Last active
February 14, 2023 17:52
MDT Script Series: Decrapify most of Windows 10 settings in terms of privacy and usability + enable policy settings for PDQ Deploy without domain.
# Note: Some inspiration was taken from here: https://gist.github.com/ThaddeusAid/55a137fb48fc01594eca4e89a025b456 | |
# Activate Remote Desktop.
# Only fDenyTSConnections is written here (0 = connections no longer denied).
# Nothing in this section sets Network Level Authentication or limits which
# users/hosts may connect - review those settings separately before the
# machine is reachable from untrusted networks.
$terminalServerKey = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
reg add $terminalServerKey /v fDenyTSConnections /t REG_DWORD /d 0 /f
# Enable PDQ Deploy to find the computer without domain.
# The firewall values below go into the policy hive for the standard
# (non-domain) profile; the last command changes a UAC setting.
$fwStandardProfile = "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile"

# File and printer sharing exception.
# NOTE(review): RemoteAddresses is written as an empty string, so no source
# scope is stated here - confirm the scope you intend (for example LocalSubnet
# or the deployment server's address). Windows PowerShell may also drop an
# empty argument handed to a native command; verify the value is really written.
REG add "$fwStandardProfile\Services\FileAndPrint" /f /v Enabled /t REG_DWORD /d 1
REG add "$fwStandardProfile\Services\FileAndPrint" /f /v RemoteAddresses /t REG_SZ /d ""

# ICMP exceptions, each set to 1 (allowed).
# NOTE(review): this allows every ICMP type listed, including redirect,
# timestamp, mask and router requests, not only echo. Trim the list if the
# deployment tool only needs ping - confirm against its requirements.
$icmpSettings = @(
    'AllowOutboundParameterProblem'
    'AllowOutboundSourceQuench'
    'AllowOutboundTimeExceeded'
    'AllowRedirect'
    'AllowOutboundPacketTooBig'
    'AllowOutboundDestinationUnreachable'
    'AllowInboundRouterRequest'
    'AllowInboundTimestampRequest'
    'AllowInboundEchoRequest'
    'AllowInboundMaskRequest'
)
foreach ($icmpSetting in $icmpSettings) {
    REG add "$fwStandardProfile\IcmpSettings" /f /v $icmpSetting /t REG_DWORD /d 1
}

# LocalAccountTokenFilterPolicy=1 switches off UAC remote restrictions: local
# administrator accounts that log on over the network get a full, unfiltered
# administrator token. Presumably this is what lets PDQ Deploy administer a
# workgroup machine with a local account. The trade-off is that a local admin
# password shared between machines is then valid for remote administration on
# all of them - use a unique local admin password per machine.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1
# Disable first logon animation (machine-wide policy value, set to 0).
$systemPolicyKey = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
reg add $systemPolicyKey /v EnableFirstLogonAnimation /t REG_DWORD /d 0 /f
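# Disable Suggested Apps, Feedback, Lockscreen Spotlight.
# All three values live in the same per-user ContentDeliveryManager key.
# Fixes relative to the earlier version of this section:
#   - two of the three paths were missing the "Windows" segment, so the values
#     landed in a key Windows does not read;
#   - SoftLandingEnabled was written into a sub-key named after itself;
#   - the lock screen value name is RotatingLockScreenEnabled (with the "d");
#   - the trailing backslash before the closing quote is gone.
# NOTE(review): these are HKCU writes, so they only affect the account that
# runs the script - confirm that is the account you mean to configure.
Write-Host "***Disabling Suggested Apps, Feedback, Lockscreen Spotlight***"
$contentDeliveryKey = "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager"
foreach ($valueName in 'SystemPaneSuggestionsEnabled', 'SoftLandingEnabled', 'RotatingLockScreenEnabled') {
    reg add $contentDeliveryKey /v $valueName /t REG_DWORD /d 0 /f
}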
# Disable One Drive
Write-Host "***Disabling OneDrive...***"

# Machine-wide policy: both file-sync switches are set to 1.
$oneDrivePolicyKey = "HKLM\Software\Policies\Microsoft\Windows\OneDrive"
foreach ($policyValue in 'DisableFileSyncNGSC', 'DisableFileSync') {
    reg add $oneDrivePolicyKey /v $policyValue /t REG_DWORD /d 1 /f
}

# Per-user StartupApproved entry for OneDrive; presumably the binary blob marks
# the startup item as disabled - confirm. Applies to the running account only.
$startupApprovedKey = "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run"
reg add $startupApprovedKey /v OneDrive /t REG_BINARY /d 0300000021B9DEB396D7D001 /f
# Disable telemetry
Write-Host "***Disabling telemetry...***"

# One entry per registry value; all are REG_DWORD and written machine-wide.
# NOTE(review): DontOfferThroughWUAU=1 stops the Malicious Software Removal
# Tool from being offered through Windows Update. That is a protective tool,
# not a telemetry source - consider leaving it out unless there is a reason.
# NOTE(review): AllowTelemetry=0 is, as far as I know, only honoured on some
# Windows editions - verify the effective level on the target edition.
$telemetrySettings = @(
    @{ Key = "HKLM\Software\Policies\Microsoft\Windows\DataCollection";          Name = "AllowTelemetry";                   Data = 0 }
    @{ Key = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata";   Name = "PreventDeviceMetadataFromNetwork"; Data = 1 }
    @{ Key = "HKLM\SOFTWARE\Policies\Microsoft\MRT";                             Name = "DontOfferThroughWUAU";             Data = 1 }
    @{ Key = "HKLM\SOFTWARE\Policies\Microsoft\SQMClient\Windows";               Name = "CEIPEnable";                       Data = 0 }
    @{ Key = "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat";               Name = "AITEnable";                        Data = 0 }
    @{ Key = "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat";               Name = "DisableUAR";                       Data = 1 }
)
foreach ($setting in $telemetrySettings) {
    reg add $setting.Key /v $setting.Name /t REG_DWORD /d $setting.Data /f
}
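# Set Windows 10 privacy options
# One machine-wide policy value followed by per-user (HKCU) values.
# Compared with the earlier version of this section, the two DeviceAccess
# entries that were listed twice are written once, and the reg.exe arguments
# follow one order (/v /t /d /f) throughout.
# NOTE(review): the HKCU values only affect the account running the script.
Write-Host "***Setting Windows 10 privacy options...***"
reg add "HKLM\Software\Policies\Microsoft\Windows\AppPrivacy" /v LetAppsAccessAccountInfo /t REG_DWORD /d 2 /f

$userCurrentVersion = "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion"

reg add "$userCurrentVersion\AdvertisingInfo" /v Enabled /t REG_DWORD /d 0 /f
# NOTE(review): EnableWebContentEvaluation=0 appears to switch off the
# SmartScreen check of web content used by Store apps. That is a protection,
# not a privacy leak in the usual sense - confirm this trade-off is intended.
reg add "$userCurrentVersion\AppHost" /v EnableWebContentEvaluation /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v Enabled /t REG_DWORD /d 0 /f
reg add "HKCU\Control Panel\International\User Profile" /v HttpAcceptLanguageOptOut /t REG_DWORD /d 1 /f

# Device access classes set to DENY for the current user. The script does not
# label the GUIDs; look each one up before relying on what it blocks.
$deviceAccessClasses = @(
    '{BFA794E4-F964-4FDB-90F6-51056BFE4B44}'
    '{E5323777-F976-4f5b-9B55-B94699C46E44}'
    '{2EEF81BE-33FA-4800-9670-1CD474972C3F}'
    '{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}'
    '{D89823BA-7180-4B81-B50C-7E471E6121A3}'
    '{992AFA70-6F47-4148-B3E9-3003349C1548}'
    '{A8804298-2D5F-42E3-9531-9C8C39EB29CE}'
    'LooselyCoupled'
)
foreach ($deviceClass in $deviceAccessClasses) {
    reg add "$userCurrentVersion\DeviceAccess\Global\$deviceClass" /v Value /t REG_SZ /d DENY /f
}

reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v AcceptedPrivacyPolicy /t REG_DWORD /d 0 /f
reg add "$userCurrentVersion\SettingSync\Groups\Language" /v Enabled /t REG_DWORD /d 0 /f

# Input personalization: restrict implicit text/ink collection, stop contact harvesting.
$inputPersonalizationKey = "HKCU\SOFTWARE\Microsoft\InputPersonalization"
reg add $inputPersonalizationKey /v RestrictImplicitTextCollection /t REG_DWORD /d 1 /f
reg add $inputPersonalizationKey /v RestrictImplicitInkCollection /t REG_DWORD /d 1 /f
reg add "$inputPersonalizationKey\TrainedDataStore" /v HarvestContacts /t REG_DWORD /d 0 /f

reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v NumberOfSIUFInPeriod /t REG_DWORD /d 0 /f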
# Disable Cortana
Write-Host "***Disabling Cortana and Bing search...***"

# Machine-wide policy switch.
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f

# Per-user search settings, all set to 0 (current account only).
$userSearchKey = "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search"
foreach ($searchValue in "CortanaEnabled", "SearchboxTaskbarMode", "BingSearchEnabled") {
    reg add $userSearchKey /v $searchValue /t REG_DWORD /d 0 /f
}
# Disable delivery optimization - I don't see why we should disable this, loads Windows Updates from other peer computers. | |
#write-Host "***Disabling delivery optimization...***" | |
#reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /t REG_DWORD /v DODownloadMode /d 0 /f | |
#reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v "DownloadMode" /t REG_DWORD /d 0 /f | |
#reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization" /t REG_DWORD /v SystemSettingsDownloadMode /d 3 /f | |
#reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v "DODownloadMode" /t REG_DWORD /d 0 /f | |
# Disable a couple of scheduled tasks and services
Write-Host "***Disabling scheduled tasks...***"

# Not disabled (kept commented out, as in the original list):
#schtasks /Change /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /Disable
#schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
#schtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable
#schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable

# Tasks that are disabled, in the original order.
$tasksToDisable = @(
    "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
    "Microsoft\Windows\Customer Experience Improvement Program\Consolidator"
    "Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask"
    "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"
)
foreach ($taskName in $tasksToDisable) {
    schtasks /Change /TN $taskName /Disable
}

Write-Host "***Stopping and disabling diagnostics tracking services, Onedrive sync service, various Xbox services, Distributed Link Tracking, and Windows Media Player network sharing (you can turn this back on if you share your media libraries with WMP)...***"

# Each service is stopped first, then its startup type is set to Disabled.
# Get-Service reports an error for any name that does not exist on the machine.
$servicesToDisable = 'Diagtrack', 'DmwApPushService', 'OneSyncSvc', 'XblAuthManager', 'XblGameSave', 'XboxNetApiSvc', 'TrkWks', 'WMPNetworkSvc'
Get-Service -Name $servicesToDisable |
    Stop-Service -PassThru |
    Set-Service -StartupType Disabled
# Remove built-in apps, keeping only packages whose name matches the calculator.
# The first pipeline enumerates packages with -AllUsers but calls
# Remove-AppxPackage without that switch; the second removes the provisioned
# copies from the running image so new profiles do not get them.
# NOTE(review): the only exclusion is the calculator, so every other package
# returned is a removal candidate. Consider an explicit list of what to remove
# (or keep) so that components you still depend on are not swept up - verify
# on a test image first.
$keepPattern = "*Microsoft.WindowsCalculator*"

Get-AppxPackage -AllUsers |
    Where-Object { $_.Name -notlike $keepPattern } |
    Remove-AppxPackage

Get-AppxProvisionedPackage -Online |
    Where-Object { $_.PackageName -notlike $keepPattern } |
    Remove-AppxProvisionedPackage -Online

exit
Thanks for sharing. I've written my own powershell script thanks to this script. I've since found a few errors with yours...
In this section you forgot the Windows part of the registry key path....
Should be...
And in the "Set Windows 10 privacy options" section you have some duplicates.
Also, in several sections the order of the reg.exe add parameters differs, and some names are in quotes while others are not. Registry key Names don't need quotes since they never have white-space.
Some advice: use variables to reduce repetitive typing of registry key paths. Example:
And finally, a question. Why did you use reg.exe commands instead of New-ItemProperty commands? This is a powershell script, not a batch file, so no need to invoke reg.exe to add registry keys.
Same with disabling scheduled tasks, you can do more powershell and less batch file-ness. Example: