LWHP/windows_11_hardening_w_priv...

## Simplified Version

### Guides worth considering:
# https://github.com/beerisgood/Windows11_Hardening - txt guide
# hotcakex guide -> https://www.reddit.com/r/cybersecurity/comments/10x986w/harden_windows_security_the_right_way_only_with/

# First, install without internet and local account (disable WLAN from BIOS and Shift+F10, OOBE\BYPASSNRO)
# Second, Block ALL traffic in firewall, set default to block and set enabled services to block too
# Third, be aware this fucker is enabling firewall rules automatically after you enable WLAN. You want to block those too, but idk how to avoid Windows setting their own rules without permission. Fucking crazy this is rules appear in firewall without consent.
# ! Run the commands below, then restart and then allow internet only.

### Copy paste privacy settings

# Block Microsoft Telemetry Domains via Hosts File
Write-Host "Blocking telemetry domains..." -ForegroundColor Green
$hostsPath = "C:\Windows\System32\drivers\etc\hosts"
$domains = @"
127.0.0.1 vortex.data.microsoft.com
127.0.0.1 settings-win.data.microsoft.com
127.0.0.1 watson.telemetry.microsoft.com
127.0.0.1 feedback.windows.com
127.0.0.1 activity.windows.com
127.0.0.1 assets.onestore.microsoft.com
127.0.0.1 c1.microsoft.com
127.0.0.1 c2.microsoft.com
127.0.0.1 c3.microsoft.com
127.0.0.1 msftncsi.com
127.0.0.1 officeclient.microsoft.com
127.0.0.1 www.msftconnecttest.com
"@
Add-Content -Path $hostsPath -Value $domains

## Disable telemetry 

# Disable via Group Policy
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f

# Disable telemetry services
sc.exe stop DiagTrack
sc.exe delete DiagTrack
sc.exe stop diagnosticshub.standardcollector.service
sc.exe delete diagnosticshub.standardcollector.service
sc.exe stop dmwappushservice
sc.exe delete dmwappushservice


## Disable Tracking Features

# Remove all pre-installed apps
Get-AppxPackage -AllUsers | Remove-AppxPackage
Get-AppxProvisionedPackage -Online | Remove-AppxProvisionedPackage -Online


## Disable Cortana

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f


## Disable Feedback Requests
reg add "HKCU\Software\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /t REG_QWORD /d 0 /f

## Block Microsoft Telemetry Domains


## Disable Windows Defender (Tracking)
Set-MpPreference -DisableRealtimeMonitoring $true

## Disable Data Sharing Features

# Disable OneDrive
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /v "DisableFileSyncNGSC" /t REG_DWORD /d 1 /f

# Disable Activity History
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 0 /f

## Disable Windows Auto Update (Tracking)

# Disable Windows Update Service
sc config wuauserv start=disabled # Not working?
sc stop wuauserv


## Disable Telemetry via Firewall

# Block Telemetry Domains
netsh advfirewall firewall add rule name="BlockTelemetry" dir=out action=block remoteip=13.107.4.50,23.216.10.10,204.79.197.200

# Disable online search in Start Menu
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 0 /f


### Things I didn't try/test: Use Advanced Privacy Tools

1. Download and run **[O&O ShutUp10++](https://www.oo-software.com/en/shutup10)**.
   - Apply all "Recommended" and "Recommended and somewhat recommended" settings.
2. Install **[WPD](https://wpd.app/)** for additional telemetry blocking.


### Old privacy hardening notes below

# Disable all networking except for programs you need it for.

# Alternatively try these and use a good firewall, don't allow unwanted sites.

# Uninstall tracking updates:
wusa /uninstall /kb:3083710 /quiet /norestart
wusa /uninstall /kb:3083711 /quiet /norestart
wusa /uninstall /kb:3065988 /quiet /norestart
wusa /uninstall /kb:3083325 /quiet /norestart
wusa /uninstall /kb:3083324 /quiet /norestart
wusa /uninstall /kb:2976978 /quiet /norestart
wusa /uninstall /kb:3075853 /quiet /norestart
wusa /uninstall /kb:3065987 /quiet /norestart
wusa /uninstall /kb:3050265 /quiet /norestart
wusa /uninstall /kb:3050267 /quiet /norestart
wusa /uninstall /kb:3075851 /quiet /norestart
wusa /uninstall /kb:2902907 /quiet /norestart
wusa /uninstall /kb:3068708 /quiet /norestart
wusa /uninstall /kb:3022345 /quiet /norestart
wusa /uninstall /kb:2952664 /quiet /norestart
wusa /uninstall /kb:2990214 /quiet /norestart
wusa /uninstall /kb:3035583 /quiet /norestart
wusa /uninstall /kb:3021917 /quiet /norestart
wusa /uninstall /kb:3044374 /quiet /norestart
wusa /uninstall /kb:3046480 /quiet /norestart
wusa /uninstall /kb:3075249 /quiet /norestart
wusa /uninstall /kb:3080149 /quiet /norestart


# Stop tracking Services:
sc stop DiagTrack
sc stop dmwappushservice
sc delete DiagTrack
sc delete dmwappushservice


# Or Windows behind a firewall and block Microsoft...
Now it is an actual guide 2024-12-16 03:15:09 +00:00			`## Simplified Version`
lfg6 2024-12-15 03:03:27 +00:00
Now it is an actual guide 2024-12-16 03:15:09 +00:00			`### Guides worth considering:`
lfg6 2024-12-15 03:03:27 +00:00			`# https://github.com/beerisgood/Windows11_Hardening - txt guide`
			`# hotcakex guide -> https://www.reddit.com/r/cybersecurity/comments/10x986w/harden_windows_security_the_right_way_only_with/`

Now it is an actual guide 2024-12-16 03:15:09 +00:00			`# First, install without internet and local account (disable WLAN from BIOS and Shift+F10, OOBE\BYPASSNRO)`
			`# Second, Block ALL traffic in firewall, set default to block and set enabled services to block too`
			`# Third, be aware this fucker is enabling firewall rules automatically after you enable WLAN. You want to block those too, but idk how to avoid Windows setting their own rules without permission. Fucking crazy this is rules appear in firewall without consent.`
			`# ! Run the commands below, then restart and then allow internet only.`
lfg6 2024-12-15 03:03:27 +00:00
Now it is an actual guide 2024-12-16 03:15:09 +00:00			`### Copy paste privacy settings`
lfg6 2024-12-15 03:03:27 +00:00
Now it is an actual guide 2024-12-16 03:15:09 +00:00			`# Block Microsoft Telemetry Domains via Hosts File`
			`Write-Host "Blocking telemetry domains..." -ForegroundColor Green`
			`$hostsPath = "C:\Windows\System32\drivers\etc\hosts"`
			`$domains = @"`
lfg6 2024-12-15 03:03:27 +00:00			`127.0.0.1 vortex.data.microsoft.com`
			`127.0.0.1 settings-win.data.microsoft.com`
			`127.0.0.1 watson.telemetry.microsoft.com`
			`127.0.0.1 feedback.windows.com`
			`127.0.0.1 activity.windows.com`
			`127.0.0.1 assets.onestore.microsoft.com`
			`127.0.0.1 c1.microsoft.com`
			`127.0.0.1 c2.microsoft.com`
			`127.0.0.1 c3.microsoft.com`
			`127.0.0.1 msftncsi.com`
			`127.0.0.1 officeclient.microsoft.com`
			`127.0.0.1 www.msftconnecttest.com`
Now it is an actual guide 2024-12-16 03:15:09 +00:00			`"@`
			`Add-Content -Path $hostsPath -Value $domains`
lfg6 2024-12-15 03:03:27 +00:00
Now it is an actual guide 2024-12-16 03:15:09 +00:00			`## Disable telemetry`
lfg6 2024-12-15 03:03:27 +00:00
Now it is an actual guide 2024-12-16 03:15:09 +00:00			`# Disable via Group Policy`
			`reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f`
lfg6 2024-12-15 03:03:27 +00:00
Now it is an actual guide 2024-12-16 03:15:09 +00:00			`# Disable telemetry services`
lfg6 2024-12-15 03:03:27 +00:00			`sc.exe stop DiagTrack`
			`sc.exe delete DiagTrack`
			`sc.exe stop diagnosticshub.standardcollector.service`
			`sc.exe delete diagnosticshub.standardcollector.service`
			`sc.exe stop dmwappushservice`
			`sc.exe delete dmwappushservice`


Now it is an actual guide 2024-12-16 03:15:09 +00:00			`## Disable Tracking Features`

			`# Remove all pre-installed apps`
			`Get-AppxPackage -AllUsers \| Remove-AppxPackage`
			`Get-AppxProvisionedPackage -Online \| Remove-AppxProvisionedPackage -Online`


			`## Disable Cortana`
lfg6 2024-12-15 03:03:27 +00:00
			`reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f`

Now it is an actual guide 2024-12-16 03:15:09 +00:00
			`## Disable Feedback Requests`
lfg6 2024-12-15 03:03:27 +00:00			`reg add "HKCU\Software\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d 0 /f`
			`reg add "HKCU\Software\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /t REG_QWORD /d 0 /f`

Now it is an actual guide 2024-12-16 03:15:09 +00:00			`## Block Microsoft Telemetry Domains`

lfg6 2024-12-15 03:03:27 +00:00
Now it is an actual guide 2024-12-16 03:15:09 +00:00			`## Disable Windows Defender (Tracking)`
lfg6 2024-12-15 03:03:27 +00:00			`Set-MpPreference -DisableRealtimeMonitoring $true`

Now it is an actual guide 2024-12-16 03:15:09 +00:00			`## Disable Data Sharing Features`

			`# Disable OneDrive`
			`reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /v "DisableFileSyncNGSC" /t REG_DWORD /d 1 /f`

lfg6 2024-12-15 03:03:27 +00:00			`# Disable Activity History`
			`reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d 0 /f`
			`reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f`
			`reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 0 /f`

Now it is an actual guide 2024-12-16 03:15:09 +00:00			`## Disable Windows Auto Update (Tracking)`

lfg6 2024-12-15 03:03:27 +00:00			`# Disable Windows Update Service`
Now it is an actual guide 2024-12-16 03:15:09 +00:00			`sc config wuauserv start=disabled # Not working?`
			`sc stop wuauserv`


			`## Disable Telemetry via Firewall`
lfg6 2024-12-15 03:03:27 +00:00
Now it is an actual guide 2024-12-16 03:15:09 +00:00			`# Block Telemetry Domains`
lfg6 2024-12-15 03:03:27 +00:00			`netsh advfirewall firewall add rule name="BlockTelemetry" dir=out action=block remoteip=13.107.4.50,23.216.10.10,204.79.197.200`

Now it is an actual guide 2024-12-16 03:15:09 +00:00			`# Disable online search in Start Menu`
lfg6 2024-12-15 03:03:27 +00:00			`reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d 0 /f`
			`reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 0 /f`

Now it is an actual guide 2024-12-16 03:15:09 +00:00
			`### Things I didn't try/test: Use Advanced Privacy Tools`

			`1. Download and run [O&O ShutUp10++](https://www.oo-software.com/en/shutup10).`
			`- Apply all "Recommended" and "Recommended and somewhat recommended" settings.`
			`2. Install [WPD](https://wpd.app/) for additional telemetry blocking.`
lfg6 2024-12-15 03:03:27 +00:00

			`### Old privacy hardening notes below`

			`# Disable all networking except for programs you need it for.`

			`# Alternatively try these and use a good firewall, don't allow unwanted sites.`

			`# Uninstall tracking updates:`
			`wusa /uninstall /kb:3083710 /quiet /norestart`
			`wusa /uninstall /kb:3083711 /quiet /norestart`
			`wusa /uninstall /kb:3065988 /quiet /norestart`
			`wusa /uninstall /kb:3083325 /quiet /norestart`
			`wusa /uninstall /kb:3083324 /quiet /norestart`
			`wusa /uninstall /kb:2976978 /quiet /norestart`
			`wusa /uninstall /kb:3075853 /quiet /norestart`
			`wusa /uninstall /kb:3065987 /quiet /norestart`
			`wusa /uninstall /kb:3050265 /quiet /norestart`
			`wusa /uninstall /kb:3050267 /quiet /norestart`
			`wusa /uninstall /kb:3075851 /quiet /norestart`
			`wusa /uninstall /kb:2902907 /quiet /norestart`
			`wusa /uninstall /kb:3068708 /quiet /norestart`
			`wusa /uninstall /kb:3022345 /quiet /norestart`
			`wusa /uninstall /kb:2952664 /quiet /norestart`
			`wusa /uninstall /kb:2990214 /quiet /norestart`
			`wusa /uninstall /kb:3035583 /quiet /norestart`
			`wusa /uninstall /kb:3021917 /quiet /norestart`
			`wusa /uninstall /kb:3044374 /quiet /norestart`
			`wusa /uninstall /kb:3046480 /quiet /norestart`
			`wusa /uninstall /kb:3075249 /quiet /norestart`
			`wusa /uninstall /kb:3080149 /quiet /norestart`


			`# Stop tracking Services:`
			`sc stop DiagTrack`
			`sc stop dmwappushservice`
			`sc delete DiagTrack`
			`sc delete dmwappushservice`


			`# Or Windows behind a firewall and block Microsoft...`