## TBA, fix mess
### Relevant + newer repos found
# https://github.com/beerisgood/Windows11_Hardening - txt guide
# hotcakex guide -> https://www.reddit.com/r/cybersecurity/comments/10x986w/harden_windows_security_the_right_way_only_with/
### ChatGPT Answer
Here's the answer in **Gitea Markdown** format:
```markdown
# Remove ALL Tracking from Windows 11
This guide provides commands and steps to remove all tracking from Windows 11. **Warning:** This will break some functionality, including Windows Updates, the Microsoft Store, Cortana, and other system features. Proceed with caution.
---
## 1. Disable Telemetry via Group Policy or Registry
### Group Policy Settings via PowerShell
```powershell
# Disable telemetry via Group Policy
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f
```
### Block Data Collection via Services
```powershell
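# Disable telemetry services
# (sc.exe is spelled out because in Windows PowerShell 5.1 "sc" is an alias for Set-Content)
sc.exe stop DiagTrack
sc.exe delete DiagTrack
sc.exe stop diagnosticshub.standardcollector.service
sc.exe delete diagnosticshub.standardcollector.service
sc.exe stop dmwappushservice
sc.exe delete dmwappushservice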
```
---
## 2. Disable Tracking Features
### Remove Pre-installed Apps
```powershell
# Remove all pre-installed apps
Get-AppxPackage -AllUsers | Remove-AppxPackage
Get-AppxProvisionedPackage -Online | Remove-AppxProvisionedPackage -Online
```
### Disable Cortana
```powershell
# Disable Cortana
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f
```
### Disable Feedback Requests
```powershell
# Turn off feedback requests
reg add "HKCU\Software\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /t REG_QWORD /d 0 /f
```
---
## 3. Block Microsoft Telemetry Domains
### Open HOSTS File
```powershell
notepad C:\Windows\System32\drivers\etc\hosts
```
### Add Telemetry Domains
Add the following lines to the `hosts` file:
```plaintext
127.0.0.1 vortex.data.microsoft.com
127.0.0.1 settings-win.data.microsoft.com
127.0.0.1 watson.telemetry.microsoft.com
127.0.0.1 feedback.windows.com
127.0.0.1 activity.windows.com
127.0.0.1 assets.onestore.microsoft.com
127.0.0.1 c1.microsoft.com
127.0.0.1 c2.microsoft.com
127.0.0.1 c3.microsoft.com
127.0.0.1 msftncsi.com
127.0.0.1 officeclient.microsoft.com
127.0.0.1 www.msftconnecttest.com
```
Save the file and reboot.
---
## 4. Disable Tracking Using PowerShell
### Disable Windows Defender (Tracking)
```powershell
# Turn off Windows Defender real-time monitoring (this does not remove or disable Defender itself)
Set-MpPreference -DisableRealtimeMonitoring $true
```
### Disable Data Sharing Features
```powershell
# Disable OneDrive
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /v "DisableFileSyncNGSC" /t REG_DWORD /d 1 /f
# Disable Activity History
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 0 /f
```
---
## 5. Disable Windows Update (Tracking)
Completely disable Windows Updates to stop telemetry-related data collection.
```powershell
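# Disable Windows Update Service
# (sc.exe is spelled out because in Windows PowerShell 5.1 "sc" is an alias for Set-Content)
sc.exe config wuauserv start= disabled
sc.exe stop wuauserv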
```
---
## 6. Disable Telemetry via Firewall
### Block Telemetry Domains
```powershell
netsh advfirewall firewall add rule name="BlockTelemetry" dir=out action=block remoteip=13.107.4.50,23.216.10.10,204.79.197.200
```
---
## 7. Use Advanced Privacy Tools
1. Download and run **[O&O ShutUp10++](https://www.oo-software.com/en/shutup10)**.
- Apply all "Recommended" and "Recommended and somewhat recommended" settings.
2. Install **[WPD](https://wpd.app/)** for additional telemetry blocking.
---
## 8. Disable Online Features
```powershell
# Disable online search in Start Menu
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 0 /f
```
---
## 9. Use a Debloated ISO
For a fully stripped-down version of Windows 11, consider:
- Installing a debloated custom ISO like **[AtlasOS](https://atlasos.net/)**.
- Creating your own using **NTLite**.
---
Would you like a pre-made script to automate these steps? Let me know!
```
## GPT Script:
# Set-ExecutionPolicy Bypass -Scope Process -Force; .\RemoveTracking.ps1
```
# Disable Telemetry Services
Write-Host "Disabling telemetry services..." -ForegroundColor Green
sc.exe stop DiagTrack
sc.exe delete DiagTrack
sc.exe stop diagnosticshub.standardcollector.service
sc.exe delete diagnosticshub.standardcollector.service
sc.exe stop dmwappushservice
sc.exe delete dmwappushservice
# Disable Telemetry via Registry
Write-Host "Disabling telemetry via registry..." -ForegroundColor Green
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f
# Remove Pre-installed Apps
Write-Host "Removing pre-installed apps..." -ForegroundColor Green
Get-AppxPackage -AllUsers | Remove-AppxPackage -ErrorAction SilentlyContinue
Get-AppxProvisionedPackage -Online | Remove-AppxProvisionedPackage -Online -ErrorAction SilentlyContinue
# Disable Cortana
Write-Host "Disabling Cortana..." -ForegroundColor Green
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f
# Disable Feedback Requests
Write-Host "Disabling feedback requests..." -ForegroundColor Green
reg add "HKCU\Software\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /t REG_QWORD /d 0 /f
# Block Microsoft Telemetry Domains via Hosts File
Write-Host "Blocking telemetry domains..." -ForegroundColor Green
$hostsPath = "C:\Windows\System32\drivers\etc\hosts"
$domains = @"
127.0.0.1 vortex.data.microsoft.com
127.0.0.1 settings-win.data.microsoft.com
127.0.0.1 watson.telemetry.microsoft.com
127.0.0.1 feedback.windows.com
127.0.0.1 activity.windows.com
127.0.0.1 assets.onestore.microsoft.com
127.0.0.1 c1.microsoft.com
127.0.0.1 c2.microsoft.com
127.0.0.1 c3.microsoft.com
127.0.0.1 msftncsi.com
127.0.0.1 officeclient.microsoft.com
127.0.0.1 www.msftconnecttest.com
"@
Add-Content -Path $hostsPath -Value $domains
# Disable Defender Realtime Monitoring
Write-Host "Disabling Windows Defender real-time monitoring..." -ForegroundColor Green
Set-MpPreference -DisableRealtimeMonitoring $true
# Disable Activity History
Write-Host "Disabling activity history..." -ForegroundColor Green
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 0 /f
# Disable Windows Update Service
Write-Host "Disabling Windows Update service..." -ForegroundColor Green
sc.exe config wuauserv start= disabled
sc.exe stop wuauserv
# Block Telemetry Domains via Firewall
Write-Host "Blocking telemetry domains via firewall..." -ForegroundColor Green
netsh advfirewall firewall add rule name="BlockTelemetry" dir=out action=block remoteip=13.107.4.50,23.216.10.10,204.79.197.200
# Disable Online Features
Write-Host "Disabling online features..." -ForegroundColor Green
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 0 /f
Write-Host "All tracking has been disabled. Reboot your system for changes to take effect." -ForegroundColor Green
```
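To confirm what the script above actually changed on a given machine, the following read-only audit reads each setting back and compares it with the value the script writes. It is an added example, not part of the original notes or of the ChatGPT output; the `Add-Result` helper and the report columns are names made up here, and the three hosts names are a sample of the twelve listed above.

```powershell
# Added example: read-only audit of what the script above sets. Changes nothing.
$report = [System.Collections.Generic.List[object]]::new()
function Add-Result($Check, $Scripted, $Actual) {
    # Compare as strings so a missing value ($null) never equals 0.
    $report.Add([pscustomobject]@{ Check = $Check; Scripted = $Scripted
        Actual = $Actual; Match = ("$Actual" -eq "$Scripted") })
}

# Registry values the script writes, all set to 0. HKCU here is the hive of
# the account running the audit, not of every user on the machine.
$pol  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'
$user = 'HKCU:\Software\Microsoft'
$reg  = @(
    @("$pol\DataCollection", 'AllowTelemetry'),
    @("$pol\Windows Search", 'AllowCortana'),
    @("$pol\System", 'EnableActivityFeed'),
    @("$pol\System", 'PublishUserActivities'),
    @("$pol\System", 'UploadUserActivities'),
    @("$user\Siuf\Rules", 'NumberOfSIUFInPeriod'),
    @("$user\Windows\CurrentVersion\Search", 'BingSearchEnabled')
)
foreach ($r in $reg) {
    $item = Get-ItemProperty -Path $r[0] -Name $r[1] -ErrorAction SilentlyContinue
    $value = if ($item) { $item.($r[1]) } else { $null }
    Add-Result "reg: $($r[1])" 0 $value
}

# Services: three are deleted by the script, wuauserv is stopped and disabled.
$svcs = 'DiagTrack', 'dmwappushservice', 'diagnosticshub.standardcollector.service', 'wuauserv'
foreach ($n in $svcs) {
    $s = Get-Service -Name $n -ErrorAction SilentlyContinue
    $actual = if ($s) { "$($s.Status)/$($s.StartType)" } else { 'absent' }
    $want   = if ($n -eq 'wuauserv') { 'Stopped/Disabled' } else { 'absent' }
    Add-Result "svc: $n" $want $actual
}

# hosts: Add-Content appends on every run, so count each name; 1 is the clean state.
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$names = @(Get-Content $hostsPath | ForEach-Object {
    if ($_ -match '^\s*127\.0\.0\.1\s+(\S+)') { $Matches[1] } })
foreach ($d in 'vortex.data.microsoft.com', 'msftncsi.com', 'www.msftconnecttest.com') {
    Add-Result "hosts: $d" 1 (@($names -eq $d).Count)
}

# netsh adds another rule of the same name on every run, so count those too.
$fw = @(Get-NetFirewallRule -DisplayName 'BlockTelemetry' -ErrorAction SilentlyContinue)
Add-Result 'fw: BlockTelemetry rules' 1 $fw.Count
$mp = Get-MpPreference -ErrorAction SilentlyContinue
Add-Result 'defender: DisableRealtimeMonitoring' $true $mp.DisableRealtimeMonitoring
$report | Format-Table -AutoSize
```

A count above 1 on the hosts or firewall rows means the script was run more than once. On Home and Pro editions an `AllowTelemetry` value of 0 is treated as 1 (required diagnostic data), so a matching registry row there does not mean telemetry is off.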
### Old privacy hardening notes below
# Disable all networking except for programs you need it for.
# Alternatively try these and use a good firewall, don't allow unwanted sites.
# Uninstall tracking updates:
wusa /uninstall /kb:3083710 /quiet /norestart
wusa /uninstall /kb:3083711 /quiet /norestart
wusa /uninstall /kb:3065988 /quiet /norestart
wusa /uninstall /kb:3083325 /quiet /norestart
wusa /uninstall /kb:3083324 /quiet /norestart
wusa /uninstall /kb:2976978 /quiet /norestart
wusa /uninstall /kb:3075853 /quiet /norestart
wusa /uninstall /kb:3065987 /quiet /norestart
wusa /uninstall /kb:3050265 /quiet /norestart
wusa /uninstall /kb:3050267 /quiet /norestart
wusa /uninstall /kb:3075851 /quiet /norestart
wusa /uninstall /kb:2902907 /quiet /norestart
wusa /uninstall /kb:3068708 /quiet /norestart
wusa /uninstall /kb:3022345 /quiet /norestart
wusa /uninstall /kb:2952664 /quiet /norestart
wusa /uninstall /kb:2990214 /quiet /norestart
wusa /uninstall /kb:3035583 /quiet /norestart
wusa /uninstall /kb:3021917 /quiet /norestart
wusa /uninstall /kb:3044374 /quiet /norestart
wusa /uninstall /kb:3046480 /quiet /norestart
wusa /uninstall /kb:3075249 /quiet /norestart
wusa /uninstall /kb:3080149 /quiet /norestart
# Stop tracking Services:
sc stop DiagTrack
sc stop dmwappushservice
sc delete DiagTrack
sc delete dmwappushservice
# Or put Windows behind a firewall and block Microsoft...