The setting is actually Windows components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled folder access.
Before this there are several BIOS settings you should adjust.
- turn Secure Boot on and disable the third-party Microsoft UEFI CA, which is for Linux.
- turn virtualization-related settings on.
- turn Thunderbolt-related security settings to the highest level.
- set a BIOS password.
- only boot your hard drive and disable all other items in the boot sequence settings.
- turn on TPM and set Pluton as default if you have it.
Let's return to the policy. This policy contains several IMPORTANT settings. The settings in this policy cannot easily be reverted to their default status.
- Secure Boot and DMA protection. If your laptop shipped after 2018, set it to Secure Boot and DMA protection.
- VBS aka code integrity. Most hardware is compatible with it. Set it to on/on with UEFI lock. UEFI lock means this setting is written to your BIOS rather than only the system (Windows). Also turn on Require UEFI Memory Attributes Table.
- Credential Guard. Set it to on/on with UEFI lock.
- Secure Launch aka System Guard Secure Launch aka firmware protection. SMM protection is included in Secure Launch. This requires an Intel vPro CPU. If your device is compatible, turn it on.
- Hardware-enforced stack protection. Requirements. If your device is compatible, turn it on.
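An added verification script, not part of this thread or any Microsoft baseline file: run from an elevated PowerShell after the reboot, it reads the Win32_DeviceGuard WMI class (the same data the Core isolation page shows) together with the Secure Boot and TPM cmdlets, so you can see which of the settings above are configured by policy but not actually running. It assumes a UEFI Windows 10/11 machine with the SecureBoot and TrustedPlatformModule modules present; the numeric code tables are the documented ones for that class.

```powershell
# Added example (not from the original thread). Requires an elevated prompt.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard

# Documented value maps for Win32_DeviceGuard (numeric code -> meaning).
$vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
$services  = @{
    1 = 'Credential Guard'
    2 = 'HVCI (memory integrity / code integrity)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
    5 = 'Kernel-mode Hardware-enforced Stack Protection'
    6 = 'Kernel-mode Hardware-enforced Stack Protection (audit mode)'
    7 = 'Hypervisor-Enforced Paging Translation'
}
$properties = @{
    1 = 'Hypervisor support'
    2 = 'Secure Boot'
    3 = 'DMA protection'
    4 = 'Secure Memory Overwrite'
    5 = 'UEFI code read-only'
    6 = 'SMM security mitigations 1.0'
    7 = 'Mode-based execution control'
    8 = 'APIC virtualization'
}

# Keys are Int32 in the hashtables; the WMI values are unsigned, so cast.
"VBS status: $($vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus])"
"Platform security properties available:"
$dg.AvailableSecurityProperties | ForEach-Object { "  - " + $properties[[int]$_] }
"Security services configured by policy:"
$dg.SecurityServicesConfigured  | ForEach-Object { "  - " + $services[[int]$_] }
"Security services actually running:"
$dg.SecurityServicesRunning     | ForEach-Object { "  - " + $services[[int]$_] }

# Configured-but-not-running usually means a BIOS prerequisite is off
# (virtualization, Secure Boot, DMA protection) or a reboot is still pending.
$notRunning = $dg.SecurityServicesConfigured |
              Where-Object { $_ -notin $dg.SecurityServicesRunning }
if ($notRunning) {
    "Configured but NOT running: " +
        (($notRunning | ForEach-Object { $services[[int]$_] }) -join ', ')
}

# Firmware-side checks for the BIOS items listed above.
"Secure Boot enabled: $(Confirm-SecureBootUEFI)"
$tpm = Get-Tpm
"TPM present / ready: $($tpm.TpmPresent) / $($tpm.TpmReady)"
```

If "Secure Boot" or "DMA protection" is missing from the available properties list, fix the BIOS side first; the policy cannot enable what the firmware does not expose.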
Open the xlsx file and you can see that this policy is for domain-joined devices. These settings are in red in the xlsx file.
see above
I do not know about this.
There is a baseline file for this. It's in baseline.zip/scripts/configfiles/ep-reset.xml. Configure the policy Windows components > Windows Defender Exploit Guard > Exploit Protection > Use a common set of exploit protection settings to use the xml.
This answer of mine contains all of the related settings that may not be in the security baseline, and privacy settings like RTLFB.
any examples?
See above. The baseline suggests UEFI memory table.
Did you throw the admx and adml files into the correct place before applying the baseline? I agree with sha123 here. There are quite a lot of privacy-related settings in Edge.
Can you explain this more clearly? Have you tried rebooting? What is it like before and after setting it to default? Did you click OK after changing the settings? Check the status of the VBS-related settings in the Windows Defender app > Device security > Core isolation.