{"id":13745557,"url":"https://github.com/troennes/private-secure-windows","last_synced_at":"2025-07-13T21:09:01.859Z","repository":{"id":46868921,"uuid":"514230122","full_name":"troennes/private-secure-windows","owner":"troennes","description":"Privacy and security baseline for personal Windows 10 and Windows 11","archived":false,"fork":false,"pushed_at":"2023-10-02T14:06:28.000Z","size":525,"stargazers_count":199,"open_issues_count":1,"forks_count":16,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-06-03T14:04:55.957Z","etag":null,"topics":["group-policy","hardening","privacy","security","security-hardening","windows","windows10","windows11"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/troennes.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2022-07-15T10:35:20.000Z","updated_at":"2025-06-01T10:21:49.000Z","dependencies_parsed_at":"2023-10-02T17:19:44.782Z","dependency_job_id":null,"html_url":"https://github.com/troennes/private-secure-windows","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/troennes/private-secure-windows","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/troennes%2Fprivate-secure-windows","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/troennes%2Fprivate-secure-windows/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/troennes%2Fprivate-secure-windows/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/Git
Hub/repositories/troennes%2Fprivate-secure-windows/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/troennes","download_url":"https://codeload.github.com/troennes/private-secure-windows/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/troennes%2Fprivate-secure-windows/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265205779,"owners_count":23727513,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["group-policy","hardening","privacy","security","security-hardening","windows","windows10","windows11"],"created_at":"2024-08-03T06:00:24.818Z","updated_at":"2025-07-13T21:09:01.826Z","avatar_url":"https://github.com/troennes.png","language":"PowerShell","funding_links":[],"categories":["Powershell and batch scripts"],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n    \u003cimg src=\"Media/logo.png\" height=auto width=500px\u003e\n\u003c/p\u003e\n\u003cp align=\"center\"\u003e\u003cb\u003ePrivacy and security baseline for personal Windows 10 and Windows 11\u003c/b\u003e\u003c/p\u003e\n\n## Quick start\n\nThis will apply basic privacy and security settings for Windows 10 and Windows 11\n\n```powershell\npowershell.exe -ExecutionPolicy Unrestricted -File .\\Install.ps1 -Level Basic\n```\n\n## What is this?\n\nThis is a handpicked collection of privacy and security settings for standalone Windows 10 and Windows 11 systems that tries to strike a good balance between privacy, security and usability. 
It uses group policy and is mainly based on Microsoft's [Windows security baselines](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10) and [Windows Restricted Traffic Limited Functionality Baseline](https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services).\n\nIt comes with two security levels, based on your threat profile:\n\n#### Basic security and privacy\n\nContains privacy and security settings that limit sharing of your personal information and improve the security configuration without extensively reducing performance or usability. \n\n- :bust_in_silhouette: For standalone and personal use systems\n- :beetle: Helps protect against passive attacks (malware and attacks against many people at once) \n\n#### High-level security and privacy\n\nIncludes extra security settings for individuals with a higher threat profile. This includes enterprise-grade security settings and protections against physical attacks. This might reduce usability and performance, compared to the basic level.\n\n- :busts_in_silhouette: For standalone, personal use systems and small domains/enterprises\n- :dart: Helps protect against targeted attacks (dedicated hackers or other malicious agents trying to access your device specifically)\n\n## How to use\n\nInstall the Basic security and privacy baseline:\n\n1. (Optional, but recommended) Download the newest LGPO.exe tool from [Microsoft Security Compliance Toolkit](https://www.microsoft.com/en-us/download/confirmation.aspx?id=55319) and place it in the Tools folder.\n2. (Optional, but recommended) Back up your current settings so you can revert later. Run `Backup.ps1` from the Utils folder. E.g. `.\\Backup.ps1 -OutputDir C:\\tmp\\`\n3. (Optional, but recommended) Review the list of changed settings in [Lists/SettingsOverview.xlsx](Lists/SettingsOverview.xlsx)\n4. 
Run `Install.ps1` with PowerShell with administrative privileges.\n\n```powershell\n.\\Install.ps1 -Level Basic\n```\n\nUse another value for `-Level` to select another baseline:\n\n```powershell\n-Level Basic                 [default] Basic security and privacy\n-Level HighSecurity          High security settings (assumes basic security settings are in place)\n\nAdvanced use and more granular control: \n-Level BasicSecurity         Basic security, with no privacy settings added\n-Level BasicPrivacy          Basic privacy, with no security settings added\n-Level HighSecurityBitlocker A subset of high security settings: Disk encryption settings\n-Level HighSecurityCredGuard A subset of high security settings: Virtualization-based security\n-Level HighSecurityComputer  A subset of high security settings: Computer settings\n-Level HighSecurityDomain    A subset of high security settings: Domain computer settings\n-Level ExtremePrivacy        [experimental] Privacy settings that degrade security and usability\n```\n\n## FAQ\n\n### Which Windows versions are supported?\n\nThe Install script will detect your version and apply supported settings. The following versions are supported:\n\n- Windows 10 (21H1, 21H2 and 22H2)\n- Windows 11 (21H2, 22H2 and 23H2)\n\nIn both cases, the **Enterprise** or **Education** editions of Windows are recommended. Pro will partially work, but some settings, such as telemetry, cannot be set to the desired level.\n\nWindows Home edition is not supported.\n\n### Why use this instead of CIS benchmark or Microsoft's security baseline?\n\nAlthough both CIS' and Microsoft's security baselines are great, they are geared towards organizations using domain-joined computers. This baseline is made for personal/standalone computers, and includes additional settings for increased privacy.\n\n### What is more important, privacy or security?\n\nBoth are important. This baseline tries to achieve both, but there are conflicts between them. 
In the following cases, privacy wins over security:\n\n- Windows Defender does not send samples to Microsoft. \n- SmartScreen is disabled\n\nSecurity and usability win in some cases too, as detailed below:\n\n### Does this baseline stop all traffic sent to Microsoft services?\n\nNo. Traffic to Microsoft is limited, but for usability and security reasons, the following services still send information to Microsoft:\n\n- Windows Update is enabled to automatically download security updates\n- Windows Defender signature updates are enabled to automatically download anti-malware definition updates\n- Automatic Root Certificates Update is enabled to automatically check the list of trusted authorities on Windows Update to see if an update is available\n- Network Connection Status Indicator (NCSI) sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. This is required to get Windows Updates and some other features\n- The \"Microsoft Account Sign-in Assistant\" service (wlidsvc) is enabled. This is required to get Windows Updates.\n- Telemetry is set to the lowest level available for your Windows version. If you don't have the Enterprise/Education edition, some telemetry is still [sent to Microsoft](https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization).\n- This baseline might have flaws and does not cover all possibilities. Please submit an issue if you see room for improvement.\n\n### What are the usability implications of installing this?\n\nFunctionality related to Microsoft accounts, Cortana, OneDrive, Store, cloud, feedback and customer experience improvement is disabled or reduced.\n\n### I want to change some of the settings\n\nEverything is customizable through group policy:\n\n1. To get an overview of your current settings, run `gpresult.exe /h GPreport.html` with administrative privileges. 
Then open the report in a browser and click \"Show all\". Identify the setting(s) you want to change and note their path.\n\n2. To change a setting, run `gpedit.msc` with administrative privileges, and change the setting(s) identified in the step above. The paths in the GPreport correspond to those in the gpedit tool. To reset a setting to its default state, set it to \"Not configured\".\n\n### What is the difference between the Basic and High security levels?\n\nThe High level has the following security improvements compared to the Basic level:\n\n- Stronger User Account Control (UAC) settings\n- Increased protection against physical attacks (Direct Memory Access (DMA) protections, Sleep mode disabled, machine inactivity limit)\n- Virtualization-based security features enabled (Hypervisor-Protected Code Integrity (HVCI), Secure launch)\n- Enhanced logging enabled (audit, PowerShell, firewall)\n- Hardening of Enterprise/domain features (Domain security settings, remote access like RDP and WinRM)\n- Stricter password policy\n\nThe privacy settings are equal in both levels.\n\n### How to verify changed settings before installing?\n\nDownload Microsoft's Policy Analyzer tool from [Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319), then import GPOs to view which settings they change.\n\n### Does this baseline improve any applications?\n\nNo. Only the Windows operating system and built-in Windows components are covered. There are no improvements to Microsoft Edge and Internet Explorer included here.\n\n## Contributing\n\nDon't be afraid to contribute! 
For now, create an issue if you see room for improvement, and we'll take it from there.\n\n## Credits\n\nThe main components of this baseline are\n\n- Microsoft's [Windows Security baselines](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) and [Microsoft Security Compliance Toolkit](https://www.microsoft.com/en-us/download/confirmation.aspx?id=55319)\n- Microsoft's [Restricted Traffic Limited Functionality Baseline](https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services)\n\nI learned a lot from mxk's [Windows 10 and Server 2019 Secure Baseline GPO](https://github.com/mxk/win10-secure-baseline-gpo) and included some adjustments based on that baseline.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftroennes%2Fprivate-secure-windows","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftroennes%2Fprivate-secure-windows","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftroennes%2Fprivate-secure-windows/lists"}