicious software or people with physical access to the computer.
          By disabling hibernation, this script reduces the risk of such potential privacy breaches.

          It configures hibernation by using the `powercfg` command line tool [3].

          [1]: https://web.archive.org/web/20230806164910/https://support.microsoft.com/en-us/windows/shut-down-sleep-or-hibernate-your-pc-2941d165-7d0a-a5e8-c5ad-8c972e8e6eff
          [2]: https://web.archive.org/web/20230712211259/https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/system-sleeping-states
          [3]: https://web.archive.org/web/20230806165041/https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options
        code: powercfg -h off
        revertCode: powercfg -h on
      -
        name: Enable camera on/off OSD notifications
        docs:
          - https://web.archive.org/web/20240314130237/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-coremmres-nophysicalcameraled
          - https://archive.ph/2024.03.14-100859/https://www.reddit.com/r/Surface/comments/88nyln/the_webcamled_took_anyone_it_apart/dwm64p5/?rdt=41039
          - https://web.archive.org/web/20231206191715/https://answers.microsoft.com/en-us/windows/forum/all/enable-osd-notification-for-webcam/caf1fff4-78d3-4b93-905b-ef657097a44e
        call:
          function: SetRegistryValue
          parameters:
            keyPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
            valueName: NoPhysicalCameraLED
            dataType: REG_DWORD
            data: '1'
            deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
      -
        category: Remove items from "This PC" and "Browse" in dialog boxes
        children:
          -
            name: Remove "3D Objects" from dialog boxes
            code: |-
              reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
              reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
            revertCode: |-
              reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
              reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
          -
            name: Remove "Desktop" from dialog boxes
            code: |-
              reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
              reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
            revertCode: |-
              reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
              reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
          -
            name: Remove "Documents" from dialog boxes
            code: |-
              reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
              reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
            revertCode: |-
              reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
              reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
          -
            name: Remove "Downloads" from dialog boxes
            code: |-
              reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
              reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
            revertCode: |-
              reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
              reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
          -
            name: Remove "Movies" from dialog boxes
            code: |-
              reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
              reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
            revertCode: |-
              reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
              reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
          -
            name: Remove "Music" from dialog boxes
            code: |-
              reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
              reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
            revertCode: |-
              reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
              reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
          -
            name: Remove "Pictures" from dialog boxes
            code: |-
              reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
              reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
            revertCode: |-
              reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
              reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
      -
        name: Disable app usage tracking
        recommend: standard
        docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.EdgeUI::DisableMFUTracking
        call:
          function: SetRegistryValue
          parameters:
            keyPath: HKCU\Software\Policies\Microsoft\Windows\EdgeUI
            valueName: DisableMFUTracking
            dataType: REG_DWORD
            data: "1"
            deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
      -
        name: Disable recent apps
        recommend: standard
        docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.EdgeUI::DisableRecentApps
        call:
          function: SetRegistryValue
          parameters:
            keyPath: HKCU\Software\Policies\Microsoft\Windows\EdgeUI
            valueName: DisableRecentApps
            dataType: REG_DWORD
            data: "1"
            deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
      -
        name: Disable backtracking
        recommend: standard
        docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.EdgeUI::TurnOffBackstack
        call:
          function: SetRegistryValue
          parameters:
            keyPath: HKCU\Software\Policies\Microsoft\Windows\EdgeUI
            valueName: TurnOffBackstack
            dataType: REG_DWORD
            data: "1"
            deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
  -
    category: Remove bloatware
    children:
      -
        category: Remove Windows apps
        docs: |-
          This category covers the uninstallation of Windows apps.
          Windows apps were introduced with Windows 8 and are typically acquired and installed through the Store app [1].
          Many of these apps come pre-installed on Windows by default [1].
          Uninstalling unused or unwanted apps contributes to privacy by reducing potential data collection points and minimizing your digital footprint.

          The applications are categorized as:

          - **Installed**: Included with the OS installation [1] [2].
            They are stored in the `C:\Program Files\WindowsApps\{PackageFullName}` directory [1].
          - **Provisioned**: Added when you log in with a new user account for the first time [1] [2] [3].
            They are located in `C:\Program Files\WindowsApps\{PackageFullName}` [1].
            The following PowerShell command can be used to view all provisioned apps: `Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName, PublisherId` [3].
          - **System apps**: Integral components of Windows [1] [2].

          This category does not target framework apps.
          Framework apps are packages that get installed automatically if another application requires them [2].
          If there are applications depending on these framework packages, you cannot delete the framework app individually [2].
          However, if you remove those dependent applications, the associated framework package will be deleted [4].
          To list all framework apps, you can use the following command: `Get-AppxPackage | Where-Object { $_.IsFramework -eq $true } | Select-Object -ExpandProperty Name`.

          [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
          [2]: https://web.archive.org/web/20231003110200/https://learn.microsoft.com/en-us/windows/uwp/monetize/install-the-microsoft-advertising-libraries "Install the Microsoft Advertising SDK - Microsoft Store | Microsoft Learn"
          [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
          [4]: https://github.com/undergroundwires/privacy.sexy/issues/200 "[BUG]: Microsoft Advertising app removal failure · Issue #200 · undergroundwires/privacy.sexy"
        children:
          # 💡 Good information for development:
          # - Find out package name from store ID: https://archive.ph/2023.10.20-135401/https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/find-a-pfn-for-per-app-vpn
          # ❗ Excluded apps with justifications:
          # - `Microsoft.Windows.ShellExperienceHost`: "Start app", required for different setting windows such as WiFi and battery panes in action bar.
          # - `Windows.immersivecontrolpanel`: "Settings app", required for settings view.
          # - Framework apps:
          #   Excluded apps:
          #     Microsoft.UI.Xaml.CBS, Microsoft.NET.Native.Framework.2.2, Microsoft.NET.Native.Runtime.2.2, Microsoft.VCLibs.140.00.UWPDesktop, Microsoft.UI.Xaml.2.7
          #     Microsoft.VCLibs.140.00, Microsoft.UI.Xaml.2.4, Microsoft.WindowsAppRuntime.CBS, Microsoft.WindowsAppRuntime.1.2, Microsoft.UI.Xaml.2.0, Microsoft.Advertising.Xaml
          #     Microsoft.NET.Native.Framework.1.7, Microsoft.NET.Native.Runtime.1.7-
          #   List out framework packages:
          #     Get-AppxPackage | Where-Object { $_.IsFramework -eq $true } | Select-Object -ExpandProperty Name
          -
            name: Remove "App Connector" app
            recommend: strict
            docs: |-
              This script uninstalls the "App Connector" Windows app.
              The App Connector app accesses elements like your location, camera, contacts, and calendars [1] [2] [3].
              This raises some concerns about user privacy [2].

              In simpler terms, the App Connector acts as a bridge, facilitating communication between Microsoft services and other apps over the Internet [2] [4] [5].
              It's primarily aimed at developers, enabling them to connect with Microsoft cloud services, such as Azure, or with other internet-based applications [4].
              It's essentially a means to allow services to interact with tools like Microsoft Power Automate, Microsoft Power Apps, and Azure Logic Apps [4].
              Common services that can be connected using this include Salesforce, Office 365, Twitter, Dropbox, and Google services [4].
              To secure these connections, connectors typically use OAuth or usernames and passwords [5].

              This app comes pre-installed on certain versions of Windows [6].
              It was last seen on Windows 10 1511.
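Before uninstalling a package such as `Microsoft.Appconnector`, or the `SecHealthUI` packages removed by the "Windows Security" script earlier on this page, it helps to see how the package is actually present on the machine, using the installed/provisioned/framework distinction from the "Remove Windows apps" docs. The script below is an added example, not code from privacy.sexy: it reports those states for a package name, lists installed packages that declare it as a dependency (the case where a framework cannot be removed on its own), and, for the Windows Security app, checks that Microsoft Defender Antivirus and the firewall profiles are still active afterwards. Run it from an elevated PowerShell prompt; `Get-AppxProvisionedPackage` requires administrator rights.

```powershell
# Added example, not privacy.sexy code: inspect how an Appx package is present
# before removing it, and verify core protections afterwards.
# Run from an elevated PowerShell prompt on Windows 10/11.

function Get-AppxRemovalReport {
    # Reports the installation kinds distinguished in the category docs for one package name:
    # installed for this user, provisioned for new users, framework, plus dependent packages.
    param([Parameter(Mandatory)][string]$Name)

    $installed   = @(Get-AppxPackage -Name $Name -ErrorAction SilentlyContinue)
    $provisioned = @(Get-AppxProvisionedPackage -Online -ErrorAction SilentlyContinue |
                     Where-Object { $_.DisplayName -eq $Name })

    # Installed packages whose manifest depends on this package; if any exist,
    # the package (typically a framework) cannot be removed on its own.
    $dependents = @()
    foreach ($pkg in Get-AppxPackage) {
        foreach ($dep in $pkg.Dependencies) {
            if ($dep.Name -eq $Name) { $dependents += $pkg.PackageFullName }
        }
    }

    [pscustomobject]@{
        Name            = $Name
        Installed       = $installed.Count -gt 0
        PackageFullName = ($installed | ForEach-Object { $_.PackageFullName }) -join ', '
        PublisherId     = ($installed | ForEach-Object { $_.PublisherId } | Select-Object -Unique) -join ', '
        NonRemovable    = @($installed | Where-Object { $_.NonRemovable }).Count -gt 0
        IsFramework     = @($installed | Where-Object { $_.IsFramework }).Count -gt 0
        Provisioned     = $provisioned.Count -gt 0
        Dependents      = $dependents
    }
}

function Test-CoreProtectionsActive {
    # After removing SecHealthUI, Defender Antivirus and the firewall should still be on;
    # this returns what the engine and the firewall report so that can be verified.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $profiles = @(Get-NetFirewallProfile -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        AntivirusEnabled          = [bool]$mp.AntivirusEnabled
        RealTimeProtectionEnabled = [bool]$mp.RealTimeProtectionEnabled
        EnabledFirewallProfiles   = @($profiles | Where-Object { "$($_.Enabled)" -eq 'True' } |
                                     ForEach-Object { $_.Name }) -join ', '
    }
}

# --- Usage: the package names used by the scripts in this collection ---
foreach ($name in 'Microsoft.Windows.SecHealthUI', 'Microsoft.SecHealthUI', 'Microsoft.Appconnector') {
    Get-AppxRemovalReport -Name $name | Format-List
}
Test-CoreProtectionsActive | Format-List
```

`NonRemovable` is the flag that the notes on the "Windows Security" script refer to; when it is `True`, plain `Remove-AppxPackage` is refused, which is why that script uses the collection's non-removable variant. A non-empty `Dependents` list on a framework package means the removal of the dependents has to come first, matching the behaviour described above.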
### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ❌ | | Windows 10 | 20H2 | ❌ | | Windows 10 | 21H2 | ❌ | | Windows 10 | 22H2 | ❌ | | Windows 11 | 21H2 | ❌ | | Windows 11 | 22H2 | ❌ | | Windows 11 | 23H2 | ❌ | [1]: https://web.archive.org/web/20231009125830/https://indiaplus.in/app-connector/ "What Is An App Connector: Windows 10 | indiaplus.in" [2]: https://web.archive.org/web/20231009125808/https://answers.microsoft.com/en-us/windows/forum/all/windows-10-app-connector-and-windows-shell/975e590b-1258-4552-b50f-f8e20e9aa285?page=2 "Windows 10 app connector and Windows Shell Experience - Microsoft Community" [3]: https://web.archive.org/web/20231009125714/https://www.howtogeek.com/247661/nobody-knows-what-windows-10s-app-connector-is-and-microsoft-wont-explain-it/ "Nobody Knows What Windows 10's App Connector Is, and Microsoft Won't Explain It | howtogeek.com" [4]: https://web.archive.org/web/20231009125723/https://learn.microsoft.com/en-us/connectors/connectors "Power Platform connectors overview | Microsoft Learn" [5]: https://web.archive.org/web/20150502190718/https://azure.microsoft.com/en-us/documentation/articles/app-service-logic-data-connectors/ "Microsoft Azure API Apps Data Connectors | API Apps microservice | azure.microsoft.com" [6]: https://web.archive.org/web/20230929130219/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004#delete-the-payload-of-uwp-apps "Optimizing Windows 10, Build 2004, for a Virtual Desktop role | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.Appconnector # Get-AppxPackage Microsoft.Appconnector publisherId: 8wekyb3d8bbwe - category: Remove 3D modeling apps docs: |- This category provides scripts for uninstalling pre-installed 3D modeling applications from Windows.
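Every entry in this file identifies its target the same way: a `packageName` plus a `publisherId`, which together form the package family name (`Microsoft.Appconnector_8wekyb3d8bbwe` for the entry above). The preinstallation tables describe reference installations of each Windows build; the function below is an added example, not the collection's own `UninstallStoreApp`, that checks the same identifier on the machine you are actually on. It reports whether the package is installed for the current user, for any user profile, and whether it is still in the provisioned image, which is the copy Windows installs again into every newly created user profile. It also surfaces the `NonRemovable` flag, which is what separates entries that use `UninstallStoreApp` from those that need `UninstallNonRemovableStoreAppWithCleanup`. Assumptions: `Get-AppxProvisionedPackage` output has no publisher field, so the match is on `DisplayName` plus the publisher suffix of the full package name; the `NonRemovable` property exists on recent Windows 10 and Windows 11 builds and is treated as false where it is absent. Run from an elevated PowerShell.

```powershell
# Added example; not part of the collection's UninstallStoreApp function.
# Resolves a package the way this file identifies it (packageName + publisherId)
# and reports where it currently exists on this machine. Run from an elevated
# PowerShell: -AllUsers and Get-AppxProvisionedPackage need administrator rights.

function Get-StoreAppPresence {
    param(
        [Parameter(Mandatory)][string]$PackageName,
        [Parameter(Mandatory)][string]$PublisherId
    )
    # Package family name, e.g. Microsoft.Appconnector_8wekyb3d8bbwe
    $family = "${PackageName}_${PublisherId}"

    $forCurrentUser = @(Get-AppxPackage -Name $PackageName |
        Where-Object { $_.PublisherId -eq $PublisherId })
    $forAnyUser = @(Get-AppxPackage -Name $PackageName -AllUsers |
        Where-Object { $_.PublisherId -eq $PublisherId })

    # Provisioned packages expose no PublisherId field (assumption documented in the
    # lead-in): match on DisplayName and on the publisher suffix of the full name,
    # which has the shape Name_Version_Architecture_ResourceId_PublisherId.
    $provisioned = @(Get-AppxProvisionedPackage -Online |
        Where-Object { $_.DisplayName -eq $PackageName -and $_.PackageName -like "*_$PublisherId" })

    $versions = @($forAnyUser | ForEach-Object { "$($_.Version)" } | Sort-Object -Unique) +
                @($provisioned | ForEach-Object { "$($_.Version) (provisioned)" })

    [pscustomobject]@{
        PackageFamilyName = $family
        CurrentUser       = $forCurrentUser.Count -gt 0
        AnyUser           = $forAnyUser.Count -gt 0
        Provisioned       = $provisioned.Count -gt 0
        # NonRemovable is absent on older builds; a missing property reads as $false here.
        NonRemovable      = @($forAnyUser | Where-Object { $_.NonRemovable }).Count -gt 0
        Versions          = $versions -join ', '
    }
}

# Usage: the identifiers from the entries in this file. Run before the removal
# scripts to compare the table with this machine, and again afterwards to confirm
# that neither an installed copy nor a provisioned copy is left behind.
@(
    @{ PackageName = 'Microsoft.Appconnector'; PublisherId = '8wekyb3d8bbwe' }
    @{ PackageName = 'Microsoft.Print3D';      PublisherId = '8wekyb3d8bbwe' }
    @{ PackageName = 'Windows.Print3D';        PublisherId = 'cw5n1h2txyewy' }
) | ForEach-Object { Get-StoreAppPresence @_ } | Format-Table -AutoSize
```

A row with `AnyUser` false but `Provisioned` true is the case to watch for: the app is gone from existing profiles but will reappear for the next user created on the machine, and for that `Remove-AppxPackage` alone is not enough.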
3D modeling applications allow users to create, visualize, and manipulate three-dimensional objects in a virtual space. They are particularly useful for designers, artists, and professionals who need to create 3D designs for various purposes. These apps, while useful for certain users, might not be required by everyone, thus providing the option to uninstall them. children: - name: Remove insecure "Print 3D" app recommend: standard # Deprecated application with known security vulnerabilities; removal does not impact essential system functionality docs: |- This script uninstalls the "Print 3D" application. This app enhances 3D printing by supporting network printers, optimizing settings, and rendering objects realistically [1]. However, this app poses certain risks. The application can access the Internet, home or work networks, and your 3D objects [1]. It has a known remote code execution vulnerability, CVE-2023-23378 [2]. A vulnerability of this kind allows an attacker to run code of their choosing on your system. This app is no longer supported [3], and Microsoft does not plan to issue patches [2]. Removing this app mitigates security risks, enhances privacy by reducing data exposure, and frees up system resources, potentially improving performance. Microsoft has deprecated the "Print 3D" app in favor of the "Microsoft 3D Builder" app [3]. It is recommended to upgrade to this newer application for ongoing support and features. This script removes both the legacy `Windows.Print3D` and the current `Microsoft.Print3D` packages from your system. The package was renamed from `Windows.Print3D` to `Microsoft.Print3D` in Windows 10, version 1903 [4]. See also: [Microsoft Store Page](https://web.archive.org/web/20211207041221/https://www.microsoft.com/en-us/p/print-3d/9pbpch085s3s?activetab=pivot:overviewtab) ### Overview of default preinstallation `Microsoft.Print3D`: This app comes pre-installed on certain versions of Windows [4] [5] [6] [7].
| OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ❌ | | Windows 10 | 21H2 | ❌ | | Windows 10 | 22H2 | ❌ | | Windows 11 | 21H2 | ❌ | | Windows 11 | 22H2 | ❌ | | Windows 11 | 23H2 | ❌ | `Windows.Print3D`: This app comes pre-installed on certain versions of Windows [4] [5] [8]. | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ❌ | | Windows 10 | 20H2 | ❌ | | Windows 10 | 21H2 | ❌ | | Windows 10 | 22H2 | ❌ | | Windows 11 | 21H2 | ❌ | | Windows 11 | 22H2 | ❌ | | Windows 11 | 23H2 | ❌ | [1]: https://web.archive.org/web/20231003172322/https://apps.microsoft.com/store/detail/3d-builder/9WZDNCRFJ3T6?hl=en-us "3D Builder - Microsoft Store Apps | apps.microsoft.com" [2]: https://archive.ph/2024.05.20-104104/https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23378 "CVE-2023-23378 - Security Update Guide - Microsoft - Print 3D Remote Code Execution Vulnerability | msrc.microsoft.com" [3]: https://web.archive.org/web/20240403064138/https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features "Deprecated features in the Windows client - What's new in Windows | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240520104135/https://github.com/MicrosoftDocs/windows-itpro-docs/pull/4153#issuecomment-519160643 "Provisioned Apps list + System Apps list for Windows 10 1903 by RAJU2529 · Pull Request #4153 · MicrosoftDocs/windows-itpro-docs | github.com" [5]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [6]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [7]: 
https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn" [8]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: - function: UninstallStoreApp parameters: packageName: Microsoft.Print3D # Get-AppxPackage Microsoft.Print3D publisherId: 8wekyb3d8bbwe - function: UninstallNonRemovableStoreAppWithCleanup parameters: packageName: Windows.Print3D # Get-AppxPackage Windows.Print3D publisherId: cw5n1h2txyewy - name: Remove "Microsoft 3D Builder" app docs: |- This script uninstalls the "Microsoft 3D Builder" app. Microsoft 3D Builder offers tools for creating, viewing, and printing 3D objects [1]. It supports editing various 3D file types with features like material rendering, texture layering, and includes tools to prepare models for 3D printing [1]. This app succeeded the older "Print 3D" app as the default 3D printing software starting with Windows 10, version 19H1 [2]. This application uses your webcam, microphone, and internet connection [1], posing privacy risks due to potential data exposure. Uninstalling this app reduces privacy risks, frees up system resources, and minimizes the attack surface, thereby enhancing security. See also: [Microsoft Store Page](https://archive.ph/2024.05.23-070639/https://apps.microsoft.com/detail/9wzdncrfj3t6?hl=en-us&gl=US) ### Overview of default preinstallation This app comes pre-installed on certain versions of Windows [3] [4] [5]. Since Windows 10, version 1709, it has not been installed by default [6].
| OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ❌ | | Windows 10 | 20H2 | ❌ | | Windows 10 | 21H2 | ❌ | | Windows 10 | 22H2 | ❌ | | Windows 11 | 21H2 | ❌ | | Windows 11 | 22H2 | ❌ | | Windows 11 | 23H2 | ❌ | [1]: https://archive.ph/2024.05.23-070639/https://apps.microsoft.com/detail/9wzdncrfj3t6?hl=en-us&gl=US "3D Builder - Microsoft Store Apps | apps.microsoft.com" [2]: https://web.archive.org/web/20240403064138/https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features "Deprecated features in the Windows client - What's new in Windows | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [4]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [5]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn" [6]: https://web.archive.org/web/20240520103449/https://learn.microsoft.com/en-us/windows/whats-new/removed-features "Features and functionality removed in Windows client - What's new in Windows | Microsoft Learn | learn.microsoft.com" call: function: UninstallStoreApp parameters: packageName: Microsoft.3DBuilder # Get-AppxPackage Microsoft.3DBuilder publisherId: 8wekyb3d8bbwe - name: Remove "3D Viewer" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003172807/https://apps.microsoft.com/store/detail/3d-viewer/9NBLGGH42THS?hl=en-us) It's also known as "Microsoft 3D Viewer" [1]. 
This app comes pre-installed on certain versions of Windows [2] [3] [4]. It was added in Windows 10, version 1703 [3]. ### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ❌ | | Windows 11 | 22H2 | ❌ | | Windows 11 | 23H2 | ❌ | [1]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [3]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.Microsoft3DViewer # Get-AppxPackage Microsoft.Microsoft3DViewer publisherId: 8wekyb3d8bbwe - category: Remove MSN (Bing) apps docs: |- This category includes scripts to uninstall MSN (sometimes branded as "Bing" or just "Microsoft") applications from Windows. MSN apps come bundled with Windows and provide users with information from various domains such as weather, sports, news, and finance. While they offer easy access to curated content right from the desktop, not all users find them essential. 
If users prefer other sources or tools for this information, they might wish to uninstall these default apps to declutter their system. children: - name: Remove "MSN Weather" app recommend: standard docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003173207/https://apps.microsoft.com/store/detail/msn-weather/9WZDNCRFJ3Q2?hl=en-us) It's also known as just "Weather" app [1], or previously known as "Bing Weather" [2]. This app comes pre-installed on certain versions of Windows [1] [2] [3] [4]. ### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [3]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.BingWeather # Get-AppxPackage Microsoft.BingWeather publisherId: 8wekyb3d8bbwe - name: Remove "MSN Sports" app recommend: standard docs: |- [Microsoft Store 
Page](https://web.archive.org/web/20221204144111/https://apps.microsoft.com/store/detail/msn-sports/9WZDNCRFHVH4?hl=en-us&gl=us) It's also known as just "Sports" app [1]. This app comes pre-installed on certain versions of Windows [1]. ### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ❌ | | Windows 10 | 20H2 | ❌ | | Windows 10 | 21H2 | ❌ | | Windows 10 | 22H2 | ❌ | | Windows 11 | 21H2 | ❌ | | Windows 11 | 22H2 | ❌ | | Windows 11 | 23H2 | ❌ | [1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.BingSports # Get-AppxPackage Microsoft.BingSports publisherId: 8wekyb3d8bbwe - name: Remove "Microsoft News" app recommend: standard docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003194608/https://apps.microsoft.com/store/detail/microsoft-news/9WZDNCRFHVFW?hl=en-us) It's also known as just "News" app [1]. This app comes pre-installed on certain versions of Windows [1] [2]. 
### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ❌ | | Windows 10 | 20H2 | ❌ | | Windows 10 | 21H2 | ❌ | | Windows 10 | 22H2 | ❌ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" call: function: UninstallStoreApp parameters: packageName: Microsoft.BingNews # Get-AppxPackage Microsoft.BingNews publisherId: 8wekyb3d8bbwe - name: Remove "MSN Money" app recommend: standard docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003195625/https://apps.microsoft.com/store/detail/msn-money/9WZDNCRFHV4V) It's also known as just "Money" app [1]. This app comes pre-installed on certain versions of Windows [1]. 
### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ❌ | | Windows 10 | 20H2 | ❌ | | Windows 10 | 21H2 | ❌ | | Windows 10 | 22H2 | ❌ | | Windows 11 | 21H2 | ❌ | | Windows 11 | 22H2 | ❌ | | Windows 11 | 23H2 | ❌ | [1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.BingFinance # Get-AppxPackage Microsoft.BingFinance publisherId: 8wekyb3d8bbwe - name: Remove "Cortana" app recommend: standard docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003195834/https://apps.microsoft.com/store/detail/cortana/9NFFX4SZZ23L) ### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ❌ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | call: function: UninstallStoreApp parameters: packageName: Microsoft.549981C3F5F10 # Get-AppxPackage Microsoft.549981C3F5F10 publisherId: 8wekyb3d8bbwe - name: Remove "App Installer" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003200344/https://apps.microsoft.com/store/detail/app-installer/9NBLGGH4NNS1) It's also known as "Desktop App Installer" app [1]. This app comes pre-installed on certain versions of Windows [1] [2] [3]. 
### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [3]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.DesktopAppInstaller # Get-AppxPackage Microsoft.DesktopAppInstaller publisherId: 8wekyb3d8bbwe - name: Remove "Get Help" app (breaks built-in troubleshooting) docs: |- This script removes the "Get Help" app. This app comes pre-installed on certain versions of Windows [1] [2] [3]. "Get Help" is an application designed to assist users with Windows-related issues [4]. It offers solutions through troubleshooters, instant answers, and Microsoft support articles. It connects users with Microsoft support agents and the Microsoft community for personalized assistance [4]. Removing "Get Help" not only supports a minimalist system approach but also helps reduce potential data collection. Typically, support tools like "Get Help" gather diagnostic data and user interactions, which are used to improve service and provide tailored support. By uninstalling this app, users can enhance their privacy by reducing their digital footprint. 
However, removing "Get Help" disrupts some system support functionalities. For instance, the built-in internet troubleshooting feature will cease to function [5]. Attempts to diagnose network problems from the system tray will result in an error message, indicating the absence of an application to manage the troubleshooting process [5]. The script also affects system-generated URLs such as `ms-contact-support://oem/`, which direct to OEM-specific support services [6]. Post-removal, users will need to identify alternative support options for system troubleshooting. See also: [Microsoft Store Page](https://web.archive.org/web/20231003200627/https://apps.microsoft.com/store/detail/get-help/9PKDZBMV1H3T) > **Caution:** Removing the "Get Help" app limits access to Windows' built-in support resources and troubleshooting tools. > This action may hinder your ability to receive direct assistance from Microsoft and utilize automatic problem-solving features for system issues. ### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [3]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn" [4]: 
https://web.archive.org/web/20231003200627/https://apps.microsoft.com/store/detail/get-help/9PKDZBMV1H3T "Get Help - Microsoft Store Apps | apps.microsoft.com" [5]: https://github.com/undergroundwires/privacy.sexy/issues/280 '[BUG]: Removing "Get Help" breaks internet troubleshooting · Issue #280 · undergroundwires/privacy.sexy | github.com/undergroundwires' [6]: https://web.archive.org/web/20231106214139/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/customize-get-help-app "Customize the Get Help app | Microsoft Learn | learn.microsoft.com" call: function: UninstallStoreApp parameters: packageName: Microsoft.GetHelp # Get-AppxPackage Microsoft.GetHelp publisherId: 8wekyb3d8bbwe - name: Remove "Microsoft Tips" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003200952/https://apps.microsoft.com/store/detail/microsoft-tips/9WZDNCRDTBJJ) This app comes pre-installed on certain versions of Windows [1] [2] [3] [4]. ### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [4]: 
https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.Getstarted # Get-AppxPackage Microsoft.Getstarted publisherId: 8wekyb3d8bbwe - category: Remove extension apps docs: |- This category contains scripts to uninstall extension apps. Extension apps are add-ons that enhance functionality related to media, images, and other software capabilities. Many of these extensions come pre-installed on some Windows versions [1]. While they can be helpful, not everyone needs them. Unused extensions can present security risks due to potential critical vulnerabilities [2] [3]. A critical vulnerability is a serious security risk that could allow attackers to gain full control of your system. This risk is heightened because extensions usually have extensive access to the system. By using these scripts, you can remove unnecessary extensions to improve your computer's security and lower the risk of cyber attacks, a proactive measure for security and privacy. > **Caution:** Uninstalling extensions could affect certain features, such as media playback or image processing. 
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20231230081051/https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-80307/Microsoft-Hevc-Video-Extensions.html "Microsoft Hevc Video Extensions : Security vulnerabilities, CVEs | cvedetails.com" [3]: https://web.archive.org/web/20231231094958/https://www.opencve.io/cve?vendor=microsoft&product=raw_image_extension "Microsoft - Raw Image Extension CVE - OpenCVE | www.opencve.io" children: - name: Remove "HEIF Image Extensions" app docs: |- This script uninstalls the "HEIF Image Extensions" app. The HEIF Image Extension lets Windows devices read and write files in the High Efficiency Image File (HEIF) format, commonly with `.heic` or `.heif` extensions [1]. This app contains high-severity vulnerabilities in certain versions [2]. A high-severity vulnerability is a serious security risk that could allow attackers to gain full control of your system. Removing this app will improve your system's security and reduce the risk of these threats. This app comes pre-installed on certain versions of Windows [3] [4]. [Microsoft Store Page](https://web.archive.org/web/20231003201158/https://apps.microsoft.com/store/detail/heif-image-extensions/9PMMSR1CGPWG) > **Caution:** Removing this app could impact your ability to view and manage high-efficiency image files in `.heic` or `.heif` formats.
### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20231003201158/https://apps.microsoft.com/store/detail/heif-image-extensions/9PMMSR1CGPWG "HEIF Image Extensions - Microsoft Store Apps | apps.microsoft.com" [2]: https://web.archive.org/web/20231231101743/https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-88754/Microsoft-Heif-Image-Extension.html "Microsoft Heif Image Extension : Security vulnerabilities, CVEs | cvedetails.com" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [4]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" call: function: UninstallStoreApp parameters: packageName: Microsoft.HEIFImageExtension # Get-AppxPackage Microsoft.HEIFImageExtension publisherId: 8wekyb3d8bbwe - name: Remove "VP9 Video Extensions" app docs: |- This script uninstalls the "VP9 Video Extensions" app. The "VP9 Video Extensions" app facilitates the playback of VP9 video format, widely used for internet streaming, across various video applications on Windows [1]. The app leverages hardware capabilities on newer devices for enhanced performance and offers software support where such hardware is absent [1]. This app contains high-severity vulnerabilities in certain versions [2]. A high-severity vulnerability is a serious security risk that could allow attackers to gain full control of your system.
Removing this app will improve your system's security and reduce the risk of these threats. This app comes pre-installed on certain versions of Windows [3] [4]. [Microsoft Store Page](https://web.archive.org/web/20231003201732/https://apps.microsoft.com/store/detail/vp9-video-extensions/9N4D0MSMP0PT) > **Caution:** Removing this app could impact your ability to play VP9 video content, widely used in internet streaming. ### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20231003201732/https://apps.microsoft.com/store/detail/vp9-video-extensions/9N4D0MSMP0PT "VP9 Video Extensions - Microsoft Apps | apps.microsoft.com" [2]: https://web.archive.org/web/20231231101046/https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-82475/version_id-637349/Microsoft-Vp9-Video-Extensions--.html "Microsoft Vp9 Video Extensions version - : Security vulnerabilities, CVEs | cvedetails.com" [3]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [4]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.VP9VideoExtensions # Get-AppxPackage Microsoft.VP9VideoExtensions publisherId: 8wekyb3d8bbwe - name: Remove "Web Media Extensions" app docs: |- This script uninstalls the "Web Media Extensions" app.
"Web Media Extensions" package enhances Microsoft Edge and Windows by supporting open source formats commonly used on the web [1]. It enables native playback of media in OGG format and content encoded with Vorbis or Theora codecs [1]. This app contains high-severity vulnerabilities in certain versions [2]. A high-severity vulnerability is a serious security risk that could allow attackers to gain full control of your system. Removing this app will improve your system's security and reduce the risk of these threats. This app comes pre-installed on certain versions of Windows [3] [4]. [Microsoft Store Page](https://archive.ph/2023.12.31-102721/https://apps.microsoft.com/detail/9N5TDP8VCMHS?hl=en-us&gl=US) > **Caution:** Removing this app may limit playback of media in OGG format or content encoded with Vorbis or Theora codecs. ### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://archive.ph/2023.12.31-102721/https://apps.microsoft.com/detail/9N5TDP8VCMHS?hl=en-us&gl=US "Web Media Extensions - Microsoft Apps | apps.microsoft.com" [2]: https://web.archive.org/web/20231231101609/https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-94822/Microsoft-Web-Media-Extensions.html "Microsoft Web Media Extensions : Security vulnerabilities, CVEs | cvedetails.com" [3]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [4]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function:
UninstallStoreApp parameters: packageName: Microsoft.WebMediaExtensions # Get-AppxPackage Microsoft.WebMediaExtensions publisherId: 8wekyb3d8bbwe - name: Remove "Webp Image Extensions" app docs: |- This script uninstalls the "Webp Image Extensions" app. The "Webp Image Extensions" app allows Microsoft Edge browser to display WebP images [1]. WebP is an advanced image format offering efficient compression to support smaller, high-quality images on the web [1]. This app contains vulnerabilities in certain versions [2]. Removing this app will improve your system's security and reduce the risk of these threats. This app comes pre-installed on certain versions of Windows [3] [4]. [Microsoft Store Page](https://web.archive.org/web/20231003202310/https://apps.microsoft.com/store/detail/webp-image-extensions/9PG2DK419DRG) > **Caution:** Removing this app may affect your ability to view WebP images in the Microsoft Edge browser and other applications. ### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20231003202310/https://apps.microsoft.com/store/detail/webp-image-extensions/9PG2DK419DRG "Webp Image Extensions - Microsoft Store Apps | apps.microsoft.com" [2]: https://web.archive.org/web/20231231095646/https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-88755/Microsoft-Webp-Image-Extension.html "Microsoft Webp Image Extension : Security vulnerabilities, CVEs | cvedetails.com" [3]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [4]: 
https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.WebpImageExtension # Get-AppxPackage Microsoft.WebpImageExtension publisherId: 8wekyb3d8bbwe - name: Remove "HEVC Video Extensions" app docs: |- This script uninstalls the "HEVC Video Extensions" app. The app is designed to extend the capability of Windows to play and produce HEVC (High Efficiency Video Coding) encoded video content, which is key for high-quality video formats like 4K and Ultra HD [1]. The app utilizes hardware features in newer devices to enhance video quality [1]. However, for devices lacking hardware support, the app provides software support, although the performance might vary based on video resolution and PC capabilities [1]. It also includes the H265 codec, essential for HEVC video processing [2]. This app contains critical severity vulnerabilities in certain versions [3]. A critical vulnerability is a serious security risk that could allow attackers to gain full control of your system. Removing this app will improve your system's security and reduce the risk of these threats. This app comes pre-installed on certain versions of Windows [4]. [Microsoft Store Page](https://archive.ph/2023.12.30-072158/https://apps.microsoft.com/detail/9NMZLZ57R3T7?hl=en-us&gl=US) > **Caution:** Removing this app could impact your ability to handle HEVC-encoded content. 
### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ❌ | | Windows 10 | 20H2 | ❌ | | Windows 10 | 21H2 | ❌ | | Windows 10 | 22H2 | ❌ | | Windows 11 | 21H2 | ❌ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://archive.ph/2023.12.30-072158/https://apps.microsoft.com/detail/9NMZLZ57R3T7?hl=en-us&gl=US "HEVC Video Extensions - Microsoft Apps | apps.microsoft.com" [2]: https://web.archive.org/web/20231230073622/https://learn.microsoft.com/en-us/azure/remote-rendering/resources/troubleshoot#h265-codec-not-available "Troubleshoot - Azure Remote Rendering | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20231230081051/https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-80307/Microsoft-Hevc-Video-Extensions.html "Microsoft Hevc Video Extensions : Security vulnerabilities, CVEs | cvedetails.com" [4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.HEVCVideoExtension # Get-AppxPackage Microsoft.HEVCVideoExtension publisherId: 8wekyb3d8bbwe - name: Remove "Raw Image Extension" app docs: |- This script uninstalls the "Raw Image Extension" app. This app enables viewing support for raw file formats from digital cameras directly in Windows File Explorer and the Photos app [1]. It utilizes the [libraw](https://www.libraw.org/) open source project for this functionality [1]. This app contains critical severity vulnerabilities in certain versions [2]. A critical vulnerability is a serious security risk that could allow attackers to gain full control of your system. Removing this app will improve your system's security and reduce the risk of these threats. 
[Microsoft Store Page](https://archive.ph/2023.12.30-072308/https://apps.microsoft.com/detail/9NCTDW2W1BH8?hl=en-US&gl=US) > **Caution:** Uninstalling this app may limit your ability to view and handle raw images from digital cameras. ### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ❌ | | Windows 10 | 20H2 | ❌ | | Windows 10 | 21H2 | ❌ | | Windows 10 | 22H2 | ❌ | | Windows 11 | 21H2 | ❌ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://archive.ph/2023.12.30-072308/https://apps.microsoft.com/detail/9NCTDW2W1BH8?hl=en-US&gl=US "Raw Image Extension - Microsoft Apps | apps.microsoft.com" [2]: https://web.archive.org/web/20231231094958/https://www.opencve.io/cve?vendor=microsoft&product=raw_image_extension "Microsoft - Raw Image Extension CVE - OpenCVE | www.opencve.io" call: function: UninstallStoreApp parameters: packageName: Microsoft.RawImageExtension # Get-AppxPackage Microsoft.RawImageExtension publisherId: 8wekyb3d8bbwe - name: Remove "Microsoft Messaging" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003202812/https://apps.microsoft.com/store/detail/microsoft-messaging/9WZDNCRFJBQ6) It's also known as just "Messaging" [1] or "Skype Video" [1]. This app comes pre-installed on certain versions of Windows [1] [2] [3] [4]. 
### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ❌ | | Windows 10 | 21H2 | ❌ | | Windows 10 | 22H2 | ❌ | | Windows 11 | 21H2 | ❌ | | Windows 11 | 22H2 | ❌ | | Windows 11 | 23H2 | ❌ | [1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.Messaging # Get-AppxPackage Microsoft.Messaging publisherId: 8wekyb3d8bbwe - name: Remove "Mixed Reality Portal" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003202910/https://apps.microsoft.com/store/detail/mixed-reality-portal/9NG1H8B3ZC7M) This app comes pre-installed on certain versions of Windows [1] [2]. 
### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ❌ | | Windows 11 | 22H2 | ❌ | | Windows 11 | 23H2 | ❌ | [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.MixedReality.Portal # Get-AppxPackage Microsoft.MixedReality.Portal publisherId: 8wekyb3d8bbwe - category: Remove Microsoft Office apps docs: |- This category focuses on scripts that help uninstall select Microsoft Office apps that may come pre-installed with Windows. Microsoft Office suite is a popular productivity suite, providing tools for a wide range of tasks like document creation, note-taking, and interactive presentation development. However, while many of these apps like Word, Excel, and PowerPoint are commonly used, some other apps like My Office, OneNote, and Sway might not be essential for all users. Especially, if users have other preferred tools or the web versions suit their needs better. children: - name: Remove "Microsoft 365 (Office)" app recommend: standard docs: |- [Microsoft Store Page](https://archive.ph/2023.10.07-113623/https://apps.microsoft.com/detail/microsoft-365-(office)/9WZDNCRD29V9?hl=en-us&gl=SE) It's formerly known as just "Office" app [1] [2]. This app comes pre-installed on certain versions of Windows [1] [2] [3]. 
### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [3]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.MicrosoftOfficeHub # Get-AppxPackage Microsoft.MicrosoftOfficeHub publisherId: 8wekyb3d8bbwe - name: Remove "OneNote" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003203445/https://apps.microsoft.com/store/detail/onenote/9WZDNCRFHVJL) This app was previously known as "OneNote for Windows 10" [1] [2]. This app comes pre-installed on certain versions of Windows [1] [2] [3] [4]. 
### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ❌ | | Windows 11 | 22H2 | ❌ | | Windows 11 | 23H2 | ❌ | [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [3]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.Office.OneNote # Get-AppxPackage Microsoft.Office.OneNote publisherId: 8wekyb3d8bbwe - name: Remove "Sway" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003204225/https://apps.microsoft.com/store/detail/sway/9WZDNCRD2G0J?hl=en-us) This app comes pre-installed on certain versions of Windows [1]. 
### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ❌ | | Windows 10 | 20H2 | ❌ | | Windows 10 | 21H2 | ❌ | | Windows 10 | 22H2 | ❌ | | Windows 11 | 21H2 | ❌ | | Windows 11 | 22H2 | ❌ | | Windows 11 | 23H2 | ❌ | [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" call: function: UninstallStoreApp parameters: packageName: Microsoft.Office.Sway # Get-AppxPackage Microsoft.Office.Sway publisherId: 8wekyb3d8bbwe - name: Remove "Feedback Hub" app recommend: standard docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003210719/https://apps.microsoft.com/store/detail/feedback-hub/9NBLGGH4R32N) This app comes pre-installed on certain versions of Windows [1] [2] [3] [4]. ### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed 
apps from returning during an update - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.WindowsFeedbackHub # Get-AppxPackage Microsoft.WindowsFeedbackHub publisherId: 8wekyb3d8bbwe - name: Remove "Windows Alarms and Clock" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231004092407/https://apps.microsoft.com/store/detail/windows-clock/9WZDNCRFJ3PR) This app was previously named "Windows Alarms & Clock" [1] [2]. This app comes pre-installed on certain versions of Windows [1] [2] [3]. ### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [3]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.WindowsAlarms # Get-AppxPackage Microsoft.WindowsAlarms publisherId: 8wekyb3d8bbwe - name: Remove "Windows Camera" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231004092455/https://apps.microsoft.com/store/detail/windows-camera/9WZDNCRFJBBG) It's also known as just "Camera" [1]. 
This app comes pre-installed on certain versions of Windows [1] [2] [3] [4]. ### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.WindowsCamera # Get-AppxPackage Microsoft.WindowsCamera publisherId: 8wekyb3d8bbwe - name: Remove "Paint 3D" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231004092446/https://apps.microsoft.com/store/detail/paint-3d/9NBLGGH5FV99) This app comes pre-installed on certain versions of Windows [1] [2] [3]. 
### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ❌ | | Windows 11 | 22H2 | ❌ | | Windows 11 | 23H2 | ❌ | [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [3]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.MSPaint # Get-AppxPackage Microsoft.MSPaint publisherId: 8wekyb3d8bbwe - name: Remove "Windows Maps" app recommend: standard docs: |- [Microsoft Store Page](https://web.archive.org/web/20231004092559/https://apps.microsoft.com/store/detail/windows-maps/9WZDNCRDTBVB) It is also known as just "Maps" [1]. This app comes pre-installed on certain versions of Windows [1] [2] [3] [4]. 
### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.WindowsMaps # Get-AppxPackage Microsoft.WindowsMaps publisherId: 8wekyb3d8bbwe - name: Remove "Minecraft for Windows" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231004092835/https://apps.microsoft.com/store/detail/minecraft-for-windows/9nblggh2jhxj) ### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ❌ | | Windows 10 | 20H2 | ❌ | | Windows 10 | 21H2 | ❌ | | Windows 10 | 22H2 | ❌ | | Windows 11 | 21H2 | ❌ | | Windows 11 | 22H2 | ❌ | | Windows 11 | 23H2 | ❌ | call: function: UninstallStoreApp parameters: packageName: Microsoft.MinecraftUWP # Get-AppxPackage Microsoft.MinecraftUWP publisherId: 8wekyb3d8bbwe - category: Remove Microsoft Store apps 
docs: |- This category houses scripts dedicated to uninstalling specific applications related to the Microsoft Store. As the digital storefront for Microsoft, the Microsoft Store is a hub for apps, games, movies, and other content. While it provides a convenient method of obtaining software, some users might wish to uninstall or disable it for reasons like performance optimization or data privacy concerns. As always, when disabling or uninstalling core system apps, it is crucial to be informed of the potential repercussions and act carefully. children: - name: Remove "Microsoft Store" app docs: |- This script aims to uninstall the Microsoft Store app (also known as Store [1]). This app comes pre-installed on certain versions of Windows [1] [2] [3] [4]. Microsoft has mentioned that it doesn't officially support the uninstallation of this app [4] [5]. Removing it might lead to unwanted effects [5]. The Microsoft Store is subject to the data collection policies laid out in the Windows privacy statement [6]. It can collect diagnostic data about your device, its settings, and capabilities [7]. This data is sent to Microsoft and can include unique identifiers, potentially allowing Microsoft to recognize a user and their device [7]. Additionally, the data can offer insights into your device's settings, capabilities, health, visited websites, device activity (or usage), and, the memory state of your device [7]. Sometimes, this might inadvertently include parts of a file you are using [7]. From a security perspective, the Microsoft Store increases potential risks, as it has known vulnerabilities [8]. To address privacy and security concerns, it might be beneficial to disable the Microsoft Store and explore alternative methods for software package management. However, considering the official stance from Microsoft on uninstallation, it's important to understand that this action might affect some core functionalities of the operating system. 
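                  Because Microsoft does not support uninstalling this app and a removed provisioned app can return for new profiles or after an update, it is worth knowing exactly what state the package is in before and after running the entry. The PowerShell below is an added example for that check; it is not the collection's own `UninstallStoreApp` function. It assumes an elevated Windows PowerShell session with the built-in Appx and DISM modules, and the names `$packageNames`, `Get-StoreAppState` and `Remove-StoreAppEverywhere` are chosen here; the package name and publisher ID are the ones used by the entries in this file.

                  ```powershell
                  #Requires -RunAsAdministrator
                  # Added example (not privacy.sexy's UninstallStoreApp): report whether a Store
                  # app is installed for the current user, for any user, or provisioned in the
                  # image, and optionally remove all three. Names ($packageNames,
                  # Get-StoreAppState, Remove-StoreAppEverywhere) are chosen for this example.
                  Set-StrictMode -Version Latest

                  $publisherId  = '8wekyb3d8bbwe'
                  $packageNames = @('Microsoft.WindowsStore', 'Microsoft.StorePurchaseApp')

                  function Get-StoreAppState {
                      param(
                          [Parameter(Mandatory)] [string] $PackageName,
                          [Parameter(Mandatory)] [string] $PublisherId
                      )
                      # Package family name is "<packageName>_<publisherId>", the identity the entries use.
                      $family = "${PackageName}_${PublisherId}"

                      # Installed in the current user's profile.
                      $forMe = @(Get-AppxPackage -Name $PackageName -ErrorAction SilentlyContinue |
                          Where-Object PackageFamilyName -eq $family)
                      # Installed in any profile on the machine (needs elevation).
                      $forAll = @(Get-AppxPackage -AllUsers -Name $PackageName -ErrorAction SilentlyContinue |
                          Where-Object PackageFamilyName -eq $family)
                      # Provisioned in the image: re-installed into every newly created profile,
                      # so removing only the installed copy does not keep the app away.
                      $prov = @(Get-AppxProvisionedPackage -Online |
                          Where-Object DisplayName -eq $PackageName)

                      [pscustomobject]@{
                          PackageFamilyName = $family
                          CurrentUser       = $forMe.Count -gt 0
                          AnyUser           = $forAll.Count -gt 0
                          Provisioned       = $prov.Count -gt 0
                          Versions          = ($forAll | Select-Object -ExpandProperty Version -Unique) -join ', '
                      }
                  }

                  function Remove-StoreAppEverywhere {
                      [CmdletBinding(SupportsShouldProcess)]
                      param(
                          [Parameter(Mandatory)] [string] $PackageName,
                          [Parameter(Mandatory)] [string] $PublisherId
                      )
                      $family = "${PackageName}_${PublisherId}"
                      # Installed copies, for every profile.
                      Get-AppxPackage -AllUsers -Name $PackageName -ErrorAction SilentlyContinue |
                          Where-Object PackageFamilyName -eq $family |
                          ForEach-Object {
                              if ($PSCmdlet.ShouldProcess($_.PackageFullName, 'Remove-AppxPackage -AllUsers')) {
                                  Remove-AppxPackage -Package $_.PackageFullName -AllUsers
                              }
                          }
                      # The provisioned copy, so new profiles do not get the app back.
                      Get-AppxProvisionedPackage -Online |
                          Where-Object DisplayName -eq $PackageName |
                          ForEach-Object {
                              if ($PSCmdlet.ShouldProcess($_.PackageName, 'Remove-AppxProvisionedPackage -Online')) {
                                  Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName | Out-Null
                              }
                          }
                  }

                  # Report the current state of each package in the list.
                  $packageNames |
                      ForEach-Object { Get-StoreAppState -PackageName $_ -PublisherId $publisherId } |
                      Format-Table -AutoSize

                  # Preview what a removal would do without changing anything:
                  # Remove-StoreAppEverywhere -PackageName 'Microsoft.WindowsStore' -PublisherId $publisherId -WhatIf
                  ```

                  Run the report once before and once after the entry: a row that still shows `Provisioned` as `True` explains why the app reappears for new accounts, and a row with `AnyUser` `True` but `CurrentUser` `False` shows the app was only removed from one profile.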
### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [2]: https://web.archive.org/web/20231004094641/https://learn.microsoft.com/en-us/troubleshoot/windows-client/shell-experience/pre-installed-microsoft-store-app-removed-logon "Pre-installed Microsoft Store app is removed at first Windows logon - Windows Client | Microsoft Learn" [3]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn" [4]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [5]: https://web.archive.org/web/20231004093559/https://learn.microsoft.com/en-us/troubleshoot/windows-client/shell-experience/cannot-remove-uninstall-or-reinstall-microsoft-store-app "Can't remove, uninstall, or reinstall Microsoft Store app - Windows Client | Microsoft Learn" [6]: https://web.archive.org/web/20231004094058/https://github.com/microsoft/winget-cli/issues/179#issuecomment-631183527 "Please include ability to opt out of telemetry and clear documentation on how to opt out · Issue #179 · microsoft/winget-cli · GitHub" [7]: https://web.archive.org/web/20231004094657/https://support.microsoft.com/en-us/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319#ID0EDF "Diagnostics, 
feedback, and privacy in Windows - Microsoft Support" [8]: https://web.archive.org/web/20231004100105/https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=microsoft+store&queryType=phrase&search_type=all&isCpeNameSearch=false "Search: Microsoft Store | NVD - Results | nist.gov" call: function: UninstallStoreApp parameters: packageName: Microsoft.WindowsStore # Get-AppxPackage Microsoft.WindowsStore publisherId: 8wekyb3d8bbwe - name: Remove "Store Purchase" app docs: |- This script uninstalls the "Store Purchase" app. The Store Purchase app is linked with the purchase feature in the Store app, allowing users to view their purchase history without needing to open a separate website [1]. This app is not well-documented officially by Microsoft. This app comes pre-installed on certain Windows versions [2] [3] [4]. ### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20231004133326/https://social.technet.microsoft.com/Forums/exchange/en-US/24b1088d-0fc5-4a82-8015-c9c964532603/store-purchase-app?forum=win10itproapps "Store Purchase App | social.technet.microsoft.com" [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed 
apps from returning during an update - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.StorePurchaseApp # Get-AppxPackage Microsoft.StorePurchaseApp publisherId: 8wekyb3d8bbwe - name: Remove "Microsoft People" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231004105428/https://apps.microsoft.com/store/detail/microsoft-people/9NBLGGH10PG8) This app comes pre-installed on certain versions of Windows [1] [2] [3] [4]. ### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.People # Get-AppxPackage Microsoft.People publisherId: 8wekyb3d8bbwe - name: Remove "Microsoft Pay" app docs: |- This script uninstalls the Microsoft Pay app. 
Microsoft Pay, previously known as "Microsoft Wallet" [1] [2] [3], is a cloud-based payment and wallet technology provided by Microsoft [2]. This system enables users to make payments through Microsoft Pay on websites, within Universal Windows Platform (UWP) apps, and through Microsoft Bot Framework bots [4]. The primary function of Microsoft Pay is to facilitate payments using banks and credit cards [3]. The app integrates with the Microsoft Edge browser [5] and stores card data [4]. This app comes pre-installed on certain versions of Windows [1] [6] [7] [8] [9]. ### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ❌ | | Windows 11 | 22H2 | ❌ | | Windows 11 | 23H2 | ❌ | [1]: https://web.archive.org/web/20240217204237/https://learn.microsoft.com/en-us/windows/privacy/manage-windows-1903-endpoints "Connection endpoints for Windows 10 Enterprise, version 1903 - Windows Privacy | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20231004112830/https://blogs.windows.com/windows-insider/2016/06/21/microsoft-wallet-with-tap-to-pay-is-now-available-for-windows-insiders/ "Microsoft Wallet with tap to pay is now available for Windows Insiders | Windows Insider Blog" [3]: https://web.archive.org/web/20180216173337/http://www.microsoft.com/wallet/ "Microsoft Wallet: Digital Wallet for Secure Mobile Payments" [4]: https://web.archive.org/web/20230609124956/https://stripe.com/docs/microsoft-pay "Microsoft Pay | Stripe Documentation" [5]: https://web.archive.org/web/20231004112732/https://support.microsoft.com/en-us/microsoft-edge/features-currently-not-available-in-the-new-microsoft-edge-4307f116-8184-0c59-dcb4-3c55e00f70bf "Features currently not available in the new Microsoft Edge - Microsoft Support" [6]: 
https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [7]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [8]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [9]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.Wallet # Get-AppxPackage Microsoft.Wallet publisherId: 8wekyb3d8bbwe - name: Remove "Mobile Plans" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231004142628/https://apps.microsoft.com/store/detail/mobile-plans/9NBLGGH5PNB1) This app comes pre-installed on certain versions of Windows [1] [2] [3]. 
### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ❌ | | Windows 10 | 21H2 | ❌ | | Windows 10 | 22H2 | ❌ | | Windows 11 | 21H2 | ❌ | | Windows 11 | 22H2 | ❌ | | Windows 11 | 23H2 | ❌ | [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [3]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.OneConnect # Get-AppxPackage Microsoft.OneConnect publisherId: 8wekyb3d8bbwe - name: Remove "Microsoft Solitaire Collection" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20230609084501/https://apps.microsoft.com/store/detail/microsoft-solitaire-collection/9wzdncrfhwd2) This app comes pre-installed on certain versions of Windows [1] [2] [3]. 
### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [3]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.MicrosoftSolitaireCollection # Get-AppxPackage Microsoft.MicrosoftSolitaireCollection publisherId: 8wekyb3d8bbwe - name: Remove "Microsoft Sticky Notes" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20230806145300/https://apps.microsoft.com/store/detail/microsoft-sticky-notes/9NBLGGH4QGHW) This app comes pre-installed on certain versions of Windows [1] [2] [3]. 
### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [3]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.MicrosoftStickyNotes # Get-AppxPackage Microsoft.MicrosoftStickyNotes publisherId: 8wekyb3d8bbwe - category: Remove Xbox apps docs: |- This category contains scripts designed to uninstall specific Windows apps related to Xbox. Uninstalling these apps may enhance system performance and privacy, as fewer apps are running in the background, accessing personal data or utilizing system resources. If you're not using these services or apps, it might be beneficial to disable them for a cleaner and more privacy-focused user experience. children: - name: Remove "Xbox Console Companion" app recommend: standard docs: |- [Microsoft Store Page](https://web.archive.org/web/20231004143830/https://apps.microsoft.com/store/detail/xbox-console-companion/9WZDNCRFJBD8) This app comes pre-installed on certain versions of Windows [1] [2] [3] [4]. It's part of Microsoft Game Development Kit (GDK) [5]. 
### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ❌ | | Windows 11 | 22H2 | ❌ | | Windows 11 | 23H2 | ❌ | [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn" [5]: https://web.archive.org/web/20231004145519/https://learn.microsoft.com/pt-pt/gaming/gdk/_content/gc/networking/overviews/tools/fiddler-pc "Fiddler on Windows PC - Microsoft Game Development Kit | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.XboxApp # Get-AppxPackage Microsoft.XboxApp publisherId: 8wekyb3d8bbwe - name: Remove "Xbox Live in-game experience" app recommend: standard docs: |- This script uninstalls the "Xbox Live in-game experience" app [1]. This application provides TCUI functionality [1]. Title-callable UI (TCUI) is a feature that allows game code to invoke pre-defined user interface displays [2]. This app comes pre-installed on certain versions of Windows [1] [3] [4]. It's part of Microsoft Game Development Kit (GDK) [5]. 
Uninstalling this script can contribute to user privacy by removing unnecessary apps that may have predefined interfaces linked with Xbox Live, minimizing potential data interactions with the system. ### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20231004144304/https://github.com/MicrosoftDocs/xbox-live-docs/blob/docs/xbox-live-docs-pr/features/general/tcui/live-tcui-overview.md "xbox-live-docs/xbox-live-docs-pr/features/general/tcui/live-tcui-overview.md at docs · MicrosoftDocs/xbox-live-docs · GitHub" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn" [5]: https://web.archive.org/web/20231004145519/https://learn.microsoft.com/pt-pt/gaming/gdk/_content/gc/networking/overviews/tools/fiddler-pc "Fiddler on Windows PC - Microsoft Game Development Kit | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.Xbox.TCUI # Get-AppxPackage Microsoft.Xbox.TCUI publisherId: 8wekyb3d8bbwe - name: Remove "Xbox Game Bar" app recommend: standard docs: |- [Microsoft Store 
Page](https://web.archive.org/web/20231004144844/https://apps.microsoft.com/store/detail/xbox-game-bar/9NZKPSTSNW4P) This app comes pre-installed on certain versions of Windows [1] [2]. It's part of Microsoft Game Development Kit (GDK) [3]. ### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [3]: https://web.archive.org/web/20231004145519/https://learn.microsoft.com/pt-pt/gaming/gdk/_content/gc/networking/overviews/tools/fiddler-pc "Fiddler on Windows PC - Microsoft Game Development Kit | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.XboxGamingOverlay # Get-AppxPackage Microsoft.XboxGamingOverlay publisherId: 8wekyb3d8bbwe - name: Remove "Xbox Game Bar Plugin" app recommend: standard docs: |- It's part of Microsoft Game Development Kit (GDK) [1]. This app comes pre-installed on certain versions of Windows [2] [3] [4]. 
### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20231004145519/https://learn.microsoft.com/pt-pt/gaming/gdk/_content/gc/networking/overviews/tools/fiddler-pc "Fiddler on Windows PC - Microsoft Game Development Kit | Microsoft Learn" [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.XboxGameOverlay # Get-AppxPackage Microsoft.XboxGameOverlay publisherId: 8wekyb3d8bbwe - name: Remove "Xbox Identity Provider" app (breaks Xbox sign-in) recommend: strict docs: |- This script uninstalls the "Xbox Identity Provider" app. This app enables your PC games to connect to Xbox Live [1]. Its removal can help prevent personal gaming data from being shared with Microsoft's servers. Running this script will impact: - Xbox sign-in for certain games, making it impossible to log in [2] [3] [4]. - Log-in functionality for Xbox Game Pass, leading to errors and inability to access games [5] [6]. - Log-in to the Xbox app itself [2] [4] [7] [8]. 
Common errors caused by the absence of this app include: - "We tried to sign you in to your Microsoft Account, but something went wrong" [6]. - "You are not signed in to Xbox Live" [6]. - "We couldn't sign you in to Xbox Live. User Interaction is required for Authentication" [6]. - "We can't sign you in right now. Try again later. (`0x406`)" [7] [8]. This app comes pre-installed on certain versions of Windows [9] [10] [11] [12]. See also: [Microsoft Store Page](https://web.archive.org/web/20231004150131/https://apps.microsoft.com/store/detail/xbox-identity-provider/9WZDNCRD1HKW) > **Caution:** Removing this app disrupts Xbox sign-in for games and services that require it, > including Xbox Game Pass. Ensure you understand the impact on your gaming experience before proceeding. ### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20231004150131/https://apps.microsoft.com/store/detail/xbox-identity-provider/9WZDNCRD1HKW "Xbox Identity Provider - Microsoft Store Apps | apps.microsoft.com" [2]: https://github.com/undergroundwires/privacy.sexy/issues/79 "[BUG]: Xbox sign in not working · Issue #79 · undergroundwires/privacy.sexy | github.com" [3]: https://github.com/undergroundwires/privacy.sexy/issues/181 "[BUG]: Standard Privacy Script mess with some online games · Issue #181 · undergroundwires/privacy.sexy | github.com" [4]: https://github.com/undergroundwires/privacy.sexy/issues/64 "[BUG]: can't sign in again · Issue #64 · undergroundwires/privacy.sexy | github.com" [5]: https://web.archive.org/web/20231206171549/https://www.reddit.com/r/theouterworlds/comments/dn73hf/xbox_game_pass_for_pc_problem_you_are_not_signed/?rdt=43601 "Xbox Game Pass for PC Problem: You are not signed in to Xbox Live. 
Cloud Saves are unavailable. : r/theouterworlds | reddit.com" [6]: https://web.archive.org/web/20231206171559/https://bestgamingtips.com/fix-xbox-identity-provider-not-working/ "Xbox Live Identity Provider Not Working | Fix | bestgamingtips.com" [7]: https://web.archive.org/web/20231206171520/https://answers.microsoft.com/en-us/windows/forum/all/xbox-app-error-0x406/09dc12db-97ee-4907-89b8-3a2b7ebe1507?page=13 "Page 13 | Xbox App Error 0x406 - Microsoft Community | answers.microsoft.com" [8]: https://web.archive.org/web/20231206172303/https://windowsreport.com/xbox-sign-in-error-0x406/ "How to fix Xbox sign in error 0x406 | windowsreport.com" [9]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [10]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [11]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [12]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.XboxIdentityProvider # Get-AppxPackage Microsoft.XboxIdentityProvider publisherId: 8wekyb3d8bbwe - name: Remove "Xbox Speech To Text Overlay" app recommend: standard docs: |- This script uninstalls the "Xbox Speech To Text Overlay" app. The app offers a speech-to-text feature for certain Xbox games. 
Specifically, it turns spoken words during a party chat into text which then appears on the game screen [1]. This function is also termed as "game and chat transcription", and is compatible with games that support this feature [2]. The removal of this app can help in reclaiming system resources and enhancing user privacy, as it would reduce the number of tools with potential voice data access. After uninstalling, the speech-to-text functionality in supported Xbox games may no longer be available. This app comes pre-installed on certain versions of Windows [3] [4] [5]. ### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20231004150708/https://news.xbox.com/en-us/2021/06/15/june-2021-xbox-update/ "June Xbox Update: Party Chat Accessibility, Xbox App Official Posts, and More - Xbox Wire" [2]: https://web.archive.org/web/20231004151225/https://support.xbox.com/en-US/help/account-profile/accessibility/use-game-chat-transcription "Use game and chat transcription on Xbox and Windows devices | Xbox Support" [3]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [4]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [5]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn" call: 
function: UninstallStoreApp parameters: packageName: Microsoft.XboxSpeechToTextOverlay # Get-AppxPackage Microsoft.XboxSpeechToTextOverlay publisherId: 8wekyb3d8bbwe - name: Remove "Mail and Calendar" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231004175316/https://apps.microsoft.com/store/detail/mail-and-calendar/9WZDNCRFHVQM) It's previously known as "Outlook Calendar and Mail" app [1]. This app comes pre-installed on certain versions of Windows [1] [2] [3] [4]. ### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: microsoft.windowscommunicationsapps # Get-AppxPackage microsoft.windowscommunicationsapps publisherId: 8wekyb3d8bbwe - name: Remove "Windows Media Player" app docs: |- [Microsoft Store 
Page](https://web.archive.org/web/20231005124745/https://apps.microsoft.com/store/detail/windows-media-player/9WZDNCRFJ3PT) This app was previously known as "Groove Music" [1] [2] [3]. This app comes pre-installed on certain versions of Windows [1] [2] [3] [4]. ### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.ZuneMusic # Get-AppxPackage Microsoft.ZuneMusic publisherId: 8wekyb3d8bbwe - name: Remove "Movies & TV" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231005124924/https://apps.microsoft.com/store/detail/movies-tv/9WZDNCRFJ3P2) It's also known as "Movies and TV" app [1]. This app comes pre-installed on certain versions of Windows [1] [2] [3] [4]. 
### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.ZuneVideo # Get-AppxPackage Microsoft.ZuneVideo publisherId: 8wekyb3d8bbwe - name: Remove "Windows Calculator" app docs: |- [Microsoft Store Page](https://archive.ph/2023.10.06-182013/https://apps.microsoft.com/detail/windows-calculator/9WZDNCRFHVN5?hl=en-us&gl=JP) It's also known as just "Calculator" [1]. This app comes pre-installed on certain versions of Windows [2] [3] [4]. 
### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.WindowsCalculator # Get-AppxPackage Microsoft.WindowsCalculator publisherId: 8wekyb3d8bbwe - name: Remove "Microsoft Photos" app docs: |- [Microsoft Store Page](https://archive.ph/2023.10.06-182550/https://apps.microsoft.com/detail/microsoft-photos/9WZDNCRFJBH4?hl=en-us&gl=CZ) It's also known as just "Photos" apps [1]. This app comes pre-installed on certain versions of Windows [1] [2] [3] [4]. 
### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.Windows.Photos # Get-AppxPackage Microsoft.Windows.Photos publisherId: 8wekyb3d8bbwe - name: Remove "Skype" app docs: |- [Microsoft Store Page](https://archive.ph/2023.10.06-182613/https://apps.microsoft.com/detail/9WZDNCRFJ364?hl=en-us&gl=US) This app comes pre-installed on certain versions of Windows [1] [2] [3] [4]. 
### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ❌ | | Windows 11 | 22H2 | ❌ | | Windows 11 | 23H2 | ❌ | [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.SkypeApp # Get-AppxPackage Microsoft.SkypeApp publisherId: kzf8qxf38zg5c - name: Remove "GroupMe" app docs: |- [Microsoft Store Page](https://archive.ph/2023.10.06-182707/https://apps.microsoft.com/detail/groupme/9NBLGGH5Z4F2?hl=en-us&gl=SE) ### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ❌ | | Windows 10 | 20H2 | ❌ | | Windows 10 | 21H2 | ❌ | | Windows 10 | 22H2 | ❌ | | Windows 11 | 21H2 | ❌ | | Windows 11 | 22H2 | ❌ | | Windows 11 | 23H2 | ❌ | call: function: UninstallStoreApp parameters: packageName: Microsoft.GroupMe10 # Get-AppxPackage Microsoft.GroupMe10 publisherId: kzf8qxf38zg5c - name: Remove "Windows Sound Recorder" app docs: |- [Microsoft Store 
Page](https://archive.ph/2023.10.06-182722/https://apps.microsoft.com/detail/windows-sound-recorder/9WZDNCRFHWKN?hl=en-us&gl=SE) This app is also known as "Voice recorder" [1] or "Windows Voice Recorder" [2] [3]. This app comes pre-installed on certain versions of Windows [1] [2] [3] [4]. ### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: packageName: Microsoft.WindowsSoundRecorder # Get-AppxPackage Microsoft.WindowsSoundRecorder publisherId: 8wekyb3d8bbwe - category: Remove Phone apps docs: |- This category features scripts for managing Windows apps related to smartphones. These scripts are for apps that connect smartphones to Windows, including dialer and other phone-related apps, even those that are outdated or replaced. 
          The scripts let users decide whether these apps stay or go, giving them control over their personal settings.
          These applications may pose privacy concerns due to their data sharing and synchronization capabilities.
          Removing these apps improves privacy by stopping unwanted data sharing with Microsoft and reducing security risks.
          This also improves system performance by reducing the process count.

          > **Caution:** Removal might affect smartphone integration features.
          > Ensure you understand the implications and have alternative solutions if you rely on these features for your daily tasks.
        children:
          # Excluding:
          # - `Microsoft.Windows.Phone`:
          #   Although occasionally mentioned in online scripts, there's no verifiable evidence of this package.
          #   References like "Windows Phone" (an operating system, not an app) and "Windows Phone Connector" (an app exclusively for macOS)
          #   suggest a mix-up with unrelated products.
          -
            name: Remove "Phone Companion" app # Deprecated in newer Windows
            recommend: standard # Deprecated, impact on modern systems would be minimal
            docs: |-
              This script removes the "Phone Companion" app.
              This app is also known as *Microsoft Phone Companion* [1] or, technically, `Microsoft.WindowsPhone` [2].

              It integrated Windows PCs with mobile devices (Android, iPhone, and iPad) [1].
              It enabled synchronization of music, photos, Word documents, and Cortana reminders across devices [1].
              It provided setup instructions and syncing tips [1].
              The app enabled users to check their device's battery and storage status and transfer files [1].
              It supported Windows, Android, and iOS devices [1].

              This app has been absent in Windows versions since October 2018, replaced by the *Phone Link* app [3].

              Removing this app enhances privacy and system performance.

              > **Caution:** Removal may impact device synchronization on older Windows versions reliant on this app's unique features.

              ### Overview of default preinstallation

              | OS | Version | Existence |
              | -- |:-------:|:---------:|
              | Windows 10 | 19H2 | ❌ |
              | Windows 10 | 20H2 | ❌ |
              | Windows 10 | 21H2 | ❌ |
              | Windows 10 | 22H2 | ❌ |
              | Windows 11 | 21H2 | ❌ |
              | Windows 11 | 22H2 | ❌ |
              | Windows 11 | 23H2 | ❌ |

              [1]: https://web.archive.org/web/20161230070534/https://www.microsoft.com/en-us/store/p/microsoft-phone-companion/9wzdncrfj3pm "Microsoft Phone Companion – Windows Apps on Microsoft Store | web.archive.org"
              [2]: https://web.archive.org/web/20240323103312/https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfj3pm/applockerdata "Microsoft.WindowsPhone | bspmts.mp.microsoft.com API | | bspmts.mp.microsoft.com"
              [3]: https://web.archive.org/web/20231006204400/https://support.microsoft.com/en-us/topic/introducing-microsoft-phone-link-and-link-to-windows-2e4bb4c0-f99a-4464-92a8-5264c7c39734 "Introducing Microsoft Phone Link and Link to Windows - Microsoft Support"
            call:
              function: UninstallStoreApp
              parameters:
                packageName: Microsoft.WindowsPhone # Get-AppxPackage Microsoft.WindowsPhone
                publisherId: 8wekyb3d8bbwe
          -
            name: Remove "Microsoft Phone" app # Windows 10 Mobile app, deprecated in newer Windows
            recommend: standard # Deprecated, impact on modern systems would be minimal
            docs: |-
              This script removes the "Microsoft Phone" app.
              This app is known as *Phone (dialer)* [1], *Microsoft Phone* [2], or `Microsoft.CommsPhone` [3].

              This app enabled voice and video calls over cellular networks or Wi-Fi on Windows 10 Mobile [2].
              It offered smart contact search, voicemail management, call recording, and call blocking [2].

              This app comes pre-installed on certain versions of Windows [1] [4].
              Windows 10 Mobile has reached end of support and is an outdated operating system [5].
              Removing outdated and unsupported apps improves privacy and performance.

              > **Caution:** If you are using a device still running on Windows 10 Mobile, uninstalling this app will remove your ability to make or receive phone
              > calls, manage voicemail, or block unwanted calls directly from your device.

              ### Overview of default preinstallation

              | OS | Version | Existence |
              | -- |:-------:|:---------:|
              | Windows 10 | 19H2 | ❌ |
              | Windows 10 | 20H2 | ❌ |
              | Windows 10 | 21H2 | ❌ |
              | Windows 10 | 22H2 | ❌ |
              | Windows 11 | 21H2 | ❌ |
              | Windows 11 | 22H2 | ❌ |
              | Windows 11 | 23H2 | ❌ |

              [1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
              [2]: https://web.archive.org/web/20240324180612/https://www.microsoft.com/en-us/p/microsoft-phone/9wzdncrdtbwp?activetab=pivot:overviewtab "Get Microsoft Phone - Microsoft Store | www.microsoft.com"
              [3]: https://web.archive.org/web/20240324180601/https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrdtbwp/applockerdata "Microsoft.CommsPhone | bspmts.mp.microsoft.com API | | bspmts.mp.microsoft.com"
              [4]: https://web.archive.org/web/20190420022129/https://docs.microsoft.com/en-us/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile "Product IDs in Windows 10 Mobile (Windows 10) | Microsoft Docs | docs.microsoft.com"
              [5]: https://web.archive.org/web/20240325084146/https://support.microsoft.com/en-us/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5 "Windows 10 Mobile End of Support: FAQ - Microsoft Support | support.microsoft.com"
            call:
              function: UninstallStoreApp
              parameters:
                packageName: Microsoft.CommsPhone # Get-AppxPackage Microsoft.CommsPhone
                publisherId: 8wekyb3d8bbwe
          -
            name: Remove "Phone Link" app
            recommend: strict
            docs: |-
              This script removes the "Phone Link" app.
              Known technically as `Microsoft.YourPhone` [1] [2] [3], previously *Your Phone* [2] [3] [4] [5] [6] and *Your Phone Companion* [4].
              The app links your phone and Windows PC.
              It allows you to share and manage content and communications across devices [5] [7] [8].
              The app lets you text, make calls, use mobile apps, get notifications, and transfer files over Wi-Fi [5] [7] [8].

              Launched in October 2018 as *Your Phone* and *Your Phone Companion* [4], it was rebranded to *Microsoft Phone Link* in March 2022 [4] [9].
              Originally developed for Android [8], through collaboration between Microsoft and Samsung [8], it has extended support to iOS devices since April 26, 2023 [10].

              Privacy concerns arise from personal data handling, unencrypted data transfer, and potential misuse:

              - **No End-to-End Encryption:** It is not end-to-end encrypted, raising doubts about data privacy and security during transfers [11].
              - **Microsoft personal data collection:** Personal data, including text messages, clipboard contents, photos, and notifications, are collected by Microsoft [6].
                Microsoft confirms it stores and processes such data [6].
              - **Malicious Usage:** Misuse of the app, such as setting it up on a victim's phone to monitor communications without consent [12] [13], increases data leakage risks.
              - **Lack of Privacy Transparency:** The Microsoft Privacy Statement does not explicitly clarify that personal data is relayed through its servers, leading to possible misconceptions about data handling [6] [14].
                Microsoft's approach to privacy is criticized for lacking transparency [6] [11].
              - **Sensitive Information Exposure:** Data exposed to Microsoft, or obtainable by an attacker, can include sensitive information such as the content of private messages, security codes from authentication apps, caller identities, and more [6] [12].
                This can contain personal, financial, or security-related data [6] [12].
              - **Diagnostic Data Collection:** The app collects diagnostic data, including potentially sensitive information about app usage [6].
              - **Account Takeover:** The app could be used in account takeover attempts by intercepting multi-factor authentication notifications [12].
              - **Larger attack surface on Android:** Android devices face more potential attack vectors than iOS devices due to internet-based connectivity [12].

              This app comes pre-installed on certain versions of Windows [2] [3].

              > **Caution:** Its absence may affect your workflow if you rely on its features for daily tasks.
              > Consider [KDE Connect](https://kdeconnect.kde.org/) for similar, privacy-friendly features.

              ### Overview of default preinstallation

              | OS | Version | Existence |
              | -- |:-------:|:---------:|
              | Windows 10 | 19H2 | ✅ |
              | Windows 10 | 20H2 | ✅ |
              | Windows 10 | 21H2 | ✅ |
              | Windows 10 | 22H2 | ✅ |
              | Windows 11 | 21H2 | ✅ |
              | Windows 11 | 22H2 | ✅ |
              | Windows 11 | 23H2 | ✅ |

              [1]: https://web.archive.org/web/20240324181147/https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9NMPJ99VJBWV/applockerdata "Microsoft.YourPhone | bspmts.mp.microsoft.com API | | bspmts.mp.microsoft.com"
              [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
              [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
              [4]: https://web.archive.org/web/20231006204400/https://support.microsoft.com/en-us/topic/introducing-microsoft-phone-link-and-link-to-windows-2e4bb4c0-f99a-4464-92a8-5264c7c39734 "Introducing Microsoft Phone Link and Link to Windows - Microsoft Support"
              [5]: https://archive.ph/2024.03.24-181742/https://github.com/microsoftdocs/windows-insider/blob/public/wip/apps/your-phone.md "windows-insider/wip/apps/your-phone.md at public · MicrosoftDocs/windows-insider | github.com"
              [6]: https://web.archive.org/web/20240325075627/https://www.ctrl.blog/entry/microsoft-phone-link-privacy.html "Phone Link relays your personal data through Microsoft servers | Ctrl blog | ctrl.blog"
              [7]: https://archive.ph/2023.10.06-204308/https://apps.microsoft.com/detail/phone-link/9NMPJ99VJBWV?hl=en-us&gl=us "Phone Link - Microsoft Apps | apps.microsoft.com"
              [8]: https://web.archive.org/web/20240324183306/https://blogs.windows.com/windowsexperience/2020/08/05/microsoft-and-samsung-expand-partnership-empowering-you-across-work-and-play/ "Microsoft and Samsung expand partnership, empowering you across work and play | Windows Experience Blog | blogs.windows.com"
              [9]: https://web.archive.org/web/20240324183451/https://www.windowscentral.com/your-phone-renamed-phone-link "Microsoft renames Your Phone to Phone Link, partners with Honor for an expanded experience | Windows Central | windowscentral.com"
              [10]: https://web.archive.org/web/20240324184511/https://blogs.windows.com/windowsexperience/2023/04/26/phone-link-for-ios-is-now-rolling-out-to-all-windows-11-customers/ "Phone Link for iOS is now rolling out to all Windows 11 customers | Windows Experience Blog | blogs.windows.com"
              [11]: https://web.archive.org/web/20240325080949/https://www.windowscentral.com/software-apps/windows-11/microsofts-phone-link-is-the-best-new-windows-feature-of-the-past-decade "Microsoft's 'Phone Link' is the best new Windows feature of the past decade | Windows Central | www.windowscentral.com"
              [12]: https://web.archive.org/web/20240325084649/https://irradiate.com.au/blog/securing-microsoft-phone-link "Navigating Security Challenges in Microsoft's Phone Link for Organization - Irradiate Security | irradiate.com.au"
              [13]: https://web.archive.org/web/20240325080335/https://www.foxbusiness.com/technology/windows-11-phone-link-feature-could-exploited-cyberstalkers-spy-iphones-report "Windows 11 Phone Link feature could be exploited by cyberstalkers to spy on iPhones: report | Fox Business | foxbusiness.com"
              [14]: https://web.archive.org/web/20230406235344/https://privacy.microsoft.com/en-us/privacystatement#mainyourphonemodule "Microsoft Privacy Statement – Microsoft privacy | privacy.microsoft.com"
            call:
              function: UninstallStoreApp
              parameters:
                packageName: Microsoft.YourPhone # Get-AppxPackage Microsoft.YourPhone
                publisherId: 8wekyb3d8bbwe
          -
            name: Remove "Call" app
            recommend: strict
            docs: |-
              This script removes the "Call" application, also known as the *Calling Shell App* [1].
              This app enables transferring and managing phone calls from a mobile to a Windows desktop, including playback through PC speakers [2].
              The main executable of this app is `CallingShellApp.exe`, which Microsoft describes as the "Calling App to host call progress on shell" [3].

              The script is safe to use if you don't need your PC to handle phone calls [3].
              Removing this app does not affect the core functionalities of Windows.

              > **Caution:**
              > Removing the "Call" app disables transferring phone calls from a mobile to your PC [2].

              ### Overview of default preinstallation

              This app comes pre-installed on certain versions of Windows [3].
              | OS | Version | Existence |
              | -- | ------- | --------- |
              | Windows 10 | 19H2 | ✅ |
              | Windows 10 | 20H2 | ✅ |
              | Windows 10 | 21H2 | ✅ |
              | Windows 10 | 22H2 | ✅ |
              | Windows 11 | 21H2 | ✅ |
              | Windows 11 | 22H2 | ✅ |
              | Windows 11 | 23H2 | ✅ |

              [1]: https://archive.ph/2024.03.25-093648/https://twitter.com/ALumia_Italia/status/1088739425738244096?lang=en 'Aggiornamenti Lumia on X: "Windows Calling Shell App (aka Call) got a new "Store Logo"" / X | twitter.com'
              [2]: https://web.archive.org/web/20240103144719/https://www.aggiornamentilumia.it/2018/11/05/windows-10-19h1-in-arrivo-una-nuova-applicazione-per-il-mirroring-chiamate-indiscrezione/ "Windows 10 19H1 | In arrivo una nuova applicazione per il mirroring chiamate [Indiscrezione] - Aggiornamenti Lumia | www.aggiornamentilumia.it"
              [3]: https://web.archive.org/web/20240103144732/https://strontic.github.io/xcyclopedia/library/CallingShellApp.exe-C5415F104A4060D90CE1675383308A66.html "CallingShellApp.exe | Calling App to host call progress on shell | STRONTIC | strontic.github.io"
            call:
              function: UninstallNonRemovableStoreApp
              parameters:
                packageName: Microsoft.Windows.CallingShellApp # Get-AppxPackage Microsoft.Windows.CallingShellApp
                publisherId: cw5n1h2txyewy
      -
        name: Remove "Microsoft Remote Desktop" app
        docs: |-
          [Microsoft Store Page](https://archive.ph/2024.03.14-131853/https://apps.microsoft.com/detail/9wzdncrfj3ps?hl=en-us&gl=US)

          It's also known as just "Remote Desktop" [1].
          This app comes pre-installed on certain versions of Windows [1].

          ### Overview of default preinstallation

          | OS | Version | Existence |
          | -- |:-------:|:---------:|
          | Windows 10 | 19H2 | ❌ |
          | Windows 10 | 20H2 | ❌ |
          | Windows 10 | 21H2 | ❌ |
          | Windows 10 | 22H2 | ❌ |
          | Windows 11 | 21H2 | ❌ |
          | Windows 11 | 22H2 | ❌ |
          | Windows 11 | 23H2 | ❌ |

          [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
        call:
          function: UninstallStoreApp
          parameters:
            packageName: Microsoft.RemoteDesktop # Get-AppxPackage Microsoft.RemoteDesktop
            publisherId: 8wekyb3d8bbwe
      -
        name: Remove "Network Speed Test" app
        recommend: standard
        docs: |-
          [Microsoft Store Page](https://archive.ph/2023.10.06-205006/https://apps.microsoft.com/detail/9WZDNCRFHX52?hl=en-us&gl=US)

          This app comes pre-installed on certain versions of Windows [1].

          ### Overview of default preinstallation

          | OS | Version | Existence |
          | -- |:-------:|:---------:|
          | Windows 10 | 19H2 | ❌ |
          | Windows 10 | 20H2 | ❌ |
          | Windows 10 | 21H2 | ❌ |
          | Windows 10 | 22H2 | ❌ |
          | Windows 11 | 21H2 | ❌ |
          | Windows 11 | 22H2 | ❌ |
          | Windows 11 | 23H2 | ❌ |

          [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
        call:
          function: UninstallStoreApp
          parameters:
            packageName: Microsoft.NetworkSpeedTest # Get-AppxPackage Microsoft.NetworkSpeedTest
            publisherId: 8wekyb3d8bbwe
      -
        name: 'Remove "Microsoft To Do: Lists, Tasks & Reminders" app'
        docs: |-
          [Microsoft Store Page](https://archive.ph/2023.10.06-205208/https://apps.microsoft.com/detail/9NBLGGH5R558?hl=en-us&gl=US)

          This app comes pre-installed on certain versions of Windows [1].

          ### Overview of default preinstallation

          | OS | Version | Existence |
          | -- |:-------:|:---------:|
          | Windows 10 | 19H2 | ❌ |
          | Windows 10 | 20H2 | ❌ |
          | Windows 10 | 21H2 | ❌ |
          | Windows 10 | 22H2 | ❌ |
          | Windows 11 | 21H2 | ✅ |
          | Windows 11 | 22H2 | ✅ |
          | Windows 11 | 23H2 | ✅ |

          [1]: https://archive.ph/2021.10.23-200225/https://www.microsoft.com/en-us/d/surface-duo-2/9408kgxp4xjl?activetab=pivot:overviewtab "Surface Duo 2 - Dual-Screen Mobile Productivity - Microsoft Surface | microsoft.com"
        call:
          function: UninstallStoreApp
          parameters:
            packageName: Microsoft.Todos # Get-AppxPackage Microsoft.Todos
            publisherId: 8wekyb3d8bbwe
      -
        category: Remove third-party apps
        docs: |-
          This category provides options to uninstall third-party applications (not developed by Microsoft) that may come preinstalled or be available for installation on specific Windows versions.
        children:
          -
            name: Remove "Shazam" app
            docs: |-
              [Microsoft Store Page](https://archive.ph/2023.10.07-013930/https://apps.microsoft.com/detail/9WZDNCRFJ0QQ?hl=en-us&gl=US)

              The Shazam Windows app was officially declared end-of-life on February 7, 2017, and is discontinued as a Windows app [1].
              ### Overview of default preinstallation

              | OS | Version | Existence |
              | -- |:-------:|:---------:|
              | Windows 10 | 19H2 | ❌ |
              | Windows 10 | 20H2 | ❌ |
              | Windows 10 | 21H2 | ❌ |
              | Windows 10 | 22H2 | ❌ |
              | Windows 11 | 21H2 | ❌ |
              | Windows 11 | 22H2 | ❌ |
              | Windows 11 | 23H2 | ❌ |

              [1]: https://web.archive.org/web/20231007013946/https://www.windowscentral.com/shazam-pulls-plug-windows-apps "Shazam pulls the plug on its Windows apps for PC and Mobile | Windows Central"
            call:
              function: UninstallStoreApp
              parameters:
                packageName: ShazamEntertainmentLtd.Shazam # Get-AppxPackage ShazamEntertainmentLtd.Shazam
                publisherId: pqbynwjfrbcg4
          -
            category: Remove Candy Crush apps
            docs: |-
              This category consists of scripts to uninstall the various Candy Crush applications that may come preinstalled or be available for installation on certain versions of Windows.
            children:
              -
                name: Remove "Candy Crush Saga" app
                docs: |-
                  [Microsoft Store Page](https://web.archive.org/web/20231007015121/https://www.microsoft.com/en-us/p/candy-crush-saga/9nblggh18846)

                  ### Overview of default preinstallation

                  | OS | Version | Existence |
                  | -- |:-------:|:---------:|
                  | Windows 10 | 19H2 | ❌ |
                  | Windows 10 | 20H2 | ❌ |
                  | Windows 10 | 21H2 | ❌ |
                  | Windows 10 | 22H2 | ❌ |
                  | Windows 11 | 21H2 | ❌ |
                  | Windows 11 | 22H2 | ❌ |
                  | Windows 11 | 23H2 | ❌ |
                call:
                  function: UninstallStoreApp
                  parameters:
                    packageName: king.com.CandyCrushSaga # Get-AppxPackage king.com.CandyCrushSaga
                    publisherId: kgqvnymyfvs32
              -
                name: Remove "Candy Crush Soda Saga" app
                docs: |-
                  [Microsoft Store Page](https://web.archive.org/web/20231007015313/https://www.microsoft.com/en-us/p/candy-crush-soda-saga/9nblggh1zrpv)

                  ### Overview of default preinstallation

                  | OS | Version | Existence |
                  | -- |:-------:|:---------:|
                  | Windows 10 | 19H2 | ❌ |
                  | Windows 10 | 20H2 | ❌ |
                  | Windows 10 | 21H2 | ❌ |
                  | Windows 10 | 22H2 | ❌ |
                  | Windows 11 | 21H2 | ❌ |
                  | Windows 11 | 22H2 | ❌ |
                  | Windows 11 | 23H2 | ❌ |
                call:
                  function: UninstallStoreApp
                  parameters:
                    packageName: king.com.CandyCrushSodaSaga # Get-AppxPackage king.com.CandyCrushSodaSaga
                    publisherId: kgqvnymyfvs32
          -
            name: Remove "Flipboard" app
            docs: |-
              [Microsoft Store Page](https://archive.ph/2023.10.07-111934/https://apps.microsoft.com/detail/9WZDNCRFJ32Q?hl=en-us&gl=US)

              ### Overview of default preinstallation

              | OS | Version | Existence |
              | -- |:-------:|:---------:|
              | Windows 10 | 19H2 | ❌ |
              | Windows 10 | 20H2 | ❌ |
              | Windows 10 | 21H2 | ❌ |
              | Windows 10 | 22H2 | ❌ |
              | Windows 11 | 21H2 | ❌ |
              | Windows 11 | 22H2 | ❌ |
              | Windows 11 | 23H2 | ❌ |
            call:
              function: UninstallStoreApp
              parameters:
                packageName: Flipboard.Flipboard # Get-AppxPackage Flipboard.Flipboard
                publisherId: 3f5azkryzdbc4
          -
            name: Remove "Twitter" app
            docs: |-
              [Microsoft Store Page](https://archive.ph/2023.10.07-111953/https://apps.microsoft.com/detail/9WZDNCRFJ140?hl=en-us&gl=US)

              ### Overview of default preinstallation

              | OS | Version | Existence |
              | -- |:-------:|:---------:|
              | Windows 10 | 19H2 | ❌ |
              | Windows 10 | 20H2 | ❌ |
              | Windows 10 | 21H2 | ❌ |
              | Windows 10 | 22H2 | ❌ |
              | Windows 11 | 21H2 | ❌ |
              | Windows 11 | 22H2 | ❌ |
              | Windows 11 | 23H2 | ❌ |
            call:
              function: UninstallStoreApp
              parameters:
                packageName: 9E2F88E3.Twitter # Get-AppxPackage 9E2F88E3.Twitter
                publisherId: wgeqdkkx372wm
          -
            name: 'Remove "iHeart: Radio, Music, Podcasts" app'
            docs: |-
              [Microsoft Store Page](https://archive.ph/2023.10.07-112020/https://apps.microsoft.com/detail/9WZDNCRFJ223?hl=en-us&gl=US)

              ### Overview of default preinstallation

              | OS | Version | Existence |
              | -- |:-------:|:---------:|
              | Windows 10 | 19H2 | ❌ |
              | Windows 10 | 20H2 | ❌ |
              | Windows 10 | 21H2 | ❌ |
              | Windows 10 | 22H2 | ❌ |
              | Windows 11 | 21H2 | ❌ |
              | Windows 11 | 22H2 | ❌ |
              | Windows 11 | 23H2 | ❌ |
            call:
              function: UninstallStoreApp
              parameters:
                packageName: ClearChannelRadioDigital.iHeartRadio # Get-AppxPackage ClearChannelRadioDigital.iHeartRadio
                publisherId: a76a11dkgb644
          -
            name: 'Remove "Duolingo - Language Lessons" app'
            docs: |-
              [Microsoft Store Page](https://archive.ph/2023.10.07-112229/https://apps.microsoft.com/detail/9WZDNCRCV5XN?hl=en-us&gl=US)

              This app comes pre-installed on certain versions of Windows [1].

              ### Overview of default preinstallation

              | OS | Version | Existence |
              | -- |:-------:|:---------:|
              | Windows 10 | 19H2 | ❌ |
              | Windows 10 | 20H2 | ❌ |
              | Windows 10 | 21H2 | ❌ |
              | Windows 10 | 22H2 | ❌ |
              | Windows 11 | 21H2 | ❌ |
              | Windows 11 | 22H2 | ❌ |
              | Windows 11 | 23H2 | ❌ |

              [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
            call:
              function: UninstallStoreApp
              parameters:
                packageName: D5EA27B7.Duolingo-LearnLanguagesforFree # Get-AppxPackage D5EA27B7.Duolingo-LearnLanguagesforFree
                publisherId: yx6k7tf7xvsea
          -
            name: Remove "Adobe Photoshop Express" app
            docs: |-
              [Microsoft Store Page](https://archive.ph/2023.10.07-112247/https://apps.microsoft.com/detail/9WZDNCRFJ27N?hl=en-us&gl=US)

              This app is also known as just "Photoshop Express" [1].
              This app comes pre-installed on certain versions of Windows [1].

              ### Overview of default preinstallation

              | OS | Version | Existence |
              | -- |:-------:|:---------:|
              | Windows 10 | 19H2 | ❌ |
              | Windows 10 | 20H2 | ❌ |
              | Windows 10 | 21H2 | ❌ |
              | Windows 10 | 22H2 | ❌ |
              | Windows 11 | 21H2 | ❌ |
              | Windows 11 | 22H2 | ❌ |
              | Windows 11 | 23H2 | ❌ |

              [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
            call:
              function: UninstallStoreApp
              parameters:
                packageName: AdobeSystemsIncorporated.AdobePhotoshopExpress # Get-AppxPackage AdobeSystemsIncorporated.AdobePhotoshop
                # Official docs are wrong (given as `AdobeSystemIncorporated.AdobePhotoshop`)
                publisherId: ynb6jyjzte8ga
          -
            name: Remove "Pandora" app
            docs: |-
              [Microsoft Store Page](https://archive.ph/2023.10.07-112259/https://apps.microsoft.com/detail/9WZDNCRFJ46V?hl=en-us&gl=US)

              This app comes pre-installed on certain versions of Windows [1].

              ### Overview of default preinstallation

              | OS | Version | Existence |
              | -- |:-------:|:---------:|
              | Windows 10 | 19H2 | ❌ |
              | Windows 10 | 20H2 | ❌ |
              | Windows 10 | 21H2 | ❌ |
              | Windows 10 | 22H2 | ❌ |
              | Windows 11 | 21H2 | ❌ |
              | Windows 11 | 22H2 | ❌ |
              | Windows 11 | 23H2 | ❌ |

              [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
            call:
              function: UninstallStoreApp
              parameters:
                packageName: PandoraMediaInc.29680B314EFC2 # Get-AppxPackage PandoraMediaInc.29680B314EFC2
                publisherId: n619g4d5j0fnw
          -
            name: Remove "Eclipse Manager" app
            docs: |-
              [Microsoft Store Page](https://archive.ph/2023.10.07-112311/https://apps.microsoft.com/detail/9WZDNCRDJMH1?hl=en-us&gl=US)

              This app comes pre-installed on certain versions of Windows [1].

              ### Overview of default preinstallation

              | OS | Version | Existence |
              | -- |:-------:|:---------:|
              | Windows 10 | 19H2 | ❌ |
              | Windows 10 | 20H2 | ❌ |
              | Windows 10 | 21H2 | ❌ |
              | Windows 10 | 22H2 | ❌ |
              | Windows 11 | 21H2 | ❌ |
              | Windows 11 | 22H2 | ❌ |
              | Windows 11 | 23H2 | ❌ |

              [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
            call:
              function: UninstallStoreApp
              parameters:
                packageName: 46928bounde.EclipseManager # Get-AppxPackage 46928bounde.EclipseManager
                publisherId: a5h4egax66k6y
          -
            name: Remove "Code Writer" app
            docs: |-
              [Microsoft Store Page](https://archive.ph/2023.10.07-112330/https://apps.microsoft.com/detail/9WZDNCRFHZDT?hl=en-us&gl=US)

              This app comes pre-installed on certain versions of Windows [1].

              ### Overview of default preinstallation

              | OS | Version | Existence |
              | -- |:-------:|:---------:|
              | Windows 10 | 19H2 | ❌ |
              | Windows 10 | 20H2 | ❌ |
              | Windows 10 | 21H2 | ❌ |
              | Windows 10 | 22H2 | ❌ |
              | Windows 11 | 21H2 | ❌ |
              | Windows 11 | 22H2 | ❌ |
              | Windows 11 | 23H2 | ❌ |

              [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
            call:
              function: UninstallStoreApp
              parameters:
                packageName: ActiproSoftwareLLC.562882FEEB491 # Get-AppxPackage ActiproSoftwareLLC.562882FEEB491
                publisherId: 24pqs290vpjk0
          -
            name: 'Remove "Spotify - Music and Podcasts" app'
            docs: |-
              [Microsoft Store Page](https://archive.ph/2023.10.07-112359/https://apps.microsoft.com/detail/9NCBCSZSJRSB?hl=en-us&gl=US)

              ### Overview of default preinstallation

              | OS | Version | Existence |
              | -- |:-------:|:---------:|
              | Windows 10 | 19H2 | ❌ |
              | Windows 10 | 20H2 | ❌ |
              | Windows 10 | 21H2 | ❌ |
              | Windows 10 | 22H2 | ❌ |
              | Windows 11 | 21H2 | ❌ |
              | Windows 11 | 22H2 | ❌ |
              | Windows 11 | 23H2 | ❌ |
            call:
              function: UninstallStoreApp
              parameters:
                packageName: SpotifyAB.SpotifyMusic # Get-AppxPackage SpotifyAB.SpotifyMusic
                publisherId: zpdnekdrzrea0
      -
        category: Remove system apps
        docs: |-
          This category includes scripts for uninstalling default system apps in Windows.
          System apps are pre-installed [1] [2] applications located in the `C:\Windows*` directory [1] [2].
          These apps are typically found in the `C:\Windows\SystemApps\{PackageFamilyName}` or `C:\Windows\{ShortAppName}` folders.

          To view all system apps:

          1. Open a PowerShell command prompt.
          2. Execute the following command:
             `Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, PublisherId, InstallLocation`

          They are integral components of the Windows operating system [1].
          However, by removing unnecessary system apps, users can enhance their privacy by reducing potential data collection points and streamlining their system.

          [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
          [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
        children:
          -
            name: Remove "File Picker" app
            docs: |-
              This app comes pre-installed on certain versions of Windows [1] [2].
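
              The category description above lists system apps with a single `Get-AppxPackage` filter. The following PowerShell audit is an added example, not one of privacy.sexy's own scripts: it takes a few `packageName`/`publisherId` pairs from entries on this page (a constructed list; extend it with any other entry), derives the package family name `<packageName>_<publisherId>`, and reports per-user installation, image provisioning, signature kind and install location without removing anything. The `NonRemovable` and `PackageUserInformation` properties are standard `Get-AppxPackage` output; run it from an elevated session.

              ```powershell
              # Added audit example; not one of privacy.sexy's own scripts.
              # Reports where the packages named on this page live before anything is removed.
              # Each entry's packageName and publisherId form the package family name <packageName>_<publisherId>.
              # Run elevated: -AllUsers and Get-AppxProvisionedPackage require administrator rights.

              # Constructed from entries on this page; extend with any other entry's packageName/publisherId.
              $targets = @(
                  @{ PackageName = 'Microsoft.YourPhone';                  PublisherId = '8wekyb3d8bbwe' }
                  @{ PackageName = 'Microsoft.Windows.CallingShellApp';    PublisherId = 'cw5n1h2txyewy' }
                  @{ PackageName = 'Microsoft.AAD.BrokerPlugin';           PublisherId = 'cw5n1h2txyewy' }
                  @{ PackageName = '1527c705-839a-4832-9118-54d4Bd6a0c89'; PublisherId = 'cw5n1h2txyewy' }
              )

              # Provisioned packages are staged in the image and are installed again for every new user profile,
              # so a per-user Remove-AppxPackage alone does not keep them from returning on the next account.
              $provisioned = Get-AppxProvisionedPackage -Online

              # SignatureKind 'System' marks the packages the category description lists; they live under
              # C:\Windows, which is why those entries call the NonRemovable uninstall functions.
              $report = foreach ($t in $targets) {
                  $familyName = '{0}_{1}' -f $t.PackageName, $t.PublisherId
                  $pkg = Get-AppxPackage -AllUsers -Name $t.PackageName | Select-Object -First 1
                  [pscustomobject]@{
                      PackageFamilyName = $familyName
                      Installed         = [bool]$pkg
                      # Users for which the package is registered (empty when not installed)
                      Users             = ($pkg.PackageUserInformation | ForEach-Object { $_.UserSecurityId.Username }) -join ', '
                      SignatureKind     = $pkg.SignatureKind
                      NonRemovable      = $pkg.NonRemovable
                      InstallLocation   = $pkg.InstallLocation
                      Provisioned       = [bool]($provisioned | Where-Object { $_.DisplayName -eq $t.PackageName })
                  }
              }

              $report | Format-Table -AutoSize
              ```

              A row with `Provisioned = True` means the package will reappear for new accounts unless the provisioned copy is removed as well, which is the difference between the per-user and the `WithCleanup` uninstall functions used by the entries in this category.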
              ### Overview of default preinstallation

              | OS | Version | Existence |
              | -- |:-------:|:---------:|
              | Windows 10 | 19H2 | ✅ |
              | Windows 10 | 20H2 | ✅ |
              | Windows 10 | 21H2 | ✅ |
              | Windows 10 | 22H2 | ✅ |
              | Windows 11 | 21H2 | ✅ |
              | Windows 11 | 22H2 | ✅ |
              | Windows 11 | 23H2 | ✅ |

              [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
              [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
            call:
              function: UninstallNonRemovableStoreAppWithCleanup
              parameters:
                packageName: 1527c705-839a-4832-9118-54d4Bd6a0c89 # Get-AppxPackage 1527c705-839a-4832-9118-54d4Bd6a0c89
                publisherId: cw5n1h2txyewy
          -
            name: Remove "File Explorer" app
            docs: |
              This app comes pre-installed on certain versions of Windows [1] [2].

              ### Overview of default preinstallation

              | OS | Version | Existence |
              | -- |:-------:|:---------:|
              | Windows 10 | 19H2 | ✅ |
              | Windows 10 | 20H2 | ✅ |
              | Windows 10 | 21H2 | ✅ |
              | Windows 10 | 22H2 | ✅ |
              | Windows 11 | 21H2 | ✅ |
              | Windows 11 | 22H2 | ✅ |
              | Windows 11 | 23H2 | ✅ |

              [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
              [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
            call:
              function: UninstallNonRemovableStoreAppWithCleanup
              parameters:
                packageName: c5e2524a-ea46-4f67-841f-6a9465d9d515 # Get-AppxPackage c5e2524a-ea46-4f67-841f-6a9465d9d515
                publisherId: cw5n1h2txyewy
          -
            name: Remove "App Resolver UX" app
            docs: |-
              This app comes pre-installed on certain versions of Windows [1] [2].

              ### Overview of default preinstallation

              | OS | Version | Existence |
              | -- |:-------:|:---------:|
              | Windows 10 | 19H2 | ✅ |
              | Windows 10 | 20H2 | ✅ |
              | Windows 10 | 21H2 | ✅ |
              | Windows 10 | 22H2 | ✅ |
              | Windows 11 | 21H2 | ✅ |
              | Windows 11 | 22H2 | ✅ |
              | Windows 11 | 23H2 | ✅ |

              [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
              [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
            call:
              function: UninstallNonRemovableStoreAppWithCleanup
              parameters:
                packageName: E2A4F912-2574-4A75-9BB0-0D023378592B # Get-AppxPackage E2A4F912-2574-4A75-9BB0-0D023378592B
                publisherId: cw5n1h2txyewy
          -
            name: Remove "Add Suggested Folders To Library" app
            docs: |-
              This app comes pre-installed on certain versions of Windows [1] [2].

              ### Overview of default preinstallation

              | OS | Version | Existence |
              | -- |:-------:|:---------:|
              | Windows 10 | 19H2 | ✅ |
              | Windows 10 | 20H2 | ✅ |
              | Windows 10 | 21H2 | ✅ |
              | Windows 10 | 22H2 | ✅ |
              | Windows 11 | 21H2 | ✅ |
              | Windows 11 | 22H2 | ✅ |
              | Windows 11 | 23H2 | ✅ |

              [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
              [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
            call:
              function: UninstallNonRemovableStoreAppWithCleanup
              parameters:
                packageName: F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE # Get-AppxPackage F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE
                publisherId: cw5n1h2txyewy
          -
            name: Remove "InputApp" app
            docs: |-
              This app comes pre-installed on certain versions of Windows [1] [2].
              ### Overview of default preinstallation

              | OS | Version | Existence |
              | -- |:-------:|:---------:|
              | Windows 10 | 19H2 | ✅ |
              | Windows 10 | 20H2 | ❌ |
              | Windows 10 | 21H2 | ❌ |
              | Windows 10 | 22H2 | ❌ |
              | Windows 11 | 21H2 | ❌ |
              | Windows 11 | 22H2 | ❌ |
              | Windows 11 | 23H2 | ❌ |

              [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
              [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
            call:
              function: UninstallNonRemovableStoreAppWithCleanup
              parameters:
                packageName: InputApp # Get-AppxPackage InputApp
                publisherId: cw5n1h2txyewy
          -
            name: Remove "Microsoft AAD Broker Plugin" app (breaks Night Light settings, taskbar keyboard selection and Office app authentication)
            # recommend: strict (Unrecommended due to too many side-effects)
            docs: |-
              This script uninstalls the "Microsoft AAD Broker Plugin" app.
              This app is also referred to as the "Work or school account" or "Broker plug-in" [1].

              The primary purpose of this app is to offer login functionality for what used to be Azure Active Directory and is now called Microsoft Entra ID [2].

              Users should be aware of the following side-effects before uninstalling:

              - For certain Windows versions, uninstalling this app disrupts the keyboard selection in the taskbar [3].
                Clicking on the taskbar language selection icon will not show the selection dialog [3].
              - The Night Light feature, which adjusts the colors on your screen to reduce eye strain during the evening and night, will stop functioning after uninstalling [4].
                You can read more about the Night Light feature [here](https://web.archive.org/web/20231003182409/https://support.microsoft.com/en-us/windows/set-your-display-for-night-time-in-windows-18fe903a-e0a1-8326-4c68-fd23d7aaf136).
              - The authentication process for Office apps is affected, preventing users from signing in [5].

              Removing this app enhances user privacy by reducing potential data collection by the app.
              Yet, it's important to weigh the privacy benefits against the loss of the above functionalities.

              This app comes pre-installed on certain versions of Windows [1] [6] [7].

              ### Overview of default preinstallation

              | OS | Version | Existence |
              | -- |:-------:|:---------:|
              | Windows 10 | 19H2 | ✅ |
              | Windows 10 | 20H2 | ✅ |
              | Windows 10 | 21H2 | ✅ |
              | Windows 10 | 22H2 | ✅ |
              | Windows 11 | 21H2 | ✅ |
              | Windows 11 | 22H2 | ✅ |
              | Windows 11 | 23H2 | ✅ |

              [1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
              [2]: https://web.archive.org/web/20231003182133/https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id "Microsoft Entra ID (formerly Azure Active Directory) | Microsoft Security"
              [3]: https://github.com/undergroundwires/privacy.sexy/issues/24 "The selection of keyboards in the taskbar disappears. · Issue #24 · undergroundwires/privacy.sexy"
              [4]: https://github.com/undergroundwires/privacy.sexy/issues/54 "What script disables the night light settings? · Issue #54 · undergroundwires/privacy.sexy"
              [5]: https://web.archive.org/web/20231003182528/https://learn.microsoft.com/en-us/microsoft-365/troubleshoot/authentication/automatic-authentication-fails "Authentication automatically fails in Microsoft 365 services - Microsoft 365 | Microsoft Learn"
              [6]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
              [7]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
            call:
              function: UninstallNonRemovableStoreAppWithCleanup
              parameters:
                packageName: Microsoft.AAD.BrokerPlugin # Get-AppxPackage Microsoft.AAD.BrokerPlugin
                # Official docs point to wrong "Microsoft.AAD.Broker.Plugin"
                publisherId: cw5n1h2txyewy
          -
            name: Remove "Microsoft Accounts Control" app
            docs: |-
              It is also known as "Email and accounts" [1].
              This app comes pre-installed on certain versions of Windows [1] [2] [3].
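
              The "Microsoft AAD Broker Plugin" entry above lists sign-in side-effects that matter most on devices that actually depend on the broker. The following pre-flight check is an added example, not one of privacy.sexy's own scripts: it parses the `YES`/`NO` lines of `dsregcmd /status` (keys such as `AzureAdJoined` and `WorkplaceJoined`), looks for an Office Click-to-Run installation under its registry key, and prints a warning before anything is removed. It only reads state; nothing is uninstalled.

              ```powershell
              # Added pre-flight check; not one of privacy.sexy's own scripts.
              # Reports whether this device relies on Microsoft.AAD.BrokerPlugin for sign-in, so the
              # side-effects listed in the entry above can be weighed before removal.

              function Get-DeviceJoinState {
                  # Collect every "Key : YES/NO" line of dsregcmd /status into a hashtable of booleans
                  $state = @{}
                  foreach ($line in (& dsregcmd.exe /status)) {
                      if ($line -match '^\s*(\S+)\s*:\s*(YES|NO)\s*$') {
                          $state[$Matches[1]] = ($Matches[2] -eq 'YES')
                      }
                  }
                  return $state
              }

              function Get-AadBrokerDependencies {
                  param([hashtable]$JoinState)
                  $reasons = @()
                  if ($JoinState['AzureAdJoined'])   { $reasons += 'the device is Microsoft Entra joined' }
                  if ($JoinState['WorkplaceJoined']) { $reasons += 'a work or school account is registered on the device' }
                  # Office Click-to-Run installs register under this key; Office apps sign in through the broker [5]
                  if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun') {
                      $reasons += 'Microsoft Office (Click-to-Run) is installed'
                  }
                  return $reasons
              }

              $dependencies = @(Get-AadBrokerDependencies -JoinState (Get-DeviceJoinState))
              if ($dependencies.Count -eq 0) {
                  Write-Host 'No Entra ID, work-account or Office dependency detected; the Night Light and taskbar side-effects still apply.'
              } else {
                  Write-Warning ('Removing Microsoft.AAD.BrokerPlugin is likely to break sign-in: ' + ($dependencies -join '; '))
              }
              ```

              A clean result only rules out the identity dependencies; the keyboard-selection and Night Light breakage described in the entry does not depend on join state.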
              ### Overview of default preinstallation

              | OS | Version | Existence |
              | -- |:-------:|:---------:|
              | Windows 10 | 19H2 | ✅ |
              | Windows 10 | 20H2 | ✅ |
              | Windows 10 | 21H2 | ✅ |
              | Windows 10 | 22H2 | ✅ |
              | Windows 11 | 21H2 | ✅ |
              | Windows 11 | 22H2 | ✅ |
              | Windows 11 | 23H2 | ✅ |

              [1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
              [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
              [3]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
            call:
              function: UninstallNonRemovableStoreAppWithCleanup
              parameters:
                packageName: Microsoft.AccountsControl # Get-AppxPackage Microsoft.AccountsControl
                publisherId: cw5n1h2txyewy
          - name: Remove "Microsoft Async Text Service" app
            docs: |-
              This app comes pre-installed on certain versions of Windows [1] [2].
              ### Overview of default preinstallation

              | OS | Version | Existence |
              | -- |:-------:|:---------:|
              | Windows 10 | 19H2 | ✅ |
              | Windows 10 | 20H2 | ✅ |
              | Windows 10 | 21H2 | ✅ |
              | Windows 10 | 22H2 | ✅ |
              | Windows 11 | 21H2 | ✅ |
              | Windows 11 | 22H2 | ✅ |
              | Windows 11 | 23H2 | ✅ |

              [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
              [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
            call:
              function: UninstallNonRemovableStoreAppWithCleanup
              parameters:
                packageName: Microsoft.AsyncTextService # Get-AppxPackage Microsoft.AsyncTextService
                publisherId: 8wekyb3d8bbwe
          - name: Remove "Hello setup UI" app (breaks biometric authentication)
            recommend: strict
            docs: |-
              This app comes pre-installed on certain versions of Windows [1] [2].
              See also: [Discussion about this service on Microsoft forums](https://web.archive.org/web/20231003183050/https://answers.microsoft.com/en-us/insider/forum/insider_wintp-insider_store-insiderplat_pc/what-is-bio-enrollment-app/53808b5a-8694-4128-a5bd-34e3b954434a)

              ### Overview of default preinstallation

              | OS | Version | Existence |
              | -- |:-------:|:---------:|
              | Windows 10 | 19H2 | ✅ |
              | Windows 10 | 20H2 | ✅ |
              | Windows 10 | 21H2 | ✅ |
              | Windows 10 | 22H2 | ✅ |
              | Windows 11 | 21H2 | ✅ |
              | Windows 11 | 22H2 | ✅ |
              | Windows 11 | 23H2 | ✅ |

              [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
              [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
            call:
              function: UninstallNonRemovableStoreAppWithCleanup
              parameters:
                packageName: Microsoft.BioEnrollment # Get-AppxPackage Microsoft.BioEnrollment
                publisherId: cw5n1h2txyewy
          - name: Remove "Credentials Dialog Host" app
            docs: |-
              This app comes pre-installed on certain versions of Windows [1] [2] [3].
              ### Overview of default preinstallation

              | OS | Version | Existence |
              | -- |:-------:|:---------:|
              | Windows 10 | 19H2 | ✅ |
              | Windows 10 | 20H2 | ✅ |
              | Windows 10 | 21H2 | ✅ |
              | Windows 10 | 22H2 | ✅ |
              | Windows 11 | 21H2 | ✅ |
              | Windows 11 | 22H2 | ✅ |
              | Windows 11 | 23H2 | ✅ |

              [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
              [2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
              [3]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
            call:
              function: UninstallNonRemovableStoreAppWithCleanup
              parameters:
                packageName: Microsoft.CredDialogHost # Get-AppxPackage Microsoft.CredDialogHost
                publisherId: cw5n1h2txyewy
          - name: Remove "EC" app
            docs: |-
              This app comes pre-installed on certain versions of Windows [1] [2].
              ### Overview of default preinstallation

              | OS | Version | Existence |
              | -- |:-------:|:---------:|
              | Windows 10 | 19H2 | ✅ |
              | Windows 10 | 20H2 | ✅ |
              | Windows 10 | 21H2 | ✅ |
              | Windows 10 | 22H2 | ✅ |
              | Windows 11 | 21H2 | ✅ |
              | Windows 11 | 22H2 | ✅ |
              | Windows 11 | 23H2 | ✅ |

              [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
              [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
            call:
              function: UninstallNonRemovableStoreAppWithCleanup
              parameters:
                packageName: Microsoft.ECApp # Get-AppxPackage Microsoft.ECApp
                publisherId: 8wekyb3d8bbwe
          - name: Remove "Lock" app (shows lock screen)
            docs: |-
              This app comes pre-installed on certain versions of Windows [1] [2].
              See also: [More information about the `LockApp.exe` process](https://web.archive.org/web/20231003183213/https://www.getwox.com/what-is-lockapp-exe/)

              ### Overview of default preinstallation

              | OS | Version | Existence |
              | -- |:-------:|:---------:|
              | Windows 10 | 19H2 | ✅ |
              | Windows 10 | 20H2 | ✅ |
              | Windows 10 | 21H2 | ✅ |
              | Windows 10 | 22H2 | ✅ |
              | Windows 11 | 21H2 | ✅ |
              | Windows 11 | 22H2 | ✅ |
              | Windows 11 | 23H2 | ✅ |

              [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
              [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
            call:
              function: UninstallNonRemovableStoreAppWithCleanup
              parameters:
                packageName: Microsoft.LockApp # Get-AppxPackage Microsoft.LockApp
                publisherId: cw5n1h2txyewy
          - category: Remove Edge (Legacy)
            docs: |-
              This category includes scripts to remove Microsoft Edge Legacy.
              Microsoft introduced the Legacy version, based on the EdgeHTML engine [1], in 2015 [2].
              However, as of March 9, 2021, they stopped supporting this version, meaning it no longer receives security updates or patches [1] [2].
              Keeping unsupported software on your system can introduce security vulnerabilities.

              Initially, this version was the default browser on Windows 10 PCs [1].
              Due to its tight integration with Windows, a simple uninstall might not eliminate all related files.

              One privacy concern with Microsoft Edge Legacy is how it handles your browsing history.
              When used, the browser integrates your browsing history into your device's activity log, which is sent to Microsoft [3].
              Even if this is disabled, the data remains on your device [3].
              This locally stored data can be analyzed to profile your behavior, potentially compromising your privacy.
              By using this script, you ensure a comprehensive removal of the browser and its related components, thus enhancing your system's privacy and security.

              [1]: https://web.archive.org/web/20231004084011/https://support.microsoft.com/en-us/microsoft-edge/what-is-microsoft-edge-legacy-3e779e55-4c55-08e6-ecc8-2333768c0fb0 "What is Microsoft Edge Legacy? - Microsoft Support"
              [2]: https://web.archive.org/web/20231120102054/https://learn.microsoft.com/en-us/lifecycle/products/microsoft-edge-legacy "Microsoft Edge Legacy - Microsoft Lifecycle | Microsoft Learn | learn.microsoft.com"
              [3]: https://web.archive.org/web/20231008125552/https://support.microsoft.com/en-us/windows/-windows-activity-history-and-your-privacy-2b279964-44ec-8c2f-e0c2-6779b07d2cbd "Windows activity history and your privacy - Microsoft Support"
            children:
              - name: Remove "Microsoft Edge" app
                recommend: strict
                docs: |- # refactor-with-variables: Same • Edge (Legacy) only
                  This script uninstalls the "Microsoft Edge" Windows app.
                  This app comes pre-installed on certain versions of Windows [1] [2] [3].

                  As of March 9, 2021, this app stopped receiving any updates or security patches [4].
                  Such unsupported software can become a security risk.
                  Furthermore, using this version means your browsing data gets integrated into your device's activity history [5].
                  Microsoft can access this data [5], and it remains stored locally, leaving traces of your behavior [5].

                  Removing this software not only minimizes potential security threats but also improves your privacy by preventing data accumulation.

                  This script only applies to Edge (Legacy) and does not impact newer versions of Edge.
                  ### Overview of default preinstallation

                  | OS | Version | Existence |
                  | -- |:-------:|:---------:|
                  | Windows 10 | 19H2 | ✅ |
                  | Windows 10 | 20H2 | ✅ |
                  | Windows 10 | 21H2 | ✅ |
                  | Windows 10 | 22H2 | ✅ |
                  | Windows 11 | 21H2 | ✅ |
                  | Windows 11 | 22H2 | ✅ |
                  | Windows 11 | 23H2 | ❌ |

                  [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
                  [2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
                  [3]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
                  [4]: https://web.archive.org/web/20231004085037/https://learn.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge "Lifecycle FAQ - Internet Explorer and Microsoft Edge | Microsoft Learn"
                  [5]: https://web.archive.org/web/20231008125552/https://support.microsoft.com/en-us/windows/-windows-activity-history-and-your-privacy-2b279964-44ec-8c2f-e0c2-6779b07d2cbd "Windows activity history and your privacy - Microsoft Support"
                call:
                  function: UninstallNonRemovableStoreAppWithCleanup
                  parameters:
                    packageName: Microsoft.MicrosoftEdge # Get-AppxPackage Microsoft.MicrosoftEdge
                    publisherId: 8wekyb3d8bbwe
              - name: Remove "Microsoft Edge Dev Tools Client" app
                recommend: strict
                docs: |-
                  This script removes the Developer Tools (DevTools) app that was paired with Microsoft Edge Legacy.
                  These tools, now outdated, haven't received updates for a while [1] [2].
                  If the main Edge application is uninstalled, these tools lose their relevance and should be removed as well.

                  This app comes pre-installed on certain versions of Windows [3] [4].
                  Getting rid of such outdated software components helps to protect your security.
                  They could have vulnerabilities waiting to be exploited.
                  By uninstalling them, you're taking a step towards a more secure system.

                  [More about Edge DevTools](https://web.archive.org/web/20200508053014/https://docs.microsoft.com/en-us/microsoft-edge/devtools-guide)

                  ### Overview of default preinstallation

                  | OS | Version | Existence |
                  | -- |:-------:|:---------:|
                  | Windows 10 | 19H2 | ✅ |
                  | Windows 10 | 20H2 | ✅ |
                  | Windows 10 | 21H2 | ✅ |
                  | Windows 10 | 22H2 | ✅ |
                  | Windows 11 | 21H2 | ✅ |
                  | Windows 11 | 22H2 | ✅ |
                  | Windows 11 | 23H2 | ✅ |

                  [1]: https://web.archive.org/web/20231004085037/https://learn.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge "Lifecycle FAQ - Internet Explorer and Microsoft Edge | Microsoft Learn"
                  [2]: https://web.archive.org/web/20231004084959/https://learn.microsoft.com/en-us/archive/microsoft-edge/legacy/developer/ "Legacy Microsoft Edge developer documentation - Legacy Microsoft Edge developer docs | Microsoft Learn"
                  [3]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
                  [4]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
                call:
                  function: UninstallNonRemovableStoreAppWithCleanup
                  parameters:
                    packageName: Microsoft.MicrosoftEdgeDevToolsClient # Get-AppxPackage Microsoft.MicrosoftEdgeDevToolsClient
                    publisherId: 8wekyb3d8bbwe
              - name: Remove Edge (legacy) file and URL associations
                recommend: strict
                docs: |- # refactor-with-variables: Same • Edge (Legacy) only
                  This script unlinks file and URL associations from the legacy Microsoft Edge, ensuring that it is not mistakenly recognized as the default browser on your system.

                  When you remove Microsoft Edge without disconnecting its associations as the default browser, certain Windows functionalities may malfunction, as reported by users [1].
                  The standard uninstallation method for Microsoft Edge does not unlink these associations, leading to possible issues.

                  For newer versions of Windows (specifically, Windows 10 21H2 and Windows 11 21H2 and beyond), the Chromium-based Edge is associated with the majority of default options (with ProgIDs `MSEdgePDF` and `MSEdgeHTM` [2]); however, associations for legacy Edge still remain.
                  The legacy Microsoft Edge is associated with several ProgIDs, such as `AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9` and `AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723`, all prefixed with `AppX` [3].

                  To check the specific file and URL associations handled by Edge, you can look under the following registry keys, although not all of these keys are registered by the operating system:

                  - `HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages\Microsoft.MicrosoftEdge_{Version}\MicrosoftEdge\Capabilities\URLAssociations`
                  - `HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages\Microsoft.MicrosoftEdge_{Version}\MicrosoftEdge\Capabilities\FileAssociations`

                  Within these keys:

                  - URL associations include `http`, `https`, `microsoft-edge`, and others.
                  - File associations include `.htm`, `.html`, `.pdf`, and `.svg`.

                  Running this script helps enhance your system's privacy and ensures that no unintended associations remain that could potentially cause vulnerabilities or other issues.

                  This script only applies to Edge (Legacy) and does not impact newer versions of Edge.
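The registry check described above, as an added read-only PowerShell example that is not part of the privacy.sexy collection or its `RemoveBrowserAssociations` function: it walks the `Capabilities` keys of the legacy Edge package and then reports which per-user defaults still resolve to an `AppX*` ProgID. The `FileExts` and `UrlAssociations` `UserChoice` locations are assumed to be the standard per-user default keys; they are not taken from the collection entry.

```powershell
# Added example (not from privacy.sexy): audit legacy Edge associations.
# Read-only: nothing is modified, so it can be run before and after the
# "Remove Edge (legacy) file and URL associations" script to compare.
$repo = 'HKCU:\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages'

# 1. ProgIDs that the legacy Edge package registers for URLs and file types.
$edgePackages = Get-ChildItem -Path $repo -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'Microsoft.MicrosoftEdge_*' }
if (-not $edgePackages) {
    Write-Output 'No Microsoft.MicrosoftEdge package is registered for this user.'
}
$edgeProgIds = @()
foreach ($pkg in $edgePackages) {
    Write-Output "Package: $($pkg.PSChildName)"
    foreach ($kind in 'URLAssociations', 'FileAssociations') {
        # Not every Capabilities key is registered by the OS, so skip missing ones.
        $capPath = Join-Path $pkg.PSPath "MicrosoftEdge\Capabilities\$kind"
        $cap = Get-Item -Path $capPath -ErrorAction SilentlyContinue
        if (-not $cap) { continue }
        # Each value is named after the scheme (http) or extension (.htm);
        # its data is the ProgID that handles it.
        foreach ($name in $cap.Property) {
            $progId = $cap.GetValue($name)
            $edgeProgIds += $progId
            Write-Output ("  {0,-16} {1,-16} -> {2}" -f $kind, $name, $progId)
        }
    }
}

# 2. Per-user defaults (assumed standard locations) that still point at an
#    AppX* ProgID. After the association cleanup script this list should be empty.
$roots = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts',     # .htm, .html, .pdf, ...
    'HKCU:\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations'   # http, https, ...
)
foreach ($root in $roots) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $choicePath = Join-Path $_.PSPath 'UserChoice'
        $choice = Get-ItemProperty -Path $choicePath -Name ProgId -ErrorAction SilentlyContinue
        if ($choice -and $choice.ProgId -like 'AppX*') {
            $owner = if ($edgeProgIds -contains $choice.ProgId) { 'legacy Edge' } else { 'another AppX package' }
            Write-Output ("Default for {0,-8} is {1} ({2})" -f $_.PSChildName, $choice.ProgId, $owner)
        }
    }
}
```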
                  [1]: https://github.com/undergroundwires/privacy.sexy/issues/64 "[BUG]: can't sign in again · Issue #64 · undergroundwires/privacy.sexy"
                  [2]: https://web.archive.org/web/20231001221635/https://learn.microsoft.com/en-us/deployedge/edge-default-browser "Set Microsoft Edge as the default browser on Windows and macOS | Microsoft Learn"
                  [3]: https://web.archive.org/web/20231001223221/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-applicationdefaults#defaultassociationsconfiguration
                call:
                  function: RemoveBrowserAssociations
                  parameters:
                    progIdPattern: AppX*
                    # List:
                    #   $keywords = @('AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9', 'AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723', 'AppXq0fevzme2pys62n3e0fbqa7peapykr8v', 'AppX90nv6nhay5n6a98fnetv7tpk64pp35es')
                    #   Get-Item -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts' | ForEach-Object { $_.Property } | Where-Object { $key = $_; $keywords | Where-Object { $key -match $_ } }
                    toastAssociations: >-
                      AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9_.htm
                      AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9_.html
                      AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723_.pdf
                      AppXq0fevzme2pys62n3e0fbqa7peapykr8v_http
                      AppX90nv6nhay5n6a98fnetv7tpk64pp35es_https
          - name: Remove "Win32 Web View Host" / "Desktop App Web Viewer" app
            recommend: strict
            docs: |-
              This app comes pre-installed on certain versions of Windows [1] [2].
              ### Overview of default preinstallation

              | OS | Version | Existence |
              | -- |:-------:|:---------:|
              | Windows 10 | 19H2 | ✅ |
              | Windows 10 | 20H2 | ✅ |
              | Windows 10 | 21H2 | ✅ |
              | Windows 10 | 22H2 | ✅ |
              | Windows 11 | 21H2 | ✅ |
              | Windows 11 | 22H2 | ✅ |
              | Windows 11 | 23H2 | ✅ |

              [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
              [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
            call:
              function: UninstallNonRemovableStoreAppWithCleanup
              parameters:
                packageName: Microsoft.Win32WebViewHost # Get-AppxPackage Microsoft.Win32WebViewHost
                publisherId: cw5n1h2txyewy
          - name: Remove "Microsoft PPI Projection" app
            docs: |-
              [More about Perceptive Pixel](https://en.wikipedia.org/wiki/Perceptive_Pixel)

              This app comes pre-installed on certain versions of Windows [1] [2].
              ### Overview of default preinstallation

              | OS | Version | Existence |
              | -- |:-------:|:---------:|
              | Windows 10 | 19H2 | ✅ |
              | Windows 10 | 20H2 | ❌ |
              | Windows 10 | 21H2 | ❌ |
              | Windows 10 | 22H2 | ❌ |
              | Windows 11 | 21H2 | ❌ |
              | Windows 11 | 22H2 | ❌ |
              | Windows 11 | 23H2 | ❌ |

              [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
              [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
            recommend: strict
            call:
              function: UninstallNonRemovableStoreAppWithCleanup
              parameters:
                packageName: Microsoft.PPIProjection # Get-AppxPackage Microsoft.PPIProjection
                publisherId: cw5n1h2txyewy
          - name: Remove "ChxApp" app
            docs: |-
              This app comes pre-installed on certain versions of Windows [1] [2].
              ### Overview of default preinstallation

              | OS | Version | Existence |
              | -- |:-------:|:---------:|
              | Windows 10 | 19H2 | ✅ |
              | Windows 10 | 20H2 | ✅ |
              | Windows 10 | 21H2 | ✅ |
              | Windows 10 | 22H2 | ✅ |
              | Windows 11 | 21H2 | ✅ |
              | Windows 11 | 22H2 | ✅ |
              | Windows 11 | 23H2 | ✅ |

              [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
              [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
            call:
              function: UninstallNonRemovableStoreAppWithCleanup
              parameters:
                packageName: Microsoft.Windows.Apprep.ChxApp # Get-AppxPackage Microsoft.Windows.Apprep.ChxApp
                publisherId: cw5n1h2txyewy
          - name: Remove "Assigned Access Lock App" app
            docs: |-
              This app comes pre-installed on certain versions of Windows [1] [2].
              ### Overview of default preinstallation

              | OS | Version | Existence |
              | -- |:-------:|:---------:|
              | Windows 10 | 19H2 | ✅ |
              | Windows 10 | 20H2 | ✅ |
              | Windows 10 | 21H2 | ✅ |
              | Windows 10 | 22H2 | ✅ |
              | Windows 11 | 21H2 | ✅ |
              | Windows 11 | 22H2 | ✅ |
              | Windows 11 | 23H2 | ✅ |

              [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
              [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
            call:
              function: UninstallNonRemovableStoreAppWithCleanup
              parameters:
                packageName: Microsoft.Windows.AssignedAccessLockApp # Get-AppxPackage Microsoft.Windows.AssignedAccessLockApp
                publisherId: cw5n1h2txyewy
          - name: Remove "Capture Picker" app
            docs: |-
              This app comes pre-installed on certain versions of Windows [1] [2].
              ### Overview of default preinstallation

              | OS | Version | Existence |
              | -- |:-------:|:---------:|
              | Windows 10 | 19H2 | ✅ |
              | Windows 10 | 20H2 | ✅ |
              | Windows 10 | 21H2 | ✅ |
              | Windows 10 | 22H2 | ✅ |
              | Windows 11 | 21H2 | ✅ |
              | Windows 11 | 22H2 | ✅ |
              | Windows 11 | 23H2 | ✅ |

              [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
              [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
            call:
              function: UninstallNonRemovableStoreAppWithCleanup
              parameters:
                packageName: Microsoft.Windows.CapturePicker # Get-AppxPackage Microsoft.Windows.CapturePicker
                publisherId: cw5n1h2txyewy
          - name: Remove "Cloud Experience Host" app (breaks Windows Hello password/PIN sign-in options, and Microsoft cloud/corporate sign in)
            # recommend: strict (Unrecommended due to too many side-effects)
            docs: |-
              This script uninstalls the Microsoft Cloud Experience Host service.
              This service is required for connecting to corporate domains or Microsoft cloud-based services.
              It is also referred to as the "Microsoft account" app [1].

              This app comes pre-installed on certain versions of Windows [1] [2] [3].

              The Microsoft Cloud Experience Host has several functionalities:

              - It is responsible for connecting Microsoft accounts [4] [5].
              - It enables corporate login.
                The Cloud Experience Host application comes into action when joining workplace environments or Azure Active Directory (Azure AD) [6].
                It renders the experience for collecting company-provided credentials [6].
                After enrolling your device with your workplace environment or Azure AD, your organization can manage your PC and collect specific data about you, including your location [6].
                The organization may add or remove apps, modify settings, disable certain features, prevent account removal, or even reset your PC [6].
              - It manages PIN, biometric, and device authentication [7].
                This is needed for Windows Hello, which supports authentication through a device, biometric data, or a PIN code [7].
                This functionality also assists in joining a machine to Azure AD or an on-premises AD domain [7].
              - Lastly, it aids in Out-of-box experience (OOBE) troubleshooting [8].
                The OOBE comprises a series of screens such as the license agreement, internet connection, and login [9].
                The service helps detect errors occurring during the OOBE flow [8].

              While the service offers these essential functionalities, it also introduces notable privacy considerations.
              However, uninstalling it causes the following problems:

              - The ability to sign in to Windows using a Microsoft account is hampered, affecting cloud-based sign-in [10] [11].
              - The password and PIN sign-in options located in "Settings > Sign-in Options" become inaccessible [12].
              ### Overview of default preinstallation

              | OS | Version | Existence |
              | -- |:-------:|:---------:|
              | Windows 10 | 19H2 | ✅ |
              | Windows 10 | 20H2 | ✅ |
              | Windows 10 | 21H2 | ✅ |
              | Windows 10 | 22H2 | ✅ |
              | Windows 11 | 21H2 | ✅ |
              | Windows 11 | 22H2 | ✅ |
              | Windows 11 | 23H2 | ✅ |

              [1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft"
              [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
              [3]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
              [4]: https://web.archive.org/web/20231007145740/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
              [5]: https://web.archive.org/web/20231007145741/https://answers.microsoft.com/en-us/windows/forum/all/cant-login-to-microsoft-account-because-of-cloud/0861c72d-3621-45bc-bae0-67d13121f526 "cant login to microsoft account because of cloud experience host - Microsoft Community | answers.microsoft.com"
              [6]: https://web.archive.org/web/20231007145756/https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology#cloud-experience-hos "How Windows Hello for Business works - technology and terms - Windows Security | Microsoft Learn"
              [7]: https://web.archive.org/web/20231007150204/https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning "How Windows Hello for Business works - Provisioning - Windows Security | Microsoft Learn"
              [8]: https://web.archive.org/web/20231007150256/https://learn.microsoft.com/en-us/windows/privacy/required-windows-11-diagnostic-events-and-fields#cloud-experience-host-events "Required diagnostic events and fields for Windows 11, version 21H2 - Windows Privacy | Microsoft Learn"
              [9]: https://web.archive.org/web/20231007150258/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/customize-oobe "Customize OOBE | Microsoft Learn"
              [10]: https://github.com/undergroundwires/privacy.sexy/issues/99 "Microsoft login procedure is not functional · Issue #99 · undergroundwires/privacy.sexy | github.com"
              [11]: https://github.com/undergroundwires/privacy.sexy/issues/64 "[BUG]: can't sign in again · Issue #64 · undergroundwires/privacy.sexy | github.com"
              [12]: https://github.com/undergroundwires/privacy.sexy/issues/67 "[BUG]: Unable to change PIN and Password · Issue #67 · undergroundwires/privacy.sexy | github.com"
            call:
              function: UninstallNonRemovableStoreAppWithCleanup
              parameters:
                packageName: Microsoft.Windows.CloudExperienceHost # Get-AppxPackage Microsoft.Windows.CloudExperienceHost
                publisherId: cw5n1h2txyewy
          - name: Remove "Content Delivery Manager" app
            recommend: strict
            docs: |-
              This script uninstalls the "Content Delivery Manager" app.
              This app provides Windows Spotlight functionality [1], which automatically sets random wallpapers on the lock screen in Windows [2] [3].

              The main purpose of this app is to update the Windows experience [1].
              To achieve this, the app collects data about interactions with the Windows Spotlight content, such as which content is viewed, clicked on, or given feedback [1].
              It records the content's ID, user actions, and other associated attributes [1].
              Additionally, the app aggregates data about the state of content offers on a device, including the health of user accounts, the health status of the content delivery, and more specific metrics [1].
              The app also keeps track of where the content is displayed, like on the lock screen or Start menu, and when [1] [3].
              This detailed tracking ensures that Windows stays up-to-date [1].
              However, for users who prioritize privacy, understanding the data this app collects can be vital.

              The app comes pre-installed on certain versions of Windows [4] [5].

              ### Overview of default preinstallation

              | OS | Version | Existence |
              | -- |:-------:|:---------:|
              | Windows 10 | 19H2 | ✅ |
              | Windows 10 | 20H2 | ✅ |
              | Windows 10 | 21H2 | ✅ |
              | Windows 10 | 22H2 | ✅ |
              | Windows 11 | 21H2 | ✅ |
              | Windows 11 | 22H2 | ✅ |
              | Windows 11 | 23H2 | ✅ |

              [1]: https://web.archive.org/web/20231007152921/https://learn.microsoft.com/en-us/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703#content-delivery-manager-events "Windows 10, version 1703 basic diagnostic events and fields (Windows 10) - Windows Privacy | Microsoft Learn"
              [2]: https://web.archive.org/web/20230911110727/https://support.microsoft.com/en-us/windows/personalize-your-lock-screen-81dab9b0-35cf-887c-84a0-6de8ef72bea0 "Personalize your lock screen - Microsoft Support"
              [3]: https://web.archive.org/web/20230911110748/https://learn.microsoft.com/en-us/windows/configuration/windows-spotlight "Configure Windows Spotlight on the lock screen - Configure Windows | Microsoft Learn"
              [4]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
              [5]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
            call:
              function: UninstallNonRemovableStoreAppWithCleanup
              parameters:
                packageName: Microsoft.Windows.ContentDeliveryManager # Get-AppxPackage Microsoft.Windows.ContentDeliveryManager
                publisherId: cw5n1h2txyewy
          - name: Remove "Search" app (breaks Windows search)
            docs: |-
              This script removes two specific apps from Windows:

              - `Microsoft.Windows.Cortana`: Commonly known as Cortana [1] [2] [3].
                This app comes pre-installed on certain versions of Windows [1] [2] [3].
              - `Microsoft.Windows.Search`: Introduced in Windows 10 2004, this app took over the role of `Microsoft.Windows.Cortana` to provide search functionality [4].
                The executable for this app is `SearchApp.exe`, located at `C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe` [5] [6].
                This app powers the Windows search bar [5].
                Some community reports have indicated that this app may collect data to display advertisements [7] [8].

              Removing these apps contributes to user privacy by eliminating potential data collection points.
              However, please note that running this script will break the built-in Windows search functionality.
              Weigh the trade-off between improved privacy and the loss of search functionality before proceeding.
              ### Overview of default preinstallation

              `Microsoft.Windows.Cortana`:

              | OS | Version | Existence |
              | -- |:-------:|:---------:|
              | Windows 10 | 19H2 | ✅ |
              | Windows 10 | 20H2 | ❌ |
              | Windows 10 | 21H2 | ❌ |
              | Windows 10 | 22H2 | ❌ |
              | Windows 11 | 21H2 | ❌ |
              | Windows 11 | 22H2 | ❌ |
              | Windows 11 | 23H2 | ❌ |

              `Microsoft.Windows.Search`:

              | OS | Version | Existence |
              | -- |:-------:|:---------:|
              | Windows 10 | 19H2 | ❌ |
              | Windows 10 | 20H2 | ✅ |
              | Windows 10 | 21H2 | ✅ |
              | Windows 10 | 22H2 | ✅ |
              | Windows 11 | 21H2 | ✅ |
              | Windows 11 | 22H2 | ❌ |
              | Windows 11 | 23H2 | ❌ |

              [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
              [2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
              [3]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
              [4]: https://web.archive.org/web/20231007222810/https://answers.microsoft.com/en-us/windows/forum/all/applocker-blocking-windows-search-functionality/5509bfcc-061c-49e0-803d-6dbb1bc6a839 "Applocker Blocking windows search functionality Win 10 - 2004 - Microsoft Community"
              [5]: https://web.archive.org/web/20231007222923/https://learn.microsoft.com/en-us/answers/questions/461791/kb5003637-problem-with-windows-search-bar "KB5003637 Problem With Windows Search Bar - Microsoft Q&A"
              [6]: https://web.archive.org/web/20231007222844/https://learn.microsoft.com/en-us/answers/questions/842652/unable-to-start-a-dcom-server-microsoftwindows-cli?cid=kerryherger&page=2 "Unable to start a DCOM Server - MicrosoftWindows.Client.CBS_120.2212.4170.0_x64__cw5n1h2txyewy!InputApp as Unavailable/Unavailable. Error 2147942402 (TextInputHost.exe) - Microsoft Q&A"
              [7]: https://web.archive.org/web/20231007222907/https://learn.microsoft.com/en-us/answers/questions/175856/windows-10-20h2-searchapp-exe-network-connection "Windows 10 20H2 searchapp.exe - network connection - Microsoft Q&A"
              [8]: https://web.archive.org/web/20231007222922/https://learn.microsoft.com/en-us/answers/questions/893937/searchapp-exe-connecting-to-ms-for-no-reason "Searchapp.exe connecting to MS for no reason. - Microsoft Q&A"
            call:
              - function: UninstallNonRemovableStoreAppWithCleanup
                parameters:
                  packageName: Microsoft.Windows.Cortana # Get-AppxPackage Microsoft.Windows.Cortana
                  publisherId: cw5n1h2txyewy
              - function: UninstallStoreApp
                parameters:
                  packageName: Microsoft.Windows.Search # Get-AppxPackage Microsoft.Windows.Search
                  publisherId: cw5n1h2txyewy
          - name: Remove "Holographic First Run" app
            recommend: standard
            docs: |-
              The "Windows Holographic First Run" app is a diagnostic tool on Windows, designed for potential users of Microsoft's HoloLens, an augmented reality headset [1].
              When run, the app scans your computer's hardware to determine its compatibility with the HoloLens [1].
              It assesses which components meet or exceed the required specifications, which might offer a subpar experience, and which fail to meet the necessary standards [1].
              The app accesses hardware data to ensure that users have a system capable of supporting the HoloLens [1].

              This app is pre-installed in specific Windows versions [2].
### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ❌ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ❌ | | Windows 11 | 23H2 | ❌ | [1]: https://web.archive.org/web/20231003184605/https://www.addictivetips.com/windows-tips/check-pc-windows-holographic-app-requirements/ "Check If Your PC Meets The Windows Holographic App Requirements | addictivetips.com" [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: packageName: Microsoft.Windows.Holographic.FirstRun # Get-AppxPackage Microsoft.Windows.Holographic.FirstRun publisherId: cw5n1h2txyewy - category: Remove Out-of-Box Experience (OOBE) apps docs: |- This category focuses on uninstalling specific Out-of-Box Experience (OOBE) apps from Windows devices. OOBE apps are components of the Windows setup process designed to guide users through initial device setup, establishing settings and preferences, and connecting to networks [1]. [1]: https://web.archive.org/web/20231007230029/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/oobe-screen-details "Windows 10 OOBE screen details | Microsoft Learn" children: - name: Remove "OOBE Network Captive Portal" app docs: |- This script uninstall the OOBE Network Captive Portal app. The app is part of the Out-of-Box Experience (OOBE) process in Windows [1]. When users set up their Windows system for the first time, they encounter the "Let's connect you to a network" screen [1]. This screen precedes the End User License Agreement (EULA) screen and presents available connection options, including Wi-Fi and Cellular data networks in the vicinity [1]. 
Some pages during the OOBE are delivered through a cloud service [1]. The app runs the `OOBENetworkCaptivePortal.exe` file, which is responsible for the Captive Portal Flow during OOBE [2]. This app is pre-installed in specific Windows versions [3] [4]. ### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20231007230029/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/oobe-screen-details#connect-users-to-the-network "Windows 10 OOBE screen details | Microsoft Learn" [2]: https://web.archive.org/web/20231007230004/https://strontic.github.io/xcyclopedia/library/OOBENetworkCaptivePortal.exe-0DF57DA84716210304E79A34BF5F4B39.html "OOBENetworkCaptivePortal.exe | OOBE Captive Portal Flow | STRONTIC" [3]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [4]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: packageName: Microsoft.Windows.OOBENetworkCaptivePortal # Get-AppxPackage Microsoft.Windows.OOBENetworkCaptivePortal # Official docs point to wrong "Microsoft.Windows.OOBENetworkCaptivePort" publisherId: cw5n1h2txyewy - name: Remove "OOBE Network Connection Flow" app docs: |- This script uninstalls the "OOBE Network Connection Flow" app from Windows devices. The OOBE (Out-of-Box Experience) Network Connection Flow app assists users during their initial setup of a Windows device [1]. 
When setting up, users encounter the "Let's connect you to a network" screen, which lists available Wi-Fi and Cellular network options [1]. Devices with LTE capabilities and an active SIM card will automatically connect to the Cellular network, but if a Wi-Fi network is accessible, it will be preferred [1]. To ensure users don't consume excessive data during setup, Windows limits the download to essential updates when on metered networks [1]. After establishing a network connection, the device starts downloading necessary driver and Windows Zero-Day Patch (ZDP) updates, which are necessary for device performance and security [1]. Users cannot opt-out of these updates [1]. If a newer Windows version is available and the device qualifies, users will get an option to download this update at the OOBE's conclusion [1]. The primary process for this app is `OOBENetworkConnectionFlow.exe` [2]. This app comes pre-installed on certain versions of Windows [3] [4]. ### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20231007230029/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/oobe-screen-details "Windows 10 OOBE screen details | Microsoft Learn" [2]: https://web.archive.org/web/20231007233651/https://strontic.github.io/xcyclopedia/library/OOBENetworkConnectionFlow.exe-823E4DEF469E572C9C3DC2DC332441E1.html "OOBENetworkConnectionFlow.exe | OOBE Network Connection Flow | STRONTIC" [3]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [4]: 
https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: packageName: Microsoft.Windows.OOBENetworkConnectionFlow # Get-AppxPackage Microsoft.Windows.OOBENetworkConnectionFlow publisherId: cw5n1h2txyewy - name: Remove "Microsoft Family Safety" / "Parental control" app recommend: standard docs: |- This script uninstalls the parental control app for Microsoft Family Safety. A **parental control** app helps parents regulate the content their children access online, including how long they spend on devices [1]. It provides features such as content filtering, screen time limit enforcement, activity monitoring, contact blocking, and activity reports [1] [2]. **Family Safety**, a specific parental control tool from Microsoft, lets parents monitor and control their children's online activities [3]. It offers the ability to filter unsuitable web content and gives parents insight into the search terms their children use on search engines [3]. One notable function is the "safe search" feature that communicates with search engines to ensure adult material is excluded from search results [3]. However, using Family Safety means Microsoft collects personal details such as names, email addresses, birth dates, and other diagnostic data [4]. There's a privacy concern, especially regarding minors, because the tool actively logs the search terms children enter into search engines [3]. While "safe search" promotes user safety, it communicates settings to various search engine platforms, potentially sharing user preferences and identifiable information with these third parties [3]. It's also worth noting that certain browsers, like Firefox, require extra measures to ensure secure connections [3]. 
Without these measures, there's a risk of user data interception or manipulation. This app comes pre-installed on certain versions of Windows [5] [6]. ### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20231008130535/https://www.microsoft.com/en-us/microsoft-365-life-hacks/privacy-and-safety/choosing-a-parental-control-app "Choosing a parental control app that works for you - Microsoft 365" [2]: https://web.archive.org/web/20231008130516/https://www.microsoft.com/en-us/microsoft-365/family-safety "Microsoft Family Safety—Location Sharing and Screen Time App | Microsoft 365" [3]: https://web.archive.org/web/20231008130419/https://support.microsoft.com/en-us/topic/family-safety-update-improves-web-filtering-and-activity-reporting-in-windows-8-1-and-windows-rt-8-1-116efe24-0153-9680-0d0c-5f433c677336 "Family Safety update improves web filtering and activity reporting in Windows 8.1 and Windows RT 8.1 - Microsoft Support" [4]: https://web.archive.org/web/20231008130529/https://support.microsoft.com/en-us/account-billing/family-safety-data-collection-and-privacy-options-3d01b791-e48a-498f-bfa6-97f0d373cd9c "Family Safety data collection and privacy options - Microsoft Support" [5]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [6]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: packageName: 
Microsoft.Windows.ParentalControls # Get-AppxPackage Microsoft.Windows.ParentalControls publisherId: cw5n1h2txyewy - name: Remove "My People" app recommend: strict docs: |- This script uninstalls the "My People" app. This app is also known as "People Hub" [1] [2] or "Windows My People" [3] [4]. It allows users to pin contacts to the Windows task bar [3]. Additionally, users can drag and drop documents, photos, or videos onto a contact to share them [3]. This app comes pre-installed on certain versions of Windows [1] [2]. Its main operational file is `PeopleExperienceHost.exe`, which can typically be located at `C:\Windows\SystemApps\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\PeopleExperienceHost.exe` [4]. This process is commonly as "Windows My People" [4]. By uninstalling pre-installed apps like "My People", users can reclaim system resources and potentially enhance privacy by reducing the number of apps that could access and share their data. ### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" [3]: https://web.archive.org/web/20231009112816/https://blogs.windows.com/windowsexperience/2016/10/26/empowering-a-new-wave-of-creativity-with-the-windows-10-creators-update-and-surface-studio/ "Empowering a new wave of creativity with the Windows 10 Creators Update and Surface Studio | Windows 
Experience Blog" [4]: https://web.archive.org/web/20231205170517/https://strontic.github.io/xcyclopedia/library/PeopleExperienceHost.exe-4DB57408AA06543E575368FEDC280B4A "PeopleExperienceHost.exe | Windows My People | STRONTIC" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: packageName: Microsoft.Windows.PeopleExperienceHost # Get-AppxPackage Microsoft.Windows.PeopleExperienceHost publisherId: cw5n1h2txyewy - name: Remove "Pinning Confirmation Dialog" app docs: |- This app comes pre-installed on certain versions of Windows [1] [2]. ### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: packageName: Microsoft.Windows.PinningConfirmationDialog # Get-AppxPackage Microsoft.Windows.PinningConfirmationDialog publisherId: cw5n1h2txyewy - name: Remove "Secondary Tile Experience" app recommend: strict docs: |- This script removes the Second Tile Experience app from your computer. The Second Tile Experience helps in providing a feature in Windows that lets users create quick access shortcuts, called secondary tiles, to specific content from an app on their Start menu [1]. For example, it might be a shortcut to the weather of a city or a favorite news article. 
Secondary tiles act as direct entry points to parts of an app, like displaying real-time updates or leading to a particular feature [1]. While these tiles share some similarities with primary tiles in terms of showing detailed content and notifications, they differ in a few ways. First, secondary tiles are created based on the user's choice, and they get a prompt from the system asking for confirmation before pinning [1]. Second, these tiles can be deleted at any time, and this doesn't affect the main app [1]. This app comes pre-installed on certain versions of Windows [2]. From a privacy perspective, it's worth noting that individual secondary tiles might track user behaviors or preferences, which could be a concern for some users. The purpose of this script is to offer users the option to uninstall this feature if they wish to prioritize their privacy. ### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ❌ | | Windows 10 | 20H2 | ❌ | | Windows 10 | 21H2 | ❌ | | Windows 10 | 22H2 | ❌ | | Windows 11 | 21H2 | ❌ | | Windows 11 | 22H2 | ❌ | | Windows 11 | 23H2 | ❌ | [1]: https://web.archive.org/web/20231008120335/https://learn.microsoft.com/en-us/windows/apps/design/shell/tiles-and-notifications/secondary-tiles "Secondary tiles - Windows apps | Microsoft Learn" [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: packageName: Microsoft.Windows.SecondaryTileExperience # Get-AppxPackage Microsoft.Windows.SecondaryTileExperience publisherId: cw5n1h2txyewy - name: Remove "Take a Test" app recommend: strict docs: |- This script uninstalls the "Take a Test" application, also known as "secure assessment browser" [1] [2] [3]. 
It is a feature in Windows primarily used for online testing in schools [4]. The purpose of this app is to create a secure environment where students can't access external computer or internet resources while taking a test [4]. It restricts specific activities, like printing, taking screenshots, or opening other apps [4]. The software offers two usage modes: a basic secure mode and a more stringent "kiosk mode" for vital assessments [4]. Educators and administrators have the flexibility to set various rules using this application [5]. For example, they can determine if the test allows screen monitoring, if students can get keyboard text suggestions, or if a specific test should auto-launch when the app is started [5]. They can also control printing permissions and determine which user accounts are permitted to take the test [5]. The app collects data such as the username of the person taking the test and information about the particular tests being taken [5]. This app comes pre-installed on certain versions of Windows [1] [2]. Its technical implementation can be found under the name `SecureAssessmentBrowser.exe` at `C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\SecureAssessmentBrowser.exe`[3]. 
### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" [3]: https://web.archive.org/web/20231008122256/https://strontic.github.io/xcyclopedia/library/SecureAssessmentBrowser.exe-9997A632135DFB0C53479401E17A7367.html "SecureAssessmentBrowser.exe | Take a Test | STRONTIC" [4]: https://web.archive.org/web/20231008122321/https://learn.microsoft.com/en-us/education/windows/take-tests-in-windows "Take tests and assessments in Windows - Windows Education | Microsoft Learn" [5]: https://web.archive.org/web/20231008122328/https://learn.microsoft.com/en-us/windows/client-management/mdm/secureassessment-csp "SecureAssessment CSP - Windows Client Management | Microsoft Learn" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: packageName: Microsoft.Windows.SecureAssessmentBrowser # Get-AppxPackage Microsoft.Windows.SecureAssessmentBrowser publisherId: cw5n1h2txyewy - name: Remove "Windows Feedback" app recommend: standard docs: |- This script removes the "Windows Feedback" app. Introduced in Windows 1511 (Windows 10 Fall Update) [1], this app allows users to share feedback with Microsoft, primarily aimed at Windows Insider users [1]. This app comes pre-installed on certain versions of Windows [2]. 
Removing this app contributes to privacy by eliminating a channel through which user feedback and usage data might be sent to Microsoft. It's particularly useful for users who prefer to minimize data sharing with external parties. ### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ❌ | | Windows 10 | 20H2 | ❌ | | Windows 10 | 21H2 | ❌ | | Windows 10 | 22H2 | ❌ | | Windows 11 | 21H2 | ❌ | | Windows 11 | 22H2 | ❌ | | Windows 11 | 23H2 | ❌ | [1]: https://web.archive.org/web/20240101111454/https://blogs.windows.com/windows-insider/2015/08/27/windows-10-insider-preview-build-10532-for-pc/ "Windows 10 Insider Preview Build 10532 for PC | Windows Insider Blog | blogs.windows.com" [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: packageName: Microsoft.WindowsFeedback # Get-AppxPackage Microsoft.WindowsFeedback publisherId: cw5n1h2txyewy - name: Remove "Xbox Game Callable UI" app (breaks Xbox Live games) recommend: strict docs: |- This script uninstalls the "Xbox Game Callable UI" (TCUI) app. This app acts as an intermediary tool that games can use to bring up common UI elements on the Xbox platform [1]. These displays, consistent with the RS5 Gamebar style, offer functionalities such as profile viewing, game invite sending, people selection, friend management, achievement viewing, user privilege checking, and navigation to game details, profile customization, user settings, and storage management [1]. This app comes pre-installed on certain versions of Windows [2] [3]. 
### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20200827080253/https://docs.microsoft.com/en-us/gaming/xbox-live/features/general/tcui/live-tcui-overview "Title-callable UI (TCUI) overview - Xbox Live | Microsoft Docs" [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [3]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: packageName: Microsoft.XboxGameCallableUI # Get-AppxPackage Microsoft.XboxGameCallableUI publisherId: cw5n1h2txyewy - name: Remove "CBS Preview" app recommend: standard docs: |- This app comes pre-installed on certain versions of Windows [1] [2]. 
### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: packageName: Windows.CBSPreview # Get-AppxPackage Windows.CBSPreview publisherId: cw5n1h2txyewy - name: Remove "Contact Support" app docs: |- This app comes pre-installed on certain versions of Windows [1]. ### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ❌ | | Windows 10 | 20H2 | ❌ | | Windows 10 | 21H2 | ❌ | | Windows 10 | 22H2 | ❌ | | Windows 11 | 21H2 | ❌ | | Windows 11 | 22H2 | ❌ | | Windows 11 | 23H2 | ❌ | [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: packageName: Windows.ContactSupport # Get-AppxPackage Windows.ContactSupport publisherId: cw5n1h2txyewy - category: Remove printing user interface docs: |- # refactor-with-variables: • Printing Caution This category includes scripts that remove applications providing printing-related user interfaces. These interfaces manage printing tasks from the desktop environment. Both system and third-party applications use these interfaces. 
Removing these apps benefits users who do not use physical printing or prefer alternative methods. This can streamline system operations and enhance security by reducing the attack surface. Additionally, removing these apps enhances your data privacy by preventing unauthorized printing of sensitive documents. However, removing these essential printing interfaces can disrupt normal printing functions for dependent applications. Users should assess whether these apps are essential to their workflow before removal. Do not run these scripts if you rely on the operating system's printing functionality. > **Caution:** > This may significantly impair your ability to print. children: - name: Remove "Print Queue" app (breaks printing) docs: |- # refactor-with-variables: • Printing Caution This script removes the "Print Queue" app [1] [2] [3], also known as the *Print Queue Action Center* [1] [2] [3] [4] [5]. This app replaces the older print queue dialog with a modern user interface (UI) [3] [5]. It enables users to view and manage their print jobs, including pausing and resuming them [1] [2]. The app first appeared in an early version of Windows 11 (build 22567.1) [5]. It became fully functional in later updates (starting with build 22572.1) [3]. The Windows 11 22H2 update includes it for general users [6]. To determine if this app is essential for your workflow, launch it from the terminal using the following command to explore its features before deciding on its removal [1] [2]: ``` explorer.exe shell:appsFolder\Microsoft.Windows.PrintQueueActionCenter_cw5n1h2txyewy!App ``` This app comes pre-installed on certain versions of Windows [4] [2] [5] [3] [6]. Uninstalling this app can improve system performance by reducing background processes. > **Caution:** > This may significantly impair your ability to print. > Be cautious about removing this app if you rely on printing services. > This app is essential for printing in Windows 11 [1]. 
> Switching back to older interfaces might not be possible [6]. ### Overview of default preinstallation | OS | Version | Existence | | -- | ------- | --------- | | Windows 10 | 19H2 | ❌ | | Windows 10 | 20H2 | ❌ | | Windows 10 | 21H2 | ❌ | | Windows 10 | 22H2 | ❌ | | Windows 11 | 21H2 | ❌ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20240322115140/https://www.elevenforum.com/t/pause-and-resume-printing-in-windows-11.11913/ "Pause and Resume Printing in Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com" [2]: https://web.archive.org/web/20240322115355/https://blogs.windows.com/windows-insider/2024/01/03/announcing-windows-11-insider-preview-build-26020-canary-channel/ "Announcing Windows 11 Insider Preview Build 26020 (Canary Channel) | Windows Insider Blog | blogs.windows.com" [3]: https://web.archive.org/web/20240322115428/https://betawiki.net/wiki/Windows_11_build_22572.1 "Windows 11 build 22572.1 - BetaWiki | betawiki.net" [4]: https://web.archive.org/web/20230610014325/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn | learn.microsoft.com" [5]: https://web.archive.org/web/20240322115338/https://betawiki.net/wiki/Windows_11_build_22567.1 "Windows 11 build 22567.1 - BetaWiki | betawiki.net" [6]: https://web.archive.org/web/20240322115646/https://answers.microsoft.com/en-us/windows/forum/all/windows-11-22h2-update-issue-with-printer-queue-in/52c8eb48-a9d1-41c7-9e97-616713bfab81 "Windows 11 22H2 Update Issue with Printer Queue in Lower right hand - Microsoft Community | answers.microsoft.com" call: function: UninstallNonRemovableStoreApp parameters: packageName: Microsoft.Windows.PrintQueueActionCenter # Get-AppxPackage Microsoft.Windows.PrintQueueActionCenter publisherId: cw5n1h2txyewy - name: Remove "Print UI" app (breaks printing for some apps) docs: |- # 
refactor-with-variables: • Printing Caution This script removes the "Print UI" system application. This app comes pre-installed on certain versions of Windows [1] [2]. First introduced in early development builds of Windows 10 [3] [4] [5], the "Print UI" app is crucial for the native printing experience in Windows. When users click the Print button in apps such as Photos or early versions of Edge browser (before Chromium), this UI is displayed [6] [7]. Since the release of Windows 11 22H2, Microsoft has replaced the legacy print dialog for all classic apps (like Notepad and WordPad) with this newer interface [8]. To determine if this app is essential for your workflow, launch it from the terminal using the following command to explore its features before deciding on its removal [3] [4] [5]: ``` explorer.exe shell:AppsFolder\Windows.PrintDialog_cw5n1h2txyewy!Microsoft.Windows.PrintDialog ``` The app is located at `C:\Windows\PrintDialog` [6] [7]. Removing it may enhance system performance and security by reducing unnecessary components and the attack surface. It's safe to remove if you use applications that have their own printing dialogs or that directly request a different user interface from the operating system. However, applications like the Photos app, which depend on hard-coded calls to this UI, may lose printing functionality if the app is removed [6] [7]. Therefore, it is advisable not to remove this app if you rely on such applications for printing. > **Caution**: > This may significantly impair your ability to print. > Removing this application may disrupt the ability of other apps to initiate printing tasks. 
### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" [3]: https://web.archive.org/web/20240515081857/https://betawiki.net/wiki/Windows_10_build_10041_(fbl_impressive) "Windows 10 build 10041 (fbl_impressive) - BetaWiki | betawiki.net" [4]: https://archive.ph/2024.05.15-082810/https://thecollectionbook.info/windows/10/1432 "Microsoft Windows 10, 10.0.9909.0 - The Collection Book | thecollectionbook.info" [5]: https://archive.ph/2024.05.15-082800/https://www.betaworld.cn/index.php?title=Windows_10:10.0.9909.0.fbl_awesome1501.141213-2119&mobileaction=toggle_view_desktop "Windows 10:10.0.9909.0.fbl_awesome1501.141213-2119 - BetaWorld 百科 | betaworld.cn" [6]: https://web.archive.org/web/20240515081804/https://github.com/microsoft/microsoft-ui-xaml/issues/2669 "Faulting module name: Windows.UI.Xaml.dll, version: 10.0.18362.815 · Issue #2669 · microsoft/microsoft-ui-xaml | github.com" [7]: https://web.archive.org/web/20240515081814/https://administrator.de/forum/drucken-aus-microsoft-windows-photos-funktioniert-nicht-3790564489.html "Drucken aus Microsoft.Windows.Photos funktioniert nicht - Administrator | administrator.de" [8]: https://web.archive.org/web/20240515081823/https://www.winhelponline.com/blog/restore-legacy-print-dialog-windows-11/?expand_article=1 "Restore the Legacy Print Dialog in Windows 11 
                  22H2 » Winhelponline | winhelponline.com"
                call:
                  function: UninstallNonRemovableStoreAppWithCleanup
                  parameters:
                    packageName: Windows.PrintDialog # Get-AppxPackage Windows.PrintDialog
                    publisherId: cw5n1h2txyewy
          - category: Remove OneDrive
            docs: |-
              Microsoft OneDrive (formerly SkyDrive) is a file hosting service operated by Microsoft [1].
              First launched in August 2007, it enables registered users to share and synchronize their files [1].

              Data stored on OneDrive is subject to monitoring by Microsoft [2].
              There have been reports of Microsoft accessing and altering your personal files when syncing on OneDrive [3] [4].

              Uninstalling OneDrive is recommended by Microsoft to optimize Windows VDIs [5].

              [1]: https://en.wikipedia.org/wiki/OneDrive "OneDrive | Wikipedia"
              [2]: https://en.wikipedia.org/w/index.php?title=OneDrive&oldid=1111615560#Privacy_concerns "OneDrive | Privacy concerns | Wikipedia"
              [3]: https://web.archive.org/web/20191002180755/https://www.intralinks.com/blog/2014/04/microsoft-onedrive-business-can-alter-files-syncs "Microsoft OneDrive for Business can Alter Your Files as It Syncs | Intralinks"
              [4]: https://thehackernews.com/2014/04/microsoft-onedrive-secretly-modifies.html "Microsoft OneDrive Secretly Modifies your BackUp Files | thehackernews.com"
              [5]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#remove-onedrive-components "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn"
            children:
              - name: Kill OneDrive process
                recommend: strict
                docs: |-
                  It stops the execution of OneDrive.
                  The main OneDrive process is `OneDrive.exe`, and it is installed in `\Microsoft\OneDrive\OneDrive.exe` [1] [2] [3] [4].
                  [1]: https://web.archive.org/web/20231206192439/https://answers.microsoft.com/en-us/windows/forum/all/onedrive-wont-sync-and-wont-uninstall-so-i-can-re/6182d0a5-e7ea-46bb-a058-c0a4fd5e299a "Onedrive wont sync and wont uninstall so I can re-install the latest - Microsoft Community | answers.microsoft.com"
                  [2]: https://web.archive.org/web/20231206211723/https://social.technet.microsoft.com/Forums/scriptcenter/en-US/9bd33f03-62dd-4c4f-9d29-970c1016f2f9/better-onedrive-detection-method?forum=configmanagerapps "Better OneDrive detection method | social.technet.microsoft.com"
                  [3]: https://web.archive.org/web/20231206212821/https://social.msdn.microsoft.com/Forums/en-US/072e3577-d0ff-4950-9e0b-40b037853881/starting-and-stopping-sharepoint-library-sync-with-onedrive "Starting and stopping SharePoint library sync with OneDrive | social.msdn.microsoft.com"
                  [4]: https://web.archive.org/web/20240314124031/https://learn.microsoft.com/en-us/answers/questions/473995/onedrive-was-previously-disabled-and-now-i-cant-en "OneDrive was previously disabled and now I can't enable it with GPO - Microsoft Q&A | learn.microsoft.com"
                call:
                  function: TerminateRunningProcess
                  parameters:
                    executableNameWithExtension: OneDrive.exe
                    revertExecutablePath: '%LOCALAPPDATA%\Microsoft\OneDrive\OneDrive.exe'
                    revertExecutableArgs: /background
              - name: Remove OneDrive from startup
                recommend: strict
                docs: |-
                  OneDrive starts on every boot in both Windows 10 and 11.
                  It's started through the `OneDrive` `REG_SZ` entry in `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` [1].
                  The startup command is `"\Microsoft\OneDrive\OneDrive.exe" /background` [1].
                  [1]: https://techcommunity.microsoft.com/t5/azure-virtual-desktop/start-onedrive-when-using-a-remoteapp-in-wvd/m-p/899331 "Re: Start OneDrive when using a RemoteApp in WVD - Page 2 - Microsoft Tech Community | techcommunity.microsoft.com"
                code: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDrive" /f 2>nul
                revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDrive" /t REG_SZ /d "\"%LOCALAPPDATA%\Microsoft\OneDrive\OneDrive.exe\" /background" /f
              - name: Remove OneDrive through official installer
                docs: |-
                  This script calls the official Microsoft uninstaller, which uninstalls the application but leaves residual files behind.
                  You won't lose data by uninstalling OneDrive from the computer because your files remain stored in the cloud [1].

                  Running the OneDrive client setup package (`OneDriveSetup.exe`) with the `/uninstall` command line switch uninstalls OneDrive [2] [3].
                  On Windows 10, the setup package is found in different folders (`System32` or `SysWOW64`) based on the CPU architecture [4].
                  On Windows 11, the setup package is always inside `System32` regardless of the CPU architecture.

                  Uninstalling OneDrive is recommended by Microsoft to optimize Windows VDIs [5].
                  [1]: https://support.microsoft.com/en-us/office/turn-off-disable-or-uninstall-onedrive-f32a17ce-3336-40fe-9c38-6efb09f944b0 "Turn off, disable, or uninstall OneDrive | support.microsoft.com"
                  [2]: https://web.archive.org/web/20231002162805/https://learn.microsoft.com/en-us/sharepoint/troubleshoot/installation-and-setup/how-to-block-onedrive-from-being-advertised-after-install-office-2016#method-2-uninstall-onedriveexe "How to block OneDrive.exe from being advertised after you install Office 2016 - SharePoint | Microsoft Learn"
                  [3]: https://learn.microsoft.com/en-us/sharepoint/troubleshoot/lists-and-libraries/cannot-open-onedrive-on-images-using-sysprep#how-to-correctly-deploy-onedrive-via-sysprep "Can't open OneDrive on images using Sysprep - SharePoint | Microsoft Learn"
                  [4]: https://web.archive.org/web/20231206192414/https://answers.microsoft.com/en-us/windows/forum/all/onedrive-on-windows-11-does-not-appear-in-file/250c679b-9d02-410f-8c8f-41cca112ccfa "OneDrive on Windows 11 - Does Not Appear in File Explorer - Microsoft Community | answers.microsoft.com"
                  [5]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#remove-onedrive-components "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn"
                recommend: strict
                code: |-
                  if exist "%SYSTEMROOT%\System32\OneDriveSetup.exe" (
                    "%SYSTEMROOT%\System32\OneDriveSetup.exe" /uninstall
                  ) else (
                    if exist "%SYSTEMROOT%\SysWOW64\OneDriveSetup.exe" (
                      "%SYSTEMROOT%\SysWOW64\OneDriveSetup.exe" /uninstall
                    ) else (
                      echo Failed to uninstall, uninstaller could not be found. 1>&2
                    )
                  )
                revertCode: |-
                  if exist "%SYSTEMROOT%\System32\OneDriveSetup.exe" (
                    "%SYSTEMROOT%\System32\OneDriveSetup.exe" /silent
                  ) else (
                    if exist "%SYSTEMROOT%\SysWOW64\OneDriveSetup.exe" (
                      "%SYSTEMROOT%\SysWOW64\OneDriveSetup.exe" /silent
                    ) else (
                      echo Failed to install, installer could not be found. 1>&2
                    )
                  )
              - name: Remove OneDrive user data and synced folders
                recommend: strict
                docs: |-
                  This script deletes the OneDrive directory and all stored data from your profile.

                  OneDrive usually saves your data in the `%USERPROFILE%\OneDrive` directory [1] [2], also known as the *OneDrive folder* or *OneDrive root directory* [2].
                  By default, OneDrive stores user data in a folder called *OneDrive* [1].
                  For multiple accounts, files may be in *OneDrive - Personal* or *OneDrive - CompanyName* folders [1] [3].

                  OneDrive can synchronize default Windows folders like *Documents*, *Pictures*, *Music*, and *Desktop* [4] [5] [6] [7].
                  These folders are known as *user shell folders* [6] or *Windows system folders* [7].
                  Upon synchronization, these folders are moved within the OneDrive user data directory [5] [8].
                  Users may enable this synchronization unknowingly during Windows setup by choosing the *Save files to OneDrive* option [9] [10].
                  Alternatively, synchronization can be enabled later through OneDrive settings [4].
                  OneDrive may also prompt users to *set up protection of important folders* [11], a feature also referred to as *protect your folders* or *Known Folder Move (KFM)* [11].
                  Additionally, an organization may move files of its managed computers to OneDrive using methods such as the *Windows Folder Redirection Group Policy* [8].

                  This script contains safeguards to protect against unintended consequences:

                  1. **System Integrity Protection**:
                     The script verifies whether any user shell folders are linked to the OneDrive directory.
                     This is crucial because redirecting these folders to OneDrive can cause system integrity issues.
                     For instance, if the *Desktop* folder is redirected to OneDrive, deleting the OneDrive folder could make the *Desktop* inaccessible.
                     The script stops and warns if any user shell folders are found within OneDrive.
                     > 💡 Move these folders back to their original locations using the
                     > `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders` registry key [6] before proceeding.

                  2. **Data Loss Prevention**:
                     The script avoids deleting files or non-empty directories to prevent accidental data loss.

                     > 💡 Manually empty these directories before running the script or opt to delete them afterward if needed.

                  The OneDrive folder has been confirmed to exist in modern versions of Windows, tested since Windows 11 (since 22H2) and Windows 10 (since 22H2).

                  [1]: https://web.archive.org/web/20231025220524/https://support.microsoft.com/en-us/office/sync-onedrive-files-and-folders-3b8246e0-cc3c-4ae7-b4e1-4b4b37d27f68 "Sync OneDrive files and folders - Microsoft Support | support.microsoft.com"
                  [2]: https://web.archive.org/web/20220812205500/https://admx.help/?Category=OneDrive&Policy=Microsoft.Policies.OneDriveNGSC::DefaultRootDir "Set the default location for the OneDrive folder | admx.help"
                  [3]: https://web.archive.org/web/20231025220530/https://support.microsoft.com/en-us/office/sync-files-with-onedrive-in-windows-615391c4-2bd3-4aae-a42a-858262e42a49 "Sync files with OneDrive in Windows | support.microsoft.com"
                  [4]: https://web.archive.org/web/20231025220541/https://support.microsoft.com/en-us/office/choose-which-onedrive-folders-to-sync-to-your-computer-98b8b011-8b94-419b-aa95-a14ff2415e85 "Choose which OneDrive folders to sync to your computer - Microsoft Support | support.microsoft.com"
                  [5]: https://web.archive.org/web/20240317200014/https://support.microsoft.com/en-us/office/back-up-your-folders-with-onedrive-d61a7930-a6fb-4b95-b28a-6552e77c3057 "Back up your folders with OneDrive - Microsoft Support | support.microsoft.com"
                  [6]: https://web.archive.org/web/20231025220843/https://support.microsoft.com/en-us/topic/how-to-redirect-user-shell-folders-to-a-specified-path-by-using-profile-maker-ed6289ae-1f9c-b874-4e8c-20d23ea65b2e "How to redirect user shell folders to a
                  specified path by using Profile Maker - Microsoft Support | support.microsoft.com"
                  [7]: https://web.archive.org/web/20231025220733/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/controlled-folders?view=o365-worldwide#windows-system-folders-are-protected-by-default "Protect important folders from ransomware from encrypting your files with controlled folder access | Microsoft Learn | learn.microsoft.com"
                  [8]: https://web.archive.org/web/20231025220852/https://learn.microsoft.com/en-us/sharepoint/redirect-known-folders "Redirect and move Windows known folders to OneDrive - SharePoint in Microsoft 365 | Microsoft Learn | learn.microsoft.com"
                  [9]: https://web.archive.org/web/20231025220728/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/customize-oobe-in-windows-11 "Customize the Out of Box experience (OOBE) | Microsoft Learn | learn.microsoft.com"
                  [10]: https://web.archive.org/web/20231025220741/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/customize-oobe "Customize OOBE | Microsoft Learn | learn.microsoft.com"
                  [11]: https://web.archive.org/web/20231025220711/https://techcommunity.microsoft.com/t5/microsoft-onedrive-blog/migrate-your-files-to-onedrive-easily-with-known-folder-move/ba-p/207076 "Migrate Your Files to OneDrive Easily with Known Folder Move - Microsoft Community Hub | techcommunity.microsoft.com"
                call:
                  function: DeleteDirectory
                  parameters:
                    directoryGlob: '%USERPROFILE%\OneDrive*'
                    # System Integrity Guard: Verifying user shell folders
                    # This section checks if any user shell folders are set to the OneDrive directory.
                    # It ensures the system's integrity by verifying the registry path and entries for user shell folders.
                    # If any user shell folder is found in OneDrive, a warning is issued, and the script stops to avoid system disruptions.
                    beforeIteration: |-
                      $oneDriveUserFolderPattern = [System.Environment]::ExpandEnvironmentVariables('%USERPROFILE%\OneDrive') + '*'
                      while ($true) { # Loop to control the execution of the subsequent code
                        try {
                          $userShellFoldersRegistryPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
                          if (-not (Test-Path $userShellFoldersRegistryPath)) {
                            Write-Output "Skipping verification: The registry path for user shell folders is missing: `"$userShellFoldersRegistryPath`""
                            break;
                          }
                          $userShellFoldersRegistryKeys = Get-ItemProperty -Path $userShellFoldersRegistryPath
                          $userShellFoldersEntries = @($userShellFoldersRegistryKeys.PSObject.Properties)
                          if ($userShellFoldersEntries.Count -eq 0) {
                            Write-Warning "Skipping verification: No entries found for user shell folders in the registry: `"$userShellFoldersRegistryPath`""
                            break;
                          }
                          # Use $( ) for the subexpression; ${name.Count} would look up a variable literally named "name.Count".
                          Write-Output "Initiating verification: Checking if any of the $($userShellFoldersEntries.Count) user shell folders point to the OneDrive user folder pattern ($oneDriveUserFolderPattern)."
                          $userShellFoldersInOneDrive = @()
                          foreach ($registryEntry in $userShellFoldersEntries) {
                            $userShellFolderName = $registryEntry.Name
                            $userShellFolderPath = $registryEntry.Value
                            if (!$userShellFolderPath) {
                              Write-Output "Skipping: The user shell folder `"$userShellFolderName`" does not have a defined path."
                              continue
                            }
                            $expandedUserShellFolderPath = [System.Environment]::ExpandEnvironmentVariables($userShellFolderPath)
                            if (-not ($expandedUserShellFolderPath -like $oneDriveUserFolderPattern)) {
                              continue
                            }
                            $userShellFoldersInOneDrive += [PSCustomObject]@{ Name = $userShellFolderName; Path = $expandedUserShellFolderPath }
                          }
                          if ($userShellFoldersInOneDrive.Count -gt 0) {
                            $warningMessage = 'To keep your computer running smoothly, OneDrive user folder will not be deleted.'
                            $warningMessage += "`nIt's being used by the OS as a user shell directory for the following folders:"
                            $userShellFoldersInOneDrive.ForEach({ $warningMessage += "`n- $($_.Name): $($_.Path)" })
                            Write-Warning $warningMessage
                            exit 0
                          }
                          Write-Output "Successfully verified that none of the $($userShellFoldersEntries.Count) user shell folders point to the OneDrive user folder pattern."
                          break;
                        } catch {
                          Write-Warning "An error occurred during verification of user shell folders. Skipping to prevent potential issues. Error: $($_.Exception.Message)"
                          exit 0
                        }
                      }
                    # Data Loss Prevention Guard: Checking directory contents
                    # This guard ensures that no file or non-empty directory is accidentally deleted.
                    # It checks each path; if it's a file or a non-empty directory, the script skips deletion for that path.
                    # This step is designed to prevent unintended data loss during script execution.
                    duringIteration: |-
                      try {
                        if (Test-Path -Path $path -PathType Leaf) {
                          Write-Warning "Retaining file `"$path`" to safeguard your data."
                          continue;
                        } elseif (Test-Path -Path $path -PathType Container) {
                          if ((Get-ChildItem "$path" -Recurse | Measure-Object).Count -gt 0) {
                            Write-Warning "Preserving non-empty folder `"$path`" to protect your files."
                            continue;
                          }
                        }
                      } catch {
                        Write-Warning "An error occurred while processing `"$path`". Skipping to protect your data. Error: $($_.Exception.Message)"
                        continue;
                      }
              - name: Remove OneDrive installation files and cache
                recommend: strict
                docs: |-
                  This script removes OneDrive installation directories, application data, temporary files, and cache.

                  Identified by the community and confirmed through testing, these folders include:

                  - `C:\OneDriveTemp`: A location for temporary cache files [1] [3].
                  - `C:\ProgramData\Microsoft OneDrive` [2]: Stores data used in setting up OneDrive [2] [3].
                  - `C:\Users\\AppData\Local\Microsoft\OneDrive`: OneDrive installation directory [2] [3] [4].
                  | Directory | Windows 11 (since 22H2) | Windows 10 (since 22H2) |
                  | --------- |:-----------------------:|:-----------------------:|
                  | `%SYSTEMDRIVE%\OneDriveTemp` | ❌ Missing | ❌ Missing |
                  | `%PROGRAMDATA%\Microsoft OneDrive` | ✅ Exists | ✅ Exists |
                  | `%LOCALAPPDATA%\Microsoft\OneDrive` | ✅ Exists | ✅ Exists |

                  [1]: https://web.archive.org/web/20231206213533/https://social.microsoft.com/Forums/en-US/53263a51-856f-4e64-bc0e-a689d4cc5a8b/release-notes-for-1907-build-29711727413?forum=FSLogix "Release Notes for 1907 - build 2.9.7117.27413 | social.microsoft.com"
                  [2]: https://web.archive.org/web/20231231134443/https://techcommunity.microsoft.com/t5/sharepoint/onedrive-setup-fails-to-complete/m-p/2072446 "OneDrive setup fails to complete - Microsoft Tech Community"
                  [3]: https://web.archive.org/web/20231231134548/https://answers.microsoft.com/en-us/msoffice/forum/all/why-does-onedrive-act-as-ransomware/288e5940-b92b-493c-91ff-dafd26279bee "Why does OneDrive act as Ransomware? - Microsoft Community"
                  [4]: https://web.archive.org/web/20231231134612/https://learn.microsoft.com/en-us/sharepoint/install/configure-syncing-with-the-onedrive-sync-app "Configure syncing with the new OneDrive sync app - SharePoint Server | Microsoft Learn | learn.microsoft.com"
                call:
                  - function: DeleteDirectory
                    parameters:
                      directoryGlob: '%LOCALAPPDATA%\Microsoft\OneDrive'
                      grantPermissions: 'true'
                  - function: DeleteDirectory
                    parameters:
                      directoryGlob: '%PROGRAMDATA%\Microsoft OneDrive'
                  - function: DeleteDirectory
                    parameters:
                      directoryGlob: '%SYSTEMDRIVE%\OneDriveTemp'
              - name: Remove OneDrive shortcuts
                recommend: strict
                docs: |-
                  This script ensures the removal of all OneDrive shortcuts from your system, even after uninstallation or cleanup.
                  Erasing these shortcuts improves the security and privacy of your computer system, lessening the potential access points for unwanted entities.
                  Moreover, the removal of unused shortcuts results in a more organized and efficient system, enhancing your user experience by preventing any confusion from dead shortcuts.

                  Shortcuts that link to OneDrive are stored in various locations, such as:

                  - `Start Menu\Programs\Microsoft OneDrive.lnk`, `Start Menu\Programs\OneDrive.lnk`, `Links\OneDrive.lnk` [1],
                  - `ServiceProfiles\LocalService` and `ServiceProfiles\NetworkService` [1]

                  Below are the tested shortcut file locations on a default installation (since Windows 10 22H2 and Windows 11 22H2):

                  | Path | Windows 11 | Windows 10 |
                  | ---- |:----------:|:----------:|
                  | `%APPDATA%\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk` | ✅ Exists | ✅ Exists |
                  | `%USERPROFILE%\Links\OneDrive.lnk` | ❌ Missing | ❌ Missing |
                  | `%WINDIR%\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk` | ❌ Missing | ✅ Exists |
                  | `%WINDIR%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk` | ❌ Missing | ✅ Exists |

                  In Windows 10 and higher, additional steps are necessary to delete the OneDrive icon from the navigation pane in Windows Explorer [2]; this script performs them as well.
                  [1]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#remove-onedrive-components "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn"
                  [2]: https://web.archive.org/web/20231002162805/https://learn.microsoft.com/en-us/sharepoint/troubleshoot/installation-and-setup/how-to-block-onedrive-from-being-advertised-after-install-office-2016 "How to block OneDrive.exe from being advertised after you install Office 2016 - SharePoint | Microsoft Learn"
                call:
                  - function: RemoveShortcutFiles
                    parameters:
                      targetFile: '%LOCALAPPDATA%\Microsoft\OneDrive\OneDrive.exe'
                      shortcutItems: |-
                        @{ Revert = $True; Path = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk"; }
                        @{ Revert = $False; Path = "$env:USERPROFILE\Links\OneDrive.lnk"; }
                        @{ Revert = $False; Path = "$env:WINDIR\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk"; }
                        @{ Revert = $False; Path = "$env:WINDIR\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk"; }
                  - function: RunPowerShell
                    parameters:
                      code: |-
                        Set-Location "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace"
                        Get-ChildItem | ForEach-Object { Get-ItemProperty $_.pspath } | ForEach-Object {
                          $leftnavNodeName = $_."(default)";
                          if (($leftnavNodeName -eq "OneDrive") -Or ($leftnavNodeName -eq "OneDrive - Personal")) {
                            if (Test-Path $_.pspath) {
                              Write-Host "Deleting $($_.pspath)."
                              Remove-Item $_.pspath;
                            }
                          }
                        }
              - name: Disable OneDrive usage
                recommend: strict
                docs: |-
                  This script prevents [1]:

                  - Keeping OneDrive files in sync with the cloud.
                  - Users from automatically uploading photos and videos from the camera roll folder.
                  - Users from accessing OneDrive from the OneDrive app and file picker.
                  - Windows Store apps from accessing OneDrive using the WinRT API.
                  - OneDrive from appearing in the navigation pane in File Explorer.

                  Setting the `DisableFileSyncNGSC` group policy prevents OneDrive from working on both Windows 10 and 11 [1] [2].
                  Windows 8 uses the older `DisableFileSync` key [3].
                  These policies do not exist by default in clean installations.

                  [1]: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.OneDrive::PreventOnedriveFileSync "Prevent the usage of OneDrive for file storage | admx.help"
                  [2]: https://support.microsoft.com/en-us/office/onedrive-won-t-start-0c158fa6-0cd8-4373-98c8-9179e24f10f2 "OneDrive won't start | support.microsoft.com"
                  [3]: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.OneDrive::PreventOnedriveFileSyncForBlue "Prevent the usage of OneDrive for file storage on Windows 8.1 | admx.help"
                call:
                  - function: SetRegistryValue
                    parameters:
                      keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive
                      valueName: DisableFileSyncNGSC
                      dataType: REG_DWORD
                      data: "1"
                      deleteOnRevert: 'true' # Missing key since Windows 10 21H2, Windows 11 21H2
                  - function: SetRegistryValue
                    parameters:
                      keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive
                      valueName: DisableFileSync
                      dataType: REG_DWORD
                      data: "1"
                      deleteOnRevert: 'true' # Missing key since Windows 10 21H2, Windows 11 21H2
              - name: Disable automatic OneDrive installation
                docs: |-
                  Windows 10 comes with an `OneDriveSetup` startup entry that reinstalls OneDrive automatically even after it has been uninstalled.
                  This entry is missing in Windows 11 by default.
                  `OneDriveSetup` is registered to reinstall OneDrive and can be removed through the registry [1], as recommended by Microsoft for optimizing Windows VDIs [1].
                  [1]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#remove-onedrive-components "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn"
                recommend: strict
                call:
                  function: RunPowerShell
                  parameters:
                    code: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup" /f 2>$null
                    revertCode: |-
                      $osVersion = [System.Environment]::OSVersion.Version
                      function Test-IsWindows11 {
                        ($osVersion.Major -gt 10) -or (($osVersion.Major -eq 10) -and ($osVersion.Build -ge 22000))
                      }
                      if (Test-IsWindows11) {
                        Write-Host 'Skipping, no action needed on Windows 11.'
                      } else {
                        if ([Environment]::Is64BitOperatingSystem) {
                          reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "OneDriveSetup" /t REG_SZ /d "%SYSTEMROOT%\SysWOW64\OneDriveSetup.exe /silent" /f
                        } else {
                          reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "OneDriveSetup" /t REG_SZ /d "%SYSTEMROOT%\System32\OneDriveSetup.exe /silent" /f
                        }
                      }
              - name: Remove OneDrive folder from File Explorer
                recommend: strict
                docs: |-
                  File Explorer shows OneDrive to allow you to access files stored in OneDrive (stored online and locally cached) [1].

                  The [CLSID](https://learn.microsoft.com/en-us/windows/win32/com/clsid-key-hklm) for OneDrive is `018D5C66-4533-4307-9B53-224DE2ED1FE6` [2] on both Windows 10 and 11.
                  Changing the pinning option for this key removes OneDrive from the navigation pane in File Explorer [2].
                  This CLSID has the `System.IsPinnedToNameSpaceTree` value set to `1` after a clean installation of both Windows 10 and Windows 11.
                  [1]: https://web.archive.org/web/20231025220530/https://support.microsoft.com/en-us/office/sync-files-with-onedrive-in-windows-615391c4-2bd3-4aae-a42a-858262e42a49 "Sync files with OneDrive in Windows | support.microsoft.com"
                  [2]: https://web.archive.org/web/20240322101857/https://answers.microsoft.com/en-us/windows/forum/all/remove-onedrive-from-file-explorer-navigation-pane/38ac7524-2b35-4ffc-baab-40ad61dc5d79 "Remove OneDrive from File Explorer navigation pane - Microsoft Community | answers.microsoft.com"
                code: |-
                  :: `1` by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
                  reg add "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /d "0" /t REG_DWORD /f
                  :: 32-bit view of the same CLSID on 64-bit Windows lives under Wow6432Node\CLSID
                  reg add "HKCR\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /d "0" /t REG_DWORD /f
                revertCode: |-
                  reg add "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /d "1" /t REG_DWORD /f
                  reg add "HKCR\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /d "1" /t REG_DWORD /f
              - name: Disable OneDrive scheduled tasks
                recommend: strict
                docs: |-
                  This script disables the scheduled tasks associated with Microsoft OneDrive that typically run maintenance activities such as auto-updates [1] [2] [3] and data collection [2].
                  Disabling these tasks impacts OneDrive's automatic background update process [1] [2] [3].

                  By default, Windows 10 (since 22H2) and Windows 11 (since 22H2) include the following tasks:

                  - `OneDrive Standalone Update Task` [1] [2] [3]
                  - `OneDrive Reporting Task` [1]

                  These tasks are enabled by default and lack official documentation from Microsoft.
                  They can be identified by executing `Get-ScheduledTask 'OneDrive *' | Select -ExpandProperty TaskName` in PowerShell.
                  These tasks are observed to persist even after OneDrive is uninstalled.
                  The tasks appear with a Security Identifier (SID) unique to each installation [1], following this pattern:

                  - `OneDrive Reporting Task-S-1-5-21-xxxxxx`
                  - `OneDrive Standalone Update Task-S-1-5-21-xxxxxx`

                  The SID, denoted by `xxxxxx`, varies per installation and represents the user account associated with the task.
                  SIDs of user accounts always start with `S-1-5-21` [4]; the rest of the number changes per user.
                  To see all user SIDs, you can run `wmic useraccount get Name,sid`.
                  The SID for your account can be confirmed using `whoami /user`.

                  A SID which doesn't correspond to any user account may appear.
                  This is due to system preparation processes (`sysprep`) that use different SIDs for tasks to prevent duplication [5].
                  Disabling tasks with standard user SIDs is straightforward, but attempting to disable tasks with unpredictable SIDs can result in an error message: `Catastrophic failure (Exception from HRESULT: 0x80000FFF (E_UNEXPECTED))`.
                  Nonetheless, disabling tasks with the correct SID is achievable using the provided script, which locates the full task names including the SIDs.

                  If OneDrive is installed for all users on a machine (which is not the default behavior [6]), an additional task is present:

                  - `OneDrive Per-Machine Standalone Update` [1] [7].

                  Disabling the `OneDrive Standalone Update Task` is recommended by Microsoft to improve system performance and reduce unnecessary data collection [2].
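                  The following is an added example, not part of this collection or of the OneDrive scripts above: it maps each OneDrive task to the account named by its SID suffix and flags SIDs that no longer resolve (the orphaned, sysprep-style case described above), so you can see before disabling which tasks belong to a real account. It assumes only the task-name pattern documented here (`<task name>-S-1-5-21-...`); the function name `Get-OneDriveTaskOwner` and the sample task names are constructed for illustration.

                  ```powershell
                  # Added example (not part of the privacy.sexy collection). Read-only audit:
                  # resolves the SID suffix of each OneDrive scheduled task to an account name.
                  function Get-OneDriveTaskOwner {
                      [CmdletBinding()]
                      param(
                          # Task names to inspect. Defaults to the live Task Scheduler listing
                          # (same query as the docs above); constructed names can be piped in instead.
                          [Parameter(ValueFromPipeline = $true)]
                          [string[]] $TaskName = (Get-ScheduledTask -TaskPath '\' -TaskName 'OneDrive *' |
                                                  Select-Object -ExpandProperty TaskName)
                      )
                      process {
                          foreach ($name in $TaskName) {
                              # A user SID suffix always starts with S-1-5-21 and sits at the end of the name.
                              $match = [regex]::Match($name, '-(?<sid>S-1-5-21(?:-\d+)+)$')
                              if (-not $match.Success) {
                                  [PSCustomObject]@{ TaskName = $name; Sid = $null; Account = $null; Status = 'No user SID (per-machine task)' }
                                  continue
                              }
                              $sid = $match.Groups['sid'].Value
                              try {
                                  # Translate() asks the local SAM / domain for the account behind the SID.
                                  $account = ([System.Security.Principal.SecurityIdentifier] $sid).Translate([System.Security.Principal.NTAccount]).Value
                                  $status = 'Resolved'
                              } catch [System.Security.Principal.IdentityNotMappedException] {
                                  # No account owns this SID: the leftover case the docs attribute to sysprep.
                                  $account = $null
                                  $status = 'Orphaned SID (no matching account)'
                              }
                              [PSCustomObject]@{ TaskName = $name; Sid = $sid; Account = $account; Status = $status }
                          }
                      }
                  }

                  # Constructed sample names (the SID below is made up), so the function can be
                  # exercised without touching Task Scheduler:
                  $sampleNames = @(
                      'OneDrive Reporting Task-S-1-5-21-1000-2000-3000-1001',
                      'OneDrive Standalone Update Task-S-1-5-21-1000-2000-3000-1001',
                      'OneDrive Per-Machine Standalone Update'
                  )
                  $sampleNames | Get-OneDriveTaskOwner | Format-Table -AutoSize

                  # Live run against the real task list; orphaned entries are the ones that may
                  # trigger the E_UNEXPECTED error mentioned above when disabled by name:
                  # Get-OneDriveTaskOwner | Where-Object Status -like 'Orphaned*'
                  ```

                  The made-up SID in the sample will itself report as orphaned on any machine; on a live run, compare the `Account` column against `whoami /user` to confirm which task belongs to the current user.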
                  ### Overview of default task statuses

                  `\OneDrive Reporting Task-$SID`:

                  | OS Version | Default status |
                  | ---------------- | -------------- |
                  | Windows 10 22H2 | 🟢 Ready |
                  | Windows 11 22H2 | 🟢 Ready |

                  `\OneDrive Standalone Update Task-$SID`:

                  | OS Version | Default status |
                  | ---------------- | -------------- |
                  | Windows 10 22H2 | 🟢 Ready |
                  | Windows 11 22H2 | 🟢 Ready |

                  `\OneDrive Per-Machine Standalone Update`:

                  | OS Version | Default status |
                  | ---------------- | -------------- |
                  | Windows 10 22H2 | 🟡 N/A (missing) |
                  | Windows 11 22H2 | 🟡 N/A (missing) |

                  [1]: https://web.archive.org/web/20231104142218/https://docs.fra.me/blog/2023/08/04/application-optimizations-microsoft-onedrive/#scheduled-tasks "Application Optimization Essentials: Microsoft OneDrive | Frame Platform Documentation | docs.fra.me"
                  [2]: https://web.archive.org/web/20231104142209/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-1803 "Optimizing Windows 10, version 1803, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn | learn.microsoft.com"
                  [3]: https://web.archive.org/web/20231104142301/http://windows.fyicenter.com/5623_OneDrive_Standalone_Update_Task-S-1-_Scheduled_Task_on_Windows_7.html '"OneDrive Standalone Update Task-S-1-..."
                  Scheduled Task on Windows 7 | windows.fyicenter.com'
                  [4]: https://web.archive.org/web/20231104133125/https://renenyffenegger.ch/notes/Windows/security/SID/index "Windows security identifiers (SID) | renenyffenegger.ch"
                  [5]: https://en.wikipedia.org/w/index.php?title=Windows_Task_Scheduler&oldid=1086196699#Bugs "Windows Task Scheduler - Wikipedia | wikipedia.org"
                  [6]: https://web.archive.org/web/20231104142412/https://learn.microsoft.com/en-us/sharepoint/per-machine-installation "Install the sync app per-machine (Windows) - SharePoint in Microsoft 365 | Microsoft Learn | learn.microsoft.com"
                  [7]: https://web.archive.org/web/20231104142343/https://docs.citrix.com/en-us/tech-zone/build/deployment-guides/microsoft-365-citrix.html "Deployment Guide: Microsoft 365 with Citrix Virtual Apps and Desktops | docs.citrix.com"
                call:
                  - function: DisableScheduledTask
                    parameters:
                      # Check: Get-ScheduledTask -TaskPath '\' -TaskName 'OneDrive Reporting Task-*'
                      taskPathPattern: \
                      taskNamePattern: OneDrive Reporting Task-*
                  - function: DisableScheduledTask
                    parameters:
                      # Check: Get-ScheduledTask -TaskPath '\' -TaskName 'OneDrive Standalone Update Task-*'
                      taskPathPattern: \
                      taskNamePattern: OneDrive Standalone Update Task-*
                  - function: DisableScheduledTask
                    parameters:
                      # Check: Get-ScheduledTask -TaskPath '\' -TaskName 'OneDrive Per-Machine Standalone Update'
                      taskPathPattern: \
                      taskNamePattern: OneDrive Per-Machine Standalone Update
              - name: Clear OneDrive environment variable
                recommend: strict
                docs: |-
                  Since Windows 10 1809, Microsoft has provided the `%OneDrive%` environment variable to reach OneDrive through an alias [1].
                  This variable is redundant when OneDrive is undesired.
                  This script deletes the `OneDrive` environment variable [2].
                  The `OneDrive` value at `HKCU\Environment` is found on both Windows 10 and Windows 11.
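                  The following is an added example, not part of this collection: a read-only report over the OneDrive persistence points that the scripts in this category act on (the `Run` entries `OneDrive` and `OneDriveSetup`, the `DisableFileSyncNGSC` policy, the `System.IsPinnedToNameSpaceTree` value on the OneDrive CLSID, the `OneDrive *` scheduled tasks, and the `OneDrive` environment variable), so you can confirm what the scripts changed or record the state before reverting. The function name `Get-OneDrivePersistenceState` and the "clean" expectations encoded in it are assumptions drawn from the documentation of those scripts; it changes nothing.

                  ```powershell
                  # Added example (not part of the privacy.sexy collection). Read-only audit of the
                  # OneDrive persistence points documented in this category.
                  function Get-OneDrivePersistenceState {
                      $runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
                      $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive'
                      $envKey    = 'HKCU:\Environment'
                      # CLSID documented above; HKCR has no default drive, so go through the Registry provider.
                      $clsidKey  = 'Registry::HKEY_CLASSES_ROOT\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}'

                      # Returns the value, or $null when the key or the value does not exist.
                      function Read-Value([string] $Path, [string] $Name) {
                          try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
                      }

                      # Scheduled tasks still enabled (the SID-suffixed names, plus the per-machine one if present).
                      $enabledTasks = @(Get-ScheduledTask -TaskPath '\' -TaskName 'OneDrive *' -ErrorAction SilentlyContinue |
                                        Where-Object { $_.State -ne 'Disabled' }).Count

                      # Each check pairs the current value with the condition the docs describe as the cleaned state.
                      $checks = @(
                          @{ Item = 'Run\OneDrive (startup)';            Value = Read-Value $runKey 'OneDrive';                        CleanWhen = { $null -eq $args[0] } },
                          @{ Item = 'Run\OneDriveSetup (reinstall)';     Value = Read-Value $runKey 'OneDriveSetup';                   CleanWhen = { $null -eq $args[0] } },
                          @{ Item = 'Policy DisableFileSyncNGSC';        Value = Read-Value $policyKey 'DisableFileSyncNGSC';          CleanWhen = { $args[0] -eq 1 } },
                          @{ Item = 'CLSID IsPinnedToNameSpaceTree';     Value = Read-Value $clsidKey 'System.IsPinnedToNameSpaceTree'; CleanWhen = { $args[0] -eq 0 } },
                          @{ Item = 'Enabled "OneDrive *" tasks';        Value = $enabledTasks;                                        CleanWhen = { $args[0] -eq 0 } },
                          @{ Item = 'Environment variable OneDrive';     Value = Read-Value $envKey 'OneDrive';                        CleanWhen = { $null -eq $args[0] } }
                      )

                      foreach ($check in $checks) {
                          [PSCustomObject]@{
                              Item    = $check.Item
                              Current = $check.Value
                              Clean   = [bool] (& $check.CleanWhen $check.Value)
                          }
                      }
                  }

                  Get-OneDrivePersistenceState | Format-Table -AutoSize
                  ```

                  `Current` shows the raw registry value or task count; `Clean` is true only when the value matches the state the corresponding script leaves behind, so a fresh machine shows mostly false and a fully applied machine mostly true. The CLSID check reads the 64-bit view only; the `Wow6432Node` copy is written by the same script and can be inspected the same way.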
                  [1]: https://web.archive.org/web/20240314091504/https://superuser.com/questions/1336521/determine-onedrive-synchronisation-folders/1397495#1397495 "Determine OneDrive synchronisation folders - Super User | superuser.com"
                  [2]: https://stackoverflow.com/questions/46744840/export-registry-value-to-file-and-then-set-a-variable-in-batch "Export registry value to file and then set a variable in Batch - Stack Overflow | stackoverflow.com"
                code: reg delete "HKCU\Environment" /v "OneDrive" /f 2>nul
          - category: Remove Edge
            docs: |-
              This category automates the uninstallation of Microsoft Edge (also known as "Chromium Edge" or "New Edge" [1]), the web browser that comes pre-installed with many versions of Windows.

              Microsoft Edge collects various types of data, some of which pertain to your browsing habits, such as the websites you visit, your search queries, and the data you enter into forms [2].
              Additionally, it tracks usage metrics and diagnostic data about your device and how the browser is functioning [2].
              These pieces of information could be used for targeted advertising or profiling.
              Removing Microsoft Edge ensures that it is not silently accumulating this data in the background, thereby improving your overall privacy.

              By default, Microsoft Edge doesn't allow uninstallation, and Microsoft has officially stated that Microsoft Edge cannot be uninstalled on Windows [3].
            [1]: https://en.wikipedia.org/w/index.php?title=Microsoft_Edge&oldid=1174053020#New_Edge_(2019%E2%80%93present) "Microsoft Edge - Wikipedia"
            [2]: https://web.archive.org/web/20230907002709/https://support.microsoft.com/en-us/microsoft-edge/learn-more-about-diagnostic-data-collection-in-microsoft-edge-7fcee15b-39f7-ba02-bc59-9eef622c1a9f "Learn more about diagnostic data collection in Microsoft Edge - Microsoft Support"
            [3]: https://web.archive.org/web/20230907002011/https://support.microsoft.com/en-us/microsoft-edge/why-can-t-i-uninstall-microsoft-edge-ee150b3b-7d7a-9984-6d83-eb36683d526d "Why can't I uninstall Microsoft Edge? - Microsoft Support"
          children:
            -
              name: Remove Edge through official installer
              docs: |-
                This script uninstalls Microsoft Edge using the official installer.
                It reliably uninstalls Microsoft Edge, even when direct removal is restricted by system settings.

                1. **Enable Uninstallation**: The script modifies a registry key to permit the uninstallation of Microsoft Edge.
                   This step is required because from version 116 onwards, Edge cannot be uninstalled without setting this registry key [1].
                2. **Mark Microsoft Edge (Legacy) as Installed**: It creates a placeholder file to simulate the presence of Microsoft Edge (Legacy).
                   This is necessary because newer versions of the Edge installer check for Legacy Edge before allowing uninstallation [2].
                3. **Run Uninstaller:** The script finds and runs the Microsoft Edge installer (`setup.exe`) for each version of the browser installed on the system.
                   This guarantees the complete removal of all Microsoft Edge versions from the system [1].

                **Note:** This script uses methods that are not officially documented but have been confirmed effective by community testing and support.
                [1]: https://archive.ph/2024.06.21-133029/https://github.com/undergroundwires/privacy.sexy/issues/236 "[BUG]: Edge Browser uninstall process no longer works · Issue #236 · undergroundwires/privacy.sexy | github.com"
                [2]: https://archive.ph/2024.06.21-133037/https://github.com/undergroundwires/privacy.sexy/issues/309 "[BUG]: Microsoft Edge still alive after removal · Issue #309 · undergroundwires/privacy.sexy"
              call:
                -
                  function: SetRegistryValue
                  parameters:
                    keyPath: HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdateDev
                    valueName: AllowUninstall
                    dataType: REG_DWORD
                    data: "1"
                    deleteOnRevert: 'true' # Missing key since Windows 10 21H2, Windows 11 21H2
                -
                  function: CreatePlaceholderFile
                  parameters:
                    placeholderFilePath: '%SYSTEMROOT%\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe'
                -
                  function: RunPowerShell
                  parameters:
                    codeComment: Uninstall running the official uninstaller
                    code: |-
                      # Each installed Edge version ships its own setup.exe under its version folder
                      $installers = (Get-ChildItem "$($env:ProgramFiles)*\Microsoft\Edge\Application\*\Installer\setup.exe")
                      if (!$installers) {
                        Write-Host 'Installer not found. Microsoft Edge may already be uninstalled.'
                      } else {
                        foreach ($installer in $installers) {
                          $uninstallerPath = $installer.FullName
                          if (-Not (Test-Path "$uninstallerPath")) {
                            Write-Host "Installer not found at `"$uninstallerPath`". Microsoft Edge may already be uninstalled."
                            continue
                          }
                          $installerArguments = @("--uninstall", "--system-level", "--verbose-logging", "--force-uninstall")
                          Write-Output "Uninstalling through uninstaller: $uninstallerPath"
                          $process = Start-Process -FilePath "$uninstallerPath" -ArgumentList $installerArguments -Wait -PassThru
                          if ($process.ExitCode -eq 0 -or $process.ExitCode -eq 19) {
                            Write-Host "Successfully uninstalled Edge."
                          } else {
                            Write-Error "Failed to uninstall, uninstaller failed with exit code $($process.ExitCode)."
                          }
                        }
                      }
                    revertCodeComment: Download and run the official installer
                    revertCode: |-
                      $edgeExePath = Get-ChildItem -Path "$($env:ProgramFiles)*\Microsoft\Edge\Application" -Filter 'msedge.exe' -Recurse
                      if ($edgeExePath) {
                        Write-Host 'Microsoft Edge is already installed. Skipping reinstallation.'
                        Exit 0
                      }
                      Write-Host 'Downloading Microsoft Edge...'
                      $edgeInstallerUrl = 'https://c2rsetup.officeapps.live.com/c2r/downloadEdge.aspx?platform=Default&Channel=Stable&language=en'
                      $downloadPath = "$($env:TEMP)\MicrosoftEdgeSetup.exe"
                      Invoke-WebRequest -Uri "$edgeInstallerUrl" -OutFile "$downloadPath"
                      $installerArguments = @('/install', '/silent')
                      Write-Host 'Installing Microsoft Edge...'
                      $process = Start-Process -FilePath "$downloadPath" -ArgumentList "$installerArguments" -Wait -PassThru
                      # Remove the downloaded installer regardless of the outcome
                      Remove-Item -Path $downloadPath -Force
                      if ($process.ExitCode -eq 0) {
                        Write-Host 'Successfully reinstalled Microsoft Edge.'
                      } else {
                        Write-Error "Failed to reinstall Microsoft Edge. Installer failed with exit code $($process.ExitCode)."
                      }
            -
              name: Remove Edge file and URL associations
              recommend: strict
              docs: |-
                This script disconnects file and URL associations related to the Microsoft Edge browser on your computer.
                When you uninstall Edge, these associations remain intact, leading to potential unexpected behaviors [1] and vulnerabilities when opening specific file types or URLs.
                The script is recommended for enhancing the stability and privacy of your system by avoiding unintentional interactions with these leftover settings.

                It particularly addresses associations found under specific registry keys:

                - `HKLM\SOFTWARE\Clients\StartMenuInternet\Microsoft Edge\Capabilities\FileAssociations`
                - `HKLM\SOFTWARE\Clients\StartMenuInternet\Microsoft Edge\Capabilities\URLAssociations`

                Note that not all of these associations are registered for Edge by the OS by default.
                Specifically, the removed associations have an `MSEdge` prefix, covering program IDs such as `MSEdgePDF` and `MSEdgeHTM` [2].
                Clearing these associations, which are not removed by the official Edge uninstaller, mitigates the risk of exposure to system vulnerabilities due to these lingering settings.
                Your system remains cleaner, more stable, and more private, ensuring a more secure user experience.

                [1]: https://github.com/undergroundwires/privacy.sexy/issues/64 "[BUG]: can't sign in again · Issue #64 · undergroundwires/privacy.sexy"
                [2]: https://web.archive.org/web/20231001221635/https://learn.microsoft.com/en-us/deployedge/edge-default-browser "Set Microsoft Edge as the default browser on Windows and macOS | Microsoft Learn"
              call:
                # Exclude:
                # - Cleanup of keys under `HKLM\SOFTWARE\Clients\StartMenuInternet` as default uninstaller already cleans it.
                -
                  function: RemoveBrowserAssociations
                  # Deleting Edge through uninstaller does not remove these (tested on Windows 11 22H2 and Windows 10 21H1 using Edge v115).
                  parameters:
                    progIdPattern: MSEdge* # MSEdgeHTM, MSEdgeMHT, MSEdgePDF
                    # List:
                    #   Get-Item -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts' | ForEach-Object { $_.Property } | Where-Object { $_ -Match 'MSEdge' }
                    toastAssociations: >-
                      MSEdgeHTM_.webp MSEdgeHTM_http MSEdgeHTM_https MSEdgeHTM_.htm MSEdgeHTM_ftp MSEdgeHTM_.xml MSEdgeHTM_.html
                      MSEdgePDF_.pdf MSEdgeHTM_.svg MSEdgeHTM_mailto MSEdgeHTM_read MSEdgeHTM_.mht MSEdgeMHT_.mht MSEdgeHTM_.mhtml
                      MSEdgeMHT_.mhtml MSEdgeHTM_.xhtml MSEdgeHTM_.xht
                -
                  function: RunInlineCode
                  # Remove association from "Open With" context menu.
                  # Deleting Edge through uninstaller does not remove these (tested on Windows 11 22H2 and Windows 10 21H1 using Edge v115).
                  # These associations can be found at HKLM\SOFTWARE\Clients\StartMenuInternet\Microsoft Edge\Capabilities\FileAssociations.
                  parameters:
                    code: |-
                      :: reg delete HKCR\{extension}\OpenWithProgIds\MSEdge{..}
                      :: Each item is "extension:ProgId"; the inner loop splits it on the colon into %%B (extension) and %%C (ProgId).
                      for %%A in (htm:MSEdgeHTM, html:MSEdgeHTM, shtml:MSEdgeHTM, pdf:MSEdgePDF, svg:MSEdgeHTM, xht:MSEdgeHTM, xhtml:MSEdgeHTM, webp:MSEdgeHTM, xml:MSEdgeHTM, mht:MSEdgeMHT, mhtml:MSEdgeMHT) do (
                        for /f "tokens=1,2 delims=:" %%B in ("%%A") do (
                          echo Removing OpenWith association for "%%C" from "%%B"...
                          reg delete "HKCR\.%%B\OpenWithProgIds" /v "%%C" /f 2>nul
                        )
                      )
                    revertCode: |-
                      :: Common defaults since Windows 10 21H2 and Windows 11 21H2
                      for %%A in (htm:MSEdgeHTM, html:MSEdgeHTM, shtml:MSEdgeHTM, pdf:MSEdgePDF, svg:MSEdgeHTM, xht:MSEdgeHTM, xhtml:MSEdgeHTM, webp:MSEdgeHTM, mht:MSEdgeMHT, mhtml:MSEdgeMHT) do (
                        for /f "tokens=1,2 delims=:" %%B in ("%%A") do (
                          echo Restoring OpenWith for ".%%B" to "%%C"...
                          reg add "HKCR\.%%B\OpenWithProgids" /v "%%C" /t REG_SZ /f
                        )
                      )
            -
              name: Remove Edge shortcuts
              docs: |-
                This script removes Microsoft Edge shortcuts from specific locations on your computer, enhancing the privacy and integrity of your system.

                When installed, Microsoft Edge places shortcuts in various locations on your computer.
                Even after uninstalling the Edge browser, some of these shortcuts may not be removed (tested on Edge ≥ v117).
                This script ensures the removal of these residual shortcuts.

                These shortcuts can serve as access points for malicious entities, potentially compromising your computer's security and privacy.
                By deleting these shortcuts, the script helps in reducing these vulnerabilities, thus contributing to a more secure and private computing environment.

                Besides contributing to privacy and security, removing these unused shortcuts also contributes to a cleaner and more organized computer system, providing an enhanced user experience.
                The script specifically targets and removes shortcuts from the following paths, which have been tested and verified to exist on default installations of Windows since Windows 10 22H2 and Windows 11 22H2:

                | Path | Windows 11 | Windows 10 |
                | ---- |:----------:|:----------:|
                | `%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk` | ✅ Exists | ✅ Exists |
                | `%APPDATA%\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk` | ✅ Exists | ✅ Exists |
                | `%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk` | ✅ Exists | ✅ Exists |
                | `%PUBLIC%\Desktop\Microsoft Edge.lnk` | ✅ Exists | ✅ Exists |
                | `%SYSTEMROOT%\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk` | ✅ Exists | ✅ Exists |
                | `%USERPROFILE%\Desktop\Microsoft Edge.lnk` | ❌ Missing | ❌ Missing |
              call:
                # Exclude:
                # - `DisableEdgeDesktopShortcutCreation` because it's highly documented and it does not really bring value since this script already deletes `Microsoft Edge.lnk` from public folder.
                function: RemoveShortcutFiles
                parameters:
                  targetFile: '%PROGRAMFILES(X86)%\Microsoft\Edge\Application\msedge.exe'
                  shortcutItems: |-
                    @{ Revert = $True;  Path = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk"; }
                    @{ Revert = $True;  Path = "$env:AppData\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk"; }
                    @{ Revert = $True;  Path = "$env:AppData\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk"; }
                    @{ Revert = $True;  Path = "$env:Public\Desktop\Microsoft Edge.lnk"; }
                    @{ Revert = $True;  Path = "$env:SystemRoot\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk"; }
                    @{ Revert = $False; Path = "$env:UserProfile\Desktop\Microsoft Edge.lnk"; }
    -
      category: Disable built-in Windows features
      children:
        -
          name: Disable "Direct Play" feature
          docs: |-
            ### Overview of default feature statuses

            | | |
            | ---- | --- |
            | **Feature name** | `DirectPlay` |
            | **Display name** | DirectPlay |
            | **Description** | Enables the installation of DirectPlay component. |
            | **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled |
            | **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled |
          call:
            function: DisableWindowsFeature
            parameters:
              featureName: DirectPlay # Get-WindowsOptionalFeature -FeatureName 'DirectPlay' -Online
              disabledByDefault: 'true'
        -
          name: Disable "Internet Explorer" feature
          docs: |-
            ### Overview of default feature statuses

            | | |
            | ---- | --- |
            | **Feature name** | `Internet-Explorer-Optional-amd64`, `Internet-Explorer-Optional-x84`, `Internet-Explorer-Optional-x64` |
            | **Display name** | Internet Explorer 11 |
            | **Description** | Finds and displays information and Web sites on the Internet.
| | **Default** (Windows 11 ≥ 23H2) | 🟡 Missing | | **Default** (Windows 10 ≥ 22H2) | 🟢 Enabled (or 🟡 Missing based on architecture) | call: - function: DisableWindowsFeature parameters: featureName: Internet-Explorer-Optional-x64 # Get-WindowsOptionalFeature -FeatureName 'Internet-Explorer-Optional-x64' -Online ignoreMissingOnRevert: 'true' - function: DisableWindowsFeature parameters: featureName: Internet-Explorer-Optional-x84 # Get-WindowsOptionalFeature -FeatureName 'Internet-Explorer-Optional-x84' -Online ignoreMissingOnRevert: 'true' - function: DisableWindowsFeature parameters: featureName: Internet-Explorer-Optional-amd64 # Get-WindowsOptionalFeature -FeatureName 'Internet-Explorer-Optional-amd64' -Online ignoreMissingOnRevert: 'true' - name: Disable "Legacy Components" feature docs: |- ### Overview of default feature statuses | | | | ---- | --- | | **Feature name** | `LegacyComponents` | | **Display name** | Legacy Components | | **Description** | Controls legacy components in Windows. | | **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled | | **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled | call: function: DisableWindowsFeature parameters: featureName: LegacyComponents # Get-WindowsOptionalFeature -FeatureName 'LegacyComponents' -Online disabledByDefault: 'true' - category: Disable Hyper-V virtualization features children: - name: Disable "Hyper-V" feature docs: |- ### Overview of default feature statuses | | | | ---- | --- | | **Feature name** | `Microsoft-Hyper-V-All` | | **Display name** | Hyper-V | | **Description** | Provides services and management tools for creating and running virtual machines and their resources. 
| | **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled | | **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled | call: function: DisableWindowsFeature parameters: featureName: Microsoft-Hyper-V-All # Get-WindowsOptionalFeature -FeatureName 'Microsoft-Hyper-V-All' -Online disabledByDefault: 'true' - name: Disable "Hyper-V GUI Management Tools" feature docs: |- ### Overview of default feature statuses | | | | ---- | --- | | **Feature name** | `Microsoft-Hyper-V-Management-Clients` | | **Display name** | Hyper-V GUI Management Tools | | **Description** | Includes the Hyper-V Manager snap-in and Virtual Machine Connection tool. | | **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled | | **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled | call: function: DisableWindowsFeature parameters: featureName: Microsoft-Hyper-V-Management-Clients # Get-WindowsOptionalFeature -FeatureName 'Microsoft-Hyper-V-Management-Clients' -Online disabledByDefault: 'true' - name: Disable "Hyper-V Management Tools" feature docs: |- ### Overview of default feature statuses | | | | ---- | --- | | **Feature name** | `Microsoft-Hyper-V-Tools-All` | | **Display name** | Hyper-V Management Tools | | **Description** | Includes GUI and command-line tools for managing Hyper-V. | | **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled | | **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled | call: function: DisableWindowsFeature parameters: featureName: Microsoft-Hyper-V-Tools-All # Get-WindowsOptionalFeature -FeatureName 'Microsoft-Hyper-V-Tools-All' -Online disabledByDefault: 'true' # Default: Disabled (tested: Windows 10 22H2, Windows 11 23H2) - name: Disable "Hyper-V Module for Windows PowerShell" feature docs: |- ### Overview of default feature statuses | | | | ---- | --- | | **Feature name** | `Microsoft-Hyper-V-Management-PowerShell` | | **Display name** | Hyper-V Module for Windows PowerShell | | **Description** | Includes Windows PowerShell cmdlets for managing Hyper-V. 
| | **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled | | **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled | call: function: DisableWindowsFeature parameters: featureName: Microsoft-Hyper-V-Management-PowerShell # Get-WindowsOptionalFeature -FeatureName 'Microsoft-Hyper-V-Management-PowerShell' -Online disabledByDefault: 'true' - category: Disable printing features children: - category: Disable printer networking children: - name: Disable "Internet Printing Client" feature docs: |- ### Overview of default feature statuses | | | | ---- | --- | | **Feature name** | `Printing-Foundation-InternetPrinting-Client` | | **Display name** | Internet Printing Client | | **Description** | Enables clients to use HTTP to connect to printers on Web print servers | | **Default** (Windows 11 ≥ 23H2) | 🟢 Enabled | | **Default** (Windows 10 ≥ 22H2) | 🟢 Enabled | call: function: DisableWindowsFeature parameters: featureName: Printing-Foundation-InternetPrinting-Client # Get-WindowsOptionalFeature -FeatureName 'Printing-Foundation-InternetPrinting-Client' -Online - name: Disable "LPD Print Service" feature docs: |- ### Overview of default feature statuses | | | | ---- | --- | | **Feature name** | `Printing-Foundation-LPDPrintService` | | **Display name** | LPD Print Service | | **Description** | Makes your Windows computer work as a Line Printer Daemon (LPD) and Remote Line Printer client | | **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled | | **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled | call: function: DisableWindowsFeature parameters: featureName: Printing-Foundation-LPDPrintService # Get-WindowsOptionalFeature -FeatureName 'Printing-Foundation-LPDPrintService' -Online disabledByDefault: 'true' - name: Disable "LPR Port Monitor" feature docs: |- ### Overview of default feature statuses | | | | ---- | --- | | **Feature name** | `Printing-Foundation-LPRPortMonitor` | | **Display name** | LPR Port Monitor | | **Description** | Enables clients to print to TCP/IP printers connected to a Unix (or 
VAX) server | | **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled | | **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled | call: function: DisableWindowsFeature parameters: featureName: Printing-Foundation-LPRPortMonitor # Get-WindowsOptionalFeature -FeatureName 'Printing-Foundation-LPRPortMonitor' -Online disabledByDefault: 'true' - name: Disable "Microsoft Print to PDF" feature docs: |- ### Overview of default feature statuses | | | | ---- | --- | | **Feature name** | `Printing-PrintToPDFServices-Features` | | **Display name** | Microsoft Print to PDF | | **Description** | Provides binaries on the system for creating the Microsoft Print to PDF Print Queue | | **Default** (Windows 11 ≥ 23H2) | 🟢 Enabled | | **Default** (Windows 10 ≥ 22H2) | 🟢 Enabled | call: function: DisableWindowsFeature parameters: featureName: Printing-PrintToPDFServices-Features # Get-WindowsOptionalFeature -FeatureName 'Printing-PrintToPDFServices-Features' -Online - name: Disable "Print and Document Services" feature docs: |- ### Overview of default feature statuses | | | | ---- | --- | | **Feature name** | `Printing-Foundation-Features` | | **Display name** | Print and Document Services | | **Description** | Enable print, fax, and scan tasks on this computer | | **Default** (Windows 11 ≥ 23H2) | 🟢 Enabled | | **Default** (Windows 10 ≥ 22H2) | 🟢 Enabled | call: function: DisableWindowsFeature parameters: featureName: Printing-Foundation-Features # Get-WindowsOptionalFeature -FeatureName 'Printing-Foundation-Features' -Online - name: Disable "Work Folders Client" feature docs: |- See: [Work Folders overview | Microsoft Learn | learn.microsoft.com](https://web.archive.org/web/20240314102358/https://learn.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview) ### Overview of default feature statuses | | | | ---- | --- | | **Feature name** | `WorkFolders-Client` | | **Display name** | Work Folders Client | | **Description** | Allows file synchronization with a configured file 
server. | | **Default** (Windows 11 ≥ 23H2) | 🟢 Enabled | | **Default** (Windows 10 ≥ 22H2) | 🟢 Enabled | call: function: DisableWindowsFeature parameters: featureName: WorkFolders-Client # Get-WindowsOptionalFeature -FeatureName 'WorkFolders-Client' -Online - category: Disable XPS support features children: - name: Disable "Microsoft XPS Document Writer" feature docs: |- ### Overview of default feature statuses | | | | ---- | --- | | **Feature name** | `Printing-XPSServices-Features` | | **Display name** | Microsoft XPS Document Writer | | **Description** | Provides binaries on the system for creating the XPS Document Writer Print Queue. | | **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled | | **Default** (Windows 10 ≥ 22H2) | 🟢 Enabled | call: function: DisableWindowsFeature parameters: featureName: Printing-XPSServices-Features # Get-WindowsOptionalFeature -FeatureName 'Printing-XPSServices-Features' -Online disabledByDefault: 'true' - name: Disable "XPS Viewer" feature recommend: standard # Deprecated and missing on modern versions of Windows docs: |- This feature has been part of older versions on Windows [1]. ### Overview of default feature statuses | | | | ---- | --- | | **Feature name** | `Xps-Foundation-Xps-Viewer` | | **Display name** | XPS Viewer | | **Description** | Allows you to read, copy, print, sign, and set permissions for XPS documents. 
| | **Default** (Windows 11 ≥ 23H2) | 🟡 Missing | | **Default** (Windows 10 ≥ 22H2) | 🟡 Missing | [1]: "Unattended Windows Setup Reference | systemscenter.ru" https://web.archive.org/web/20240406125031/https://systemscenter.ru/unattend.en/index.html?page=html%2Fdb43485b-ffad-476f-9b22-97bde41ceb47.htm call: function: DisableWindowsFeature parameters: featureName: Xps-Foundation-Xps-Viewer # Get-WindowsOptionalFeature -FeatureName 'Xps-Foundation-Xps-Viewer' -Online ignoreMissingOnRevert: 'true' - name: Disable "Media Features" feature docs: |- ### Overview of default feature statuses | | | | ---- | --- | | **Feature name** | `MediaPlayback` | | **Display name** | Media Features | | **Description** | Controls media features such as Windows Media Player. | | **Default** (Windows 11 ≥ 23H2) | 🟢 Enabled | | **Default** (Windows 10 ≥ 22H2) | 🟢 Enabled | call: function: DisableWindowsFeature parameters: featureName: MediaPlayback # Get-WindowsOptionalFeature -FeatureName 'MediaPlayback' -Online - name: Disable "Scan Management" feature recommend: standard # Deprecated and missing on modern versions of Windows docs: |- This feature has been part of older versions on Windows [1]. ### Overview of default feature statuses | | | | ---- | --- | | **Feature name** | `ScanManagementConsole` | | **Display name** | Scan Management | | **Description** | Manages distributed scanners, scan processes, and scan servers. 
| | **Default** (Windows 11 ≥ 23H2) | 🟡 Missing | | **Default** (Windows 10 ≥ 22H2) | 🟡 Missing | [1]: "Unattended Windows Setup Reference | systemscenter.ru" https://web.archive.org/web/20240406125031/https://systemscenter.ru/unattend.en/index.html?page=html%2Fdb43485b-ffad-476f-9b22-97bde41ceb47.htm call: function: DisableWindowsFeature parameters: featureName: ScanManagementConsole # Get-WindowsOptionalFeature -FeatureName 'ScanManagementConsole' -Online ignoreMissingOnRevert: 'true' - name: Disable "Windows Fax and Scan" feature recommend: standard # Deprecated and missing on modern versions of Windows docs: |- This feature has been part of older versions on Windows [1]. ### Overview of default feature statuses | | | | ---- | --- | | **Feature name** | `FaxServicesClientPackage` | | **Display name** | Windows Fax and Scan | | **Description** | Enable fax and scan tasks on this computer | | **Default** (Windows 11 ≥ 23H2) | 🟡 Missing | | **Default** (Windows 10 ≥ 22H2) | 🟡 Missing | [1]: "Unattended Windows Setup Reference | systemscenter.ru" https://web.archive.org/web/20240406125031/https://systemscenter.ru/unattend.en/index.html?page=html%2Fdb43485b-ffad-476f-9b22-97bde41ceb47.htm call: function: DisableWindowsFeature parameters: featureName: FaxServicesClientPackage # Get-WindowsOptionalFeature -FeatureName 'FaxServicesClientPackage' -Online ignoreMissingOnRevert: 'true' - name: Disable "Windows Media Player" feature docs: |- ### Overview of default feature statuses | | | | ---- | --- | | **Feature name** | `WindowsMediaPlayer` | | **Display name** | Windows Media Player | | **Description** | Windows Media Player | | **Default** (Windows 11 ≥ 23H2) | 🟢 Enabled | | **Default** (Windows 10 ≥ 22H2) | 🟢 Enabled | call: function: DisableWindowsFeature parameters: featureName: WindowsMediaPlayer # Get-WindowsOptionalFeature -FeatureName 'WindowsMediaPlayer' -Online - name: Disable "Windows Search" feature docs: |- ### Overview of default feature statuses | | | | 
---- | --- | | **Feature name** | `SearchEngine-Client-Package` | | **Display name** | Windows Search | | **Description** | Provides content indexing, property caching, and search results for files, e-mail, and other content. | | **Default** (Windows 11 ≥ 23H2) | 🟢 Enabled | | **Default** (Windows 10 ≥ 22H2) | 🟢 Enabled | call: function: DisableWindowsFeature parameters: featureName: SearchEngine-Client-Package # Get-WindowsOptionalFeature -FeatureName 'SearchEngine-Client-Package' -Online - category: Remove on-demand capabilities and features docs: https://web.archive.org/web/20240314062310/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod?view=windows-11#fods-that-are-not-preinstalled-but-may-need-to-be-preinstalled children: - category: Remove preinstalled features on demand children: - name: Remove "DirectX Configuration Database" capability call: function: UninstallCapability parameters: capabilityName: DirectX.Configuration.Database - name: Remove "Internet Explorer 11" capability call: function: UninstallCapability parameters: capabilityName: Browser.InternetExplorer - name: Remove "Math Recognizer" capability call: function: UninstallCapability parameters: capabilityName: MathRecognizer - name: Remove "OneSync" capability (breaks Mail, People, and Calendar) recommend: strict docs: https://web.archive.org/web/20240314062310/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod?view=windows-11#onesync call: function: UninstallCapability parameters: capabilityName: OneCoreUAP.OneSync - name: Remove "OpenSSH client" capability call: function: UninstallCapability parameters: capabilityName: OpenSSH.Client - name: Remove "PowerShell ISE" capability call: function: UninstallCapability parameters: capabilityName: Microsoft.Windows.PowerShell.ISE - name: Remove "Print Management Console" capability call: function: UninstallCapability parameters: 
capabilityName: Print.Management.Console - name: Remove "Quick Assist" capability call: function: UninstallCapability parameters: capabilityName: App.Support.QuickAssist - name: Remove "Steps Recorder" capability call: function: UninstallCapability parameters: capabilityName: App.StepsRecorder - name: Remove "Windows Fax and Scan" capability call: function: UninstallCapability parameters: capabilityName: Print.Fax.Scan # Following are excluded because: # 1. They are not widely considered as "bloatware" as the community # 2. Do not have known privacy issues # 3. Make Windows more functional when running all scripts # - # name: Remove "WordPad" capability # call: # function: UninstallCapability # parameters: # capabilityName: Microsoft.Windows.WordPad # - # name: Remove "Paint" capability # call: # function: UninstallCapability # parameters: # capabilityName: Microsoft.Windows.MSPaint # - # name: Remove "Notepad" capability # call: # function: UninstallCapability # parameters: # capabilityName: Microsoft.Windows.Notepad - category: Remove not preinstalled features on demand children: - name: Remove ".NET Framework" capability call: function: UninstallCapability parameters: capabilityName: NetFX3 - name: Remove "Mixed Reality" capability call: function: UninstallCapability parameters: capabilityName: Analog.Holographic.Desktop - name: Remove "Wireless Display" capability call: function: UninstallCapability parameters: capabilityName: App.WirelessDisplay.Connect - name: Remove "Accessibility - Braille Support" capability call: function: UninstallCapability parameters: capabilityName: Accessibility.Braille - name: Remove "Developer Mode" capability call: function: UninstallCapability parameters: capabilityName: Tools.DeveloperMode.Core - name: Remove "Graphics Tools" capability call: function: UninstallCapability parameters: capabilityName: Tools.Graphics.DirectX - name: Remove "IrDA" capability call: function: UninstallCapability parameters: capabilityName: 
                capabilityName: Network.Irda
          - name: Remove "Microsoft WebDriver" capability
            call:
              function: UninstallCapability
              parameters:
                capabilityName: Microsoft.WebDriver
          - name: Remove "MSIX Packaging Tool Driver" capability
            call:
              function: UninstallCapability
              parameters:
                capabilityName: Msix.PackagingTool.Driver
          - name: Remove "OpenSSH Server" capability
            call:
              function: UninstallCapability
              parameters:
                capabilityName: OpenSSH.Server
          - category: Remove printing capabilities
            children:
              - name: Remove "Enterprise Cloud Print" capability
                call:
                  function: UninstallCapability
                  parameters:
                    capabilityName: Print.EnterpriseCloudPrint
              - name: Remove "Mopria Cloud Service" capability
                call:
                  function: UninstallCapability
                  parameters:
                    capabilityName: Print.MopriaCloudService
          - category: Remove Remote Server Administration Tools (RSAT)
            children:
              - name: Remove "Active Directory Domain Services and Lightweight Directory Services Tools" capability
                call:
                  function: UninstallCapability
                  parameters:
                    capabilityName: Rsat.ActiveDirectory.DS-LDS.Tools
              - name: Remove "BitLocker Drive Encryption Administration Utilities" capability
                call:
                  function: UninstallCapability
                  parameters:
                    capabilityName: Rsat.BitLocker.Recovery.Tools
              - name: Remove "Active Directory Certificate Services Tools" capability
                call:
                  function: UninstallCapability
                  parameters:
                    capabilityName: Rsat.CertificateServices.Tools
              - name: Remove "DHCP Server Tools" capability
                call:
                  function: UninstallCapability
                  parameters:
                    capabilityName: Rsat.DHCP.Tools
              - name: Remove "DNS Server Tools" capability
                call:
                  function: UninstallCapability
                  parameters:
                    capabilityName: Rsat.Dns.Tools
              - name: Remove "Failover Clustering Tools" capability
                call:
                  function: UninstallCapability
                  parameters:
                    capabilityName: Rsat.FailoverCluster.Management.Tools
              - name: Remove "File Services Tools" capability
                call:
                  function: UninstallCapability
                  parameters:
                    capabilityName: Rsat.FileServices.Tools
              - name: Remove "Group Policy Management Tools" capability
                call:
                  function: UninstallCapability
                  parameters:
                    capabilityName: Rsat.GroupPolicy.Management.Tools
              - name: Remove "IP Address Management (IPAM) Client" capability
                call:
                  function: UninstallCapability
                  parameters:
                    capabilityName: Rsat.IPAM.Client.Tools
              - name: Remove "Data Center Bridging LLDP Tools" capability
                call:
                  function: UninstallCapability
                  parameters:
                    capabilityName: Rsat.LLDP.Tools
              - name: Remove "Network Controller Management Tools" capability
                call:
                  function: UninstallCapability
                  parameters:
                    capabilityName: Rsat.NetworkController.Tools
              - name: Remove "Network Load Balancing Tools" capability
                call:
                  function: UninstallCapability
                  parameters:
                    capabilityName: Rsat.NetworkLoadBalancing.Tools
              - name: Remove "Remote Access Management Tools" capability
                call:
                  function: UninstallCapability
                  parameters:
                    capabilityName: Rsat.RemoteAccess.Management.Tools
              - name: Remove "Server Manager Tools" capability
                call:
                  function: UninstallCapability
                  parameters:
                    capabilityName: Rsat.ServerManager.Tools
              - name: Remove "Shielded VM Tools" capability
                call:
                  function: UninstallCapability
                  parameters:
                    capabilityName: Rsat.Shielded.VM.Tools
              - name: Remove "Storage Replica Module for Windows PowerShell" capability
                call:
                  function: UninstallCapability
                  parameters:
                    capabilityName: Rsat.StorageReplica.Tools
              - name: Remove "Volume Activation Tools" capability
                call:
                  function: UninstallCapability
                  parameters:
                    capabilityName: Rsat.VolumeActivation.Tools
              - name: Remove "Windows Server Update Services Tools" capability
                call:
                  function: UninstallCapability
                  parameters:
                    capabilityName: Rsat.WSUS.Tools
              - name: Remove "Storage Migration Service Management Tools" capability
                call:
                  function: UninstallCapability
                  parameters:
                    capabilityName: Rsat.StorageMigrationService.Management.Tools
              - name: Remove "Systems Insights Module for Windows PowerShell" capability
                call:
                  function: UninstallCapability
                  parameters:
                    capabilityName: Rsat.SystemInsights.Management.Tools
          - category: Remove storage capabilities
            children:
              - name: Remove "Windows Storage Management" capability
                call:
                  function: UninstallCapability
                  parameters:
                    capabilityName: Microsoft.Windows.StorageManagement
              - name: Remove "OneCore Storage Management" capability
                call:
                  function: UninstallCapability
                  parameters:
                    capabilityName: Microsoft.OneCore.StorageManagement
          - name: Remove "Windows Emergency Management Services and Serial Console" capability
            call:
              function: UninstallCapability
              parameters:
                capabilityName: Windows.Desktop.EMS-SAC.Tools
          - name: Remove "XPS Viewer" capability
            call:
              function: UninstallCapability
              parameters:
                capabilityName: XPS.Viewer
      - category: Remove Widgets
        docs: |-
          Windows 11 adds a new taskbar flyout named "Widgets", which displays a panel with Microsoft Start, a news aggregator with personalized stories and content (expanding upon the "news and interests" panel introduced in later builds of Windows 10) [1].
          It is a rebranding/future version of the older "Windows 10 News and Interests" feature [2].
          The user can customize the panel by adding or removing widgets, rearranging, resizing, and personalizing the content [1].

          It has privacy implications as it collects data about your usage of the computer, such as diagnostics data [3].

          [1]: https://web.archive.org/web/20240314091958/https://en.wikipedia.org/wiki/Features_new_to_Windows_11#Windows_shell "Features new to Windows 11 | Wikipedia"
          [2]: https://www.bleepingcomputer.com/news/microsoft/windows-10-news-and-interests-enabled-for-everyone-in-latest-update/ "Windows 10 News and Interests enabled for everyone in latest update | Bleeping Computer"
          [3]: https://support.microsoft.com/en-us/windows/stay-up-to-date-with-widgets-7ba79aaa-dac6-4687-b460-ad16a06be6e4 "What data does Microsoft collect? | Widgets | Microsoft"
        children:
          - name: Remove "Widgets" from taskbar
            recommend: strict
            docs: |-
              To control whether the Widgets button is visible on the taskbar, Microsoft introduced the `TaskbarDa` registry value [1].

              Possible `DWORD` 32-bit settings for the `TaskbarDa` value are [1] [2]:

              1. 0 = Hidden
              2. 1 = Visible

              This registry key does not exist in Windows 11 installations by default.

              [1]: https://web.archive.org/web/20231206213443/https://www.elevenforum.com/t/add-or-remove-widgets-button-on-taskbar-in-windows-11.32/ "Add or Remove Widgets Button on Taskbar in Windows 11 | Windows Eleven Forum"
              [2]: https://www.bleepingcomputer.com/news/microsoft/new-windows-11-registry-hacks-to-customize-your-device/ "New Windows 11 registry hacks to customize your device | Bleeping Computer"
            call:
              - function: SetRegistryValue
                parameters:
                  keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
                  valueName: TaskbarDa
                  dataType: REG_DWORD
                  data: "0"
                  deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
              - function: ShowExplorerRestartSuggestion
          - name: Remove "Windows Web Experience Pack" (breaks Widgets)
            recommend: strict
            docs: |-
              This script removes the "Windows Web Experience Pack" app.
              This app is responsible for enabling the Widgets feature [1].
              Widgets are mini-programs that provide information and easy access to frequently used functions.
              The app is not essential, and its removal does not impact other functionalities of the operating system, provided you do not intend to use Widgets.

              The "Windows Web Experience Pack" app collects diagnostic data, and the individual widgets it enables might also gather user data [2].
              By removing this app, you also detach yourself from the necessity to agree to Microsoft's general privacy terms [3].
              This agreement allows Microsoft to collect your personal data [3].
              You can view these terms at the [Microsoft Privacy Statement](https://web.archive.org/web/20231006103250/https://privacy.microsoft.com/en-US/privacystatement).

              For additional information, you can visit the [Microsoft Store Page](https://archive.ph/2023.11.01-233200/https://apps.microsoft.com/detail/windows-web-experience-pack/9MSSGKG348SP?hl=en-us&gl=US).

              ### Overview of default preinstallation

              | OS         | Version | Existence |
              | ---------- |:-------:|:---------:|
              | Windows 10 | 19H2    | ❌        |
              | Windows 10 | 20H2    | ❌        |
              | Windows 10 | 21H2    | ❌        |
              | Windows 10 | 22H2    | ❌        |
              | Windows 11 | 21H2    | ✅        |
              | Windows 11 | 22H2    | ✅        |
              | Windows 11 | 23H2    | ✅        |

              [1]: https://web.archive.org/web/20231101233028/https://support.microsoft.com/en-us/windows/how-to-update-the-windows-web-experience-pack-in-the-microsoft-store-a16c9bf1-f042-4dc9-a523-740cca1e1e60 "How to update the Windows Web Experience Pack in the Microsoft Store | support.microsoft.com"
              [2]: https://archive.ph/2023.11.01-233200/https://apps.microsoft.com/detail/windows-web-experience-pack/9MSSGKG348SP?hl=en-us&gl=US "Windows Web Experience Pack - Microsoft Store Apps | apps.microsoft.com/store"
              [3]: https://web.archive.org/web/20231101233034/https://support.microsoft.com/en-us/windows/stay-up-to-date-with-widgets-7ba79aaa-dac6-4687-b460-ad16a06be6e4 "Stay up to date with widgets | support.microsoft.com"
            call:
              function: UninstallStoreApp
              parameters:
                packageName: MicrosoftWindows.Client.WebExperience # Get-AppxPackage MicrosoftWindows.Client.WebExperience
                publisherId: cw5n1h2txyewy
          - name: Remove "Meet Now" icon from taskbar
            recommend: strict
            docs: # Skype feature, introduced in 20H2, KB4580364 update
              - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.TaskBar2::HideSCAMeetNow
              - https://www.windowscentral.com/how-disable-meet-now-feature-windows-10
            call:
              function: SetRegistryValue
              parameters:
                keyPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                valueName: HideSCAMeetNow
                dataType: REG_DWORD
                data: '1'
                deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
      - category: Remove Windows Copilot
        docs: |-
          This category includes scripts to disable or remove the Windows Copilot feature.

          "Windows Copilot" is also known as "Copilot in Windows" [1] [2] [3].
          Windows Copilot is an AI assistant within Windows [1] [2].
          It helps with a wide range of tasks, like adjusting system settings [1] [2].
          It can deliver web results [1], supports generating creative content, like images [1] [2], and provides personalized suggestions based on user data analysis [2].

          While these features enhance the user experience, they raise privacy concerns due to the extensive personal data access and processing involved, including user files [4], keyboard and voice inputs [3], and browser history [3].
          Such data is transmitted to Microsoft's servers [3].
          Transmitting this data to Microsoft poses potential privacy and security risks.
          Moreover, Copilot's susceptibility to attacks like prompt engineering underlines its security risks [5].
          More about security vulnerabilities: [Attacks on language models](https://erkinekici.com/articles/attacks-on-language-models/).

          Removing Windows Copilot reduces privacy and security risks, improves system performance, and simplifies the user interface.
          [1]: https://web.archive.org/web/20240122063553/https://www.microsoft.com/en-us/windows/copilot-ai-features "Copilot in Windows & Other AI-Powered Features | Microsoft | www.microsoft.com"
          [2]: https://web.archive.org/web/20240122063357/https://support.microsoft.com/en-us/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0 "Welcome to Copilot in Windows - Microsoft Support | support.microsoft.com"
          [3]: https://web.archive.org/web/20240122063412/https://support.microsoft.com/en-us/windows/copilot-in-windows-your-data-and-privacy-3e265e82-fc76-4d0a-afc0-4a0de528b73a "Copilot in Windows: Your data and privacy - Microsoft Support | support.microsoft.com"
          [4]: https://web.archive.org/web/20240122063447/https://concentric.ai/too-much-access-microsoft-copilot-data-risks-explained/ "2023 Microsoft Copilot Data Risks Explained | Concentric AI | concentric.ai"
          [5]: https://erkinekici.com/articles/attacks-on-language-models/ "Attacks on language models :: Erkin Ekici | erkinekici.com"
        children:
          - name: Disable Copilot feature
            recommend: strict
            docs: |-
              This script deactivates the Windows Copilot feature, enhancing user privacy and potentially improving system performance.

              By default, Copilot is enabled and appears on the taskbar when available [1] [2].
              Disabling Windows Copilot prevents it from appearing on the taskbar and stops it from functioning [1] [2].
              This action is useful for users who prioritize privacy and system performance, as it eliminates a potential channel for data sharing with Microsoft servers and reduces exposure to attacks on language models [3].
              Read more: [Attacks on language models](https://erkinekici.com/articles/attacks-on-language-models/).

              The script operates by modifying two registry keys:

              - `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot!TurnOffWindowsCopilot`:
                This key disables Copilot for all users on the device [2] [4].
              - `HKCU\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot!TurnOffWindowsCopilot`:
                This key disables Copilot for the current user [1] [4].

              To fully disable Copilot, both machine-level (`HKLM`) and user-level (`HKCU`) settings might need adjustment, given reports that `HKLM` alone is inadequate [4].

              This script turns off Copilot, enhancing privacy by preventing data collection and transmission, and improving security by reducing the risk of language model attacks [3].

              [1]: https://web.archive.org/web/20240122064120/https://learn.microsoft.com/en-us/windows/client-management/manage-windows-copilot "Manage Copilot in Windows - Windows Client Management | Microsoft Learn | learn.microsoft.com"
              [2]: https://web.archive.org/web/20240522162728/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot "WindowsAI Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
              [3]: https://erkinekici.com/articles/attacks-on-language-models/ "Attacks on language models :: Erkin Ekici | erkinekici.com"
              [4]: https://web.archive.org/web/20240122064046/https://www.elevenforum.com/t/enable-or-disable-windows-copilot-in-windows-11.17045/ "Enable or Disable Windows Copilot in Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com"
            call:
              - function: SetRegistryValue
                parameters:
                  keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot
                  valueName: TurnOffWindowsCopilot
                  dataType: REG_DWORD
                  data: "1"
                  deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
              - function: SetRegistryValue
                parameters:
                  keyPath: HKCU\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot
                  valueName: TurnOffWindowsCopilot
                  dataType: REG_DWORD
                  data: "1"
                  deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
          - name: Disable Copilot access
            recommend: strict
            docs: |-
              This script disables Copilot access on your computer, enhancing your privacy.
              It prevents the Copilot feature from activating or being suggested for use locally [1] [2].

              When activated, Copilot can access and process a vast array of personal data, potentially leading to privacy concerns.
              By setting your local user's eligibility status to "ineligible", this script effectively removes the possibility of Copilot being automatically offered or activated on your system.

              It works by adjusting the `HKCU\Software\Microsoft\Windows\Shell\Copilot\BingChat!IsUserEligible` registry key [1] [2] [3].
              Typically, this key may be modified by Microsoft based on your account activity [3].
              However, running this script will override such adjustments, maintaining your privacy preference and potentially enhancing system performance by disabling background services.

              Please restart your computer after applying this script to activate changes [2] [3].
              If reverting, relog into your Microsoft account to reset settings [3].

              [1]: https://web.archive.org/web/20240122065339/https://itstechbased.com/how-to-enable-new-copilot-ai-in-windows-11-22631-2262-beta/ "How to Enable New Copilot AI in Windows 11 22631.2262 (Beta) - Tech Based | itstechbased.com"
              [2]: https://web.archive.org/web/20240122065302/https://betawiki.net/wiki/Windows_10_build_19045.3754 "Windows 10 build 19045.3754 - BetaWiki | betawiki.net"
              [3]: https://web.archive.org/web/20240122065316/https://www.neowin.net/guides/how-to-enable-copilot-in-windows-10/ "How to enable Copilot in Windows 10 - Neowin | www.neowin.net"
            call:
              - function: SetRegistryValue
                parameters:
                  keyPath: HKCU\Software\Microsoft\Windows\Shell\Copilot\BingChat
                  valueName: IsUserEligible
                  dataType: REG_DWORD
                  data: "0"
                  deleteOnRevert: 'true' # Default value for this key varies, seen as `0` on some Windows 11 22H3, key does not exist on some Windows 10 22H2
              - function: ShowComputerRestartSuggestion
          - name: Disable Copilot auto-launch on start
            recommend: strict
            docs: |-
              This script stops the Copilot feature from automatically starting up with Windows, providing a more controlled and resource-efficient computing experience.

              With the release of Windows 11 builds 25992 (Canary) and 23615 (Dev), users encountered a new functionality that would auto-launch Copilot on wider screens [1] [2] [3].
              This script modifies the `HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings!AutoOpenCopilotLargeScreens` registry key to configure this setting [1] [2].

              This script ensures Copilot stays inactive at startup, activating only when the user initiates it manually.
              This change not only respects user preference but also frees up system resources that would otherwise be consumed by this feature, potentially leading to faster startup times and better overall performance.

              [1]: https://web.archive.org/web/20240122071219/https://www.elevenforum.com/t/enable-or-disable-open-copilot-at-startup-in-windows-11.19626/ "Enable or Disable Open Copilot at Startup in Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com"
              [2]: https://web.archive.org/web/20240122071337/https://blogs.windows.com/windows-insider/2024/01/11/announcing-windows-11-insider-preview-build-23615-dev-channel/ "Announcing Windows 11 Insider Preview Build 23615 (Dev Channel) | Windows Insider Blog | blogs.windows.com"
              [3]: https://web.archive.org/web/20240122071352/https://geekrewind.com/how-to-turn-open-copilot-when-windows-starts-on-or-off-in-windows-11/ "How to Turn “Open Copilot when Windows Starts” On or Off in Windows 11 - Geek Rewind | geekrewind.com"
            call:
              function: SetRegistryValue
              parameters:
                keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings
                valueName: AutoOpenCopilotLargeScreens
                dataType: REG_DWORD
                data: "0"
                deleteOnRevert: 'true' # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3)
          - name: Remove "Copilot" icon from taskbar
            recommend: strict
            docs: |-
              This script removes the Copilot icon from the taskbar.

              Windows added a taskbar button enabled by default to launch Windows Copilot [1].
              This feature was introduced with the Windows 11 22H2 Moments 4 update [2] [3].

              The script configures the `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced!ShowCopilotButton` registry key [3] [4].
              This script will turn off the Copilot button in the Settings app of Windows 11, which will hide or remove the Copilot icon from the taskbar [4].

              Disabling the Copilot button won't uninstall the feature but will hide the icon from the taskbar, simplifying the user interface and reducing distractions.
              This action also reduces the visibility of a feature with privacy implications from data collection and processing.

              [1]: https://web.archive.org/web/20240122072226/https://blogs.windows.com/windows-insider/2023/06/29/announcing-windows-11-insider-preview-build-23493/ "Announcing Windows 11 Insider Preview Build 23493 | Windows Insider Blog | blogs.windows.com"
              [2]: https://web.archive.org/web/20240122072448/https://support.microsoft.com/en-us/topic/october-31-2023-kb5031455-os-builds-22621-2506-and-22631-2506-preview-6513c5ec-c5a2-4aaf-97f5-44c13d29e0d4 "October 31, 2023—KB5031455 (OS Builds 22621.2506 and 22631.2506) Preview - Microsoft Support | support.microsoft.com"
              [3]: https://web.archive.org/web/20240122071203/https://www.elevenforum.com/t/add-or-remove-copilot-button-on-taskbar-in-windows-11.16015/ "Add or Remove Copilot Button on Taskbar in Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com"
              [4]: https://web.archive.org/web/20240122071007/https://www.thewindowsclub.com/how-to-show-or-hide-copilot-button-on-taskbar-in-windows "How to remove Copilot from Taskbar in Windows 11 | www.thewindowsclub.com"
            call:
              - function: SetRegistryValue
                parameters:
                  keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
                  valueName: ShowCopilotButton
                  dataType: REG_DWORD
                  data: "0"
                  deleteOnRevert: 'true' # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3)
              - function: ShowExplorerRestartSuggestion
  - category: Disable non-essential services
    docs: |-
      This category contains scripts designed to enhance privacy by disabling system services that are not essential for your operating system's core functions.

      A Windows service is a program that runs in the background, automatically starting and operating without direct user interaction, even when no user is logged in [1].
      Disabling these services, especially those transmitting data to external parties or running unseen, significantly reduces the risk of unwanted data exposure.

      Taking these proactive steps is crucial for minimizing privacy risks and improving your system's security.

      [1]: https://web.archive.org/web/20240219200713/https://learn.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications "Introduction to Windows Service Applications - .NET Framework | Microsoft Learn | learn.microsoft.com"
    children:
      - name: Disable Microsoft Account Sign-in Assistant (breaks Microsoft Store and Microsoft Account sign-in)
        recommend: strict
        docs: |-
          This script disables the **Microsoft Account Sign-in Assistant** (`wlidsvc`) service.

          This service helps users sign in with their Microsoft account, giving access to Microsoft's services and apps [1] [2].
          This service connects with Microsoft's cloud for authentication [3].
          Formerly known as the "Microsoft Windows Live ID Service", it supported sign-ins for applications such as Office and Windows Live Messenger [4].
          Currently, it uses Microsoft Entra (formerly Azure AD [5]) as its identity service [6] [7].
          It is used to facilitate creation of the primary identifier Microsoft uses for devices [8].

          Disabling this service prioritizes user privacy by limiting data sharing with Microsoft but necessitates a trade-off regarding certain convenience features and system capabilities.
          > **Caution**:
          > While Microsoft indicates this service can be safely disabled [1], doing so may impact essential features and functionalities [3].
          >
          > - **Microsoft Sign-in**:
          >   Disabling this service prevents users from signing into the computer with their Microsoft account [2] [8].
          >   It also affects scenarios requiring user action for completion [6].
          >   For instance, users might not see the Microsoft Entra sign-in option [6] [7] [9], leading to the creation of a local account instead [6] [7].
          > - **Windows Autopilot**:
          >   Windows Autopilot is a set of technologies used by IT departments to set up and pre-configure new devices [9].
          >   It requires this service to retrieve the Windows Autopilot profile [10].
          > - **Microsoft Store**:
          >   On Windows 11 and Windows 10, failure messages may appear, indicating a break in functionality [11].
          >   Known error messages include `PUR-AuthenticationFailure v3ZtcNH7IECS00iL.36.1`, `0x800706d9`, and `0x800704cf` [11].
          > - **Feature Updates**:
          >   Feature updates, which add new functionalities to Windows [12], will not be offered [3] [13] [14] [15] [16].
          >   Disabling this service disrupts feature updates by impacting Subscription Activation (license authentication) [16].

          ### Overview of default service statuses

          | OS Version          | Status     | Start type |
          | ------------------- | ---------- | ---------- |
          | Windows 10 (≥ 22H2) | 🔴 Stopped | Manual     |
          | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual     |

          [1]: https://web.archive.org/web/20240218231654/https://learn.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#microsoft-account-sign-in-assistant "Security guidelines for system services in Windows Server 2016 | Microsoft Learn | learn.microsoft.com"
          [2]: https://web.archive.org/web/20240218232041/https://batcmd.com/windows/10/services/wlidsvc/ "Microsoft Account Sign-in Assistant - Windows 10 Service - batcmd.com | batcmd.com"
          [3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#12-microsoft-account "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn"
          [4]: https://web.archive.org/web/20240219000506/https://www.howtogeek.com/30348/what-are-wlidsvc.exe-and-wlidsvcm.exe-and-why-are-they-running/ "What Are WLIDSVC.EXE and WLIDSVCM.EXE and Why Are They Running? | howtogeek.com"
          [5]: https://web.archive.org/web/20240218232515/https://learn.microsoft.com/en-us/entra/fundamentals/new-name "New name for Azure Active Directory - Microsoft Entra | Microsoft Learn | learn.microsoft.com"
          [6]: https://web.archive.org/web/20240120200946/https://learn.microsoft.com/en-us/mem/intune/configuration/device-restrictions-windows-10#search "Device restriction settings for Windows 10/11 in Microsoft Intune | Microsoft Learn | learn.microsoft.com"
          [7]: https://web.archive.org/web/20240218234642/https://learn.microsoft.com/en-us/autopilot/pre-provision#user-flow "Windows Autopilot for pre-provisioned deployment | Microsoft Learn | learn.microsoft.com"
          [8]: https://web.archive.org/web/20211129073326/https://docs.microsoft.com/en-us/windows/deployment/update/update-compliance-configuration-manual#required-endpoints "Manually configuring devices for Update Compliance - Windows Deployment | Microsoft Docs | docs.microsoft.com"
          [9]: https://web.archive.org/web/20240218234541/https://learn.microsoft.com/en-us/autopilot/windows-autopilot "Overview of Windows Autopilot | Microsoft Learn | learn.microsoft.com"
          [10]: https://web.archive.org/web/20240218235057/https://learn.microsoft.com/en-us/autopilot/policy-conflicts "Windows Autopilot policy conflicts | Microsoft Learn | learn.microsoft.com"
          [11]: https://web.archive.org/web/20240218233743/https://github.com/undergroundwires/privacy.sexy/issues/100 "[BUG]: Running the script broke Windows Store login; unable to install any Store apps due to error 0x800704cf · Issue #100 · undergroundwires/privacy.sexy | github.com"
          [12]: https://web.archive.org/web/20240218233355/https://learn.microsoft.com/en-us/windows/deployment/update/get-started-updates-channels-tools#types-of-updates "Windows client updates, channels, and tools - Windows Deployment | Microsoft Learn | learn.microsoft.com"
          [13]: https://web.archive.org/web/20240219000354/https://learn.microsoft.com/en-us/troubleshoot/mem/intune/device-configuration/windows-feature-updates-never-offered "Windows 10 feature updates not offered on Intune-managed devices - Intune | Microsoft Learn | learn.microsoft.com"
          [14]: https://web.archive.org/web/20240218235145/https://learn.microsoft.com/en-us/mem/intune/protect/windows-10-feature-updates "Configure feature updates policy for Windows 10 Windows 11 devices in Intune | Microsoft Learn | learn.microsoft.com"
          [15]: https://web.archive.org/web/20240218235015/https://learn.microsoft.com/en-us/troubleshoot/windows-client/deployment/windows-update-issues-troubleshooting#feature-updates-arent-being-offered-while-other-updates-are "Windows Update issues troubleshooting - Windows Client | Microsoft Learn"
          [16]: https://web.archive.org/web/20240218233634/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-accounts#allowmicrosoftaccountsigninassistant "Accounts Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
        call:
          function: DisableService
          parameters:
            serviceName: wlidsvc # Check: (Get-Service -Name 'wlidsvc').StartType
            defaultStartupMode: Manual # Allowed values: Automatic | Manual
      - name: Disable Downloaded Maps Manager
        recommend: standard
        docs: |-
          This script disables the **Downloaded Maps Manager** (`MapsBroker`) service.

          This service manages downloaded maps [1].
          Disabling this service prevents apps from accessing maps [1], enhancing privacy by limiting access to sensitive location data.

          > **Caution**: This may affect apps that rely on downloaded maps but prioritizes user privacy [1].
          ### Overview of default service statuses

          | OS Version          | Status     | Start type |
          | ------------------- | ---------- | ---------- |
          | Windows 10 (≥ 22H2) | 🔴 Stopped | Automatic  |
          | Windows 11 (≥ 23H2) | 🔴 Stopped | Automatic  |

          [1]: https://web.archive.org/web/20240219135016/https://batcmd.com/windows/10/services/mapsbroker/ "Downloaded Maps Manager - Windows 10 Service - batcmd.com | batcmd.com"
        call:
          function: DisableService
          parameters:
            serviceName: MapsBroker # Check: (Get-Service -Name 'MapsBroker').StartType
            defaultStartupMode: Automatic # Allowed values: Automatic | Manual
      - name: Disable Microsoft Retail Demo
        recommend: standard
        docs: |-
          This script disables the **Microsoft Retail Demo** (`RetailDemo`) service.

          This service is used to control device activity when the device is in retail demo mode [1].
          For personal use, this service is generally redundant, and disabling it strengthens privacy.
          By turning off this service, you prevent the potential misuse of demo content and settings, ensuring that your device operates under standard conditions without unnecessary exposure to retail demo features.

          ### Overview of default service statuses

          | OS Version          | Status     | Start type |
          | ------------------- | ---------- | ---------- |
          | Windows 10 (≥ 22H2) | 🔴 Stopped | Manual     |
          | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual     |

          [1]: https://web.archive.org/web/20240219135100/https://batcmd.com/windows/10/services/retaildemo/ "Retail Demo Service - Windows 10 Service - batcmd.com | batcmd.com"
        call:
          function: DisableService
          parameters:
            serviceName: RetailDemo # Check: (Get-Service -Name 'RetailDemo').StartType
            defaultStartupMode: Manual # Allowed values: Automatic | Manual
      - category: Disable synchronization of mail, contacts, calendar, and user data
        docs: |-
          This category contains scripts that improve privacy by turning off services that synchronize mail, contacts, calendars, and other user data.
          Turning off these services stops the automatic sharing and storing of personal information across devices and apps, which is crucial for privacy.
        children:
          - name: Disable User Data Storage
            recommend: strict
            docs: |-
              This script disables the **User Data Storage** (`UnistoreSvc`) service.

              This service stores user data like contact info, calendars, and messages [1].
              Disabling this service boosts privacy by blocking app access to this data.
              This script is recommended for users who prioritize privacy over the convenience of synchronized user data.

              > **Caution**: Some applications may not function correctly without access to this data [1].

              [1]: https://web.archive.org/web/20240219134932/https://batcmd.com/windows/10/services/unistoresvc/ "User Data Storage - Windows 10 Service - batcmd.com | batcmd.com"
            call:
              function: DisablePerUserService
              parameters:
                # Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UnistoreSvc").Start
                # Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UnistoreSvc_*").Start
                serviceName: UnistoreSvc
                defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual
          - name: Disable Sync Host
            recommend: strict
            docs: |-
              This script turns off the **Sync Host** (`OneSyncSvc`) service.

              This service syncs mail, contacts, calendars, and other user data across devices and apps [1].
              Disabling this service stops the automatic sharing of personal information, enhancing privacy.
              This script is recommended for individuals prioritizing the security of their personal data over the functionality of data synchronization.

              > **Caution**: Mail and other applications relying on synchronized data may not perform as intended without this service [1].

              [1]: https://web.archive.org/web/20240219141722/https://batcmd.com/windows/10/services/onesyncsvc/ "Sync Host - Windows 10 Service - batcmd.com | batcmd.com"
            call:
              function: DisablePerUserService
              parameters:
                # Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\OneSyncSvc").Start
                # Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\OneSyncSvc_*").Start
                serviceName: OneSyncSvc
                defaultStartupMode: Automatic # Allowed values: Boot | System | Automatic | Manual
          - name: Disable User Data Access
            docs: |-
              This script disables the **User Data Access** (`UserDataSvc`) service.

              This service allows apps to access personal data such as contacts, calendars, and messages [1].
              By disabling this service, you enhance your privacy by preventing apps from accessing this personal information.
              This script is recommended for users valuing privacy more than some app functionalities relying on user data.

              > **Caution**: It's important to be aware that some apps relying on this data may not function correctly without it [1].

              [1]: https://web.archive.org/web/20240219141730/https://batcmd.com/windows/10/services/userdatasvc/ "User Data Access - Windows 10 Service - batcmd.com | batcmd.com"
            call:
              function: DisablePerUserService
              parameters:
                # Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UserDataSvc").Start
                # Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UserDataSvc_*").Start
                serviceName: UserDataSvc
                defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual
          - name: Disable Messaging Service
            docs: |-
              This script disables the **Messaging Service** (`MessagingService`) service.

              This service supports text messaging and related functions [1].
              Disabling this service improves privacy by reducing how the system processes text messages [1].
              Users should consider this action if they prioritize privacy and do not use native text messaging features extensively.

              > **Caution**: Be advised that disabling this service may affect the functionality of text messaging and related services [1].

              [1]: https://web.archive.org/web/20240219141734/https://batcmd.com/windows/10/services/messagingservice/ "MessagingService - Windows 10 Service - batcmd.com | batcmd.com"
            call:
              function: DisablePerUserService
              parameters:
                # Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\MessagingService").Start
                # Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\MessagingService_*").Start
                serviceName: MessagingService
                defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual
      - name: Disable Windows Push Notifications (breaks network settings view on Windows 10)
        recommend: strict
        docs: |-
          This script disables the **Windows Push Notification Service (WNS)** (`WpnService` and `WpnUserService`).

          WNS allows third-party developers to send a range of notifications, such as toast, tile, badge, and raw updates, from their cloud services [1].
          However, there are privacy concerns with this service:

          - It relies on connections to Microsoft cloud servers [1] [2] [3] [4] [5] to deliver both local and push notifications to your device [1].
          - It can bypass VPN protections, exposing the device's real IP address, as noted in Wikipedia (uncited) [2].

          This script disables `WpnService` (Windows Push Notifications System Service) [3] and `WpnUserService` (Windows Push Notifications User Service) [4].

          > **Caution**: Disabling the `WpnUserService` system-wide impacts access to network settings on Windows 10,
          > possibly causing issues with managing network connections [5] [6].
          > This issue does not occur on Windows 11 [5].

          ### Overview of default service statuses

          | OS Version          | Status     | Start type |
          | ------------------- | ---------- | ---------- |
          | Windows 10 (≥ 22H2) | 🟢 Running | Automatic  |
          | Windows 11 (≥ 23H2) | 🟢 Running | Automatic  |

          [1]: https://web.archive.org/web/20240218223751/https://learn.microsoft.com/en-us/windows/apps/design/shell/tiles-and-notifications/windows-push-notification-services--wns--overview "Windows Push Notification Services (WNS) overview - Windows apps | Microsoft Learn | learn.microsoft.com"
          [2]: https://web.archive.org/web/20240218223848/https://en.wikipedia.org/w/index.php?title=Windows_Push_Notification_Service&oldid=1012335551#Privacy_Issue "Windows Push Notification Service - Wikipedia | en.wikipedia.org"
          [3]: https://web.archive.org/web/20240218223841/https://batcmd.com/windows/10/services/wpnservice/ "Windows Push Notifications System Service - Windows 10 Service - batcmd.com | batcmd.com"
          [4]: https://web.archive.org/web/20240218223900/https://batcmd.com/windows/10/services/wpnuserservice/ "Windows Push Notifications User Service - Windows 10 Service - batcmd.com | batcmd.com"
          [5]: https://web.archive.org/web/20240218223920/https://github.com/undergroundwires/privacy.sexy/issues/110 '[BUG]: "SystemSettings.exe - Stack-based buffer" when accessing network settings · Issue #110 · undergroundwires/privacy.sexy | github.com/undergroundwires/privacy.sexy'
          [6]: https://web.archive.org/web/20240218225733/https://github.com/undergroundwires/privacy.sexy/issues/166 "[BUG]: Network & Internet Problem after using the script · Issue #166 · undergroundwires/privacy.sexy | GitHub | github.com/undergroundwires/privacy.sexy"
        call:
          - function: ShowMessage
            parameters:
              message: Disabling Windows Push Notifications on Windows 10 is known to break Network settings.
              ignoreWindows11: 'true'
              warn: 'true'
          - function: DisableService
            parameters:
              serviceName: WpnService # Check: (Get-Service -Name 'WpnService').StartType
              defaultStartupMode: Automatic # Allowed values: Automatic | Manual
          - function: DisablePerUserService
            parameters:
              # Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WpnUserService").Start
              # Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WpnUserService_*").Start
              serviceName: WpnUserService
              defaultStartupMode: Automatic # Allowed values: Boot | System | Automatic | Manual
      - category: Disable Xbox services
        docs: |-
          This category includes scripts to turn off Xbox services.
          While enhancing gaming, these services may impact privacy and system performance for non-Xbox Live users.
          Turning off these services protects privacy by stopping unnecessary data sharing with Xbox Live servers.
        children:
          - name: Disable Xbox Live Auth Manager
            recommend: standard
            docs: |-
              This script disables the **Xbox Live Auth Manager** (`XblAuthManager`) service.

              This service manages Xbox Live login and permissions [1].
              Turning off this service can enhance privacy for users who do not use Xbox Live, as it prevents potentially unnecessary communication with Xbox Live servers.

              > **Caution:** Disabling this service could impact apps needing Xbox Live login.
### Overview of default service statuses | OS Version | Status | Start type | | ---------- | -------| ---------- | | Windows 10 (≥ 22H2) | 🔴 Stopped | Manual | | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual | [1]: https://web.archive.org/web/20240219142010/https://batcmd.com/windows/10/services/xblauthmanager/ "Xbox Live Auth Manager - Windows 10 Service - batcmd.com | batcmd.com" call: function: DisableService parameters: serviceName: XblAuthManager # Check: (Get-Service -Name 'XblAuthManager').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable Xbox Live Game Save recommend: standard docs: |- This script disables the **Xbox Live Game Save** (`XblGameSave`) service. This service synchronizes save data for games that are enabled with Xbox Live save features [1]. If you're not using Xbox Live to save games, turning off this service can protect your privacy by stopping save data transfers to Xbox Live [1]. > **Caution:** Be aware that stopping this service will prevent game save synchronization with Xbox Live [1], > affecting users who play Xbox Live-enabled games. ### Overview of default service statuses | OS Version | Status | Start type | | ---------- | -------| ---------- | | Windows 10 (≥ 22H2) | 🔴 Stopped | Manual | | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual | [1]: https://web.archive.org/web/20240219141930/https://batcmd.com/windows/10/services/xblgamesave/ "Xbox Live Game Save - Windows 10 Service - batcmd.com | batcmd.com" call: function: DisableService parameters: serviceName: XblGameSave # Check: (Get-Service -Name 'XblGameSave').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable Xbox Live Networking recommend: standard docs: |- This script disables the **Xbox Live Networking Service** (`XboxNetApiSvc`) service. This service supports the `Windows.Networking.XboxLive` application programming interface [1]. 
Disabling this service is useful for those not using Xbox Live, as it stops the system from Xbox Live networking activities. This script may enhance privacy and improve system performance by reducing unnecessary network traffic and resource use. > **Caution:** Turning off this service could impact apps and games using Xbox Live network features. ### Overview of default service statuses | OS Version | Status | Start type | | ---------- | -------| ---------- | | Windows 10 (≥ 22H2) | 🔴 Stopped | Manual | | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual | [1]: https://web.archive.org/web/20240219141939/https://www.tenable.com/audits/items/CIS_MS_Windows_10_Enterprise_Level_1_v1.12.0.audit:413ad68866cc396f0bd1dd4ead7deb97 "5.45 Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is ... | Tenable® | www.tenable.com" call: function: DisableService parameters: serviceName: XboxNetApiSvc # Check: (Get-Service -Name 'XboxNetApiSvc').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable Shadow Copy (breaks System Restore and Windows Backup) recommend: strict docs: |- This script disables the **Shadow Copy** service, known also as the *Volume Shadow Copy Service* (VSS) [1] [2] [3] [4] [5] or *Volume Snapshot Service* [4] [6]. This service is integral for system backups [1] [2] [3] [5] and data snapshots [1] [5] [7]. It allows for data recovery [1] [5] and system restore points [1] [7] [8]. Introduced with Windows Server 2003 [1], VSS facilitates backups and system restores without needing to take applications offline [1]. It creates a consistent snapshot of data for backup, supporting functions like archiving, data mining, and disk-to-disk backups [1]. These snapshots can restore data in case of data loss, to the original location or a new one, if the original has failed [1]. However, VSS has privacy and security risks: - It can store unencrypted versions of files, even after users have encrypted and securely deleted them [5] [7]. 
This feature, while useful for recovery, poses a risk as it allows retrieving deleted files, undermining efforts to permanently remove sensitive information. - Malware may use this service for persistence [4]. - Forensic investigators use shadow copies to recover deleted files and analyze your behavior [5]. Disabling VSS can also free up system resources and potentially improve performance by eliminating the creation and storage of shadow copies. But it will render system restore points [1] [8] and Windows Backup [1] features inoperative, potentially compromising data recovery capabilities. This trade-off between privacy/security and system recovery features should be carefully considered. > **Caution**: > Disabling this service will make shadow copies unavailable for backup, which could cause backup processes to fail [3]. > Services that depend on VSS will not start, affecting features like Windows Server Backup [1], Shadow Copies of Shared Folders [1], > System Center Data Protection Manager [1], and System Restore [1] [8]. 
### Overview of default service statuses | OS Version | Status | Start type | | ---------- | -------| ---------- | | Windows 10 (≥ 22H2) | 🔴 Stopped | Manual | | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual | [1]: https://web.archive.org/web/20240218220458/https://learn.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service "Volume Shadow Copy Service | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240218220517/https://learn.microsoft.com/en-us/windows/win32/vss/volume-shadow-copy-service-overview?redirectedfrom=MSDN "Volume Shadow Copy Service Overview - Win32 apps | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240218221447/https://batcmd.com/windows/10/services/vss/ "Volume Shadow Copy - Windows 10 Service - batcmd.com | batcmd.com" [4]: https://archive.ph/2024.02.18-221756/https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934 "CVE-2021-36934 - Security Update Guide - Microsoft - Windows Elevation of Privilege Vulnerability | msrc.microsoft.com" [5]: https://web.archive.org/web/20240218221441/https://www.iiis.org/CDs2018/CD2018Spring/papers/ZA288KS.pdf "Forensic Analysis of Windows 10 Volume Shadow Copy Service | University of North Georgia | iiis.org" [6]: https://web.archive.org/web/20240218220401/https://download.microsoft.com/download/7/1/B/71B9C665-6D2B-4154-AB7E-9CDC40647B57/697737_ebook_mobile_TechPreview.pdf "Introducing Windows Server 2016 Technical Preview | John McCabe and the Windows Server team | download.microsoft.com" [7]: https://web.archive.org/web/20240218220503/https://www.schneier.com/blog/archives/2009/12/the_security_im.html "The Security Implications of Windows Volume Shadow Copy - Schneier on Security | www.schneier.com" [8]: https://web.archive.org/web/20240218220527/https://github.com/undergroundwires/privacy.sexy/issues/81 "[BUG]: Can't access sign-in options nor create a restore point · Issue #81 · undergroundwires/privacy.sexy · GitHub | 
github.com/undergroundwires/privacy.sexy" call: function: DisableService parameters: serviceName: VSS # Check: (Get-Service -Name 'VSS').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - category: Remove Snipping Tool docs: |- This category addresses privacy risks related to the **Snipping Tool** [1] [2] (also called **screen capture** [3]) and its earlier forms, **Snip & Sketch** [1] [4] and **Screen Sketch** [4]. The Snipping Tool enables users to capture screenshots [2] [5] and record their screens [2]. This capability can expose sensitive information displayed on the screen unintentionally. Earlier versions had significant privacy vulnerabilities, allowing recovery of cropped screenshot portions [6] [7]. For example, bank details edited out of a saved screenshot could still be extracted by malicious entities [6]. Although updates have remedied these issues in modern versions [6], the potential for data exposure remains a concern. Disabling this tool enhances privacy by preventing unintentional capture of sensitive information and protecting against vulnerabilities. 
[1]: https://archive.ph/2024.04.24-100718/https://apps.microsoft.com/detail/9mz95kl8mr0l?hl=en-US&gl=US "Snipping Tool - Microsoft Apps | apps.microsoft.com" [2]: https://web.archive.org/web/20240424101014/https://www.microsoft.com/en-us/windows/learning-center/how-to-record-screen-windows-11 "How to Record Your Screen on Windows 11 | Microsoft Windows | www.microsoft.com" [3]: https://web.archive.org/web/20240424100904/https://github.com/undergroundwires/privacy.sexy/issues/343 "[BUG]: Snipping Tool still can be executable via its keyboard shortcut · Issue #343 · undergroundwires/privacy.sexy · GitHub | github.com" [4]: https://web.archive.org/web/20240424100700/https://blogs.windows.com/windowsexperience/2018/10/02/find-out-whats-new-in-windows-and-office-in-october/ "Find out what’s new in Windows and Office in October | Windows Experience Blog | blogs.windows.com" [5]: https://web.archive.org/web/20240424101031/https://support.microsoft.com/en-us/windows/open-snipping-tool-and-take-a-screenshot-a35ac9ff-4a58-24c9-3253-f12bac9f9d44 "Open Snipping Tool and take a screenshot - Microsoft Support | support.microsoft.com" [6]: https://archive.ph/2024.04.24-100742/https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28303 "CVE-2023-28303 - Security Update Guide - Microsoft - Windows Snipping Tool Information Disclosure Vulnerability | msrc.microsoft.com" [7]: https://web.archive.org/web/20240424100805/https://www.bleepingcomputer.com/news/microsoft/windows-11-snipping-tool-privacy-bug-exposes-cropped-image-content/ "Windows 11 Snipping Tool privacy bug exposes cropped image content | www.bleepingcomputer.com" children: - name: Remove outdated "Snipping Tool" app docs: |- This script removes the outdated **Snipping Tool** app. It was previously known as **Snip & Sketch** [1] [2] [3]. It allows users to capture, edit, and share screenshots [3]. 
In recent Windows versions, this app is part of the *Windows Feature Experience Pack* (`MicrosoftWindows.Client.Core`) and is no longer a separate application [4] [5] [6] [7]. This script disables snipping functionality on older Windows versions. privacy.sexy does not remove the entire Windows Feature Experience Pack, as it contains many other essential functions [7]. This app comes pre-installed on certain versions of Windows [1] [2]. ### Overview of default preinstallation | OS | Version | Existence | | -- |:-------:|:---------:| | Windows 10 | 19H2 | ✅ | | Windows 10 | 20H2 | ✅ | | Windows 10 | 21H2 | ✅ | | Windows 10 | 22H2 | ✅ | | Windows 11 | 21H2 | ✅ | | Windows 11 | 22H2 | ✅ | | Windows 11 | 23H2 | ✅ | [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [3]: https://archive.ph/2024.04.24-100718/https://apps.microsoft.com/detail/9mz95kl8mr0l?hl=en-US&gl=US "Snipping Tool - Microsoft Apps | apps.microsoft.com" [4]: https://web.archive.org/web/20240320082149/https://blogs.windows.com/windows-insider/2020/11/30/releasing-windows-feature-experience-pack-120-2212-1070-0-to-the-beta-channel/ "Releasing Windows Feature Experience Pack 120.2212.1070.0 to the Beta Channel | Windows Insider Blog | blogs.windows.com" [5]: https://archive.ph/2024.03.20-082058/https://twitter.com/XenoPanther/status/1504870414702592003 "Xeno on X: \"Parts of MicrosoftWindows.Client.CBS have been moved to MicrosoftWindows.Client.Core \" / X | twitter.com/XenoPanther" [6]: 
https://web.archive.org/web/20240320082048/https://answers.microsoft.com/en-us/insider/forum/all/snipping-tool-issues-with-build-25295/065a6718-70a0-4e3b-ab1b-21f6315c0296 "Snipping Tool issues with Build 25295 - Microsoft Community | answers.microsoft.com" [7]: https://web.archive.org/web/20240424100904/https://github.com/undergroundwires/privacy.sexy/issues/343 "[BUG]: Snipping Tool still can be executable via its keyboard shortcut · Issue #343 · undergroundwires/privacy.sexy · GitHub | github.com" call: function: UninstallStoreApp parameters: packageName: Microsoft.ScreenSketch # Get-AppxPackage Microsoft.ScreenSketch publisherId: 8wekyb3d8bbwe - name: Disable outdated Snipping Tool docs: |- This script disables the outdated Snipping Tool [1] [2]. This app is enabled by default [1] [2]. The script modifies the `HKLM\SOFTWARE\Policies\Microsoft\TabletPC!DisableSnippingTool` [1] [2] registry key, preventing the tool from launching [1] [2] [3] and disabling the print screen key activation [3]. After running this script, any attempt to open the Snipping Tool will show this message [4], confirming its deactivation (tested on Windows 11 and 10): > Windows cannot open this program because it has been prevented by a software restriction policy. > For more information please contact your system administrator. This script does not affect the new Snipping Tool in Windows 11, only the store app version. 
[1]: https://web.archive.org/web/20240424103745/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.TabletPCShell::DisableSnippingTool_2 "Do not allow Snipping Tool to run | admx.help" [2]: https://web.archive.org/web/20240424103728/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-tabletshell#disablesnippingtool_1 "ADMX_TabletShell Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240424103901/https://www.thewindowsclub.com/disable-snipping-tool-in-windows-10 "How to Disable Snipping Tool or Print Screen in Windows 11/10 | www.thewindowsclub.com" [4]: https://web.archive.org/web/20240424103809/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994599(v=ws.11)#windows-cannot-open-a-program "Troubleshoot Software Restriction Policies | Microsoft Learn | learn.microsoft.com" call: function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\TabletPC valueName: DisableSnippingTool dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - name: Disable Snipping Tool keyboard shortcut (**Windows logo key** + **Shift** + **S**) docs: |- This script disables the **Windows logo key** + **Shift** + **S** keyboard shortcut. This keyboard shortcut by default launches the Snipping Tool to capture screenshots [1] [2]. During the screenshot process, the screen darkens to indicate the selected area [1]. By preventing Windows Explorer from recognizing this keyboard shortcut [3], the script enhances privacy by reducing the risk of unintended data exposure through screenshots. This script also disables the **Windows logo key** + **S** keyboard shortcut [4], which by default activates search functions on Windows [5]. 
> **Caution**: Due to limitation of configuring disabled keys on Windows [6], > this will also disable the other Windows logo keyboard shortcuts including **S** button. [1]: https://web.archive.org/web/20240424101031/https://support.microsoft.com/en-us/windows/open-snipping-tool-and-take-a-screenshot-a35ac9ff-4a58-24c9-3253-f12bac9f9d44 "Open Snipping Tool and take a screenshot - Microsoft Support | support.microsoft.com" [2]: https://web.archive.org/web/20240424105319/https://support.lenovo.com/us/sv/solutions/ht117622 "How to take a screenshot using the Snipping Tool in Windows 10 and 11 - Lenovo Support US | support.lenovo.com" [3]: https://web.archive.org/web/20240424100904/https://github.com/undergroundwires/privacy.sexy/issues/343 "[BUG]: Snipping Tool still can be executable via its keyboard shortcut · Issue #343 · undergroundwires/privacy.sexy · GitHub | github.com" [4]: https://web.archive.org/web/20240424105243/https://github.com/microsoft/PowerToys/issues/18450#issuecomment-1204728155 "[PowerToys Run] Win+S hotkey won't gain focus when Start menu is open · Issue #18450 · microsoft/PowerToys · GitHub | github.com" [5]: https://web.archive.org/web/20240424105403/https://support.microsoft.com/en-us/windows/keyboard-shortcuts-in-windows-dcc61a57-8ff0-cffe-9796-cb9706c75eec "Keyboard shortcuts in Windows - Microsoft Support | support.microsoft.com" [6]: https://web.archive.org/web/20240424104551/https://www.geoffchappell.com/notes/windows/shell/explorer/globalhotkeys.htm "Disable Global Hot Keys | www.geoffchappell.com" call: function: DisableWindowsKeyPlusCharacterHotkey parameters: characterKeyToDisable: S - name: Disable Print Screen keyboard shortcut for Snipping Tool docs: |- This script prevents the Print Screen key from launching the Snipping Tool. This is the default Windows behavior starting from Windows 11 22H2 [1]. The script targets the `HKCU\Control Panel\Keyboard\PrintScreenKeyForSnippingEnabled` registry key. 
This key toggles the setting "Use the Print screen button to open screen snipping" in the control panel [1] [2] [3]. Changing this setting through the user interface also modifies this registry entry [3]. This key is absent by default in modern Windows versions, confirmed through testing starting with Windows 10 22H2 and Windows 11 22H3, which indicates that the Print Screen shortcut is enabled. Applying these changes requires restarting File Explorer (`explorer.exe`) [3]. Both `explorer.exe` [4] and `Taskbar.dll` [5] reads this configuration at startup. [1]: https://web.archive.org/web/20240424111406/https://blogs.windows.com/windows-insider/2023/04/07/announcing-windows-11-insider-preview-build-22621-1546-and-22624-1546/ "Announcing Windows 11 Insider Preview Build 22621.1546 and 22624.1546 | Windows Insider Blog | blogs.windows.com" [2]: https://web.archive.org/web/20240424111351/https://www.elevenforum.com/t/enable-or-disable-use-print-screen-key-to-open-screen-snipping-in-windows-11.520/ "Enable or Disable Use Print Screen Key to Open Screen Snipping in Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com" [3]: https://web.archive.org/web/20240424100904/https://github.com/undergroundwires/privacy.sexy/issues/343 "[BUG]: Snipping Tool still can be executable via its keyboard shortcut · Issue #343 · undergroundwires/privacy.sexy · GitHub | github.com" [4]: https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/System32/Taskbar.dll.strings#L9711 "10_0_22622_601/C/Windows/System32/Taskbar.dll.strings at c598035e1a6627384d646140fe9e4d234b36b11d · WinDLLsExports/10_0_22622_601 · GitHub | github.com" [5]: https://github.com/privacysexy-forks/10_0_22621_891/blob/fde7af7776698377aceb48a54bcf7bedaadd5c2d/C/Windows/explorer.exe.strings#L7645 "10_0_22621_891/C/Windows/explorer.exe.strings at fde7af7776698377aceb48a54bcf7bedaadd5c2d · WinDLLsExports/10_0_22621_891 · GitHub" call: - function: SetRegistryValue 
parameters: keyPath: HKCU\Control Panel\Keyboard valueName: PrintScreenKeyForSnippingEnabled dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - function: ShowExplorerRestartSuggestion - category: Advanced settings children: - name: Set NTP (time) server to `pool.ntp.org` docs: https://www.ntppool.org/en/use.html recommend: strict # `sc queryex` output is same in every OS language # Marked: refactor-with-revert-call, refactor-with-variables # This would allow re-using `StartService` and `StopService` code: |- :: Configure time source w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org" :: Stop time service if running SC queryex "w32time"|Find "STATE"|Find /v "RUNNING">Nul||( net stop w32time ) :: Start time service and sync now net start w32time w32tm /config /update w32tm /resync revertCode: |- :: Configure time source w32tm /config /syncfromflags:manual /manualpeerlist:"time.windows.com" :: Stop time service if running SC queryex "w32time"|Find "STATE"|Find /v "RUNNING">Nul||( net stop w32time ) :: Start time service and sync now net start w32time w32tm /config /update w32tm /resync - name: Disable reserved storage for updates # since 19H1 (1903) docs: - https://techcommunity.microsoft.com/t5/storage-at-microsoft/windows-10-and-reserved-storage/ba-p/428327 # Announcement - https://techcommunity.microsoft.com/t5/windows-it-pro-blog/managing-reserved-storage-in-windows-10-environments/ba-p/1297070#toc-hId--8696946 # Set-ReservedStorageState - https://www.howtogeek.com/425563/how-to-disable-reserved-storage-on-windows-10/ # ShippedWithReserves - https://techcommunity.microsoft.com/t5/windows-servicing/reserve-manager-enabled-with-low-disk-space-block/m-p/2073132 # PassedPolicy call: - function: RunInlineCode parameters: code: dism /online /Set-ReservedStorageState /State:Disabled /NoRestart revertCode: dism /online 
/Set-ReservedStorageState /State:Enabled /NoRestart - function: RunInlineCode parameters: code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "ShippedWithReserves" /t REG_DWORD /d "0" /f # `1` by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "ShippedWithReserves" /t REG_DWORD /d "1" /f - function: RunInlineCode parameters: code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "PassedPolicy" /t REG_DWORD /d "0" /f # `1` by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "PassedPolicy" /t REG_DWORD /d "1" /f - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager valueName: MiscPolicyInfo dataType: REG_DWORD data: '2' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Run script on startup [EXPERIMENTAL] code: |- del /f /q %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\privacy-cleanup.bat copy "%~dpnx0" "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\privacy-cleanup.bat" revertCode: del /f /q %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\privacy-cleanup.bat functions: - name: TerminateRunningProcess # 💡 If applicable, consider using `TerminateAndBlockExecution` in script calls. parameters: - name: executableNameWithExtension # Name of the executable file, including its extension, to be terminated. - name: revertExecutablePath # Path of the executable to be run during the revert process. optional: true - name: revertExecutableArgs # Arguments to pass to the executable during the revert process. optional: true docs: |- This function is designed to terminate a specified running process. 
It checks if the process is currently running and, if so, uses the `taskkill` command to forcibly terminate it. This function is particularly useful for stopping processes that may interfere with system configurations or other operations. call: - function: Comment parameters: codeComment: Check and terminate the running process "{{ $executableNameWithExtension }}" revertCodeComment: >- {{ with $revertExecutablePath }} Optionally start the process "{{ $executableNameWithExtension }}" if not running {{ end }} - function: RunInlineCode parameters: code: |- tasklist /fi "ImageName eq {{ $executableNameWithExtension }}" /fo csv 2>NUL | find /i "{{ $executableNameWithExtension }}">NUL && ( echo {{ $executableNameWithExtension }} is running and will be killed. taskkill /f /im {{ $executableNameWithExtension }} ) || ( echo Skipping, {{ $executableNameWithExtension }} is not running. ) # `start` command is used to start processes without blocking execution of rest of the script, see https://ss64.com/nt/start.html. revertCode: |- {{ with $revertExecutablePath }} tasklist /fi "ImageName eq {{ $executableNameWithExtension }}" /fo csv 2>NUL | find /i "{{ $executableNameWithExtension }}">NUL && ( echo Skipping, {{ $executableNameWithExtension }} is already running. ) || ( if exist "{{ . }}" ( start "" "{{ . }}" {{ with $revertExecutableArgs }}{{ . }}{{ end }} echo Executed {{ . }} {{ with $revertExecutableArgs }}{{ . }}{{ end }} ) else ( echo Failed to run the file, it does not exist. 1>&2 ) ) {{ end }} - name: TerminateExecutableOnLaunch # 💡 Usage: This is a low-level function. Favor using `TerminateAndBlockExecution` in script calls. parameters: - name: executableNameWithExtension # Filename of the executable (including its extension) to be terminated upon launch. docs: |- It immediately terminates a specified process whenever it starts. The function adds `Debugger` registry value to point to the `taskkill.exe` utility, a command-line tool used for terminating processes. 
This effectively means that every time the process attempts to start, `taskkill.exe` is invoked instead, leading to the immediate termination of the process. Read more: [Image File Execution Options | Microsoft Learn](https://learn.microsoft.com/en-us/previous-versions/windows/desktop/xperf/image-file-execution-options) call: - function: Comment parameters: codeComment: Configure termination of "{{ $executableNameWithExtension }}" immediately upon its startup revertCodeComment: Remove configuration preventing "{{ $executableNameWithExtension }}" from starting - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{{ $executableNameWithExtension }} valueName: Debugger dataType: REG_SZ data: '%WINDIR%\System32\taskkill.exe' deleteOnRevert: 'true' # No executable has debugging enabled by default - name: DisableWindowsFeature docs: |- This function manages the enabling and disabling of specified Windows features. Its primary role is to disable a target feature, with options to handle cases where the feature is absent or to maintain its default state upon reversal. parameters: - name: featureName # The name of the Windows feature to be disabled - name: disabledByDefault # Specifies whether the feature is disabled by default in the operating system. optional: true # If set to true, the function will not re-enable the feature during a revert operation. - name: ignoreMissingOnRevert # When set to true, the revert operation will skip any actions for services that cannot be found, instead of failing. 
optional: false call: - function: Comment parameters: codeComment: Disable the "{{ $featureName }}" feature revertCodeComment: Revert the '{{ $featureName }}' feature to its default settings - function: RunPowerShell parameters: code: |- $featureName = '{{ $featureName }}' $feature = Get-WindowsOptionalFeature ` -FeatureName "$featureName" ` -Online ` -ErrorAction Stop if (-Not $feature) { Write-Output "Skipping: The feature `"$featureName`" is not found. No action required." Exit 0 } if ($feature.State -eq [Microsoft.Dism.Commands.FeatureState]::Disabled) { Write-Output "Skipping: The feature `"$featureName`" is already disabled. No action required." Exit 0 } try { Write-Host "Disabling feature: `"$featureName`"." Disable-WindowsOptionalFeature ` -FeatureName "$featureName" ` -Online ` -NoRestart ` -LogLevel ([Microsoft.Dism.Commands.LogLevel]::Errors) ` -WarningAction SilentlyContinue ` -ErrorAction Stop ` | Out-Null } catch { Write-Error "Failed to disable the feature `"$featureName`": $($_.Exception.Message)" Exit 1 } Write-Output "Successfully disabled the feature `"$featureName`"." Exit 0 revertCode: |- $featureName = '{{ $featureName }}' $ignoreMissingOnRevert = {{ with $ignoreMissingOnRevert }} $true # {{ end }} $false $disabledByDefault = {{ with $disabledByDefault }} $true # {{ end }} $false $feature = Get-WindowsOptionalFeature ` -FeatureName "$featureName" ` -Online ` -ErrorAction Stop if (-Not $feature) { if ($ignoreMissingOnRevert) { Write-Output "Skipping: The feature `"$featureName`" is not found. No action required." Exit 0 } Write-Error "Failed to revert changes to the feature `"$featureName`". The feature is not found." Exit 1 } if ($feature.State -eq [Microsoft.Dism.Commands.FeatureState]::Enabled) { Write-Output "Skipping: The feature `"$featureName`" is already enabled. No action required." Exit 0 } if ($disabledByDefault) { Write-Output "Skipping: The feature `"$featureName`" is already disabled and this is the default configuration." 
Exit 0 } try { Write-Host "Enabling feature: `"$featureName`"." Enable-WindowsOptionalFeature ` -FeatureName "$featureName" ` -Online ` -NoRestart ` -LogLevel ([Microsoft.Dism.Commands.LogLevel]::Errors) ` -WarningAction SilentlyContinue ` -ErrorAction Stop ` | Out-Null } catch { Write-Error "Failed to enable feature `"$featureName`": $($_.Exception.Message)" Exit 1 } Write-Output "Successfully enabled the feature `"$featureName`"." Exit 0 - name: UninstallStoreApp parameters: - name: packageName - name: publisherId call: - function: RunPowerShell parameters: codeComment: Uninstall '{{ $packageName }}' Microsoft Store app. code: Get-AppxPackage '{{ $packageName }}' | Remove-AppxPackage # This script attempts to reinstall the app that was just uninstalled, if necessary. # Re-installation strategy: # 1. Attempt to locate the package from another user's installation: # - Utilizes the `Get-AppxPackage` command with the `-AllUsers` flag to search across all user installations. # - Iterates through the results to locate the manifest file required for re-installation. # 2. Attempt to locate the package from the system installation: # - Utilizes the `Get-AppxPackage` command with `-RegisterByFamilyName` to search for the manifest file in the system installation. # - The app's package family name is constructed using its name and publisher ID. # Package Family Name is: `_` # Learn more about package identity: https://learn.microsoft.com/en-us/windows/apps/desktop/modernize/package-identity-overview#publisher-id (https://archive.ph/Sx4JC) # - Based on tests, Windows attempts to locate the file in the installation location of the package. # This location can be identified using commands such as `(Get-AppxPackage -AllUsers 'Windows.PrintDialog').InstallLocation`. 
          #      Possible installation locations include:
          #        - `%WINDIR%\SystemApps\{PackageFamilyName}` (for system apps)
          #        - `%WINDIR%\{ShortAppName}` (for system apps)
          #        - `%SYSTEMDRIVE%\Program Files\WindowsApps\{PackageName}` (for non-system apps)
          #      View all package locations: `Get-AppxPackage | Sort Name | Format-Table Name, InstallLocation`
          revertCodeComment: Reinstall '{{ $packageName }}' if it was previously uninstalled.
          revertCode: |-
            $packageName='{{ $packageName }}'
            $publisherId='{{ $publisherId }}'
            if (Get-AppxPackage -Name $packageName) {
              Write-Host "Skipping, `"$packageName`" is already installed for the current user."
              exit 0
            }
            Write-Host "Starting the installation process for `"$packageName`"..."
            # Attempt installation using the manifest file
            Write-Host "Checking if `"$packageName`" is installed on another user profile..."
            $packages = @(Get-AppxPackage -AllUsers $packageName)
            if (!$packages) {
              Write-Host "`"$packageName`" is not installed on any other user profiles."
            } else {
              foreach ($package in $packages) {
                Write-Host "Found package `"$($package.PackageFullName)`"."
                $installationDir = $package.InstallLocation
                if ([string]::IsNullOrWhiteSpace($installationDir)) {
                  Write-Warning "Installation directory for `"$packageName`" is not found or invalid."
                  continue
                }
                $manifestPath = Join-Path -Path $installationDir -ChildPath 'AppxManifest.xml'
                try {
                  if (-Not (Test-Path "$manifestPath")) {
                    Write-Host "Manifest file not found for `"$packageName`" on another user profile: `"$manifestPath`"."
                    continue
                  }
                } catch {
                  Write-Warning "An error occurred while checking for the manifest file: $($_.Exception.Message)"
                  continue
                }
                Write-Host "Manifest file located. Trying to install using the manifest: `"$manifestPath`"..."
                try {
                  Add-AppxPackage -DisableDevelopmentMode -Register "$manifestPath" -ErrorAction Stop
                  Write-Host "Successfully installed `"$packageName`" using its manifest file."
                  exit 0
                } catch {
                  Write-Warning "Error installing from manifest: $($_.Exception.Message)"
                }
              }
            }
            # Attempt installation using the package family name
            $packageFamilyName = "$($packageName)_$($publisherId)"
            Write-Host "Trying to install `"$packageName`" using its package family name: `"$packageFamilyName`" from system installation..."
            try {
              Add-AppxPackage -RegisterByFamilyName -MainPackage $packageFamilyName -ErrorAction Stop
              Write-Host "Successfully installed `"$packageName`" using its package family name."
              exit 0
            } catch {
              Write-Warning "Error installing using package family name: $($_.Exception.Message)"
            }
            throw "Unable to reinstall the requested package ($packageName). " + `
              "It appears to no longer be included in this version of Windows. " + `
              "You may search for it or an alternative in the Microsoft Store or " + `
              "consider using an earlier version of Windows where this package was originally provided."
      -
        function: RunInlineCode
        # This script prevents specified applications from being automatically reinstalled during Windows updates.
        # Windows has a feature where certain pre-installed applications (also known as provisioned apps) are reinstalled
        # when you perform a major update, even if they were previously uninstalled.
        # For detailed information, refer to the following Microsoft documentation:
        #   - Deprovisioning Apps: https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update#create-registry-keys-for-deprovisioned-apps
        #     - Archived versions: https://archive.ph/04108, https://web.archive.org/web/20231023131048/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update#create-registry-keys-for-deprovisioned-apps
        #   - In-place Upgrade Recommendations: https://learn.microsoft.com/en-us/mem/configmgr/osd/understand/in-place-upgrade-recommendations#remove-default-apps
        #     - Archived versions: https://archive.ph/I7Dwc, https://web.archive.org/web/20231023132613/https://learn.microsoft.com/en-us/mem/configmgr/osd/understand/in-place-upgrade-recommendations#remove-default-apps
        parameters:
          code: |-
            :: Mark '{{ $packageName }}' as deprovisioned to block reinstall during Windows updates.
            reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\{{ $packageName }}_{{ $publisherId }}" /f
          revertCode: |-
            :: Remove '{{ $packageName }}' from deprovisioned list to allow reinstall during updates.
            reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\{{ $packageName }}_{{ $publisherId }}" /f 2>nul
  -
    name: UninstallNonRemovableStoreApp
    parameters:
      -
        name: packageName
      -
        name: publisherId
    call:
      -
        # ❗️ ORDERING: Run before `UninstallStoreApp` to enable removal of system apps.
        function: CreateRegistryKey
        parameters:
          codeComment: Enable removal of system app '{{ $packageName }}' by marking it as "EndOfLife"
          # This script modifies the system registry to enable the uninstallation of a specified app.
          # Some apps (including system apps) are marked as non-removable, which prevents uninstallation and results in error 0x80070032 if an uninstall is attempted.
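# Added audit example for the two registry overrides described above (`Deprovisioned` and `EndOfLife` under
# `AppxAllUserStore`). It is not part of the privacy.sexy collection and only reads the registry: it lists which
# package family names are currently marked, for which user SID, and whether Windows still provisions the package
# for new profiles. Useful to confirm that a revert removed the `EndOfLife` key again, or to spot overrides left
# behind by other tools. The function and property names are this example's own choices; run it elevated.

```powershell
# Example audit helper, not part of the privacy.sexy collection.
#   Deprovisioned\<PackageFamilyName>        -> package will not be reinstalled on feature upgrades
#   EndOfLife\<UserSid>\<PackageFamilyName>  -> package is treated as removable for that user
$AppxAllUserStore = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore'

function Get-AppxStoreOverride {
    [CmdletBinding()]
    param(
        # Wildcard filter on the package family name, e.g. 'Microsoft.BingWeather_*'.
        [string] $PackageFamilyName = '*'
    )
    # Display names of the packages Windows still provisions for new user profiles.
    $stillProvisioned = @(
        Get-AppxProvisionedPackage -Online -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty DisplayName
    )
    function Resolve-AccountName([string] $Sid) {
        try {
            ([System.Security.Principal.SecurityIdentifier] $Sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch {
            $null # deleted or foreign profile; the raw SID stays in the UserSid column
        }
    }
    function New-OverrideRecord([string] $FamilyName, [string] $Kind, [string] $Sid) {
        # A package family name is `<Name>_<PublisherId>`; the name is everything before the last '_'.
        $separator = $FamilyName.LastIndexOf('_')
        $displayName = if ($separator -gt 0) { $FamilyName.Substring(0, $separator) } else { $FamilyName }
        $userName = if ($Sid) { Resolve-AccountName $Sid } else { $null }
        [pscustomobject]@{
            PackageFamilyName = $FamilyName
            Override          = $Kind
            UserSid           = $Sid
            UserName          = $userName
            StillProvisioned  = ($stillProvisioned -contains $displayName)
        }
    }
    $deprovisionedKey = Join-Path $AppxAllUserStore 'Deprovisioned'
    if (Test-Path -LiteralPath $deprovisionedKey) {
        Get-ChildItem -LiteralPath $deprovisionedKey -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -like $PackageFamilyName } |
            ForEach-Object { New-OverrideRecord -FamilyName $_.PSChildName -Kind 'Deprovisioned' -Sid $null }
    }
    $endOfLifeKey = Join-Path $AppxAllUserStore 'EndOfLife'
    if (Test-Path -LiteralPath $endOfLifeKey) {
        # One subkey per user SID, each holding the package family names marked EndOfLife for that user.
        foreach ($sidKey in @(Get-ChildItem -LiteralPath $endOfLifeKey -ErrorAction SilentlyContinue)) {
            Get-ChildItem -LiteralPath $sidKey.PSPath -ErrorAction SilentlyContinue |
                Where-Object { $_.PSChildName -like $PackageFamilyName } |
                ForEach-Object { New-OverrideRecord -FamilyName $_.PSChildName -Kind 'EndOfLife' -Sid $sidKey.PSChildName }
        }
    }
}

# Usage: list every override, grouped by kind. An `EndOfLife` entry that remains after an app has been
# uninstalled means the `DeleteRegistryKey` revert step of `UninstallNonRemovableStoreApp` did not run.
Get-AppxStoreOverride | Sort-Object Override, PackageFamilyName | Format-Table -AutoSize
```

# `StillProvisioned` is `$true` when a `Deprovisioned` mark exists but the package is still in the provisioned
# list, i.e. the mark will only take effect at the next feature upgrade.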
          # To bypass this, the script marks the app as 'EndOfLife' in the registry, tricking the system into allowing the uninstallation.
          keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\EndOfLife\$CURRENT_USER_SID\{{ $packageName }}_{{ $publisherId }}
          replaceSid: 'true'
      -
        function: UninstallStoreApp
        parameters:
          packageName: '{{ $packageName }}'
          publisherId: '{{ $publisherId }}'
      -
        # ❗️ ORDERING: Run after `UninstallStoreApp` to restore the app to its default state.
        function: DeleteRegistryKey
        parameters:
          codeComment: Revert '{{ $packageName }}' to its default, non-removable state.
          # This script reverses the previous modification made to the Windows registry to enable its uninstallation.
          # By removing the 'EndOfLife' status from the registry entry, the app is restored to its default, non-removable state.
          # Restoring (removing) this key is important for maintaining the stability of Windows Updates (for details: https://github.com/undergroundwires/privacy.sexy/issues/287).
          keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\EndOfLife\$CURRENT_USER_SID\{{ $packageName }}_{{ $publisherId }}
          replaceSid: 'true'
  -
    name: UninstallNonRemovableStoreAppWithCleanup
    # ❗️ Prefer `UninstallNonRemovableStoreApp` for new scripts
    # 💡 Purpose:
    # This function is designed for comprehensive cleanup, removing the store app along with associated data such as installation directories, user data, and metadata.
    #
    # It is maintained primarily for backward compatibility, supporting users who need to reverse changes made by earlier versions of privacy.sexy scripts that included app data removal.
    # Historically, due to limitations in uninstalling non-removable apps through Windows package management tools (like `Remove-AppxPackage`), earlier versions of privacy.sexy scripts
    # relied on a soft-deletion approach for app data. Newer scripts can now effectively use Windows package management to remove such apps.
    #
    # For general usage in new scripts, prefer `UninstallNonRemovableStoreApp`. It offers a simpler, safer, and less invasive approach. The extensive cleanup performed by
    # this function is typically unnecessary for most users.
    parameters:
      -
        name: packageName
      -
        name: publisherId
    call:
      -
        function: ClearStoreAppDataBeforeUninstallation
        parameters:
          packageName: '{{ $packageName }}'
          publisherId: '{{ $publisherId }}'
      -
        function: UninstallNonRemovableStoreApp
        parameters:
          packageName: '{{ $packageName }}'
          publisherId: '{{ $publisherId }}'
      -
        function: ClearStoreAppDataAfterUninstallation
        parameters:
          packageName: '{{ $packageName }}'
          publisherId: '{{ $publisherId }}'
  -
    name: ClearStoreAppDataBeforeUninstallation
    parameters:
      -
        name: packageName
      -
        name: publisherId
    call:
      -
        # ❗️ ORDERING: Run before `UninstallStoreApp` to ensure required manifest data is available for reinstallation when reverting.
        # Clear: Installation (SystemApps, Directory I)
        #   - Folder    : %WINDIR%\SystemApps\{PackageFamilyName}
        #   - Example   : C:\Windows\SystemApps\Windows.CBSPreview_cw5n1h2txyewy
        #   - Check     : (Get-AppxPackage -AllUsers 'Windows.CBSPreview').InstallLocation
        #   - Check all : Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation
        function: SoftDeleteFiles
        parameters:
          fileGlob: '%WINDIR%\SystemApps\{{ $packageName }}_{{ $publisherId }}\*'
          grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
          recurse: 'true'
      -
        # ❗️ ORDERING: Run before `UninstallStoreApp` to ensure required manifest data is available for reinstallation when reverting.
        # Clear: Installation (SystemApps, Directory II)
        #   - Folder    : %WINDIR%\{ShortAppName}
        #   - Example   : C:\Windows\PrintDialog
        #   - Check     : (Get-AppxPackage -AllUsers 'Windows.PrintDialog').InstallLocation
        #   - Check all : Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation
        function: SoftDeleteFiles
        parameters:
          fileGlob: >-
            %WINDIR%\$(("{{ $packageName }}" -Split '\.')[-1])\*
          grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
          recurse: 'true'
      -
        # ❗️ ORDERING: Run before `UninstallStoreApp` to ensure required manifest data is available for reinstallation when reverting.
        # Clear: Installation (non-system i.e. provisioned and installed apps)
        #   - Folder    : %SYSTEMDRIVE%\Program Files\WindowsApps\{PackageFullName}
        #   - Example   : C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe
        #   - Check     : (Get-AppxPackage -AllUsers 'Microsoft.BingWeather').InstallLocation
        #   - Check all : Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "Store" } | Sort Name | Format-Table Name, InstallLocation
        function: SoftDeleteFiles
        parameters:
          fileGlob: '%SYSTEMDRIVE%\Program Files\WindowsApps\{{ $packageName }}_*_{{ $publisherId }}\*'
          grantPermissions: 'true' # 🔒️ Protected on Windows 11 since 22H2 (when deleting `Microsoft.SecHealthUI`)
          recurse: 'true'
  -
    name: ClearStoreAppDataAfterUninstallation
    parameters:
      -
        name: packageName
      -
        name: publisherId
    call:
      -
        # ❗️ ORDERING: Run after `UninstallStoreApp` to ensure only leftover files are removed without keeping unnecessary files on the system.
        # Clear: User-specific data
        #   - Folder  : %LOCALAPPDATA%\Packages\{PackageFamilyName}
        #   - Example : C:\Users\undergroundwires\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy
        #   - Check   : "$env:LOCALAPPDATA\Packages\$((Get-AppxPackage -AllUsers 'Windows.CBSPreview').PackageFamilyName)"
        function: SoftDeleteFiles
        parameters:
          fileGlob: '%LOCALAPPDATA%\Packages\{{ $packageName }}_{{ $publisherId }}\*'
          recurse: 'true'
      -
        # ❗️ ORDERING: Run after `UninstallStoreApp` to ensure only leftover files are removed without keeping unnecessary files on the system.
        # Clear: Metadata
        #   - Folder  : %PROGRAMDATA%\Microsoft\Windows\AppRepository\Packages\{PackageFullName}
        #   - Example : C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Windows.CBSPreview_10.0.19580.1000_neutral_neutral_cw5n1h2txyewy
        #   - Check   : "$env:PROGRAMDATA\Microsoft\Windows\AppRepository\Packages\$((Get-AppxPackage -AllUsers 'Windows.CBSPreview').PackageFullName)"
        function: SoftDeleteFiles
        parameters:
          fileGlob: '%PROGRAMDATA%\Microsoft\Windows\AppRepository\Packages\{{ $packageName }}_*_{{ $publisherId }}\*'
          grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
          recurse: 'true'
  -
    name: UninstallCapability
    parameters:
      -
        name: capabilityName
    call:
      function: RunPowerShell
      parameters:
        code: Get-WindowsCapability -Online -Name '{{ $capabilityName }}*' | Remove-WindowsCapability -Online
        revertCode: |-
          # The wildcard can match several capabilities (e.g. language variants), so each one is added back.
          # Note: `"$capability.Name"` would interpolate the whole object followed by the literal text ".Name",
          # not the `Name` property, so the name is passed through the pipeline instead.
          Get-WindowsCapability -Online -Name '{{ $capabilityName }}*' |
            Where-Object { $_.State -ne 'Installed' } |
            ForEach-Object { Add-WindowsCapability -Online -Name $_.Name }
  -
    name: SoftDeleteFiles
    # 💡 Purpose:
    # Renames files matching a given glob pattern by appending a `.OLD` extension, effectively "soft deleting" them.
    # It does not touch any of the folders.
    # This allows for easier restoration and less immediate disruption compared to permanent deletion.
    # 🤓 Implementation:
    # 1. (with `grantPermissions`:) Elevate script privileges.
    # 2. Iterate every file in the given directory, and for each file:
    #    - (with `grantPermissions`:) Grant permissions to file to be able to modify it.
    #    - Rename the file.
    #    - (with `grantPermissions`:) Restore permissions of the file to its original state.
    # 3. (with `grantPermissions`:) Remove elevated script privileges.
    parameters:
      -
        name: fileGlob
      -
        name: grantPermissions # Grants permission on the files found, and restores original permissions after modification.
        optional: true
      -
        name: recurse # If set, deletes all files in all directories recursively.
        optional: true
      -
        name: beforeIteration # (Iteration callback) Code to run before iteration.
        optional: true
    call:
      -
        function: Comment
        parameters:
          codeComment: >-
            Soft delete files matching pattern
            {{ with $grantPermissions }}(with additional permissions){{ end }}
            : "{{ $fileGlob }}"
          revertCodeComment: >-
            Restore files matching pattern
            {{ with $grantPermissions }}(with additional permissions){{ end }}
            : "{{ $fileGlob }}"
      -
        function: IterateGlob
        parameters:
          pathGlob: '{{ $fileGlob }}'
          revertPathGlob: '{{ $fileGlob }}.OLD'
          recurse: '{{ with $recurse }}{{ . }}{{ end }}'
          # Elevating privileges:
          # Another (simpler) implementation would be:
          # ```
          # $setPrivilegeFunction = [System.Diagnostics.Process].GetMethods(42) | Where-Object { $_.Name -eq 'SetPrivilege' }
          # $privileges = @('SeRestorePrivilege', 'SeTakeOwnershipPrivilege')
          # foreach ($privilege in $privileges) {
          #   $setPrivilegeFunction.Invoke($null, @($privilege, 2))
          # }
          # ```
          beforeIteration: |-
            {{ with $beforeIteration }}
            {{ . }}
            {{ end }}
            $renamedCount = 0
            $skippedCount = 0
            $failedCount = 0
            {{ with $grantPermissions }}
            Add-Type -TypeDefinition @"
            using System;
            using System.Runtime.InteropServices;
            public class Privileges {
              [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
              internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
              [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
              internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
              [DllImport("advapi32.dll", SetLastError = true)]
              internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
              [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
              public static extern IntPtr GetCurrentProcess();
              // TOKEN_PRIVILEGES with a single LUID_AND_ATTRIBUTES entry (Pack = 1 keeps the native layout).
              [StructLayout(LayoutKind.Sequential, Pack = 1)]
              internal struct TokPriv1Luid {
                public int Count;
                public long Luid;
                public int Attr;
              }
              internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
              internal const int TOKEN_QUERY = 0x00000008;
              internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
              // Sets the attributes of one privilege on the current process token:
              // SE_PRIVILEGE_ENABLED enables it, 0 disables it. Returns false if any Win32 call fails.
              private static bool AdjustPrivilege(string privilege, int attr) {
                try {
                  TokPriv1Luid tp;
                  IntPtr hproc = GetCurrentProcess();
                  IntPtr htok = IntPtr.Zero;
                  if (!OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok)) {
                    return false;
                  }
                  tp.Count = 1;
                  tp.Luid = 0;
                  tp.Attr = attr;
                  if (!LookupPrivilegeValue(null, privilege, ref tp.Luid)) {
                    return false;
                  }
                  return AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
                } catch (Exception ex) {
                  throw new Exception("Failed to adjust token privileges", ex);
                }
              }
              public static bool AddPrivilege(string privilege) {
                return AdjustPrivilege(privilege, SE_PRIVILEGE_ENABLED);
              }
              public static bool RemovePrivilege(string privilege) {
                return AdjustPrivilege(privilege, 0); // Attr = 0 clears SE_PRIVILEGE_ENABLED, i.e. revokes the privilege
              }
            }
            "@
            [Privileges]::AddPrivilege('SeRestorePrivilege') | Out-Null
            [Privileges]::AddPrivilege('SeTakeOwnershipPrivilege') | Out-Null
            $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
            $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount])
            $adminFullControlAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( `
              $adminAccount, `
              [System.Security.AccessControl.FileSystemRights]::FullControl, `
              [System.Security.AccessControl.AccessControlType]::Allow `
            )
            {{ end }}
          # Marked: refactor-with-variables
          # Granting permission is identical to `DisableScheduledTask`.
          duringIteration: |-
            if (Test-Path -Path $path -PathType Container) {
              Write-Host "Skipping folder (not its contents): `"$path`"."
              $skippedCount++
              continue
            }
            if($revert -eq $true) {
              if (-not $path.EndsWith('.OLD')) {
                Write-Host "Skipping non-backup file: `"$path`"."
                $skippedCount++
                continue
              }
            } else {
              if ($path.EndsWith('.OLD')) {
                Write-Host "Skipping backup file: `"$path`"."
                $skippedCount++
                continue
              }
            }
            $originalFilePath = $path
            Write-Host "Processing file: `"$originalFilePath`"."
            if (-Not (Test-Path $originalFilePath)) {
              Write-Host "Skipping, file `"$originalFilePath`" not found."
              $skippedCount++
              continue # Skip this file only; exiting here would abort the iteration and skip the cleanup in `afterIteration`.
            }
            {{ with $grantPermissions }}
            $originalAcl = Get-Acl -Path "$originalFilePath"
            $accessGranted = $false
            try {
              $acl = Get-Acl -Path "$originalFilePath"
              $acl.SetOwner($adminAccount) # Take Ownership (because file is owned by TrustedInstaller)
              $acl.AddAccessRule($adminFullControlAccessRule) # Grant rights to be able to move the file
              Set-Acl -Path $originalFilePath -AclObject $acl -ErrorAction Stop
              $accessGranted = $true
            } catch {
              Write-Warning "Failed to grant access to `"$originalFilePath`": $($_.Exception.Message)"
            }
            {{ end }}
            if ($revert -eq $true) {
              $newFilePath = $originalFilePath.Substring(0, $originalFilePath.Length - 4)
            } else {
              $newFilePath = "$($originalFilePath).OLD"
            }
            try {
              Move-Item -LiteralPath "$($originalFilePath)" -Destination "$newFilePath" -Force -ErrorAction Stop
              Write-Host "Successfully processed `"$originalFilePath`"."
              $renamedCount++
              {{ with $grantPermissions }}
              if ($accessGranted) {
                try {
                  Set-Acl -Path $newFilePath -AclObject $originalAcl -ErrorAction Stop
                } catch {
                  Write-Warning "Failed to restore access on `"$newFilePath`": $($_.Exception.Message)"
                }
              }
              {{ end }}
            } catch {
              Write-Error "Failed to rename `"$originalFilePath`" to `"$newFilePath`": $($_.Exception.Message)"
              $failedCount++
              {{ with $grantPermissions }}
              if ($accessGranted) {
                try {
                  Set-Acl -Path $originalFilePath -AclObject $originalAcl -ErrorAction Stop
                } catch {
                  Write-Warning "Failed to restore access on `"$originalFilePath`": $($_.Exception.Message)"
                }
              }
              {{ end }}
            }
          afterIteration: |-
            if (($renamedCount -gt 0) -or ($skippedCount -gt 0)) {
              Write-Host "Successfully processed $renamedCount items and skipped $skippedCount items."
            }
            if ($failedCount -gt 0) {
              Write-Warning "Failed to process $($failedCount) items."
            }
            {{ with $grantPermissions }}
            [Privileges]::RemovePrivilege('SeRestorePrivilege') | Out-Null
            [Privileges]::RemovePrivilege('SeTakeOwnershipPrivilege') | Out-Null
            {{ end }}
  -
    name: SetVsCodeSetting
    parameters:
      -
        name: setting
      -
        name: powerShellValue
    call:
      function: RunPowerShell
      parameters:
        code: |-
          $settingKey='{{ $setting }}'
          $settingValue={{ $powerShellValue }}
          $jsonFilePath = "$($env:APPDATA)\Code\User\settings.json"
          if (!(Test-Path $jsonFilePath -PathType Leaf)) {
            Write-Host "Skipping, no updates. Settings file was not at `"$jsonFilePath`"."
            exit 0
          }
          try {
            $fileContent = Get-Content $jsonFilePath -ErrorAction Stop
          } catch {
            throw "Error, failed to read the settings file: `"$jsonFilePath`". Error: $_"
          }
          if ([string]::IsNullOrWhiteSpace($fileContent)) {
            Write-Host "Settings file is empty. Treating it as default empty JSON object."
            $fileContent = "{}"
          }
          try {
            $json = $fileContent | ConvertFrom-Json
          } catch {
            throw "Error, invalid JSON format in the settings file: `"$jsonFilePath`". Error: $_"
          }
          $existingValue = $json.$settingKey
          if ($existingValue -eq $settingValue) {
            Write-Host "Skipping, `"$settingKey`" is already configured as `"$settingValue`"."
            exit 0
          }
          $json | Add-Member -Type NoteProperty -Name $settingKey -Value $settingValue -Force
          # `-Depth`: the default depth of 2 would flatten nested setting objects into strings when writing back.
          $json | ConvertTo-Json -Depth 100 | Set-Content $jsonFilePath
          Write-Host "Successfully applied the setting to the file: `"$jsonFilePath`"."
        revertCode: |-
          $settingKey='{{ $setting }}'
          $settingValue={{ $powerShellValue }}
          $jsonFilePath = "$($env:APPDATA)\Code\User\settings.json"
          if (!(Test-Path $jsonFilePath -PathType Leaf)) {
            Write-Host "Skipping, no need to revert because settings file is not found: `"$jsonFilePath`"."
            exit 0
          }
          try {
            $fileContent = Get-Content $jsonFilePath -ErrorAction Stop
          } catch {
            throw "Error, failed to read the settings file: `"$jsonFilePath`". Error: $_"
          }
          if ([string]::IsNullOrWhiteSpace($fileContent)) {
            Write-Host "Skipping, no need to revert because settings file is empty: `"$jsonFilePath`"."
            exit 0
          }
          try {
            $json = $fileContent | ConvertFrom-Json
          } catch {
            throw "Error, invalid JSON format in the settings file: `"$jsonFilePath`". Error: $_"
          }
          if (!$json.PSObject.Properties[$settingKey]) {
            Write-Host "Skipping, no need to revert because setting `"$settingKey`" does not exist."
            exit 0
          }
          if ($json.$settingKey -ne $settingValue) {
            Write-Host "Skipping, setting (`"$settingKey`") has different configuration than `"$settingValue`": `"$($json.$settingKey)`"."
            exit 0
          }
          $json.PSObject.Properties.Remove($settingKey)
          # `-Depth`: the default depth of 2 would flatten nested setting objects into strings when writing back.
          $json | ConvertTo-Json -Depth 100 | Set-Content $jsonFilePath
          Write-Host "Successfully reverted the setting from file: `"$jsonFilePath`"."
  -
    name: RunPowerShell
    parameters:
      -
        name: code
      -
        name: revertCode
        optional: true
      -
        name: codeComment
        optional: true
      -
        name: revertCodeComment
        optional: true
    call:
      -
        function: Comment
        parameters:
          codeComment: '{{ with $codeComment }}{{ . }}{{ end }}'
          revertCodeComment: '{{ with $revertCodeComment }}{{ . }}{{ end }}'
      -
        function: RunInlineCode
        parameters:
          code: PowerShell -ExecutionPolicy Unrestricted -Command "{{ $code | inlinePowerShell | escapeDoubleQuotes }}"
          revertCode: |-
            {{ with $revertCode }}
            PowerShell -ExecutionPolicy Unrestricted -Command "{{ . | inlinePowerShell | escapeDoubleQuotes }}"
            {{ end }}
  -
    name: DisablePerUserService
    parameters:
      -
        name: serviceName
      -
        name: defaultStartupMode # Allowed values: Boot | System | Automatic | Manual
    # More about per-user services: https://docs.microsoft.com/en-us/windows/application-management/per-user-services-in-windows
    call:
      -
        # System-wide variant: every per-user service also has a system-wide counterpart with the same default startup mode
        function: DisableServiceInRegistry
        parameters:
          serviceName: '{{ $serviceName }}'
          defaultStartupMode: '{{ $defaultStartupMode }}'
      -
        # Per-user variant
        function: DisableServiceInRegistry
        parameters:
          serviceName: '{{ $serviceName }}_*'
          defaultStartupMode: '{{ $defaultStartupMode }}'
  -
    name: RunInlineCode
    # Marked: refactor-with-partials
    # Same function in macOS, Linux, Windows
    parameters:
      -
        name: code
        optional: true
      -
        name: revertCode
        optional: true
    code: '{{ with $code }}{{ . }}{{ end }}'
    revertCode: '{{ with $revertCode }}{{ . }}{{ end }}'
  -
    name: RunPowerShellWithSameCodeAndRevertCode
    parameters:
      -
        name: code
      -
        name: codeComment
        optional: true
    call:
      function: RunPowerShell
      parameters:
        code: '{{ $code }}'
        revertCode: '{{ $code }}'
        codeComment: '{{ with $codeComment }}{{ . }}{{ end }}'
        revertCodeComment: '{{ with $codeComment }}{{ . }}{{ end }}'
  -
    name: RunInlineCodeAsTrustedInstaller
    parameters:
      -
        name: code
      -
        name: revertCode
        optional: true
    call:
      function: RunPowerShell
      parameters:
        # PowerShell commands (`Unregister-ScheduledTask` and `Get-ScheduledTask`) sometimes fail to find existing tasks.
        # Seen e.g. on Windows 11 when reverting scripts after executing them and reboot.
        # They are seen to throw different exceptions:
        #   - `Unregister-ScheduledTask : The system cannot find the file specified`
        #     `ObjectNotFound: (MSFT_ScheduledTask:Root/Microsoft/...T_ScheduledTask)` with `HRESULT 0x80070002`
        #   - `No MSFT_ScheduledTask objects found with property 'TaskName'`
        #   - Because task is already running but `Get-ScheduledTask` cannot find it, it throws:
        #     `Failed to execute with exit code: 267009`
        # Solution
        #   Checking if task is running:
        #     - ❌ Not using `"$(schtasks.exe /query /tn "$taskName" 2>$null)".Contains('Running')` because it outputs
        #       different text (not always "Running") in German/English versions.
        #     - ❌ Not using `(Get-ScheduledTask $taskName -ErrorAction Ignore).State -eq 'Running'`
        #       because `Get-ScheduledTask` sometimes fails.
        #     - ✅ Using `(Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009` where "267009" indicates running.
        #   Deleting existing task:
        #     - ❌ Not using `Unregister-ScheduledTask $taskName -Confirm:$false` because it sometimes fails with `0x80070002`
        #     - ✅ Using `schtasks.exe /delete /tn "$taskName" /f` with additional `| Out-Null` or `2>&1 | Out-Null`
        #       to suppress errors.
        code: |-
          $command = '{{ $code }}'
          $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464')
          $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount])
          $streamOutFile = New-TemporaryFile
          $batchFile = New-TemporaryFile
          try {
            $batchFile = Rename-Item $batchFile "$($batchFile.BaseName).bat" -PassThru
            "@echo off`r`n$command`r`nexit 0" | Out-File $batchFile -Encoding ASCII
            $taskName = 'privacy.sexy invoke'
            schtasks.exe /delete /tn "$taskName" /f 2>&1 | Out-Null # Clean if something went wrong before, suppress any output
            $taskAction = New-ScheduledTaskAction `
              -Execute 'cmd.exe' `
              -Argument "cmd /c `"$batchFile`" > $streamOutFile 2>&1"
            $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
            Register-ScheduledTask `
              -TaskName $taskName `
              -Action $taskAction `
              -Settings $settings `
              -Force `
              -ErrorAction Stop `
              | Out-Null
            try {
              ($scheduleService = New-Object -ComObject Schedule.Service).Connect()
              $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null
              $timeOutLimit = (Get-Date).AddMinutes(5)
              Write-Host "Running as $trustedInstallerName"
              while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {
                Start-Sleep -Milliseconds 200
                if((Get-Date) -gt $timeOutLimit) {
                  Write-Warning "Skipping results, it took too long to execute the script."
                  break;
                }
              }
              if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {
                Write-Error "Failed to execute with exit code: $result."
              }
            } finally {
              schtasks.exe /delete /tn "$taskName" /f | Out-Null # Outputs only errors
            }
            Get-Content $streamOutFile
          } finally {
            Remove-Item $streamOutFile, $batchFile
          }
        revertCode: |-
          # Duplicated until custom pipes are implemented
          {{ with $revertCode }}
          $command = '{{ . }}'
          $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464')
          $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount])
          $streamOutFile = New-TemporaryFile
          $batchFile = New-TemporaryFile
          try {
            $batchFile = Rename-Item $batchFile "$($batchFile.BaseName).bat" -PassThru
            "@echo off`r`n$command`r`nexit 0" | Out-File $batchFile -Encoding ASCII
            $taskName = 'privacy.sexy invoke'
            schtasks.exe /delete /tn "$taskName" /f 2>&1 | Out-Null # Clean if something went wrong before, suppress any output
            $taskAction = New-ScheduledTaskAction `
              -Execute 'cmd.exe' `
              -Argument "cmd /c `"$batchFile`" > $streamOutFile 2>&1"
            $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
            Register-ScheduledTask `
              -TaskName $taskName `
              -Action $taskAction `
              -Settings $settings `
              -Force `
              -ErrorAction Stop `
              | Out-Null
            try {
              ($scheduleService = New-Object -ComObject Schedule.Service).Connect()
              $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null
              $timeOutLimit = (Get-Date).AddMinutes(5)
              Write-Host "Running as $trustedInstallerName"
              while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {
                Start-Sleep -Milliseconds 200
                if((Get-Date) -gt $timeOutLimit) {
                  Write-Warning "Skipping results, it took too long to execute the script."
                  break;
                }
              }
              if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {
                Write-Error "Failed to execute with exit code: $result."
              }
            } finally {
              schtasks.exe /delete /tn "$taskName" /f | Out-Null # Outputs only errors
            }
            Get-Content $streamOutFile
          } finally {
            Remove-Item $streamOutFile, $batchFile
          }
          {{ end }}
  -
    name: DisableServiceInRegistry
    parameters:
      -
        name: serviceName
      -
        name: defaultStartupMode # Allowed values: Boot | System | Automatic | Manual
    call:
      function: RunPowerShell
      # Marked: refactor-with-revert-call, refactor-with-variables
      # Implementation of those should share similar code: `DisableService`, `StopService`, `StartService`, `DisableServiceInRegistry`
      parameters:
        code: |-
          # We do it the registry way because the GUI, "sc config" and "Set-Service" won't work
          $serviceQuery = '{{ $serviceName }}'
          # -- 1. Skip if service does not exist
          $service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue
          if(!$service) {
            Write-Host "Service query `"$serviceQuery`" did not yield any results, no need to disable it."
            Exit 0
          }
          $serviceName = $service.Name
          Write-Host "Disabling service: `"$serviceName`"."
          # -- 2. Stop if running
          if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {
            Write-Host "`"$serviceName`" is running, trying to stop it."
            try {
              Stop-Service -Name "$serviceName" -Force -ErrorAction Stop
              Write-Host "Stopped `"$serviceName`" successfully."
            } catch {
              Write-Warning "Could not stop `"$serviceName`", it will be stopped after reboot: $_"
            }
          } else {
            Write-Host "`"$serviceName`" is not running, no need to stop."
          }
          # -- 3. Skip if service info is not found in registry
          $registryKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"
          if(!(Test-Path $registryKey)) {
            Write-Host "`"$registryKey`" is not found in registry, cannot disable it."
            Exit 0
          }
          # -- 4. Skip if already disabled
          if( $(Get-ItemProperty -Path "$registryKey").Start -eq 4) {
            Write-Host "`"$serviceName`" is already disabled from start, no further action is needed."
            Exit 0
          }
          # -- 5. Disable service
          try {
            Set-ItemProperty $registryKey -Name Start -Value 4 -Force -ErrorAction Stop
            Write-Host "Disabled `"$serviceName`" successfully."
          } catch {
            Write-Error "Could not disable `"$serviceName`": $_"
          }
        revertCode: |-
          $serviceQuery = '{{ $serviceName }}'
          $defaultStartupMode = '{{ $defaultStartupMode }}'
          # -- 1. Skip if service does not exist
          $service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue
          if(!$service) {
            Write-Warning "Service query `"$serviceQuery`" did not yield any results, cannot enable it."
            Exit 1
          }
          $serviceName = $service.Name
          Write-Host "Enabling service: `"$serviceName`" with `"$defaultStartupMode`" start."
          # -- 2. Skip if service info is not found in registry
          $registryKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"
          if(!(Test-Path $registryKey)) {
            Write-Warning "`"$registryKey`" is not found in registry, cannot enable it."
            Exit 1
          }
          # -- 3. Enable if not already enabled
          # Registry `Start` (REG_DWORD) values: 0 = Boot, 1 = System, 2 = Automatic, 3 = Manual, 4 = Disabled
          $defaultStartupRegValue = switch ($defaultStartupMode) {
            'Boot'      { 0 }
            'System'    { 1 }
            'Automatic' { 2 }
            'Manual'    { 3 }
            default     { throw "Unknown start mode: $defaultStartupMode" }
          }
          if( $(Get-ItemProperty -Path "$registryKey").Start -eq $defaultStartupRegValue) {
            Write-Host "`"$serviceName`" is already enabled with `"$defaultStartupMode`" start."
          } else {
            try {
              Set-ItemProperty $registryKey -Name Start -Value $defaultStartupRegValue -Force -ErrorAction Stop
              Write-Host "Enabled `"$serviceName`" successfully with `"$defaultStartupMode`" start, this may require restarting your computer."
            } catch {
              Write-Error "Could not enable `"$serviceName`": $_"
              Exit 1
            }
          }
          # -- 4. Start if not running (must be enabled first)
          if($defaultStartupMode -eq 'Automatic') {
            if ($service.Status -ne [System.ServiceProcess.ServiceControllerStatus]::Running) {
              Write-Host "`"$serviceName`" is not running, trying to start it."
try { Start-Service $serviceName -ErrorAction Stop Write-Host "Started `"$serviceName`" successfully." } catch { Write-Warning "Could not start `"$serviceName`", requires restart, it will be started after reboot.`r`n$_" } } else { Write-Host "`"$serviceName`" is already running, no need to start." } } - name: SetMpPreference # Configures preferences for Microsoft Defender scans and updates. # ❗️ Requires "WinDefend" service in running state, otherwise fails parameters: - name: property - name: value - # When provided, the revert sets this default value using `Set-MpPreference`. # Used by default on Windows 10 as the `Remove-MpPreference` cmdlet is very limited/poor on Windows 10. # Ignored on Windows 11 unless `setDefaultOnWindows11` is also provided. name: default optional: true - # When reverting on Windows 11, `Set-MpPreference` is called with the `default` value instead of `Remove-MpPreference`. # Should be used in cases where the `Remove-MpPreference` cmdlet does not set the expected values on Windows 11. name: setDefaultOnWindows11 optional: true call: function: RunPowerShell parameters: # Unsupported arguments -> # Skips when error contains "Cannot convert", this happens e.g. when trying to set `PlatformUpdatesChannel`, # `EngineUpdatesChannel`, `DefinitionUpdatesChannel` to `Broad`. `Broad` is not supported on all platforms # and throws e.g. with: # `Cannot process argument transformation on parameter 'EngineUpdatesChannel'. Cannot convert value # "Broad" to type "Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.UpdatesChannelType". # Error: "Unable to match the identifier name Broad to a valid enumerator name. Specify one of the # following enumerator names and try again: NotConfigured, Beta, Preview"` code: |- $propertyName = '{{ $property }}' $value = {{ $value }} if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) { Write-Host "Skipping. `"$propertyName`" is already `"$value`" as desired."
exit 0 } $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore if (!$command) { Write-Warning 'Skipping. Command not found: "Set-MpPreference".' exit 0 } if(!$command.Parameters.Keys.Contains($propertyName)) { Write-Host "Skipping. `"$propertyName`" is not supported for `"$($command.Name)`"." exit 0 } try { Invoke-Expression "$($command.Name) -Force -$propertyName `$value -ErrorAction Stop" Write-Host "Successfully set `"$propertyName`" to `"$value`"." exit 0 } catch { if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') { Write-Warning "Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?" exit 0 } elseif (($_ | Out-String) -like '*Cannot convert*') { Write-Host "Skipping. Argument `"$value`" for property `"$propertyName`" is not supported for `"$($command.Name)`"." exit 0 } else { Write-Error "Failed to set using $($command.Name): $_" exit 1 } } # `Remove-MpPreference` behaves differently on Windows 11 and Windows 10 because they ship different versions of the cmdlet: # Windows 10 version: https://docs.microsoft.com/en-us/powershell/module/defender/remove-mppreference?view=windowsserver2019-ps # Windows 11 version: https://docs.microsoft.com/en-us/powershell/module/defender/remove-mppreference?view=windowsserver2022-ps # On Windows 11: # - By default, `Remove-MpPreference` restores the default value of the setting in all cases. # - The `setDefaultOnWindows11` parameter changes this behavior to set the `default` value using `Set-MpPreference`. # On Windows 10: # - If the `default` argument is provided, it is set using `Set-MpPreference`. # - The `default` argument should not be provided if `Remove-MpPreference` supports the setting on Windows 10. revertCode: |- $propertyName = '{{ $property }}' {{ with $default }} $defaultValue = {{ .
}} {{ end }} $setDefaultOnWindows10 = {{ with $default }} $true # {{ end }} $false $setDefaultOnWindows11 = {{ with $setDefaultOnWindows11 }} $true # {{ end }} $false $osVersion = [System.Environment]::OSVersion.Version function Test-IsWindows10 { ($osVersion.Major -eq 10) -and ($osVersion.Build -lt 22000) } function Test-IsWindows11 { ($osVersion.Major -gt 10) -or (($osVersion.Major -eq 10) -and ($osVersion.Build -ge 22000)) } # ------ Set-MpPreference ------ if(($setDefaultOnWindows10 -and (Test-IsWindows10)) -or ($setDefaultOnWindows11 -and (Test-IsWindows11))) { if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $defaultValue) { Write-Host "Skipping. `"$propertyName`" is already configured as desired `"$defaultValue`"." exit 0 } $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore if (!$command) { Write-Warning 'Skipping. Command not found: "Set-MpPreference".' exit 1 } if(!$command.Parameters.Keys.Contains($propertyName)) { Write-Host "Skipping. `"$propertyName`" is not supported for `"$($command.Name)`"." exit 0 } try { Invoke-Expression "$($command.Name) -Force -$propertyName `$defaultValue -ErrorAction Stop" Write-Host "Successfully restored `"$propertyName`" to its default `"$defaultValue`"." exit 0 } catch { if ($_.FullyQualifiedErrorId -like '*0x800106ba*') { Write-Warning "Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?" } else { Write-Error "Failed to set using $($command.Name): $_" } exit 1 } } # ------ Remove-MpPreference ------ $command = Get-Command 'Remove-MpPreference' -ErrorAction Ignore if (!$command) { Write-Warning 'Skipping. Command not found: "Remove-MpPreference".' exit 1 } if(!$command.Parameters.Keys.Contains($propertyName)) { Write-Host "Skipping. `"$propertyName`" is not supported for `"$($command.Name)`"." 
exit 0 } try { Invoke-Expression "$($command.Name) -Force -$propertyName -ErrorAction Stop" Write-Host "Successfully restored `"$propertyName`" to its default." exit 0 } catch { if ($_.FullyQualifiedErrorId -like '*0x800106ba*') { Write-Warning "Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?" } else { Write-Error "Failed to restore using $($command.Name): $_" } exit 1 } - name: StopService parameters: - name: serviceName - name: serviceRestartStateFile # This file is created only if the service is successfully stopped. optional: true - name: waitUntilStopped # Makes the script wait until the service is stopped optional: true call: - function: Comment parameters: codeComment: >- Stop service: {{ $serviceName }} {{ with $serviceRestartStateFile }}(with state flag){{ end }} {{ with $waitUntilStopped }}(wait until stopped){{ end }} - function: RunPowerShell parameters: # Marked: refactor-with-variables # - Implementation of those should share similar code: `DisableService`, `StopService`, `StartService`, `DisableServiceInRegistry` # - Creating the marker file is same as in script `CreatePlaceholderFile` code: |- $serviceName = '{{ $serviceName }}' Write-Host "Stopping service: `"$serviceName`"." $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue if (!$service) { Write-Host "Skipping, service `"$serviceName`" could not be found, no need to stop it." exit 0 } if ($service.Status -ne [System.ServiceProcess.ServiceControllerStatus]::Running) { Write-Host "Skipping, `"$serviceName`" is not running, no need to stop." exit 0 } Write-Host "`"$serviceName`" is running, stopping it." try { $service | Stop-Service -Force -ErrorAction Stop {{ with $waitUntilStopped }} $service.WaitForStatus([System.ServiceProcess.ServiceControllerStatus]::Stopped) {{ end }} } catch { throw "Failed to stop the service `"$serviceName`": $_" } Write-Host "Successfully stopped the service: `"$serviceName`"."
{{ with $serviceRestartStateFile }} $stateFilePath = '{{ . }}' $expandedStateFilePath = [System.Environment]::ExpandEnvironmentVariables($stateFilePath) if (Test-Path -Path $expandedStateFilePath) { Write-Host "Skipping creating a service state file, it already exists: `"$expandedStateFilePath`"." } else { # Ensure the directory exists $parentDirectory = [System.IO.Path]::GetDirectoryName($expandedStateFilePath) if (-not (Test-Path $parentDirectory -PathType Container)) { try { New-Item -ItemType Directory -Path $parentDirectory -Force -ErrorAction Stop | Out-Null } catch { Write-Warning "Failed to create parent directory of service state file `"$parentDirectory`": $_" } } # Create the state file try { New-Item -ItemType File -Path $expandedStateFilePath -Force -ErrorAction Stop | Out-Null Write-Host 'The service will be started again.' } catch { Write-Warning "Failed to create service state file `"$expandedStateFilePath`": $_" } } {{ end }} - name: StartService parameters: - name: serviceName - name: serviceRestartStateFile # Used for "check and delete": Starts the service only if file exists, always deletes the file. optional: true call: - function: Comment parameters: codeComment: >- Start service: {{ $serviceName }} {{ with $serviceRestartStateFile }}(with state flag){{ end }} - function: RunPowerShell parameters: # Marked: refactor-with-variables # - Implementation of those should share similar code: `DisableService`, `StopService`, `StartService`, `DisableServiceInRegistry` # - Removing the marker file is same as in script `CreatePlaceholderFile` code: |- $serviceName = '{{ $serviceName }}' {{ with $serviceRestartStateFile }} $stateFilePath = '{{ . }}' $expandedStateFilePath = [System.Environment]::ExpandEnvironmentVariables($stateFilePath) if (-not (Test-Path -Path $expandedStateFilePath)) { Write-Host "Skipping starting the service: It was not running before." 
} else { try { Remove-Item -Path $expandedStateFilePath -Force -ErrorAction Stop Write-Host 'The service is expected to be started.' } catch { Write-Warning "Failed to delete the service state file `"$expandedStateFilePath`": $_" } } {{ end }} $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue if (!$service) { throw "Failed to start service `"$serviceName`": Service not found." } if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) { Write-Host "Skipping, `"$serviceName`" is already running, no need to start." exit 0 } Write-Host "`"$serviceName`" is not running, starting it." try { $service | Start-Service -ErrorAction Stop Write-Host "Successfully started the service: `"$serviceName`"." } catch { Write-Warning "Failed to start the service `"$serviceName`": $_" exit 1 } - name: DisableService parameters: - name: serviceName - name: defaultStartupMode # Allowed values: Automatic | Manual - name: ignoreMissingOnRevert # When set to true, the revert operation will skip any actions for services that cannot be found, instead of failing. optional: true call: - function: Comment parameters: codeComment: "Disable service(s): `{{ $serviceName }}`" revertCodeComment: "Restore service(s) to default state: `{{ $serviceName }}`" - # Marked: refactor-with-revert-call, refactor-with-variables # Implementation of those should share similar code: `DisableService`, `StopService`, `StartService`, `DisableServiceInRegistry` function: RunPowerShell # Careful with the Set-Service cmdlet: # 1. It exits with a success code even if the service is already disabled # 2. It had a breaking API change for the `-StartupType` parameter: # PowerShell >= 6.0 : Automatic, AutomaticDelayedStart, Disabled, InvalidValue, Manual # PowerShell <= 5 : Boot, System, Automatic, Manual, Disabled # So "Disabled", "Automatic" and "Manual" are the only consistent values.
# Read more: # https://github.com/PowerShell/PowerShell/blob/v7.2.0/src/Microsoft.PowerShell.Commands.Management/commands/management/Service.cs#L2966-L2978 # https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.4 parameters: code: |- $serviceName = '{{ $serviceName }}' Write-Host "Disabling service: `"$serviceName`"." # -- 1. Skip if service does not exist $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue if(!$service) { Write-Host "Service `"$serviceName`" could not be found, no need to disable it." Exit 0 } # -- 2. Stop if running if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) { Write-Host "`"$serviceName`" is running, stopping it." try { Stop-Service -Name "$serviceName" -Force -ErrorAction Stop Write-Host "Stopped `"$serviceName`" successfully." } catch { Write-Warning "Could not stop `"$serviceName`", it will be stopped after reboot: $_" } } else { Write-Host "`"$serviceName`" is not running, no need to stop." } # -- 3. Skip if already disabled $startupType = $service.StartType # Does not work before .NET 4.6.1 if(!$startupType) { $startupType = (Get-WmiObject -Query "Select StartMode From Win32_Service Where Name='$serviceName'" -ErrorAction Ignore).StartMode if(!$startupType) { $startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter "Name='$serviceName'" -ErrorAction Ignore).StartMode } } if($startupType -eq 'Disabled') { Write-Host "`"$serviceName`" is already disabled, no further action is needed." Exit 0 } # -- 4. Disable service try { Set-Service -Name "$serviceName" -StartupType Disabled -Confirm:$false -ErrorAction Stop Write-Host "Disabled `"$serviceName`" successfully."
} catch { Write-Error "Could not disable `"$serviceName`": $_" } revertCode: |- $serviceName = '{{ $serviceName }}' $defaultStartupMode = '{{ $defaultStartupMode }}' $ignoreMissingOnRevert = {{ with $ignoreMissingOnRevert }} $true # {{ end }} $false Write-Host "Enabling service: `"$serviceName`" with `"$defaultStartupMode`" start." # -- 1. Skip if service does not exist $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue if (!$service) { if ($ignoreMissingOnRevert) { Write-Output "Skipping: The service `"$serviceName`" is not found. No action required." Exit 0 } Write-Warning "Failed to revert changes to the service `"$serviceName`". The service is not found." Exit 1 } # -- 2. Enable or skip if already enabled $startupType = $service.StartType # Does not work before .NET 4.6.1 if(!$startupType) { $startupType = (Get-WmiObject -Query "Select StartMode From Win32_Service Where Name='$serviceName'" -ErrorAction Ignore).StartMode if(!$startupType) { $startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter "Name='$serviceName'" -ErrorAction Ignore).StartMode } if($startupType -eq 'Auto') { $startupType = 'Automatic' } # Win32_Service.StartMode reports "Auto", not "Automatic" } if($startupType -eq "$defaultStartupMode") { Write-Host "`"$serviceName`" is already enabled with `"$defaultStartupMode`" start, no further action is needed." } else { try { Set-Service -Name "$serviceName" -StartupType "$defaultStartupMode" -Confirm:$false -ErrorAction Stop Write-Host "Enabled `"$serviceName`" successfully with `"$defaultStartupMode`" start, this may require restarting your computer." } catch { Write-Error "Could not enable `"$serviceName`": $_" Exit 1 } } # -- 3. Start if not running (must be enabled first) if($defaultStartupMode -eq 'Automatic') { if ($service.Status -ne [System.ServiceProcess.ServiceControllerStatus]::Running) { Write-Host "`"$serviceName`" is not running, starting it." try { Start-Service $serviceName -ErrorAction Stop Write-Host "Started `"$serviceName`" successfully."
} catch { Write-Warning "Could not start `"$serviceName`", requires restart, it will be started after reboot.`r`n$_" } } else { Write-Host "`"$serviceName`" is already running, no need to start." } } - name: ShowMessage parameters: - name: message - name: ignoreWindows11 # Ignores warning message on Windows 11, allowed values: true | false, default: false optional: true - name: ignoreWindows10 # Ignores warning message on Windows 10, allowed values: true | false, default: false optional: true - name: showOnRevert optional: true - name: warn optional: true call: function: RunPowerShell parameters: code: |- $message = '{{ $message }}' $ignoreWindows10 = {{ with $ignoreWindows10 }} $true # {{ end }} $false $ignoreWindows11 = {{ with $ignoreWindows11 }} $true # {{ end }} $false $warn = {{ with $warn }} $true # {{ end }} $false $osVersion = [System.Environment]::OSVersion.Version function Test-IsWindows10 { ($osVersion.Major -eq 10) -and ($osVersion.Build -lt 22000) } function Test-IsWindows11 { ($osVersion.Major -gt 10) -or (($osVersion.Major -eq 10) -and ($osVersion.Build -ge 22000)) } if (($ignoreWindows10 -and (Test-IsWindows10)) -or ($ignoreWindows11 -and (Test-IsWindows11))) { echo "Skipping" exit 0 # Skip } if ($warn) { Write-Warning "$message" } else { Write-Host "Note: " -ForegroundColor Blue -NoNewLine Write-Output "$message" } # Marked: refactor-with-variables # Unfortunately duplicates `code` inside `showOnRevert` flag as privacy.sexy compiler does not support better way for now. 
revertCode: |- {{ with $showOnRevert }} $message = '{{ $message }}' $ignoreWindows10 = {{ with $ignoreWindows10 }} $true # {{ end }} $false $ignoreWindows11 = {{ with $ignoreWindows11 }} $true # {{ end }} $false $warn = {{ with $warn }} $true # {{ end }} $false $osVersion = [System.Environment]::OSVersion.Version function Test-IsWindows10 { ($osVersion.Major -eq 10) -and ($osVersion.Build -lt 22000) } function Test-IsWindows11 { ($osVersion.Major -gt 10) -or (($osVersion.Major -eq 10) -and ($osVersion.Build -ge 22000)) } if (($ignoreWindows10 -and (Test-IsWindows10)) -or ($ignoreWindows11 -and (Test-IsWindows11))) { exit 0 # Skip } if ($warn) { Write-Warning "$message" } else { Write-Host "Note: " -ForegroundColor Blue -NoNewLine Write-Output "$message" } {{ end }} - name: RemoveBrowserAssociations parameters: - name: progIdPattern - name: toastAssociations call: - function: RunPowerShell # See all default OS associations: # 1. Open an elevated prompt # 2. Run `dism /online /export-defaultappassociations:C:\appassoc.xml` # 3. Inspect `C:\appassoc.xml` # Registry locations: # - File associations: `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\{extension}\UserChoice` # - URL associations: `HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\{url}\UserChoice` parameters: # - # This script uses WMI StdRegProv methods to modify the registry. # Because deleting key with `Remove-Item -Path $path -Recurse -Force -ErrorAction Stop` fails with: # Cannot delete a subkey tree because the subkey does not exist. 
# CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException # FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException code: |- $programIdPattern = '{{ $progIdPattern }}' $defaultAssociations = @( @{ Type = 'File'; Ext = '.htm'; } @{ Type = 'File'; Ext = '.html'; } @{ Type = 'File'; Ext = '.pdf'; } @{ Type = 'File'; Ext = '.mht'; } @{ Type = 'File'; Ext = '.mhtml'; } @{ Type = 'File'; Ext = '.svg'; } @{ Type = 'File'; Ext = '.url'; } @{ Type = 'File'; Ext = '.website'; } @{ Type = 'File'; Ext = '.xht'; } @{ Type = 'File'; Ext = '.xhtml'; } @{ Type = 'URL'; Ext = 'ftp'; } @{ Type = 'URL'; Ext = 'http'; } @{ Type = 'URL'; Ext = 'https'; } @{ Type = 'URL'; Ext = 'microsoft-edge'; } @{ Type = 'URL'; Ext = 'microsoft-edge-holographic'; } @{ Type = 'URL'; Ext = 'ms-xbl-3d8b930f'; } @{ Type = 'URL'; Ext = 'read'; } ) foreach ($assoc in $defaultAssociations) { $path = $null if ($assoc.Type -eq 'File') { $path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$($assoc.Ext)\UserChoice" } elseif ($assoc.Type -eq 'URL') { $path = "HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\$($assoc.Ext)\UserChoice" } else { throw "Error, unknown type: $($assoc.Type)" } $currentProgramId = Get-ItemProperty -Path $path -Name 'Progid' -ErrorAction Ignore | Select-Object -ExpandProperty Progid if (!$currentProgramId) { Write-Host "Skipping, no association found for `"$($assoc.Ext)`" in `"$path`" matching `"$programIdPattern`"." continue } if ($currentProgramId -notlike $programIdPattern) { Write-Host "Skipping, association found `"$currentProgramId`" in `"$path`" does not match pattern `"$programIdPattern`"." 
continue } $hkcuHiveId = 2147483649 $pathWithoutHive = ($path -split ':\\')[1] $wmi = Get-WmiObject -List -Namespace root\default | Where-Object {$_.Name -eq 'StdRegProv'} $result = $wmi.DeleteKey($hkcuHiveId, $pathWithoutHive) if ($result.ReturnValue -ne 0) { Write-Error "Failed to delete `"$path`": Return code $($result.ReturnValue)" continue } Write-Host "Successfully removed `"$($assoc.Ext)`" association in `"$path`"." } # Differences in OS defaults: # - `.url` : `InternetShortcut` in Windows 11, and `IE.AssocFile.URL` in Windows 10 # - `.website`: N/A (missing) in Windows 11, `IE.AssocFile.WEBSITE` in Windows 10 # Setting keys work fine on Windows 11 but fails with access error on Windows 10, so this script modifies ACLs. revertCode: |- $defaultAssociations = @( @{ Type = 'File'; Ext = '.htm'; ProgId = 'MSEdgeHTM'; } @{ Type = 'File'; Ext = '.html'; ProgId = 'MSEdgeHTM'; } @{ Type = 'File'; Ext = '.pdf'; ProgId = 'MSEdgePDF'; } @{ Type = 'File'; Ext = '.mht'; ProgId = 'MSEdgeMHT'; } @{ Type = 'File'; Ext = '.mhtml'; ProgId = 'MSEdgeMHT'; } @{ Type = 'File'; Ext = '.svg'; ProgId = 'MSEdgeHTM'; } @{ Type = 'File'; Ext = '.url'; ProgId = 'InternetShortcut'; } @{ Type = 'File'; Ext = '.website'; ProgId = 'IE.AssocFile.WEBSITE'; } @{ Type = 'File'; Ext = '.xht'; ProgId = 'MSEdgeHTM'; } @{ Type = 'File'; Ext = '.xhtml'; ProgId = 'MSEdgeHTM'; } @{ Type = 'URL'; Ext = 'ftp'; ProgId = 'MSEdgeHTM'; } @{ Type = 'URL'; Ext = 'http'; ProgId = 'MSEdgeHTM'; } @{ Type = 'URL'; Ext = 'https'; ProgId = 'MSEdgeHTM'; } @{ Type = 'URL'; Ext = 'microsoft-edge'; ProgId = 'MSEdgeHTM'; } @{ Type = 'URL'; Ext = 'microsoft-edge-holographic'; ProgId = 'MSEdgeHTM'; } @{ Type = 'URL'; Ext = 'ms-xbl-3d8b930f'; ProgId = 'MSEdgeHTM'; } @{ Type = 'URL'; Ext = 'read'; ProgId = 'MSEdgeHTM'; } ) foreach ($assoc in $defaultAssociations) { $path = $null if ($assoc.Type -eq 'File') { $path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$($assoc.Ext)\UserChoice" } elseif 
($assoc.Type -eq 'URL') { $path = "HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\$($assoc.Ext)\UserChoice" } else { throw "Unknown type: $($assoc.Type)" } $currentValue = Get-ItemProperty -Path $path -Name 'Progid' -ErrorAction SilentlyContinue if ($currentValue -and ($currentValue.Progid -eq $assoc.ProgId)) { Write-Host "Skipping, `"$($assoc.Ext)`" association already has the desired value. No changes needed." continue } if ($currentValue -and $currentValue.Progid) { Write-Host "Updating existing `"$($currentValue.Progid)`" to `"$($assoc.ProgId)`"." } else { Write-Host "Adding new association `"$($assoc.ProgId)`"." } if (-Not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null Write-Host "Successfully created missing `"$path`"." } # Remove deny access rules $pathWithoutHive = ($path -split ':\\')[1] $registrySubKey = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($pathWithoutHive, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::ChangePermissions) $accessControlList = $registrySubKey.GetAccessControl() $denyAccessRules = @($accessControlList.Access.Where({ $_.AccessControlType -eq "Deny" })) foreach ($denyAccessRule in $denyAccessRules) { $accessControlList.RemoveAccessRule($denyAccessRule) } if ($denyAccessRules.Count -gt 0) { $registrySubKey.SetAccessControl($accessControlList) $registrySubKey.Close() Write-Host "Successfully removed deny access rules from `"$pathWithoutHive`"." 
} # Update registry key Set-ItemProperty -Path $path -Name 'Progid' -Value $assoc.ProgId -Force -ErrorAction Continue Write-Host "Successfully updated association for `"$($assoc.Ext)`"" # Restore permissions if ($denyAccessRules.Count -gt 0) { foreach ($denyAccessRule in $denyAccessRules) { $accessControlList.AddAccessRule($denyAccessRule) } $registrySubKey = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($pathWithoutHive, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::ChangePermissions) $registrySubKey.SetAccessControl($accessControlList) $registrySubKey.Close() Write-Host "Successfully added back deny access rules to `"$pathWithoutHive`"." } } - # Remove "Open With" context menu associations # Edge uninstallers do not remove these associations function: RunPowerShell # When reverting, using batch (`reg add /t REG_NONE`) does not add exactly the same default value # These associations can be found at: # - New, chromium : HKLM\SOFTWARE\Clients\StartMenuInternet\Microsoft Edge\Capabilities\FileAssociations # - Legacy, store : HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages\Microsoft.MicrosoftEdge_{Version}\MicrosoftEdge\Capabilities\FileAssociations # - See Microsoft docs for default associations: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/272f15b1d7ea4768e79eb74cfe24d584823970ef/windows/client-management/mdm/policy-csp-applicationdefaults.md?plain=1#L80-L87 parameters: code: |- $extensions = @('.htm', '.html', '.pdf', '.svg') foreach ($extension in $extensions) { $path = "HKCU:\Software\Classes\$extension\OpenWithProgids" Write-Host "Removing association for `"$extension`": `"$path`"..."
Remove-Item -Path $path -Force -ErrorAction SilentlyContinue } revertCode: |- # Common defaults since Windows 10 21H2 and Windows 11 21H2 $defaultContextMenuAssociations = @( @{ Extension='.htm'; Name='AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9'; } @{ Extension='.html'; Name='AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9'; } @{ Extension='.pdf'; Name='AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723'; } @{ Extension='.svg'; Name='AppXde74bfzw9j31bzhcvsrxsyjnhhbq66cs'; } ) foreach ($assoc in $defaultContextMenuAssociations) { $path = "HKCU:\Software\Classes\$($assoc.Extension)\OpenWithProgids" $value = Get-ItemProperty -Path $path -Name $assoc.Name -ErrorAction SilentlyContinue if ($value -and [System.BitConverter]::ToString($value.$($assoc.Name)) -eq '') { Write-Host "Skipping, no changes needed for `"$($assoc.Name)`" association." continue } if (-Not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null } Set-ItemProperty -Path $path -Name $assoc.Name -Value ([byte[]]@()) -Type None -Force Write-Host "Successfully reverted association for `"$($assoc.Name)`"." } - function: RunInlineCode # Clean application toasts associations # Description: # The HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts registry key in Windows stores user preferences for file type and application associations. # When a user opens a file with a non-default application, Windows may display a "toast" notification suggesting the use of the default application for that file type. The user's # response to this suggestion is recorded in the ApplicationAssociationToasts registry key. This allows Windows to remember the user's application preferences for specific file types # and determine whether to show the notification again in the future. parameters: code: |- for %%a in ( {{ $toastAssociations }} ) do ( echo Removing association toast for "%%a"... 
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts" /v "%%a" /f 2>nul ) revertCode: |- for %%a in ( {{ $toastAssociations }} ) do ( echo Restoring association toast for "%%a"... reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts" /v "%%a" /t "REG_DWORD" /d "0" /f ) - name: RemoveShortcutFiles parameters: - name: shortcutItems - name: targetFile call: function: RunPowerShell parameters: code: |- $shortcuts = @( {{ $shortcutItems }} ) foreach ($shortcut in $shortcuts) { if (-Not (Test-Path $shortcut.Path)) { Write-Host "Skipping, shortcut does not exist: `"$($shortcut.Path)`"." continue } try { Remove-Item -Path $shortcut.Path -Force -ErrorAction Stop Write-Output "Successfully removed shortcut: `"$($shortcut.Path)`"." } catch { Write-Error "Encountered an issue while attempting to remove shortcut at: `"$($shortcut.Path)`"." } } revertCode: |- $targetFilePath = "{{ $targetFile }}" $expandedTargetFilePath = [System.Environment]::ExpandEnvironmentVariables($targetFilePath) $shortcuts = @( {{ $shortcutItems }} ) if (-Not (Test-Path $expandedTargetFilePath)) { Write-Warning "Target file `"$expandedTargetFilePath`" does not exist." } $wscriptShell = $null try { $wscriptShell = New-Object -ComObject WScript.Shell } catch { throw "Failed to create WScript.Shell object: $($_.Exception.Message)" } foreach ($shortcut in $shortcuts) { if (-Not $shortcut.Revert) { Write-Host "Skipping, revert operation is not needed for: `"$($shortcut.Path)`"." continue } if (Test-Path $shortcut.Path) { Write-Host "Shortcut already exists, skipping: `"$($shortcut.Path)`"." continue } try { $shellShortcut = $wscriptShell.CreateShortcut($shortcut.Path) $shellShortcut.TargetPath = $expandedTargetFilePath $shellShortcut.Save() Write-Output "Successfully created shortcut at `"$($shortcut.Path)`"." } catch { Write-Error "An error occurred while creating the shortcut at `"$($shortcut.Path)`"." 
} } - name: Comment # 💡 Purpose: # Adds a comment in the executed code for better readability and debugging. # This function does not affect the execution flow but helps in understanding the purpose of subsequent code. parameters: - name: codeComment optional: true - name: revertCodeComment optional: true call: function: RunInlineCode parameters: code: '{{ with $codeComment }}:: {{ . }}{{ end }}' revertCode: '{{ with $revertCodeComment }}:: {{ . }}{{ end }}' - # ℹ️ Behavior: # Searches for files and directories based on a Unix-style glob pattern and iterates over them. # Similar to the `ls` command. # Primarily supports the `*` wildcard; compatibility with other patterns is not tested. # 💡 Usage: # This is a low-level function. Favor using other functions in script calls. # It provides following variables for the code in argument value: # - `$expandedPath` : Expanded path glob pattern. # - `$path` : Current iterated path (only available for `duringIteration`) name: IterateGlob parameters: - name: pathGlob # Glob pattern for search. - name: revertPathGlob # Glob pattern for reverting changes. optional: true - name: beforeIteration # (Iteration callback) Code to run before iteration. optional: true - name: duringIteration # (Iteration callback) Code to run for each found item. - name: afterIteration # (Iteration callback) Code to run after iteration. optional: true - name: recurse # If set, includes all files and directories recursively. optional: true call: function: RunPowerShell parameters: code: |- $pathGlobPattern = "{{ $pathGlob }}" $expandedPath = [System.Environment]::ExpandEnvironmentVariables($pathGlobPattern) Write-Host "Searching for items matching pattern: `"$($expandedPath)`"." {{ with $beforeIteration }} {{ . }} {{ end }} $foundAbsolutePaths = @() {{ with $recurse }} Write-Host 'Iterating files and directories recursively.' 
try { $foundAbsolutePaths += @( Get-ChildItem -Path $expandedPath -Force -Recurse -ErrorAction Stop | Select-Object -ExpandProperty FullName ) } catch [System.Management.Automation.ItemNotFoundException] { # Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions } {{ end }} try { $foundAbsolutePaths += @( Get-Item -Path $expandedPath -ErrorAction Stop | Select-Object -ExpandProperty FullName ) } catch [System.Management.Automation.ItemNotFoundException] { # Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions } $foundAbsolutePaths = $foundAbsolutePaths ` | Select-Object -Unique ` | Sort-Object -Property { $_.Length } -Descending if (!$foundAbsolutePaths) { Write-Host 'Skipping, no items available.' exit 0 } Write-Host "Initiating processing of $($foundAbsolutePaths.Count) items from `"$expandedPath`"." foreach ($path in $foundAbsolutePaths) { {{ $duringIteration }} } {{ with $afterIteration }} {{ . }} {{ end }} # Marked: refactor-with-variables # Unfortunately a lot of duplication here as privacy.sexy compiler does not support better way for now. # The difference from this script and `code` is that: # - It sets `$revert` variable to `$true`. # - It uses value of `$revertPathGlob` instead of `$pathGlob` revertCode: |- {{ with $revertPathGlob }} $revert = $true $pathGlobPattern = "{{ . }}" $expandedPath = [System.Environment]::ExpandEnvironmentVariables($pathGlobPattern) Write-Host "Searching for items matching pattern: `"$($expandedPath)`"." {{ with $beforeIteration }} {{ . }} {{ end }} $foundAbsolutePaths = @() {{ with $recurse }} Write-Host 'Iterating files and directories recursively.' 
try { $foundAbsolutePaths += @( Get-ChildItem -Path $expandedPath -Force -Recurse -ErrorAction Stop | Select-Object -ExpandProperty FullName ) } catch [System.Management.Automation.ItemNotFoundException] { # Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions } {{ end }} try { $foundAbsolutePaths += @( Get-Item -Path $expandedPath -ErrorAction Stop | Select-Object -ExpandProperty FullName ) } catch [System.Management.Automation.ItemNotFoundException] { # Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions } $foundAbsolutePaths = $foundAbsolutePaths ` | Select-Object -Unique ` | Sort-Object -Property { $_.Length } -Descending if (!$foundAbsolutePaths) { Write-Host 'Skipping, no items available.' exit 0 } Write-Host "Initiating processing of $($foundAbsolutePaths.Count) items from `"$expandedPath`"." foreach ($path in $foundAbsolutePaths) { {{ $duringIteration }} } {{ with $afterIteration }} {{ . }} {{ end }} {{ end }} - name: DeleteGlob # ℹ️ Behavior: # Deletes files and directories based on a Unix-style glob pattern. # Optionally, it can grant full permissions to the items before deletion. # 💡 Usage: # This is a low-level function. Favor higher-level functions like `ClearDirectoryContents`, `DeleteDirectory`, and `DeleteFiles` # for clearer intent and enhanced security when applicable. # 🚫 Limitations: # The function might not perform as expected if the current user lacks read permissions on the parent directory. # This specific use case is not addressed in the implementation because it has not been deemed necessary for the function's intended # applications. parameters: - name: pathGlob # Glob pattern for search. - name: grantPermissions # Grants permission on items of the parent directory recursively (including all files and directories) to be able to delete them. optional: true - name: beforeIteration # (Iteration callback) Code to run before iteration. 
optional: true - name: duringIteration # (Iteration callback) Code to run for each found item. optional: true - name: afterIteration # (Iteration callback) Code to run after iteration. optional: true - name: recurse # If set, deletes all files and directories recursively. optional: true call: function: IterateGlob parameters: pathGlob: '{{ $pathGlob }}' recurse: '{{ with $recurse }}{{ . }}{{ end }}' # Marked: refactor-with-variables (optionally) # Granting permissions has limitations for wildcard due to `takeown` and `icacls`. These commands are used for their simplicity to avoid adjusting token privileges. # However, adjusting token privileges is already implemented by `SoftFileDelete`, when this kind of implementations are reusable, this script can be improved to # use `Get-Acl`, `Set-Acl` instead for better wildcards support. When using `Get-Acl`, `Set-Acl`, think also about a way to handle when the user is lacking "List Folder" # Considerations for using `Get-Acl` and `Set-Acl`: # These commands may encounter issues when the user lacks "List Folder" permissions on a parent directory, which is essential for the `DeleteGlob` function. # This is robustly handled by `takeown`. # `takeown` effectively handles scenarios where the user lacks "List Folder" permissions. # It requires a localized 'yes' flag, which varies with the system language ('y' for English). # To find the localized 'yes', the script uses the `choice` command. This approach is simpler and more reliable # than parsing `takeown /?`, which has proven to be inconsistent across different languages. # For future enhancements: # - Explore handling folder listing permission issues when transitioning to `Get-Acl` and `Set-Acl`. # - Currently, `takeown` is preferred for its reliability in permission handling, especially in wildcard scenarios. 
beforeIteration: |- {{ with $grantPermissions }} # Not using `Get-Acl`/`Set-Acl` to avoid adjusting token privileges $parentDirectory = [System.IO.Path]::GetDirectoryName($expandedPath) $fileName = [System.IO.Path]::GetFileName($expandedPath) if ($parentDirectory -like '*[*?]*') { throw "Unable to grant permissions to glob path parent directory: `"$parentDirectory`", wildcards in parent directory are not supported by ``takeown`` and ``icacls``." } if (($fileName -ne '*') -and ($fileName -like '*[*?]*')) { throw "Unable to grant permissions to glob path file name: `"$fileName`", wildcards in file name is not supported by ``takeown`` and ``icacls``." } Write-Host "Taking ownership of `"$expandedPath`"." $cmdPath = $expandedPath if ($cmdPath.EndsWith('\')) { $cmdPath += '\' # Escape trailing backslash for correct handling in batch commands } $takeOwnershipCommand = "takeown /f `"$cmdPath`" /a" # `icacls /setowner` does not succeed, so use `takeown` instead. if (-not (Test-Path -Path "$expandedPath" -PathType Leaf)) { $localizedYes = 'Y' # Default 'Yes' flag (fallback) try { $choiceOutput = cmd /c "choice nul" if ($choiceOutput -and $choiceOutput.Length -ge 2) { $localizedYes = $choiceOutput[1] } else { Write-Warning "Failed to determine localized 'Yes' character. Output: `"$choiceOutput`"" } } catch { Write-Warning "Failed to determine localized 'Yes' character. Error: $_" } $takeOwnershipCommand += " /r /d $localizedYes" } $takeOwnershipOutput = cmd /c "$takeOwnershipCommand 2>&1" # `stderr` message is misleading, e.g. "ERROR: The system cannot find the file specified." is not an error. if ($LASTEXITCODE -eq 0) { Write-Host "Successfully took ownership of `"$expandedPath`" (using ``$takeOwnershipCommand``)." } else { Write-Host "Did not take ownership of `"$expandedPath`" using ``$takeOwnershipCommand``, status code: $LASTEXITCODE, message: $takeOwnershipOutput." 
# Do not write as error or warning, because this can be due to missing path, it's handled in next command. # `takeown` exits with status code `1`, making it hard to handle missing path here. } Write-Host "Granting permissions for `"$expandedPath`"." $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544' $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]) $adminAccountName = $adminAccount.Value $grantPermissionsCommand = "icacls `"$cmdPath`" /grant `"$($adminAccountName):F`" /t" $icaclsOutput = cmd /c "$grantPermissionsCommand" if ($LASTEXITCODE -eq 3) { Write-Host "Skipping, no items available for deletion according to: ``$grantPermissionsCommand``." exit 0 } elseif ($LASTEXITCODE -ne 0) { Write-Host "Take ownership message:`n$takeOwnershipOutput" Write-Host "Grant permissions:`n$icaclsOutput" Write-Warning "Failed to assign permissions for `"$expandedPath`" using ``$grantPermissionsCommand``, status code: $LASTEXITCODE." } else { $fileStats = $icaclsOutput | ForEach-Object { $_ -match '\d+' | Out-Null; $matches[0] } | Where-Object { $_ -ne $null } | ForEach-Object { [int]$_ } if ($fileStats.Count -gt 0 -and ($fileStats | ForEach-Object { $_ -eq 0 } | Where-Object { $_ -eq $false }).Count -eq 0) { Write-Host "Skipping, no items available for deletion according to: ``$grantPermissionsCommand``." exit 0 } else { Write-Host "Successfully granted permissions for `"$expandedPath`" (using ``$grantPermissionsCommand``)." } } {{ end }} $deletedCount = 0 $failedCount = 0 {{ with $beforeIteration }} {{ . }} {{ end }} duringIteration: |- {{ with $duringIteration }} {{ . }} {{ end }} if (-not (Test-Path $path)) { # Re-check existence as prior deletions might remove subsequent items (e.g., subdirectories). Write-Host "Successfully deleted: $($path) (already deleted)." 
$deletedCount++ continue } try { Remove-Item -Path $path -Force -Recurse -ErrorAction Stop $deletedCount++ Write-Host "Successfully deleted: $($path)" } catch { $failedCount++ Write-Warning "Unable to delete $($path): $_" } afterIteration: |- {{ with $afterIteration }} {{ . }} {{ end }} Write-Host "Successfully deleted $($deletedCount) items." if ($failedCount -gt 0) { Write-Warning "Failed to delete $($failedCount) items." } - name: ClearDirectoryContents # 💡 Purpose: # Empties the contents of a directory recursively (including all of its files and subfolders) while preserving # the directory itself. # This is beneficial when other applications depend on the existence of the directory. # For deleting the directory itself too, use `DeleteDirectory`. # 🤓 Implementation: # - Formats the provided glob pattern to ensure only contents are targeted, then delegates to `DeleteGlob`. # - Provides a user-friendly comment in code. parameters: - name: directoryGlob - name: grantPermissions optional: true call: - function: Comment parameters: codeComment: >- Clear directory contents {{ with $grantPermissions }}(with additional permissions){{ end }} : "{{ $directoryGlob }}" - function: DeleteGlob parameters: # Ensure path ends with '\*': # - 'C:\' becomes 'C:\*' # - 'C:' becomes 'C:\*' # - 'C:\*' remains 'C:\*' pathGlob: >- $($directoryGlob = '{{ $directoryGlob }}'; if ($directoryGlob.EndsWith('\*')) { $directoryGlob } elseif ($directoryGlob.EndsWith('\')) { "$($directoryGlob)*" } else { "$($directoryGlob)\*" } ) grantPermissions: '{{ with $grantPermissions }}true{{ end }}' recurse: 'true' # Logs every deleted file name - name: DeleteDirectory # 💡 Purpose: # Deletes an entire directory, including its contents. # ❗️ Use with caution; if you intend to preserve the directory and delete only its contents, use `ClearDirectoryContents`. # 🤓 Implementation: # Formats the provided glob pattern to target the directory, then delegates to `DeleteGlob`. 
# - Provides a user-friendly comment in code. parameters: - name: directoryGlob # The directory to delete along with its files and subdirectories - name: grantPermissions # Grants permission on the parent directory and its sub-items recursively (including all files and directories) to be able to delete them. optional: true - name: beforeIteration # (Iteration callback) Code to run before iteration. optional: true - name: duringIteration # (Iteration callback) Code to run for each found item. optional: true call: - function: Comment parameters: codeComment: >- Delete directory {{ with $grantPermissions }}(with additional permissions){{ end }} : "{{ $directoryGlob }}" - function: DeleteGlob parameters: # Ensure path ends with '\': # - 'C:\' remains 'C:\' # - 'C:' becomes 'C:\' pathGlob: >- $($directoryGlob = '{{ $directoryGlob }}'; if (-Not $directoryGlob.EndsWith('\')) { $directoryGlob += '\' }; $directoryGlob ) grantPermissions: '{{ with $grantPermissions }}true{{ end }}' recurse: 'true' # Logs every deleted file name beforeIteration: '{{ with $beforeIteration }}{{ . }}{{ end }}' duringIteration: '{{ with $duringIteration }}{{ . }}{{ end }}' - name: DeleteFiles # 💡 Purpose: # Deletes files but does not touch any directories. # Use `DeleteDirectory` or `ClearDirectoryContents` to delete directories. parameters: - name: fileGlob # File glob pattern to delete. - name: grantPermissions # Grants permission on the files found, and restores original permissions after modification. optional: true call: - function: Comment parameters: codeComment: >- Delete files matching pattern: "{{ $fileGlob }}" - function: DeleteGlob parameters: pathGlob: '{{ $fileGlob }}' grantPermissions: '{{ with $grantPermissions }}true{{ end }}' beforeIteration: |- $skippedCount = 0 duringIteration: |- if (Test-Path -Path $path -PathType Container) { Write-Host "Skipping, the path is not a file but a folder: $($path)." 
$skippedCount++ continue } afterIteration: |- if ($skippedCount -gt 0) { Write-Host "Skipped $($skippedCount) items." } - name: DeleteFilesFromFirefoxProfiles parameters: - name: pathGlob # File name inin profile file call: - # Windows XP function: DeleteFiles parameters: fileGlob: '%USERPROFILE%\Local Settings\Application Data\Mozilla\Firefox\Profiles\*\{{ $pathGlob }}' - # Windows Vista and newer function: DeleteFiles parameters: fileGlob: '%APPDATA%\Mozilla\Firefox\Profiles\*\{{ $pathGlob }}' - name: DisableScheduledTask parameters: - name: taskPathPattern - name: taskNamePattern - name: disableOnRevert optional: true - name: grantPermissions optional: true call: - function: Comment parameters: codeComment: "Disable scheduled task(s): `{{ $taskPathPattern }}{{ $taskNamePattern }}`" revertCodeComment: "Restore scheduled task(s) to default state: `{{ $taskPathPattern }}{{ $taskNamePattern }}`" - function: RunPowerShell parameters: # Marked: refactor-with-variables # Granting permission is identical to `SoftDeleteFiles`. # It's also duplicated in `code` and `revertCode` code: |- $taskPathPattern='{{ $taskPathPattern }}' $taskNamePattern='{{ $taskNamePattern }}' Write-Output "Disabling tasks matching pattern `"$taskNamePattern`"." $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore) if (-Not $tasks) { Write-Output "Skipping, no tasks matching pattern `"$taskNamePattern`" found, no action needed." exit 0 } $operationFailed = $false foreach ($task in $tasks) { $taskName = $task.TaskName if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) { Write-Output "Skipping, task `"$taskName`" is already disabled, no action needed." 
continue } {{ with $grantPermissions }} $taskFullPath = "$($task.TaskPath)$($task.TaskName)" $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544' $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]) $taskFilePath="$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)" $accessGranted = $false try { $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop $modifiedAcl.SetOwner($adminAccount) $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( ` $adminAccount, ` [System.Security.AccessControl.FileSystemRights]::FullControl, ` [System.Security.AccessControl.AccessControlType]::Allow ` ) $modifiedAcl.SetAccessRule($taskFileAccessRule) Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop Write-Host "Successfully granted permissions for `"$taskFullPath`" ." $accessGranted = $true } catch { Write-Warning "Failed to grant access to `"$taskFullPath`": $($_.Exception.Message)" } {{ end }} try { $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null Write-Output "Successfully disabled task `"$taskName`"." } catch { Write-Error "Failed to disable task `"$taskName`": $($_.Exception.Message)" $operationFailed = $true } {{ with $grantPermissions }} if ($accessGranted) { try { Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop Write-Host "Successfully restored permissions for `"$taskFullPath`" ." } catch { Write-Warning "Failed to restore access on `"$taskFilePath`": $($_.Exception.Message)" } } {{ end }} } if ($operationFailed) { Write-Output 'Failed to disable some tasks. Check error messages above.' exit 1 } # Not failing if tasks cannot be found because all tasks disabled by privacy.sexy do not exist in all Windows versions by default. 
revertCode: |- $taskPathPattern='{{ $taskPathPattern }}' $taskNamePattern='{{ $taskNamePattern }}' $shouldDisable = {{ with $disableOnRevert }} $true # {{ end }} $false Write-Output "Enabling tasks matching pattern `"$taskNamePattern`"." $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore) if (-Not $tasks) { Write-Warning ( ` "Missing task: Cannot enable, no tasks matching pattern `"$taskNamePattern`" found." ` + " This task appears to be not included in this version of Windows." ` ) exit 0 } $operationFailed = $false foreach ($task in $tasks) { $taskName = $task.TaskName if ($shouldDisable) { if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) { Write-Output "Skipping, task `"$taskName`" is already disabled, no action needed." continue } } else { if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) ` -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) { Write-Output "Skipping, task `"$taskName`" is already enabled, no action needed." 
continue } } {{ with $grantPermissions }} $taskFullPath = "$($task.TaskPath)$($task.TaskName)" $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544' $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]) $taskFilePath="$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)" $accessGranted = $false try { $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop $modifiedAcl.SetOwner($adminAccount) $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( ` $adminAccount, ` [System.Security.AccessControl.FileSystemRights]::FullControl, ` [System.Security.AccessControl.AccessControlType]::Allow ` ) $modifiedAcl.SetAccessRule($taskFileAccessRule) Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop Write-Host "Successfully granted permissions for `"$taskFullPath`" ." $accessGranted = $true } catch { Write-Warning "Failed to grant access to `"$taskFullPath`": $($_.Exception.Message)" } {{ end }} try { if ($shouldDisable) { $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null Write-Output "Successfully disabled task `"$taskName`"." } else { $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null Write-Output "Successfully enabled task `"$taskName`"." } } catch { Write-Error "Failed to restore task `"$taskName`": $($_.Exception.Message)" $operationFailed = $true } {{ with $grantPermissions }} if ($accessGranted) { try { Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop Write-Host "Successfully restored permissions for `"$taskFullPath`" ." } catch { Write-Warning "Failed to restore access on `"$taskFilePath`": $($_.Exception.Message)" } } {{ end }} } if ($operationFailed) { Write-Output 'Failed to restore some tasks. Check error messages above.' exit 1 } - name: CreateRegistryKey parameters: - name: keyPath # Full path of the subkey or entry to be added. 
- name: replaceSid # Replaces "$CURRENT_USER_SID" string in registry key with user SID. optional: true - name: codeComment optional: true - name: revertCodeComment optional: true call: # Marked: refactor-with-variables # Replacing SID is same as `DeleteRegistryKey` function: RunPowerShell parameters: code: |- $keyPath='{{ $keyPath }}' $replaceSid={{ with $replaceSid }} $true # {{ end }} $false $registryHive = $keyPath.Split('\')[0] $registryPath = "$($registryHive):$($keyPath.Substring($registryHive.Length))" {{ with $replaceSid }} $userSid = (New-Object System.Security.Principal.NTAccount($env:USERNAME)).Translate([Security.Principal.SecurityIdentifier]).Value $registryPath = $registryPath.Replace('$CURRENT_USER_SID', $userSid) {{ end }} if (Test-Path $registryPath) { Write-Host "Skipping, no action needed, registry path `"$registryPath`" already exists." exit 0 } try { New-Item -Path $registryPath -Force -ErrorAction Stop | Out-Null Write-Host "Successfully created the registry key at path `"$registryPath`"." } catch { Write-Error "Failed to create the registry key at path `"$registryPath`": $($_.Exception.Message)" } codeComment: '{{ with $codeComment }}{{ . }}{{ end }}' revertCodeComment: '{{ with $revertCodeComment }}{{ . }}{{ end }}' - name: DeleteRegistryKey parameters: - name: keyPath # Full path of the subkey or entry to be added. - name: replaceSid # Replaces "$CURRENT_USER_SID" string in registry key with user SID. 
optional: true - name: codeComment optional: true - name: revertCodeComment optional: true call: # Marked: refactor-with-variables # Replacing SID is same as `CreateRegistryKey` function: RunPowerShell parameters: code: |- $keyPath='{{ $keyPath }}' $replaceSid={{ with $replaceSid }} $true # {{ end }} $false $registryHive = $keyPath.Split('\')[0] $registryPath = "$($registryHive):$($keyPath.Substring($registryHive.Length))" {{ with $replaceSid }} $userSid = (New-Object System.Security.Principal.NTAccount($env:USERNAME)).Translate([Security.Principal.SecurityIdentifier]).Value $registryPath = $registryPath.Replace('$CURRENT_USER_SID', $userSid) {{ end }} if (-not (Test-Path $registryPath)) { Write-Host "Skipping, no action needed, registry path `"$registryPath`" does not exist." exit 0 } try { Remove-Item -Path $registryPath -Force -ErrorAction Stop | Out-Null Write-Host "Successfully removed the registry key at path `"$registryPath`"." } catch { Write-Error "Failed to remove the registry key at path `"$registryPath`": $($_.Exception.Message)" } codeComment: '{{ with $codeComment }}{{ . }}{{ end }}' revertCodeComment: '{{ with $revertCodeComment }}{{ . }}{{ end }}' - name: ShowExplorerRestartSuggestion call: - function: Comment parameters: codeComment: Suggest restarting explorer.exe for changes to take effect revertCodeComment: Suggest restarting explorer.exe for changes to take effect - function: ShowMessage parameters: message: >- This script will not take effect until you restart explorer.exe. You can restart explorer.exe by restarting your computer or by running following on command prompt: `taskkill /f /im explorer.exe & start explorer`. 
showOnRevert: 'true' - name: ShowComputerRestartSuggestion call: - function: Comment parameters: codeComment: Suggest restarting computer for changes to take effect revertCodeComment: Suggest restarting computer for changes to take effect - function: ShowMessage parameters: message: For the changes to fully take effect, please restart your computer. showOnRevert: 'true' - name: BlockViaHostsFile parameters: - name: domain call: function: RunPowerShell parameters: # Marked: improve-comment-inlining # `[char]35` is used in place of `#` because otherwise, the compiler interprets it # as an inline PowerShell comment. This workaround allows for the inclusion of the # hash symbol in strings without confusing the PowerShell parser. codeComment: 'Add hosts entries for {{ $domain }}' code: |- $domain ='{{ $domain }}' $hostsFilePath = "$env:WINDIR\System32\drivers\etc\hosts" $comment = "managed by privacy.sexy" $hostsFileEncoding = [Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding]::Utf8 $blockingHostsEntries = @( @{ AddressType = "IPv4"; IPAddress = '0.0.0.0'; } @{ AddressType = "IPv6"; IPAddress = '::1'; } ) try { $isHostsFilePresent = Test-Path ` -Path $hostsFilePath ` -PathType Leaf ` -ErrorAction Stop } catch { Write-Error "Failed to check hosts file existence. Error: $_" exit 1 } if (-Not $isHostsFilePresent) { Write-Output "Creating a new hosts file at $hostsFilePath." try { New-Item -Path $hostsFilePath -ItemType File -Force -ErrorAction Stop | Out-Null Write-Output "Successfully created the hosts file." } catch { Write-Error "Failed to create the hosts file. Error: $_" exit 1 } } foreach ($blockingEntry in $blockingHostsEntries) { Write-Output "Processing addition for $($blockingEntry.AddressType) entry." try { $hostsFileContents = Get-Content ` -Path "$hostsFilePath" ` -Raw ` -Encoding $hostsFileEncoding ` -ErrorAction Stop } catch { Write-Error "Failed to read the hosts file. 
Error: $_" continue } $hostsEntryLine = "$($blockingEntry.IPAddress)`t$domain $([char]35) $comment" if ((-Not [String]::IsNullOrWhiteSpace($hostsFileContents)) -And ($hostsFileContents.Contains($hostsEntryLine))) { Write-Output 'Skipping, entry already exists.' continue } try { Add-Content ` -Path $hostsFilePath ` -Value $hostsEntryLine ` -Encoding $hostsFileEncoding ` -ErrorAction Stop Write-Output 'Successfully added the entry.' } catch { Write-Error "Failed to add the entry. Error: $_" continue } } revertCodeComment: 'Remove hosts entries for {{ $domain }}' # Marked: refactor-with-variables # Both code and revertCode sections perform similar operations with slight variations. # Avoiding `Set-Content`: # Using `Set-Content` with or without the `-Force` flag can lead to inconsistent failures, # manifesting as a "Stream was not readable (WriteErrorException)" error. This issue is # likely due to rapid consecutive read/write operations that PowerShell's `Set-Content` # cannot reliably handle in all scenarios. # To avoid this problem and ensure reliable file operations, we use the .NET class methods # `WriteAllText` for writing to files and `ReadAllText` for reading files. These methods # provide a more stable approach for handling file I/O operations, especially in scripts # that perform frequent file updates. revertCode: |- $domain ='{{ $domain }}' $hostsFilePath = "$env:WINDIR\System32\drivers\etc\hosts" $comment = "managed by privacy.sexy" $hostsFileEncoding = [System.Text.Encoding]::UTF8 $blockingHostsEntries = @( @{ AddressType = "IPv4"; IPAddress = '0.0.0.0'; } @{ AddressType = "IPv6"; IPAddress = '::1'; } ) try { $isHostsFilePresent = Test-Path ` -Path $hostsFilePath ` -PathType Leaf ` -ErrorAction Stop } catch { Write-Error "Failed to check hosts file existence. Error: $_" exit 1 } if (-Not $isHostsFilePresent) { Write-Output 'Skipping, the hosts file does not exist.' 
exit 0 } foreach ($blockingEntry in $blockingHostsEntries) { Write-Output "Processing removal for $($blockingEntry.AddressType) entry." try { $hostsFileContents = [System.IO.File]::ReadAllText($hostsFilePath, $hostsFileEncoding) } catch { Write-Error "Failed to read the hosts file for removal. Error: $_" continue } $hostsEntryLine = "$($blockingEntry.IPAddress)`t$domain $([char]35) $comment" if ([String]::IsNullOrWhiteSpace($hostsFileContents) -Or (-Not $hostsFileContents.Contains($hostsEntryLine))) { Write-Output 'Skipping, entry not found.' continue } $hostsEntryRemovalPattern = [regex]::Escape($hostsEntryLine) + "(\r?\n)?" $hostsFileContentAfterRemoval = $hostsFileContents -Replace $hostsEntryRemovalPattern, "" try { [System.IO.File]::WriteAllText($hostsFilePath, $hostsFileContentAfterRemoval, $hostsFileEncoding) Write-Output 'Successfully removed the entry.' } catch { Write-Error "Failed to remove the entry. Error: $_" continue } } - name: RequireTLSMinimumKeySize parameters: - name: algorithmName # Specifies the cryptographic algorithm to configure. - name: keySizeInBits # Determines the minimum key size in bits for the specified algorithm. - name: ignoreServerSide # If set, the function will not configure the server-side minimum key size. optional: true docs: |- This function configures the minimum key sizes for cryptographic algorithms, enhancing the security of the Transport Layer Security (TLS) protocol on system level [1]. The function modifies registry keys to enforce the minimum key size for both client and server-side TLS key exchange. All versions of Windows 10 and newer support these settings [1]. To set the minimum key size, add the `ServerMinKeyBitLength` and/or `ClientMinKeyBitLength` DWORD values in the registry under the appropriate `KeyExchangeAlgorithms` subkey for the specified algorithm [1] [2]. 
[1]: https://web.archive.org/web/20240402112853/https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings "Transport Layer Security (TLS) registry settings | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de" call: - function: Comment parameters: codeComment: Require "{{ $algorithmName }}" key exchange algorithm to have at "{{ $keySizeInBits }}" least bits keys for TLS/SSL connections revertCodeComment: Restore key size requirement for "{{ $algorithmName }}" for TLS/SSL connections - function: RunInlineCode # Marked: refactor-with-if-syntax # Only run if `ignoreServerSide !== false`, then use `SetRegistryValue` parameters: code: >- {{ with $ignoreServerSide }}:: {{ end }} reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\{{ $algorithmName }}" /v "ServerMinKeyBitLength" /t "REG_DWORD" /d "{{ $keySizeInBits }}" /f revertCode: >- # Missing key since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2) {{ with $ignoreServerSide }}:: {{ end }} reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\{{ $algorithmName }}" /v "ServerMinKeyBitLength" /f 2>nul - function: SetRegistryValue parameters: keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\{{ $algorithmName }} valueName: ClientMinKeyBitLength dataType: REG_DWORD data: '{{ $keySizeInBits }}' deleteOnRevert: 'true' # Missing key since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2) - name: DisableTLSCipher parameters: - name: algorithmName docs: |- This function disables specified symmetric cipher 
algorithms by modifying the `SCHANNEL\Ciphers` subkey in the registry [1] [2] [3] [4]. Changes to this key apply instantly and do not require a system restart. [1]. Setting the `Enabled` registry value to `0` disables the cipher [1] [2] If this value is not configured [1] or set to `1` [1] [2]. [1]: https://web.archive.org/web/20240423073705/https://learn.microsoft.com/en-US/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/restrict-cryptographic-algorithms-protocols-schannel "Restrict cryptographic algorithms and protocols - Windows Server | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de" [3]: https://web.archive.org/web/20240420182953/https://owasp.org/www-project-web-security-testing-guide/assets/archive/OWASP_Testing_Guide_v2.pdf "OWASP TESTING GUIDE 2007 V2 | owasp.org" [4]: https://web.archive.org/web/20240426092730/https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/demystifying-schannel/ba-p/259233 "Demystifying Schannel - Microsoft Community Hub" call: - function: Comment parameters: codeComment: Disable the use of "{{ $algorithmName }}" cipher algorithm for TLS/SSL connections revertCodeComment: Restore the use of "{{ $algorithmName }}" cipher algorithm for TLS/SSL connections - function: SetRegistryValue parameters: keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\{{ $algorithmName }} valueName: Enabled dataType: REG_DWORD data: '0' deleteOnRevert: 'true' # Missing subkeys under `Ciphers` since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2) - name: DisableWindowsKeyPlusCharacterHotkey parameters: - name: 
characterKeyToDisable docs: |- This function disables specific hotkeys that combine the Windows key with another key. Windows Explorer registers nearly two dozen such combinations as global hotkeys, primarily for taskbar-related functionalities [1]. Although these settings are not extensively documented [1], they are acknowledged by Microsoft [2]. The function modifies the registry key `HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisabledHotkeys` [1] [3] [4]. The specified alphabetical character must be provided in uppercase for the registry data [1]. This adjustment requires a restart of the explorer process (`explorer.exe`) [3] [5] or a system restart [4]. > **Caution**: > Disabling a character will block all hotkey combinations that use it [1] [4]. > For example, disabling "V" affects both `Win-V` and `Win-Shift-V` [1] [4]. > See the [Microsoft Support page](https://web.archive.org/web/20240424105403/https://support.microsoft.com/en-us/windows/keyboard-shortcuts-in-windows-dcc61a57-8ff0-cffe-9796-cb9706c75eec) > on keyboard shortcuts to understand which Windows key combinations will be affected. [1]: https://web.archive.org/web/20240424104551/https://www.geoffchappell.com/notes/windows/shell/explorer/globalhotkeys.htm "Disable Global Hot Keys | www.geoffchappell.com" [2]: https://web.archive.org/web/20240424112600/https://github.com/microsoft/PowerToys/issues/12928#issuecomment-999819246 "Shortcut overlay disregard `DisabledHotkeys` registry setting. 
· Issue #12928 · microsoft/PowerToys · GitHub" [3]: https://web.archive.org/web/20240424112650/https://www.nextofwindows.com/how-to-disable-any-specific-win-keyboard-shortcut-in-windows "How To Disable Any Specific Win Keyboard Shortcut in Windows - NEXTOFWINDOWS.COM | www.nextofwindows.com" [4]: https://web.archive.org/web/20240424113022/https://www.ghacks.net/2015/03/22/how-to-disable-specific-global-hotkeys-in-windows/ "How to disable specific global hotkeys in Windows - gHacks Tech News | www.ghacks.net" [5]: https://web.archive.org/web/20240424100904/https://github.com/undergroundwires/privacy.sexy/issues/343#issuecomment-2056279298 "[BUG]: Snipping Tool still can be executable via its keyboard shortcut · Issue #343 · undergroundwires/privacy.sexy · GitHub | github.com" call: - function: Comment parameters: codeComment: Disable the global Windows hotkey "{{ $characterKeyToDisable }}" to prevent its default action. revertCodeComment: Restore the global Windows hotkey "{{ $characterKeyToDisable }}" to re-enable its default functionality. - function: RunPowerShell parameters: code: |- $keyToDisable='{{ $characterKeyToDisable }}' $keyToDisableInUppercase = $keyToDisable.ToUpper() $registryPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' $propertyName = 'DisabledHotkeys' $disabledKeys = Get-ItemProperty ` -Path $registryPath ` -Name $propertyName ` -ErrorAction SilentlyContinue ` | Select-Object -ExpandProperty "$propertyName" if ($disabledKeys) { if ($disabledKeys.Contains($keyToDisableInUppercase)) { Write-Host "Skipping: Key `"$keyToDisableInUppercase`" is already disabled. All disabled keys: `"$disabledKeys`". No action needed." exit 0 } $newKeysToDisable = "$($disabledKeys)$($keyToDisableInUppercase)" Write-Host "Some keys are already disabled: `"$disabledKeys`", but not `"$keyToDisableInUppercase`", disabling it too, new disabled keys: `"$newKeysToDisable`"." 
try { Set-ItemProperty ` -Path $registryPath ` -Name $propertyName ` -Value "$newKeysToDisable" ` -Force ` -ErrorAction Stop Write-Host "Successfully disabled `"$keyToDisableInUppercase`", all disabled keys: `"$newKeysToDisable`"." Exit 0 } catch { Write-Error "Failed to disable `"$keyToDisableInUppercase`": $_" Exit 1 } } else { Write-Host "No keys have been disabled before, disabling: `"$keyToDisableInUppercase`"." try { Set-ItemProperty ` -Path $registryPath ` -Name $propertyName ` -Value "$keyToDisableInUppercase" ` -Force ` -ErrorAction Stop Write-Host "Successfully disabled `"$keyToDisableInUppercase`"." Exit 0 } catch { Write-Error "Failed to disable `"$keyToDisableInUppercase`": $_" Exit 1 } } revertCode: |- $keyToRestore='{{ $characterKeyToDisable }}' $keyToRestoreInUppercase = $keyToRestore.ToUpper() $registryPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' $propertyName = 'DisabledHotkeys' $disabledKeys = Get-ItemProperty ` -Path $registryPath ` -Name $propertyName ` -ErrorAction SilentlyContinue ` | Select-Object -ExpandProperty "$propertyName" if (-Not $disabledKeys) { Write-Host "Skipping: No keys have been disabled before, no need to restore `"$keyToRestoreInUppercase`"." Exit 0 } if (-Not $disabledKeys.Contains($keyToRestoreInUppercase)) { Write-Host "Skipping: Key `"$keyToRestoreInUppercase`" is not disabled. All disabled keys: `"$disabledKeys`". No action needed." Exit 0 } $newKeysToDisable = $disabledKeys.Replace($keyToRestoreInUppercase, "") if (-Not $newKeysToDisable) { Write-Host "Removing all entries from the disabled keys as the last key `"$keyToRestoreInUppercase`" is being restored." try { Remove-ItemProperty ` -Path $registryPath ` -Name $propertyName ` -Force ` -ErrorAction Stop Write-Host "Successfully removed the `"$propertyName`" property from the registry, no disabled keys remain." 
Exit 0 } catch { Write-Error "Failed to remove the empty `"$propertyName`" property from the registry: $_" Exit 1 } } try { Write-Host "Restoring `"$keyToRestoreInUppercase`", all disabled keys: `"$disabledKeys`", new disabled keys: `"$newKeysToDisable`"." Set-ItemProperty ` -Path $registryPath ` -Name $propertyName ` -Value "$newKeysToDisable" ` -Force ` -ErrorAction Stop Write-Host "Successfully restored `"$keyToRestoreInUppercase`", disabled keys now: `"$newKeysToDisable`"." Exit 0 } catch { Write-Error "Failed to restore `"$keyToRestoreInUppercase`": $_" Exit 1 } - function: ShowExplorerRestartSuggestion - name: DisableTLSHash parameters: - name: algorithmName docs: |- This function disables the specified hash algorithm by modifying the `SCHANNEL\HASHES` subkey in the registry [1] [2] [3]. This subkey is used to control the use of hash algorithms such as SHA-1 and MD5 [1]. Changes to this key apply instantly and do not require a system restart [1]. Setting the `Enabled` registry value to `0` disables the hash algorithm [1] [2]. If this value is not configured [1] or set to `1` [1] [2]. 
[1]: https://web.archive.org/web/20240423073705/https://learn.microsoft.com/en-US/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/restrict-cryptographic-algorithms-protocols-schannel "Restrict cryptographic algorithms and protocols - Windows Server | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de" [3]: https://web.archive.org/web/20240426092730/https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/demystifying-schannel/ba-p/259233 "Demystifying Schannel - Microsoft Community Hub" call: - function: Comment parameters: codeComment: Disable usage of "{{ $algorithmName }}" hash algorithm for TLS/SSL connections revertCodeComment: Restore usage of "{{ $algorithmName }}" hash algorithm for TLS/SSL connections - function: SetRegistryValue parameters: keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\{{ $algorithmName }} valueName: Enabled dataType: REG_DWORD data: '0' deleteOnRevert: 'true' # Missing subkeys under `Hashes` since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2) - name: DisableTLSProtocol parameters: - name: protocolName docs: |- This function disables the specified TLS protocol by modifying the registry settings under the `SCHANNEL\Protocols` subkey [1] [2] [3] [4]. This action prevents the Windows operating system from using the protocol during SSL/TLS communications, enhancing system security by eliminating older or less secure protocols that might be susceptible to attacks. The function executes several commands to update the Windows registry. 
It sets `Enabled` and `DisabledByDefault` for both `Server` and `Client` configurations as recommended in various security guidelines [1] [2] [3] [4]. [1]: https://web.archive.org/web/20240423073705/https://learn.microsoft.com/en-US/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/restrict-cryptographic-algorithms-protocols-schannel "Restrict cryptographic algorithms and protocols - Windows Server | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de" [3]: https://web.archive.org/web/20240402112853/https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings "Transport Layer Security (TLS) registry settings | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240426092730/https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/demystifying-schannel/ba-p/259233 "Demystifying Schannel - Microsoft Community Hub" call: - function: Comment parameters: codeComment: Disable usage of "{{ $protocolName }}" protocol for TLS/SSL connections revertCodeComment: Restore usage of "{{ $protocolName }}" protocol for TLS/SSL connections # Marked: refactor-with-if-syntax # - Rest of this function does the opposite of `EnableTLSProtocol`, introduce `ToggleTLSProtocolState`? 
- function: SetRegistryValue parameters: keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Server valueName: Enabled dataType: REG_DWORD data: '0' deleteOnRevert: 'true' # Missing subkeys under `Protocols` since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Server valueName: DisabledByDefault dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing subkeys under `Protocols` since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Client valueName: Enabled dataType: REG_DWORD data: '0' deleteOnRevert: 'true' # Missing subkeys under `Protocols` since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Client valueName: DisabledByDefault dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing subkeys under `Protocols` since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2) - name: RunPowerShellWithSetup # 💡 Purpose: # Runs the same setup code before both the main code and any revert code. parameters: - name: code - name: revertCode optional: true - name: setupCode # Optional PowerShell code to be executed before `code`, and before `revertCode` if `revertCode` is used. optional: true call: function: RunPowerShell parameters: code: |- {{ with $setupCode }}{{ . }}{{ end }} {{ $code }} revertCode: |- {{ with $revertCode }} {{ with $setupCode }}{{ . }}{{ end }} {{ . }} {{ end }} - name: SetRegistryValue # 💡 Purpose: # Create or modify a registry entry at a specified path. # Use this function for a consistent approach instead of directly using `reg add` or `reg delete` commands. 
parameters: - name: keyPath # Full path of the subkey or entry to be added. - name: valueName # Name of the registry entry to add. - name: dataType # Type for the registry entry. - name: data # Data for the new registry entry. - name: deleteOnRevert # Set to 'true' to revert to the initial state by deleting the registry value. optional: true - name: minimumWindowsVersion # Ensures the script executes only on specified Windows versions or newer. optional: true # Allowed values: Windows11, Windows10-1607 call: function: RunPowerShellWithSetup parameters: # Marked: refactor-with-if-syntax # If checks can be handled during compile time. setupCode: |- {{ with $minimumWindowsVersion }} $targetWindowsVersion = '{{ . }}' $parsedVersion=$null if ($targetWindowsVersion -eq 'Windows11') { $parsedVersion=[System.Version]::Parse('10.0.22000') } elseif ($targetWindowsVersion -eq 'Windows10-1607') { $parsedVersion=[System.Version]::Parse('10.0.14393') } if ([System.Environment]::OSVersion.Version -lt $parsedVersion) { Write-Output "Skipping, versions before $parsedVersion are not supported." exit 0 } {{ end }} code: |- reg add '{{ $keyPath }}' ` /v '{{ $valueName }}' ` /t '{{ $dataType }}' ` /d '{{ $data }}' ` /f revertCode: |- {{ with $deleteOnRevert }} reg delete '{{ $keyPath }}' ` /v '{{ $valueName }}' ` /f 2>$null {{ end }} - name: EnableTLSProtocol parameters: - name: protocolName - name: minimumWindowsVersion # Defines the minimum Windows version required to support this protocol. The script will not execute on unsupported versions. optional: true # Allowed values: Windows11, Windows10-1607 docs: |- This function enables specific TLS protocols by modifying registry entries at `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols` [1] [2]. By setting the `DisabledByDefault` registry value to `0`, it enables the system to negotiate the use of protocols that might otherwise not be used by default [1]. 
By setting the `Enabled` registry key to '1', it explicitly allows the use of the protocol [1], overriding any system defaults that might otherwise prohibit its use [3]. On reverting the changes, it deletes the registry values, effectively restoring the original protocol settings. The default Windows installation does not include values under the `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols` registry subtree, as confirmed by tests on Windows 10 22H2 Pro and Windows 11 23H2 Pro. > **Caution**: Enabling a TLS protocol may not always be safe on certain Windows versions, as experimental support > for some protocols can lead to system instability [4] [5]. [1]: https://web.archive.org/web/20240423073705/https://learn.microsoft.com/en-US/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/restrict-cryptographic-algorithms-protocols-schannel "Restrict cryptographic algorithms and protocols - Windows Server | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de" [3]: https://web.archive.org/web/20240402112853/https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#tls-dtls-and-ssl-protocol-version-settings "Transport Layer Security (TLS) registry settings | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240503122422/https://github.com/undergroundwires/privacy.sexy/issues/175 "Add TLS 1.3 support warning · Issue #175 · undergroundwires/privacy.sexy | github.com" [5]: https://web.archive.org/web/20240429193908/https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp- "Protocols in TLS/SSL 
(Schannel SSP) - Win32 apps | Microsoft Learn | learn.microsoft.com" call: - function: Comment parameters: codeComment: Enable "{{ $protocolName }}" protocol as default for TLS/SSL connections revertCodeComment: Restore "{{ $protocolName }}" protocol defaults for TLS/SSL handshake # Marked: refactor-with-if-syntax # - Rest of this function does the opposite of `DisableTLSProtocol`, introduce `ToggleTLSProtocolState`? - # Server -> Enable function: SetRegistryValue parameters: keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Server valueName: Enabled dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}' - # Server -> Do not disable function: SetRegistryValue parameters: keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Server valueName: DisabledByDefault dataType: REG_DWORD data: '0' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}' - # Client -> Enable function: SetRegistryValue parameters: keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Client valueName: Enabled dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . 
}}{{ end }}' - # Client -> Do not disable function: SetRegistryValue parameters: keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Client valueName: DisabledByDefault dataType: REG_DWORD data: '0' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}' - name: SetDotNetRegistryKey parameters: - name: valueName - name: valueData docs: |- This function configures registry settings specifically for .NET Framework applications by setting values within the Windows Registry at the `HKLM\SOFTWARE\[Wow6432Node\]Microsoft\.NETFramework\\{{ valueName }}!{{ valueData }}` keys [1] [2] [3]. It affects the following .NET Framework versions: - `v4.0.30319`: Used for configurations pertaining to .NET Framework 4 and later versions [1] [2] [3]. - `v2.0.50727`: Targets .NET Framework 3.5 settings [1] [3]. Note that there are no version-based keys such as `v3.0` or `v3.5`, ensuring that only recognized versions are configured. The `Wow6432Node` within the registry path indicates compatibility adjustments for 32-bit applications running on 64-bit machines; it is absent in purely 32-bit environments [4]. These settings are applied globally, affecting all .NET applications on the system [1]. The configurations include enabling features or protocols that might not be active by default, depending on the framework version. When reverting changes, the function removes the specified values to restore settings to their original state. On standard Windows installations, no other subkeys exist under the `.NETFramework\{version}\` registry path besides `v4.0.30319\AspNetEnforceViewStateMac!AspNetEnforceViewStateMac` [3], as tested since Windows 10 Pro 22H2 and Windows 11 23H2 Pro. 
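The cipher, hash and protocol functions above, and the .NET function just described, all write registry values whose absence has a meaning of its own (a missing `Enabled` leaves an algorithm on; a missing protocol value leaves the OS default in force). The following read-only audit is an added example, not code from the privacy.sexy collection: it walks those keys and reports what each value currently means. It assumes PowerShell 5.1 or later on Windows; the protocol subkey names and the two .NET value names passed at the bottom are illustrative inputs taken from Microsoft's Schannel and .NET TLS documentation, not values that appear in this file.

```powershell
# Added audit example; not part of the privacy.sexy collection.
# Reads the Schannel and .NET Framework registry state that the DisableTLSCipher,
# DisableTLSHash, DisableTLSProtocol, EnableTLSProtocol and SetDotNetRegistryKey
# functions modify, and reports the effective meaning of each value.
# Assumptions: PowerShell 5.1+ on Windows; the protocol and .NET value names used at
# the bottom are illustrative inputs from Microsoft documentation, not from this file.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelAlgorithmState {
    # Ciphers and Hashes share one rule: a missing subkey or a missing `Enabled`
    # value leaves the algorithm enabled; `Enabled` = 0 disables it explicitly.
    param([Parameter(Mandatory)][ValidateSet('Ciphers', 'Hashes')][string]$Category)
    $base = Join-Path -Path $SchannelRoot -ChildPath $Category
    if (-not (Test-Path -Path $base)) {
        return [pscustomobject]@{ Category = $Category; Name = '(no subkeys)'; Enabled = $null; Effective = 'enabled (OS default)' }
    }
    Get-ChildItem -Path $base | ForEach-Object {
        $enabled = (Get-ItemProperty -Path $_.PSPath -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
        [pscustomobject]@{
            Category  = $Category
            Name      = $_.PSChildName
            Enabled   = $enabled
            Effective = if ($enabled -eq 0) { 'disabled' } else { 'enabled' }
        }
    }
}

function Get-SchannelProtocolState {
    # Protocols carry two values per side. `Enabled` = 0 switches the protocol off;
    # `DisabledByDefault` = 1 keeps it available but not negotiated unless an
    # application asks for it; with neither value present the OS default applies.
    param([Parameter(Mandatory)][string[]]$ProtocolName)
    foreach ($protocol in $ProtocolName) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path -Path $SchannelRoot -ChildPath "Protocols\$protocol\$side"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $enabled = if ($props) { $props.Enabled } else { $null }
            $disabledByDefault = if ($props) { $props.DisabledByDefault } else { $null }
            $effective = if ($enabled -eq 0) { 'disabled' }
                         elseif ($disabledByDefault -eq 1) { 'available, not negotiated by default' }
                         elseif ($null -eq $enabled -and $null -eq $disabledByDefault) { 'OS default' }
                         else { 'enabled' }
            [pscustomobject]@{
                Protocol = $protocol; Side = $side
                Enabled = $enabled; DisabledByDefault = $disabledByDefault; Effective = $effective
            }
        }
    }
}

function Get-DotNetTlsState {
    # .NET Framework reads its TLS-related DWORDs from both the native and the
    # WOW6432Node hive, under the 3.5 (v2.0.50727) and 4.x (v4.0.30319) version keys.
    param([Parameter(Mandatory)][string[]]$ValueName)
    $roots = 'HKLM:\SOFTWARE\Microsoft\.NETFramework', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework'
    foreach ($root in $roots) {
        foreach ($version in 'v2.0.50727', 'v4.0.30319') {
            $key = Join-Path -Path $root -ChildPath $version
            foreach ($name in $ValueName) {
                $data = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
                [pscustomobject]@{
                    Key       = $key
                    ValueName = $name
                    Data      = $data
                    Effective = if ($null -eq $data) { 'not set (framework default)' } else { $data }
                }
            }
        }
    }
}

# Illustrative inputs: Schannel protocol subkey names, and the two .NET values that
# Microsoft's .NET TLS best-practices page (cited by the docs above) recommends.
Get-SchannelAlgorithmState -Category Ciphers | Format-Table -AutoSize
Get-SchannelAlgorithmState -Category Hashes  | Format-Table -AutoSize
Get-SchannelProtocolState -ProtocolName 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3' | Format-Table -AutoSize
Get-DotNetTlsState -ValueName 'SchUseStrongCrypto', 'SystemDefaultTlsVersions' | Format-Table -AutoSize
```

Run it before and after applying the functions above to confirm the intended values landed and to spot a partial state (for example `Enabled` set on the `Server` side but not `Client`). The report reflects registry state only; which protocols and ciphers a given Windows build actually offers when a value is absent is the OS default that the cited Microsoft pages describe, so "OS default" should be read against that documentation rather than as "enabled".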
[1]: https://web.archive.org/web/20240503121044/https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls "Transport Layer Security (TLS) best practices with .NET Framework | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240504125305/https://learn.microsoft.com/en-us/officeonlineserver/enable-tls-1-1-and-tls-1-2-support-in-office-online-server#enable-strong-cryptography-in-net-framework-45-or-higher "Enable TLS 1.1 and TLS 1.2 support in Office Online Server - Office Online Server | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240504125553/https://learn.microsoft.com/en-us/troubleshoot/sql/database-engine/connect/ssl-pe-no-cipher-error-endpoint-5022 "SSL_PE_NO_CIPHER error at endpoint 5022 - SQL Server | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240504125535/https://learn.microsoft.com/en-us/troubleshoot/windows-client/application-management/wow6432node-registry-key-present-32-bit-machine "WOW6432Node listed in 32-bit version of Windows - Windows Client | Microsoft Learn | learn.microsoft.com" call: - function: Comment parameters: codeComment: Configure "{{ $valueName }}" for .NET applications revertCodeComment: Restore "{{ $valueName }}" configuration for .NET applications - # x86 | = .NET Framework 3.5 function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727 valueName: "{{ $valueName }}" dataType: REG_DWORD data: '{{ $valueData }}' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - # x64 | = .NET Framework 3.5 function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727 valueName: "{{ $valueName }}" dataType: REG_DWORD data: '{{ $valueData }}' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - # x86 | ≥ .NET Framework 4 function: SetRegistryValue parameters: keyPath: 
HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 valueName: "{{ $valueName }}" dataType: REG_DWORD data: '{{ $valueData }}' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - # x64 | ≥ .NET Framework 4 function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319 valueName: "{{ $valueName }}" dataType: REG_DWORD data: '{{ $valueData }}' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: BlockUWPAccessViaGPO parameters: - name: policyName docs: |- This function blocks UWP apps from accessing the specified OS feature. It applies Group Policy settings through the `HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy` registry keys [1] [2]. These policies prevent user modification of these settings via the graphical user interface. Additionally, the script configures exceptions using the `UserInControlOfTheseApps`, `ForceAllowTheseApps`, and `ForceDenyTheseApps` keys [2]. These keys, of type `REG_MULTI_SZ`, manage lists of null-terminated strings [3]. The script sets these to `NULL`, ensuring that even empty lists are properly terminated with a null character to maintain registry integrity [3] [4]. 
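A practitioner verifying the policy above usually wants to see, for one capability, both the machine-wide policy value and the per-capability `ConsentStore` value that the following `BlockUWPAccessViaConsentStore` function writes, since the policy is what stops the GUI from changing the consent value back. The script below is an added example, not code from the privacy.sexy collection. It assumes PowerShell 5.1 or later on Windows; the policy name `LetAppsAccessCamera` and the `ConsentStore` subkey `webcam` used at the bottom come from Microsoft's Privacy Policy CSP documentation and are illustrative inputs, not values taken from this file.

```powershell
# Added audit example; not part of the privacy.sexy collection.
# Shows how a UWP capability is governed on this machine by reading the AppPrivacy
# policy values written by BlockUWPAccessViaGPO together with the per-capability
# ConsentStore value written by BlockUWPAccessViaConsentStore.
# Assumptions: PowerShell 5.1+ on Windows; the policy name 'LetAppsAccessCamera' and
# the ConsentStore subkey 'webcam' are illustrative inputs from Microsoft's Privacy
# Policy CSP documentation, not values from this file.

$AppPrivacyPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy'
$ConsentStoreKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore'

function Get-AppPrivacyPolicyState {
    param([Parameter(Mandatory)][string]$PolicyName)
    $policy = Get-ItemProperty -Path $AppPrivacyPolicyKey -ErrorAction SilentlyContinue
    $value = if ($policy) { $policy.$PolicyName } else { $null }
    # Privacy Policy CSP semantics: 0 = user in control, 1 = force allow, 2 = force deny.
    $meaning = if ($null -eq $value) { 'not configured (user setting applies)' }
               elseif ($value -eq 0) { 'user in control' }
               elseif ($value -eq 1) { 'force allow' }
               elseif ($value -eq 2) { 'force deny (cannot be re-enabled from the GUI)' }
               else { "unexpected value $value" }
    # The three REG_MULTI_SZ exception lists; an empty list reads back as an empty array.
    $lists = foreach ($suffix in 'UserInControlOfTheseApps', 'ForceAllowTheseApps', 'ForceDenyTheseApps') {
        $name = "${PolicyName}_$suffix"
        $present = ($null -ne $policy -and $null -ne $policy.$name)
        $entries = if ($present) { @($policy.$name) } else { @() }
        [pscustomobject]@{
            List    = $name
            Present = $present
            Entries = @($entries | Where-Object { -not [string]::IsNullOrEmpty($_) })
        }
    }
    [pscustomobject]@{ Policy = $PolicyName; Value = $value; Meaning = $meaning; ExceptionLists = $lists }
}

function Get-ConsentStoreState {
    # Per-capability consent: 'Allow' or 'Deny' in the `Value` string of the subkey.
    param([Parameter(Mandatory)][string]$Capability)
    $key = Join-Path -Path $ConsentStoreKey -ChildPath $Capability
    $value = (Get-ItemProperty -Path $key -Name 'Value' -ErrorAction SilentlyContinue).Value
    [pscustomobject]@{
        Capability = $Capability
        Value      = $value
        Effective  = if ($null -eq $value) { 'subkey or Value missing' } else { $value }
    }
}

function Get-UwpCapabilityAccessSummary {
    # A force-allow (1) or force-deny (2) policy governs the capability; otherwise the
    # ConsentStore value, which the user can still change from the GUI, applies.
    param([Parameter(Mandatory)][string]$PolicyName, [Parameter(Mandatory)][string]$Capability)
    $policy = Get-AppPrivacyPolicyState -PolicyName $PolicyName
    $consent = Get-ConsentStoreState -Capability $Capability
    [pscustomobject]@{
        Policy        = $PolicyName
        PolicyMeaning = $policy.Meaning
        Capability    = $Capability
        ConsentValue  = $consent.Effective
        GovernedBy    = if ($policy.Value -eq 1 -or $policy.Value -eq 2) { 'policy' } else { 'user consent' }
        ExceptionLists = $policy.ExceptionLists
    }
}

Get-UwpCapabilityAccessSummary -PolicyName 'LetAppsAccessCamera' -Capability 'webcam' | Format-List
```

The `ExceptionLists` entries are where the `REG_MULTI_SZ` detail in the docs shows up: a list written as an empty null-terminated string reads back as an empty array with `Present` true, whereas a list that was never written has `Present` false. Seeing the two states side by side is the quickest way to confirm that the empty-list write the function performs actually landed.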
[1]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#31-services-configuration "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn" [2]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240521092322/https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types "Registry value types - Win32 apps | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20240521092438/https://learn.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regsetvalueexa "[in] cbData must include the size of the terminating null character or characters. 
| RegSetValueExA function (winreg.h) - Win32 apps | Microsoft Learn" call: - function: Comment parameters: codeComment: Disable app access ({{ $policyName }}) using GPO (re-activation through GUI is not possible) revertCodeComment: Restore app access ({{ $policyName }}) using GPO - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy valueName: "{{ $policyName }}" dataType: REG_DWORD data: '2' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy valueName: "{{ $policyName }}_UserInControlOfTheseApps" dataType: REG_MULTI_SZ data: '\0' # `REG_MULTI_SZ` means null terminated string list, empty list should also be terminated with null character deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy valueName: "{{ $policyName }}_ForceAllowTheseApps" dataType: REG_MULTI_SZ data: '\0' # `REG_MULTI_SZ` means null terminated string list, empty list should also be terminated with null character deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy valueName: "{{ $policyName }}_ForceDenyTheseApps" dataType: REG_MULTI_SZ data: '\0' # `REG_MULTI_SZ` means null terminated string list, empty list should also be terminated with null character deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: BlockUWPAccessViaConsentStore parameters: - name: appCapability docs: |- This function blocks UWP apps from accessing the specified OS feature. 
This function restricts UWP apps from utilizing certain OS features by modifying settings in the `CapabilityAccessManager\ConsentStore` [1]. It sets the specified app capability to "Deny", overriding the default "Allow" setting present since Windows 10 22H2 and Windows 11 23H2. Run the following command to see all available settings: > `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore` [1]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com" call: - function: Comment parameters: codeComment: Disable app capability ({{ $appCapability }}) using user privacy settings revertCodeComment: Restore app capability ({{ $appCapability }}) using user privacy settings - function: RunInlineCode parameters: code: >- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\{{ $appCapability }}" /v "Value" /d "Deny" /t REG_SZ /f revertCode: >- # All subkeys have `Allow` value since Windows 10 22H2 Pro and Windows 11 23H2 Pro reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\{{ $appCapability }}" /v "Value" /d "Allow" /t "REG_SZ" /f - name: BlockUWPLegacyDeviceAccess parameters: - name: deviceAccessId docs: |- This function blocks UWP apps from accessing the specified OS feature. It applies to older versions of Windows [1]. It modifies registry settings under the `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global` key [1]. [1]: https://web.archive.org/web/20240427103845/https://www.c-amie.co.uk/technical/windows-10-registry-paths-for-privacy-settings/ "Windows 10 Registry Paths for Privacy Settings - C:Amie (not) Com! 
| c-amie.co.uk" call: - function: Comment parameters: codeComment: Disable app access ({{ $deviceAccessId }}) in older Windows versions (before 1903) revertCodeComment: Restore app access ({{ $deviceAccessId }}) in older Windows versions (before 1903) - function: SetRegistryValue parameters: keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{{ $deviceAccessId }} valueName: "Value" dataType: REG_SZ data: 'Deny' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: BlockExecutablesFromRunningViaShell # 💡 Usage: This is a low-level function. Favor using `TerminateAndBlockExecution` in script calls. parameters: - name: executableNameWithExtension # Filename of the executable (including its extension) to be blocked docs: |- This function prevents specified executable files from running on Windows through the `DisallowRun` policy. Users cannot execute these blocked programs via the Run dialog [1], double-clicking [1], the File menu [1], File Explorer [2] [3], or any application using `ShellExecute` or `ShellExecuteEx` functions [1]. This function does not block executables launched by system processes like Task Manager or through other processes, including those initiated via the command prompt (`cmd.exe`) [2] [3]. The script targets the `HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun` registry key [1] [2] [3], which does not exist by default. 
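The `DisallowRun` mechanism has two parts that must agree: the numbered rule entries under the `DisallowRun` subkey and the `DisallowRun` DWORD flag one level up that activates them. The following read-only check is an added example, not code from the privacy.sexy collection; it reports both parts and whether a given executable is listed, so a partial state (rules without the flag, or the flag without rules) is visible. It assumes PowerShell 5.1 or later on Windows; `example.exe` at the bottom is a constructed placeholder name.

```powershell
# Added audit example; not part of the privacy.sexy collection.
# Reports the current DisallowRun state that BlockExecutablesFromRunningViaShell
# manipulates: the activation flag, the numbered rules, and whether one executable
# is listed. Assumptions: PowerShell 5.1+ on Windows; 'example.exe' is a placeholder.

$ExplorerPolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$DisallowRunKey = Join-Path -Path $ExplorerPolicyKey -ChildPath 'DisallowRun'

function Get-DisallowRunState {
    # The DWORD flag lives on the parent key; the rules are string values named 1, 2, ...
    $policyValue = (Get-ItemProperty -Path $ExplorerPolicyKey -Name 'DisallowRun' -ErrorAction SilentlyContinue).DisallowRun
    $rules = @()
    $entries = Get-ItemProperty -Path $DisallowRunKey -ErrorAction SilentlyContinue
    if ($entries) {
        # Filter out PSPath/PSParentPath etc. by keeping only purely numeric value names.
        $rules = @($entries.PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            Sort-Object { [int]$_.Name } |
            ForEach-Object { [pscustomobject]@{ Index = [int]$_.Name; Executable = $_.Value } })
    }
    [pscustomobject]@{
        PolicyActive = ($policyValue -eq 1)
        PolicyValue  = $policyValue
        RuleCount    = $rules.Count
        Rules        = $rules
        # Rules without the flag, or the flag without rules, indicate a partial state.
        Consistent   = (($policyValue -eq 1) -eq ($rules.Count -gt 0))
    }
}

function Test-ExecutableBlockedViaShell {
    param([Parameter(Mandatory)][string]$ExecutableNameWithExtension)
    $state = Get-DisallowRunState
    $hits = @($state.Rules | Where-Object { $_.Executable -ieq $ExecutableNameWithExtension })
    [pscustomobject]@{
        Executable  = $ExecutableNameWithExtension
        Listed      = ($hits.Count -gt 0)
        RuleIndexes = @($hits | ForEach-Object { $_.Index })
        # A listed executable only takes effect when the activation flag is also 1.
        EffectivelyBlockedViaShell = ($hits.Count -gt 0 -and $state.PolicyActive)
    }
}

Get-DisallowRunState | Format-List
Test-ExecutableBlockedViaShell -ExecutableNameWithExtension 'example.exe' | Format-List
```

`EffectivelyBlockedViaShell` refers only to the launch paths the docs above list (Run dialog, File Explorer, `ShellExecute` callers); the same docs note that launches from other processes are not covered by this policy, so a `True` here is a statement about the shell rule, not about every way the binary could be started.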
[1]: https://web.archive.org/web/20240525130534/https://learn.microsoft.com/en-us/windows/win32/api/shlobj_core/ne-shlobj_core-restrictions "RESTRICTIONS (shlobj_core.h) - Win32 apps | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240525130542/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools#disallowapps "ADMX_ShellCommandPromptRegEditTools Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240525130647/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsTools::DisallowApps "Don't run specified Windows applications | admx.help" call: - function: RunPowerShell parameters: codeComment: Add a rule to prevent the executable "{{ $executableNameWithExtension }}" from running via File Explorer code: |- $executableFilename='{{ $executableNameWithExtension }}' try { $registryPathForDisallowRun='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun' $existingBlockEntries = Get-ItemProperty ` -Path "$registryPathForDisallowRun" ` -ErrorAction Ignore $nextFreeRuleIndex = 1 if ($existingBlockEntries) { $existingBlockingRuleForExecutable = $existingBlockEntries.PSObject.Properties ` | Where-Object { $_.Value -eq $executableFilename } if ($existingBlockingRuleForExecutable) { $existingBlockingRuleIndexForExecutable = $existingBlockingRuleForExecutable.Name Write-Output "Skipping, no action needed: `"$executableFilename`" is already blocked under rule index `"$existingBlockingRuleIndexForExecutable`"." exit 0 } $occupiedRuleIndexes = $existingBlockEntries.PSObject.Properties ` | Where-Object { $_.Name -Match '^\d+$' } ` | Select -ExpandProperty Name if ($occupiedRuleIndexes) { while ($occupiedRuleIndexes -Contains $nextFreeRuleIndex) { $nextFreeRuleIndex += 1 } } } Write-Output "Adding block rule for `"$executableFilename`" under rule index `"$nextFreeRuleIndex`"." 
if (!(Test-Path $registryPathForDisallowRun)) { New-Item ` -Path "$registryPathForDisallowRun" ` -Force ` -ErrorAction Stop ` | Out-Null } New-ItemProperty ` -Path "$registryPathForDisallowRun" ` -Name "$nextFreeRuleIndex" ` -PropertyType String ` -Value "$executableFilename" ` -ErrorAction Stop ` | Out-Null Write-Output "Successfully blocked `"$executableFilename`" with rule index `"$nextFreeRuleIndex`"." } catch { Write-Error "Failed to block `"$executableFilename`": $_" Exit 1 } revertCodeComment: Remove the rule that prevents the executable "{{ $executableNameWithExtension }}" from running via File Explorer revertCode: |- $executableFilename='{{ $executableNameWithExtension }}' try { $blockEntries = Get-ItemProperty ` -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun' ` -ErrorAction Ignore if (-Not $blockEntries) { Write-Output "Skipping, no action needed: No block rules exist, `"$executableFilename`" is not blocked." exit 0 } $blockingRulesForExecutable = @( $blockEntries.PSObject.Properties ` | Where-Object { $_.Value -eq $executableFilename } ) if (-Not $blockingRulesForExecutable) { Write-Output "Skipping, no action needed: `"$executableFilename`" is not currently blocked." exit 0 } foreach ($blockingRuleForExecutable in $blockingRulesForExecutable) { $blockingRuleIndexForExecutable = $blockingRuleForExecutable.Name Write-Output "Removing rule `"$blockingRuleIndexForExecutable`" that blocks `"$executableFilename`"." Remove-ItemProperty ` -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun' ` -Name "$blockingRuleIndexForExecutable" ` -Force ` -ErrorAction Stop Write-Output "Successfully revoked blocking of `"$executableFilename`" under rule `"$blockingRuleIndexForExecutable`"." 
} } catch { Write-Error "Failed to revoke blocking of `"$executableFilename`": $_" Exit 1 } - function: RunPowerShell parameters: codeComment: Activate the DisallowRun policy to block specified programs from running via File Explorer code: |- try { $fileExplorerDisallowRunRegistryPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' $currentDisallowRunPolicyValue = Get-ItemProperty ` -Path "$fileExplorerDisallowRunRegistryPath" ` -Name 'DisallowRun' ` -ErrorAction Ignore ` | Select -ExpandProperty DisallowRun if ([string]::IsNullOrEmpty($currentDisallowRunPolicyValue)) { Write-Output "Creating DisallowRun policy at `"$fileExplorerDisallowRunRegistryPath`"." if (!(Test-Path $fileExplorerDisallowRunRegistryPath)) { New-Item ` -Path "$fileExplorerDisallowRunRegistryPath" ` -Force ` -ErrorAction Stop ` | Out-Null } New-ItemProperty ` -Path "$fileExplorerDisallowRunRegistryPath" ` -Name 'DisallowRun' ` -Value 1 ` -PropertyType DWORD ` -Force ` -ErrorAction Stop ` | Out-Null Write-Output 'Successfully activated DisallowRun policy.' Exit 0 } if ($currentDisallowRunPolicyValue -eq 1) { Write-Output 'Skipping, no action needed: DisallowRun policy is already in place.' Exit 0 } Write-Output "Updating DisallowRun policy from unexpected value `"$currentDisallowRunPolicyValue`" to `"1`"." Set-ItemProperty ` -Path "$fileExplorerDisallowRunRegistryPath" ` -Name 'DisallowRun' ` -Value 1 ` -Type DWORD ` -Force ` -ErrorAction Stop ` | Out-Null Write-Output 'Successfully activated DisallowRun policy.' 
            } catch {
                Write-Error "Failed to activate DisallowRun policy: $_"
                Exit 1
            }
          revertCodeComment: Restore the File Explorer DisallowRun policy if no other blocks are active
          revertCode: |-
            try {
                $currentDisallowRunPolicyValue = Get-ItemProperty `
                    -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
                    -Name 'DisallowRun' `
                    -ErrorAction Ignore `
                    | Select-Object -ExpandProperty 'DisallowRun'
                if ([string]::IsNullOrEmpty($currentDisallowRunPolicyValue)) {
                    Write-Output 'Skipping, no action needed: DisallowRun policy is not active.'
                    Exit 0
                }
                if ($currentDisallowRunPolicyValue -ne 1) {
                    Write-Output "Skipping, DisallowRun policy is not configured by privacy.sexy, unexpected value: `"$currentDisallowRunPolicyValue`"."
                    Exit 0
                }
                # Get-Item returns the key itself so that ValueCount can be checked. Get-ItemProperty would
                # return a non-empty object (PSPath etc.) even for a key with no remaining rule values.
                $remainingBlockingRules = Get-Item `
                    -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun' `
                    -ErrorAction Ignore
                if ($remainingBlockingRules -and $remainingBlockingRules.ValueCount -gt 0) {
                    Write-Output 'Skipping deactivating DisallowRun policy, there are still active rules.'
                    Exit 0
                }
                Write-Output 'No remaining rules, deleting DisallowRun policy.'
                Remove-ItemProperty `
                    -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
                    -Name 'DisallowRun' `
                    -Force `
                    -ErrorAction Stop
                Write-Output 'Successfully restored DisallowRun policy.'
            } catch {
                Write-Error "Failed to restore DisallowRun policy: $_"
                Exit 1
            }
  - name: TerminateAndBlockExecution
    parameters:
      - name: executableNameWithExtension # Filename of the executable (including its extension) to be terminated and blocked
    docs: |-
      This function combines actions to terminate and block the re-execution of a specified executable on Windows.
      It is designed for scripts that need to prevent an unwanted executable from affecting the system.
    call:
      - function: TerminateRunningProcess
        parameters:
          executableNameWithExtension: '{{ $executableNameWithExtension }}'
      - function: TerminateExecutableOnLaunch
        parameters:
          executableNameWithExtension: '{{ $executableNameWithExtension }}'
      - function: BlockExecutablesFromRunningViaShell
        parameters:
          executableNameWithExtension: '{{ $executableNameWithExtension }}'
  - name: CreatePlaceholderFile
    parameters:
      - name: placeholderFilePath
    call:
      function: RunPowerShell
      parameters:
        codeComment: 'Create a placeholder file at "{{ $placeholderFilePath }}".'
        code: |-
          $filePath = '{{ $placeholderFilePath }}'
          $expandedFilePath = [System.Environment]::ExpandEnvironmentVariables($filePath)
          $placeholderText = 'privacy.sexy placeholder'
          Write-Output "Creating placeholder file at `"$expandedFilePath`"."
          $parentDirectory = [System.IO.Path]::GetDirectoryName($expandedFilePath)
          if (Test-Path $expandedFilePath -PathType Leaf) {
              Write-Host "Skipping file creation as `"$expandedFilePath`" already exists."
              Exit 0
          }
          if (Test-Path $parentDirectory -PathType Container) {
              Write-Host "Skipping parent directory creation as `"$parentDirectory`" already exists."
          } else {
              try {
                  New-Item `
                      -ItemType Directory `
                      -Path "$parentDirectory" `
                      -Force `
                      -ErrorAction Stop `
                      | Out-Null
                  Write-Output "Successfully created directory for placeholder file at `"$parentDirectory`"."
              } catch {
                  Write-Error "Failed to create directory for placeholder at `"$parentDirectory`": $_"
                  Exit 1
              }
          }
          try {
              New-Item `
                  -ItemType File `
                  -Path $expandedFilePath `
                  -Value "$placeholderText" `
                  -Force `
                  -ErrorAction Stop `
                  | Out-Null
              Write-Host "Successfully created a placeholder file at `"$expandedFilePath`"."
          } catch {
              Write-Error "Failed to create placeholder file at `"$expandedFilePath`": $_"
              Exit 1
          }
        revertCodeComment: 'Remove the placeholder file at "{{ $placeholderFilePath }}".'
        revertCode: |-
          $filePath = '{{ $placeholderFilePath }}'
          $expandedFilePath = [System.Environment]::ExpandEnvironmentVariables($filePath)
          $placeholderText = 'privacy.sexy placeholder'
          Write-Output "Attempting to remove placeholder file at `"$expandedFilePath`"."
          if (-Not (Test-Path $expandedFilePath -PathType Leaf)) {
              Write-Host "Skipping file removal as `"$expandedFilePath`" does not exist, no action needed."
              Exit 0
          }
          # Only delete files that still carry the placeholder text, never a file the user replaced.
          $currentContent = Get-Content $expandedFilePath `
              -ErrorAction SilentlyContinue
          if ($currentContent -ne $placeholderText) {
              Write-Output "Skipping removal as the file at `"$expandedFilePath`" was not created by privacy.sexy."
              Exit 0
          }
          Write-Output "File contents match the placeholder content. Proceeding to remove the file."
          try {
              Remove-Item `
                  -Path $expandedFilePath `
                  -Force `
                  -ErrorAction Stop
              Write-Host "Successfully removed the placeholder file at `"$expandedFilePath`"."
          } catch {
              Write-Error "Failed to delete the placeholder file at `"$expandedFilePath`": $_"
              Exit 1
          }
  - name: SetChromePolicyViaRegistry
    parameters:
      - name: valueName
      - name: dwordData
    docs: |-
      This function sets a specified Google Chrome policy value to given REG_DWORD data.
      This script applies these policies via the Windows Registry at HKLM\SOFTWARE\Policies\Google\Chrome [1].
      These policies are also known as *platform policies* [2].
      They take the highest precedence, meaning that they override user settings [2].
      By default, no policies are configured under this registry path.
      This has been tested on Windows 10 from version 22H2 onwards and Windows 11 from version 23H2 onwards, with Google Chrome starting from version 125.

      [1]: https://web.archive.org/web/20240624102414/https://support.google.com/chrome/a/answer/10407780?hl=en "Manage Chrome browser with Windows device management - Chrome Enterprise and Education Help | support.google.com"
      [2]: https://web.archive.org/web/20240624102622/https://support.google.com/chrome/a/answer/9037717?hl=en#zippy=%2Cplatform-policies "Understand Chrome policy management - Chrome Enterprise and Education Help | support.google.com"
    call:
      - function: Comment
        parameters:
          codeComment: Configure "{{ $valueName }}" Chrome policy
          revertCodeComment: Restore "{{ $valueName }}" Chrome policy
      - function: SetRegistryValue
        parameters:
          keyPath: HKLM\SOFTWARE\Policies\Google\Chrome
          valueName: "{{ $valueName }}"
          dataType: REG_DWORD
          data: "{{ $dwordData }}"
          deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) | Tested since Chrome v125
  - name: ShowChromeRestartSuggestion
    docs: |-
      This function alerts users to restart Google Chrome to activate changes.
      It may be necessary to restart the browser following policy modifications for settings to be applied [1] [2].
      This is named "Dynamic Policy Refresh" (`dynamic_refresh`) [2].
      This indicates that certain policy values might not be applied without restarting Chrome [2].

      [1]: https://web.archive.org/web/20240624102414/https://support.google.com/chrome/a/answer/10407780?hl=en "Manage Chrome browser with Windows device management - Chrome Enterprise and Education Help | support.google.com"
      [2]: https://web.archive.org/web/20240624105512/https://chromium.googlesource.com/chromium/src/+/main/docs/enterprise/add_new_policy.md "Chromium Docs - Policy Settings in Chrome | chromium.googlesource.com"
    call:
      - function: Comment
        parameters:
          codeComment: Suggest restarting Chrome for changes to take effect
          revertCodeComment: Suggest restarting Chrome for changes to take effect
      - function: ShowMessage
        parameters:
          message: For the changes to fully take effect, please restart Google Chrome.
          showOnRevert: 'true'
  - name: SetEdgePolicyViaRegistry
    parameters:
      - name: valueName
      - name: dwordData
    docs: |-
      This function sets a specific Microsoft Edge policy value using `REG_DWORD` data.
      This determines the operational behavior of Microsoft Edge [1].
      It configures *mandatory policies*. These policies override user preferences and cannot be changed by users [2].
      In contrast, *recommended policies* set defaults that users may change [2].
      This script applies these policies via the Windows Registry at `HKLM\SOFTWARE\Policies\Microsoft\Edge` [1] [2].
      Alternatively, `HKCU` can be used to apply settings for the current user only [3] [4].
      By default, no policies are pre-configured at these registry paths.
      This has been tested on Windows 10 from version 22H2 onwards and Windows 11 from version 23H2 onwards, with Microsoft Edge starting from version 125.

      [1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
      [2]: https://web.archive.org/web/20240519111447/https://learn.microsoft.com/en-us/deployedge/configure-microsoft-edge "Configure Microsoft Edge for Windows with policy settings | Microsoft Learn | learn.microsoft.com"
      [3]: https://web.archive.org/web/20240624105249/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-manage-extensions-ref-guide#configure-using-the-windows-registry "Detailed guide to the ExtensionSettings policy | Microsoft Learn | learn.microsoft.com"
      [4]: https://web.archive.org/web/20240624105313/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-management-service#control-userdevice-policy-precedence "Microsoft Edge management service | Microsoft Learn | learn.microsoft.com"
    call:
      - function: Comment
        parameters:
          codeComment: Configure "{{ $valueName }}" Edge policy
          revertCodeComment: Restore "{{ $valueName }}" Edge policy
      - function: SetRegistryValue
        parameters:
          keyPath:
            HKLM\SOFTWARE\Policies\Microsoft\Edge
          valueName: "{{ $valueName }}"
          dataType: REG_DWORD
          data: "{{ $dwordData }}"
          deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) | Tested since Edge ≥ 125
  - name: ShowEdgeRestartSuggestion
    docs: |-
      This function prompts users to restart Microsoft Edge to implement changes.
      A restart may be required to apply settings after modifying Edge policies, referred to as "Dynamic Policy Refresh" [1].
      This indicates that certain policy values might not be applied without restarting Edge [1].

      [1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
    call:
      - function: Comment
        parameters:
          codeComment: Suggest restarting Edge for changes to take effect
          revertCodeComment: Suggest restarting Edge for changes to take effect
      - function: ShowMessage
        parameters:
          message: For the changes to fully take effect, please restart Microsoft Edge.
          showOnRevert: 'true'
  - name: SetLegacyEdgePolicyViaRegistry
    parameters:
      - name: policySubkey
      - name: valueName
      - name: dwordData
    docs: |-
      This function configures policies specifically for Edge (Legacy) via the Windows Registry.
      It writes the same policy value in two places:

      - **Via Group Policies**: Policies for Edge (Legacy) are located at `HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge` [1] [2].
        By default, no group policies are configured, tested since Windows 10 Pro ≥ 19H1 (1909).
      - **Via User Settings**: Local user settings for Edge (Legacy) are stored at `HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge` [3] [4].
        This path is operational on versions of Windows with Legacy Edge installed and was tested on Windows 10 Pro 19H1 (1909).
        The path does not exist in modern versions of Windows tested from Windows 10 Pro (≥ 22H2) onwards.

      [1]: https://web.archive.org/web/20240624133131/https://learn.microsoft.com/en-us/previous-versions/windows/edge-legacy/available-policies "Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros) | Microsoft Learn | learn.microsoft.com"
      [2]: https://web.archive.org/web/20240314101034/https://learn.microsoft.com/en-us/previous-versions/windows/edge-legacy/group-policies/telemetry-management-gp#prevent-microsoft-edge-from-gathering-live-tile-information-when-pinning-a-site-to-start "Microsoft Edge - Telemetry and data collection group policies | Microsoft Learn | learn.microsoft.com"
      [3]: https://web.archive.org/web/20240624133305/https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2018-8530 "CVE-2018-8530 - Security Update Guide - Microsoft - Microsoft Edge Security Feature Bypass Vulnerability | msrc.microsoft.com"
      [4]: https://web.archive.org/web/20240624133326/https://learn.microsoft.com/en-us/skype-sdk/websdk/docs/troubleshooting/gatheringlogs/logs-media "Gathering Media Logs from the Skype Web SDK or Conversation Control | Microsoft Learn | learn.microsoft.com"
    call:
      - function: Comment
        parameters:
          codeComment: Configure "{{ $valueName }}" Edge (Legacy) policy
          revertCodeComment: Restore "{{ $valueName }}" Edge (Legacy) policy
      - function: SetRegistryValue # Via GPO
        parameters:
          keyPath: HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\{{ $policySubkey }}
          valueName: "{{ $valueName }}"
          dataType: REG_DWORD
          data: "{{ $dwordData }}"
          deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 19H1) and Windows 11 Pro (≥ 23H2)
      - function: SetRegistryValue # Via user settings
        parameters:
          keyPath: HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\{{ $policySubkey }}
          valueName: "{{ $valueName }}"
          dataType: REG_DWORD
          data: "{{ $dwordData }}"
          deleteOnRevert: 'true' # Exists by default on Windows 10 Pro (≥ 19H1), since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 23H2)
  - name: SetEdgeUpdatePolicyViaRegistry
    parameters:
      - name: valueName
      - name: dwordData
    docs: |-
      This function configures update policies for the Microsoft Edge update mechanism via the Windows Registry.
      The function affects both Edge and the Microsoft Edge WebView2 Runtime [1].
      It modifies settings within the `HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate` registry key [1].
      These settings are applicable to Microsoft Edge version 77 or later [1].
      By default, no policies are configured under this registry path.
      This has been tested on Windows 10 from version 22H2 onwards and Windows 11 from version 23H2 onwards, with Microsoft Edge updates starting from version 1.3.187.41.

      [1]: https://web.archive.org/web/20240622121924/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-update-policies "Microsoft Edge Update Policy Documentation | Microsoft Learn | learn.microsoft.com"
    call:
      function: SetRegistryValue
      parameters:
        keyPath: HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate
        valueName: "{{ $valueName }}"
        dataType: REG_DWORD
        data: "{{ $dwordData }}"
        deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) | Tested since EdgeUpdate ≥ 1.3.187.41
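The functions above write to two kinds of policy locations: the Explorer `DisallowRun` flag plus its rule subkey, and the Chrome, Edge and EdgeUpdate keys under `Policies`. The following audit script is an added example, not part of privacy.sexy; it reads that state back so an administrator can spot drift (flag set without rules, rules without the flag, an unexpected flag value) and list every browser policy currently in force. Function names and finding texts are this example's own; the `Recommended` subkeys are the standard Chromium location for non-mandatory defaults and are not mentioned on the page.

```powershell
# Added example (not privacy.sexy code): audit the registry state written by the
# DisallowRun and browser-policy functions above. Read-only; nothing is modified.

function Get-DisallowRunAudit {
    $explorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $flag = Get-ItemProperty -Path $explorerPolicy -Name 'DisallowRun' -ErrorAction Ignore |
        Select-Object -ExpandProperty 'DisallowRun'
    # Rules live as REG_SZ values under the DisallowRun subkey: name = index, data = executable.
    $rulesKey = Get-Item -Path "$explorerPolicy\DisallowRun" -ErrorAction Ignore
    $rules = @()
    if ($rulesKey) {
        $rules = @($rulesKey.GetValueNames() | ForEach-Object {
            [pscustomobject]@{ Index = $_; Executable = $rulesKey.GetValue($_) }
        })
    }
    $findings = @()
    if ($flag -eq 1 -and $rules.Count -eq 0) {
        $findings += 'DisallowRun is active but no rules exist: nothing is blocked.'
    }
    if ($rules.Count -gt 0 -and $flag -ne 1) {
        $findings += 'Block rules exist but DisallowRun is not active: the rules have no effect.'
    }
    if ($null -ne $flag -and $flag -notin @(0, 1)) {
        $findings += "DisallowRun has unexpected value '$flag'; the revert code above leaves it untouched."
    }
    [pscustomobject]@{ PolicyValue = $flag; Rules = $rules; Findings = $findings }
}

function Get-BrowserPolicyAudit {
    # Keys written by SetChromePolicyViaRegistry, SetEdgePolicyViaRegistry and
    # SetEdgeUpdatePolicyViaRegistry; "Recommended" subkeys hold user-changeable defaults.
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Google\Chrome', 'HKLM:\SOFTWARE\Policies\Google\Chrome\Recommended',
        'HKLM:\SOFTWARE\Policies\Microsoft\Edge', 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\Recommended',
        'HKCU:\SOFTWARE\Policies\Microsoft\Edge', 'HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate'
    )
    foreach ($keyPath in $keys) {
        $key = Get-Item -Path $keyPath -ErrorAction Ignore
        if (-not $key) { continue }   # absent key = no policies configured, the default state
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $keyPath
                Scope = if ($keyPath -like '*\Recommended') { 'Recommended' } else { 'Mandatory' }
                Name  = $name
                Kind  = $key.GetValueKind($name)
                Data  = $key.GetValue($name)
            }
        }
    }
}

$disallowRun = Get-DisallowRunAudit
$disallowRun.Rules | Format-Table -AutoSize
$disallowRun.Findings | ForEach-Object { Write-Warning $_ }
Get-BrowserPolicyAudit | Format-Table -AutoSize
```

Run it before and after applying a generated script to confirm that revert returns both the `DisallowRun` flag and the policy keys to their documented default (absent) state.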