{"id":13596574,"url":"https://github.com/HotCakeX/Harden-Windows-Security","last_synced_at":"2025-04-09T16:33:07.427Z","repository":{"id":64218113,"uuid":"569233100","full_name":"HotCakeX/Harden-Windows-Security","owner":"HotCakeX","description":"Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md","archived":false,"fork":false,"pushed_at":"2024-11-19T14:35:27.000Z","size":364132,"stargazers_count":1826,"open_issues_count":4,"forks_count":143,"subscribers_count":37,"default_branch":"main","last_synced_at":"2024-11-19T17:12:14.989Z","etag":null,"topics":["1st-party-security","applicationcontrol","bitlocker","defender","encryption","enterprise-security","firewall-configuration","harden","module","operation-system-security","powershell","powershell-script","proactive","security","security-hardening","tpm2","wdac","windows","windows11","windowsdefender"],"latest_commit_sha":null,"homepage":"https://hotcakex.github.io","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/HotCakeX.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":"CITATION.cff","codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-11-22T11:26:53.000Z","updated_at":"2024-11-19T15:57:33.000Z","dependencies_parsed_at":"2023-12-22T12:10:13.088Z","dependency_job_id":"0ee83d20-5d06-4e68-8872
-6b2d0354fa95","html_url":"https://github.com/HotCakeX/Harden-Windows-Security","commit_stats":{"total_commits":3435,"total_committers":7,"mean_commits":490.7142857142857,"dds":0.2570596797671033,"last_synced_commit":"4448624f057bb2bcc6136f5739949bf1185da3b4"},"previous_names":[],"tags_count":141,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HotCakeX%2FHarden-Windows-Security","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HotCakeX%2FHarden-Windows-Security/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HotCakeX%2FHarden-Windows-Security/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HotCakeX%2FHarden-Windows-Security/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/HotCakeX","download_url":"https://codeload.github.com/HotCakeX/Harden-Windows-Security/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248067982,"owners_count":21042395,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["1st-party-security","applicationcontrol","bitlocker","defender","encryption","enterprise-security","firewall-configuration","harden","module","operation-system-security","powershell","powershell-script","proactive","security","security-hardening","tpm2","wdac","windows","windows11","windowsdefender"],"created_at":"2024-08-01T16:02:34.760Z","updated_at":"2025-04-09T16:33:02.416Z","avatar_url":"https://github.com/HotCakeX.png","language":"C#",
"funding_links":[],"categories":["C# #","Windows Hardening","Other Lists","C\\#","windows11","windows","C#"],"sub_categories":["🧪 LAB"],"readme":"\u003cdiv align=\"center\"\u003e\n\n![Big Yummy Donut](https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/dripwelcome1.gif)![Big Yummy Donut](https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/donuts.gif)![Big Yummy Donut](https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/dripwelcome2.gif)\n\n\u003cbr\u003e\n\n# Harden Windows Security | A New Threat to Malware\n\n\u003ca name=\"readme-top\"\u003e\u003c/a\u003e\n\n## Harden Windows Safely, Securely, Only With Official Microsoft Methods\n\n\u003c/div\u003e\n\n\u003cdiv align=\"center\"\u003e\n\u003ca href=\"https://www.powershellgallery.com/packages/Harden-Windows-Security-Module\"\u003e\u003cimg src=\"https://img.shields.io/powershellgallery/v/Harden-Windows-Security-Module?include_prereleases\u0026logo=Github\u0026logoColor=rgb(76%2C%2082%2C%20112)\u0026label=Harden%20Windows%20Security%20Module\u0026labelColor=rgb(233%2C255%2C125)\u0026color=rgb(246%2C%2082%2C%20160)\" alt=\"PowerShell Gallery Version (including pre-releases)\"\u003e\u003c/a\u003e \u003ca href=\"https://www.powershellgallery.com/packages/WDACConfig\"\u003e\u003cimg src=\"https://img.shields.io/powershellgallery/v/WDACConfig?include_prereleases\u0026logo=Github\u0026logoColor=rgb(76%2C%2082%2C%20112)\u0026label=WDACConfig%20Module\u0026labelColor=rgb(233%2C255%2C125)\u0026color=rgb(246%2C%2082%2C%20160)\" alt=\"PowerShell Gallery Version (including pre-releases)\"\u003e\u003c/a\u003e\n\u003c/div\u003e\n\n\u003ch6 align=\"center\"\u003e\n\n\u003ca href=\"https://twitter.com/intent/tweet?text=Harden%20Windows%20Security%20Using%20Official%20Microsoft%20Methods%20https://github.com/HotCakeX/Harden-Windows-Security/\"\u003e\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/SVGs/Twitter%20with%20URL.svg\" alt=\"Twitter 
Share button\"\u003e\u003c/a\u003e\n\n\u003c/h6\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"#hardening-Categories\"\u003eHardening Categories\u003c/a\u003e \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/cool-colours.gif\" width=\"12\" alt=\"rotating colorful thing\"\u003e\n  \u003ca href=\"#how-to-use\"\u003eHow To Use\u003c/a\u003e \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/cool-colours.gif\" width=\"12\" alt=\"rotating colorful thing\"\u003e\n  \u003ca href=\"#features\"\u003eFeatures\u003c/a\u003e \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/cool-colours.gif\" width=\"12\" alt=\"rotating colorful thing\"\u003e\n  \u003ca href=\"#related\"\u003eRelated\u003c/a\u003e \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/cool-colours.gif\" width=\"12\" alt=\"rotating colorful thing\"\u003e\n  \u003ca href=\"#Trust\"\u003eTrust\u003c/a\u003e \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/cool-colours.gif\" width=\"12\" alt=\"rotating colorful thing\"\u003e\n  \u003ca href=\"#support\"\u003eSupport\u003c/a\u003e \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/cool-colours.gif\" width=\"12\" alt=\"rotating colorful thing\"\u003e\n  \u003ca href=\"#security-recommendations\"\u003e\u003cb\u003eSecurity Recommendations\u003c/b\u003e\u003c/a\u003e \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/cool-colours.gif\" width=\"12\" alt=\"rotating colorful thing\"\u003e\n  \u003ca href=\"#resources\"\u003eResources\u003c/a\u003e \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/cool-colours.gif\" width=\"12\" alt=\"rotating colorful thing\"\u003e\n  \u003ca href=\"#license\"\u003eLicense\u003c/a\u003e \u003cimg 
src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/cool-colours.gif\" width=\"12\" alt=\"rotating colorful thing\"\u003e\n  \u003ca href=\"https://github.com/HotCakeX/Harden-Windows-Security/wiki\"\u003e\u003cb\u003eWiki\u003c/b\u003e\u003c/a\u003e \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/cool-colours.gif\" width=\"12\" alt=\"rotating colorful thing\"\u003e\n  \u003ca href=\"https://github.com/HotCakeX/Harden-Windows-Security/wiki/Answers-to-the-Basic-Frequently-Asked-Questions\"\u003e\u003cb\u003eBasic FAQs\u003c/b\u003e\u003c/a\u003e \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/cool-colours.gif\" width=\"12\" alt=\"rotating colorful thing\"\u003e \u003ca href=\"#roadmap\"\u003e\u003cb\u003eRoadmap\u003c/b\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/febfcc2b3be66ef0d5ecd74694157622a7fde865/Pictures/SVG/SVG%20line%20wave%20yellow%20pink%20inverted.svg\" width= \"300000\" alt=\"horizontal super thin rainbow RGB line\"\u003e\n\n\u003e [!IMPORTANT]\\\n\u003e Click/Tap on Each of the Items Below to Access Them on This GitHub Repository\n\u003e\n\u003e ### \u003cimg width=\"50\" src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/tada-cyan.gif\" alt=\"Indicator for Windows Defender Application Control Resources\"\u003e \u003ca href=\"https://github.com/HotCakeX/Harden-Windows-Security/wiki/Introduction\"\u003e Windows Defender Application Control Resources \u003c/a\u003e\n\u003e\n\u003e ### \u003cimg width=\"50\" src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/tada-purple.gif\" alt=\"Indicator for The WDACConfig Module for Windows Defender Application Control\"\u003e \u003ca href=\"https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDACConfig\"\u003e The WDACConfig Module for Windows Defender Application Control \u003c/a\u003e\n\u003e\n\u003e 
### \u003cimg width=\"50\" src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/colorful-heart.gif\" alt=\"Indicator for the Rationale Behind This GitHub Repository\"\u003e \u003ca href=\"https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md\"\u003e Read the Rationale Behind This GitHub Repository \u003c/a\u003e\n\n\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/febfcc2b3be66ef0d5ecd74694157622a7fde865/Pictures/SVG/SVG%20line%20wave%20yellow%20pink.svg\" width= \"300000\" alt=\"horizontal super thin rainbow RGB line\"\u003e\n\n\u003cbr\u003e\n\n\u003e [!NOTE]\\\n\u003e Windows by default is secure and safe, this repository does not imply nor claim otherwise. Just like anything, you have to use it wisely and don't compromise yourself with reckless behavior and bad user configuration; Nothing is foolproof. This repository only uses the tools and features that have already been implemented by Microsoft in Windows OS to fine-tune it towards the highest security and locked-down state, using well-documented, supported, recommended and official methods. 
Continue reading for comprehensive info.\n\n\u003cbr\u003e\n\n## How To Use\u003ca href=\"#how-to-use\"\u003e![HowToUseIcon](https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/HowToUse.png)\u003c/a\u003e\n\n### \u003cimg width=\"35\" src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/SVGs/github-pink.svg\" alt=\"GitHub logo pink SVG\"\u003e Start The Harden Windows Security Using GUI [(Graphical User Interface)](https://youtu.be/a8YbihowTVg?si=hGUS2KAW_z80Hnx8)\n\n```powershell\n(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'P'|iex\n```\n\n\u003cbr\u003e\n\n### \u003cimg width=\"35\" src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/SVGs/powershell-pink.svg\" alt=\"PowerShell icon Pink\"\u003e Install the Harden Windows Security Module from [PowerShell Gallery](https://www.powershellgallery.com/packages/Harden-Windows-Security-Module/)\n\n[**Check the documentation and How to use**](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Harden%E2%80%90Windows%E2%80%90Security%E2%80%90Module)\n\n\u003cdetails\u003e\n\u003csummary\u003e\n\nClick/Tap here for commands\n\n```powershell\nInstall-Module -Name 'Harden-Windows-Security-Module' -Force\n```\n\n\u003c/summary\u003e\n\n```powershell\nProtect-WindowsSecurity\n```\n```powershell\nConfirm-SystemCompliance\n```\n```powershell\nUnprotect-WindowsSecurity\n```\n\n\u003c/details\u003e\n\n![Animated APNG demonstrating how the Harden Windows Security PowerShell module works](https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/APNGs/Harden%20Windows%20Security%20Demo%201.apng)\n\n\u003cbr\u003e\n\n\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif\" width= \"300000\" alt=\"horizontal super thin rainbow RGB line\"\u003e\n\n\u003cbr\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca 
href=\"https://youtu.be/AksQ0NACRxY?si=b4L1lA4VGsZJsfV7\"\u003e\n    \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/PNG%20and%20JPG/Harden%20Windows%20Security%20Module%20Demo.png\" width=\"500\"\n         alt=\"YouTube Video showcase\"\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\n\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif\" width= \"300000\" alt=\"horizontal super thin rainbow RGB line\"\u003e\n\n\u003cbr\u003e\n\n\u003cdiv align=\"center\"\u003e\n\n\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/Harden%20Windows%20Security%20Module%20Demo.gif\" width=\"500\" alt=\"horizontal super thin rainbow RGB line\"\u003e\n\n\u003c/div\u003e\n\n\u003cbr\u003e\n\n\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif\" width= \"300000\" alt=\"horizontal super thin rainbow RGB line\"\u003e\n\n\u003cbr\u003e\n\n## Requirements \u003ca href=\"#requirements\"\u003e![RequirementsIcon](https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Requirements.png)\u003c/a\u003e\n\n\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/verticalshine.gif\" width=\"27\" alt=\"Requirements item\"\u003e PowerShell (latest version), Install it from [🛍️ Microsoft Store](https://apps.microsoft.com/store/detail/powershell/9MZ1SNWT0N5D) or using Winget: `Winget install Microsoft.PowerShell`\n\n\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/verticalshine.gif\" width=\"27\" alt=\"Requirements item\"\u003e Any device that meets the [Windows 11 hardware](https://www.microsoft.com/en-in/windows/windows-11-specifications?r=1) and [Virtualization Based Security](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs) requirements.\n\n\u003cimg 
src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/verticalshine.gif\" width=\"27\" alt=\"Requirements item\"\u003e Virtualization technology and Secure Boot enabled in your UEFI settings. [Official guide](https://support.microsoft.com/en-us/windows/windows-11-and-secure-boot-a8ff1202-c0d9-42f5-940f-843abef64fad) - How to enable Secure Boot on: [HP](https://support.hp.com/document/ish_4300937-4295746-16?openCLC=true) - [Lenovo](https://support.lenovo.com/solutions/ht509044) - [Dell](https://www.dell.com/support/kbdoc/000190116/How-to-Enable-Secure-Boot-on-Your-Dell-Device).\n\n\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/verticalshine.gif\" width=\"27\" alt=\"Requirements item\"\u003e No 3rd party AV installed.\n\n\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/verticalshine.gif\" width=\"27\" alt=\"Requirements item\"\u003e [Latest available version](https://www.microsoft.com/en-us/software-download/windows11/) of Windows installed.\n\n\u003e [!TIP]\\\n\u003e Restart your device after applying the hardening measures.\n\n\u003cbr\u003e\n\n\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif\" width= \"300000\" alt=\"Harden-Windows-Security is a PowerShell module\"\u003e\n\n\u003cbr\u003e\n\n## Features \u003ca href=\"#features\"\u003e![FeaturesIcon](https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Features.png)\u003c/a\u003e\n\n\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/Shiny.gif\" width=\"27\" alt=\"Features Item\"\u003e Everything always stays up-to-date with the newest proactive security measures that are industry standards and scalable.\n\n\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/Shiny.gif\" width=\"27\" alt=\"Features Item\"\u003e Everything is in clear text, nothing 
hidden, no 3rd party executable or pre-compiled binary is involved.\n\n\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/Shiny.gif\" width=\"27\" alt=\"Features Item\"\u003e No Windows functionality is removed/disabled against Microsoft's recommendations.\n\n\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/Shiny.gif\" width=\"27\" alt=\"Features Item\"\u003e All of the links and sources are from official Microsoft websites, straight from the source. No bias, No FUD, No misinformation and definitely No old obsolete methods. That's why there are no links to 3rd party news websites, forums, made up blogs/articles, and such.\n\n\u003cdetails\u003e\u003csummary\u003eWith the following exceptions\u003c/summary\u003e\n\n| Link Count| Link                     | Reason                                                     |\n|:----:|:-----------------------------:|:----------------------------------------------------------:|\n| 1    | Intel website                 | i7 13700k product page                                     |\n| 1    | state.gov                     | List of State Sponsors of Terrorism                        |\n| 1    | orpa.princeton.edu            | OFAC Sanctioned Countries                                  |\n| 2    | Wikipedia                     | TLS - providing additional information                     |\n| 1    | UK Cyber Security Centre      | TLS - providing additional information                     |\n| 1    | Security.Stackexchange Q\u0026A    | TLS - providing additional information                     |\n| 1    | browserleaks.com/tls          | TLS - Browser test                                         |\n| 1    | clienttest.ssllabs.com        | TLS - Browser test                                         |\n| 1    | scanigma.com/knowledge-base   | TLS - providing additional information                     |\n| 1    | cloudflare.com/ssl/reference/ | TLS - providing 
additional information                     |\n| 1    | github.com/ssllabs/research/  | TLS - providing additional information                     |\n| 1    | Wayback Machine               | Providing additional information about Edge Browser        |\n\n\u003c/details\u003e\n\n\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/Shiny.gif\" width=\"27\" alt=\"Features Item\"\u003e The module primarily uses Group policies, **the Microsoft recommended way of configuring Windows**. It also uses PowerShell cmdlets where Group Policies aren't available, and finally uses [a few registry keys](https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Harden-Windows-Security%20Module/Main%20files/Resources/Registry.csv) to configure security measures that can neither be configured using Group Policies nor PowerShell cmdlets. This is why the module doesn't break anything or cause unwanted behavior.\n\n\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/Shiny.gif\" width=\"27\" alt=\"Features Item\"\u003e This Readme page lists **all** of the security measures applied by the module.\n\n\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/Shiny.gif\" width=\"27\" alt=\"Features Item\"\u003e When a hardening measure is no longer necessary because it's applied by default by Microsoft on new builds of Windows, it will also be removed from the module in order to prevent any problems and because it won't be necessary anymore.\n\n\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/Shiny.gif\" width=\"27\" alt=\"Features Item\"\u003e The module can be run infinite number of times, it's made in a way that it won't make any duplicate changes.\n\n\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/Shiny.gif\" width=\"27\" alt=\"Features Item\"\u003e Applying these hardening measures makes your PC 
compliant with Microsoft Security Baselines and Secured-core PC specifications (provided that you use modern hardware that supports the latest Windows security features) - [See what makes a Secured-core PC](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure-11#what-makes-a-secured-core-pc) - \u003ca href=\"https://github.com/HotCakeX/Harden-Windows-Security/wiki/Device-Guard-and-Virtualization-Based-Security-in-Windows\"\u003eCheck Device Guard article for more info\u003c/a\u003e\n\u003e [Secured-core](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure-11) – recommended for the most sensitive systems and industries like financial, healthcare, and government agencies. Builds on the previous layers and leverages advanced processor capabilities to provide protection from firmware attacks.\n\n\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/Shiny.gif\" width=\"27\" alt=\"Features Item\"\u003e Since I originally created this repository for myself and people I care about, I always maintain it to the highest possible standard.\n\n\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/Shiny.gif\" width=\"27\" alt=\"Features Item\"\u003e If you have multiple accounts on your device, you only need to apply the hardening measures 1 time with Admin privileges, that will make system-wide changes. Then you can ***optionally*** run the module, without Admin privileges, for each standard user to apply the [Non-Admin category](https://github.com/HotCakeX/Harden-Windows-Security#non-admin-commands).\n\n\u003cbr\u003e\n\n\u003e [!WARNING]\\\n\u003e For your own security, exercise caution when considering any other 3rd-party tools, programs, or scripts claiming to harden or modify Windows OS in any way. Verify their legitimacy thoroughly before use and after each release. Avoid blind trust in 3rd party Internet sources. 
Additionally, if they don't adhere to the rules mentioned above, they can cause system damage, unknown issues, and bugs.\n\u003e\n\u003e * \u003ca href=\"#Trust\"\u003eRead the Trust section\u003c/a\u003e to see how you can 100% Trust this repository.\n\u003e * [How are Group Policies for this module created and maintained?](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Group-Policy#how-are-group-policies-for-the-module-created-and-maintained)\n\n\u003cbr\u003e\n\n\u003cp align=\"right\"\u003e\u003ca href=\"#readme-top\"\u003e💡 (back to top)\u003c/a\u003e\u003c/p\u003e\n\n\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif\" width= \"300000\" alt=\"Harden-Windows-Security is a PowerShell module\"\u003e\n\n## Hardening Categories\u003ca href=\"#hardening-categories\"\u003e![HardeningCategoriesIcon](https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/HardeningCategories.png)\u003c/a\u003e\n\n\u003ca name=\"menu-back-to-top\"\u003e\u003c/a\u003e\nFrom Top to bottom in order:\n\n* Commands that require Administrator Privileges (click/tap on each of these to see in-depth info)\n    - \u003ca href=\"#microsoft-security-baselines\"\u003eMicrosoft Security Baselines\u003c/a\u003e\n    - \u003ca href=\"#microsoft-365-apps-security-baselines\"\u003eMicrosoft 365 Apps Security Baselines\u003c/a\u003e\n    - \u003ca href=\"#microsoft-defender\"\u003eMicrosoft Defender\u003c/a\u003e\n    - \u003ca href=\"#attack-surface-reduction-rules\"\u003eAttack surface reduction rules\u003c/a\u003e\n    - \u003ca href=\"#bitlocker-settings\"\u003eBitlocker Settings\u003c/a\u003e\n    - \u003ca href=\"#tls-security\"\u003eTLS Security\u003c/a\u003e\n    - \u003ca href=\"#lock-screen\"\u003eLock Screen\u003c/a\u003e\n    - \u003ca href=\"#user-account-control\"\u003eUAC (User Account Control)\u003c/a\u003e\n    - \u003ca href=\"#windows-firewall\"\u003eWindows Firewall\u003c/a\u003e\n    - \u003ca 
href=\"#optional-windows-features\"\u003eOptional Windows Features\u003c/a\u003e\n    - \u003ca href=\"#windows-networking\"\u003eWindows Networking\u003c/a\u003e\n    - \u003ca href=\"#miscellaneous-configurations\"\u003eMiscellaneous Configurations\u003c/a\u003e\n    - \u003ca href=\"#windows-update-configurations\"\u003eWindows Update configurations\u003c/a\u003e\n    - \u003ca href=\"#edge-browser-configurations\"\u003eEdge Browser configurations\u003c/a\u003e\n    - \u003ca href=\"#certificate-checking-commands\"\u003eCertificate Checking Commands\u003c/a\u003e\n    - \u003ca href=\"#country-ip-blocking\"\u003eCountry IP Blocking\u003c/a\u003e\n    - \u003ca href=\"#downloads-defense-measures-\"\u003eDownloads Defense Measures \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/PNG%20and%20JPG/New.png\" alt=\"New Label\" width=\"25\"\u003e\u003c/a\u003e\n\n* Commands that don't require Administrator Privileges\n    - \u003ca href=\"#non-admin-commands\"\u003eNon-Admin Commands\u003c/a\u003e\n\n\u003cbr\u003e\n\n\u003cbr\u003e\n\n\u003cdiv align=\"center\"\u003e\n\n| Indicator| Description                   |\n|:--------:|:-----------------------------:|\n| \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/magenta-verification.gif\" width=\"25\" alt=\"Rotating pink checkmark denoting registry or cmdlet\"\u003e | Security measure is applied using PowerShell cmdlets or Registry |\n| \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e | Security measure is applied using Group Policies |\n| \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"25\" alt=\"Rotating green checkmark denoting CSP\"\u003e | 
[CSP](https://learn.microsoft.com/en-us/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) for the security measure |\n| \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/discord-verify-gradient.gif\" width=\"25\" alt=\"Rotating green checkmark denoting Subcategory\"\u003e | Sub-category - prompts for additional confirmation |\n\n\u003c/div\u003e\n\n\u003cp align=\"right\"\u003e\u003ca href=\"#readme-top\"\u003e💡 (back to top)\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e\n\n\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif\" width= \"300000\" alt=\"horizontal super thin rainbow RGB line\"\u003e\n\n\u003cbr\u003e\n\n## Microsoft Security Baselines\u003ca href=\"#microsoft-security-baselines\"\u003e![MicrosoftSecurityBaseline](https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Microsoft-Security-Baseline.png)\u003c/a\u003e\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/d6960a261913f979526c0fac7901effa4b72d813/Pictures/Readme%20Categories/Microsoft%20Security%20Baselines/Microsoft%20Security%20Baselines.svg\" alt=\"Microsoft Security Baselines - Harden Windows Security\" width=\"550\"\u003e\u003c/p\u003e\n\n\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e A security baseline is a group of Microsoft-recommended configuration settings that explains their security implications. 
These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.\n\n[Continue reading in the official documentation](https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines#what-are-security-baselines)\n\n[Optional Overrides for Microsoft Security Baselines](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Overrides-for-Microsoft-Security-Baseline)\n\n\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e **Highly recommended** to apply these overrides, the module will ask you whether you want to apply them or not. Use Optional Overrides when applying the hardening measures on Azure VMs.\n\n\u003cp align=\"right\"\u003e\u003ca href=\"#menu-back-to-top\"\u003e💡 (back to categories)\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e\n\n\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif\" width= \"300000\" alt=\"horizontal super thin rainbow RGB line\"\u003e\n\n\u003cbr\u003e\n\n## Microsoft 365 Apps Security Baselines\u003ca href=\"#microsoft-365-apps-security-baselines\"\u003e![Microsoft365AppsSecurityBaselines](https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Microsoft-365-Apps-Security-Baselines.png)\u003c/a\u003e\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Readme%20Categories/Microsoft%20365%20Apps%20Security%20Baselines/Microsoft%20365%20Apps%20Security%20Baselines.png\" alt=\"Microsoft 365 Apps Security Baselines - Harden Windows Security GitHub repository\" width=\"550\"\u003e\u003c/p\u003e\n\n\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue 
Check mark denoting Group Policy\"\u003e The security baseline for Microsoft 365 Apps for enterprise is published twice a year, usually in June and December.\n\n[More info in Microsoft Learn](https://learn.microsoft.com/en-us/deployoffice/security/security-baseline)\n\n[Microsoft Security Baselines Version Matrix](https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines#version-matrix)\n\n\u003cp align=\"right\"\u003e\u003ca href=\"#menu-back-to-top\"\u003e💡 (back to categories)\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e\n\n\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif\" width= \"300000\" alt=\"horizontal super thin rainbow RGB line\"\u003e\n\n\u003cbr\u003e\n\n## Microsoft Defender\u003ca href=\"#microsoft-defender\"\u003e![WindowsDefenderIcon](https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/WindowsDefender.png)\u003c/a\u003e\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/d6960a261913f979526c0fac7901effa4b72d813/Pictures/Readme%20Categories/Microsoft%20Defender/Microsoft%20Defender.svg\" alt=\"Microsoft Defender Cloud Protection features and abilities\" width=\"450\"\u003e\u003c/p\u003e\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e Enables **additional** security features of Microsoft Defender, You can refer to [this official document](https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps) for full details. 
\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender)\n\n    - [Performance analyzer for Microsoft Defender Antivirus](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e The module makes sure [Cloud Security Scan](https://support.microsoft.com/en-us/topic/what-is-a-cloud-security-scan-75112696-7660-4450-9194-d717f72a8ad8) and [Block At First Sight](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?view=o365-worldwide#turn-on-block-at-first-sight-with-group-policy) are enabled to the highest possible security states available, **Zero Tolerance Cloud Block level**. You need to be aware that this means actions like downloading and opening an unknown file **will** make Microsoft Defender send samples of it to the Cloud for more advanced analysis and it can take a maximum of 60 seconds (this module sets it to max) from the time you try to open that unknown file to the time when it will be opened (if deemed safe), so you will have to wait. All of these security measures are in place by default in Windows to some extent and happen automatically, but this module **maxes them out and sets them to the highest possible levels**. 
\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#cloudblocklevel) \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#cloudextendedtimeout)\n\n    - Here is an example of the notification you will see in Windows 11 if that happens.\n\n    \u003cp align=\"center\"\u003e\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Windows%20Security%20Cloud%20Analysis.png\" alt=\"Windows Security Cloud Scan Notification\" width=\"200\"\u003e\u003c/p\u003e\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e Enables file hash computation; [designed](https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps#-enablefilehashcomputation) to allow admins to force the anti-malware solution to \"compute file hashes for every executable file that is scanned if it wasn't previously computed\" to \"improve blocking for custom indicators in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)\". 
\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#mpengine_enablefilehashcomputation)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e Clears Quarantined items after 1 day instead of the default behavior of keeping them indefinitely. \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#quarantine_purgeitemsafterdelay)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e Allows Microsoft Defender to download security updates even on a metered connection. 
\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp?WT.mc_id=Portal-fx#configurationmeteredconnectionupdates)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e Enables [Microsoft Defender](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus?view=o365-worldwide#settings-and-locations) to scan mapped network drives, network files, [reparse points](https://learn.microsoft.com/en-us/windows/win32/fileio/reparse-points), Emails and removable drives during a full scan. \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#allowemailscanning) \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#allowfullscanonmappednetworkdrives) \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#allowfullscanremovabledrivescanning) \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e 
[CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#scan_disablereparsepointscanning) \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#allowscanningnetworkfiles)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e Sets the Signature Update Interval to every 3 hours instead of automatically. \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#signatureupdateinterval)\n\n    - [Change logs for security intelligence updates](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes)\n\n    - [Configure and validate Microsoft Defender Antivirus network connections](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus?view=o365-worldwide)\n\n    - [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates)\n\n    - [Microsoft Safety Scanner](https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/safety-scanner-download?view=o365-worldwide)\n\n    - Paste the following PowerShell code to retrieve the latest available online versions of the Platform, Signatures, and Engine for Microsoft Defender\n  -\n    ```powershell\n    # Query Microsoft's update info endpoint; the response is XML, which Invoke-RestMethod parses automatically\n    $X = Invoke-RestMethod -Uri \"https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info\"\n    @{Engine = $X.versions.engine; 
Signatures = $X.versions.signatures.'#text'; Platform = $X.versions.platform} | Format-Table -AutoSize\n    ```\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e Forces Microsoft Defender to check for new virus and spyware definitions before it runs a scan. \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#checkforsignaturesbeforerunningscan)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e Makes Microsoft Defender run [catch-up scans](https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps#-disablecatchupquickscan) for scheduled quick scans. A computer can miss a scheduled scan, usually because the computer is off at the scheduled time, but now after the computer misses two scheduled quick scans, Microsoft Defender runs a catch-up scan the next time someone logs onto the computer. 
\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#disablecatchupquickscan)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e Enables [Network Protection of Microsoft Defender](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide) \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#enablenetworkprotection)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/magenta-verification.gif\" width=\"25\" alt=\"Rotating pink checkmark denoting registry or cmdlet\"\u003e Enables [scanning of restore points](https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference#-disablerestorepoint) \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#scan_disablerestorepoint)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/magenta-verification.gif\" width=\"25\" alt=\"Rotating pink checkmark denoting registry or cmdlet\"\u003e Makes sure [Async Inspection for Network protection](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide#optimizing-network-protection-performance) of 
Microsoft Defender is turned on - Network protection now has a performance optimization that allows Block mode to start asynchronously inspecting long connections after they're validated and allowed by SmartScreen, which might provide a potential reduction in the cost that inspection has on bandwidth and can also help with app compatibility problems. \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp?WT.mc_id=Portal-fx#configurationallowswitchtoasyncinspection)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/magenta-verification.gif\" width=\"25\" alt=\"Rotating pink checkmark denoting registry or cmdlet\"\u003e \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/discord-verify-gradient.gif\" width=\"25\" alt=\"Rotating green checkmark denoting Subcategory\"\u003e Enables [Smart App Control](https://support.microsoft.com/en-us/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) (*if it's in Evaluation mode*): adds significant protection from new and emerging threats by blocking apps that are malicious or untrusted. Smart App Control also helps to block potentially unwanted apps, which are apps that may cause your device to run slowly, display unexpected ads, offer extra software you didn't want, or do other things you don't expect.\n\n    - Smart App Control is User-Mode (and enforces Kernel-Mode) [Windows Defender Application Control policy (WDAC)](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-design-guide), **more info** [**in the Wiki**](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Introduction). 
You can see its status in [System Information](https://support.microsoft.com/en-us/windows/view-your-system-info-a965a8f2-0773-1d65-472a-1e747c9ebe00) and enable it manually from Microsoft Defender app's GUI. It is very important for Windows and Windows Defender intelligence updates to be always up-to-date in order for Smart App Control to work properly as it relies on live intelligence and definition data from the cloud and other sources to make a Smart decision about programs and files it encounters.\n\n    - Smart App Control uses [ISG (Intelligent Security Graph)](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/use-wdac-with-intelligent-security-graph#how-does-wdac-work-with-the-isg). The ISG isn't a \"list\" of apps. Rather, it uses the same vast security intelligence and machine learning analytics that power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having \"known good\", \"known bad\", or \"unknown\" reputation. This cloud-based AI is based on trillions of signals collected from Windows endpoints and other data sources and processed every 24 hours. As a result, the decision from the cloud can change.\n\n    - [Smart App Control](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/wdac#wdac-and-smart-app-control) can block a program entirely from running or only [some parts of it](https://support.microsoft.com/en-us/topic/smart-app-control-has-blocked-part-of-this-app-0729fff1-48bf-4b25-aa97-632fe55ccca2) in which case your app or program will continue working just fine most of the time. It's improved a lot since it was introduced, and it continues doing so. 
Consider turning it on after clean installing a new OS and fully updating it.\n\n    - Smart App Control enforces the [Microsoft Recommended Driver Block rules](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules) and the [Microsoft Recommended Block Rules](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac)\n\n    - Once you turn Smart App Control off, it can't be turned on without resetting or reinstalling Windows.\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/discord-verify-gradient.gif\" width=\"25\" alt=\"Rotating green checkmark denoting Subcategory\"\u003e Enables [\"Send optional diagnostic data\"](https://learn.microsoft.com/en-us/windows/privacy/windows-diagnostic-data) because [it](https://learn.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization) is [required for Smart App Control](https://support.microsoft.com/en-us/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) **to operate when it's in evaluation mode or turned on, and for communication with [Intelligent Security Graph (ISG)](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/use-wdac-with-intelligent-security-graph).** You won't see this prompt if Smart App Control is already turned on (this setting will be applied), turned off (this setting will be skipped) or you choose to enable it in the previous step (this setting will be applied). 
\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#allowtelemetry)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e Enables [Controlled Folder Access](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-controlled-folders). It [helps protect your valuable data](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/controlled-folders) from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Due to the recent wave of global ransomware attacks, it is important to use this feature to protect your valuable files, especially OneDrive folders. \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#enablecontrolledfolderaccess)\n\n    - If it blocks a program from accessing one of the folders it protects, and you absolutely trust that program, then you can add it to the exclusion list using the Microsoft Defender GUI or PowerShell. You can also query the list of allowed apps using PowerShell (commands below). 
With these commands, you can back up your personalized list of allowed apps that are relevant to your system and restore them in case you clean install Windows.\n    - \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/magenta-verification.gif\" width=\"25\" alt=\"Rotating pink checkmark denoting registry or cmdlet\"\u003e The module adds the root of the OneDrive folders of all user accounts present to the protected folders list of Controlled Folder Access, to provide Ransomware protection for the entire OneDrive folder. \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#controlledfolderaccessprotectedfolders)\n\n  -\n    ```powershell\n    # Add multiple programs to the exclusion list of Controlled Folder Access\n    Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\\Program Files\\App\\app.exe','C:\\Program Files\\App2\\app2.exe'\n    ```\n\n  -\n    ```powershell\n    # Get the list of all allowed apps\n    (Get-MpPreference).ControlledFolderAccessAllowedApplications\n    ```\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/magenta-verification.gif\" width=\"25\" alt=\"Rotating pink checkmark denoting registry or cmdlet\"\u003e Enables [Mandatory ASLR](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-exploit-protection?view=o365-worldwide). *It might cause compatibility issues* only for some **poorly-made 3rd party programs**, especially portable ones. 
\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-exploitguard)\n\n    - Automatically detects and excludes the Git executables of GitHub Desktop and Git (Standalone version) from mandatory ASLR if they are installed on the system. [More info here](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Git-GitHub-Desktop-and-Mandatory-ASLR)\n\n    - You can add Mandatory ASLR override for a trusted program using the PowerShell command below or in the Program Settings section of Exploit Protection in Microsoft Defender app.\n\n        - `Set-ProcessMitigation -Name \"C:\\TrustedApp.exe\" -Disable ForceRelocateImages`\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/magenta-verification.gif\" width=\"25\" alt=\"Rotating pink checkmark denoting registry or cmdlet\"\u003e Applies [Exploit Protections/Process Mitigations](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-exploit-protection) from [**this list**](https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Harden-Windows-Security%20Module/Main%20files/Resources/ProcessMitigations.csv) to the following programs: \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-exploitguard)\n\n    - All channels of [Microsoft Edge](https://www.microsoft.com/en-us/edge) browser\n\n    - [Quick Assist](https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist) app\n\n    - Some System processes\n\n    - Microsoft 365 apps\n\n    - More apps and processes will be added to the list over time once they are properly 
validated to be fully compatible.\n\n    - Exploit Protection configurations are also accessible in XML format [within this repository](https://github.com/HotCakeX/Harden-Windows-Security/tree/main/Intune%20Files/Hardening%20Policies/Exploit%20Protections). When implementing exploit protections using an XML file, the existing exploit mitigations will seamlessly integrate rather than being overwritten. Should there be pre-existing exploit protections applied to an executable on the system, and the XML file specifies different mitigations for the same executable, these protections will be merged and applied collectively.\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/magenta-verification.gif\" width=\"25\" alt=\"Rotating pink checkmark denoting registry or cmdlet\"\u003e [Turns on Data Execution Prevention](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set) (DEP) for all applications, including 32-bit programs. By default, the output of `BCDEdit /enum \"{current}\"` (in PowerShell) for the NX bit is `OptIn`, but this module sets it to `AlwaysOn`.\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e Checks for the latest virus and spyware security intelligence on startup. 
\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#signatureupdate_updateonstartup)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e Sets the maximum depth for scanning archive files to the maximum possible value of `4,294,967,295` \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#scan_archivemaxdepth)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e [Defines the maximum size of downloaded files and attachments to be scanned](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus?view=o365-worldwide) and sets it to the maximum possible value of `10,000,000 KB` or `10 GB`. 
[The default is](https://github.com/MicrosoftDocs/microsoft-365-docs/pull/5600) `20480 KB` or `~20MB` \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#realtimeprotection_ioavmaxsize)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e Enables automatic data collection (formerly known as Capture Threat Window) of [Enhanced Phishing Protection](https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection) in Microsoft Defender SmartScreen for security analysis from a suspicious website or app. \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-webthreatdefense#automaticdatacollection)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/magenta-verification.gif\" width=\"25\" alt=\"Rotating pink checkmark denoting registry or cmdlet\"\u003e \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/discord-verify-gradient.gif\" width=\"25\" alt=\"Rotating green checkmark denoting Subcategory\"\u003e [Creates a scheduled task for fast weekly Microsoft recommended driver block list updates](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Fast-and-Automatic-Microsoft-Recommended-Driver-Block-Rules-updates). 
You won't see this prompt if the task already exists and is enabled or running.\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/magenta-verification.gif\" width=\"25\" alt=\"Rotating pink checkmark denoting registry or cmdlet\"\u003e \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/discord-verify-gradient.gif\" width=\"25\" alt=\"Rotating green checkmark denoting Subcategory\"\u003e Set Microsoft [Defender engine](https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference#-engineupdateschannel) and [platform update channel](https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference#-platformupdateschannel) to beta. \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp?WT.mc_id=Portal-fx#configurationengineupdateschannel) \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp?WT.mc_id=Portal-fx#configurationplatformupdateschannel)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e [Defines the number of days before spyware and virus security intelligence definitions](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-outdated-endpoints-microsoft-defender-antivirus?view=o365-worldwide#use-group-policy-to-specify-the-number-of-days-before-protection-is-considered-out-of-date) are considered out of date to 2 days, instead of the default 7 days. 
\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#signatureupdate_assignaturedue)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e Sets the [default action](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-remediation-microsoft-defender-antivirus) for Severe and High threat levels to Remove, for Medium and Low threat levels to Quarantine. \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#threats_threatiddefaultaction)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/magenta-verification.gif\" width=\"25\" alt=\"Rotating pink checkmark denoting registry or cmdlet\"\u003e Configures real-time protection and Security Intelligence Updates to be enabled during OOBE. 
\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configurationoobeenablertpandsigupdate)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/magenta-verification.gif\" width=\"25\" alt=\"Rotating pink checkmark denoting registry or cmdlet\"\u003e Enables the [Intel TDT](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/defending-against-ransomware-with-microsoft-defender-for/ba-p/3243941) (Intel® Threat Detection Technology) integration with Microsoft Defender. \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configurationinteltdtenabled)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/magenta-verification.gif\" width=\"25\" alt=\"Rotating pink checkmark denoting registry or cmdlet\"\u003e Disables [Performance Mode](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-antivirus-performance-mode) - [Security risks in relation to Dev Drive](https://learn.microsoft.com/en-us/windows/dev-drive/#understanding-security-risks-and-trust-in-relation-to-dev-drive) \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp?WT.mc_id=Portal-fx#configurationperformancemodestatus)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/magenta-verification.gif\" width=\"25\" 
alt=\"Rotating pink checkmark denoting registry or cmdlet\"\u003e Enables a network protection setting that blocks malicious network traffic instead of displaying a warning. \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configurationenableconvertwarntoblock)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/magenta-verification.gif\" width=\"25\" alt=\"Rotating pink checkmark denoting registry or cmdlet\"\u003e Configures the Brute-Force Protection to use cloud aggregation to block IP addresses that are over 99% likely malicious \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configurationbehavioralnetworkblocksbruteforceprotectionbruteforceprotectionaggressiveness)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/magenta-verification.gif\" width=\"25\" alt=\"Rotating pink checkmark denoting registry or cmdlet\"\u003e Configures the Brute-Force Protection to detect and block attempts to forcibly sign in and initiate sessions \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configurationbehavioralnetworkblocksbruteforceprotectionbruteforceprotectionconfiguredstate)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/magenta-verification.gif\" width=\"25\" alt=\"Rotating pink checkmark denoting registry or cmdlet\"\u003e Sets 
the internal feature logic to determine blocking time for the Brute-Force Protections \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configurationbehavioralnetworkblocksbruteforceprotectionbruteforceprotectionmaxblocktime)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/magenta-verification.gif\" width=\"25\" alt=\"Rotating pink checkmark denoting registry or cmdlet\"\u003e Configures the Remote Encryption Protection to use cloud intel and context, and block when confidence level is above 90%. \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configurationbehavioralnetworkblocksremoteencryptionprotectionremoteencryptionprotectionaggressiveness)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/magenta-verification.gif\" width=\"25\" alt=\"Rotating pink checkmark denoting registry or cmdlet\"\u003e Configures the Remote Encryption Protection to detect and block attempts to replace local files with encrypted versions from another device \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configurationbehavioralnetworkblocksremoteencryptionprotectionremoteencryptionprotectionconfiguredstate)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/magenta-verification.gif\" width=\"25\" alt=\"Rotating pink checkmark denoting registry or 
cmdlet\"\u003e Sets the internal feature logic to determine blocking time for the Remote Encryption Protection \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configurationbehavioralnetworkblocksremoteencryptionprotectionremoteencryptionprotectionmaxblocktime)\n\n\u003cp align=\"right\"\u003e\u003ca href=\"#menu-back-to-top\"\u003e💡 (back to categories)\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e\n\n\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif\" width= \"300000\" alt=\"horizontal super thin rainbow RGB line\"\u003e\n\n\u003cbr\u003e\n\n## Attack surface reduction rules\u003ca href=\"#attack-surface-reduction-rules\"\u003e![ASRrulesIcon](https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/ASRrules.png)\u003c/a\u003e\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/0180bc6ace1ea086653cc405f142d1aada424150/Pictures/Readme%20Categories/Attack%20Surface%20Reduction/Attack%20Surface%20Reduction.svg\" alt=\"Attack surface reduction rules - Harden Windows Security GitHub repository\" width=\"550\"\u003e\u003c/p\u003e\n\n\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e [Reducing your attack surface](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction) means protecting your devices and network, which leaves attackers with fewer ways to perform attacks. 
Configuring attack surface reduction rules in Windows can help!\n\n\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e [Attack surface reduction rules](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide) target certain software behaviors, such as: \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#attacksurfacereductionrules)\n\n* Launching executable files and scripts that attempt to download or run files\n* Running obfuscated or otherwise suspicious scripts\n* Performing behaviors that apps don't usually initiate during normal day-to-day work\n\nSuch software behaviors are sometimes seen in legitimate applications. However, these behaviors are often considered risky because they are commonly abused by attackers through malware. 
Attack surface reduction rules can constrain software-based risky behaviors and help keep your organization safe.\n\n\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e This module enables [all 19 available Attack Surface Reduction rules shown in the official chart](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#asr-rule-to-guid-matrix).\n\n\u003cp align=\"right\"\u003e\u003ca href=\"#menu-back-to-top\"\u003e💡 (back to categories)\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e\n\n\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif\" width= \"300000\" alt=\"horizontal super thin rainbow RGB line\"\u003e\n\n\u003cbr\u003e\n\n## Bitlocker Settings\u003ca href=\"#bitlocker-settings\"\u003e![BitlockerIcon](https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Bitlocker.png)\u003c/a\u003e\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/0180bc6ace1ea086653cc405f142d1aada424150/Pictures/Readme%20Categories/BitLocker%20Settings/BitLocker%20Settings.svg\" alt=\"Bitlocker Settings - Harden Windows Security\" width=\"550\"\u003e\u003c/p\u003e\n\n\u003cbr\u003e\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/magenta-verification.gif\" width=\"25\" alt=\"Rotating pink checkmark denoting registry or cmdlet\"\u003e\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e The module sets up and configures Bitlocker [using official documentation](https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings), with the most secure 
configuration and military-grade encryption algorithm, XTS-AES-256, to protect the confidentiality and integrity of all information at rest. \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#encryptionmethodbydrivetype) \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesrequirestartupauthentication)\n\n    - It offers 2 security levels for OS drive encryption: **Enhanced** and **Normal**.\n\n    - At the **Normal** security level, the OS drive is encrypted with the TPM and a Startup PIN. This provides very high security for your data, especially with a PIN that's long, complex (uppercase and lowercase letters, symbols, numbers, spaces) and isn't the same as your Windows Hello PIN.\n\n    - At the **Enhanced** security level, the OS drive is encrypted with the TPM, a Startup PIN and a Startup key. This provides the highest level of protection by offering multifactor authentication: you will need to enter your PIN and also plug a flash drive containing a special BitLocker key into your device in order to unlock it. [Continue reading more about it here](https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/countermeasures#preboot-authentication).\n\n    - Once the OS drive is encrypted, you will be prompted for confirmation before each non-OS drive is encrypted. That encryption uses the same algorithm as the OS drive and the [Auto-unlock key protector](https://learn.microsoft.com/en-us/powershell/module/bitlocker/enable-bitlockerautounlock). 
Removable flash drives are skipped.\n\n    - The recovery information of all of the drives is saved in a single well-formatted text file in the root of the OS drive, `C:\\BitLocker-Recovery-Info-All-Drives.txt`. It's **very important to copy it to a safe and reachable place as soon as possible, e.g., OneDrive's Personal Vault, which requires additional authentication to access.** See [here](https://www.microsoft.com/en-us/microsoft-365/onedrive/personal-vault) and [here](https://support.microsoft.com/en-us/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4) for more info. You can use it to unlock your drives if you ever forget your PIN, lose your Startup key (USB flash drive) or the TPM no longer has the correct authorization (e.g., after a firmware change).\n\n    - The TPM has [special anti-hammering logic](https://learn.microsoft.com/en-us/windows/security/information-protection/tpm/tpm-fundamentals) which prevents a malicious user from guessing the authorization data indefinitely. [Microsoft defines the maximum number of failed attempts](https://learn.microsoft.com/en-us/archive/blogs/dubaisec/tpm-lockout) in Windows as 32, and every failed attempt is forgotten after 2 hours. This means that every continuous two hours of powered-on (and successfully booted) operation without an event that increases the counter will cause the counter to decrease by 1. 
You can view all the details using this [PowerShell command](https://learn.microsoft.com/en-us/powershell/module/trustedplatformmodule/get-tpm): `Get-TPM`.\n\n    - Check out the \u003ca href=\"#lock-screen\"\u003eLock Screen\u003c/a\u003e category for more info about the recovery password and the 2nd anti-hammering mechanism.\n\n    - BitLocker provides [real security](https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/countermeasures#attacker-with-skill-and-lengthy-physical-access) against theft of your device if you strictly abide by the following basic rules:\n\n        - As soon as you have finished working, either hibernate or shut Windows down and allow every trace of information to disappear from RAM within 2 minutes. **This practice is recommended in High-Risk Environments.**\n\n        - Do not mix 3rd-party encryption software and tools with Bitlocker. Bitlocker creates a secure end-to-end encrypted ecosystem for your device and its peripherals; this ecosystem is backed by software, Virtualization Technology, TPM 2.0 and UEFI firmware, and Bitlocker protects your data and your entire device against **real-life attacks and threats**. 
You can encrypt your external SSDs and flash drives with Bitlocker too.\n\n\u003cbr\u003e\n\n\u003e [!IMPORTANT]\\\n\u003e [AMD Zen 2 and 3 CPUs have a vulnerability in them](https://github.com/HotCakeX/Harden-Windows-Security/issues/63); if you use one of them, make sure your Bitlocker Startup PIN is at least 16 characters long [*(max is 20)*](https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings#configure-minimum-pin-length-for-startup).\n\n\u003cbr\u003e\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e Enables or disables [DMA protection from Bitlocker Countermeasures](https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-countermeasures#protecting-thunderbolt-and-other-dma-ports) based [on the status](https://github.com/MicrosoftDocs/windows-itpro-docs/issues/6878#issuecomment-742429128) of [Kernel DMA protection](https://learn.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt). Kernel DMA Protection is [not compatible](https://learn.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt#system-compatibility) with the other BitLocker DMA attack countermeasures. It is recommended to disable the BitLocker DMA attack countermeasures if the system supports Kernel DMA Protection (this module does exactly that). Kernel DMA Protection provides a higher security bar for the system than the BitLocker DMA attack countermeasures, while maintaining usability of external peripherals. You can check the status of Kernel DMA protection [using this official guide](https://learn.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt#how-to-check-if-kernel-dma-protection-is-enabled). 
\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-dataprotection#allowdirectmemoryaccess)\n\n    - [Kernel DMA Protection (Memory Access Protection) for OEMs](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-kernel-dma-protection) page shows the requirements for Kernel DMA Protection. for Intel CPUs, support for requirements such as VT-X and VT-D can be found in each CPU's respective product page. e.g. [Intel i7 13700K](https://ark.intel.com/content/www/us/en/ark/products/230500/intel-core-i713700k-processor-30m-cache-up-to-5-40-ghz.html)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e Disallows standard (non-Administrator) users from changing the Bitlocker Startup PIN or password \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesdisallowstandarduserscanchangepin)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e [Requires you to choose a PIN that contains at least 10 characters](https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#configure-minimum-pin-length-for-startup) \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e 
[CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesminimumpinlength)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e (Only on physical machines) Enables Hibernate and adds it to the Start menu's power options. \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-power#allowhibernate)\n\n    - Devices that support [Modern Standby](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/modern-standby) have the most security because the [(S1-S3) power states](https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/system-power-states), which belong to the [legacy sleep modes](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/modern-standby-vs-s3), are not available. In Modern Standby, security components remain vigilant and the OS stays protected. Applying Microsoft Security Baselines also automatically disables the legacy (S1-S3) sleep states.\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/magenta-verification.gif\" width=\"25\" alt=\"Rotating pink checkmark denoting registry or cmdlet\"\u003e [Sets Hibernate to full](https://learn.microsoft.com/en-us/windows/win32/power/system-power-states#hibernation-file-types)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e Enables network connectivity in standby on Modern Standby-capable systems. This ensures security updates for Microsoft Defender and Windows will be installed automatically. 
\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-power#acconnectivityinstandby_2)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e [Disallows access to Bitlocker-protected removable data drives from earlier versions of Windows.](https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#allow-access-to-bitlocker-protected-removable-data-drives-from-earlier-versions-of-windows)\n\nRefer to this [official documentation about the countermeasures of Bitlocker](https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-countermeasures)\n\n\u003cp align=\"right\"\u003e\u003ca href=\"#menu-back-to-top\"\u003e💡 (back to categories)\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e\n\n\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif\" width= \"300000\" alt=\"horizontal super thin rainbow RGB line\"\u003e\n\n\u003cbr\u003e\n\n## TLS Security\u003ca href=\"#tls-security\"\u003e![TLSIcon](https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/TLS.png)\u003c/a\u003e\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/0180bc6ace1ea086653cc405f142d1aada424150/Pictures/Readme%20Categories/TLS%20Security/TLS%20Security.svg\" alt=\"TLS Security - Harden Windows Security repository GitHub\" width=\"550\"\u003e\u003c/p\u003e\n\n\u003cbr\u003e\n\nChanges made by this category only affect things that use [Schannel SSP](https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-): that includes IIS web 
server, built-in inbox Windows apps and some other programs supplied by Microsoft, including Windows network communications, but not 3rd-party software that uses [portable stacks](https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations#Portability_concerns) like Java, nodejs, python or php.\n\nIf you want to read more: [Demystifying Schannel](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/demystifying-schannel/ba-p/259233)\n\n\u003e [!NOTE]\\\n\u003e The only [known](https://github.com/HotCakeX/Harden-Windows-Security/issues/38) program incompatible with this category is the Battle.net game client.\n\n\u003cbr\u003e\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/magenta-verification.gif\" width=\"25\" alt=\"Rotating pink checkmark denoting registry or cmdlet\"\u003e Disables the TLS 1.0 and TLS 1.1 protocols, which only **exist for backward compatibility**. All modern software should, and does, use `TLS 1.2` and `TLS 1.3`. 
\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionclient) \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionserver)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/magenta-verification.gif\" width=\"25\" alt=\"Rotating pink checkmark denoting registry or cmdlet\"\u003e Disables [MD5 Hashing Algorithm](https://security.stackexchange.com/questions/52461/how-weak-is-md5-as-a-password-hashing-function) that is **only available for backward compatibility**\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/magenta-verification.gif\" width=\"25\" alt=\"Rotating pink checkmark denoting registry or cmdlet\"\u003e Disables the following [weak ciphers](https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices) that are **only available for backward compatibility**: `\"DES 56-bit\"`,`\"RC2 40-bit\"`,`\"RC2 56-bit\"`,`\"RC2 128-bit\"`,`\"RC4 40-bit\"`,`\"RC4 56-bit\"`,`\"RC4 64-bit\"`,`\"RC4 128-bit\"`,`\"3DES 168-bit (Triple DES 168)\"`\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e Configures the [TLS](https://www.ncsc.gov.uk/guidance/using-tls-to-protect-data) to only use the [following](https://developers.cloudflare.com/ssl/reference/cipher-suites/recommendations/) secure [cipher 
suites](https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-11) and in this [exact](https://scanigma.com/knowledge-base) order: \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#tlsciphersuites)\n\n```\nTLS_CHACHA20_POLY1305_SHA256\nTLS_AES_256_GCM_SHA384\nTLS_AES_128_GCM_SHA256\nTLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\nTLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\nTLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\nTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\nTLS_DHE_RSA_WITH_AES_256_GCM_SHA384\nTLS_DHE_RSA_WITH_AES_128_GCM_SHA256\n```\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e [Configures](https://learn.microsoft.com/en-us/windows-server/security/tls/manage-tls) TLS ECC Curves to [use the following](https://github.com/HotCakeX/Harden-Windows-Security/commit/5b5be1fcab8f7bf5d364f48459aecfc54c6eff9d#commitcomment-115982586) prioritized Curves order: \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#configureellipticcurvecryptography)\n\n```\nnistP521\ncurve25519\nNistP384\nNistP256\n```\n\n* By default, [in Windows](https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-elliptic-curves-in-windows-10-1607-and-later), the order is this:\n\n```\ncurve25519\nNistP256\nNistP384\n```\n\n*[Read more in this Wiki post](https://github.com/HotCakeX/Harden-Windows-Security/wiki/About-TLS,-DNS,-Encryption-and-OPSEC-concepts)*\n\n\u003cp align=\"right\"\u003e\u003ca 
href=\"#menu-back-to-top\"\u003e💡 (back to categories)\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e\n\n\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif\" width= \"300000\" alt=\"horizontal super thin rainbow RGB line\"\u003e\n\n\u003cbr\u003e\n\n## Lock Screen\u003ca href=\"#lock-screen\"\u003e![LockScreenIcon](https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/LockScreen.png)\u003c/a\u003e\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/d6960a261913f979526c0fac7901effa4b72d813/Pictures/Readme%20Categories/Lock%20Screen/Lock%20Screen.svg\" alt=\"An AI generated picture of a girl working in a server farm in Lock Screen Category\" width=\"550\"\u003e\u003c/p\u003e\n\n\u003cbr\u003e\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e [Automatically locks device after X seconds of inactivity](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit) (just like mobile phones), which is set to 120 seconds (2 minutes) in this module, you can change that to any value you like. 
\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#interactivelogon_machineinactivitylimit)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/discord-verify-gradient.gif\" width=\"25\" alt=\"Rotating green checkmark denoting Subcategory\"\u003e [Requires **CTRL+ALT+DEL** on the lock screen](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del), kernel protected set of key strokes. The reason and logic behind it is: \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#interactivelogon_donotrequirectrlaltdel)\n\n    - A malicious user might install malware that looks like the standard sign-in dialog box for the Windows operating system and capture a user's password. 
The attacker can then sign in to the compromised account with whatever level of user rights that user has.\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e Enables [a security anti-hammering feature](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold) that sets a threshold of **5** for the number of failed sign-in attempts that causes the device to be locked by using BitLocker. Sign-in attempts include Windows password or Windows Hello authentication methods. This threshold means that if the specified maximum number of failed sign-in attempts is exceeded, the device will invalidate the Trusted Platform Module (TPM) protector and any other protector except the 48-digit recovery password, and then reboot. During Device Lockout mode, the computer or device only boots into the touch-enabled Windows Recovery Environment (WinRE) until an authorized user enters the recovery password to restore full access.\n\n    - This module (\u003ca href=\"#bitlocker-settings\"\u003ein the Bitlocker category\u003c/a\u003e) automatically saves the 48-digit recovery password of each drive to a text file; the file's location is also printed to the PowerShell console when you run the module. It is **very important to keep it in a safe and reachable place, e.g. in OneDrive's Personal Vault, which requires authentication to access. 
See [here](https://www.microsoft.com/en-us/microsoft-365/onedrive/personal-vault) and [here](https://support.microsoft.com/en-us/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4) for more info about OneDrive's Personal Vault**\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e Configures account lockout policy: [Account lockout threshold](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-threshold) sets the number of allowed failed sign-in attempts to **5**. In combination with the other policies in this category, this means that after every 5 failed sign-in attempts a full day must pass before 5 more attempts can be made; otherwise Bitlocker will engage, the system will be restarted and the 48-digit Bitlocker recovery password will be required. **This policy greatly impedes brute-force attempts.** \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-devicelock#accountlockoutpolicy)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e Configures account lockout policy: Sets [Account lockout duration](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-duration) to **1440 minutes or 1 day**. In combination with the other policies in this category, this means that after every 5 failed sign-in attempts a full day must pass before 5 more attempts can be made; otherwise Bitlocker will engage, the system will be restarted and the 48-digit Bitlocker recovery password will be required. 
\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-devicelock#accountlockoutpolicy)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e Configures account lockout policy: Sets [Reset account lockout counter](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after) to **1440 minutes or 1 day**. In combination with other policies in this category, this means every 5 failed sign-in attempts will need a full day to pass before 5 more attempts can be made, otherwise Bitlocker will engage, system will be restarted and 48-digit Bitlocker code will be asked. \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-devicelock#accountlockoutpolicy)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e [Hides email address of the Microsoft account on lock screen](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked), if your device is in a trusted place like at home then this isn't necessary.\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e [Don't display username at 
sign-in](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in); If a user signs in as Other user, the full name of the user isn't displayed during sign-in. In the same context, if users type their email address and password at the sign-in screen and press Enter, the displayed text \"Other user\" remains unchanged, and is no longer replaced by the user's first and last name, as in previous versions of Windows 10. Additionally, if users enter their domain user name and password and click Submit, their full name isn't shown until the Start screen displays. \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#interactivelogon_donotdisplayusernameatsignin)\n\n    - [Useful](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in#best-practices) If you have devices that store sensitive data, with monitors displayed in unsecured locations, or if you have devices with sensitive data that are remotely accessed, revealing logged on user's full names or domain account names\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/discord-verify-gradient.gif\" width=\"25\" alt=\"Rotating green checkmark denoting Subcategory\"\u003e [Don't display last signed-in](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name); This security policy setting determines whether the name 
of the last user to sign in to the device is displayed on the Secure Desktop. If this policy is enabled, the full name of the last user to successfully sign in isn't displayed on the Secure Desktop, nor is the user's sign-in tile displayed. Additionally, if the Switch user feature is used, the full name and sign-in tile aren't displayed. The sign-in screen requests both Username + Windows Hello credentials. \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#interactivelogon_donotdisplaylastsignedin)\n\n    - This feature can be useful to enable if you live in *High-Risk Environments* and you don't want anyone to get any information about your accounts when you aren't logged in.\n\n    - This policy will prevent you from using the \"Forgot my PIN\" feature on the lock screen or logon screen. If you forget your PIN, you won't be able to recover it.\n\n    - If you use Windows Hello Face or Fingerprint, you can easily log in using those credential providers without needing to supply a username first.\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e [Don't Display Network Selection UI on Lock Screen](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowslogon#dontdisplaynetworkselectionui) (such as the Wi-Fi icon); This setting allows you to control whether anyone can interact with the available networks UI on the logon screen. Once enabled, the device's network connectivity state cannot be changed without signing into Windows. Suitable for *High-Risk Environments*. 
\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowslogon#dontdisplaynetworkselectionui)\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e Applies the following [PIN Complexity rules](https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-manage-in-organization#pin-complexity) to Windows Hello \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexity)\n\n    - [Must include digits](https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexitydigits) \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexitydigits)\n    - [Expires](https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexityexpiration) **every 180 days** (default behavior is to never expire) \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexityexpiration)\n    - 
[History](https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexityhistory) of the **3** most recent selected PINs is preserved to prevent the user from reusing them \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexityhistory)\n    - [Must include lower-case letters](https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexitylowercaseletters) \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexitylowercaseletters)\n\n\u003cp align=\"right\"\u003e\u003ca href=\"#menu-back-to-top\"\u003e💡 (back to categories)\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e\n\n\u003cimg src=\"https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif\" width= \"300000\" alt=\"horizontal super thin rainbow RGB line\"\u003e\n\n\u003cbr\u003e\n\n## User Account Control\u003ca href=\"#user-account-control\"\u003e![UACIcon](https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/UAC.png)\u003c/a\u003e\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/503f187e5e870b776d281808fc5574e49f212955/Pictures/Readme%20Categories/User%20Account%20Control/User%20Account%20Control.svg\" alt=\"User Account Control - Harden Windows Security\" width=\"550\"\u003e\u003c/p\u003e\n\n\u003cbr\u003e\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" 
width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e [Prompt for elevation of privilege on secure desktop for all binaries](https://learn.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) in [Administrator accounts](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/341747f5-6b5d-4d30-85fc-fa1cc04038d4), which presents the sign-in UI and restricts functionality and access to the system until the sign-in requirements are satisfied. The [secure desktop's](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation#reference) primary difference from the user desktop is that only trusted processes running as SYSTEM are allowed to run here (that is, nothing is running at the user's privilege level). The path to get to the secure desktop from the user desktop must also be trusted through the entire chain. \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif\" width=\"15\" alt=\"Rotating green checkmark denoting CSP\"\u003e [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#useraccountcontrol_behavioroftheelevationpromptforadministrators)\n\n    - **This is the default behavior:** prompt the administrator in Admin Approval Mode to select either \"Permit\" or \"Deny\" for an operation that requires elevation of privilege for any non-Windows binaries. If the Consent Admin selects Permit, the operation will continue with the highest available privilege. 
This operation will happen on the secure desktop.\n    - **This is the behavior that this module sets:** prompts the administrator in Admin Approval Mode to select either \"Permit\" or \"Deny\" for an operation that requires elevation of privilege. If the Consent Admin selects Permit, the operation will continue with the highest available privilege. \"Prompt for consent\" removes the inconvenience of requiring that users enter their name and password to perform a privileged task. This operation occurs on the secure desktop.\n\n- \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif\" width=\"25\" alt=\"Blue Check mark denoting Group Policy\"\u003e \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/discord-verify-gradient.gif\" width=\"25\" alt=\"Rotating green checkmark denoting Subcategory\"\u003e Only elevate executables that are signed and validated [by enforcing cryptographic signatures on any interactive application](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated) that requests elevation of privilege. One of the [Potential impacts](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated#potential-impact) of this setting is that it can prevent certain poorly designed programs from prompting for UAC. \u003cimg src=\"https://raw.githubusercontent.com/HotCakeX/.github/main/Picture","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FHotCakeX%2FHarden-Windows-Security","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FHotCakeX%2FHarden-Windows-Security","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FHotCakeX%2FHarden-Windows-Security/lists"}