Last active
January 23, 2024 19:20
-
-
Save AzimsTech/55cf0dd2cad5ae5a08c5dd96875b1aa9 to your computer and use it in GitHub Desktop.
Windows 11 Config by CHEF-KOCH | https://chef-koch.bearblog.dev/windows-11-config-by-chef-koch/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
:: Windows 11 Config by CHEF-KOCH source: https://chef-koch.bearblog.dev/windows-11-config-by-chef-koch/ | |
:: Remove and rebuild Font Cache | |
:: Some params might not work in Windows Terminal | |
:: This is not needed anymore in Windows Codename Nickel+. | |
del "%WinDir%\ServiceProfiles\LocalService\AppData\Local\FontCache\*FontCache*" /s /f /q | |
del "%WinDir%\System32\FNTCACHE.DAT" /s /f /q | |
:: Remove the old Windows Powershell v1.x version which is vulnerable | |
:: taskkill /im PowerShell.exe /f | |
:: taskkill /im PowerShell_ISE.exe /f | |
:: takeown /s %computername% /u %username% /f "%ProgramFiles%\WindowsPowerShell" /r /d y | |
:: icacls "%ProgramFiles%\WindowsPowerShell" /inheritance:r /grant:r %username%:(OI)(CI)F /t /l /q /c | |
:: rd "%ProgramFiles%\WindowsPowerShell" /s /q | |
:: takeown /s %computername% /u %username% /f "%ProgramFiles(x86)%\WindowsPowerShell" /r /d y | |
:: icacls "%ProgramFiles(x86)%\WindowsPowerShell" /grant:r %username%:(OI)(CI)F /t /l /q /c | |
:: rd "%ProgramFiles(x86)%\WindowsPowerShell" /s /q | |
:: takeown /s %computername% /u %username% /f "%WinDir%\System32\WindowsPowerShell" /r /d y | |
:: icacls "%WinDir%\System32\WindowsPowerShell" /grant:r %username%:(OI)(CI)F /t /l /q /c | |
:: rd "%WinDir%\System32\WindowsPowerShell" /s /q | |
:: takeown /s %computername% /u %username% /f "%WinDir%\SysWOW64\WindowsPowerShell" /r /d y | |
:: icacls "%WinDir%\SysWOW64\WindowsPowerShell" /grant:r %username%:(OI)(CI)F /t /l /q /c | |
:: rd "%WinDir%\SysWOW64\WindowsPowerShell" /s /q | |
:: Remove random reg keys which could be abused by Malware | |
:: reg delete "HKCU\Software\Classes\ms-settings\shell\open" /f | |
:: reg delete "HKCU\Software\Microsoft\Command Processor" /v "AutoRun" /f | |
:: reg delete "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /f | |
:: reg delete "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /f | |
:: reg delete "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" /f | |
:: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /f | |
:: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /f | |
:: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved" /f | |
:: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths" /f | |
:: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery" /f | |
:: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug" /f | |
:: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies" /f | |
:: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f | |
:: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /f | |
:: reg delete "HKCU\Software\Policies" /f | |
:: reg delete "HKLM\Software\Microsoft\Command Processor" /v "AutoRun" /f | |
:: reg delete "HKLM\Software\Microsoft\Policies" /f | |
:: reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Font Drivers" /f | |
:: reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server" /f | |
:: reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "AppInit_DLLs" /f | |
:: reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /f | |
:: reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit" /f | |
:: reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "VMApplet" /f | |
:: reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells" /f | |
:: reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" /f | |
:: reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman" /f | |
:: reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" /f | |
:: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\AppModelUnlock" /f | |
:: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f | |
:: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler" /f | |
:: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks" /f | |
:: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved" /f | |
:: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies" /f | |
:: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /f | |
:: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" /f | |
:: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx" /f | |
:: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad" /f | |
:: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsStore\WindowsUpdate" /f | |
:: reg delete "HKLM\Software\Policies" /f | |
:: reg delete "HKLM\Software\WOW6432Node\Microsoft\Policies" /f | |
:: reg delete "HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v "AppInit_DLLs" /f | |
:: reg delete "HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /f | |
:: reg delete "HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit" /f | |
:: reg delete "HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "VMApplet" /f | |
:: reg delete "HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells" /f | |
:: reg delete "HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" /f | |
:: reg delete "HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman" /f | |
:: reg delete "HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" /f | |
:: reg delete "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f | |
:: reg delete "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies" /f | |
:: reg delete "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /f | |
:: reg delete "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce" /f | |
:: reg delete "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx" /f | |
:: reg delete "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\WindowsStore\WindowsUpdate" /f | |
:: reg delete "HKLM\Software\WOW6432Node\Policies" /f | |
:: reg delete "HKLM\System\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /f | |
:: reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot" /v "AlternateShell" /f | |
:: reg delete "HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg" /f | |
:: reg delete "HKLM\System\CurrentControlSet\Control\Session Manager" /v "BootExecute" /f | |
:: reg delete "HKLM\System\CurrentControlSet\Control\Session Manager" /v "Execute" /f | |
:: reg delete "HKLM\System\CurrentControlSet\Control\Session Manager" /v "SETUPEXECUTE" /f | |
:: reg delete "HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd" /v "StartupPrograms" /f | |
:: Windows Defender Security Center | |
:: TamperProtection | |
:: https://bearblog.dev/dashboard/posts/8465 | |
:: Disable SmartScreen | |
:: OFF - Disable Windows SmartScreen | |
:: On - Enable Windows SmartScreen | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f | |
:: OFF - Disable SmartScreen Filter in Microsoft Edge | |
:: 1 - Enable | |
reg add "HKCU\Software\Microsoft\Edge\SmartScreenEnabled" /ve /t REG_DWORD /d "1" /f | |
:: 0 - Disable SmartScreen PUA in Microsoft Edge | |
:: 1 - Enable | |
reg add "HKCU\Software\Microsoft\Edge\SmartScreenPuaEnabled" /ve /t REG_DWORD /d "0" /f | |
:: 0 - Disable Windows SmartScreen for Windows Store Apps | |
:: 1 - Enable | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_SZ /d "Anywhere" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "0" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f | |
:: Remove Smartscreen | |
:: takeown /s %computername% /u %username% /f "%WinDir%\System32\smartscreen.exe" | |
:: icacls "%WinDir%\System32\smartscreen.exe" /grant:r %username%:F | |
:: taskkill /im smartscreen.exe /f | |
:: del "%WinDir%\System32\smartscreen.exe" /s /f /q | |
:: Windows Defender Security Center | |
:: Specifies how the System responds when a user tries to install device driver files that are not digitally signed | |
:: 00 - Ignore | |
:: 01 - Warn | |
:: 02 - Block | |
reg add "HKLM\Software\Microsoft\Driver Signing" /v "Policy" /t REG_BINARY /d "01" /f | |
:: Prevent device metadata retrieval from the Internet / Do not automatically download manufacturers’ apps and custom icons available for your devices | |
:: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d "1" /f | |
:: sc config DsmSvc start= disabled | |
:: Do you want Windows to download driver Software / 0 - Never / 1 - Allways / 2 - Install driver Software, if it is not found on my computer | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d "0" /f | |
:: Specify search order for device driver source locations | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\DriverSearching" /v "DontSearchWindowsUpdate" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\DriverSearching" /v "DriverUpdateWizardWuSearchEnabled" /t REG_DWORD /d "0" /f | |
:: Disable driver updates in Windows Update | |
reg add "HKLM\Software\Microsoft\PolicyManager\current\device\Update" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Microsoft\PolicyManager\default\device\Update" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Microsoft\WindowsUpdate\UX\Settings" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f | |
:: Avoid the driver signing enforcement for EV cert / SHA256 Microsoft Windows signed drivers which is further enforced via Secure Boot | |
:: reg add "HKLM\System\ControlSet001\Control\CI\Policy" /v "UpgradedSystem" /t REG_DWORD /d "1" /f | |
:: Windows Error Reporting | |
:: https://docs.microsoft.com/en-us/windows/win32/wer/wer-settings | |
:: Disable Microsoft Support Diagnostic Tool MSDT | |
reg add "HKLM\Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy" /v "DisableQuery::oteServer" /t REG_DWORD /d "0" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy" /v "EnableQuery::oteServer" /t REG_DWORD /d "0" /f | |
:: Disable System Debugger (alias Dr. Watson) | |
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug" /v "Auto" /t REG_SZ /d "0" /f | |
:: Disable Windows Error Reporting (WER) | |
reg add "HKLM\Software\Microsoft\PCHealth\ErrorReporting" /v "DoReport" /t REG_DWORD /d "0" /f | |
reg add "HKCU\Software\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f | |
:: Default User Consent opt-out | |
:: 1 - Always ask (default) | |
:: 2 - Parameters only | |
:: 3 - Parameters and safe data | |
:: 4 - All data | |
reg add "HKCU\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultConsent" /t REG_DWORD /d "0" /f | |
reg add "HKCU\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultOverrideBehavior" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultConsent" /t REG_DWORD /d "0" /f | |
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultOverrideBehavior" /t REG_DWORD /d "1" /f | |
:: Disable WER sending second-level data | |
reg add "HKCU\Software\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /t REG_DWORD /d "1" /f | |
:: Disable WER crash dialogs and popups | |
reg add "HKLM\Software\Microsoft\PCHealth\ErrorReporting" /v "ShowUI" /t REG_DWORD /d "0" /f | |
reg add "HKCU\Software\Microsoft\Windows\Windows Error Reporting" /v "DontShowUI" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "DontShowUI" /t REG_DWORD /d "1" /f | |
:: Disable WER logging | |
reg add "HKCU\Software\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /t REG_DWORD /d "1" /f | |
:: Disable WER tasks | |
schtasks /Change /TN "Microsoft\Windows\ErrorDetails\EnableErrorDetailsUpdate" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable | |
:: Disable Windows Error Reporting Service | |
sc config WerSvc start= disabled | |
:: Windows Explorer | |
:: 2 - Open File Explorer to Quick access | |
:: 1 - Open File Explorer to This PC | |
:: 3 - Open File Explorer to Downloads | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "LaunchTo" /t REG_DWORD /d "1" /f | |
:: Single-click to open an item | |
:: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "ShellState" /t REG_BINARY /d "2400000017a8000000000000000000000000000001000000130000000000000073000000" /f | |
:: 2 - Underline icon titles consistent with my browser | |
:: 3 - Underline icon titles only when I point at them | |
:: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "IconUnderline" /t REG_DWORD /d "2" /f | |
:: Show recently used folders in Quick Access | |
:: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "ShowRecent" /t REG_DWORD /d "0" /f | |
:: Show frequently folders in Quick Access | |
:: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "ShowFrequent" /t REG_DWORD /d "0" /f | |
:: Open Explorer - Choose the desired View - View - Options - View - Apply to Folders - OK - Close Explorer ASAP | |
:: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags" /f | |
:: reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU" /f | |
:: reg delete "HKCU\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\Bags" /f | |
:: reg delete "HKCU\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\BagMRU" /f | |
:: reg delete "HKCU\Software\Microsoft\Windows\Shell\Bags" /f | |
:: reg delete "HKCU\Software\Microsoft\Windows\Shell\BagMRU" /f | |
:: reg delete "HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags" /f | |
:: reg delete "HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU" /f | |
:: reg add "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell" /v "FolderType" /t REG_SZ /d "NotSpecified" /f | |
:: ::Remove Network Icon from Navigation Panel | |
:: reg add "HKCR\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder" /v "Attributes" /t REG_DWORD /d "2962489444" /f | |
:: 1 - Hide Quick access from This PC | |
:: 0 - Show | |
:: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "HubMode" /t REG_DWORD /d "1" /f | |
:: Hide - 3D Objects from This PC | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f | |
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f | |
:: Hide - Desktop from This PC | |
:: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f | |
:: reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f | |
:: Hide - Documents from This PC | |
:: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f | |
:: reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f | |
:: Hide - Downloads from This PC | |
:: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f | |
:: reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f | |
:: Hide - Movies/Videos from This PC | |
:: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f | |
:: reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f | |
:: Hide - Music from This PC | |
:: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f | |
:: reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f | |
:: Hide - Pictures from This PC | |
:: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f | |
:: reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f | |
:: Show hidden files, folders and drives | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Hidden" /t REG_DWORD /d "1" /f | |
:: Show extensions for known file types | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d "0" /f | |
:: Hide protected operating system files | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSuperHidden" /t REG_DWORD /d "1" /f | |
:: Launch folder windows in a separate process | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "SeparateProcess" /t REG_DWORD /d "1" /f | |
:: Show Sync Provider Notifications in Windows Explorer (ADs) | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d "0" /f | |
:: Use Sharing Wizard | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "SharingWizardOn" /t REG_DWORD /d "0" /f | |
:: Expand navigation pane to open folder | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "NavPaneExpandToCurrentFolder" /t REG_DWORD /d "0" /f | |
:: Since 2004 (?) opening folders is automatically created in a separate process (no matter what the GUI claims, you see this via ProcessHacker) | |
:: 0 - All of the components of Windows Explorer run a single process | |
:: 1 - All instances of Windows Explorer run in one process and the Desktop and Taskbar run in a separate process | |
:: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "DesktopProcess" /t REG_DWORD /d "1" /f | |
:: Do not use Inline AutoComplete in File Explorer and Run Dialog | |
:: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete" /v "Append Completion" /t REG_SZ /d "No" /f | |
:: Do this for all current items checkbox | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\OperationStatusManager" /v "ConfirmationCheckBoxDoForAll" /t REG_DWORD /d "0" /f | |
:: Always show more details in copy dialog | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\OperationStatusManager" /v "EnthusiastMode" /t REG_DWORD /d "0" /f | |
:: Disable Previous Version Tab (makes sense if you disable Shadow Copies) | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "NoPreviousVersionsPage" /t REG_DWORD /d "1" /f | |
:: Display confirmation dialog when deleting files | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "ConfirmFileDelete" /t REG_DWORD /d "1" /f | |
:: Auto arrange icons and Align icons to grid on Desktop | |
:: Default 1075839520 | |
:: 1075839521 | |
:: 1075839524 | |
:: reg add "HKCU\Software\Microsoft\Windows\Shell\Bags\1\Desktop" /v "FFlags" /t REG_DWORD /d "1075839525" /f | |
:: Disable Look for an app in the Store (How do you want to open this file?) | |
reg add "HKLM\Software\Policies\Microsoft\Windows\Explorer" /v "NoUseStoreOpenWith" /t REG_DWORD /d "1" /f | |
:: Windows Optimizations | |
:: Determines whether user processes end automatically when the user either logs off or shuts down | |
:: 1 - Processes end automatically | |
reg add "HKCU\Control Panel\Desktop" /v "AutoEndTasks" /t REG_SZ /d "1" /f | |
:: Specifies the number of times the taskbar button flashes to notify the user that the system has activated a background window | |
:: If the time elapsed since the last user input exceeds the value of the ForegroundLockTimeout entry, the window will automatically be brought to the foreground (focus) | |
reg add "HKCU\Control Panel\Desktop" /v "ForegroundFlashCount" /t REG_SZ /d "0" /f | |
:: ForegroundLockTimeout specifies the time in milliseconds, following user input, during which the system keeps applications from moving into the foreground / 0 - Disabled / 200000 - Default | |
reg add "HKCU\Control Panel\Desktop" /v "ForegroundLockTimeout" /t REG_DWORD /d "0" /f | |
:: Specifies in milliseconds how long the System waits for user processes to end after the user clicks the End Task command button in Task Manager | |
reg add "HKCU\Control Panel\Desktop" /v "HungAppTimeout" /t REG_SZ /d "25000" /f | |
:: Determines how long the System waits for user processes to end after the user attempts to log off or to shut down | |
reg add "HKCU\Control Panel\Desktop" /v "WaitToKillAppTimeout" /t REG_SZ /d "25000" /f | |
:: Determines in milliseconds how long the System waits for services to stop after notifying the service that the System is shutting down | |
reg add "HKLM\System\CurrentControlSet\Control" /v "WaitToKillServiceTimeout" /t REG_SZ /d "25000" /f | |
:: Determines in milliseconds the interval from the time the cursor is pointed at a menu until the menu items are displayed | |
reg add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f | |
:: Remove Windows Mouse Acceleration Curve | |
reg delete "HKCU\Control Panel\Mouse" /v "SmoothMouseXCurve" /f | |
reg delete "HKCU\Control Panel\Mouse" /v "SmoothMouseYCurve" /f | |
:: Mouse Hover Time in milliseconds before Pop-up Display | |
reg add "HKCU\Control Panel\Mouse" /v "MouseHoverTime" /t REG_SZ /d "0" /f | |
:: How long in milliseconds you want to have for a startup delay time for desktop apps that run at startup to load | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Serialize" /v "StartupDelayInMSec" /t REG_DWORD /d "0" /f | |
:: Disable Background disk defragmentation | |
:: Issues are fixed, leave it enabled (default) | |
:: reg add "HKLM\Software\Microsoft\Dfrg\BootOptimizeFunction" /v "Enable" /t REG_SZ /d "n" /f | |
:: Disable Background auto-layout | |
:: Disable Optimize Hard Disk when idle (default) | |
:: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\OptimalLayout" /v "EnableAutoLayout" /t REG_DWORD /d "0" /f | |
:: Disable Automatic Maintenance & Scheduled System Maintenance | |
:: reg add "HKLM\Software\Microsoft\Windows\ScheduledDiagnostics" /v "EnabledExecution" /t REG_DWORD /d "0" /f | |
:: reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v "MaintenanceDisabled" /t REG_DWORD /d "1" /f | |
:: reg add "HKLM\Software\Policies\Microsoft\Windows\ScheduledDiagnostics" /v "EnabledExecution" /t REG_DWORD /d "0" /f | |
:: Disable 8dot3 name creation for all volumes on the system | |
:: 1 - Disables 8dot3 name creation for all volumes on the system | |
:: 2 - Sets 8dot3 name creation on a per volume basis | |
:: 3 - Disables 8dot3 name creation for all volumes except the system volume | |
:: fsutil 8dot3name scan c:\ | |
fsutil behavior set disable8dot3 1 | |
:: Disable the Encrypting File System (EFS) | |
fsutil behavior set disableencryption 1 | |
:: When listing directories, NTFS does not update the last-access timestamp, and it does not record time stamp updates in the NTFS log | |
:: fsutil behavior query disablelastaccess | |
fsutil behavior set disablelastaccess 3 | |
:: Delay Chkdsk startup time at OS Boot and set the limit to 5 seconds | |
reg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v "AutoChkTimeout" /t REG_DWORD /d "5" /f | |
:: Establishes a standard size file-system cache of approximately 8 MB | |
:: 1 - Establishes a large system cache working set that can expand to physical memory, minus 4 MB, if needed | |
reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d "1" /f | |
:: Drivers and the kernel can be paged to disk as needed | |
:: 1 - Drivers and the kernel must remain in physical memory | |
reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d "1" /f | |
:: Disable Prefetch | |
:: 1 - Enable Prefetch when the application starts | |
:: 2 - Enable Prefetch when the device starts up | |
:: 3 - Enable Prefetch when the application or device starts up | |
reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d "0" /f | |
:: Disable SuperFetch | |
:: 1 - Enable SuperFetch when the application starts up | |
:: 2 - Enable SuperFetch when the device starts up | |
:: 3 - Enable SuperFetch when the application or device starts up | |
reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableSuperfetch" /t REG_DWORD /d "0" /f | |
:: Disable Boot Tracing which is only relevant for debugging | |
:: 1 - Default | |
reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableBootTrace" /t REG_DWORD /d "0" /f | |
reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "SfTracingState" /t REG_DWORD /d "0" /f | |
:: Disable Fast Startup for a Full Shutdown | |
:: 1 - Enable Fast Startup (Hybrid Boot) for a Hybrid Shutdown | |
reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Power" /v "HiberbootEnabled" /t REG_DWORD /d "0" /f | |
:: Disable Fast Startup (Hybrid Boot) and Disable Hibernation | |
powercfg -h off | |
:: DiagLog is required by Diagnostic Policy Service (Troubleshooting) | |
:: No performance impact because it runs in memory only. | |
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d "0" /f | |
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DiagLog" /v "Start" /t REG_DWORD /d "0" /f | |
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\Diagtrack-Listener" /v "Start" /t REG_DWORD /d "0" /f | |
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\WiFiSession" /v "Start" /t REG_DWORD /d "0" /f | |
:: Windows Policies | |
:: Disable the warning The Publisher could not be verified | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "1808" /f | |
:: Disable Security warning to unblock the downloaded file | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f | |
:: Disable Low Disk Space Alerts | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoLowDiskSpaceChecks" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoLowDiskSpaceChecks" /t REG_DWORD /d "1" /f | |
:: Do not run specified exe files to avoid LOLBins | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d "1" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "addinprocess.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "10" /t REG_SZ /d "cscript.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "11" /t REG_SZ /d "csi.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "12" /t REG_SZ /d "dbghost.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "13" /t REG_SZ /d "dnx.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "14" /t REG_SZ /d "dotnet.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "15" /t REG_SZ /d "fsi.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "16" /t REG_SZ /d "fsiAnyCpu.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "17" /t REG_SZ /d "infdefaultinstall.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "18" /t REG_SZ /d "hh.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "19" /t REG_SZ /d "kd.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "2" /t REG_SZ /d "addinprocess32.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "20" /t REG_SZ /d "kill.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "21" /t REG_SZ /d "lxrun.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "22" /t REG_SZ /d "msbuild.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "23" /t REG_SZ /d "mshta.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "24" /t REG_SZ /d "msra.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "25" /t REG_SZ /d "nc.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "26" /t REG_SZ /d "nc64.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "27" /t REG_SZ /d "ntkd.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "28" /t REG_SZ /d "ntsd.exe" /f | |
:: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "29" /t REG_SZ /d "powershell.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "3" /t REG_SZ /d "addinutil.exe" /f | |
:: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "30" /t REG_SZ /d "powershell_ise.exe" /f | |
:: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "31" /t REG_SZ /d "powershellcustomhost.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "32" /t REG_SZ /d "psexec.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "33" /t REG_SZ /d "rcsi.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "34" /t REG_SZ /d "regsvr32.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "35" /t REG_SZ /d "runscripthelper.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "36" /t REG_SZ /d "scrcons.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "37" /t REG_SZ /d "texttransform.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "38" /t REG_SZ /d "visualuiaverifynative.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "39" /t REG_SZ /d "wbemtest.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "4" /t REG_SZ /d "aspnet_compiler.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "40" /t REG_SZ /d "wecutil.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "41" /t REG_SZ /d "werfault.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "42" /t REG_SZ /d "finger.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "43" /t REG_SZ /d "windbg.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "44" /t REG_SZ /d "winrm.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "45" /t REG_SZ /d "winrs.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "46" /t REG_SZ /d "wmic.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "47" /t REG_SZ /d "wscript.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "48" /t REG_SZ /d "wsl.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "49" /t REG_SZ /d "wslconfig.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "5" /t REG_SZ /d "bash.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "50" /t REG_SZ /d "wslhost.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "51" /t REG_SZ /d "ftp.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "52" /t REG_SZ /d "certutil.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "53" /t REG_SZ /d "regsvr32.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "54" /t REG_SZ /d "rundll32.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "6" /t REG_SZ /d "bginfo.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "7" /t REG_SZ /d "bitsadmin.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "8" /t REG_SZ /d "cdb.exe" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "9" /t REG_SZ /d "cipher.exe" /f | |
:: Disable Distributed Component Object Model (DCOM) support in Windows | |
:: Default: Y - Enabled | |
reg add "HKLM\Software\Microsoft\Ole" /v "EnableDCOM" /t REG_SZ /d "N" /f | |
:: Disable Microsoft Windows Just-In-Time (JIT) script debugging | |
:: No impact on performance but because of security. | |
reg add "HKCU\Software\Microsoft\Windows Script\Settings" /v "JITDebug" /t REG_DWORD /d "0" /f | |
reg add "HKU\.Default\Microsoft\Windows Script\Settings" /v "JITDebug" /t REG_DWORD /d "0" /f | |
:: When the system detects that the user is downloading an external program that runs as part of the Windows user interface, the system searches for a digital certificate or requests that the user approve the action | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "EnforceShellExtensionSecurity" /t REG_DWORD /d "1" /f | |
:: Disable Active Desktop | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideIcons" /t REG_DWORD /d "0" /f | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v "NoAddingComponents" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v "NoComponents" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "ForceActiveDesktopOn" /t REG_DWORD /d "0" /f | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoActiveDesktop" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoActiveDesktopChanges" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDesktop" /t REG_DWORD /d "0" /f | |
:: Disable the retrieval of online tips and help for the Settings app (ADs) | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "AllowOnlineTips" /t REG_DWORD /d "0" /f | |
:: Disable recent documents history | |
:: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRecentDocsHistory" /t REG_DWORD /d "1" /f | |
:: Do not add shares from recently opened documents to the My Network Places folder | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "Norecentdocsnethood" /t REG_DWORD /d "1" /f | |
:: Disable configuring the machine at boot-up | |
:: 1 - Enable configuring the machine at boot-up | |
:: 2 - Enable configuring the machine only if DSC is in pending or current state (Default) | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DSCAutomationHostEnabled" /t REG_DWORD /d "0" /f | |
:: Disable cursor suppression | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableCursorSuppression" /t REG_DWORD /d "0" /f | |
:: Disable Administrative Shares | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "LocalAccountTokenFilterPolicy" /t REG_DWORD /d "0" /f | |
reg add "HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareServer" /t REG_DWORD /d "0" /f | |
reg add "HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /t REG_DWORD /d "0" /f | |
reg add "HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters" /v "RestrictNullSessAccess" /t REG_DWORD /d "0" /f | |
:: Disabling PowerShell script execution and Restricting PowerShell to Constrained Language mode | |
:: Set-ExecutionPolicy bypass - noprofile | |
:: reg add "HKLM\Software\Microsoft\PowerShell\1\ShellIds\ScriptedDiagnostics" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f | |
:: reg add "HKLM\Software\WOW6432Node\Microsoft\PowerShell\1\ShellIds\ScriptedDiagnostics" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f | |
:: reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d "0" /f | |
:: reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Environment" /v "__PSLockDownPolicy" /t REG_SZ /d "4" /f | |
:: The device does not store the users credentials for automatic sign-in after a Windows Update restart. The users lock screen apps are not restarted after the system restarts. | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableAutomaticRestartSignOn" /t REG_DWORD /d "1" /f | |
:: Determines how many user account entries Windows saves in the logon cache on the local computer. | |
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "CachedLogonsCount" /t REG_DWORD /d "0" /f | |
:: Locky ransomware using VBscript (Visual Basic Script) | |
:: Alias Script Hosting | |
:: reg add "HKCU\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f | |
:: reg add "HKLM\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f | |
:: reg add "HKLM\Software\WOW6432Node\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f | |
:: Disable Customer Experience Improvement (CEIP/SQM - Software Quality Management) | |
reg add "HKLM\Software\Policies\Microsoft\Internet Explorer\SQM" /v "DisableCustomerImprovementProgram" /t REG_DWORD /d "0" /f | |
reg add "HKLM\Software\Policies\Microsoft\Messenger\Client" /v "CEIP" /t REG_DWORD /d "2" /f | |
reg add "HKLM\Software\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "0" /f | |
:: Disable Application Impact Telemetry (AIT) | |
reg add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /t REG_DWORD /d "0" /f | |
:: Disable Inventory Collector | |
reg add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "DisableInventory" /t REG_DWORD /d "1" /f | |
:: Disable Program Compatibility Assistant | |
reg add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "DisablePCA" /t REG_DWORD /d "1" /f | |
:: Disable Steps Recorder (Steps Recorder keeps a record of steps taken by the user, the data includes user actions such as keyboard input and mouse input user interface data and screenshots). | |
reg add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "DisableUAR" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Application-Experience/Steps-Recorder" /v "Enabled" /t REG_DWORD /d "0" /f | |
:: Specifies that Windows does not automatically encrypt eDrives | |
reg add "HKLM\Software\Policies\Microsoft\Windows\EnhancedStorageDevices" /v "TCGSecurityActivationDisabled" /t REG_DWORD /d "1" /f | |
:: Disable Network Connection Status Indicator (NCSI) | |
:: HKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet | |
reg add "HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /v "NoActiveProbe" /t REG_DWORD /d "1" /f | |
reg add "HKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "0" /f | |
:: Disable PerfTrack, tracking of responsiveness events. | |
reg add "HKLM\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}" /v "ScenarioExecutionEnabled" /t REG_DWORD /d "0" /f | |
:: Block untrusted fonts and log events | |
:: 2000000000000 - Do not block untrusted fonts | |
:: 3000000000000 - Log events without blocking untrusted fonts | |
reg add "HKLM\Software\Policies\Microsoft\Windows NT\MitigationOptions" /v "MitigationOptions_FontBocking" /t REG_SZ /d "1000000000000" /f | |
:: Enable Shutdown Event Tracker | |
:: 0 - Disable (Default) | |
:: reg add "HKLM\Software\Policies\Microsoft\Windows NT\Reliability" /v "ShutdownReasonOn" /t REG_DWORD /d "0" /f | |
:: reg add "HKLM\Software\Policies\Microsoft\Windows NT\Reliability" /v "ShutdownReasonUI" /t REG_DWORD /d "0" /f | |
:: Do not allow storage of passwords and credentials for network authentication in the Credential Manager | |
reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v "DisableDomainCreds" /t REG_DWORD /d "1" /f | |
:: Digest Security Provider is disabled by default, but malware can enable it to recover the plain text passwords from the system’s memory | |
reg add "HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest" /v "UseLogonCredential" /t REG_DWORD /d "0" /f | |
:: The system registry is no longer backed up to the RegBack folder starting in Windows 10 version 1803 and higher. | |
reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Configuration Manager" /v "EnablePeriodicBackup" /t REG_DWORD /d "1" /f | |
:: No-one will be a member of the built-in group, although it will still be visible in the Object Picker | |
:: 1 - All users logging on to a session on the server will be made a member of the Terminal server user group | |
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "TSUserEnabled" /t REG_DWORD /d "0" /f | |
:: Disable SMB 1.0/2.0 | |
:: Default since 1909+ | |
:: reg add "HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters" /v "SMB1" /t REG_DWORD /d "0" /f | |
:: reg add "HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters" /v "SMB2" /t REG_DWORD /d "0" /f | |
:: Microsoft Edge | |
:: Automatic HTTPS functionality | |
:: 0 - Disabled | |
:: 1 - Switch to supported domains | |
:: 2 - Always | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "AutomaticHttpsDefault" /t REG_DWORD /d "2" /f | |
:: AllowJavaScriptJit | |
:: 2 - BlockJavaScriptJit (Do not allow any site to run JavaScript JIT) | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DefaultJavaScriptJitSetting" /t REG_DWORD /d "0" /f | |
:: Do not allow Developer Tools | |
:: 0 - Default | |
:: 2 - DeveloperToolsDisallowed (Do not allow using the developer tools) | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DeveloperToolsAvailability" /t REG_DWORD /d "2" /f | |
:: Do not allow users to open files using the DirectInvoke protocol | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DirectInvokeEnabled" /t REG_DWORD /d "0" /f | |
:: Disable taking screenshots | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DisableScreenshots" /t REG_DWORD /d "1" /f | |
:: Allow Google Cast to connect to Cast devices on all IP addresses, Edge trying to connect to 239.255.255.250 via UDP port 1900 | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "EnableMediaRouter" /t REG_DWORD /d "0" /f | |
:: Allow QUIC protocol | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "QuicAllowed" /t REG_DWORD /d "1" /f | |
:: Disable Remote debugging | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "RemoteDebuggingAllowed" /t REG_DWORD /d "0" /f | |
:: Prent screen capture | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "ScreenCaptureAllowed" /t REG_DWORD /d "0" /f | |
:: Disallow notifications to set Microsoft Edge as default PDF reader | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "ShowPDFDefaultRecommendationsEnabled" /t REG_DWORD /d "0" /f | |
:: Do not allow Speech Recognition | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "SpeechRecognitionEnabled" /t REG_DWORD /d "0" /f | |
:: Do not video capture | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "VideoCaptureAllowed" /t REG_DWORD /d "0" /f | |
:: Do not show share button | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "ConfigureShare" /t REG_DWORD /d "1" /f | |
:: Do not show Collections button | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "EdgeCollectionsEnabled" /t REG_DWORD /d "0" /f | |
:: Show favorites bar | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "FavoritesBarEnabled" /t REG_DWORD /d "1" /f | |
:: Do not show Math Solver button | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "MathSolverEnabled" /t REG_DWORD /d "0" /f | |
:: Do not show home button | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "ShowHomeButton" /t REG_DWORD /d "0" /f | |
:: Do not show feedback button | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "UserFeedbackAllowed" /t REG_DWORD /d "0" /f | |
:: Do not show tab actions menu (Show vertical tabs) | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "VerticalTabsAllowed" /t REG_DWORD /d "0" /f | |
:: Do not show web capture button | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "WebCaptureEnabled" /t REG_DWORD /d "0" /f | |
:: Disallow background updates to the list of available templates for Collections and other features that use templates | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "BackgroundTemplateListUpdatesEnabled" /t REG_DWORD /d "0" /f | |
:: Disable Web Widget | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "WebWidgetAllowed" /t REG_DWORD /d "0" /f | |
:: Disable Motion or light sensors permissions | |
:: 1 - AllowSensors | |
:: 2 - BlockSensors | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DefaultSensorsSetting" /t REG_DWORD /d "2" /f | |
:: Open PDF Documents not within the Browser and use external programs | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "AlwaysOpenPdfExternally" /t REG_DWORD /d "1" /f | |
:: File Editing (read) | |
:: 2 - BlockFileSystemRead | |
:: 3 - AskFileSystemRead | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DefaultFileSystemReadGuardSetting" /t REG_DWORD /d "2" /f | |
:: File Editing (write) | |
:: 2 - BlockFileSystemWrite | |
:: 3 - AskFileSystemWrite | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DefaultFileSystemWriteGuardSetting" /t REG_DWORD /d "2" /f | |
:: Location | |
:: 1 - AllowGeolocation | |
:: 2 - BlockGeolocation | |
:: 3 - AskGeolocation | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DefaultGeolocationSetting" /t REG_DWORD /d "2" /f | |
:: Insecure Content | |
:: 2 - BlockInsecureContent | |
:: 3 - AllowExceptionsInsecureContent | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DefaultInsecureContentSetting" /t REG_DWORD /d "2" /f | |
:: Notifications | |
:: 1 - AllowNotifications | |
:: 2 - BlockNotifications | |
:: 3 - AskNotifications | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DefaultNotificationsSetting" /t REG_DWORD /d "2" /f | |
:: Serial ports | |
:: 2 - BlockSerial | |
:: 3 - AskSerial | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DefaultSerialGuardSetting" /t REG_DWORD /d "2" /f | |
:: USB Devices | |
:: 2 - Block WebUsb | |
:: 3 - Ask WebUsb | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DefaultWebUsbGuardSetting" /t REG_DWORD /d "2" /f | |
:: 1 - Prevent audio capture | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "AudioCaptureAllowed" /t REG_DWORD /d "0" /f | |
:: Bluetooth permissions | |
:: 2 - Block Web Bluetooth | |
:: 3 - Ask Web Bluetooth | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DefaultWebBluetoothGuardSetting" /t REG_DWORD /d "2" /f | |
:: Set download directory | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DownloadDirectory" /t REG_SZ /d "C:\Desktop" /f | |
:: Ask me what to do with each download | |
:: Ignored when download directory is set | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "PromptForDownloadLocation" /t REG_DWORD /d "1" /f | |
:: Blocks external extensions from being installed | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "BlockExternalExtensions" /t REG_DWORD /d "1" /f | |
:: Enable spellcheck by default | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "SpellcheckEnabled" /t REG_DWORD /d "1" /f | |
:: Do not offer to translate pages that are not in my language I have read | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "TranslateEnabled" /t REG_DWORD /d "0" /f | |
:: Page Layout | |
:: 1 - DisableImageOfTheDay | |
:: 2 - DisableCustomImage | |
:: 3 - DisableAll | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "NewTabPageAllowedBackgroundTypes" /t REG_DWORD /d "1" /f | |
:: Do not allow Microsoft News content on the new tab page | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "NewTabPageContentEnabled" /t REG_DWORD /d "0" /f | |
:: Do not preload the new tab page for a faster experience | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "NewTabPagePrerenderEnabled" /t REG_DWORD /d "0" /f | |
:: Hide the default top sites from the new tab page | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "NewTabPageHideDefaultTopSites" /t REG_DWORD /d "1" /f | |
:: Do not allow quick links on the new tab page | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "NewTabPageQuickLinksEnabled" /t REG_DWORD /d "0" /f | |
:: Do not allow to add new profile(s) | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "BrowserAddProfileEnabled" /t REG_DWORD /d "0" /f | |
:: Prevent browsing as guest | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "BrowserGuestModeEnabled" /t REG_DWORD /d "0" /f | |
:: Do not suggest similar sites when a website canot be found | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "AlternateErrorPagesEnabled" /t REG_DWORD /d "0" /f | |
:: Diagnostic Data | |
:: 0 - Off | |
:: 1 - RequiredData | |
:: 2 - OptionalData | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DiagnosticData" /t REG_DWORD /d "0" /f | |
:: Search on new tabs uses search box or address bar | |
:: redirect - Address bar | |
:: bing - Search box | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "NewTabPageSearchBox" /t REG_SZ /d "redirect" /f | |
:: Tracking prevention | |
:: Do not Track is useless. | |
:: 0 - Off | |
:: 1 - Basic | |
:: 2 - Balanced | |
:: 3 - Strict | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "TrackingPrevention" /t REG_DWORD /d "0" /f | |
:: Disable Microsoft Search in Bing suggestions in the address bar | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "AddressBarMicrosoftSearchInBingProviderEnabled" /t REG_DWORD /d "0" /f | |
:: Disallow personalization of ads, Microsoft Edge, search, news and other Microsoft services by sending browsing history, favorites and collections, usage and other browsing data to Microsoft | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "PersonalizationReportingEnabled" /t REG_DWORD /d "0" /f | |
:: Disable full-tab promotional content | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "PromotionalTabsEnabled" /t REG_DWORD /d "0" /f | |
:: Disable recommendations and promotional notifications from Microsoft Edge | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "ShowRecommendationsEnabled" /t REG_DWORD /d "0" /f | |
:: Choose whether users can receive customized background images and text, suggestions, notifications, and tips for Microsoft services | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "SpotlightExperiencesAndRecommendationsEnabled" /t REG_DWORD /d "0" /f | |
:: Use secure DNS (DoH) in Microsoft Edge, example NextDNS | |
:: reg add "HKLM\Software\Policies\Microsoft\Edge" /v "BuiltInDnsClientEnabled" /t REG_DWORD /d "1" /f | |
:: reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DnsOverHttpsMode" /t REG_SZ /d "secure" /f | |
:: reg add "HKLM\Software\Policies\Microsoft\Edge" /v "DnsOverHttpsTemplates" /t REG_SZ /d "https://dns.nextdns.io/xxxxxx?" /f | |
:: Disable adds Website using this Profile | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "AADWebSiteSSOUsingThisProfileEnabled" /t REG_DWORD /d "0" /f | |
:: Do not save and fill personal info (use KeePass) | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "AutofillAddressEnabled" /t REG_DWORD /d "0" /f | |
:: Do not save and fill payment info | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "AutofillCreditCardEnabled" /t REG_DWORD /d "0" /f | |
:: Do not show rewards points in Microsoft Edge user profile | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "EdgeShoppingAssistantEnabled" /t REG_DWORD /d "0" /f | |
:: Do not suggest strong passwords | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "PasswordGeneratorEnabled" /t REG_DWORD /d "0" /f | |
:: Do not offer to save passwords | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "PasswordManagerEnabled" /t REG_DWORD /d "0" /f | |
:: Do not show alerts when passwords are found in an online leak | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "PasswordMonitorAllowed" /t REG_DWORD /d "0" /f | |
:: Do not show alerts when passwords are found in an online leak | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "PasswordMonitorAllowed" /t REG_DWORD /d "0" /f | |
:: Do not show the "Reveal password" button in password fields | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "PasswordRevealEnabled" /t REG_DWORD /d "0" /f | |
:: Do not allow auto sign-in | |
:: 0 - Automatically | |
:: 1 - With device password | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "PrimaryPasswordSetting" /t REG_DWORD /d "1" /f | |
:: Do not use a web service to help resolve navigation errors | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "ResolveNavigationErrorsUseWebService" /t REG_DWORD /d "0" /f | |
:: Do not show me search and site suggestions using my typed characters (use bookmarks instead) | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "SearchSuggestEnabled" /t REG_DWORD /d "0" /f | |
:: Do not show rewards points in Microsoft Edge user profile | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "ShowMicrosoftRewards" /t REG_DWORD /d "0" /f | |
:: Do not continue running background apps when Microsoft Edge is closed | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "BackgroundModeEnabled" /t REG_DWORD /d "0" /f | |
:: Use hardware acceleration when available | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "HardwareAccelerationModeEnabled" /t REG_DWORD /d "1" /f | |
:: Do not save resources with sleeping tabs | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "SleepingTabsEnabled" /t REG_DWORD /d "0" /f | |
:: Disable Startup boost | |
:: Prevents and fixes some known issues. | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "StartupBoostEnabled" /t REG_DWORD /d "0" /f | |
:: Disable Network prediction or guessing | |
:: 0 - Always | |
:: 1 - WifiOnly | |
:: 2 - Never | |
reg add "HKLM\Software\Policies\Microsoft\Edge" /v "NetworkPredictionOptions" /t REG_DWORD /d "2" /f | |
:: User Account Control | |
:: 0 - Elevate without prompting | |
:: 1 - Prompt for credentials on the secure desktop | |
:: 2 - Prompt for consent on the secure desktop | |
:: 3 - Prompt for credentials | |
:: 4 - Prompt for consent | |
:: 5 - Prompt for consent for non-Windows binaries (Default) | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "1" /f | |
:: Automatically deny elevation requests | |
:: 1 - Prompt for credentials on the secure desktop | |
:: 3 - Prompt for credentials (Default) | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorUser" /t REG_DWORD /d "0" /f | |
:: Disable trusted Startup Tasks | |
:: 2 - Default | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableFullTrustStartupTasks" /t REG_DWORD /d "0" /f | |
:: Detect application installations and prompt for elevation | |
:: 1 - Enabled (default for Retail/Home) | |
:: 0 - Disabled (default for Enterprise) | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableInstallerDetection" /t REG_DWORD /d "1" /f | |
:: Run all administrators in Admin Approval Mode / 0 - Disabled (UAC) / 1 - Enabled (UAC) | |
:: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "1" /f | |
:: Only elevate UIAccess applications that are installed in secure locations | |
:: 0 - Disabled | |
:: 1 - Enabled (Default) | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableSecureUIAPaths" /t REG_DWORD /d "1" /f | |
:: Disable UWP startup tasks | |
:: 2 - Enabled (Default) | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableUwpStartupTasks" /t REG_DWORD /d "0" /f | |
:: Allow UIAccess applications to prompt for elevation without using the secure desktop | |
:: 0 = Disabled (Default) | |
:: 1 - Enabled | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableUIADesktopToggle" /t REG_DWORD /d "0" /f | |
:: Disable Virtualization | |
:: 0 - Disabled | |
:: 1 - Enabled (Default) | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableVirtualization" /t REG_DWORD /d "0" /f | |
:: Admin Approval Mode for the built-in Administrator account | |
:: 0 - Disabled (Default) | |
:: 1 - Enabled | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "FilterAdministratorToken" /t REG_DWORD /d "1" /f | |
:: Allow UIAccess applications to prompt for elevation without using the secure desktop | |
:: 0 - Disabled (Default) | |
:: 1 - Enabled | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "1" /f | |
:: Enforce cryptographic signatures on any interactive application that requests elevation of privilege | |
:: 0 - Disabled (Default) | |
:: 1 - Enabled | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ValidateAdminCodeSignatures" /t REG_DWORD /d "1" /f | |
:: Display highly detailed status messages | |
:: 0 - Disabled (Default) | |
:: 1 - Enabled | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "VerboseStatus" /t REG_DWORD /d "1" /f | |
:: Enable command-line auditing | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v "ProcessCreationIncludeCmdLine_Enabled" /t REG_DWORD /d "1" /f | |
:: Windows Scheduled Tasks | |
:: We disable useless stuff without breaking something useful. | |
:: You can ignore "The system cannot find the file specified." because some stuff is platform specific (AMD/Intel). | |
schtasks /Change /TN "CreateExplorerShellUnelevatedTask" /Enable | |
schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64 Critical" /Disable | |
schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64" /Disable | |
schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Critical" /Disable | |
schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319" /Disable | |
schtasks /Change /TN "Microsoft\Windows\::oteAssistance\::oteAssistanceTask" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Device Information\Device User" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Device Information\Device" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Diagnosis\Scheduled" /Disable | |
schtasks /Change /TN "Microsoft\Windows\DiskCleanup\SilentCleanup" /Disable | |
schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable | |
schtasks /Change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /Disable | |
schtasks /Change /TN "Microsoft\Windows\DiskFootprint\StorageSense" /Disable | |
schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable | |
schtasks /Change /TN "Microsoft\Windows\EnterpriseMgmt\MDMMaintenenceTask" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable | |
schtasks /Change /TN "Microsoft\Windows\FileHistory\File History (maintenance mode)" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataFlushing" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataReporting" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Flighting\OneSettings\RefreshCache" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Input\LocalUserSyncDataAvailable" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Input\MouseSyncDataAvailable" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Input\PenSyncDataAvailable" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Input\TouchpadSyncDataAvailable" /Disable | |
schtasks /Change /TN "Microsoft\Windows\International\Synchronize Language Settings" /Disable | |
schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Installation" /Disable | |
schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources" /Disable | |
schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Uninstallation" /Disable | |
schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable | |
schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Cellular" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Logon" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Maps\MapsToastTask" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable | |
schtasks /Change /TN "Microsoft\Windows\MUI\LPRemove" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Multimedia\SystemSoundsService" /Disable | |
schtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable | |
schtasks /Change /TN "Microsoft\Windows\NlaSvc\WiFiTask" /Disable | |
schtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Printing\EduPrintProv" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Printing\PrinterCleanupTask" /Disable | |
schtasks /Change /TN "Microsoft\Windows\PushToInstall\Registration" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Ras\MobilityManager" /Disable | |
schtasks /Change /TN "Microsoft\Windows\RecoveryEnvironment\VerifyWinRE" /Disable | |
schtasks /Change /TN "Microsoft\Windows\RetailDemo\CleanupOfflineContent" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Servicing\StartComponentCleanup" /Disable | |
schtasks /Change /TN "Microsoft\Windows\SettingSync\NetworkStateChangeTask" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable | |
schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceAgentTask" /Disable | |
schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceManagerTask" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Speech\SpeechModelDownloadTask" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Storage Tiers Management\Storage Tiers Management Initialization" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Sysmain\ResPriStaticDbSync" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Sysmain\WsSwapAssessmentTask" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Task Manager\Interactive" /Disable | |
schtasks /Change /TN "Microsoft\Windows\TextServicesFramework\MsCtfMonitor" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Time Zone\SynchronizeTimeZone" /Disable | |
schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-HASCertRetr" /Disable | |
schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-Maintenance" /Disable | |
schtasks /Change /TN "Microsoft\Windows\UPnP\UPnPHostConfig" /Disable | |
schtasks /Change /TN "Microsoft\Windows\User Profile Service\HiveUploadTask" /Disable | |
schtasks /Change /TN "Microsoft\Windows\WCM\WiFiTask" /Disable | |
schtasks /Change /TN "Microsoft\Windows\WDI\ResolutionHost" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange" /Disable | |
schtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /Disable | |
schtasks /Change /TN "Microsoft\Windows\WlanSvc\CDSSync" /Disable | |
schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Management" /Disable | |
schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Validation" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Logon Synchronization" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Maintenance Work" /Disable | |
schtasks /Change /TN "Microsoft\Windows\Workplace Join\Automatic-Device-Join" /Disable | |
schtasks /Change /TN "Microsoft\Windows\WwanSvc\NotificationTask" /Disable | |
schtasks /Change /TN "Microsoft\Windows\WwanSvc\OobeDiscovery" /Disable | |
schtasks /DELETE /TN "AMDInstallLauncher" /f | |
schtasks /DELETE /TN "AMDLinkUpdate" /f | |
schtasks /DELETE /TN "AMDRyzenMasterSDKTask" /f | |
schtasks /DELETE /TN "Driver Easy Scheduled Scan" /f | |
schtasks /DELETE /TN "ModifyLinkUpdate" /f | |
schtasks /DELETE /TN "SoftMakerUpdater" /f | |
schtasks /DELETE /TN "StartCN" /f | |
schtasks /DELETE /TN "StartDVR" /f | |
:: Windows Services | |
:: AMD Crash Defender Driver | |
sc config amdfendr start= disabled | |
:: AMD Crash Defender Driver | |
sc config amdfendrmgr start= disabled | |
:: AMD Crash Defender Service | |
sc config "AMD Crash Defender Service" start= disabled | |
:: AMD External Events Utility | |
sc config "AMD External Events Utility" start= disabled | |
:: AOMEI Backupper Scheduler Service | |
sc config "Backupper Service" start= demand | |
:: AVCTP service | |
sc config BthAvctpSvc start= disabled | |
:: BitLocker Drive Encryption Service | |
sc config BDESVC start= disabled | |
:: Clipboard User Service | |
::sc config cbdhsvc start= disabled | |
:: Connected User Experiences and Telemetry | |
sc config DiagTrack start= disabled | |
:: Contact Data | |
reg add "HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc" /v "Start" /t REG_DWORD /d "4" /f | |
:: Data Usage | |
sc config DusmSvc start= disabled | |
:: DevQuery Background Discovery Broker | |
sc config DevQueryBroker start= disabled | |
:: Display Enhancement Service | |
sc config DisplayEnhancementService start= disabled | |
:: Display Policy Service | |
sc config DispBrokerDesktopSvc start= disabled | |
:: dLauncherLoopback | |
sc config dLauncherLoopback start= demand | |
:: Encrypting File System (EFS) | |
sc config EFS start= disabled | |
:: Function Discovery Provider Host | |
sc config fdPHost start= disabled | |
:: Function Discovery Resource Publication | |
sc config FDResPub start= disabled | |
:: Geolocation Service | |
sc config lfsvc start= disabled | |
:: IKE and AuthIP IPsec Keying Modules | |
sc config IKEEXT start= disabled | |
:: IP Helper | |
sc config iphlpsvc start= disabled | |
:: Network Policy Server Management Service | |
sc config NPSMSvc start= disabled | |
:: Payments and NFC/SE Manager | |
sc config SEMgrSvc start= disabled | |
:: Program Compatibility Assistant Service | |
sc config PcaSvc start= disabled | |
:: Print Spooler | |
sc config Spooler start= disabled | |
:: Radio Management Service | |
sc config RmSvc start= disabled | |
:: ::ote Access Connection Manager | |
sc config RasMan start= disabled | |
:: ::ote Desktop Services | |
sc config TermService start= disabled | |
:: Retail Demo | |
sc config RetailDemo start=disabled | |
:: Secure Socket Tunneling Protocol Service | |
sc config SstpSvc start=disabled | |
:: Server | |
sc config LanmanServer start= disabled | |
:: Shell Hardware Detection | |
:: If you use BitLocker, this must be enabled. | |
sc config ShellHWDetection start= disabled | |
:: SSDP Discovery | |
sc config SSDPSRV start= disabled | |
:: Superfetch | |
sc config SysMain start= disabled | |
:: TCP/IP NetBIOS Helper | |
sc config lmhosts start= disabled | |
:: Touch Keyboard and Handwriting Panel Service (keeps ctfmon.exe running) | |
::sc config TabletInputService start= disabled | |
:: WebClient | |
sc config WebClient start= disabled | |
:: Windows Font Cache Service | |
sc config FontCache start= disabled | |
:: Windows Remote Management (WS-Management) | |
sc config WinRM start= disabled | |
:: Windows Search | |
:: sc config WSearch start= disabled | |
:: Windows Time | |
:: sc config W32Time start= disabled | |
:: WinHTTP Web Proxy Auto-Discovery Service | |
reg add "HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "4" /f | |
:: Workstation | |
sc config LanmanWorkstation start= disabled | |
:: Windows Settings | |
:: Permanently delete Windows Default Sounds | |
:: reg delete "HKCU\AppEvents\Schemes\Apps" /f | |
:: When windows detects communications activity | |
:: Sound ducking is not useful on OS level because Disocrd, OBS Stduio and co. have their own ducking option. | |
:: 0 - Mute all other sounds | |
:: 1 - Reduce all other by 80% | |
:: 2 - Reduce all other by 50% | |
:: 3 - Do nothing | |
reg add "HKCU\Software\Microsoft\Multimedia\Audio" /v "UserDuckingPreference" /t REG_DWORD /d "3" /f | |
:: Do not Windows Startup sound | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\EditionOverrides" /v "UserSetting_DisableStartupSound" /t REG_DWORD /d "1" /f | |
:: Mouse Keys | |
:: 62 - Disable | |
:: 63 - Default | |
:: reg add "HKCU\Control Panel\Accessibility\MouseKeys" /v "Flags" /t REG_SZ /d "62" /f | |
:: Filter Keyboard keys | |
:: 126 - Disable All | |
:: 127 - Default | |
:: reg add "HKCU\Control Panel\Accessibility\ToggleKeys" /v "Flags" /t REG_SZ /d "126" /f | |
:: Sticky keys | |
:: 26 - Disable All | |
:: 511 - Default | |
:: reg add "HKCU\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d "26" /f | |
:: Toggle keys | |
:: 58 - Disable All | |
:: 63 - Default | |
:: reg add "HKCU\Control Panel\Accessibility\ToggleKeys" /v "Flags" /t REG_SZ /d "58" /f | |
:: Disable Windows Key Hotkeys | |
:: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWinKeys" /t REG_DWORD /d "1" /f | |
:: Disable specific Windows Key Hotkeys only (like Win+R) | |
:: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DisabledHotkeys" /t REG_EXPAND_SZ /d "R" /f | |
:: Do not show text suggestions when typing on the physical keyboard (Privacy) | |
:: reg add "HKCU\Software\Microsoft\Input\Settings" /v "EnableHwkbTextPrediction" /t REG_DWORD /d "0" /f | |
:: Disable Typing insights (Privacy) | |
:: reg add "HKCU\Software\Microsoft\Input\Settings" /v "InsightsEnabled" /t REG_DWORD /d "0" /f | |
:: Disable Multilingual text suggestions (Privacy) | |
:: reg add "HKCU\Software\Microsoft\Input\Settings" /v "MultilingualEnabled" /t REG_DWORD /d "0" /f | |
:: Disable autocorrect misspelled words (Privacy) | |
:: reg add "HKCU\Software\Microsoft\TabletTip\1.7" /v "EnableAutocorrection" /t REG_DWORD /d "0" /f | |
:: Disable highlight misspelled words (Privacy) | |
:: reg add "HKCU\Software\Microsoft\TabletTip\1.7" /v "EnableSpellchecking" /t REG_DWORD /d "0" /f | |
:: Disable input preload | |
:: reg add "HKCU\Software\Microsoft\Input" /v "IsInputAppPreloadEnabled" /t REG_DWORD /d "0" /f | |
:: Disable Voice typing | |
reg add "HKCU\Software\Microsoft\Input\Settings" /v "VoiceTypingEnabled" /t REG_DWORD /d "0" /f | |
:: Disable Text input via third-party apps | |
:: reg add "HKCU\Software\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d "0" /f | |
:: Do not automatically save my restartable apps when I sign out and restart them after I sign in | |
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "RestartApps" /t REG_DWORD /d "0" /f | |
:: Apps | |
:: Choose where to get apps | |
:: This is security critial, we assume no one has physical (or other) access to the OS/profile. | |
:: Anywhere | |
:: PreferStore | |
:: StoreOnly | |
:: Recommendations | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "AicEnabled" /t REG_SZ /d "Anywhere" /f | |
:: Disable share across devices | |
:: 1 - My devices only (Default) | |
:: 2 - Everyone nearby | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CDP" /v "CdpSessionUserAuthzPolicy" /t REG_DWORD /d "0" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CDP" /v "RomeSdkChannelUserAuthzPolicy" /t REG_DWORD /d "0" /f | |
:: Disable sharing nearby location auth | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CDP" /v "NearShareChannelUserAuthzPolicy" /t REG_DWORD /d "0" /f | |
:: Do not let apps run in the background | |
:: 0 - Enabled | |
:: 1 - Disabled | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f | |
:: Do not let apps run in the background | |
:: 1 - Enabled | |
:: 0 - Disabled | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t REG_DWORD /d "0" /f | |
:: Do not let apps run in the background | |
:: 0 - Default | |
:: 1 - Enabled | |
:: 2 - Disabled | |
reg add "HKLM\Software\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsRunInBackground" /t REG_DWORD /d "2" /f | |
:: Disallow usage of Autoplay for all media and devices | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers" /v "DisableAutoplay" /t REG_DWORD /d "1" /f | |
:: Disable AutoPlay and AutoRun | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAutorun" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDriveTypeAutoRun" /t REG_DWORD /d "255" /f | |
:: 1/6/10 - Enhance pointer precision (Mouse Acceleration) | |
reg add "HKCU\Control Panel\Mouse" /v "MouseSpeed" /t REG_SZ /d "0" /f | |
reg add "HKCU\Control Panel\Mouse" /v "MouseThreshold1" /t REG_SZ /d "0" /f | |
reg add "HKCU\Control Panel\Mouse" /v "MouseThreshold2" /t REG_SZ /d "0" /f | |
:: Disable smooth scrolling | |
:: reg add "HKCU\Control Panel\Desktop" /v "SmoothScroll" /t REG_DWORD /d "0" /f | |
:: Disable Mouse Trails | |
reg add "HKCU\Control Panel\Mouse" /v "MouseTrails" /t REG_SZ /d "0" /f | |
:: Download over metered connections | |
:: reg add "HKLM\Microsoft\Windows\CurrentVersion\DeviceSetup" /v "CostedNetworkPolicy" /t REG_DWORD /d "0" /f | |
:: Do not show me suggestions for using my Android phone with Windows | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Mobility" /v "OptedIn" /t REG_DWORD /d "0" /f | |
:: Do not record what happened | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f | |
:: Do not Capture audio when recording a game | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AudioCaptureEnabled" /t REG_DWORD /d "0" /f | |
:: Do not Capture mosue cursor when recording a game | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "CursorCaptureEnabled" /t REG_DWORD /d "0" /f | |
:: Do not allow captureing microphone sounds (global switch) via GameDVR | |
:: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "MicrophoneCaptureEnabled" /t REG_DWORD /d "0" /f | |
:: Disable Fullscreen Optimizations for Current User | |
:: Useless since 1809/1903+ | |
:: 0 - Enabled | |
:: 2 - Disabled | |
:: reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f | |
:: reg add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "2" /f | |
:: Disable Game DVR / "Press Win + G to record a clip" | |
reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f | |
reg add "HKLM\System\CurrentControlSet\Services\BcastDVRUserService" /v "Start" /t REG_DWORD /d "4" /f | |
:: Disable GameDVR services and tasks | |
reg add "HKLM\System\CurrentControlSet\Services\xbgm" /v "Start" /t REG_DWORD /d "4" /f | |
sc config XblAuthManager start= disabled | |
sc config XblGameSave start= disabled | |
sc config XboxGipSvc start= disabled | |
sc config XboxNetApiSvc start= disabled | |
schtasks /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /Disable | |
:: Disable Game Mode | |
reg add "HKCU\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "0" /f | |
:: Remove GameBarPresenceWriter.exe | |
:: takeown /s %computername% /u %username% /f "%WINDIR%\System32\GameBarPresenceWriter.exe" | |
:: icacls "%WINDIR%\System32\GameBarPresenceWriter.exe" /inheritance:r /grant:r %username%:F | |
:: taskkill /im GameBarPresenceWriter.exe /f | |
:: del "%WINDIR%\System32\GameBarPresenceWriter.exe" /s /f /q | |
:: Disable open Xbox Game Bar | |
reg add "HKCU\Software\Microsoft\GameBar" /v "UseNexusForGameBarEnabled" /t REG_DWORD /d "0" /f | |
:: Network & internet | |
:: Replace the MAC and DNS servers as per own needs. | |
:: To get adapters index number use | |
:: wmic nicconfig get caption,index,TcpipNetbiosOptions | |
:: Setup DNS Servers on DHCP Enabled Network (Quad9) | |
:: wmic nicconfig where DHCPEnabled=TRUE call SetDNSServerSearchOrder ("9.9.9.9","149.112.112.112") | |
:: Setup IP, Gateway and DNS Servers based on the MAC address | |
:: http://www.subnet-calculator.com/subnet.php?net_class=A | |
:: wmic nicconfig where macaddress="xx:xx:xx:xx::xx" call EnableStatic ("192.168.9.2"), ("255.255.255.0") | |
:: wmic nicconfig where macaddress="xx:xx:xx:xx::xx" call SetDNSServerSearchOrder ("45.90.28.91","45.90.30.91") | |
:: wmic nicconfig where macaddress="xx:xx:xx:xx::xx" call SetGateways ("192.168.9.1") | |
:: reg add "HKLM\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\{da9e43ac-0335-4747-a5d1-f645dd7d3a39}\DohInterfaceSettings\Doh\9.9.9.9" /v "DohFlags" /t REG_QWORD /d "1" /f | |
:: reg add "HKLM\System\CurrentControlSet\Services\Dnscache\InterfaceSpecificParameters\{da9e43ac-0335-4747-a5d1-f645dd7d3a39}\DohInterfaceSettings\Doh\149.112.112.112" /v "DohFlags" /t REG_QWORD /d "1" /f | |
:: Disable LMHOSTS Lookup on all adapters | |
reg add "HKLM\System\CurrentControlSet\Services\NetBT\Parameters" /v "EnableLMHOSTS" /t REG_DWORD /d "0" /f | |
:: Disable NetBIOS over TCP/IP on all adapters | |
wmic nicconfig where TcpipNetbiosOptions=0 call SetTcpipNetbios 2 | |
wmic nicconfig where TcpipNetbiosOptions=1 call SetTcpipNetbios 2 | |
:: Disable WinInetCacheServer | |
:: You need to take-own the specific keys. | |
:: %LocalAppData%\Microsoft\Windows\WebCache | |
reg delete "HKCR\AppID\{3eb3c877-1f16-487c-9050-104dbcd66683}" /f | |
reg delete "HKCR\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}" /v "AppID" /f | |
reg delete "HKCR\Wow6432Node\AppID\{3eb3c877-1f16-487c-9050-104dbcd66683}" /f | |
reg delete "HKCR\Wow6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}" /v "AppID" /f | |
reg delete "HKLM\SOFTWARE\Wow6432Node\Classes\AppID\{3eb3c877-1f16-487c-9050-104dbcd66683}" /f | |
reg delete "HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}" /v "AppID" /f | |
schtasks /Change /TN "Microsoft\Windows\Wininet\CacheTask" /Disable | |
:: Disable WiFi Sense - shares your WiFi network login with other people | |
reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "value" /t REG_DWORD /d "0" /f | |
reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "value" /t REG_DWORD /d "0" /f | |
reg add "HKLM\Software\Microsoft\WcmSvc\wifinetworkmanager\config" /v "AutoConnectAllowedOEM" /t REG_DWORD /d "0" /f | |
:: Disable IDN (internationalized domain name) | |
reg add "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v "DisableIdnEncoding" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v "EnableIdnMapping" /t REG_DWORD /d "0" /f | |
:: Disable Multicast | |
reg add "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v "EnableMulticast" /t REG_DWORD /d "0" /f | |
:: Setup DNS over HTTPS (DoH) | |
:: netsh dns show encryption | |
reg add "HKLM\System\CurrentControlSet\Services\Dnscache\Parameters" /v "EnableAutoDoh" /t REG_DWORD /d "2" /f | |
:: Setup DNS over HTTPS (DoH) Add Custom Servers | |
:: Example config with CL & co. | |
:: HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers | |
:: netsh dns add encryption server=1.0.0.1 dohtemplate=https://cloudflare-dns.com/dns-query autoupgrade=yes udpfallback=no | |
:: netsh dns add encryption server=1.1.1.1 dohtemplate=https://cloudflare-dns.com/dns-query autoupgrade=yes udpfallback=no | |
:: netsh dns add encryption server=149.112.112.112 dohtemplate=https://dns.quad9.net/dns-query autoupgrade=yes udpfallback=no | |
:: netsh dns add encryption server=185.228.168.10 dohtemplate=https://doh.cleanbrowsing.org/doh/adult-filter autoupgrade=yes udpfallback=no | |
:: netsh dns add encryption server=185.228.169.11 dohtemplate=https://doh.cleanbrowsing.org/doh/adult-filter autoupgrade=yes udpfallback=no | |
:: netsh dns add encryption server=9.9.9.9 dohtemplate=https://dns.quad9.net/dns-query autoupgrade=yes udpfallback=no | |
:: netsh dns add encryption server=94.140.14.15 dohtemplate=https://dns-family.adguard.com/dns-query autoupgrade=yes udpfallback=no | |
:: netsh dns add encryption server=94.140.15.16 dohtemplate=https://dns-family.adguard.com/dns-query autoupgrade=yes udpfallback=no | |
:: reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\45.90.28.91" /v "Template" /t REG_SZ /d "https://dns.nextdns.io/xxxxxx" /f | |
:: reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\45.90.30.91" /v "Template" /t REG_SZ /d "https://dns.nextdns.io/xxxxxx" /f | |
:: Restrict NTLM: Incoming NTLM traffic - Deny All | |
reg add "HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0" /v "RestrictReceivingNTLMTraffic" /t REG_DWORD /d "2" /f | |
:: Restrict NTLM: Outgoing NTLM traffic to ::ote servers - Deny All | |
reg add "HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0" /v "RestrictSendingNTLMTraffic" /t REG_DWORD /d "2" /f | |
:: Disable IPv6 | |
:: netsh int ipv6 isatap set state disabled | |
:: netsh int teredo set state disabled | |
:: netsh interface ipv6 6to4 set state state=disabled undoonstop=disabled | |
:: reg add "HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisabledComponents" /t REG_DWORD /d "255" /f | |
:: Disable Domain Name Devolution (DNS AutoCorrect) | |
reg add "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters" /v "UseDomainNameDevolution" /t REG_DWORD /d "0" /f | |
:: Personalization | |
:: Choose your picture (Black/Dark recommended) | |
:: Example | |
:: reg add "HKCU\Control Panel\Desktop" /v "Wallpaper" /t REG_SZ /d "C:\test\Wallpaper.jpg" /f | |
:: Choose to fit (Wallpaper) | |
:: 10 - Fill | |
:: 6 - Fit | |
:: 2 - Stretch | |
:: 0 - Tile/Center | |
:: reg add "HKCU\Control Panel\Desktop" /v "WallpaperStyle" /t REG_SZ /d "2" /f | |
:: Default Wallpaper image quality | |
:: 85 - Default | |
reg add "HKCU\Control Panel\Desktop" /v "JPEGImportQuality" /t REG_DWORD /d "100" /f | |
:: Accent color | |
:: 0 - Manual | |
:: 1 - Automatic (from Wallpaper) | |
:: reg add "HKCU\Control Panel\Desktop" /v "AutoColorization" /t REG_SZ /d "1" /f | |
:: Enable transparency effects | |
:: Sreg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d "1" /f | |
:: Show accent color on Start and taskbar | |
:: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "ColorPrevalence" /t REG_DWORD /d "1" /f | |
:: Show accent color on the title bars and windows borders | |
:: reg add "HKCU\Software\Microsoft\Windows\DWM" /v "ColorPrevalence" /t REG_DWORD /d "1" /f | |
:: Lock screen | |
:: Personalize your lock screen | |
:: 0 - Picture | |
:: 1 - Slideshow | |
:: reg add "HKCU\Control Panel\Desktop" /v "LockScreenAutoLockActive" /t REG_SZ /d "0" /f | |
::reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Lock Screen" /v "SlideshowEnabled" /t REG_DWORD /d "0" /f | |
:: Do not get fun facts, tips, and more from Windows and Cortana on your lock screen (Windows spotlight) | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenEnabled" /t REG_DWORD /d "0" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenOverlayEnabled" /t REG_DWORD /d "0" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /d "0" /f | |
:: Disable LockScreen | |
:: reg add "HKLM\Software\Policies\Microsoft\Windows\Personalization" /v "NoLockScreen" /t REG_DWORD /d "1" /f | |
:: Disable Sign-in Screen Background Image | |
:: reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableLogonBackgroundImage" /t REG_DWORD /d "1" /f | |
:: Disable Sign-in screen acrylic (blur) background | |
:: reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableAcrylicBackgroundOnLogon" /t REG_DWORD /d "1" /f | |
:: A screen saver is selected | |
reg add "HKCU\Control Panel\Desktop" /v "ScreenSaveActive" /t REG_SZ /d "1" /f | |
:: Screen saver is password-protected | |
reg add "HKCU\Control Panel\Desktop" /v "ScreenSaverIsSecure" /t REG_SZ /d "1" /f | |
:: Specifies in seconds how long the System remains idle before the screen saver starts | |
reg add "HKCU\Control Panel\Desktop" /v "ScreenSaveTimeOut" /t REG_SZ /d "250" /f | |
:: Screensaver - Mystify.scr | |
reg add "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "Mystify.scr" /f | |
:: Start and Taskbar | |
:: Do not show recently opened items in Start, Jump Lists, and File Explorer | |
:: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackDocs" /t REG_DWORD /d "0" /f | |
:: Task view | |
:: 0 - Off | |
:: 1 - On | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowTaskViewButton" /t REG_DWORD /d "0" /f | |
:: Taskbar Alignment | |
:: 0 - Left | |
:: 1 - Center | |
:: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAl" /t REG_DWORD /d "0" /f | |
:: Widgets | |
:: 0 - Off | |
:: 1 - On | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /t REG_DWORD /d "0" /f | |
:: MS Teams Chat (remove the default shortcut from the taskbar) | |
:: 0 - Off | |
:: 1 - On | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarMn" /t REG_DWORD /d "0" /f | |
:: Search | |
:: 0 - Off | |
:: 1 - On | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d "0" /f | |
:: Size of Taskbar Icons | |
:: Does not work anymore. | |
:: 0 - Small | |
:: 1 - Medium | |
:: 2 - Large | |
:: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarSi" /t REG_DWORD /d "1" /f | |
:: Remove Search (Cortana/to restore run SFC scan) | |
:: takeown /s %computername% /u %username% /f "%WINDIR%\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" | |
:: icacls "%WINDIR%\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" /inheritance:r /grant:r %username%:F | |
:: taskkill /im SearchHost.exe /f | |
:: del "%WINDIR%\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" /s /f /q | |
:: Remove Widgets (News/to restore run SFC scan) | |
:: takeown /s %computername% /u %username% /f "%ProgramFiles%\WindowsApps\MicrosoftWindows.Client.WebExperience_421.20019.195.0_x64__cw5n1h2txyewy\Dashboard\Widgets.exe" | |
:: icacls "%ProgramFiles%\WindowsApps\MicrosoftWindows.Client.WebExperience_421.20019.195.0_x64__cw5n1h2txyewy\Dashboard\Widgets.exe" /inheritance:r /grant:r %username%:F | |
:: taskkill /im Widgets.exe /f | |
:: del "%ProgramFiles%\WindowsApps\MicrosoftWindows.Client.WebExperience_421.20019.195.0_x64__cw5n1h2txyewy\Dashboard\Widgets.exe" /s /f /q | |
:: Themes, Icons on Desktop | |
:: Hide Control Panel | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}" /t REG_DWORD /d "1" /f | |
:: Hide Network | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}" /t REG_DWORD /d "1" /f | |
:: Hide OneDrive | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /t REG_DWORD /d "1" /f | |
:: Hide Recycle Bin | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{645FF040-5081-101B-9F08-00AA002F954E}" /t REG_DWORD /d "1" /f | |
:: Hide Quick access | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{679f85cb-0220-4080-b29b-5540cc05aab6}" /t REG_DWORD /d "1" /f | |
:: Hide This PC | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{20D04FE0-3AEA-1069-A2D8-08002B30309D}" /t REG_DWORD /d "1" /f | |
:: Hide User Files | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{59031a47-3f72-44a7-89c5-5595fe6b30ee}" /t REG_DWORD /d "1" /f | |
:: Allow - Account info access | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation" /v "Value" /t REG_SZ /d "Allow" /f | |
:: Allow/Deny - Let apps access your account info / Microsoft Content / Email and accounts | |
:: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation\Microsoft.AccountsControl_cw5n1h2txyewy" /v "Value" /t REG_SZ /d "Allow" /f | |
:: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" /v "Value" /t REG_SZ /d "Allow" /f | |
:: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" /v "Value" /t REG_SZ /d "Allow" /f | |
:: Allow/Deny - Allow access to account info on this device | |
:: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation" /v "Value" /t REG_SZ /d "Deny" /f | |
:: App diagnostic / default permissions | |
:: Set default levels | |
:: It is placebo but makes some "hardening tools" happy. The reason why it is placebo is that there is no malware or exploit known that bypass the UAC + User approval dialouge, bypass app checks and Windows Defender at the same time. | |
:: Deny - App diagnostic access | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Let apps access diagnostic info about your other apps | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Calendar access | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appointments" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Let apps access your calendar | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appointments" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Call history access | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\phoneCallHistory" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Let apps access your call history | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\phoneCallHistory" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Camera access | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Let Apps access your camera | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Contacts access | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\contacts" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Let apps access your contacts | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\contacts" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Diagnostics & feedback | |
:: Disable - improve inking and typing | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CPSS\Store\ImproveInkingAndTyping" /v "Value" /t REG_DWORD /d "0" /f | |
:: Disable - Send optional diagnostic data / 1 - No | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack" /v "ShowedToastAtLevel" /t REG_DWORD /d "1" /f | |
:: Disable - Tailored experiences | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Privacy" /v "TailoredExperiencesWithDiagnosticDataEnabled" /t REG_DWORD /d "0" /f | |
:: Send optional dianostgic data | |
:: 0 - Security (Not aplicable on Home/Pro, it resets to Basic) | |
:: 1 - Basic | |
:: 2 - Enhanced (Hidden) | |
:: 3 - Full | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f | |
:: Feedback Frequency - Windows should ask for my feedback: | |
:: 0 - Never | |
:: Removed - Automatically | |
reg add "HKCU\Software\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d "0" /f | |
reg add "HKCU\Software\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /t REG_DWORD /d "0" /f | |
:: Deny - Documents library access | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\documentsLibrary" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Let apps access your documents library | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\documentsLibrary" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Downloads folders access | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\downloadsFolder" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Let apps access your downloads folder | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\downloadsFolder" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Email access | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\email" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Let apps access your email | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\email" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Allow/Deny - File system access | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\broadFileSystemAccess" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Let apps access your file system | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\broadFileSystemAccess" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Do not let apps show me personalized ads by using my advertising ID | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CPSS\Store\AdvertisingInfo" /v "Value" /t REG_DWORD /d "0" /f | |
:: Do not let websites show me locally relevant content by accessing my language list (let browsers access your local language) | |
reg add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f | |
:: Do not let Windows improve Start and search results by tracking app launches (Remember commands typed in Run) | |
:: Disable "Show most used apps" | |
:: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /t REG_DWORD /d "0" /f | |
:: Do not show me suggested content in the Settings app | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d "0" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /t REG_DWORD /d "0" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /t REG_DWORD /d "0" /f | |
:: Deny - Location services | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Let apps access your location | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Messaging access | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\chat" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Let apps read or send messages | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\chat" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Microphone access | |
:: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Let apps access your microphone | |
:: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Allow access to music libraries on this device | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\musicLibrary" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Allow apps to access your music library | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\musicLibrary" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Notifications access | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userNotificationListener" /v "Value" /t REG_SZ /d "Allow" /f | |
:: Deny - Let apps access your notifications | |
:: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userNotificationListener" /v "Value" /t REG_SZ /d "Allow" /f | |
:: Deny - Communicate with unpaired devices | |
:: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\bluetoothSync" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Phone calls access | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\phoneCall" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Let apps make phone calls | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\phoneCall" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Pictures library access | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\picturesLibrary" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Let apps access your pictures library | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\picturesLibrary" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Do not help make online speech recognition better | |
reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" /v "HasAccepted" /t REG_DWORD /d "0" /f | |
:: Deny - Radio control access | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\radios" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Let apps control device radios | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\radios" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Screenshot borders access | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\graphicsCaptureWithoutBorder" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Let apps turn off the screenshot border | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\graphicsCaptureWithoutBorder" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Let desktop apps turn off the screenshot border | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\graphicsCaptureWithoutBorder" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Screenshot access | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\graphicsCaptureProgrammatic" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Let apps take screenshots of various windows or displays | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\graphicsCaptureProgrammatic" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Let desktop apps take screenshots of various windows or displays | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\graphicsCaptureProgrammatic\NonPackaged" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Cloud content search | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\SearchSettings" /v "IsAADCloudSearchEnabled" /t REG_DWORD /d "0" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\SearchSettings" /v "IsMSACloudSearchEnabled" /t REG_DWORD /d "0" /f | |
:: Deny - Search history on this device | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\SearchSettings" /v "IsDeviceSearchHistoryEnabled" /t REG_DWORD /d "0" /f | |
:: Deny - SafeSearch | |
:: 0 - Off | |
:: 1 - Moderate (Default) | |
:: 2 - Strict | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\SearchSettings" /v "SafeSearchMode" /t REG_DWORD /d "0" /f | |
:: Deny - Task access | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userDataTasks" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Let apps access your tasks | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userDataTasks" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Videos library access | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\videosLibrary" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Let apps access your videos library | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\videosLibrary" /v "Value" /t REG_SZ /d "Deny" /f | |
:: Deny - Let apps access voice activation services | |
reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps" /v "AgentActivationEnabled" /t REG_DWORD /d "0" /f | |
:: Deny - Let apps use voice activation when device is locked | |
reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps" /v "AgentActivationOnLockScreenEnabled" /t REG_DWORD /d "0" /f | |
:: Rename your PC | |
:: System info | |
:: reg add "HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName" /v "ComputerName" /t REG_SZ /d "xxx" /f | |
:: reg add "HKLM\System\CurrentControlSet\Control\ComputerName\ComputerName" /v "ComputerName" /t REG_SZ /d "xxx" /f | |
:: reg add "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters" /v "Hostname" /t REG_SZ /d "xxx" /f | |
:: reg add "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters" /v "NV Hostname" /t REG_SZ /d "xxx" /f | |
:: Support page | |
:: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\OEMInformation" /v "Manufacturer" /t REG_SZ /d "xxx" /f | |
:: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\OEMInformation" /v "Model" /t REG_SZ /d "xxx" /f | |
:: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\OEMInformation" /v "SupportHours" /t REG_SZ /d "xxx" /f | |
:: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\OEMInformation" /v "SupportPhone" /t REG_SZ /d "xxx" /f | |
:: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\OEMInformation" /v "SupportURL" /t REG_SZ /d "xxx" /f | |
:: Computer Description | |
:: reg add "HKLM\System\CurrentControlSet\services\LanmanServer\Parameters" /v "srvcomment" /t REG_SZ /d "xxx" /f | |
:: System info | |
:: Logo - 120x120.bmp | |
:: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\OEMInformation" /v "Logo" /t REG_SZ /d "C:\TEST\Logo.bmp" /f | |
:: reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v "RegisteredOrganization" /t REG_SZ /d "(-_-)" /f | |
:: reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v "RegisteredOwner" /t REG_SZ /d "Brony" /f | |
:: System protection | |
:: Disable System restore and Set the minimal size | |
:: reg add "HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f | |
:: schtasks /Change /TN "Microsoft\Windows\SystemRestore\SR" /Disable | |
:: vssadmin Resize ShadowStorage /For=C: /On=C: /Maxsize=320MB | |
:: System Protection - Enable System restore and Set the size | |
:: reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SPP\Clients" /v " {09F7EDC5-294E-4180-AF6A-FB0E6A0E9513}" /t REG_MULTI_SZ /d "1" /f | |
:: reg delete "HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /f | |
:: reg delete "HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /f | |
:: sc config swprv start= demand | |
:: sc config vds start= demand | |
:: sc config VSS start= demand | |
:: sc config wbengine start= demand | |
:: schtasks /Change /TN "Microsoft\Windows\SystemRestore\SR" /Enable | |
:: vssadmin Resize ShadowStorage /For=C: /On=C: /Maxsize=5GB | |
:: Performance settings | |
:: Processor Scheduling | |
:: Handled by the OS dynamically since 1909+ | |
:: 0 - Foreground and background applications equally responsive | |
:: 1 - Foreground application more responsive than background | |
:: 2 - Best foreground application response time (Default) | |
:: 38 - Adjust for best performance of Programs | |
:: 24 - Adjust for best performance of Background Services | |
:: reg add "HKLM\System\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation " /t REG_DWORD /d "38" /f | |
:: Disable pagefile | |
:: wmic computersystem where name="%computername%" set AutomaticManagedPagefile=False | |
:: wmic pagefileset where name="%SystemDrive%\\pagefile.sys" set InitialSize=0,MaximumSize=0 | |
:: wmic pagefileset where name="%SystemDrive%\\pagefile.sys" delete | |
:: Smooth edges | |
:: reg add "HKCU\Control Panel\Desktop" /v "DragFullWindows" /t REG_SZ /d "1" /f | |
:: reg add "HKCU\Control Panel\Desktop" /v "FontSmoothingType" /t REG_DWORD /d "2" /f | |
:: reg add "HKCU\Control Panel\Desktop" /v "UserPreferencesMask" /t REG_BINARY /d "9012038010000000" /f | |
:: reg add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /t REG_SZ /d "0" /f | |
:: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "IconsOnly" /t REG_DWORD /d "0" /f | |
:: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d "0" /f | |
:: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d "0" /f | |
:: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d "0" /f | |
:: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d "3" /f | |
:: reg add "HKCU\Software\Microsoft\Windows\DWM" /v "AlwaysHibernateThumbnails" /t REG_DWORD /d "0" /f | |
:: reg add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d "0" /f | |
:: Disable Remote Assistance | |
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "TSAppCompat" /t REG_DWORD /d "0" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "TSEnabled" /t REG_DWORD /d "0" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "TSUserEnabled" /t REG_DWORD /d "0" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "fAllowToGetHelp" /t REG_DWORD /d "0" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "fAllowUnsolicited" /t REG_DWORD /d "0" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "fAllowUnsolicitedFullControl" /t REG_DWORD /d "0" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "fDenyTSConnections" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" /v "AllowRemoteShellAccess" /t REG_DWORD /d "0" /f | |
reg add "HKLM\System\CurrentControlSet\Control\::ote Assistance" /v "fAllowFullControl" /t REG_DWORD /d "0" /f | |
reg add "HKLM\System\CurrentControlSet\Control\::ote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d "0" /f | |
sc config remoteRegistry start= disabled | |
:: Disable automatically Restart (on System Failure) alias BSOD | |
reg add "HKLM\System\CurrentControlSet\Control\CrashControl" /v "AutoReboot" /t REG_DWORD /d "0" /f | |
:: Time to display list of operating systems | |
:: bcdedit /timeout 5 | |
:: Encrypt the Pagefile | |
:: Decreases I/O performance. | |
:: fsutil behavior set EncryptPagingFile 1 | |
:: Clipboard History | |
:: reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "AllowClipboardHistory" /t REG_DWORD /d "0" /f | |
:: reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "AllowCrossDeviceClipboard " /t REG_DWORD /d "0" /f | |
:: Do not show snap layouts when I hover over a window maximize button | |
:: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnableSnapAssistFlyout" /t REG_DWORD /d "0" /f | |
:: Do not show snap layouts that the app is part of when I hover over the taskbar buttons | |
:: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnableTaskGroups" /t REG_DWORD /d "0" /f | |
:: Notifications | |
:: Do not show me the Windows welcome experience | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d "0" /f | |
:: Do not get tips and suggestions when I use Windows | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338389Enabled" /t REG_DWORD /d "0" /f | |
:: Do not show Toast Notifications | |
:: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /t REG_DWORD /d "1" /f | |
:: Do not offer suggestions on how I can set up my device | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d "0" /f | |
:: Power Settings | |
:: Put my device to sleep after 30 minutes (ac-plugged in) | |
:: powercfg -change -standby-timeout-ac 30 | |
:: powercfg -change -standby-timeout-dc 30 | |
:: Turn off my screen after 25 minutes (ac-plugged in) | |
powercfg -change -monitor-timeout-ac 25 | |
powercfg -change -monitor-timeout-dc 25 | |
:: Storage | |
:: Disable Storage Sense | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy" /v "01" /t REG_DWORD /d "0" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows\StorageSense" /v "AllowStorageSenseGlobal" /t REG_DWORD /d "0" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows\StorageSense" /v "AllowStorageSenseTemporaryFilesCleanup" /t REG_DWORD /d "0" /f | |
:: fsutil storagereserve query C: | |
:: Dism /Online /Set-ReservedStorageState /State:Disabled /Quiet /NoRestart | |
:: 2/0/0 - Disable Reserved Storage (7GB) | |
:: 1/1/1 - Enabled | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\MiscPolicyInfo" /v "ShippedWithReserves" /t REG_DWORD /d "2" /f | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\PassedPolicy" /v "ShippedWithReserves" /t REG_DWORD /d "0" /f | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\ReserveManager" /v "ShippedWithReserves" /t REG_DWORD /d "0" /f | |
:: Date & time | |
:: Time Zone - Central Europe Standard Time | |
:: tzutil /s "Central Europe Standard Time" | |
:: Replace it with yout region | |
:: 244 - Set Location to United States | |
:: reg add "HKCU\Control Panel\International\Geo" /v "Nation" /t REG_SZ /d "244" /f | |
:: Set Formats to Metric | |
:: reg add "HKCU\Control Panel\International" /v "iDigits" /t REG_SZ /d "2" /f | |
:: reg add "HKCU\Control Panel\International" /v "iLZero" /t REG_SZ /d "1" /f | |
:: reg add "HKCU\Control Panel\International" /v "iMeasure" /t REG_SZ /d "0" /f | |
:: reg add "HKCU\Control Panel\International" /v "iNegNumber" /t REG_SZ /d "1" /f | |
:: reg add "HKCU\Control Panel\International" /v "iPaperSize" /t REG_SZ /d "1" /f | |
:: reg add "HKCU\Control Panel\International" /v "iTLZero" /t REG_SZ /d "1" /f | |
:: reg add "HKCU\Control Panel\International" /v "sDecimal" /t REG_SZ /d "," /f | |
:: reg add "HKCU\Control Panel\International" /v "sNativeDigits" /t REG_SZ /d "0123456789" /f | |
:: reg add "HKCU\Control Panel\International" /v "sNegativeSign" /t REG_SZ /d "-" /f | |
:: reg add "HKCU\Control Panel\International" /v "sPositiveSign" /t REG_SZ /d "" /f | |
:: reg add "HKCU\Control Panel\International" /v "NumShape" /t REG_SZ /d "1" /f | |
:: Set Time to 24h | |
:: Week starts Monday | |
:: reg add "HKCU\Control Panel\International" /v "iCalendarType" /t REG_SZ /d "1" /f | |
:: reg add "HKCU\Control Panel\International" /v "iDate" /t REG_SZ /d "1" /f | |
:: reg add "HKCU\Control Panel\International" /v "iFirstDayOfWeek" /t REG_SZ /d "0" /f | |
:: reg add "HKCU\Control Panel\International" /v "iFirstWeekOfYear" /t REG_SZ /d "0" /f | |
:: reg add "HKCU\Control Panel\International" /v "iTime" /t REG_SZ /d "1" /f | |
:: reg add "HKCU\Control Panel\International" /v "iTimePrefix" /t REG_SZ /d "0" /f | |
:: reg add "HKCU\Control Panel\International" /v "sDate" /t REG_SZ /d "-" /f | |
:: reg add "HKCU\Control Panel\International" /v "sList" /t REG_SZ /d "," /f | |
:: reg add "HKCU\Control Panel\International" /v "sLongDate" /t REG_SZ /d "d MMMM, yyyy" /f | |
:: reg add "HKCU\Control Panel\International" /v "sMonDecimalSep" /t REG_SZ /d "." /f | |
:: reg add "HKCU\Control Panel\International" /v "sMonGrouping" /t REG_SZ /d "3;0" /f | |
:: reg add "HKCU\Control Panel\International" /v "sMonThousandSep" /t REG_SZ /d "," /f | |
:: reg add "HKCU\Control Panel\International" /v "sShortDate" /t REG_SZ /d "dd-MMM-yy" /f | |
:: reg add "HKCU\Control Panel\International" /v "sTime" /t REG_SZ /d ":" /f | |
:: reg add "HKCU\Control Panel\International" /v "sTimeFormat" /t REG_SZ /d "HH:mm:ss" /f | |
:: reg add "HKCU\Control Panel\International" /v "sShortTime" /t REG_SZ /d "HH:mm" /f | |
:: reg add "HKCU\Control Panel\International" /v "sYearMonth" /t REG_SZ /d "MMMM yyyy" /f | |
:: Typing | |
:: Input language hot keys | |
:: Change Key Sequence | |
:: 3 - Not assigned | |
:: 2 - CTRL+SHIFT | |
:: 1 - Left ALT+SHIFT | |
:: reg add "HKCU\Keyboard Layout\Toggle" /v "Language Hotkey" /t REG_SZ /d "3" /f | |
:: reg add "HKCU\Keyboard Layout\Toggle" /v "Hotkey" /t REG_SZ /d "3" /f | |
:: reg add "HKCU\Keyboard Layout\Toggle" /v "Layout Hotkey" /t REG_SZ /d "3" /f | |
:: Disable Num Lock on Sign-in Screen | |
:: 2147483648 - Disable | |
:: reg add "HKCU\Control Panel\Keyboard" /v "InitialKeyboardIndicators" /t REG_SZ /d "2" /f | |
:: reg add "HKU\.DEFAULT\Control Panel\Keyboard" /v "InitialKeyboardIndicators" /t REG_SZ /d "2" /f | |
:: Windows Update | |
:: Active hours (18 hours) 6am to 0am | |
:: Windows Updates will not automatically restart your device during active hours | |
:: reg add "HKLM\Software\Microsoft\WindowsUpdate\UX\Settings" /v "ActiveHoursStart" /t REG_DWORD /d "6" /f | |
:: reg add "HKLM\Software\Microsoft\WindowsUpdate\UX\Settings" /v "ActiveHoursEnd" /t REG_DWORD /d "0" /f | |
:: Disable File History (Creating previous versions of files/Windows Backup) | |
reg add "HKLM\Software\Policies\Microsoft\Windows\FileHistory" /v "Disabled" /t REG_DWORD /d "1" /f | |
:: Disable Malicious Software Removal Tool offered via Windows Updates (MRT) | |
:: Disable Heartbeat Telemetry | |
reg add "HKLM\Software\Microsoft\::ovalTools\MpGears" /v "HeartbeatTrackingIndex" /t REG_DWORD /d "0" /f | |
reg add "HKLM\Software\Microsoft\::ovalTools\MpGears" /v "SpyNetReportingLocation" /t REG_MULTI_SZ /d "" /f | |
reg add "HKLM\Software\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "1" /f | |
:: Choose how updates are delivered | |
:: 0 - Turns off Delivery Optimization | |
:: 1 - Gets or sends updates and apps to PCs on the same NAT only | |
:: 2 - Gets or sends updates and apps to PCs on the same local network domain | |
:: 3 - Gets or sends updates and apps to PCs on the Internet | |
:: 99 - Simple download mode with no peering | |
:: 100 - Use BITS instead of Windows Update Delivery Optimization | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v "DODownloadMode" /t REG_DWORD /d "0" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows\DeliveryOptimization" /v "DODownloadMode" /t REG_DWORD /d "0" /f | |
:: Update apps automatically | |
:: 2 - Off | |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsStore\WindowsUpdate" /v "AutoDownload" /t REG_DWORD /d "4" /f | |
:: Windows Shell | |
:: Add "Take Ownership" Option in Files and Folders Context Menu in Windows | |
reg add "HKCR\*\shell\runas" /v "HasLUAShield" /t REG_SZ /d "" /f | |
reg add "HKCR\*\shell\runas" /v "NoWorkingDirectory" /t REG_SZ /d "" /f | |
reg add "HKCR\*\shell\runas" /ve /t REG_SZ /d "Take ownership" /f | |
reg add "HKCR\*\shell\runas\command" /v "IsolatedCommand" /t REG_SZ /d "cmd.exe /c takeown /f \"%%1\" && icacls \"%%1\" /grant administrators:F" /f | |
reg add "HKCR\*\shell\runas\command" /ve /t REG_SZ /d "cmd.exe /c takeown /f \"%%1\" && icacls \"%%1\" /grant administrators:F" /f | |
reg add "HKCR\Directory\shell\runas" /v "HasLUAShield" /t REG_SZ /d "" /f | |
reg add "HKCR\Directory\shell\runas" /v "NoWorkingDirectory" /t REG_SZ /d "" /f | |
reg add "HKCR\Directory\shell\runas" /ve /t REG_SZ /d "Take ownership" /f | |
reg add "HKCR\Directory\shell\runas\command" /v "IsolatedCommand" /t REG_SZ /d "cmd.exe /c takeown /f \"%%1\" /r /d y && icacls \"%%1\" /grant administrators:F /t" /f | |
reg add "HKCR\Directory\shell\runas\command" /ve /t REG_SZ /d "cmd.exe /c takeown /f \"%%1\" /r /d y && icacls \"%%1\" /grant administrators:F /t" /f | |
:: Remove open in Windows Terminal from context menu | |
:: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked" /v "{9F156763-7844-4DC4-B2B1-901F640F5155}" /t REG_SZ /d "" /f | |
:: Remove Send To from context Menu | |
:: reg delete "HKCR\AllFilesystemObjects\shellex\ContextMenuHandlers\SendTo" /f | |
:: Remove Share from Context menu | |
reg delete "HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ModernSharing" /f | |
reg delete "HKLM\Software\Classes\*\shellex\ContextMenuHandlers\Sharing" /f | |
reg delete "HKLM\Software\Classes\Drive\shellex\ContextMenuHandlers\Sharing" /f | |
reg delete "HKLM\Software\Classes\Drive\shellex\PropertySheetHandlers\Sharing" /f | |
reg delete "HKLM\Software\Classes\Directory\background\shellex\ContextMenuHandlers\Sharing" /f | |
reg delete "HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\Sharing" /f | |
reg delete "HKLM\Software\Classes\Directory\shellex\CopyHookHandlers\Sharing" /f | |
reg delete "HKLM\Software\Classes\Directory\shellex\PropertySheetHandlers\Sharing" /f | |
:: Disable ADs and Auto-install subscribed/suggested apps (preinstalled games like Candy Crush Soda Saga or Minecraft) | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "ContentDeliveryAllowed" /t REG_DWORD /d "0" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "Featu::anagementEnabled" /t REG_DWORD /d "0" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "OemPreInstalledAppsEnabled" /t REG_DWORD /d "0" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEnabled" /t REG_DWORD /d "0" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEverEnabled" /t REG_DWORD /d "0" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenEnabled" /t REG_DWORD /d "0" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenOverlayEnabled" /t REG_DWORD /d "0" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d "0" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SlideshowEnabled" /t REG_DWORD /d "0" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d "0" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338388Enabled" /t REG_DWORD /d "0" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-88000326Enabled" /t REG_DWORD /d "0" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContentEnabled" /t REG_DWORD /d "0" /f | |
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SystemPaneSuggestionsEnabled" /t REG_DWORD /d "0" /f | |
reg add "HKLM\Software\Policies\Microsoft\PushToInstall" /v "DisablePushToInstall" /t REG_DWORD /d "1" /f | |
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions" /f | |
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps" /f |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment