# Enable Windows Firewall on every profile.
# (The same setting is applied a second time further down in this script, under "Service Tweaks"; redundant but harmless.)
$firewallProfiles = @('Domain', 'Public', 'Private')
Set-NetFirewallProfile -Profile $firewallProfiles -Enabled True

# SMB server hardening - requires an elevated session.
# Parameters shared by every Set-SmbServerConfiguration call below.
$smbCommon = @{ Confirm = $false; Verbose = $true }

## Require SMB signing and encrypt all SMB traffic.
## Caveat: -EncryptData $True demands SMB 3.x encryption on every share, so SMB 2.x/1 clients (and anything that
## cannot negotiate SMB3 encryption) are rejected. This only covers the *server* side; the client-side equivalent
## is Set-SmbClientConfiguration -RequireSecuritySignature, which this script does not set.
Set-SmbServerConfiguration @smbCommon -RequireSecuritySignature $True -EnableSecuritySignature $True -EncryptData $True

## Stop creating the automatic administrative shares (C$, ADMIN$, ...) on workstations.
Set-SmbServerConfiguration @smbCommon -AutoShareWorkstation $False

## Disable the SMB1 server (legacy protocol without the signing/encryption guarantees above).
Set-SmbServerConfiguration @smbCommon -EnableSMB1Protocol $false
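# NTLM: LmCompatibilityLevel 5 = "Send NTLMv2 response only. Refuse LM & NTLM".
# The original comment described level 5 but the value written was 4 (refuse LM only, NTLMv1 still accepted when
# this host authenticates accounts itself). 5 is what the comment intends and what hardening baselines ask for.
# Written as an explicit REG_DWORD so the value type does not depend on whether the value already existed.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LmCompatibilityLevel" -Type DWord -Value 5 -Verbose

# Restricted Admin mode for RDP (DisableRestrictedAdmin = 0). This is also the prerequisite on the remote host
# for Windows Defender Remote Credential Guard, which is what the original comment refers to.
# Trade-off to be aware of: with Restricted Admin mode available, a client can authenticate to this host over RDP
# with only an NTLM hash (mstsc /restrictedadmin, i.e. pass-the-hash to RDP). Pair it with Remote Credential Guard
# on the clients and Protected Users / NTLM restrictions rather than treating it as a hardening step on its own.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Type DWord -Value 0 -Verbose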
# Configuring 'Application Identity' (AppLocker)
# The Application Identity service is what evaluates AppLocker rules. Starting it enforces nothing by itself:
# an AppLocker (or WDAC) policy with actual rules still has to be deployed to this host.
# NOTE(review): on recent Windows 10/11 builds changing this service's start type through Set-Service may be
# refused (access denied); the sc.exe form kept in the trailing comments is the documented way to do it - verify
# on the target build.
Set-Service -Name AppIDSvc -StartupType Automatic -Verbose # sc.exe config appidsvc start= auto
Start-Service -Name AppIDSvc -Verbose # sc.exe start appidsvc
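# Scripting Hardening #

# Disable Windows Script Host (wscript.exe / cscript.exe), which runs .vbs, .vbe, .js, .jse and .wsf scripts.
# (.hta files are executed by mshta.exe, not WSH, so they are NOT covered by this setting; block mshta.exe via
# AppLocker/WDAC if that is a concern.)
# The "Settings" key does not exist on a default install, so create it before writing the value.
$wshSettings = "HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings"
if (-not (Test-Path $wshSettings)) {
    New-Item -Path $wshSettings -Force -Verbose | Out-Null
}
Set-ItemProperty -Path $wshSettings -Name "Enabled" -Type DWord -Value 0 -Verbose

# Remove the PowerShell 2.0 engine (no script block logging, AMSI or constrained language mode; `powershell -version 2`
# is the classic downgrade path). -NoRestart so an unattended run is not interrupted; a reboot is needed at the end anyway.
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart -Verbose

# Force PowerShell into ConstrainedLanguageMode through the __PSLockDownPolicy machine environment variable.
# Written as REG_SZ: entries under the Environment key are only surfaced as environment variables when they are
# REG_SZ/REG_EXPAND_SZ, so the original REG_DWORD write would not have been picked up on a machine where the value did
# not already exist. CAVEAT: Microsoft documents __PSLockDownPolicy as a testing aid, not a security boundary; the
# supported way to get Constrained Language Mode is an enforced WDAC or AppLocker policy. Keep it as defence in depth only.
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Session Manager\Environment" -Name "__PSLockDownPolicy" -Type String -Value "4" -Verbose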
# Activating Microsoft Protection - Defender
# Re-enable the core Defender engines in a single call (same end state as four separate Set-MpPreference calls):
# real-time scanning, script scanning, the network inspection system and behaviour monitoring.
# NOTE(review): when Tamper Protection is on, Defender may refuse preference changes made from a local script - check
# Get-MpPreference afterwards rather than trusting the verbose output.
$defenderPreferences = @{
    DisableRealtimeMonitoring        = $false
    DisableScriptScanning            = $false
    DisableIntrusionPreventionSystem = $false
    DisableBehaviorMonitoring        = $false
}
Set-MpPreference @defenderPreferences -Verbose
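# Disable LLMNR (multicast name resolution is the classic local spoofing / NTLM-capture vector, e.g. Responder).
# Bugs fixed versus the original: the existence check tested "KLM:\..." (missing "H") so it could never succeed, and
# New-ItemProperty created a *value* named DNSClient on the "Windows NT" key instead of the DNSClient *key*, so the
# Set-ItemProperty that followed failed on any host where the policy key was not already present.
$dnsClientPolicy = "HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient"
if (-not (Test-Path $dnsClientPolicy)) {
    New-Item -Path $dnsClientPolicy -Force -Verbose | Out-Null
}
Set-ItemProperty -Path $dnsClientPolicy -Name "EnableMulticast" -Type DWord -Value 0 -Verbose

# Disable NetBIOS over TCP/IP (NBT-NS name resolution) on every interface; NetbiosOptions 2 = disabled.
# Only interfaces that exist now are touched - re-run after adding NICs / VPN adapters.
$netbtInterfaces = "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"
Get-ChildItem -Path $netbtInterfaces | ForEach-Object {
    Set-ItemProperty -Path $_.PSPath -Name "NetbiosOptions" -Type DWord -Value 2 -Verbose
}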
# Exploit guard configuration - https://github.com/palantir/exploitguard/blob/master/configureBaseMachine.ps1
# System-wide defaults: DEP, bottom-up ASLR, CFG and SEHOP, plus blocking DLL loads from remote (UNC) paths,
# non-system fonts and extension-point DLLs (AppInit_DLLs, winlogon notification packages, ...).
# These apply to every process that has no override of its own; software that loads DLLs from file shares will break.
Write-Host "Setting Process mitigations protection in ExploitGuard..."
Set-ProcessMitigation -System -Enable DEP,BottomUp,CFG,SEHOP,BlockRemoteImageLoads,DisableNonSystemFonts,DisableExtensionPoints

# Per-process mitigation profiles. The flags per process are identical to the original one-line-per-process list;
# they are grouped here only so the differences between applications are visible at a glance.
$auditBaseline = @('DEP', 'BottomUp', 'CFG', 'AuditRemoteImageLoads', 'AuditLowLabelImageLoads', 'SEHOP', 'AuditChildProcess')
$memoryFilters = @('EnableExportAddressFilter', 'EnableExportAddressFilterPlus', 'EnableImportAddressFilter')
$ropChecks     = @('EnableRopStackPivot', 'EnableRopCallerCheck', 'EnableRopSimExec', 'TerminateOnError')

$documentHandlers = $auditBaseline + 'ForceRelocateImages' + $memoryFilters + $ropChecks   # Office apps, browsers, PDF readers
$pluginHosts      = $auditBaseline + $memoryFilters + $ropChecks                           # same set without mandatory ASLR
$mediaPlayer      = $auditBaseline + $ropChecks                                            # wmplayer: no EAF/IAF
# groove.exe (legacy OneDrive for Business client): remote image loads are blocked rather than audited and
# child processes are forbidden rather than audited.
$grooveProfile = @('DEP', 'BottomUp', 'ForceRelocateImages', 'CFG', 'BlockRemoteImageLoads', 'AuditLowLabelImageLoads', 'SEHOP') +
                 $memoryFilters + $ropChecks + 'DisallowChildProcessCreation'

$processProfiles = [ordered]@{
    'outlook.exe'          = $documentHandlers
    'winword.exe'          = $documentHandlers
    'excel.exe'            = $documentHandlers
    'powerpnt.exe'         = $documentHandlers
    'visio.exe'            = $documentHandlers
    'pptview.exe'          = $documentHandlers
    'groove.exe'           = $grooveProfile
    'onedrive.exe'         = $pluginHosts
    'iexplore.exe'         = $documentHandlers
    'microsoftedge.exe'    = $documentHandlers
    'chrome.exe'           = $auditBaseline
    'AcroRd32.exe'         = $documentHandlers
    'acrobat.exe'          = $documentHandlers
    'firefox.exe'          = $documentHandlers
    'slack.exe'            = $auditBaseline
    'quip.exe'             = $auditBaseline
    'zoom.exe'             = $auditBaseline
    'mspub.exe'            = $pluginHosts
    'msaccess.exe'         = $pluginHosts
    'lync.exe'             = $pluginHosts
    'fltldr.exe'           = $pluginHosts
    'infopath.exe'         = $pluginHosts
    'wordpad.exe'          = $pluginHosts
    'plugin-container.exe' = $pluginHosts
    'java.exe'             = $pluginHosts
    'javaw.exe'            = $pluginHosts
    'javaws.exe'           = $pluginHosts
    'wmplayer.exe'         = $mediaPlayer
}
foreach ($processName in $processProfiles.Keys) {
    Set-ProcessMitigation -Name $processName -Enable $processProfiles[$processName]
}
# Restrict Windows Update P2P only to local network
Write-Host "Restricting Windows Update P2P only to local network..."
# Delivery Optimization download mode 1 = peer only with devices on the same LAN (no Internet peering).
# NOTE(review): these are the Settings-app keys. A GPO/MDM policy under
# HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization (DODownloadMode) would take precedence - confirm which
# one is managed in your environment. The HKCU write lands in the hive of the (elevated) account running this script,
# not necessarily the end user's.
$doMachineRoot   = "HKLM:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization"
$doMachineConfig = Join-Path $doMachineRoot "Config"
$doUserRoot      = "HKCU:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization"

foreach ($keyPath in @($doMachineRoot, $doMachineConfig, $doUserRoot)) {
    if (-not (Test-Path $keyPath)) {
        New-Item -Path $keyPath -Verbose | Out-Null
    }
}
Set-ItemProperty -Path $doMachineConfig -Name "DODownloadMode" -Type DWord -Value 1 -Verbose
# Per-user value that appears to back the choice shown in Settings > Delivery Optimization.
Set-ItemProperty -Path $doUserRoot -Name "SystemSettingsDownloadMode" -Type DWord -Value 3 -Verbose
# Stop and disable Diagnostics Tracking Service
# CAVEAT: "DiagTrack" (Connected User Experiences and Telemetry) is also the channel Microsoft Defender for Endpoint
# uses to report sensor data. Disabling it on an MDE-onboarded machine silences EDR telemetry - skip this step on
# managed endpoints, or at least confirm with the SOC first.
Write-Host "Stopping and disabling Diagnostics Tracking Service..."
Stop-Service "DiagTrack"
Set-Service "DiagTrack" -StartupType Disabled
# Stop and disable WAP Push Service (dmwappushservice: routes WAP push messages used by device management)
# NOTE(review): this service is needed for some MDM enrollment flows - confirm before disabling on Intune-managed devices.
Write-Host "Stopping and disabling WAP Push Service..."
Stop-Service "dmwappushservice"
Set-Service "dmwappushservice" -StartupType Disabled
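# ------------------- #
##########
# Service Tweaks
##########
$systemPolicies = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# Raise UAC level: ConsentPromptBehaviorAdmin 1 = administrators must enter *credentials* on the secure desktop
# (stricter than the default consent click); PromptOnSecureDesktop 1 = the prompt runs on the secure desktop,
# so other windows cannot draw over or automate it.
Set-ItemProperty -Path $systemPolicies -Name "ConsentPromptBehaviorAdmin" -Type DWord -Value 1 -Verbose
Set-ItemProperty -Path $systemPolicies -Name "PromptOnSecureDesktop" -Type DWord -Value 1 -Verbose

# Disable sharing mapped drives between the elevated and non-elevated tokens of the same user
# (removing EnableLinkedConnections restores the default, which is "not shared").
Remove-ItemProperty -Path $systemPolicies -Name "EnableLinkedConnections" -Verbose -ErrorAction SilentlyContinue

# Enable Firewall (all profiles; the same setting is also applied at the top of this script).
Set-NetFirewallProfile -Profile * -Enabled True

# Enable Windows Defender: make sure no policy disables it.
# The policy key is absent on machines that were never managed, so create it before writing - otherwise the
# Set-ItemProperty below fails. NOTE(review): Microsoft documents DisableAntiSpyware as deprecated/ignored on current
# Windows 10/11 clients (it still matters on servers and older builds); removing a stray "1" is the useful part here.
$defenderPolicy = "HKLM:\Software\Policies\Microsoft\Windows Defender"
if (-not (Test-Path $defenderPolicy)) {
    New-Item -Path $defenderPolicy -Force -Verbose | Out-Null
}
Remove-ItemProperty -Path $defenderPolicy -Name "DisableAntiSpyware" -Verbose -ErrorAction SilentlyContinue
Set-ItemProperty -Path $defenderPolicy -Name "DisableAntiSpyware" -Type DWord -Value 0 -Verbose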
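# Disable Windows Update automatic restart
Write-Host "Disabling Windows Update automatic restart..."
# UxOption 1 = "Notify to schedule restart" instead of restarting on its own.
# Create the key if absent so the write does not fail on a fresh image.
$wuUxSettings = "HKLM:\Software\Microsoft\WindowsUpdate\UX\Settings"
if (-not (Test-Path $wuUxSettings)) {
    New-Item -Path $wuUxSettings -Force -Verbose | Out-Null
}
Set-ItemProperty -Path $wuUxSettings -Name "UxOption" -Type DWord -Value 1 -Verbose

# Disable Remote Assistance (fAllowToGetHelp 0 = this machine cannot be controlled through Remote Assistance invitations).
Write-Host "Disabling Remote Assistance..."
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Remote Assistance" -Name "fAllowToGetHelp" -Type DWord -Value 0 -Verbose

# Disable Remote Desktop
# Kept commented out on purpose: RDP is disabled for workstations later in this script (ProductType check), and servers
# keep it on. If RDP stays enabled anywhere, requiring NLA (UserAuthentication = 1 on RDP-Tcp) is the line to take from here.
#Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Type DWord -Value 1 -Verbose
#Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -Type DWord -Value 1 -Verbose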
# ------------- #
##########
# Applications settings
##########
# Force DEP to always on for every application (available options are: AlwaysOff, AlwaysOn, OptIn, OptOut)
# AlwaysOn removes the ability of individual executables to opt out of DEP; some legacy software breaks. Boot setting,
# takes effect after reboot.
Write-Host "Turning on DEP for all applications."
bcdedit /set nx AlwaysON
Write-Host "Enable Exception Write-Protection SEHOP"
# DisableExceptionChainValidation 0 = SEHOP enabled system-wide (the per-process SEHOP flag is also set by the
# Exploit Guard section above).
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel" -Name "DisableExceptionChainValidation" -Value 0 -Verbose
# Disable NetBios (Forces File Sharing over port 445 DirectSMB/stops various worms.)
# NOTE(review): netbt is a kernel-mode driver, so "sc.exe stop" on it normally fails while loaded; the start-type change
# still applies at next boot. NetBIOS name resolution is already disabled per interface (NetbiosOptions = 2) earlier in
# this script; disabling the whole driver additionally breaks anything that still depends on NetBIOS (legacy printers,
# NAS browsing) - confirm before applying fleet-wide.
Write-Host "Disabling Outdated NetBIOS Protocol..."
sc.exe config netbt start= disabled
sc.exe stop netbt
# Enable Superfetch and Prefetch (value 3 = enabled for both boot and application launch).
# Not a hardening setting as such, but Prefetch files (C:\Windows\Prefetch\*.pf) are a standard execution-evidence
# source in incident response, so keeping them on has forensic value.
Write-Host "Enabling Superfetch and Prefetch..."
$prefetchParams = "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters"
foreach ($valueName in 'EnableSuperfetch', 'EnablePrefetcher') {
    Set-ItemProperty -Path $prefetchParams -Name $valueName -Value 3 -Verbose
}
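Write-Host "Upgrading TCP Security..."
# TCP/IP stack hardening (the classic Microsoft KB 324270 "harden the TCP/IP stack against DoS" value set).
# Bugs fixed versus the original:
#  * the key was mistyped as "Tcpip\Parameter" (the real key is "Tcpip\Parameters"), so every value below was written to
#    a bogus key and never took effect;
#  * the KB values are hexadecimal (TcpMaxHalfOpen 0x64 = 100, TcpMaxHalfOpenRetried 0x50 = 80) whereas literals such as
#    00000064 / 00000050 are *decimal* in PowerShell, so the wrong limits were written;
#  * every value is now an explicit REG_DWORD.
# NOTE(review): SynAttackProtect / TcpMaxHalfOpen* / EnableDeadGWDetect were documented for the pre-Vista stack and are
# believed to be ignored by the current one (SYN-flood protection is built in). Source routing, ICMP redirects, IP
# forwarding and NetBIOS name release are still honoured as far as I can tell; verify on the target OS version.
$tcpipParams = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
if (-not (Test-Path $tcpipParams)) {
    New-Item -Path $tcpipParams -Verbose | Out-Null
}
$tcpipHardening = [ordered]@{
    IPEnableRouter         = 0          # never forward packets between interfaces
    EnableICMPRedirect     = 0          # ignore ICMP redirects (route-table poisoning)
    SynAttackProtect       = 2          # legacy SYN-flood protection level
    TcpMaxHalfOpen         = 0x64       # 100 half-open connections before SYN protection engages
    TcpMaxHalfOpenRetried  = 0x50       # 80 retried half-open connections
    DisableIPSourceRouting = 2          # drop all source-routed packets
    NoNameReleaseOnDemand  = 1          # ignore NetBIOS name-release requests (name hijacking)
    EnableDeadGWDetect     = 0          # do not fail over to another gateway on a few lost packets
    KeepAliveTime          = 0x000493E0 # 300000 ms = 5 minutes
}
foreach ($entry in $tcpipHardening.GetEnumerator()) {
    Set-ItemProperty -Path $tcpipParams -Name $entry.Key -Type DWord -Value $entry.Value -Verbose
}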
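# Enable NTFS Last-Access Timestamp (useful for forensic timelines; costs a little I/O).
Write-Host "Enabling NTFS Last-Access Timestamps..."
# NOTE(review): on Windows 10 1803+ this value also carries a "system managed" bit (0x80000000); writing 0 selects
# "user managed, updates enabled". Confirm with `fsutil behavior query disablelastaccess`.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name "NtfsDisableLastAccessUpdate" -Type DWord -Value 0 -Verbose

# Force High Level of Remote Desktop Encryption and TLS Authentication.
Write-Host "Requiring Strong Remote Desktop Encryption if enabled... And forcing TLS Authentication"
$rdpTcp = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
# MinEncryptionLevel 3 = "High" (128-bit); SecurityLayer 2 = TLS is required for server authentication.
Set-ItemProperty -Path $rdpTcp -Name "MinEncryptionLevel" -Type DWord -Value 3 -Verbose
Set-ItemProperty -Path $rdpTcp -Name "SecurityLayer" -Type DWord -Value 2 -Verbose
# Added: require Network Level Authentication (the line the original left commented out). TLS alone still exposes
# the logon screen - and any pre-authentication RDP bug - to unauthenticated clients; NLA moves authentication in
# front of the session. Clients without CredSSP support will no longer be able to connect.
Set-ItemProperty -Path $rdpTcp -Name "UserAuthentication" -Type DWord -Value 1 -Verbose

# Enable safe DLL search order (system directories are searched before the current directory).
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Session Manager" -Name "SafeDllSearchMode" -Type DWord -Value 1 -Verbose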
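# If it's a workstation (Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server)
if ((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
    # Disable inbound RDP entirely on workstations.
    Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Type DWord -Value 1 -Verbose
}

# Enforce Hypervisor-protected Code Integrity (HVCI, "Memory integrity" in Core isolation; restart required).
# The Scenarios\HypervisorEnforcedCodeIntegrity key does not exist until the feature has been toggled once, so it is
# created (with parents) instead of letting Set-ItemProperty fail. The original also wrote a value named
# "HypervisorEnforcedCodeIntegrity" on the Scenarios key itself; I could find no documented meaning for it, so it is dropped.
# NOTE(review): HVCI needs virtualization extensions enabled in firmware and HVCI-compatible drivers; incompatible drivers
# stop loading after the reboot - test on the target hardware before rolling out.
$hvciKey = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"
if (-not (Test-Path $hvciKey)) {
    New-Item -Path $hvciKey -Force -Verbose | Out-Null
}
Set-ItemProperty -Path $hvciKey -Name "Enabled" -Type DWord -Value 1 -Verbose
Write-Host "Restart required to enable code integrity - core isolation!" -ForegroundColor Yellow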
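# List active (enabled) local user accounts on this computer for manual review (unexpected local admins, leftover
# vendor/service accounts). Get-CimInstance replaces the deprecated Get-WmiObject, matching the rest of this script.
Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount=True AND Disabled=False"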
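# Search for unquoted service binary paths and quote them. Classic local privilege escalation: an unquoted
# C:\Program Files\Vendor App\svc.exe lets anyone who can write C:\ or C:\Program Files plant C:\Program.exe.
# Fixes versus the original:
#  * only the executable is quoted. The original wrapped the *entire* PathName in quotes, which breaks every service
#    started with arguments (e.g. `svchost.exe -k netsvcs`) because the whole string becomes the executable name;
#  * the check no longer depends on the path containing "Program " - any unquoted executable path with whitespace is fixed;
#  * the registry path is built with Join-Path instead of an unquoted interpolation.
$servicesRoot = "HKLM:\SYSTEM\CurrentControlSet\Services"
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notlike '"*' } |
    ForEach-Object {
        $service = $_
        # Split "<path to .exe><optional arguments>" at the first ".exe"; spaces in the arguments are left alone.
        if ($service.PathName -match '^(?<exe>.+?\.exe)(?<args>\s.*)?$') {
            $exePath = $Matches.exe
            $exeArgs = [string]$Matches.args
            if ($exePath -match '\s') {
                $quotedPath = '"' + $exePath + '"' + $exeArgs
                # ImagePath is REG_EXPAND_SZ for services; keep that type when rewriting it.
                Set-ItemProperty -Path (Join-Path $servicesRoot $service.Name) -Name ImagePath -Type ExpandString -Value $quotedPath -Verbose
                sc.exe qc $service.Name
            }
        }
    }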
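# Search for files and folders that low-privileged principals can write to (DLL-planting / service-binary replacement
# candidates). Output is for manual review; nothing is changed. Full-disk recursion - this is slow.
# Fixes versus the original:
#  * `-Path C:` means "the current directory on drive C:", not the drive root; `C:\` is what was intended;
#  * matching the *rendered* Get-Acl text was fragile (the Access column is truncated in the default view). The ACEs
#    are inspected directly instead;
#  * BUILTIN\Users, Authenticated Users and INTERACTIVE are reported as well as Everyone - for a standard-user attacker
#    they are just as interesting.
# NOTE(review): rights that are only expressed as generic access masks render as numbers and are not matched here.
$broadPrincipals = '^(Everyone|NT AUTHORITY\\Authenticated Users|BUILTIN\\Users|NT AUTHORITY\\INTERACTIVE)$'
$writeRights     = 'Write|FullControl|Modify|CreateFiles'
Get-ChildItem -Path 'C:\' -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $item = $_
    $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -match $broadPrincipals -and
            $ace.FileSystemRights.ToString() -match $writeRights) {
            [pscustomobject]@{
                Path     = $item.FullName
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
}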
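# Limit the number of cached domain logon verifiers kept on this host (each one is an offline-crackable secret for
# whoever obtains the SECURITY hive). CachedLogonsCount is documented as REG_SZ, so it is written as a string;
# the original wrote an integer, which becomes REG_DWORD when the value does not already exist.
# Caveat: 1 means only the most recently logged-on domain user can sign in while off-network (laptops);
# common baselines allow up to 4.
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "CachedLogonsCount" -Type String -Value "1" -Verbose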
# If it's a Domain Controller (Win32_OperatingSystem.ProductType 2)
# NOTE(review): this block contains only commented-out code and therefore does nothing; the author marked it
# "Doesn't work". Defects to fix if it is revived: $AES128 / $AES256 are never defined (the
# msDS-SupportedEncryptionTypes bits are 0x8 = AES128_CTS_HMAC_SHA1_96 and 0x10 = AES256_CTS_HMAC_SHA1_96);
# the property is read back as "msDS-SupportedEncryptionType" (missing the trailing "s"), so $encTypes would
# always be $null; and Get-ADUser/Set-ADUser need the ActiveDirectory module. Also, enabling AES on accounts does not
# by itself stop Kerberoasting - it only removes the fast-to-crack RC4 (etype 23) tickets once RC4 is disabled as well.
if ((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 2) { # Doesn't work
# Not tested. Checking AES encryption - preventing kerberos attack
#$Users = Get-ADUser -Filter * -Properties "msDS-SupportedEncryptionTypes"
#foreach($User in $Users)
#{
# # If none are currently supported, enable AES256
# $encTypes = $User."msDS-SupportedEncryptionType"
# if(($encTypes -band $AES128) -ne $AES128 -and ($encTypes -band $AES256) -ne $AES256)
# {
# Set-ADUser $User -Replace @{"msDS-SupportedEncryptionTypes"=($encTypes -bor $AES256)}
# }
#}
}