six
/
LWHP
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Now it is an actual guide

master
six 2024-12-16 03:15:09 +00:00
parent 40130c5961
commit bea7149bd6
1 changed files with 62 additions and 198 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

260
windows_11_hardening_w_privacy.txt
View File

@ -1,193 +1,15 @@
## TBA, fix mess ## Simplified Version
### Relevant + newer repos found ### Guides worth considering:
# https://github.com/beerisgood/Windows11_Hardening - txt guide # https://github.com/beerisgood/Windows11_Hardening - txt guide
# hotcakex guide -> https://www.reddit.com/r/cybersecurity/comments/10x986w/harden_windows_security_the_right_way_only_with/ # hotcakex guide -> https://www.reddit.com/r/cybersecurity/comments/10x986w/harden_windows_security_the_right_way_only_with/
# First, install without internet and local account (disable WLAN from BIOS and Shift+F10, OOBE\BYPASSNRO)
# Second, Block ALL traffic in firewall, set default to block and set enabled services to block too
# Third, be aware this fucker is enabling firewall rules automatically after you enable WLAN. You want to block those too, but idk how to avoid Windows setting their own rules without permission. Fucking crazy this is rules appear in firewall without consent.
# ! Run the commands below, then restart and then allow internet only.
### Copy paste privacy settings
### ChatGPT Answer
Here's the answer in **Gitea Markdown** format:
```markdown
# Remove ALL Tracking from Windows 11
This guide provides commands and steps to remove all tracking from Windows 11. **Warning:** This will break some functionality, including Windows Updates, the Microsoft Store, Cortana, and other system features. Proceed with caution.
---
## 1. Disable Telemetry via Group Policy or Registry
### Group Policy Settings via PowerShell
```powershell
# Disable telemetry via Group Policy
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f
```
### Block Data Collection via Services
```powershell
# Disable telemetry services
sc stop DiagTrack
sc delete DiagTrack
sc stop diagnosticshub.standardcollector.service
sc delete diagnosticshub.standardcollector.service
sc stop dmwappushservice
sc delete dmwappushservice
```
---
## 2. Disable Tracking Features
### Remove Pre-installed Apps
```powershell
# Remove all pre-installed apps
Get-AppxPackage -AllUsers | Remove-AppxPackage
Get-AppxProvisionedPackage -Online | Remove-AppxProvisionedPackage -Online
```
### Disable Cortana
```powershell
# Disable Cortana
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f
```
### Disable Feedback Requests
```powershell
# Turn off feedback requests
reg add "HKCU\Software\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /t REG_QWORD /d 0 /f
```
---
## 3. Block Microsoft Telemetry Domains
### Open HOSTS File
```powershell
notepad C:\Windows\System32\drivers\etc\hosts
```
### Add Telemetry Domains
Add the following lines to the `hosts` file:
```plaintext
127.0.0.1 vortex.data.microsoft.com
127.0.0.1 settings-win.data.microsoft.com
127.0.0.1 watson.telemetry.microsoft.com
127.0.0.1 feedback.windows.com
127.0.0.1 activity.windows.com
127.0.0.1 assets.onestore.microsoft.com
127.0.0.1 c1.microsoft.com
127.0.0.1 c2.microsoft.com
127.0.0.1 c3.microsoft.com
127.0.0.1 msftncsi.com
127.0.0.1 officeclient.microsoft.com
127.0.0.1 www.msftconnecttest.com
```
Save the file and reboot.
---
## 4. Disable Tracking Using PowerShell
### Disable Windows Defender (Tracking)
```powershell
# Disable Windows Defender
Set-MpPreference -DisableRealtimeMonitoring $true
```
### Disable Data Sharing Features
```powershell
# Disable OneDrive
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /v "DisableFileSyncNGSC" /t REG_DWORD /d 1 /f
# Disable Activity History
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 0 /f
```
---
## 5. Disable Windows Update (Tracking)
Completely disable Windows Updates to stop telemetry-related data collection.
```powershell
# Disable Windows Update Service
sc config wuauserv start= disabled
sc stop wuauserv
```
---
## 6. Disable Telemetry via Firewall
### Block Telemetry Domains
```powershell
netsh advfirewall firewall add rule name="BlockTelemetry" dir=out action=block remoteip=13.107.4.50,23.216.10.10,204.79.197.200
```
---
## 7. Use Advanced Privacy Tools
1. Download and run **[O&O ShutUp10++](https://www.oo-software.com/en/shutup10)**.
- Apply all "Recommended" and "Recommended and somewhat recommended" settings.
2. Install **[WPD](https://wpd.app/)** for additional telemetry blocking.
---
## 8. Disable Online Features
```powershell
# Disable online search in Start Menu
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 0 /f
```
---
## 9. Use a Debloated ISO
For a fully stripped-down version of Windows 11, consider:
- Installing a debloated custom ISO like **[AtlasOS](https://atlasos.net/)**.
- Creating your own using **NTLite**.
---
Would you like a pre-made script to automate these steps? Let me know!
```
## GPT Sciprt:
# Set-ExecutionPolicy Bypass -Scope Process -Force .\RemoveTracking.ps1
```
# Disable Telemetry Services
Write-Host "Disabling telemetry services..." -ForegroundColor Green
sc.exe stop DiagTrack
sc.exe delete DiagTrack
sc.exe stop diagnosticshub.standardcollector.service
sc.exe delete diagnosticshub.standardcollector.service
sc.exe stop dmwappushservice
sc.exe delete dmwappushservice
# Disable Telemetry via Registry
Write-Host "Disabling telemetry via registry..." -ForegroundColor Green
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f
# Remove Pre-installed Apps
Write-Host "Removing pre-installed apps..." -ForegroundColor Green
Get-AppxPackage -AllUsers | Remove-AppxPackage -ErrorAction SilentlyContinue
Get-AppxProvisionedPackage -Online | Remove-AppxProvisionedPackage -Online -ErrorAction SilentlyContinue
# Disable Cortana
Write-Host "Disabling Cortana..." -ForegroundColor Green
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f
# Disable Feedback Requests
Write-Host "Disabling feedback requests..." -ForegroundColor Green
reg add "HKCU\Software\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /t REG_QWORD /d 0 /f
# Block Microsoft Telemetry Domains via Hosts File # Block Microsoft Telemetry Domains via Hosts File
Write-Host "Blocking telemetry domains..." -ForegroundColor Green Write-Host "Blocking telemetry domains..." -ForegroundColor Green
@ -208,32 +30,74 @@ $domains = @"
"@ "@
Add-Content -Path $hostsPath -Value $domains Add-Content -Path $hostsPath -Value $domains
# Disable Defender Realtime Monitoring ## Disable telemetry
Write-Host "Disabling Windows Defender real-time monitoring..." -ForegroundColor Green
# Disable via Group Policy
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f
# Disable telemetry services
sc.exe stop DiagTrack
sc.exe delete DiagTrack
sc.exe stop diagnosticshub.standardcollector.service
sc.exe delete diagnosticshub.standardcollector.service
sc.exe stop dmwappushservice
sc.exe delete dmwappushservice
## Disable Tracking Features
# Remove all pre-installed apps
Get-AppxPackage -AllUsers | Remove-AppxPackage
Get-AppxProvisionedPackage -Online | Remove-AppxProvisionedPackage -Online
## Disable Cortana
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f
## Disable Feedback Requests
reg add "HKCU\Software\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /t REG_QWORD /d 0 /f
## Block Microsoft Telemetry Domains
## Disable Windows Defender (Tracking)
Set-MpPreference -DisableRealtimeMonitoring $true Set-MpPreference -DisableRealtimeMonitoring $true
## Disable Data Sharing Features
# Disable OneDrive
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /v "DisableFileSyncNGSC" /t REG_DWORD /d 1 /f
# Disable Activity History # Disable Activity History
Write-Host "Disabling activity history..." -ForegroundColor Green
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 0 /f
# Disable Windows Update Service ## Disable Windows Auto Update (Tracking)
Write-Host "Disabling Windows Update service..." -ForegroundColor Green
sc.exe config wuauserv start= disabled
sc.exe stop wuauserv
# Block Telemetry Domains via Firewall # Disable Windows Update Service
Write-Host "Blocking telemetry domains via firewall..." -ForegroundColor Green sc config wuauserv start=disabled # Not working?
sc stop wuauserv
## Disable Telemetry via Firewall
# Block Telemetry Domains
netsh advfirewall firewall add rule name="BlockTelemetry" dir=out action=block remoteip=13.107.4.50,23.216.10.10,204.79.197.200 netsh advfirewall firewall add rule name="BlockTelemetry" dir=out action=block remoteip=13.107.4.50,23.216.10.10,204.79.197.200
# Disable Online Features # Disable online search in Start Menu
Write-Host "Disabling online features..." -ForegroundColor Green
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d 0 /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 0 /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 0 /f
Write-Host "All tracking has been disabled. Reboot your system for changes to take effect." -ForegroundColor Green
``` ### Things I didn't try/test: Use Advanced Privacy Tools
1. Download and run **[O&O ShutUp10++](https://www.oo-software.com/en/shutup10)**.
- Apply all "Recommended" and "Recommended and somewhat recommended" settings.
2. Install **[WPD](https://wpd.app/)** for additional telemetry blocking.
### Old privacy hardening notes below ### Old privacy hardening notes below