@michiiii
Last active Mar 19, 2021
#Requires -RunAsAdministrator
############################################################
# Install Chocolatey
############################################################
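# Install Chocolatey only when the choco command is not already on PATH.
# Get-Command asks directly whether 'choco' can be run; Get-Package queries the
# PackageManagement providers, which do not necessarily list a Chocolatey install,
# so the original check could trigger a re-install on every run.
if (-not (Get-Command -Name 'choco' -ErrorAction SilentlyContinue))
{
    # Bypass applies to this PowerShell process only; the machine-wide policy is untouched.
    Set-ExecutionPolicy Bypass -Scope Process -Force
    # Make TLS 1.2 (3072) available for the download; older .NET defaults may not offer it.
    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072
    # NOTE(review): the next line downloads a script and executes it as Administrator with no
    # integrity check beyond TLS. For a hardened build, save install.ps1 to disk, review it or
    # compare it with a known-good hash, and run the local copy instead.
    iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
}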
############################################################
## Windows 10 Config
############################################################
# Install the OpenSSH server capability, set sshd and ssh-agent to start at boot, start
# both, then print the state of every service whose name contains "ssh".
# To look up the capability name first:
#   Get-WindowsCapability -Online | ? name -like *OpenSSH.Server*
# NOTE(review): this starts a remote-login service on the machine that the rest of the
# script hardens; confirm it is wanted and restrict it (key-based authentication,
# firewall scope) if so.
Add-WindowsCapability -Online -Name 'OpenSSH.Server~~~~0.0.1.0'
$sshServices = 'sshd', 'ssh-agent'
foreach ($svc in $sshServices) {
    Set-Service -Name $svc -StartupType Automatic
}
foreach ($svc in $sshServices) {
    Start-Service -Name $svc
}
Get-Service -Name *ssh* | Select-Object -Property DisplayName, Status, StartType
############################################################
## install
############################################################
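# Install the workstation tool set through Chocolatey, one package per call and in the
# original order; -y answers every prompt.
# The original passed -ignore-checksums for the 'github' package. Checksum verification is
# what detects an installer that differs from the one the package maintainer published, so
# it stays enabled here. If the package fails its checksum, investigate or pin a known-good
# release with --version rather than bypassing the check.
$chocoPackages = @(
    ## Apps
    'visualstudiocode',
    'vmwareworkstation',
    'sysinternals',
    'wireshark',
    ## Source Control
    'git',
    'github',
    ## DevOps Tools
    'docker-desktop',
    'packer',
    'vagrant',
    ## Connection Tools
    'mobaxterm',
    ## common tools
    'foxitreader',
    'googlechrome',
    'jre8',
    '7zip.install',
    'python3',
    'dotnetfx',
    'vcredist2015'
)
foreach ($package in $chocoPackages) {
    choco install $package -y
}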
## Remove shit
# Remove preinstalled / store applications by package name.
# Each name is looked up with Get-AppxPackage and every match is piped to
# Remove-AppxPackage -AllUsers. Errors from the removal are suppressed, so a package that
# cannot be removed is skipped silently.
# NOTE(review): 'king.com.*' is a wildcard that also matches the two CandyCrush entries
# listed before it. The list includes 'KeeperSecurityInc.Keeper' (a password manager);
# confirm that removal is intended on machines where it is in use.
function RemoveApps {
    Write-Warning 'Removing bloatware...'
    $bloatwareNames = @(
        'Microsoft.3DBuilder',
        'Microsoft.Microsoft3DViewer',
        'Microsoft.Print3D',
        'Microsoft.Appconnector',
        'Microsoft.BingFinance',
        'Microsoft.BingNews',
        'Microsoft.BingSports',
        'Microsoft.BingTranslator',
        'Microsoft.BingWeather',
        'Microsoft.BingFoodAndDrink',
        'Microsoft.BingTravel',
        'Microsoft.BingHealthAndFitness',
        'Microsoft.FreshPaint',
        'Microsoft.MicrosoftOfficeHub',
        'Microsoft.WindowsFeedbackHub',
        'Microsoft.MicrosoftSolitaireCollection',
        'Microsoft.MicrosoftPowerBIForWindows',
        'Microsoft.MinecraftUWP',
        'Microsoft.MicrosoftStickyNotes',
        'Microsoft.NetworkSpeedTest',
        'Microsoft.Office.OneNote',
        'Microsoft.OneConnect',
        'Microsoft.People',
        'Microsoft.SkypeApp',
        'Microsoft.Wallet',
        'Microsoft.WindowsAlarms',
        'Microsoft.WindowsCamera',
        'Microsoft.windowscommunicationsapps',
        'Microsoft.WindowsMaps',
        'Microsoft.WindowsPhone',
        'Microsoft.WindowsSoundRecorder',
        'Microsoft.XboxApp',
        'Microsoft.XboxGameOverlay',
        'Microsoft.XboxIdentityProvider',
        'Microsoft.XboxSpeechToTextOverlay',
        'Microsoft.ZuneMusic',
        'Microsoft.ZuneVideo',
        'Microsoft.CommsPhone',
        'Microsoft.ConnectivityStore',
        'Microsoft.GetHelp',
        'Microsoft.Getstarted',
        'Microsoft.Messaging',
        'Microsoft.Office.Sway',
        'Microsoft.WindowsReadingList',
        '9E2F88E3.Twitter',
        'PandoraMediaInc.29680B314EFC2',
        'Flipboard.Flipboard',
        'ShazamEntertainmentLtd.Shazam',
        'king.com.CandyCrushSaga',
        'king.com.CandyCrushSodaSaga',
        'king.com.*',
        'ClearChannelRadioDigital.iHeartRadio',
        '4DF9E0F8.Netflix',
        '6Wunderkinder.Wunderlist',
        'Drawboard.DrawboardPDF',
        '2FE3CB00.PicsArt-PhotoStudio',
        'D52A8D61.FarmVille2CountryEscape',
        'TuneIn.TuneInRadio',
        'GAMELOFTSA.Asphalt8Airborne',
        'TheNewYorkTimes.NYTCrossword',
        'DB6EA5DB.CyberLinkMediaSuiteEssentials',
        'Facebook.Facebook',
        'flaregamesGmbH.RoyalRevolt2',
        'Playtika.CaesarsSlotsFreeCasino',
        'A278AB0D.MarchofEmpires',
        'KeeperSecurityInc.Keeper',
        'ThumbmunkeysLtd.PhototasticCollage',
        'XINGAG.XING',
        '89006A2E.AutodeskSketchBook',
        'D5EA27B7.Duolingo-LearnLanguagesforFree',
        '46928bounde.EclipseManager',
        'ActiproSoftwareLLC.562882FEEB491',
        'DolbyLaboratories.DolbyAccess',
        'A278AB0D.DisneyMagicKingdoms',
        'WinZipComputing.WinZipUniversal',
        'Microsoft.ScreenSketch',
        'Microsoft.XboxGamingOverlay',
        'Microsoft.Xbox.TCUI',
        'Microsoft.XboxGameCallableUI',
        'Microsoft.YourPhone'
    )
    $bloatwareNames | ForEach-Object {
        Get-AppxPackage -Name $_ | Remove-AppxPackage -AllUsers -ErrorAction 'SilentlyContinue'
    }
    Write-Host 'Done.'
}
#
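# Disable NetBIOS over TCP/IP on every interface currently listed under the NetBT
# Interfaces key. Interfaces that appear after this runs are not covered.
function DisableNetBios {
    Write-Warning("Disabling NetBios..")
    # Rooted path (HKLM:\...): the original "HKLM:SYSTEM\..." is drive-relative and would
    # resolve against whatever location was last set on the HKLM: drive.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces'
    Get-ChildItem -Path $key | ForEach-Object {
        # NetbiosOptions = 2 turns NetBIOS over TCP/IP off for that interface.
        Set-ItemProperty -Path $_.PSPath -Name NetBiosOptions -Value 2
    }
    Write-Host("Done.")
}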
# Disable AutoRun (machine policy) and AutoPlay (current user).
# Set-RegistryValue is not defined in the visible part of this script; it must exist
# before this function is called.
function DisableAutoPlayRun {
    Write-Warning 'Disabling AutoPlay and AutoRun...'
    $explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    # AutoRun: NoAutorun = 1 and NoDriveTypeAutoRun = 255
    Set-RegistryValue -Path $explorerPolicy -Name 'NoAutorun' -Value '1' -Type 'Dword'
    Set-RegistryValue -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -Value '255' -Type 'Dword'
    # AutoPlay: per-user switch under HKCU
    $autoplayHandlers = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
    Set-RegistryValue -Path $autoplayHandlers -Name 'DisableAutoplay' -Value '1' -Type 'Dword'
    Write-Host 'Done.'
}
# Turn off Find My Device (policy value) and its location sync setting.
# Relies on Set-RegistryValue, which is not defined in the visible part of this script.
function DisableFindMyDevice {
    Write-Warning 'Disabling Find My Device...'
    $entries = @(
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\FindMyDevice'; Name = 'AllowFindMyDevice' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Settings\FindMyDevice'; Name = 'LocationSyncEnabled' }
    )
    foreach ($entry in $entries) {
        # Both values are written as DWORD 0.
        Set-RegistryValue @entry -Value 0 -Type Dword
    }
    Write-Host 'Done.'
}
# Block Windows Insider preview builds through the PreviewBuilds and WindowsUpdate
# policy keys. Relies on Set-RegistryValue, which is not defined in the visible part
# of this script.
function DisableWinInsiderProgram {
    Write-Warning 'Disabling Win Insider Program...'
    $previewBuilds = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds'
    $windowsUpdate = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    Set-RegistryValue -Path $previewBuilds -Name 'AllowBuildPreview' -Value 0 -Type Dword
    Set-RegistryValue -Path $previewBuilds -Name 'EnableConfigFlighting' -Value 0 -Type Dword
    Set-RegistryValue -Path $windowsUpdate -Name 'ManagePreviewBuilds' -Value 1 -Type Dword
    Set-RegistryValue -Path $windowsUpdate -Name 'ManagePreviewBuildsPolicyValue' -Value 0 -Type Dword
    Write-Host 'Done.'
}
# Block picture-password sign-in by setting the BlockDomainPicturePassword policy value.
# Relies on Set-RegistryValue, which is not defined in the visible part of this script.
function DisablePicturePassword {
    Write-Warning 'Disable Picture Password...'
    $policy = @{
        Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
        Name  = 'BlockDomainPicturePassword'
        Value = 1
        Type  = 'Dword'
    }
    Set-RegistryValue @policy
    Write-Host 'Done.'
}
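# Enable enhanced anti-spoofing for facial-recognition sign-in by setting the
# EnhancedAntiSpoofing policy value to 1.
# Relies on Set-RegistryValue, which is not defined in the visible part of this script.
function EnableEnhancedFaceSpoofingProtection {
    Write-Warning "Enable Enhanced Face Spoofing Protection..."
    # The key is passed as -Path. The original passed -Name twice (once with the key path),
    # which fails parameter binding, so the setting was never written.
    Set-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures" -Name "EnhancedAntiSpoofing" -Value 1 -Type Dword
    Write-Host("Done.")
}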
# Disable the Link-Local Multicast Name Resolution (LLMNR) protocol by writing
# EnableMulticast = 0 under the DNSClient policy key.
# Relies on Set-RegistryValue, which is not defined in the visible part of this script.
function DisableLLMNR {
    Write-Warning 'Disabling LLMNR...'
    $dnsClientPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    Set-RegistryValue -Path $dnsClientPolicy -Name 'EnableMulticast' -Type DWord -Value 0
    Write-Host 'Done.'
}
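# Disable the SMB server: completely disables file and printer sharing on this machine
# while leaving it able to connect to another SMB server as a client.
# Relies on Set-RegistryValue, which is not defined in the visible part of this script.
function DisableSMBServer {
    Write-Warning "Disabling SMB Server..."
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # -NoRestart keeps the feature removal from stopping the run with a reboot prompt;
    # the script offers a restart at the end.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    # EnableSMB2Protocol controls SMB2 and SMB3 together, so this turns both off.
    Set-SmbServerConfiguration -EnableSMB2Protocol $false -Force
    # Rooted path (HKLM:\...): the original "HKLM:SYSTEM\..." is drive-relative and would
    # resolve against whatever location was last set on the HKLM: drive.
    Set-RegistryValue -Path 'HKLM:\SYSTEM\CurrentControlSet\services\NetBT\Parameters' -Name SMBDeviceEnabled -Value 0 -Type Dword
    Write-Host("Done.")
}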
# Stop mapped drives from being shared between users by deleting the
# EnableLinkedConnections value. A missing value is not reported (errors are suppressed).
function DisableSharingMappedDrives {
    Write-Warning 'Disabling sharing mapped drives between users...'
    $removal = @{
        Path        = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        Name        = 'EnableLinkedConnections'
        ErrorAction = 'SilentlyContinue'
    }
    Remove-ItemProperty @removal
    Write-Host 'Done.'
}
# Disable the implicit administrative shares by writing AutoShareWks = 0 under the
# LanmanServer parameters.
# NOTE(review): only AutoShareWks is written; server editions presumably need
# AutoShareServer as well. Confirm for the target OS.
function DisableAdminShares {
    Write-Warning 'Disabling implicit administrative shares...'
    $lanmanParameters = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $lanmanParameters -Name 'AutoShareWks' -Type DWord -Value 0
    Write-Host 'Done.'
}
# Disable the advertising ID through the AdvertisingInfo policy key.
# Relies on Set-RegistryValue, which is not defined in the visible part of this script.
function DisableAdvertisingID {
    Write-Warning 'Disabling Advertising ID...'
    $advertisingPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo'
    Set-RegistryValue -Path $advertisingPolicy -Name 'Enabled' -Type DWord -Value 0
    Set-RegistryValue -Path $advertisingPolicy -Name 'DisabledByGroupPolicy' -Type DWord -Value 1
    Write-Host 'Done.'
}
# Turn off Windows feedback prompts: registry values for the current user and the machine,
# plus the two Siuf scheduled tasks (a missing task is ignored).
# Relies on Set-RegistryValue, which is not defined in the visible part of this script.
function DisableFeedback {
    Write-Warning 'Disabling Feedback...'
    Set-RegistryValue -Path 'HKCU:\SOFTWARE\Microsoft\Siuf\Rules' -Name 'NumberOfSIUFInPeriod' -Type DWord -Value 0
    Set-RegistryValue -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' -Name 'DoNotShowFeedbackNotifications' -Type DWord -Value 1
    # Three per-user Assistance client switches, all set to 1.
    $assistanceUserKey = 'HKCU:\Software\Policies\Microsoft\Assistance\Client\1.0'
    foreach ($valueName in 'NoExplicitFeedback', 'NoImplicitFeedback', 'NoOnlineAssist') {
        Set-RegistryValue -Path $assistanceUserKey -Name $valueName -Type DWord -Value 1
    }
    Set-RegistryValue -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Assistance\Client\1.0' -Name 'NoActiveHelp' -Type DWord -Value 1
    foreach ($taskLeaf in 'DmClient', 'DmClientOnScenarioDownload') {
        Disable-ScheduledTask -TaskName "Microsoft\Windows\Feedback\Siuf\$taskLeaf" -ErrorAction SilentlyContinue | Out-Null
    }
    Write-Host 'Done.'
}
# Deny background access to every application listed under the current user's
# BackgroundAccessApplications key, except entries matching Microsoft.Windows.Cortana*.
function DisableBackgroundApps {
    Write-Warning 'Disabling Background application access...'
    $backgroundAppsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications'
    $appKeys = Get-ChildItem -Path $backgroundAppsKey -Exclude 'Microsoft.Windows.Cortana*'
    $appKeys | ForEach-Object {
        $appKeyPath = $_.PsPath
        foreach ($flag in 'Disabled', 'DisabledByUser') {
            Set-ItemProperty -Path $appKeyPath -Name $flag -Type DWord -Value 1
        }
    }
    Write-Host 'Done.'
}
# Disable web results in Windows Search: Bing search and Cortana consent for the current
# user, plus the machine-wide DisableWebSearch policy.
# Relies on Set-RegistryValue, which is not defined in the visible part of this script.
function DisableWebSearch {
    Write-Warning 'Disabling Web Search...'
    $userSearchKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Search'
    foreach ($valueName in 'BingSearchEnabled', 'CortanaConsent') {
        Set-RegistryValue -Path $userSearchKey -Name $valueName -Type DWord -Value 0
    }
    Set-RegistryValue -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search' -Name 'DisableWebSearch' -Type DWord -Value 1
    Write-Host 'Done.'
}
# Enable the SmartScreen filter by writing 1 to three values: the Windows System policy,
# the Edge PhishingFilter policy and the per-user web content evaluation switch.
# To disable SmartScreen instead, write 0 to the same three values.
# Relies on Set-RegistryValue, which is not defined in the visible part of this script.
function EnableSmartScreen {
    Write-Warning 'Enabling SmartScreen Filter...'
    $smartScreenValues = @(
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; Name = 'EnableSmartScreen'; Type = 'DWord' },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'; Name = 'EnabledV9'; Type = 'DWord' },
        @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost'; Name = 'EnableWebContentEvaluation'; Type = 'Dword' }
    )
    foreach ($setting in $smartScreenValues) {
        Set-RegistryValue @setting -Value 1
    }
    Write-Host 'Done.'
}
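# Reduce Windows telemetry: sets the AllowTelemetry values and related data-collection
# policies, then disables the scheduled tasks listed below.
# Relies on Set-RegistryValue, which is not defined in the visible part of this script.
# NOTE(review): AllowTelemetry = 0 is presumably honoured only on Enterprise, Education and
# Server editions; verify the effective level on the target edition.
function DisableTelemetry {
    Write-Warning "Disabling Telemetry..."
    Set-RegistryValue -Path "Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" -Name "AllowTelemetry" -Type Dword -Value 0
    Set-RegistryValue -Path "Registry::HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection" -Name "AllowTelemetry" -Type Dword -Value 0
    Set-RegistryValue -Path "Registry::HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Name "AllowTelemetry" -Type Dword -Value 0
    Set-RegistryValue -Path "Registry::HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" -Name "AllowBuildPreview" -Type Dword -Value 0
    Set-RegistryValue -Path "Registry::HKCU\Software\Policies\Microsoft\Windows\DataCollection" -Name "AllowTelemetry" -Type Dword -Value 0
    # The original read -Name"AITEnable" with no space, so the value name was not bound to
    # -Name as intended and this setting was not applied.
    Set-RegistryValue -Path "Registry::HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" -Name "AITEnable" -Type Dword -Value 0
    Set-RegistryValue -Path "Registry::HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Name "LimitEnhancedDiagnosticDataWindowsAnalytics" -Type Dword -Value 0
    Set-RegistryValue -Path "Registry::HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Name "DoNotShowFeedbackNotifications" -Type Dword -Value 1
    # Telemetry-related scheduled tasks; Out-Null hides the task objects that are returned.
    Disable-ScheduledTask -TaskName "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" | Out-Null
    Disable-ScheduledTask -TaskName "Microsoft\Windows\Application Experience\ProgramDataUpdater" | Out-Null
    Disable-ScheduledTask -TaskName "Microsoft\Windows\Autochk\Proxy" | Out-Null
    Disable-ScheduledTask -TaskName "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" | Out-Null
    Disable-ScheduledTask -TaskName "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" | Out-Null
    Disable-ScheduledTask -TaskName "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" | Out-Null
    Write-Host("Done.")
}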
# Set every listed service to Disabled and then force-stop it.
# NOTE(review): the list includes services that authentication or connectivity may depend
# on (WbioSrvc and SCardSvr for biometric / smart-card sign-in, RasMan and SstpSvc for
# remote access, the vmic* Hyper-V guest services inside a VM). Check it against what the
# machine actually needs before running.
function DisableServices {
    Write-Warning 'Disabling Unneeded Windows services...'
    $serviceNames = @(
        'lmhosts', # TCP/IP NetBIOS Helper
        #'wlidsvc', # Microsoft Account Sign-in Assistant
        'SEMgrSvc', # Payments NFC/SE Manager
        'tzautoupdate', # Auto Time Zone Updater
        'AppVClient', # Microsoft App-V Client
        'RemoteRegistry', # Remote Registry
        'shpamsvc', # Shared PC Account Manager
        'WwanSvc', # WWAN AutoConfig
        'PushToInstall', # Windows PushToInstall Service
        'spectrum', # Windows Perception Service
        'icssvc', # Windows Mobile Hotspot Service
        'wisvc', # Windows Insider Service
        'WerSvc', # Windows Error Reporting Service
        'dmwappushservice', # Device Management Wireless Application Protocol (WAP) Push message Routing Service
        'FrameServer', # Windows Camera Frame Service
        'WFDSConMgrSvc', # Wi-Fi Direct Services Connection Manager Service
        'ScDeviceEnum', # Smart Card Device Enumeration Service
        'SCardSvr', # Smart Card
        'PhoneSvc', # Phone Service
        'IpxlatCfgSvc', # IP Translation Configuration Service
        'SharedAccess', # Internet Connection Sharing (ICS)
        'vmicvss', # Hyper-V Volume Shadow Copy Requestor
        'vmictimesync', # Hyper-V Time Synchronization Service
        'vmicrdv', # Hyper-V Remote Desktop Virtualization Service
        'vmicvmsession', # Hyper-V PowerShell Direct Service
        'vmicheartbeat', # Hyper-V Heartbeat Service
        'vmicshutdown', # Hyper-V Guest Shutdown Service
        'vmicguestinterface', # Hyper-V Guest Service Interface
        'vmickvpexchange', # Hyper-V Data Exchange Service
        'HvHost', # HV Host Service
        'FDResPub', # Function Discovery Resource Publication
        'diagsvc', # Diagnostic Execution Service
        'autotimesvc', # Cellular Time
        'bthserv', # Bluetooth Support Service
        'BTAGService', # Bluetooth Audio Gateway Service
        'AssignedAccessManagerSvc', # AssignedAccessManager Service
        'AJRouter', # AllJoyn Router Service
        'lfsvc', # Geolocation Service
        'CDPSvc', # Connected Devices Platform Service
        'DiagTrack', # Connected User Experiences and Telemetry
        'DPS', # Diagnostic Policy Service
        'iphlpsvc', # IP Helper
        'RasMan', # Remote Access Connection Manager
        'SstpSvc', # Secure Socket Tunneling Protocol Service
        'ShellHWDetection', # Shell Hardware Detection
        'SSDPSRV', # SSDP Discovery
        'WbioSrvc', # Windows Biometric Service
        'stisvc', # Windows Image Acquisition (WIA)
        'MessagingService', # Instant messaging Universal Windows Platform Service
        'PcaSvc' # Program Compatibility Assistant (PCA)
    )
    $serviceNames | ForEach-Object {
        # Disable first so the service cannot be restarted, then stop the running instance.
        Set-Service -Name $_ -StartupType 'Disabled'
        Stop-Service -Name $_ -Force
    }
    Write-Host 'Done.'
}
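# Enable TLS 1.2 for SChannel (client and server), WinHTTP, the current user's Internet
# Settings and .NET Framework 4.x. Only TLS 1.2 is switched on here; older protocol
# versions are not disabled by this function.
# Relies on Set-RegistryValue, which is not defined in the visible part of this script;
# presumably it creates a key when called with -Type 'Directory' and accepts the hex
# strings passed as -Value. Verify against its definition.
function EnableTLS1_2(){
    Write-Warning 'Enabling TLSv1.2...'
    $Path = 'Registry::HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    $Protocol = 'TLS 1.2'
    # Quoted because the protocol name contains a space.
    $key = "$Path\$Protocol"
    if (!(Test-Path $key)){
        New-Item -Path $Path -Name $Protocol -Type 'Directory' -ErrorAction 'SilentlyContinue'
    }
    Set-RegistryValue -Path $key -Name 'Client' -Type 'Directory'
    Set-RegistryValue -Path $key -Name 'Server' -Type 'Directory'
    Set-RegistryValue -Path "$key\Client" -Name "DisabledByDefault" -Value "0" -Type 'Dword'
    Set-RegistryValue -Path "$key\Client" -Name "Enabled" -Value "1" -Type 'Dword'
    Set-RegistryValue -Path "$key\Server" -Name "DisabledByDefault" -Value "0" -Type 'Dword'
    Set-RegistryValue -Path "$key\Server" -Name "Enabled" -Value "1" -Type 'Dword'
    # 0x800 is the TLS 1.2 bit in these protocol masks.
    Set-RegistryValue -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp' -Name 'DefaultSecureProtocols' -Value '0x800' -Type 'Dword'
    Set-RegistryValue -Path 'Registry::HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp' -Name 'DefaultSecureProtocols' -Value '0x800' -Type 'Dword'
    Set-RegistryValue -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name 'SecureProtocols' -Value '0x800' -Type 'Dword'
    # The .NET value is named SchUseStrongCrypto. The original wrote 'chUseStrongCrypto',
    # a name .NET does not read, so strong crypto was never enabled for .NET applications.
    Set-RegistryValue -Path 'Registry::HKLM\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type 'Dword'
    Set-RegistryValue -Path 'Registry::HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type 'Dword'
    Write-Host 'Done.'
}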
# Disable IPv6: writes DisabledComponents = 0xFF under the Tcpip6 parameters and unbinds
# the ms_tcpip6 component (Internet Protocol Version 6) from every network adapter.
# Relies on Set-RegistryValue, which is not defined in the visible part of this script.
function DisableIPv6 {
    Write-Warning 'Disabling IPv6...'
    $tcpip6Setting = @{
        Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
        Name  = 'DisabledComponents'
        Value = '0xFF'
        Type  = 'Dword'
    }
    Set-RegistryValue @tcpip6Setting
    Disable-NetAdapterBinding -Name '*' -ComponentID 'ms_tcpip6'
    Write-Host 'Done.'
}
# Disable Wi-Fi Sense: hotspot reporting and auto-connect policy values, plus the two
# wifinetworkmanager config switches. Every value is written as DWORD 0.
# Relies on Set-RegistryValue, which is not defined in the visible part of this script.
function DisableWiFiSense {
    Write-Warning 'Disabling Wi-Fi Sense...'
    $wifiPolicyRoot = 'HKLM:\Software\Microsoft\PolicyManager\default\WiFi'
    foreach ($policyName in 'AllowWiFiHotSpotReporting', 'AllowAutoConnectToWiFiSenseHotspots') {
        Set-RegistryValue -Path "$wifiPolicyRoot\$policyName" -Name 'Value' -Type DWord -Value 0
    }
    $wifiManagerConfig = 'HKLM:\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config'
    foreach ($valueName in 'AutoConnectAllowedOEM', 'WiFISenseAllowed') {
        Set-RegistryValue -Path $wifiManagerConfig -Name $valueName -Type Dword -Value 0
    }
    Write-Host 'Done.'
}
# Optionally set the legal notice shown at logon (legalnoticecaption / legalnoticetext).
# The operator is asked whether to set a notice, then whether to keep the default wording
# or type a custom caption and text. Whatever is entered is written to the registry as-is.
function SetLoginMOTD {
    $answer = Read-Host 'Set a login MOTD? [y/N]'
    $caption = 'UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.'
    $body = 'You must have explicit authorized permission to access or configure this device. Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties. All activities on this device are logged and monitored.'
    $accepted = 'y', 'yes'

    # Anything other than y/yes (including an empty answer) leaves the notice untouched.
    if ($accepted -notcontains $answer) {
        Write-Host 'No MOTD set'
        return
    }

    Write-Host "$caption`n$body"
    $answer = Read-Host 'Use the default value above? [y/N]'
    if ($accepted -notcontains $answer) {
        $caption = Read-Host 'Enter MOTD caption value'
        $body = Read-Host 'Enter your MOTD'
    }

    $systemPolicyKey = 'Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if (-not (Test-Path $systemPolicyKey)) {
        New-Item $systemPolicyKey
    }
    Set-ItemProperty -Path $systemPolicyKey -Name 'legalnoticecaption' -Value "$caption"
    Set-ItemProperty -Path $systemPolicyKey -Name 'legalnoticetext' -Value "$body"
    Write-Host "`nLogin MOTD set to:`n$caption`n$body"
}
# After confirmation, delete all volume shadow copies and disable System Restore
# (policy and non-policy registry values, plus the SR scheduled task).
# NOTE(review): deleting every shadow copy removes all existing restore points and
# cannot be undone. The same vssadmin command line is a common ransomware precursor
# (MITRE ATT&CK T1490), so EDR tooling is likely to alert on or block this step; make
# sure other backups exist and the monitoring team expects it.
# Relies on Set-RegistryValue, which is not defined in the visible part of this script.
function DisableSysRestore {
    $answer = Read-Host 'Disable System Restore? [y/N]'
    if (('y', 'yes') -notcontains $answer) {
        return
    }

    vssadmin delete shadows /all /Quiet | Out-Null
    Write-Host 'shadow copies deleted'

    $restoreKeys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
    )
    foreach ($restoreKey in $restoreKeys) {
        foreach ($valueName in 'DisableConfig', 'DisableSR') {
            Set-RegistryValue -Path $restoreKey -Name $valueName -Value '1' -Type 'Dword'
        }
    }
    Disable-ScheduledTask -TaskName '\Microsoft\Windows\SystemRestore\SR'
    Write-Host 'System Restore Disabled'
}
# Disable Sticky Keys by writing Flags = 506 under the current user's accessibility
# settings. The value lives in HKCU, so it applies to the profile running the script.
# Relies on Set-RegistryValue, which is not defined in the visible part of this script.
function DisableStickyKeys {
    Write-Warning 'Disabling Sticky Keys..'
    $stickyKeys = @{
        Path  = 'HKCU:\Control Panel\Accessibility\StickyKeys'
        Name  = 'Flags'
        Value = '506'
        Type  = 'Dword'
    }
    Set-RegistryValue @stickyKeys
    Write-Host 'Done.'
}
# Stop unless the session is elevated. IsAdmin is not defined in the visible part of
# this script.
if (!(IsAdmin)) {
    Write-Warning 'The script must be executed with Administrator privileges'
    return
}
# Ask where the registry backups should go; the current location is handed to Get-Folder
# (also not defined in the visible part of this script).
$regBckpDir = Get-Folder (Get-Location)
if (-not $regBckpDir) {
    Write-Warning 'You must select a directory to save the .reg files'
    return
}
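# Remove existing backup files (.reg files directly inside the chosen directory)
Remove-Item -Path "$regBckpDir\*.reg"
# Back up the registry hives the hardening steps modify, so the changes can be rolled back.
# NOTE(review): the exports are plain-text copies of machine and user configuration; keep
# the backup directory readable by administrators only.
Write-Host("Backing up registry hives..")
foreach ($hive in 'HKLM', 'HKCU', 'HKCR') {
    $backupFile = Join-Path -Path $regBckpDir -ChildPath ($hive.ToLower() + '.reg')
    # /y overwrites without prompting if a stale file survived the cleanup above.
    reg export $hive $backupFile /y | Out-Null
    # Report success only when reg.exe exited with 0. The original printed
    # "saved successfully" unconditionally, even when no backup had been written.
    if ($LASTEXITCODE -ne 0) {
        Write-Warning("$hive export failed (reg.exe exit code $LASTEXITCODE); stopping before any setting is changed")
        return
    }
    Write-Host("$hive saved successfully")
}
Write-Host("Done.")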
# Main hardening sequence: each step below calls one function, in this order.
# NOTE(review): FlushCaches, DisableNetworks, DisableNetSecProtocols, RDP_hardening,
# FirewallHardening, DisableScheduledTasks, Misc, Set-UACLevel, ConfigureWinDef and
# SetPasswordPolicy are not defined in the visible part of this script; each call fails
# with a command-not-found error unless they are defined elsewhere.
# NOTE(review): DisableAutoPlayRun, DisableFindMyDevice, DisableWinInsiderProgram,
# DisablePicturePassword, EnableEnhancedFaceSpoofingProtection and EnableTLS1_2 are
# defined above but are not called in this sequence.
# Flush caches
FlushCaches
# Disable unneeded network connections
DisableNetworks
# Disable unsafe network security protocols and enable TLS 1.2
DisableNetSecProtocols
# Disable IPv6
DisableIPv6
# Disable the SMB Server
DisableSMBServer
# Disable sharing of mapped drives between users
DisableSharingMappedDrives
# Disable the implicit administrative shares
DisableAdminShares
# Disable the LLMNR Protocol
DisableLLMNR
# Disable NetBios
DisableNetBios
# Hardening RDP
RDP_hardening
# Remove Unneeded Apps
RemoveApps
# Stop and Disable Unneeded Services
DisableServices
# Disable WiFi-Sense
DisableWiFiSense
# Disable Telemetry
DisableTelemetry
# Enable the SmartScreen filter (the function called here turns it on, not off)
EnableSmartScreen
# Disable WebSearch
DisableWebSearch
# Disable background application access
DisableBackgroundApps
# Disable Feedback
DisableFeedback
# Disable Adv. ID
DisableAdvertisingID
# Disables Sticky keys
DisableStickyKeys
# Windows Firewall hardening
FirewallHardening
# Scheduled Tasks Hardening
DisableScheduledTasks
# Mixed Privacy & Security Features
Misc
# Disable System Restore (asks for confirmation before deleting shadow copies)
DisableSysRestore
# Set login screen MOTD (asks for confirmation)
SetLoginMOTD
# Set UAC Level to High
Write-Warning 'Setting UAC level to High...'
# Per the original comment, 3 is the maximum UAC level accepted by Set-UACLevel
Set-UACLevel 3
Write-Host 'Done.'
# Enable and Configure Windows Defender
# $NoAV is not assigned anywhere in the visible part of this script; while it is unset
# the condition is true and ConfigureWinDef runs.
if(!$NoAV){
ConfigureWinDef
}
# Set user password restrictions
SetPasswordPolicy
# Enforce Exploit Mitigation settings (System-level only)
# Set-ProcessMitigation -System -Enable DEP, CFG, BottomUp, SEHOP, TerminateOnError, HighEntropy, ForceRelocateImages
# Enable Memory Integrity -- Core Isolation Win10
#Set-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" -Name "Enabled" -Value 1 -Type Dword
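# Offer a restart once the hardening steps have run.
# The message is printed unconditionally; it does not reflect whether earlier steps failed.
Write-Warning 'Hardening has finished successfully. Would you like to restart now?'
# The prompt reads (y/N) because only y or yes triggers a restart; the original (Y/n)
# suggested that pressing Enter would restart, which it does not.
Set-Variable -Name 'UserResponse' -Value (Read-Host -Prompt '(y/N)')
# Set the execution policy to Restricted. No -Scope is given, so the default scope applies.
# Execution policy is a safety feature rather than a security boundary, and a policy set
# through Group Policy takes precedence over this setting.
Set-ExecutionPolicy restricted
# -contains compares case-insensitively, so Y, y, Yes and yes are all accepted.
if (('y', 'yes') -contains $UserResponse) {
    Restart-Computer -Confirm
}
else {
    Write-Host 'Not restarting. Please restart device soon.'
}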