Instructions on Hardening Windows (What I Have Learnt So Far)

Disclaimer: I have no knowledge in this field, therefore, I have certainly missed steps, or done steps incorrectly, so please feel free to correct me. Furthermore, make sure you understand the purposes of the recommended settings before applying them (you can always revert individual settings). Please feel free to suggest edits to this post so I can add more information on the purpose of each setting and the impact of each setting on your system, as well as formatting advice.

Shout out to @anon34108895 and @sha123.


1. Before applying the security baseline you need to do the following:

  • Navigate to the Microsoft Edge for Business download page.

  • Click on ‘Download Windows 64-bit Policy’. Please note that this is different from the main download button located above it.

  • After downloading, extract the ‘MicrosoftEdgePolicyTemplates.cab’ file. This will create a file named ‘MicrosoftEdgePolicyTemplates.zip’.

  • Open the ‘MicrosoftEdgePolicyTemplates.zip’ file.

  • Navigate to the following path within the zip file: MicrosoftEdgePolicyTemplates.zip > windows > admx > msedge.admx.

  • Move the ‘msedge.admx’ file to your C:\Windows\PolicyDefinitions folder.

  • Next, find the file at this path: MicrosoftEdgePolicyTemplates.zip > windows > admx > (your locale code) > msedge.adml.

  • Move the ‘msedge.adml’ file to your C:\Windows\PolicyDefinitions\(your locale code) folder.

  • Download the Administrative Template files (ADMX/ADML) and Office Customization Tool for Microsoft 365 Apps for enterprise, Office 2019, and Office 2016.

  • Click the big blue download button.

  • Find the ‘admintemplates_x64_5423.1000_en-us.exe’ file, open it, accept the conditions, then choose a folder for it to extract files there. For example, you can choose the ‘Downloads’ folder.

  • It will create two side-by-side folders named ‘admin’ and ‘admx’.

  • Open the ‘admx’ folder and copy all the files with the format ‘something16.admx’ over to the C:\Windows\PolicyDefinitions folder.

  • Similarly, for the language-specific files, navigate to the ‘admx > (your locale code)’ folder within the ‘admin’ folder.

  • Copy all the ‘something16.adml’ files to your C:\Windows\PolicyDefinitions\(your locale code) folder.

I am using Fluent Reader to subscribe to the Microsoft Security Baselines Blog articles (use the URL and click ‘add source’ in Fluent Reader), where updates to the security baselines are posted by Microsoft. However, I do not know whether I have the time to update these baselines and apply them again.


2. Apply the Windows security baselines.

  • Warning: Baselines affect hundreds of settings, but you can create a recovery point before proceeding with the following steps!
  1. Download the ‘Windows 11 v23H2 Security Baseline.zip’, ‘Microsoft Edge v117 Security Baseline.zip’ and ‘Microsoft 365 Apps for Enterprise 2306.zip’ and ‘LGPO.zip’ files from here.
  • I will show you how to apply the ‘Windows 11 v23H2 Security Baseline’ below; the steps are the same for the ‘Microsoft Edge v117 Security Baseline.zip’ and ‘Microsoft 365 Apps for Enterprise 2306.zip’ files.

  • Begin by unzipping both the ‘LGPO.zip’ and ‘Windows 11 v23H2 Security Baseline.zip’ files.

  • In the unzipped LGPO file, navigate to LGPO_30 > LGPO.exe.

  • Copy the LGPO.exe file to Windows 11 v23H2 Security Baseline > Scripts > Tools.

  • Open Windows PowerShell as an administrator.

  • Change the directory to the Scripts folder in the Windows 11 v23H2 Security Baseline file by typing:

cd 'C:\Users\Redacted\Downloads\Windows 11 v23H2 Security Baseline\Windows 11 v23H2 Security Baseline\Scripts'
  • Set the execution policy to unrestricted for the current process by typing:
Set-ExecutionPolicy -Scope Process Unrestricted
  • You will be prompted with a message about the execution policy change. Respond with Y to confirm the change.

  • Run the Baseline-LocalInstall.ps1 script with the -Win11NonDomainJoined parameter (if your device is not connected to a domain [which I don’t know what this is to be honest]) by typing:

.\Baseline-LocalInstall.ps1 -Win11NonDomainJoined
  • You will receive a security warning. Respond with R to run the script once.

  • Leave PowerShell open and repeat the steps above for the other two baselines: ‘Microsoft Edge v117 Security Baseline.zip’ and ‘Microsoft 365 Apps for Enterprise 2306.zip’.

  • Once you have finished applying the three baselines, open PowerShell as an administrator and type in the following to set the execution policy for the LocalMachine scope to AllSigned:

Set-ExecutionPolicy -ExecutionPolicy AllSigned
  • Now, press Enter. You will be prompted with a message about the execution policy change. Respond with Y to confirm the change.

3. The baseline configuration will disable Controlled Folder Access, setting it to Audit Mode. If you want to change this setting to Block, you can do so manually.

  • Open the Group Policy Management Editor.

  • Navigate to Computer Configuration and select Administrative Templates.

  • Expand the tree to the following path:

Windows components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled folder access
  • Double-click on the Configure Controlled folder access setting.

  • In the options, set it to Enabled.

  • This will enable the Controlled Folder Access setting in Microsoft Defender. Please note that this might restrict access to protected folders by applications, which can affect their functionality.

  • After applying the baseline, there is an additional step you should take. There is a specific file for this in the baseline package.

  • Locate the file ep-reset.xml in the following path within the baseline package:

Windows 11 v23H2 Security Baseline.zip/scripts/configfiles/ep-reset.xml
  • You need to configure a policy to use this XML file. In the Group Policy Management Editor, navigate to the following path:
Windows components > Windows Defender Exploit Guard > Exploit Protection > Use a common set of exploit protection settings
  • Configure this policy to use the ep-reset.xml file.

  • This will apply a common set of exploit protection settings across your system, enhancing its security. Please note that changes to security settings can have significant impacts on your system. Always ensure you understand the changes you’re making, and consider backing up your system before making any modifications. If you’re unsure, seek assistance from a professional.


4. Important settings:

  • Before adjusting the Virtualization Based Security policy, there are several BIOS settings you should modify:

  • Secure Boot: Turn this on and (if applicable) disable the third-party Microsoft UEFI CA which is for Linux.

  • Virtualization Settings: Turn these on (this was @anon34108895’s advice, I have no idea what these are specifically).

  • Thunderbolt Security Settings: Set these to the highest level (again, if applicable I couldn’t find these).

  • BIOS Password: Set a BIOS password.

  • Boot Sequence Settings: Only boot your hard drive and disable all other items (if applicable, I couldn’t find these).

  • TPM: Turn on TPM and set Pluton as default if you have it (if applicable, I couldn’t find these).

  • After adjusting the BIOS settings, navigate to the policy by clicking Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security. This policy contains several important settings that cannot be easily reverted to default status:

  • Secure Boot and DMA Protection: If your laptop was shipped after 2018, set it to Secure Boot and DMA Protection.

  • VBS (Code Integrity): Most hardware is compatible with this. Set it to on/on with UEFI lock. UEFI lock means this setting is written to your BIOS rather than only the system (Windows). Also, turn on Require UEFI Memory Attributes Table.

  • Credential Guard: Set it to on/on with UEFI lock.

  • Secure Launch (System Guard Secure Launch/Firmware Protection): SMM protection is included in secure launch. This requires an Intel vPro CPU. If your device is compatible, turn it on.

  • Hardware Enforced Stack Protection: If your device is compatible, turn it on.


5. Turning on Smart App Control without using Windows Defender settings:

  • First, install the WDAC Wizard on your system.

  • Open the WDAC Wizard and follow these steps:

    Select ‘Policy Creator’.
    Choose ‘Base Policy’.
    Select ‘Signed and Reputable Mode’.
    Under ‘Policy Rules’, disable ‘Audit Mode’.
    Under ‘File Rules’, check ‘Merge and the 2 rules’.

  • Once done, click ‘Finish’.

  • Find the .cip file you created (it should be in your Documents folder). Open an administrator command prompt and execute the following command:

$PolicyBinary = "C:\Users\YourUsername\Documents\{BF7C2699-87B0-4A61-B0D5-EED077419032}.cip"
CiTool --update-policy $PolicyBinary -json
  • Replace YourUsername with your actual username.

  • If you need to disable the WDAC policy, use the following command:

CiTool.exe -rp "{BF7C2699-87B0-4A61-B0D5-EED077419032}" -json
  • Note: WDAC might not be suitable for everyone due to its strict control over applications. Please consider your needs and system requirements before enabling it.

6. Apply additional measures as recommended by @anon34108895:

  • Configuring Attack Surface Reduction Rules:

  • In the Group Policy Editor, navigate to the following path:

Windows components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack surface reduction > Configure Attack Surface Reduction rules
  • This policy should already be enabled by the security baseline. Then, click the ‘Show’ option next to ‘See the state for each ASR rule’. You will see 13 lines there. Add these 3 lines:
56a863a9-875e-4185-98a7-b882c64b5ce5
d1e49aac-8f56-4280-b9ba-993a6d77406c
01443614-cd74-433a-b99e-2ecdc07bfc25
  • Then, change the value of all 16 lines from 1 to 6. These rules warn you when you are about to perform an action that may infect your PC. You can only continue to execute the potentially dangerous operation if you click ‘allow’.

  • Securing your Intel CPU:

  • If your CPU is Intel, execute the following commands in an administrator command prompt or PowerShell:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v RetsPredictedFromRsbOnly /t REG_DWORD /d 1 /f
  • These settings may slow down your PC a bit but will make your PC more secure against some CPU exploits.

  • Some more recommended settings:

  • Open the command prompt as an administrator.

  • Execute the following commands:

setx /M MP_FORCE_USE_SANDBOX 1
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config" /v EnableCertPaddingCheck /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config" /v EnableCertPaddingCheck /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\OLELinkConversionFromOLESTREAMToIStorage" /v Disabled /t REG_DWORD /d 1 /f

Below are what the commands do:

setx /M MP_FORCE_USE_SANDBOX 1
  • This command sets the environment variable MP_FORCE_USE_SANDBOX to 1.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 0 /f
  • This command disables the LocalAccountTokenFilterPolicy.
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f
  • This command disables the DisableRestrictedAdmin policy.
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config" /v EnableCertPaddingCheck /t REG_DWORD /d 1 /f
  • This command enables the EnableCertPaddingCheck policy.
reg add "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config" /v EnableCertPaddingCheck /t REG_DWORD /d 1 /f
  • This command enables the EnableCertPaddingCheck policy for 32-bit applications on 64-bit platforms.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\OLELinkConversionFromOLESTREAMToIStorage" /v Disabled /t REG_DWORD /d 1 /f
  • This command disables the OLELinkConversionFromOLESTREAMToIStorage policy.

Windows privacy

  • Just like the Windows security baselines you can apply the Windows Restricted Traffic Limited Functionality Baseline, however, not all settings within this baseline are recommended. Which settings to apply and not to apply is a work in progress for me. We will need more discussion on this matter.

Well done! Congratulations :slight_smile:

8 Likes
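As an added example (not part of the post above), here is a read-only PowerShell check of the state sections 2 to 6 are meant to leave behind: VBS/HVCI/Credential Guard actually running, the ASR rules at action 6 (Warn) with the three extra rule ids present, Controlled Folder Access in Block mode, the CPU mitigation registry values and the AllSigned execution policy. The expected values come from the post; the cmdlets and the Win32_DeviceGuard class are standard Windows APIs, and the function names are mine.

```powershell
# Added example, not from the original post: read back what sections 2-6 should have set.
# Run in an elevated PowerShell after applying the baselines. Nothing here changes settings.
# Expected values (16 ASR rules at 6 = Warn, the three ids from section 6, CFA = 1 (Block),
# FeatureSettingsOverride 72 / Mask 3, ExecutionPolicy AllSigned) are taken from the post.

$PostAsrRuleIds = @(
    '56a863a9-875e-4185-98a7-b882c64b5ce5',
    'd1e49aac-8f56-4280-b9ba-993a6d77406c',
    '01443614-cd74-433a-b99e-2ecdc07bfc25'
)

function Get-VbsCheck {
    # Win32_DeviceGuard reports what is actually running, not only what policy requested.
    # VirtualizationBasedSecurityStatus: 0 off, 1 enabled but not running, 2 running.
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        Check  = 'VBS running (section 4)'
        Pass   = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        Detail = "VBS=$($dg.VirtualizationBasedSecurityStatus) CredGuard=$($dg.SecurityServicesRunning -contains 1) HVCI=$($dg.SecurityServicesRunning -contains 2)"
    }
}

function Get-AsrCheck {
    # Get-MpPreference shows the effective (policy-merged) rule list.
    # Actions: 0 disabled, 1 block, 2 audit, 6 warn.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $notWarn = @()
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($actions[$i] -ne 6) { $notWarn += "$($ids[$i])=$($actions[$i])" }
    }
    # The three rule ids the post adds on top of the baseline's 13
    $missing = @($PostAsrRuleIds | Where-Object { $ids -notcontains $_ })
    [pscustomobject]@{
        Check  = 'ASR: 16 rules, all Warn, 3 extra ids present (section 6)'
        Pass   = ($ids.Count -eq 16 -and $notWarn.Count -eq 0 -and $missing.Count -eq 0)
        Detail = "rules=$($ids.Count) notWarn=[$($notWarn -join ' ')] missing=[$($missing -join ' ')]"
    }
}

function Get-CfaCheck {
    # EnableControlledFolderAccess: 0 disabled, 1 block, 2 audit (the baseline default, section 3)
    $cfa = (Get-MpPreference).EnableControlledFolderAccess
    [pscustomobject]@{ Check = 'Controlled Folder Access = Block (section 3)'; Pass = ($cfa -eq 1); Detail = "mode=$cfa" }
}

function Get-CpuMitigationCheck {
    # The two Memory Management values written by the reg add commands in section 6
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = 'FeatureSettingsOverride 72 / Mask 3 (section 6)'
        Pass   = ($p.FeatureSettingsOverride -eq 72 -and $p.FeatureSettingsOverrideMask -eq 3)
        Detail = "override=$($p.FeatureSettingsOverride) mask=$($p.FeatureSettingsOverrideMask)"
    }
}

function Get-ExecutionPolicyCheck {
    # Section 2 ends by setting the LocalMachine scope back to AllSigned
    $ep = Get-ExecutionPolicy -Scope LocalMachine
    [pscustomobject]@{ Check = 'ExecutionPolicy LocalMachine = AllSigned (section 2)'; Pass = ($ep -eq 'AllSigned'); Detail = "$ep" }
}

function Test-HardeningState {
    # One row per check; a False in Pass points at the section to revisit
    @(Get-VbsCheck; Get-AsrCheck; Get-CfaCheck; Get-CpuMitigationCheck; Get-ExecutionPolicyCheck)
}

Test-HardeningState | Format-Table -AutoSize -Wrap
```

A VBS value of 1 with CredGuard or HVCI False usually means the policy applied but the hardware prerequisites (Secure Boot, virtualization in the BIOS) from section 4 are not met yet.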

Thank you very much. You’ve done great work. I’d like to make it more complete.
0.(before section 1) hardware security and out-of-box-experience

  • Choose a secured-core PC that has a long support lifetime. The Microsoft Surface for Business series is the best in this respect.
  • Choose a PC with Microsoft Pluton.
  • Create a Windows 11 23H2 Enterprise image and perform a clean install.
  • Delete all partitions during the install. Select your region to EEA and allow optional diagnostic data. Use a local account instead of a Microsoft account.
  • After OOBE, turn on Smart App Control (Windows Security Centre-App&browser control-Smart App Control settings).
  • Update Windows, firmware and drivers only through Windows Update, the OEM website and the vendor website. Do not use third-party tools to update drivers.
  • Check for software updates regularly with winget upgrade in the command prompt.

0.1 Activate Windows Enterprise
Do not use third-party software or scripts. There are basically 2 ways: KMS and MAK.
KMS: Open an administrator command prompt and execute the following command:

cd "c:\windows\system32"
cscript slmgr.vbs /skms input.your.kms.server.here
cscript slmgr.vbs /ato

MAK: Open an administrator command prompt and execute the following command:

cd "c:\windows\system32"
cscript slmgr.vbs /ipk input-your-mak-key-here
cscript slmgr.vbs /ato

4. Secure Boot and DMA Protection: If your laptop was shipped before 2018, set it to Secure Boot and turn on:
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Disable new DMA devices when this computer is locked
5. If you have turned on SAC during OOBE, skip section 5. In 5.5, adjust the command according to your real file path and file name. Do not modify the filename or the file manually. Learn more: Understand Windows Defender Application Control (WDAC) policy rules and file rules. Use multiple Windows Defender Application Control Policies.
6. Add this one: turn off Remote Assistance. In the search box on the taskbar, type remote assistance, and then select Allow Remote Assistance invitations to be sent from this computer from the list of results. Then, on the Remote tab, unselect the Allow Remote Assistance connections to this computer check box, and then select OK.
Securing your AMD CPU (it seems not all the mitigations can be applied to AMD CPUs at the same time. Reference.)

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v RetsPredictedFromRsbOnly /t REG_DWORD /d 1 /f

7. Do not join your personal PC to a domain. Avoid Microsoft accounts and Work/School accounts unless it’s a must.
8. Turn BitLocker on (Windows Security Centre > Device security > Data encryption). Before that, set:

**Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption**> Choose drive encryption method and cipher strength=256 bit
**Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives**> Require additional authentication at startup=uncheck, allow, allow, allow
**Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives**> Allow enhanced PINs for startup=enabled

Set a comprehensive PIN for your BitLocker. Encrypt all the space of your disk.
9. Windows Defender (Windows Security Centre).
In the UI:

**Windows Security Settings -> Virus & threat protection** > turn on every item.
Windows Security Settings -> Firewall and network protection > (your network type) > Block all inbound connections.
Windows Security Settings -> App & browser control > Reputation-based protection > turn on every item
Windows Security Settings -> App & browser control > Exploit protection > System settings > turn on every item

10. Account Security
Consider using a standard local account for daily tasks. I’m not doing this because it’s impractical for me. Use a YubiKey as the local account 2FA method.
11. App sandbox.

  • Only open untrusted files and executables in Windows Sandbox. Use the search bar on the taskbar and type Turn Windows Features on or off to access the Windows Optional Features tool. Select Windows Sandbox and then OK. Restart the computer if you’re prompted.
  • Download apps from the Microsoft Store when possible. However, if the app has the Access all your files, peripheral devices, apps, programs, and registry permission, it’s not sandboxed.

12. Developer mode
In the UI: Settings-System-Developer Options, turn off developer mode, remote desktop and powershell settings. Turn on all file explorer settings.

13. Some future security features: Win32 app isolation and adminless Windows.
14. Windows Privacy
14.1 Cortana and Search
Uninstall Cortana. Uninstall Bing search if you can. In Computer Configuration > Administrative Templates > Windows Components > Search, disable Allow Cortana and Allow search and Cortana to use location; enable Do not allow web search and Don’t search the web or display web results in Search.
14.2 Insider Preview
Do not enroll in Insider Preview. Check Settings > Update & security > Windows Insider Program to make sure you are not participating in it.
14.3 Microsoft Account
Disable logging in with an MS account in the Windows system (you can still log in to apps like Mail and the Microsoft Store): Enable Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Block Microsoft accounts = The user can’t add or sign in with a Microsoft account.
14.4 Preinstalled apps
Uninstall OneDrive, News, Weather, Money, Sports, Twitter, Xbox, Sway, OneNote, Get Office, Get Skype, Sticky Notes if you do not use them.
14.5 Settings > Privacy & security
Turn off all items in General, Speech, Inking, Diagnostics and Activity History. Adjust app permissions using the remaining settings.
To turn off diagnostic data: Computer Configuration\Administrative Templates\Windows Components\Data Collection And Preview Builds\Allow Telemetry = Disallow/Security/0
To turn off Cloud Content: Computer Configuration > Administrative Templates > Windows Components > Cloud Content, enable all 4 policies; User Configuration > Administrative Templates > Windows Components > Cloud Content, enable Do not use diagnostic data for tailored experiences.
To turn off Windows Error Reporting: Computer Configuration > Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting (Enabled)
14.6 Software Protection Platform (You can opt out of sending KMS client activation data to Microsoft automatically)
Enable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > Software Protection Platform > Turn off KMS Client Online AVS Validation.
14.7 Sync. Windows Sync is not end-to-end encrypted. Turn this off in the UI: Settings > Accounts > Sync your settings
To turn off Message Sync: Computer Configuration > Administrative Templates > Windows Components > Messaging, set Allow Message Service Cloud Sync to Disabled, and open an administrator command prompt and run:
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Messaging" /v CloudServiceSyncEnabled /t REG_DWORD /d 0 /f
14.8 Teredo
To turn off Teredo, enable the Group Policy: Computer Configuration > Administrative Templates > Network > TCPIP Settings > IPv6 Transition Technologies > Set Teredo State and set it to Disabled State.
14.9 Windows Defender
Turn off Malicious Software Reporting Tool (MSRT) diagnostic data
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MRT" /v DontReportInfectionInformation /t REG_DWORD /d 1 /f
Turn off Windows Defender error reporting: Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus > Reporting > Configure Watson events (Disabled)
14.9.1 SmartScreen
Settings-apps-Advanced app settings- Choose where to get apps-Anywhere
14.10 Delivery Optimization
Enable the Download Mode Group Policy under Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization and set the Download Mode to “Simple Mode (99)” to prevent traffic between peers as well as traffic back to the Delivery Optimization Cloud Service.
14.11 Widgets
Computer Configuration > Administrative Templates > Windows Components > Widgets . Set Allow Widgets value to Disabled .
14.12 Recommendations
Settings- Personalization > Start turn off 4 settings.
14.13 Wi-Fi MAC randomization
Settings > Network and Internet > WLAN > Turn on Random hardware addresses
Settings > Network and Internet > WLAN > (your network) properties > Random hardware addresses > enabled (never change)/change every day
14.14 Hide username on lock screen
Enable Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Don’t display last signed-in and Interactive logon: Don’t display username at sign-in.
Also Settings > Accounts > Sign-in options > display detailed account info on lock screen.
14.15 Others

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v "EnableFeeds" /t REG_DWORD /d 0 /f
setx /M DOTNET_CLI_TELEMETRY_OPTOUT 1
setx /M POWERSHELL_TELEMETRY_OPTOUT 1
setx /M MSEDGEDRIVER_TELEMETRY_OPTOUT 1

14.16 Windows Spotlight
Enable the following Group Policy User Configuration > Administrative Templates > Windows Components > Cloud Content > Turn off all Windows spotlight features
Enable the following Group Policy Computer Configuration > Administrative Templates > Windows Components > Cloud Content > Turn off cloud optimized content
15 Edge Privacy
If you do not use Edge, uninstall it.
15.1 Microsoft Account
Computer Configuration > Administrative Templates > Microsoft Edge > Browser sign-in settings:Enabled;Disable browser sign-in
Computer Configuration > Administrative Templates > Microsoft Edge > Configure whether a user always has a default profile automatically signed in with their work or school account=Disabled
15.2 edge://settings/profiles
Microsoft Rewards:off
Profile Preferences:all off
Share browser data with… :off
15.3 edge://wallet/settings:all off
15.4 edge://settings/privacy
tracking protection:strict
what to clear every time you close the browser: all
“Do Not Track”:on
allow to be checked payment methods:off
Security: on; strict mode .
everything else:off
15.5 edge://settings/sidebar:all off. turn off App specific settings one by one.
15.6 edge://settings/startHomeNTP
Preload:off
new tab page:layout=custom, quick links=off, content=off
15.7 edge://settings/shareCopyPaste
plain text; checked
15.8 edge://settings/content/cookies
block third-party cookies; do not preload
15.9 edge://settings/languages
turn off writing assistance and share additional os region format
15.10 Edge security&privacy policies
Computer Configuration > Administrative Templates > Microsoft Edge > Configure browser process code integrity guard setting: enabled, forced
Computer Configuration > Administrative Templates > Microsoft Edge > Application Guard settings>Application Guard Traffic Identification disabled
Computer Configuration > Administrative Templates > Microsoft Edge >Enables default browser settings campaigns disabled
Computer Configuration > Administrative Templates > Microsoft Edge >Edge 3P SERP Telemetry Enabled disabled
Computer Configuration > Administrative Templates > Microsoft Edge >Enable online OCSP/CRL checks enabled
Computer Configuration > Administrative Templates > Microsoft Edge >Enable network prediction Don’t predict network actions on any network connection
Computer Configuration > Administrative Templates > Microsoft Edge >Enable the network service sandbox enabled
Computer Configuration > Administrative Templates > Microsoft Edge > Configure Automatic HTTPS=All navigations delivered over HTTP are switched to HTTPS
Computer Configuration > Administrative Templates > Microsoft Edge >Microsoft Edge built-in PDF reader powered by Adobe Acrobat enabled enabled
Computer Configuration > Administrative Templates > Microsoft Edge >Secure mode and Certificate-based Digital Signature validation in native PDF reader enabled
Computer Configuration > Administrative Templates > Microsoft Edge > Content settings>Choose whether users can receive customized background images and text, suggestions, notifications, and tips for Microsoft services disabled
Computer Configuration > Administrative Templates > Microsoft Edge >Restrict exposure of local IP address by WebRTC=Use TCP unless proxy server supports UDP. This doesn’t expose the local IP address
16. Office Privacy
16.1 Install Office LTSC 2021
Office LTSC does not require a Microsoft Account. Download the Office Deployment Tool and extract it. Create a config file without logging in. Open an elevated command prompt:
setup /download your-created-config-file.xml
16.2 Activation
KMS:In an admin command prompt

cd "c:\Program Files\Microsoft Office\Office16"
cscript ospp.vbs /sethst:your.kms.server.here
cscript ospp.vbs /act

MAK: input your MAK key when creating the config file.
16.3 Disable Microsoft account
Administrative Templates (Users)>Microsoft Office 2016>Miscellaneous> Block signing into Office
16.4 Privacy settings
Administrative Templates (Users)>Microsoft Office 2016>\Privacy\Trust Center> Configure the level of client software diagnostic data sent by Office to Microsoft=neither
Administrative Templates (Users)>Microsoft Office 2016>\Privacy\Trust Center> Allow the use of connected experiences in Office=disabled
Administrative Templates (Users)>Microsoft Office 2016>\Privacy\Trust Center> Enable Customer Experience Improvement Program=disabled

9 Likes
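As an added example (not from the reply above), this PowerShell script reads back the BitLocker state section 8 asks for (XTS-AES 256, TPM + PIN, fully encrypted OS drive) and a handful of the privacy policies from sections 11 and 14. The cmdlets are standard Windows ones; the registry value names behind the Group Policy items are my own mapping of policy to value and are not on the page, so confirm each against the policy's Explain tab before trusting a False.

```powershell
# Added example, not from the reply above. Read-only; run in an elevated PowerShell.
# Registry paths/value names below are assumed mappings of the named policies (see lead-in),
# except the MRT and Windows Feeds values, whose reg add commands appear in sections 14.9/14.15.

function Get-OsDriveBitLockerCheck {
    # Section 8: 256-bit cipher, whole disk, TPM + PIN. KeyProtectorType 'TpmPin' is the TPM+PIN protector.
    $os    = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    [pscustomobject]@{
        Check  = '8 BitLocker OS drive: on, fully encrypted, XtsAes256, TPM+PIN'
        Pass   = ($os.ProtectionStatus -eq 'On' -and $os.VolumeStatus -eq 'FullyEncrypted' -and
                  $os.EncryptionMethod -eq 'XtsAes256' -and $types -contains 'TpmPin')
        Detail = "status=$($os.ProtectionStatus)/$($os.VolumeStatus) method=$($os.EncryptionMethod) protectors=$($types -join ',')"
    }
}

# Policy -> (registry key, value name, expected data). Assumed mappings, see lead-in.
$PrivacyPolicies = @(
    @{ Policy = '14.5 Allow Telemetry = 0';                      Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection';           Name = 'AllowTelemetry';                 Expect = 0 }
    @{ Policy = '14.5 Disable Windows Error Reporting';          Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting';  Name = 'Disabled';                       Expect = 1 }
    @{ Policy = '14.6 Turn off KMS Client Online AVS Validation'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform'; Name = 'NoGenTicket'; Expect = 1 }
    @{ Policy = '14.9 MRT DontReportInfectionInformation';       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\MRT';                             Name = 'DontReportInfectionInformation'; Expect = 1 }
    @{ Policy = '14.10 Delivery Optimization Download Mode 99';  Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization';     Name = 'DODownloadMode';                 Expect = 99 }
    @{ Policy = '14.11 Allow Widgets = Disabled';                Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Dsh';                             Name = 'AllowNewsAndInterests';          Expect = 0 }
    @{ Policy = '14.15 EnableFeeds = 0';                         Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds';           Name = 'EnableFeeds';                    Expect = 0 }
    @{ Policy = '14.3 Block Microsoft accounts';                 Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';    Name = 'NoConnectedUser';                Expect = 3 }
)

function Get-PrivacyPolicyChecks {
    foreach ($p in $PrivacyPolicies) {
        # A missing value means the policy is Not Configured, which is reported separately from a wrong value
        $actual = (Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        $detail = if ($null -eq $actual) { 'not set' } else { "value=$actual" }
        [pscustomobject]@{
            Check  = $p.Policy
            Pass   = ($null -ne $actual -and $actual -eq $p.Expect)
            Detail = $detail
        }
    }
}

function Get-TeredoCheck {
    # Section 14.8: Set Teredo State = Disabled. The cmdlet reports the effective Teredo type.
    $t = Get-NetTeredoConfiguration
    [pscustomobject]@{ Check = '14.8 Teredo disabled'; Pass = ($t.Type -eq 'Disabled'); Detail = "type=$($t.Type)" }
}

function Get-SandboxFeatureCheck {
    # Section 11: the Windows Sandbox optional feature
    $f = Get-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM'
    [pscustomobject]@{ Check = '11 Windows Sandbox feature enabled'; Pass = ($f.State -eq 'Enabled'); Detail = "state=$($f.State)" }
}

@(Get-OsDriveBitLockerCheck; Get-PrivacyPolicyChecks; Get-TeredoCheck; Get-SandboxFeatureCheck) | Format-Table -AutoSize -Wrap
```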

@jonah This guide can be a good starting point for a PG Windows guide imo. While I do not have time to write it in APA style, I can do my best to answer questions. I’m not an expert in Windows btw.

1 Like

How are you not an expert? I refuse to believe that. Surely you have a background in computer science or something? Also, we could work on making that list easier to implement and more digestible.

Great starting point! I’d just like to add that according to Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn the spotlight features have to be disabled within the first 15 minutes after install.

3 Likes

Microsoft moment

2 Likes

This is an absolutely God-Tier post.

It actually got me to sign up to the forums just so I can let you know that.

Thanks for your contribution to privacy.

5 Likes

If you are directing it to me, you are welcome and thanks for the compliment. It is basically all of @anon34108895’s recommendations and instructions, except for applying the baselines; I had to find out how to do that myself, and it was torture! I also wrote the instructions (except for some smaller parts which @anon34108895 wrote) and then ran them through Bing Chat, which is already not ideal, but so far so good!

Is this a joke, are we speed running this? :rofl:

edit:
0.1 For kms server, you can try KMS LIST or some Github repo.
9. You can enable these policies to enhance scan features:
Administrative Templates (Computers)>Windows Components>Microsoft Defender Antivirus>Scan, Turn on e-mail scanning, Turn on reparse point scanning, Scan removable drives, Scan network files, Run full scan on mapped network drives
14.3 If you’ve logged in apps using MS account, in Settings-Account-Email&accounts-click your account-app need to ask me to use this account
14.17 network share
Settings-Network & internet-Advanced network settings-private networks=all off; public networks=all off; all networks=off, 128-bit, on.
14.18 Bluetooth
Turn Bluetooth off when not using it. Settings-Bluetooth & devices-Devices-More Bluetooth settings-turn off discovery.
14.19 DNS over https
Settings-Network&internet-WLAN-(your network name)-DNS Server Assignment-edit-manual
15.0 Edge out-of-box-experience
do not import settings from other browser; do not log in
15.10 Edge in always incognito mode
Computer Configuration > Administrative Templates > Microsoft Edge > Configure InPrivate mode availability=Forced (you cannot open Edge settings page)
15.11 edge://extensions/
turn off developer mode and uninstall unused extensions.
15.12 DRM
edge://settings/content/protectedContent;
edge://flags/#edge-widevine-drm
15.13 Edge diagnostics: see 14.5
15.14 Windows defender application guard: deprecated. use Edge in Windows sandbox instead.
15.15 others
turn off edge://settings/content/applicationLinks
turn off edge://settings/accessibility- Get image descriptions from Microsoft for screen readers

15.16 guest mode
If you are using others’ PCs, use guest mode so all the cookies disappear after you close the guest-mode Edge. Click the icon in the top left corner > other profiles > browse as guest
15.17 DNS over HTTPS:
Computer Configuration > Administrative Templates > Microsoft Edge > Control the mode of DNS-over-HTTPS=secure and
Computer Configuration > Administrative Templates > Microsoft Edge > Specify URI template of desired DNS-over-HTTPS resolver=“https://dns.example.net/dns-query{?dns}”

2 Likes

Does anyone know if disabling MS telemetry using the host file is effective?
127.0.0.1 data.microsoft.com
127.0.0.1 msftconnecttest.com
127.0.0.1 azureedge.net
127.0.0.1 activity.window.com
127.0.0.1 bingapis.com
127.0.0.1 msedge.net
127.0.0.1 assets.msn.com
127.0.0.1 scorecardresearch.com
127.0.0.1 edge.microsoft.com
127.0.0.1 data.msn.com
Thanks!

1 Like
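As an added example (not part of the question above), the snippet below shows how the Windows hosts file actually matches names, which is the main limit of this approach: the resolver honours exact hostnames only, with no wildcards, so an entry for data.microsoft.com does nothing for a name such as v10.events.data.microsoft.com. The hosts text is the list from the question; the parsing function and the probe names are mine.

```powershell
# Added example, not from the question above: exact-match semantics of the hosts file.
# The hosts text is the list posted in the question, embedded here as a here-string.
$HostsText = @'
127.0.0.1 data.microsoft.com
127.0.0.1 msftconnecttest.com
127.0.0.1 azureedge.net
127.0.0.1 activity.window.com
127.0.0.1 bingapis.com
127.0.0.1 msedge.net
127.0.0.1 assets.msn.com
127.0.0.1 scorecardresearch.com
127.0.0.1 edge.microsoft.com
127.0.0.1 data.msn.com
'@

function ConvertFrom-HostsText {
    param([string]$Text)
    # hostname -> address, ignoring comments and blank lines, like the Windows resolver does
    $map = @{}
    foreach ($line in $Text -split "`r?`n") {
        $line = ($line -split '#')[0].Trim()
        if (-not $line) { continue }
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { continue }
        # One hosts line may list several names after the address
        foreach ($name in ($parts | Select-Object -Skip 1)) { $map[$name.ToLowerInvariant()] = $parts[0] }
    }
    return $map
}

function Test-HostsBlocks {
    param([hashtable]$Map, [string]$Name)
    # Exact, case-insensitive match only: a parent-domain entry never covers its subdomains
    return $Map.ContainsKey($Name.ToLowerInvariant())
}

$map = ConvertFrom-HostsText -Text $HostsText
# Probe names (mine): the second is a subdomain of an entry, the third a sibling host under msn.com
foreach ($n in 'data.microsoft.com', 'v10.events.data.microsoft.com', 'www.msn.com') {
    '{0,-32} matched by hosts entry: {1}' -f $n, (Test-HostsBlocks -Map $map -Name $n)
}
```

Only the first probe is matched; the per-subdomain endpoints that diagnostics actually use are not, which is why policy-based switches such as Allow Telemetry above are the reliable control and the hosts file at best a partial one.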

Did I get it right that your suggestion is to use unlicensed software (which is illegal in many countries, let alone the ethics of stealing)?

Yes, that’s what I mean.

1 Like

Do you recommend TPM + PIN? Having to enter a pin and password, aka something in twice during each startup is definitely inconvenient. Would you call this overkill?

Yes

They serve different purposes. The PIN is for decryption and the password to login to your windows account.

2 Likes

Without the PIN, to my knowledge, anyone with physical access to your computer can access the information on your drive.

1 Like

Trying this out on my PC. I use Window 10 IoT Enterprise edition.

Thoughts:

Security Baseline

One thing you might want to note (sorry if it’s included and I do not see it) but the security baseline completely disables elevating permissions from a standard user (i.e. running something as an administrator).

It makes a lot of sense to do this if you are the admin at a company but for personal use this can be annoying for the average user, as there are a lot of common applications that can require elevation to run.

I think it would be helpful to show how to change that policy so people do not end up using their admin account as the daily driver or reverting back to not using the security baseline.

This can be done by going into settings under Windows Settings/Local Policies/Security Options/User Account Control

and changing either

User Account Control: Behavior of the elevation prompt for standard users (this is the one I had to change)

or

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

Attack Surface Reduction

EDIT: was able to find the options, somehow was not seeing the options in plain sight :upside_down_face:

Also a bit confusing that in GPO it states

[image]

But if you go to the Microsoft page about attack surface reduction, 6 (warn) is also an option.

Why the IOT edition?

The big reason is much longer extended support. Windows 10 IoT Enterprise LTSC 2021 is supported until 2032, that’s an extra 7 years over most other W10 versions.

It also has all the features of Enterprise edition and generally has much less bloatware than Home or Pro edition.

1 Like

There are actually some GitHub repos that automate this. I’ll find them and post some of them. Of course, running without understanding may cripple your system unexpectedly.

Before anyone runs scripts, I’d recommend understanding the basics of Group Policy on Windows. Some of it helps privacy, most is for security.