Don't link a local workstation account with an online account.
For Windows 10 Home, during OOBE do not connect to a network (Click "I don't have internet"), otherwise you are forced to use a Microsoft account. Windows 10 Pro installs give you the choice even if you do connect to the internet.
No seriously, set the User Account Control setting to the highest setting and miss me with that disable UAC mess.
Use ShutUp 10
Programs like ShutUp 10 are risky because they can have some unintended consequences. At the moment, ShutUp 10 is working fine and is generally accepted in the community.
I apply all of the recommended settings plus a handful of others:
- Disable location services for desktops
- Disable Bing in Windows 10 Search
- Disable ads in Windows Explorer
Delete the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}
There is an unfortunate number of bad apps in the Microsoft Store, so I like to disable this shortcut to prevent accidental installation of said bad apps.
Create or modify a DWORD with the value of 1 at:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer\NoUseStoreOpenWith
Unless the user intends to use OneDrive, of course.
ShutUp 10 can disable it, or you can uninstall it from programs and features.
Lot of right clicking...
ShutUp 10 does this
Create or modify a DWORD with the value of 1 at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility\HideInsiderPage
In Explorer's options page uncheck "Hide extensions of known file types"
Create the following DWORD keys with the associated values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowAllTrustedApps : 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense : 0
Create the following DWORD key with the value of 1 at:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine\MpEnablePus
Create or modify a DWORD with the value of 0 at:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled
From an elevated PowerShell prompt:
Set-ExecutionPolicy -ExecutionPolicy Restricted -Scope LocalMachine -Force
This doesn't disable PowerShell, but limits it to commands typed interactively at the prompt; script files (.ps1) will no longer run.
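The registry and execution-policy changes above, applied from one script instead of by hand in regedit. This is an added example, not part of the original post: the key paths and values are exactly the ones listed above, while the backup folder, the function names and the read-back check at the end are my own choices. Each existing key is exported with reg.exe before it is touched, so a change can be reverted with "reg import".

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): applies the registry settings listed
# above. Paths and values are the post's; the backup folder name is an assumption.

$BackupDir = Join-Path $env:USERPROFILE 'Desktop\reg-backup'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Convert the regedit form "HKEY_LOCAL_MACHINE\..." to the PowerShell provider form "HKLM:\...".
function ConvertTo-PsRegPath([string]$RegeditPath) {
    return $RegeditPath -replace '^HKEY_LOCAL_MACHINE\\', 'HKLM:\'
}

# Export a key to a .reg file before changing it (skipped when the key does not exist yet).
function Backup-RegKey([string]$RegeditPath) {
    if (-not (Test-Path (ConvertTo-PsRegPath $RegeditPath))) { return }
    $file = Join-Path $BackupDir (($RegeditPath -replace '[\\:{}]', '_') + '.reg')
    reg.exe export $RegeditPath $file /y | Out-Null
}

# Create the key if it is missing, then create or overwrite the DWORD value.
function Set-DwordValue([string]$KeyPath, [string]$Name, [int]$Value) {
    Backup-RegKey $KeyPath
    $ps = ConvertTo-PsRegPath $KeyPath
    New-Item -Path $ps -Force | Out-Null
    New-ItemProperty -Path $ps -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
    "$KeyPath\$Name = $Value"
}

# 1. Remove the "3D Objects" entry from This PC by deleting its namespace key.
$ThreeD = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}'
if (Test-Path (ConvertTo-PsRegPath $ThreeD)) {
    Backup-RegKey $ThreeD
    Remove-Item -Path (ConvertTo-PsRegPath $ThreeD) -Recurse
    'removed 3D Objects namespace key'
}

# 2. DWORD values from the post: key path, value name, data.
$Settings = @(
    @{ Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer';             Name = 'NoUseStoreOpenWith';                Value = 1 },
    @{ Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility';         Name = 'HideInsiderPage';                   Value = 1 },
    @{ Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock'; Name = 'AllowAllTrustedApps';               Value = 1 },
    @{ Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock'; Name = 'AllowDevelopmentWithoutDevLicense'; Value = 0 },
    @{ Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine';    Name = 'MpEnablePus';                       Value = 1 },
    @{ Key = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings';          Name = 'Enabled';                           Value = 0 }
)
foreach ($s in $Settings) { Set-DwordValue $s.Key $s.Name $s.Value }

# 3. Restrict PowerShell to interactive commands (no script files), as in the post.
Set-ExecutionPolicy -ExecutionPolicy Restricted -Scope LocalMachine -Force

# Read everything back so the result can be checked (or pasted into a ticket).
foreach ($s in $Settings) {
    $actual = (Get-ItemProperty -Path (ConvertTo-PsRegPath $s.Key) -Name $s.Name).($s.Name)
    $state  = if ($actual -eq $s.Value) { 'OK  ' } else { 'FAIL' }
    '{0} {1}\{2} = {3}' -f $state, $s.Key, $s.Name, $actual
}
```

Because the last step sets the machine policy to Restricted, run the script from a prompt that overrides the policy for that one process, for example `powershell.exe -ExecutionPolicy Bypass -File harden.ps1`; the process-scope setting only affects that launch, and subsequent script launches are then refused as intended. The read-back loop at the end is the check to keep: if a line reports FAIL, a Group Policy or another tool (ShutUp 10 included) has rewritten the value after you did.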
By default, certain text files have default associations that are dangerous.
Save the following as a .reg file and install it. This forces .reg, .bat, .js, .jse, and .ps1 files to always open with Notepad and not execute.
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.reg]
@="txtfile"
[HKEY_CLASSES_ROOT\.bat]
@="txtfile"
[HKEY_CLASSES_ROOT\.js]
@="txtfile"
[HKEY_CLASSES_ROOT\.JSE]
@="txtfile"
[HKEY_CLASSES_ROOT\.ps1]
@="txtfile"
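A scripted version of the .reg file above plus a check of what each extension actually resolves to. This is an added example, not part of the original post: the extension list is the post's, the temporary file name and the check are mine. The check matters because Explorer consults a per-user UserChoice entry before the machine-wide HKEY_CLASSES_ROOT default, so a user who once picked "Open with" for a .js file keeps that choice even after the .reg file is imported.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): builds and imports the .reg file above
# for a list of extensions, then reports the handler each extension really resolves to.

$Extensions = '.reg', '.bat', '.js', '.jse', '.ps1'       # the post's list
$RegFile    = Join-Path $env:TEMP 'open-with-notepad.reg'  # file name is an assumption

# Build the .reg text: every extension's default ProgID becomes "txtfile".
$lines = @('Windows Registry Editor Version 5.00', '')
foreach ($ext in $Extensions) {
    $lines += "[HKEY_CLASSES_ROOT\$ext]"
    $lines += '@="txtfile"'
    $lines += ''
}
$lines | Set-Content -Path $RegFile -Encoding Unicode   # regedit expects UTF-16 .reg files
reg.exe import $RegFile

# Resolve an extension the way the shell does: a per-user UserChoice (set through
# "Open with" or Settings > Default apps) wins over the machine-wide HKCR default.
function Get-ExtensionHandler([string]$Ext) {
    $machine = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$Ext" -ErrorAction SilentlyContinue).'(default)'
    $userKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Ext\UserChoice"
    $user    = (Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).ProgId
    $progId  = if ($user) { $user } else { $machine }
    $command = $null
    if ($progId) {
        $command = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    }
    [pscustomobject]@{
        Extension      = $Ext
        MachineProgId  = $machine
        UserChoice     = $user
        Command        = $command
        OpensInNotepad = [bool]($command -match 'notepad')
    }
}

$Extensions | ForEach-Object { Get-ExtensionHandler $_ } | Format-Table -AutoSize
```

Any row with a UserChoice value and OpensInNotepad set to False is a user whose override still launches the file; clear it for that user under Settings > Apps > Default apps. Keep in mind what the association does and does not cover: it only changes double-click and other ShellExecute launches. cmd.exe runs a .bat file typed at its own prompt without consulting the association, and PowerShell does the same for a .ps1 typed at its prompt, which is why the execution-policy and Windows Script Host settings above are still needed alongside this one.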
If they have Microsoft Office installed, change the following:
From any Office app, go to File -> Options -> Trust Center -> Trust Center Settings... -> Macro Settings
Select "Disable all macros without notification"
Note: This may interfere with OneDrive*
From any Office app, go to File -> Options -> General -> Privacy Settings...
Uncheck "Enable connected experiences"
If you are using Google Chrome I recommend that you also apply some of these Group Policies from Chrome's administrative template.
Download the GPO templates from: https://chromeenterprise.google/browser/download/ and load them into gpedit.msc
Honestly it's stupid that Chrome includes developer tools in the base installation instead of in a separate developer build. Developer tools often confuse non-developers.
https://cloud.google.com/docs/chrome-enterprise/policies/?policy=DeveloperToolsAvailability
The about:flags page is a powerful settings page that lets you tweak many aspects of Chrome's behaviour that aren't normally exposed in the options page. It shouldn't be used by normal users (again, why is Chrome including this in the base install?)
https://cloud.google.com/docs/chrome-enterprise/policies/?policy=URLBlacklist
The Notification Web API is only used to deliver spam. Full stop. While some websites use it legitimately, it's gotten so bad that browsers are reeling back on support for it due to the overwhelming spam it delivers.
https://cloud.google.com/docs/chrome-enterprise/policies/?policy=DefaultNotificationsSetting
I've marked this one as optional as extensions are a pretty big part of Chrome; however, depending on the skill level of the user that will be using this computer it may be valuable to disable the ability to install extensions entirely, due to the number of malicious extensions out there.
https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ExtensionInstallBlacklist
You can also use this to force install an extension (such as uBlock Origin); this ignores the denylist:
https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ExtensionInstallForcelist
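The five Chrome policies above, written directly to the registry location that the Group Policy templates themselves populate. This is an added example, not part of the original post or of Google's documentation: the policy names and their values come from the policy pages linked above, the helper function is mine, and the extension ID is a placeholder that must be replaced (the ID is the last path segment of the extension's Chrome Web Store URL). Recent Chrome releases renamed URLBlacklist and ExtensionInstallBlacklist to URLBlocklist and ExtensionInstallBlocklist; the older names used on this page and in the script still appear in the documentation, so check chrome://policy after running it and switch to the new names if your Chrome version reports the old ones as unknown.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): sets the Chrome policies discussed above
# under HKLM\SOFTWARE\Policies\Google\Chrome, the registry key Chrome reads for
# machine policy. The extension ID below is a placeholder.

$ChromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
New-Item -Path $ChromePolicy -Force | Out-Null

# Single-valued policies are plain values directly under the Chrome key.
# DeveloperToolsAvailability: 2 = developer tools disallowed.
New-ItemProperty -Path $ChromePolicy -Name 'DeveloperToolsAvailability' -Value 2 -PropertyType DWord -Force | Out-Null
# DefaultNotificationsSetting: 2 = no site may show notifications.
New-ItemProperty -Path $ChromePolicy -Name 'DefaultNotificationsSetting' -Value 2 -PropertyType DWord -Force | Out-Null

# List-valued policies are a subkey whose REG_SZ values are named "1", "2", ...
function Set-ChromeListPolicy([string]$Name, [string[]]$Items) {
    $key = Join-Path $ChromePolicy $Name
    if (Test-Path $key) { Remove-Item -Path $key -Recurse }   # replace, never append to, the list
    New-Item -Path $key -Force | Out-Null
    for ($i = 0; $i -lt $Items.Count; $i++) {
        New-ItemProperty -Path $key -Name ($i + 1) -Value $Items[$i] -PropertyType String | Out-Null
    }
}

# Block the flags page.
Set-ChromeListPolicy 'URLBlacklist' @('chrome://flags')
# Block installation of every extension ...
Set-ChromeListPolicy 'ExtensionInstallBlacklist' @('*')
# ... except those force-installed here; the forcelist takes precedence over the blocklist.
$UblockId = 'REPLACE_WITH_EXTENSION_ID'   # placeholder: the uBlock Origin ID from its Web Store URL
Set-ChromeListPolicy 'ExtensionInstallForcelist' @("$UblockId;https://clients2.google.com/service/update2/crx")

# Read the result back; chrome://policy should show the same values after a Chrome restart.
Get-ItemProperty -Path $ChromePolicy | Select-Object DeveloperToolsAvailability, DefaultNotificationsSetting
foreach ($list in 'URLBlacklist', 'ExtensionInstallBlacklist', 'ExtensionInstallForcelist') {
    $values = (Get-ItemProperty -Path (Join-Path $ChromePolicy $list)).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    "$list : " + ($values -join ', ')
}
```

Values under HKLM\SOFTWARE\Policies are what Chrome labels "Machine" policy and cannot be changed from the browser's own settings, which is the point: a user on this machine can open chrome://policy and see the restrictions, but cannot undo them without administrator rights. Deleting the key restores Chrome's defaults if a policy turns out to break a site the user needs.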