Instructions on Hardening Windows (What I Have Learnt So Far)

Disabling the Microsoft UEFI CA caused my computer to stop POSTing.

Yup. That can happen. You should not have done that without researching your hardware beforehand.

https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot

You might be able to reset the certificates if you remove the battery that powers the BIOS and wait a few minutes before putting it back in??? (I'm not sure on this one)


Regarding Controlled Folder Access: you can also leave the policy Not Configured and enable CFA in the Ransomware Protection section of Windows Security. This may be a simpler way to do it if you are not managing multiple users.


Omg! That's a lot of homework. Thanks for this post. All I do is install Firefox, then run Chris Titus's winutil and a few more bits, and I'm done.


Doing this only allows Windows to boot and prevents other OSes from booting. Maybe your OEM drivers use this CA? Please note that the Windows bootloader does NOT use the Microsoft UEFI CA.

This setting may cause problems in WinRE. Change it to "The user can't add a Microsoft account".

If you are using a YubiKey, enable Computer Configuration\System\Local Security Authority\Allow Custom SSPs and APs to be loaded into LSASS.

I'm not sure if there's warning mode on IoT Windows.


Possible. I have it set to block for now, just in case.

It can be effective. I have used it to block some annoyances from Edge before, but I would probably recommend just blocking those sites at the DNS level if you can.

Wouldn't recommend using a tool from someone who is more of an entertainer than anything else.


To be fair we are all participating in a hardening guide written by someone who has

:smile:


:+1: To be fair, he has been an IT guy for many years and is still active. But I understand.
Also, his YouTube videos have been under par because he's been focusing on his winutil programming via Twitch.

You might be able to reset the certificates if you remove the battery that powers the BIOS and wait a few minutes before putting it back in??? (I'm not sure on this one)

That didn't work, I had to reflash my motherboard lmfao. Thanks anyway.


Windows endpoints
The hosts file is not used when a network proxy is in use.

Wanted to suggest that it might be helpful at the end to direct users to check System Information to see if the virtualization-based security policies are actually running, as they can be enabled but not enforced. For example, if the user forgot to enable Secure Boot.
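The check above can also be scripted instead of read off msinfo32. The following is an added example (not code from the thread or from the hardening guide it discusses); it reads the same data System Information shows through the documented Win32_DeviceGuard WMI class and Confirm-SecureBootUEFI, and flags the "configured but not running" case. It assumes an elevated PowerShell session on Windows 10/11 with UEFI firmware; the status and service code tables are the documented meanings of the class's values.

```powershell
# Added example: verify that VBS/HVCI/Credential Guard are enforced, not merely configured.
# Assumption: run as administrator; Win32_DeviceGuard lives in the DeviceGuard WMI namespace.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Documented meanings of VirtualizationBasedSecurityStatus
$vbsStatus = @{ 0 = 'Disabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
# Documented service codes used in SecurityServicesConfigured / SecurityServicesRunning
$services  = @{ 1 = 'Credential Guard'; 2 = 'HVCI (Memory integrity)'; 3 = 'System Guard Secure Launch' }

"VBS: $($vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus])"

# Anything listed as configured but missing from the running list is exactly the
# "policy enabled, nothing enforced" situation the post warns about.
$configured = @($dg.SecurityServicesConfigured | Where-Object { $null -ne $_ })
$running    = @($dg.SecurityServicesRunning    | Where-Object { $null -ne $_ })
if ($configured.Count -eq 0) { "No VBS security services are configured at all." }
foreach ($id in $configured) {
    $name  = if ($services.ContainsKey([int]$id)) { $services[[int]$id] } else { "Service $id" }
    $state = if ($running -contains $id) { 'running' } else { 'CONFIGURED BUT NOT RUNNING' }
    "$name : $state"
}

# Secure Boot is a prerequisite for most of the above. Confirm-SecureBootUEFI throws on
# legacy BIOS / CSM boot, so treat the exception as "not a UEFI Secure Boot system".
try {
    $sb = Confirm-SecureBootUEFI
    "Secure Boot: $(if ($sb) { 'on' } else { 'OFF - enable it in firmware setup' })"
} catch {
    "Secure Boot: not available in this boot mode (legacy BIOS/CSM?)"
}
```

If a service shows "CONFIGURED BUT NOT RUNNING", the usual causes are Secure Boot being off, virtualization disabled in firmware, or an incompatible driver blocking HVCI; System Information lists the same items under "Virtualization-based security Services Configured" and "Services Running".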

Good call on not using the famous script from GitHub but using your command and KMS servers instead; worked like a charm :grin:

But I disagree with:
"Choose a PC with Microsoft Pluton"
Because of the amount of data MS harvests off us, and then we go and use a Microsoft chip. Nope, not for me. Yes, it's great for security. Not for privacy. Being a privacy guide, I disagree :stuck_out_tongue:

Do you have any proof of Microsoft collecting data through Pluton?

No, I don't, but once a rat, always a rat.

It's a Microsoft chip, do you really trust them?
I don't.
Weren't all those hospitals hacked because of MS making a backdoor for the FBI or something?

Edit: WannaCry ransomware attack

Nearly all of the CPUs and security chips are closed source, including Pluton, Intel, AMD, Google Tensor/Titan, Qualcomm, various TPMs and Apple Silicon. It's not a good idea to decide what to trust (and not trust) based on previous reputation. Also, you have already trusted Microsoft by using Windows.


Feel free to do whatever you like with your choice of devices or software. But please stick to facts and refrain from fear mongering. Yes, Microsoft has had terrible privacy practices, but that does not mean that they spy on users through a security chip.

Where does the article say that MS introduced a backdoor? An exploit which implements a backdoor for persistent remote access is something other than MS installing a backdoor beforehand.


aka "Block executable files from running unless they meet a prevalence, age, or trusted list criterion"

This rule can cause issues. For example, this can block you from being able to use Mullvad browser.


@Sprout3425 it might be nice to let users know in the attack surface reduction section that they can see if something has been blocked in the Windows Security Protection History and they can match the rule to the GUID here


You can get notifications when an app is blocked and unblock it at once using warning mode. Also, it's a good opportunity to test if you can use warning mode on IoT Windows using Mullvadbrowser.exe.

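The two suggestions above (look the block up in Protection History and match the GUID to the rule; or switch the rule to warn mode) can be done from PowerShell. The following is an added example, not code from the thread or from the guide it discusses. It reads the Defender operational log for ASR hits, maps a handful of well-known rule GUIDs to their names, lists the currently configured rule actions, and then shows the two ways out of the Mullvad Browser problem: warn mode for the prevalence/age rule, or an ASR-only exclusion for one binary. Assumptions: an elevated PowerShell session, an English event-message template (the GUID and path are pulled out of the message text with a regex), and the Mullvad Browser install path, which is a placeholder you must adjust.

```powershell
# Added example: find which ASR rule blocked something, then relax only that rule.
# Assumption: run as administrator on Windows 10/11 with Microsoft Defender active.

# Subset of the documented ASR rule GUIDs (only rules whose IDs are well known)
$asrRules = @{
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executables unless they meet prevalence, age, or trusted list criterion'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}

# Event 1121 = rule fired in block mode, 1122 = rule fired in audit mode.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 50 -ErrorAction SilentlyContinue

"Recent ASR hits (what Protection History shows):"
foreach ($e in $events) {
    # Assumption: English message text containing "ID: <guid>" and "Path: <file>".
    $guid = if ($e.Message -match 'ID:\s*([0-9a-fA-F-]{36})') { $Matches[1].ToLower() } else { $null }
    $path = if ($e.Message -match 'Path:\s*([^\r\n]+)')        { $Matches[1].Trim() }   else { '?' }
    $name = if ($guid -and $asrRules.ContainsKey($guid)) { $asrRules[$guid] } else { "Unknown rule $guid" }
    $mode = if ($e.Id -eq 1121) { 'BLOCK' } else { 'AUDIT' }
    '{0:u}  {1,-5}  {2}  {3}' -f $e.TimeCreated, $mode, $name, $path
}

# Current configuration: actions are 0 = Off, 1 = Block, 2 = Audit, 6 = Warn
$pref = Get-MpPreference
"Configured ASR rules:"
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i].ToLower()
    $nm = if ($asrRules.ContainsKey($id)) { $asrRules[$id] } else { $id }
    '{0}  action={1}' -f $nm, $pref.AttackSurfaceReductionRules_Actions[$i]
}

# Option A: move just the prevalence/age rule to warn mode. Users then get a toast with an
# "unblock" choice instead of a silent block. (Warn is not supported by every rule; this one supports it.)
Add-MpPreference -AttackSurfaceReductionRules_Ids '01443614-cd74-433a-b99e-2ecdc07bfc25' `
                 -AttackSurfaceReductionRules_Actions Warn

# Option B: keep the rule in block mode and exclude one binary from ASR only.
# Placeholder path; replace with the real location of mullvadbrowser.exe on your system.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\Mullvad Browser\mullvadbrowser.exe'
```

Pick one of the two options rather than both: warn mode keeps the rule's coverage for everything else but asks the user on each new hit, whereas the ASR-only exclusion leaves the rule silent for that path without touching Defender's normal antivirus scanning of the file.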

Hey, why are we setting the region to EEA and allowing optional diagnostic data?
Is EEA any country in the EU?

And what is OOBE?

Thanks