six
/
LWHP
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
LWHP/windows_11_hardening_w_priv...

142 lines
5.2 KiB
Plaintext
Raw Permalink Blame History

## Simplified Version
### Guides worth considering:
# https://github.com/beerisgood/Windows11_Hardening - txt guide
# hotcakex guide -> https://www.reddit.com/r/cybersecurity/comments/10x986w/harden_windows_security_the_right_way_only_with/
# First, install without internet and local account (disable WLAN from BIOS and Shift+F10, OOBE\BYPASSNRO)
# Second, Block ALL traffic in firewall, set default to block and set enabled services to block too
# Third, be aware this fucker is enabling firewall rules automatically after you enable WLAN. You want to block those too, but idk how to avoid Windows setting their own rules without permission. Fucking crazy this is rules appear in firewall without consent.
# ! Run the commands below, then restart and then allow internet only.
### Copy paste privacy settings
# Block Microsoft Telemetry Domains via Hosts File
Write-Host "Blocking telemetry domains..." -ForegroundColor Green
$hostsPath = "C:\Windows\System32\drivers\etc\hosts"
$domains = @"
127.0.0.1 vortex.data.microsoft.com
127.0.0.1 settings-win.data.microsoft.com
127.0.0.1 watson.telemetry.microsoft.com
127.0.0.1 feedback.windows.com
127.0.0.1 activity.windows.com
127.0.0.1 assets.onestore.microsoft.com
127.0.0.1 c1.microsoft.com
127.0.0.1 c2.microsoft.com
127.0.0.1 c3.microsoft.com
127.0.0.1 msftncsi.com
127.0.0.1 officeclient.microsoft.com
127.0.0.1 www.msftconnecttest.com
"@
Add-Content -Path $hostsPath -Value $domains
## Disable telemetry
# Disable via Group Policy
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f
# Disable telemetry services
sc.exe stop DiagTrack
sc.exe delete DiagTrack
sc.exe stop diagnosticshub.standardcollector.service
sc.exe delete diagnosticshub.standardcollector.service
sc.exe stop dmwappushservice
sc.exe delete dmwappushservice
## Disable Tracking Features
# Remove all pre-installed apps
Get-AppxPackage -AllUsers | Remove-AppxPackage
Get-AppxProvisionedPackage -Online | Remove-AppxProvisionedPackage -Online
## Disable Cortana
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f
## Disable Feedback Requests
reg add "HKCU\Software\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /t REG_QWORD /d 0 /f
## Block Microsoft Telemetry Domains
## Disable Windows Defender (Tracking)
Set-MpPreference -DisableRealtimeMonitoring $true
## Disable Data Sharing Features
# Disable OneDrive
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /v "DisableFileSyncNGSC" /t REG_DWORD /d 1 /f
# Disable Activity History
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 0 /f
## Disable Windows Auto Update (Tracking)
# Disable Windows Update Service
sc config wuauserv start=disabled # Not working?
sc stop wuauserv
## Disable Telemetry via Firewall
# Block Telemetry Domains
netsh advfirewall firewall add rule name="BlockTelemetry" dir=out action=block remoteip=13.107.4.50,23.216.10.10,204.79.197.200
# Disable online search in Start Menu
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 0 /f
### Things I didn't try/test: Use Advanced Privacy Tools
1. Download and run **[O&O ShutUp10++](https://www.oo-software.com/en/shutup10)**.
- Apply all "Recommended" and "Recommended and somewhat recommended" settings.
2. Install **[WPD](https://wpd.app/)** for additional telemetry blocking.
### Old privacy hardening notes below
# Disable all networking except for programs you need it for.
# Alternatively try these and use a good firewall, don't allow unwanted sites.
# Uninstall tracking updates:
wusa /uninstall /kb:3083710 /quiet /norestart
wusa /uninstall /kb:3083711 /quiet /norestart
wusa /uninstall /kb:3065988 /quiet /norestart
wusa /uninstall /kb:3083325 /quiet /norestart
wusa /uninstall /kb:3083324 /quiet /norestart
wusa /uninstall /kb:2976978 /quiet /norestart
wusa /uninstall /kb:3075853 /quiet /norestart
wusa /uninstall /kb:3065987 /quiet /norestart
wusa /uninstall /kb:3050265 /quiet /norestart
wusa /uninstall /kb:3050267 /quiet /norestart
wusa /uninstall /kb:3075851 /quiet /norestart
wusa /uninstall /kb:2902907 /quiet /norestart
wusa /uninstall /kb:3068708 /quiet /norestart
wusa /uninstall /kb:3022345 /quiet /norestart
wusa /uninstall /kb:2952664 /quiet /norestart
wusa /uninstall /kb:2990214 /quiet /norestart
wusa /uninstall /kb:3035583 /quiet /norestart
wusa /uninstall /kb:3021917 /quiet /norestart
wusa /uninstall /kb:3044374 /quiet /norestart
wusa /uninstall /kb:3046480 /quiet /norestart
wusa /uninstall /kb:3075249 /quiet /norestart
wusa /uninstall /kb:3080149 /quiet /norestart
# Stop tracking Services:
sc stop DiagTrack
sc stop dmwappushservice
sc delete DiagTrack
sc delete dmwappushservice
# Or Windows behind a firewall and block Microsoft...
Reference in New Issue View Git Blame Copy Permalink