@ecnepsnai
Last active November 23, 2022 07:32
Windows 10 New PC Setup

The Basics

Local account only

Don't link a local workstation account with an online account.

For Windows 10 Home, during OOBE do not connect to a network (Click "I don't have internet"), otherwise you are forced to use a Microsoft account. Windows 10 Pro installs give you the choice even if you do connect to the internet.

Max UAC

No seriously, set the User Account Control setting to the highest setting and miss me with that disable UAC mess.

Programs like ShutUp 10 are risky because they can have some unintended consequences. At the moment, ShutUp 10 is working fine and is generally accepted in the community.

I apply all of the recommended settings plus a handful of others:

  • Disable location services for desktops
  • Disable Bing in Windows 10 Search
  • Disable ads in Windows Explorer

Remove "3D Objects" folder

Delete the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}

Disable "Look for app in App Store" on default app prompt

There is an unfortunate number of bad apps in the Microsoft Store, so I like to disable this shortcut to prevent accidental installation of said bad apps.

Create or modify a DWORD with the value of 1 at:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer\NoUseStoreOpenWith

Uninstall OneDrive

Unless the user intends to use OneDrive, of course.

ShutUp 10 can disable it, or you can uninstall it from programs and features.

Uninstall all adware apps in the start menu

Lots of right clicking...

Disable Cortana

ShutUp 10 does this.

Disable access to Windows Insider Program

Create or modify a DWORD with the value of 1 at:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility\HideInsiderPage

Show File Extensions in Explorer

In Explorer's options page uncheck "Hide extensions of known file types"

Disable Developer Mode

Create the following DWORD values with the associated data:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowAllTrustedApps : 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense : 0

Enable Windows Defender PUP/PUS Protection

Create the following DWORD value with the value of 1 at:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine\MpEnablePus

Enhanced Security

Disable Windows Script Host / JScript

Create or modify a DWORD with the value of 0 at:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled

Disable running Powershell Scripts

From an elevated powershell prompt:

Set-ExecutionPolicy -ExecutionPolicy Restricted -Scope LocalMachine -Force

This doesn't disable PowerShell, but the Restricted policy prevents any .ps1 script file from running and limits PowerShell to commands typed interactively at the prompt.

Change dangerous file associations

By default, certain script file types are associated with an interpreter, so double-clicking one executes it rather than opening it for viewing, which is dangerous.

Save the following as a .reg file and import it. This forces .reg, .bat, .js, .jse, and .ps1 files to always open in Notepad instead of executing.

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.reg]
@="txtfile"

[HKEY_CLASSES_ROOT\.bat]
@="txtfile"

[HKEY_CLASSES_ROOT\.js]
@="txtfile"

[HKEY_CLASSES_ROOT\.JSE]
@="txtfile"

[HKEY_CLASSES_ROOT\.ps1]
@="txtfile"
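The registry changes from the "3D Objects" section down to the file associations above, audited from PowerShell. This is an added example, not part of the original gist; it only reads the registry and the execution policy and reports which settings are missing or differ from the values the guide specifies.

```powershell
# Added example: audit the settings this guide applies. Read-only; run from an elevated prompt.
# Expected values are taken from the sections above.
$Expected = @(
    @{ Path = 'HKLM:\Software\Policies\Microsoft\Windows\Explorer'; Name = 'NoUseStoreOpenWith'; Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility'; Name = 'HideInsiderPage'; Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock'; Name = 'AllowAllTrustedApps'; Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock'; Name = 'AllowDevelopmentWithoutDevLicense'; Value = 0 },
    @{ Path = 'HKLM:\Software\Policies\Microsoft\Windows Defender\MpEngine'; Name = 'MpEnablePus'; Value = 1 },
    @{ Path = 'HKLM:\Software\Microsoft\Windows Script Host\Settings'; Name = 'Enabled'; Value = 0 }
)

function Test-RegistryValue {
    param([string]$Path, [string]$Name, [int]$Value)
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if (-not $key) {
        return [pscustomobject]@{ Setting = "$Path\$Name"; Status = 'KEY MISSING'; Actual = $null }
    }
    $actual = $key.GetValue($Name, $null)
    $status = if ($null -eq $actual) { 'VALUE MISSING' }
              elseif ([int]$actual -eq $Value) { 'OK' }
              else { 'MISMATCH' }
    [pscustomobject]@{ Setting = "$Path\$Name"; Status = $status; Actual = $actual }
}

$results = @(foreach ($e in $Expected) { Test-RegistryValue @e })

# The "3D Objects" namespace key should be gone after deletion.
$threeD = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}'
$results += [pscustomobject]@{ Setting = '3D Objects namespace key'
                               Status  = $(if (Test-Path $threeD) { 'STILL PRESENT' } else { 'OK' }); Actual = $null }

# Script extensions should map to txtfile so a double-click opens Notepad instead of executing.
foreach ($ext in '.reg', '.bat', '.js', '.jse', '.ps1') {
    $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'
    $results += [pscustomobject]@{ Setting = "file association $ext"
                                   Status  = $(if ($progId -eq 'txtfile') { 'OK' } else { 'MISMATCH' }); Actual = $progId }
}

# Machine-wide execution policy should be Restricted.
$policy = Get-ExecutionPolicy -Scope LocalMachine
$results += [pscustomobject]@{ Setting = 'ExecutionPolicy (LocalMachine)'
                               Status  = $(if ($policy -eq 'Restricted') { 'OK' } else { 'MISMATCH' }); Actual = $policy }

$results | Format-Table -AutoSize
```

Once the execution policy is Restricted, this cannot be run as a saved .ps1 file; paste it into the elevated prompt instead, which the Restricted policy still allows.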

Microsoft Office

If they have Microsoft Office installed, change the following:

Disable Macros

From any Office app, go to File -> Options -> Trust Center -> Trust Center Settings... -> Macro Settings

Select "Disable all macros without notification"

Disable all Online Features

Note: This may interfere with OneDrive.

From any Office app, go to File -> Options -> General -> Privacy Settings...

Uncheck "Enable connected experiences"

Google Chrome

If you are using Google Chrome I recommend that you also apply some of these Group Policies from Chrome's administrative template.

Download the GPO templates from: https://chromeenterprise.google/browser/download/ and load them into gpedit.msc

Disable Developer Tools

Honestly it's stupid that Chrome includes developer tools in the base installation instead of in a separate developer build. Developer tools often confuse non-developers.

https://cloud.google.com/docs/chrome-enterprise/policies/?policy=DeveloperToolsAvailability

Disable Access to chrome:flags

The about:flags page is a powerful settings page that lets you tweak many aspects of Chrome's behaviour that aren't normally exposed in the options page. It shouldn't be used by normal users (again, why is Chrome including this in the base install?)

https://cloud.google.com/docs/chrome-enterprise/policies/?policy=URLBlacklist

(Optional) Disable the Notification API

The Notification Web API is only used to deliver spam. Full stop. While some websites use it legitimately, it's gotten so bad that browsers are reeling back on support for it due to the overwhelming spam it delivers.

https://cloud.google.com/docs/chrome-enterprise/policies/?policy=DefaultNotificationsSetting

(Optional) Disallow Installing Extensions

I've marked this one as optional as extensions are a pretty big part of Chrome; however, depending on the skill level of the user that will be using this computer, it may be valuable to disable the ability to install extensions entirely, due to the number of malicious extensions out there.

https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ExtensionInstallBlacklist

You can also use the force-install list to install an extension (such as uBlock Origin); force-installed extensions are not subject to the denylist:

https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ExtensionInstallForcelist
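The same Chrome policies set directly in the registry from an elevated PowerShell prompt, as an alternative to loading the templates into gpedit.msc. This is an added example and not from the original gist; it assumes Chrome's machine policy location HKLM\SOFTWARE\Policies\Google\Chrome, uses the current policy names URLBlocklist and ExtensionInstallBlocklist (the pages linked above use the older Blacklist names), and uses a placeholder for the extension ID.

```powershell
# Added example: write Chrome enterprise policies to the registry. Chrome reads machine-level
# policies from this key; list-typed policies live in a subkey with values named "1", "2", ...
$ChromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
New-Item -Path $ChromePolicy -Force | Out-Null

# DeveloperToolsAvailability: 2 = developer tools disallowed
New-ItemProperty -Path $ChromePolicy -Name 'DeveloperToolsAvailability' -PropertyType DWord -Value 2 -Force | Out-Null

# DefaultNotificationsSetting: 2 = block sites from showing notifications (the optional step)
New-ItemProperty -Path $ChromePolicy -Name 'DefaultNotificationsSetting' -PropertyType DWord -Value 2 -Force | Out-Null

function Set-ChromeListPolicy {
    param([string]$Name, [string[]]$Entries)
    $key = Join-Path $ChromePolicy $Name
    # Recreate the list so stale entries from a previous run do not linger.
    if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
    New-Item -Path $key -Force | Out-Null
    $i = 1
    foreach ($entry in $Entries) {
        New-ItemProperty -Path $key -Name "$i" -PropertyType String -Value $entry -Force | Out-Null
        $i++
    }
}

# Block the flags page.
Set-ChromeListPolicy -Name 'URLBlocklist' -Entries @('chrome://flags')

# Optional: deny every extension install, then force-install the ones you want.
# Force-list entry format is "<extension id>;<update URL>"; replace the placeholder ID.
Set-ChromeListPolicy -Name 'ExtensionInstallBlocklist' -Entries @('*')
Set-ChromeListPolicy -Name 'ExtensionInstallForcelist' `
    -Entries @('EXTENSION_ID_PLACEHOLDER;https://clients2.google.com/service/update2/crx')

# Verify what was written; Chrome shows the effective result at chrome://policy after a restart.
Get-ItemProperty -Path $ChromePolicy | Select-Object DeveloperToolsAvailability, DefaultNotificationsSetting
Get-Item -Path (Join-Path $ChromePolicy 'URLBlocklist') | Select-Object -ExpandProperty Property
```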

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer]
"NoUseStoreOpenWith"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility]
"HideInsiderPage"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine]
"MpEnablePus"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"ExecutionPolicy"="Restricted"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization]
"NoLockScreen"=dword:00000001

[HKEY_CLASSES_ROOT\.reg]
@="txtfile"

[HKEY_CLASSES_ROOT\.bat]
@="txtfile"

[HKEY_CLASSES_ROOT\.js]
@="txtfile"

[HKEY_CLASSES_ROOT\.JSE]
@="txtfile"

[HKEY_CLASSES_ROOT\.ps1]
@="txtfile"