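#Requires -RunAsAdministrator
############################################################
# Install Chocolatey
############################################################
# Bootstrap Chocolatey only when Get-Package finds no package matching *choco*.
# NOTE(review): the bootstrap downloads install.ps1 and runs it with iex inside
# an elevated session, with no signature or hash check on the downloaded text.
# Everything that follows then trusts that script. For repeatable builds,
# download the installer to disk, verify it against a pinned hash or its
# Authenticode signature, and only then execute it.
if (!(Get-Package -Name *choco*))
{
    # Process scope keeps the policy bypass limited to this PowerShell session.
    Set-ExecutionPolicy Bypass -Scope Process -Force
    # Make sure TLS 1.2 is offered for the download, even on hosts whose .NET
    # defaults still negotiate older protocol versions.
    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor [System.Net.SecurityProtocolType]::Tls12
    iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
}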
############################################################
## Windows 10 Config
############################################################
# Get-WindowsCapability -Online | ? name -like *OpenSSH.Server*
# Install the OpenSSH server capability, set sshd and ssh-agent to start
# automatically, start both, then list the resulting service state.
# NOTE(review): this adds a remote-login listener to a machine that the rest
# of the script is hardening, and it runs with the stock sshd_config. Restrict
# authentication (for example key-only logons) and the firewall scope of the
# listener before the host is put on an untrusted network.
Add-WindowsCapability -Name OpenSSH.Server~~~~0.0.1.0 -Online
'sshd', 'ssh-agent' | ForEach-Object { Set-Service -Name $_ -StartupType Automatic }
'sshd', 'ssh-agent' | ForEach-Object { Start-Service -Name $_ }
Get-Service -Name *ssh* | Select-Object DisplayName, Status, StartType
############################################################
## install
############################################################
# Each package is installed unattended (-y). No versions are pinned, so the
# result depends on whatever the Chocolatey feed serves at run time.
## Apps
'visualstudiocode', 'vmwareworkstation', 'sysinternals', 'wireshark' |
    ForEach-Object { choco install $_ -y }
## Source Control
choco install git -y
# NOTE(review): -ignore-checksums switches off Chocolatey's integrity check for
# this package, so a tampered or replaced download would be installed without
# warning. Prefer dropping the switch and fixing the package checksum instead.
choco install github -y -ignore-checksums
## DevOps Tools
'docker-desktop', 'packer', 'vagrant' | ForEach-Object { choco install $_ -y }
## Connection Tools
choco install mobaxterm -y
## common tools
'foxitreader', 'googlechrome', 'jre8', '7zip.install', 'python3', 'dotnetfx', 'vcredist2015' |
    ForEach-Object { choco install $_ -y }
## Remove shit
# Removes a fixed list of preinstalled Store (Appx) packages.
# Each name is looked up with Get-AppxPackage and the matches are piped to
# Remove-AppxPackage -AllUsers. Removal errors are suppressed, so a package
# that is absent or cannot be removed is skipped silently.
# NOTE(review): Get-AppxPackage is called without -AllUsers, so the lookup
# presumably only sees packages registered for the invoking user -- confirm.
function RemoveApps(){
    #################################################################
    Write-Warning 'Removing bloatware...'
    $bloatPackages = @(
        'Microsoft.3DBuilder',
        'Microsoft.Microsoft3DViewer',
        'Microsoft.Print3D',
        'Microsoft.Appconnector',
        'Microsoft.BingFinance',
        'Microsoft.BingNews',
        'Microsoft.BingSports',
        'Microsoft.BingTranslator',
        'Microsoft.BingWeather',
        'Microsoft.BingFoodAndDrink',
        'Microsoft.BingTravel',
        'Microsoft.BingHealthAndFitness',
        'Microsoft.FreshPaint',
        'Microsoft.MicrosoftOfficeHub',
        'Microsoft.WindowsFeedbackHub',
        'Microsoft.MicrosoftSolitaireCollection',
        'Microsoft.MicrosoftPowerBIForWindows',
        'Microsoft.MinecraftUWP',
        'Microsoft.MicrosoftStickyNotes',
        'Microsoft.NetworkSpeedTest',
        'Microsoft.Office.OneNote',
        'Microsoft.OneConnect',
        'Microsoft.People',
        'Microsoft.SkypeApp',
        'Microsoft.Wallet',
        'Microsoft.WindowsAlarms',
        'Microsoft.WindowsCamera',
        'Microsoft.windowscommunicationsapps',
        'Microsoft.WindowsMaps',
        'Microsoft.WindowsPhone',
        'Microsoft.WindowsSoundRecorder',
        'Microsoft.XboxApp',
        'Microsoft.XboxGameOverlay',
        'Microsoft.XboxIdentityProvider',
        'Microsoft.XboxSpeechToTextOverlay',
        'Microsoft.ZuneMusic',
        'Microsoft.ZuneVideo',
        'Microsoft.CommsPhone',
        'Microsoft.ConnectivityStore',
        'Microsoft.GetHelp',
        'Microsoft.Getstarted',
        'Microsoft.Messaging',
        'Microsoft.Office.Sway',
        'Microsoft.WindowsReadingList',
        '9E2F88E3.Twitter',
        'PandoraMediaInc.29680B314EFC2',
        'Flipboard.Flipboard',
        'ShazamEntertainmentLtd.Shazam',
        'king.com.CandyCrushSaga',
        'king.com.CandyCrushSodaSaga',
        'king.com.*',   # wildcard: every remaining package from this publisher
        'ClearChannelRadioDigital.iHeartRadio',
        '4DF9E0F8.Netflix',
        '6Wunderkinder.Wunderlist',
        'Drawboard.DrawboardPDF',
        '2FE3CB00.PicsArt-PhotoStudio',
        'D52A8D61.FarmVille2CountryEscape',
        'TuneIn.TuneInRadio',
        'GAMELOFTSA.Asphalt8Airborne',
        'TheNewYorkTimes.NYTCrossword',
        'DB6EA5DB.CyberLinkMediaSuiteEssentials',
        'Facebook.Facebook',
        'flaregamesGmbH.RoyalRevolt2',
        'Playtika.CaesarsSlotsFreeCasino',
        'A278AB0D.MarchofEmpires',
        'KeeperSecurityInc.Keeper',
        'ThumbmunkeysLtd.PhototasticCollage',
        'XINGAG.XING',
        '89006A2E.AutodeskSketchBook',
        'D5EA27B7.Duolingo-LearnLanguagesforFree',
        '46928bounde.EclipseManager',
        'ActiproSoftwareLLC.562882FEEB491',
        'DolbyLaboratories.DolbyAccess',
        'A278AB0D.DisneyMagicKingdoms',
        'WinZipComputing.WinZipUniversal',
        'Microsoft.ScreenSketch',
        'Microsoft.XboxGamingOverlay',
        'Microsoft.Xbox.TCUI',
        'Microsoft.XboxGameCallableUI',
        'Microsoft.YourPhone'
    )
    $bloatPackages | ForEach-Object {
        Get-AppxPackage -Name $_ | Remove-AppxPackage -AllUsers -ErrorAction 'SilentlyContinue'
    }
    Write-Host 'Done.'
}
# | |
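# Disable NetBios
# Sets NetbiosOptions to 2 (NetBIOS over TCP/IP disabled) on every interface
# subkey found under the NetBT service parameters.
# Only interfaces that exist when the function runs are changed; an adapter
# added later gets its own subkey and is not covered by this pass.
function DisableNetBios {
    Write-Warning("Disabling NetBios..")
    # "HKLM:\" anchors the path at the hive root. The former "HKLM:SYSTEM\..."
    # spelling is relative to the current location on the HKLM: drive and only
    # resolves correctly while that location is the root.
    $key = "HKLM:\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces"
    Get-ChildItem -Path $key | ForEach-Object {
        Set-ItemProperty -Path "$key\$($_.pschildname)" -Name NetBiosOptions -Value 2
    }
    Write-Host("Done.")
}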
# Disable AutoPlay and AutoRun
# Writes two machine-wide Explorer policy values (NoAutorun and
# NoDriveTypeAutoRun = 255, i.e. every drive type) and one per-user AutoPlay
# switch through the Set-RegistryValue helper.
# The HKCU value lands in the hive of the account running the script, so other
# local users keep their own AutoPlay setting.
function DisableAutoPlayRun {
    Write-Warning "Disabling AutoPlay and AutoRun..."
    $explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $autoplayHandlers = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
    Set-RegistryValue -Path $explorerPolicy -Name 'NoAutorun' -Value '1' -Type 'Dword'              # Autorun off
    Set-RegistryValue -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -Value '255' -Type 'Dword'   # Autorun off for all drive types
    Set-RegistryValue -Path $autoplayHandlers -Name 'DisableAutoplay' -Value '1' -Type 'Dword'      # Autoplay off
    Write-Host("Done.")
}
# Disable Find My Device
# Sets the AllowFindMyDevice policy and the LocationSyncEnabled setting to 0.
function DisableFindMyDevice {
    Write-Warning "Disabling Find My Device..."
    # Both writes share the same value and type; only path and name differ.
    $off = @{ Value = 0; Type = 'Dword' }
    Set-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\FindMyDevice" -Name "AllowFindMyDevice" @off
    Set-RegistryValue -Path "HKLM:\SOFTWARE\Microsoft\Settings\FindMyDevice" -Name "LocationSyncEnabled" @off
    Write-Host("Done.")
}
# Disable Win Insider Program
# Writes four policy values: preview builds and config flighting are turned
# off, and preview-build management is pinned through the WindowsUpdate policy
# key. The writes run in the order listed below.
function DisableWinInsiderProgram {
    Write-Warning "Disabling Win Insider Program..."
    $previewBuilds = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds"
    $windowsUpdate = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
    $settings = @(
        @{ Path = $previewBuilds; Name = "AllowBuildPreview";              Value = 0 },
        @{ Path = $previewBuilds; Name = "EnableConfigFlighting";          Value = 0 },
        @{ Path = $windowsUpdate; Name = "ManagePreviewBuilds";            Value = 1 },
        @{ Path = $windowsUpdate; Name = "ManagePreviewBuildsPolicyValue"; Value = 0 }
    )
    foreach ($setting in $settings) {
        Set-RegistryValue @setting -Type Dword
    }
    Write-Host("Done.")
}
# Disable Picture Password
# Sets the BlockDomainPicturePassword policy value to 1.
function DisablePicturePassword {
    Write-Warning "Disable Picture Password..."
    $policy = @{
        Path  = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System"
        Name  = "BlockDomainPicturePassword"
        Value = 1
        Type  = 'Dword'
    }
    Set-RegistryValue @policy
    Write-Host("Done.")
}
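# Enable Enhanced Face Spoofing Protection
# Sets the EnhancedAntiSpoofing policy value to 1 under the Biometrics
# FacialFeatures policy key.
# NOTE(review): DisableServices in this script disables WbioSrvc (Windows
# Biometric Service); with that service off, this policy presumably has
# nothing left to act on -- confirm which of the two is intended.
function EnableEnhancedFaceSpoofingProtection {
    Write-Warning "Enable Enhanced Face Spoofing Protection..."
    # The key is passed as -Path. The original supplied -Name twice, which
    # PowerShell rejects at parameter binding, so the value was never written.
    Set-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures" -Name "EnhancedAntiSpoofing" -Value 1 -Type Dword
    Write-Host("Done.")
}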
# Disable Link-Local Multicast Name Resolution (LLMNR) protocol
# Sets the EnableMulticast policy value of the DNS client to 0, so names that
# DNS cannot resolve are no longer asked for over link-local multicast.
function DisableLLMNR {
    Write-Warning "Disabling LLMNR..."
    $dnsClientPolicy = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient"
    Set-RegistryValue -Path $dnsClientPolicy -Name "EnableMulticast" -Type DWord -Value 0
    Write-Host("Done.")
}
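# Disable SMB Server - Completely disables file and printer sharing, but leaves the system able to connect to another SMB server as a client
# Steps: turn off the SMB1 and SMB2 server protocols, remove the SMB1 optional
# feature, and set SMBDeviceEnabled to 0 under the NetBT parameters.
function DisableSMBServer {
    Write-Warning "Disabling SMB Server..."
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # -NoRestart keeps the feature removal from offering a reboot in the middle
    # of the run; the script asks about restarting once at the very end.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    Set-SmbServerConfiguration -EnableSMB2Protocol $false -Force
    # "HKLM:\" anchors the path at the hive root. The original "HKLM:SYSTEM\..."
    # was relative to the current location on the HKLM: drive and carried a
    # stray trailing backslash.
    Set-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\services\NetBT\Parameters" -Name SMBDeviceEnabled -Value 0 -Type Dword
    Write-Host("Done.")
}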
# Disable sharing mapped drives between users
# Deletes the EnableLinkedConnections value from the System policy key.
# A missing value is not an error: failures are suppressed.
function DisableSharingMappedDrives {
    Write-Warning "Disabling sharing mapped drives between users..."
    $systemPolicy = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    Remove-ItemProperty -Path $systemPolicy -Name "EnableLinkedConnections" -ErrorAction SilentlyContinue
    Write-Host("Done.")
}
# Disable implicit administrative shares
# Sets AutoShareWks to 0 under the LanmanServer parameters so the workstation
# stops creating the default administrative shares.
# NOTE(review): presumably this only takes effect once the Server service or
# the machine restarts -- confirm.
function DisableAdminShares {
    Write-Warning "Disabling implicit administrative shares..."
    $lanmanParameters = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
    Set-ItemProperty -Path $lanmanParameters -Name "AutoShareWks" -Type DWord -Value 0
    Write-Host("Done.")
}
# Disable Advertising ID
# Writes Enabled = 0 and DisabledByGroupPolicy = 1 to the AdvertisingInfo
# policy key, in that order.
function DisableAdvertisingID {
    Write-Warning "Disabling Advertising ID..."
    $advertisingPolicy = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo"
    $values = [ordered]@{ "Enabled" = 0; "DisabledByGroupPolicy" = 1 }
    foreach ($entry in $values.GetEnumerator()) {
        Set-RegistryValue -Path $advertisingPolicy -Name $entry.Key -Type DWord -Value $entry.Value
    }
    Write-Host("Done.")
}
# Disable Feedback
# Turns off feedback prompts and the online-assistance feedback channels with
# six registry values (a mix of HKCU and HKLM), then disables the two Siuf
# scheduled tasks. Task errors are suppressed and task output is discarded.
function DisableFeedback {
    Write-Warning "Disabling Feedback..."
    $assistanceUserPolicy = "HKCU:\Software\Policies\Microsoft\Assistance\Client\1.0"
    Set-RegistryValue -Path "HKCU:\SOFTWARE\Microsoft\Siuf\Rules" -Name "NumberOfSIUFInPeriod" -Type DWord -Value 0
    Set-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Name "DoNotShowFeedbackNotifications" -Type DWord -Value 1
    foreach ($valueName in "NoExplicitFeedback", "NoImplicitFeedback", "NoOnlineAssist") {
        Set-RegistryValue -Path $assistanceUserPolicy -Name $valueName -Type DWord -Value 1
    }
    Set-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Assistance\Client\1.0" -Name "NoActiveHelp" -Type DWord -Value 1
    foreach ($taskLeaf in "DmClient", "DmClientOnScenarioDownload") {
        Disable-ScheduledTask -TaskName "Microsoft\Windows\Feedback\Siuf\$taskLeaf" -ErrorAction SilentlyContinue | Out-Null
    }
    Write-Host("Done.")
}
# Marks every per-user background-access entry, except keys matching
# "Microsoft.Windows.Cortana*", as Disabled and DisabledByUser.
# Only the hive of the account running the script (HKCU) is touched.
function DisableBackgroundApps {
    Write-Warning "Disabling Background application access..."
    $backgroundApps = "HKCU:\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications"
    Get-ChildItem -Path $backgroundApps -Exclude "Microsoft.Windows.Cortana*" | ForEach-Object {
        $appKey = $_.PsPath
        Set-ItemProperty -Path $appKey -Name "Disabled" -Type DWord -Value 1
        Set-ItemProperty -Path $appKey -Name "DisabledByUser" -Type DWord -Value 1
    }
    Write-Host("Done.")
}
# Turns off web results in Windows Search: two per-user values
# (BingSearchEnabled, CortanaConsent) set to 0 and the machine policy
# DisableWebSearch set to 1.
function DisableWebSearch {
    Write-Warning "Disabling Web Search..."
    $userSearch = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Search"
    foreach ($valueName in "BingSearchEnabled", "CortanaConsent") {
        Set-RegistryValue -Path $userSearch -Name $valueName -Type DWord -Value 0
    }
    Set-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search" -Name "DisableWebSearch" -Type DWord -Value 1
    Write-Host("Done.")
}
# Enables the SmartScreen filter by setting three values to 1: the Windows
# System policy, the Edge PhishingFilter policy, and the per-user AppHost web
# content evaluation switch.
function EnableSmartScreen(){
    Write-Warning "Enabling SmartScreen Filter..."
    $smartScreenValues = @(
        @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System";                Name = "EnableSmartScreen";          Type = 'DWord' },
        @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter";  Name = "EnabledV9";                  Type = 'DWord' },
        @{ Path = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost";         Name = "EnableWebContentEvaluation"; Type = 'Dword' }
    )
    foreach ($entry in $smartScreenValues) {
        Set-RegistryValue @entry -Value 1
    }
    # Disable SmartScreen
    # Set-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name "EnableSmartScreen" -Type DWord -Value 0
    # Set-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" -Name "EnabledV9" -Type DWord -Value 0
    # Set-RegistryValue -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" -Name "EnableWebContentEvaluation" -Type Dword -Value 0
    Write-Host("Done.")
}
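# Lowers Windows telemetry: writes AllowTelemetry = 0 to several policy
# locations, turns off related AppCompat and DataCollection values, and
# disables six diagnostic scheduled tasks.
# NOTE(review): Microsoft documents AllowTelemetry = 0 as honoured only on
# some editions; on others the effective level is presumably higher -- confirm
# for the target edition rather than assuming telemetry is fully off.
function DisableTelemetry {
    Write-Warning "Disabling Telemetry..."
    Set-RegistryValue -Path "Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" -Name "AllowTelemetry" -Type Dword -Value 0
    Set-RegistryValue -Path "Registry::HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection" -Name "AllowTelemetry" -Type Dword -Value 0
    Set-RegistryValue -Path "Registry::HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Name "AllowTelemetry" -Type Dword -Value 0
    Set-RegistryValue -Path "Registry::HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" -Name "AllowBuildPreview" -Type Dword -Value 0
    Set-RegistryValue -Path "Registry::HKCU\Software\Policies\Microsoft\Windows\DataCollection" -Name "AllowTelemetry" -Type Dword -Value 0
    # A space now separates -Name from its value. The original -Name"AITEnable"
    # was fused into one token and may not have bound as the -Name parameter.
    Set-RegistryValue -Path "Registry::HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" -Name "AITEnable" -Type Dword -Value 0
    Set-RegistryValue -Path "Registry::HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Name "LimitEnhancedDiagnosticDataWindowsAnalytics" -Type Dword -Value 0
    Set-RegistryValue -Path "Registry::HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Name "DoNotShowFeedbackNotifications" -Type Dword -Value 1
    # Task output is discarded; errors (for example a task that does not exist
    # on this build) are still reported.
    Disable-ScheduledTask -TaskName "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" | Out-Null
    Disable-ScheduledTask -TaskName "Microsoft\Windows\Application Experience\ProgramDataUpdater" | Out-Null
    Disable-ScheduledTask -TaskName "Microsoft\Windows\Autochk\Proxy" | Out-Null
    Disable-ScheduledTask -TaskName "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" | Out-Null
    Disable-ScheduledTask -TaskName "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" | Out-Null
    Disable-ScheduledTask -TaskName "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" | Out-Null
    Write-Host("Done.")
}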
# Sets each listed service to startup type Disabled and then force-stops it.
# Nothing is suppressed here: a service name that does not exist on the
# running build produces an error for both cmdlets and the loop moves on.
# NOTE(review): the list trades functionality for attack-surface reduction.
# Smart-card (SCardSvr, ScDeviceEnum), biometric (WbioSrvc), remote-access
# (RasMan, SstpSvc), Hyper-V guest (vmic*) and diagnostic (DPS, WerSvc)
# services are all switched off; review the list against how the machine is
# actually used before running it.
function DisableServices(){
    #################################################################
    Write-Warning 'Disabling Unneeded Windows services...'
    $unneededServices = @(
        'lmhosts',                  # TCP/IP NetBIOS Helper
        #'wlidsvc',                 # Microsoft Account Sign-in Assistant
        'SEMgrSvc',                 # Payments NFC/SE Manager
        'tzautoupdate',             # Auto Time Zone Updater
        'AppVClient',               # Microsoft App-V Client
        'RemoteRegistry',           # Remote Registry
        'shpamsvc',                 # Shared PC Account Manager
        'WwanSvc',                  # WWAN AutoConfig
        'PushToInstall',            # Windows PushToInstall Service
        'spectrum',                 # Windows Perception Service
        'icssvc',                   # Windows Mobile Hotspot Service
        'wisvc',                    # Windows Insider Service
        'WerSvc',                   # Windows Error Reporting Service
        'dmwappushservice',         # Device Management Wireless Application Protocol (WAP) Push message Routing Service
        'FrameServer',              # Windows Camera Frame Service
        'WFDSConMgrSvc',            # Wi-Fi Direct Services Connection Manager Service
        'ScDeviceEnum',             # Smart Card Device Enumeration Service
        'SCardSvr',                 # Smart Card
        'PhoneSvc',                 # Phone Service
        'IpxlatCfgSvc',             # IP Translation Configuration Service
        'SharedAccess',             # Internet Connection Sharing (ICS)
        'vmicvss',                  # Hyper-V Volume Shadow Copy Requestor
        'vmictimesync',             # Hyper-V Time Synchronization Service
        'vmicrdv',                  # Hyper-V Remote Desktop Virtualization Service
        'vmicvmsession',            # Hyper-V PowerShell Direct Service
        'vmicheartbeat',            # Hyper-V Heartbeat Service
        'vmicshutdown',             # Hyper-V Guest Shutdown Service
        'vmicguestinterface',       # Hyper-V Guest Service Interface
        'vmickvpexchange',          # Hyper-V Data Exchange Service
        'HvHost',                   # HV Host Service
        'FDResPub',                 # Function Discovery Resource Publication
        'diagsvc',                  # Diagnostic Execution Service
        'autotimesvc',              # Cellular Time
        'bthserv',                  # Bluetooth Support Service
        'BTAGService',              # Bluetooth Audio Gateway Service
        'AssignedAccessManagerSvc', # AssignedAccessManager Service
        'AJRouter',                 # AllJoyn Router Service
        'lfsvc',                    # Geolocation Service
        'CDPSvc',                   # Connected Devices Platform Service
        'DiagTrack',                # Connected User Experiences and Telemetry
        'DPS',                      # Diagnostic Policy Service
        'iphlpsvc',                 # IP Helper
        'RasMan',                   # Remote Access Connection Manager
        'SstpSvc',                  # Secure Socket Tunneling Protocol Service
        'ShellHWDetection',         # Shell Hardware Detection
        'SSDPSRV',                  # SSDP Discovery
        'WbioSrvc',                 # Windows Biometric Service
        'stisvc',                   # Windows Image Acquisition (WIA)
        'MessagingService',         # Instant messaging Universal Windows Platform Service
        'PcaSvc'                    # Program Compatibility Assistant (PCA)
    )
    $unneededServices | ForEach-Object {
        # Disable first so the service cannot be restarted once it is stopped.
        Set-Service -Name $_ -StartupType 'Disabled'
        Stop-Service -Name $_ -Force
    }
    Write-Host 'Done.'
}
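# Enables TLS 1.2 for SChannel (client and server), makes it the default for
# WinHTTP and the per-user Internet Settings, and opts .NET Framework 4.x into
# strong crypto on both the 32-bit and 64-bit registry views.
# DefaultSecureProtocols / SecureProtocols = 0x800 selects TLS 1.2 only, so
# endpoints that cannot negotiate TLS 1.2 will stop working for those stacks.
# NOTE(review): '0x800' is passed as a string; this relies on Set-RegistryValue
# (not shown here) converting it to a DWORD -- confirm.
function EnableTLS1_2(){
    Write-Warning 'Enabling TLSv1.2...'
    $Path = 'Registry::HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    $Protocol = 'TLS 1.2'
    # Create the "TLS 1.2" protocol key when it is missing.
    if (!(Test-Path "$Path\$Protocol")) {
        New-Item -Path $Path -Name $Protocol -Type 'Directory' -ErrorAction 'SilentlyContinue'
    }
    $key = "$Path\$Protocol"
    Set-RegistryValue -Path $key -Name 'Client' -Type 'Directory'
    Set-RegistryValue -Path $key -Name 'Server' -Type 'Directory'
    Set-RegistryValue -Path "$key\Client" -Name "DisabledByDefault" -Value "0" -Type 'Dword'
    Set-RegistryValue -Path "$key\Client" -Name "Enabled" -Value "1" -Type 'Dword'
    Set-RegistryValue -Path "$key\Server" -Name "DisabledByDefault" -Value "0" -Type 'Dword'
    Set-RegistryValue -Path "$key\Server" -Name "Enabled" -Value "1" -Type 'Dword'
    Set-RegistryValue -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp' -Name 'DefaultSecureProtocols' -Value '0x800' -Type 'Dword'
    Set-RegistryValue -Path 'Registry::HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp' -Name 'DefaultSecureProtocols' -Value '0x800' -Type 'Dword'
    Set-RegistryValue -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name 'SecureProtocols' -Value '0x800' -Type 'Dword'
    # The value .NET reads is SchUseStrongCrypto. The original wrote
    # 'chUseStrongCrypto', a name the framework does not look up, so the
    # strong-crypto opt-in never took effect.
    Set-RegistryValue -Path 'Registry::HKLM\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type 'Dword'
    Set-RegistryValue -Path 'Registry::HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type 'Dword'
    Write-Host 'Done.'
}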
# Disables IPv6 in two places: the Tcpip6 DisabledComponents value is set to
# 0xFF, and the ms_tcpip6 binding is removed from every network adapter.
# NOTE(review): '0xFF' is passed as a string and relies on Set-RegistryValue
# converting it to a DWORD; the registry half presumably needs a reboot.
function DisableIPv6(){
    Write-Warning 'Disabling IPv6...'
    $disableStack = @{
        Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
        Name  = 'DisabledComponents'
        Value = '0xFF'   # disables IPv6 completely
        Type  = 'Dword'
    }
    Set-RegistryValue @disableStack
    # ms_tcpip6 = Internet Protocol Version 6 (TCP/IPv6)
    Disable-NetAdapterBinding -Name '*' -ComponentID 'ms_tcpip6'
    Write-Host 'Done.'
}
# Disable Wi-Fi Sense: hotspot reporting and auto-connect to Wi-Fi Sense
# hotspots are set to 0 under PolicyManager, and the two WcmSvc
# wifinetworkmanager switches are set to 0.
function DisableWiFiSense(){
    Write-Warning "Disabling Wi-Fi Sense..."
    $wifiPolicyRoot = "HKLM:\Software\Microsoft\PolicyManager\default\WiFi"
    foreach ($policyName in "AllowWiFiHotSpotReporting", "AllowAutoConnectToWiFiSenseHotspots") {
        Set-RegistryValue -Path "$wifiPolicyRoot\$policyName" -Name "Value" -Type DWord -Value 0
    }
    $wifiManagerConfig = "HKLM:\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config"
    foreach ($valueName in "AutoConnectAllowedOEM", "WiFISenseAllowed") {
        Set-RegistryValue -Path $wifiManagerConfig -Name $valueName -Type Dword -Value 0
    }
    Write-Host("Done.")
}
# Interactively sets the logon legal notice (caption and text).
# Anything other than "y"/"yes" at the first prompt leaves the notice
# untouched. At the second prompt the operator either keeps the built-in
# wording or types a custom caption and text. The chosen wording is written to
# legalnoticecaption / legalnoticetext under the System policy key, which is
# created first when it does not exist.
function SetLoginMOTD{
    $confirm = Read-Host("Set a login MOTD? [y/N]")
    $captiontext = 'UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.'
    $text = 'You must have explicit authorized permission to access or configure this device. Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties. All activities on this device are logged and monitored.'
    if (("y", "yes") -notcontains $confirm) {
        Write-Host("No MOTD set")
        return
    }

    # Show the default wording and let the operator replace it.
    Write-Host("$captiontext`n$text")
    $confirm = Read-Host("Use the default value above? [y/N]")
    if (("y", "yes") -notcontains $confirm) {
        $captiontext = Read-Host("Enter MOTD caption value")
        $text = Read-Host("Enter your MOTD")
    }

    $systemPolicyKey = 'Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if (!(Test-Path $systemPolicyKey)) {
        New-Item $systemPolicyKey
    }
    Set-ItemProperty -Path $systemPolicyKey -Name 'legalnoticecaption' -Value "$captiontext"
    Set-ItemProperty -Path $systemPolicyKey -Name 'legalnoticetext' -Value "$text"
    Write-Host("`nLogin MOTD set to:`n$captiontext`n$text")
}
# After an explicit "y"/"yes", deletes every existing shadow copy, sets the
# DisableConfig / DisableSR values under both SystemRestore keys, and disables
# the SystemRestore scheduled task. Any other answer does nothing.
# NOTE(review): this step is destructive and irreversible. It removes all
# restore points, which are a recovery path after a bad change or an
# incident, and bulk shadow-copy deletion is an action endpoint security
# tooling commonly alerts on. Expect detections and take an independent
# backup before answering yes.
function DisableSysRestore{
    $confirm = Read-Host("Disable System Restore? [y/N]")
    if (("y", "yes") -notcontains $confirm) {
        return
    }

    vssadmin delete shadows /all /Quiet | Out-Null
    Write-Host("shadow copies deleted")

    $restoreKeys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
    )
    foreach ($restoreKey in $restoreKeys) {
        foreach ($valueName in 'DisableConfig', 'DisableSR') {
            Set-RegistryValue -Path $restoreKey -Name $valueName -Value '1' -Type 'Dword'
        }
    }
    Disable-ScheduledTask -TaskName "\Microsoft\Windows\SystemRestore\SR"
    Write-Host("System Restore Disabled")
}
# Writes Flags = 506 to the current user's StickyKeys accessibility key to
# turn off the Sticky Keys keyboard shortcut.
# NOTE(review): Windows normally stores this value as a string (REG_SZ);
# confirm that writing it with type Dword is honoured.
function DisableStickyKeys{
    Write-Warning("Disabling Sticky Keys..")
    $stickyKeys = @{
        Path  = 'HKCU:\Control Panel\Accessibility\StickyKeys'
        Name  = 'Flags'
        Value = '506'
        Type  = 'Dword'
    }
    Set-RegistryValue @stickyKeys
    Write-Host("Done.")
}
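# Make sure the script is run with Administrator privileges
# NOTE(review): IsAdmin and Get-Folder are not defined in the part of the
# script shown here; they must be loaded before this point.
if (-Not (IsAdmin))
{
    Write-Warning("The script must be executed with Administrator privileges")
    return
}
# Let the user choose the registry backup destination directory
$regBckpDir = Get-Folder(Get-Location)
if (!$regBckpDir)
{
    Write-Warning("You must select a directory to save the .reg files")
    return
}
# Remove existing backup files
Remove-Item -Path (Join-Path $regBckpDir '*.reg')
# Perform a backup of the interested Registry Hives
# The exports are the only rollback path for the changes below, so each one is
# verified through reg.exe's exit code and the run stops if a hive could not
# be saved. The original printed "saved successfully" unconditionally.
# NOTE(review): exported hives hold machine and user configuration; keep the
# backup directory readable by administrators only.
Write-Host("Backing up registry hives..")
foreach ($hive in 'HKLM', 'HKCU', 'HKCR') {
    $regFile = Join-Path $regBckpDir ("{0}.reg" -f $hive.ToLower())
    reg export $hive $regFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning("$hive export failed (reg.exe exit code $LASTEXITCODE); stopping before any setting is changed")
        return
    }
    Write-Host("$hive saved successfully")
}
Write-Host("Done.")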
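# Hardening sequence. Each step prints its own progress.
# NOTE(review): FlushCaches, DisableNetworks, DisableNetSecProtocols,
# RDP_hardening, FirewallHardening, DisableScheduledTasks, Misc, Set-UACLevel,
# ConfigureWinDef and SetPasswordPolicy are not defined in the part of the
# script shown here. If they are not loaded from elsewhere, those steps fail
# with "command not found" while the remaining steps still run, leaving the
# machine only partially hardened.
# NOTE(review): DisableAutoPlayRun, DisableFindMyDevice,
# DisableWinInsiderProgram, DisablePicturePassword,
# EnableEnhancedFaceSpoofingProtection and EnableTLS1_2 are defined above but
# never called in this sequence.

# Flush caches
FlushCaches
# Disable unneeded network connections
DisableNetworks
# Disable unsafe network security protocols and enable TLS 1.2
DisableNetSecProtocols
# Disable IPv6
DisableIPv6
# Disable the SMB Server
DisableSMBServer
# Disable Sharing MappedDrives
DisableSharingMappedDrives
# Disable any Admin Share
DisableAdminShares
# Disable the LLMNR Protocol
DisableLLMNR
# Disable NetBios
DisableNetBios
# Hardening RDP
RDP_hardening
# Remove Unneeded Apps
RemoveApps
# Stop and Disable Unneeded Services
DisableServices
# Disable WiFi-Sense
DisableWiFiSense
# Disable Telemetry
DisableTelemetry
# Enable SmartScreen (the function turns the filter on, not off)
EnableSmartScreen
# Disable WebSearch
DisableWebSearch
# Disable background application access
DisableBackgroundApps
# Disable Feedback
DisableFeedback
# Disable Adv. ID
DisableAdvertisingID
# Disables Sticky keys
DisableStickyKeys
# Windows Firewall hardening
FirewallHardening
# Scheduled Tasks Hardening
DisableScheduledTasks
# Mixed Privacy & Security Features
Misc
# Disable System Restore (interactive; asks before doing anything)
DisableSysRestore
# Set login screen MOTD (interactive)
SetLoginMOTD
# Set UAC Level to High
Write-Warning 'Setting UAC level to High...'
# Set the UAC level to the maximum value
Set-UACLevel 3
Write-Host 'Done.'
# Enable and Configure Windows Defender
# NOTE(review): $NoAV is not assigned anywhere in the visible script, so this
# branch always runs unless the variable is set by the caller or a param block.
if(!$NoAV){
    ConfigureWinDef
}
# Set user password restrictions
SetPasswordPolicy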
# Enforce Exploit Mitigation settings (System-level only)
# Set-ProcessMitigation -System -Enable DEP, CFG, BottomUp, SEHOP, TerminateOnError, HighEntropy, ForceRelocateImages
# Enable Memory Integrity -- Core Isolation Win10
#Set-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" -Name "Enabled" -Value 1 -Type Dword
# Restart the device
# The execution policy is set back to Restricted before the answer is
# evaluated, so it applies whether or not the machine restarts.
# NOTE(review): the prompt reads "(Y/n)", but only an explicit y / yes
# restarts; pressing Enter does not. -contains compares case-insensitively,
# so "Y" and "YES" are accepted as well.
Write-Warning 'Hardening has finished successfully. Would you like to restart now?'
$UserResponse = Read-Host -Prompt '(Y/n)'
Set-ExecutionPolicy restricted
if (@('y', 'yes') -contains $UserResponse) {
    # -Confirm asks once more before the reboot actually happens.
    Restart-Computer -Confirm
}
else {
    Write-Host 'Not restarting. Please restart device soon.'
}