Instructions on Hardening Windows (What I Have Learnt So Far)

sha123 · February 21, 2024, 9:16am

Probably to allow users to use SAC in the future . If you don’t need SAC, do not allow optional diagnostic data.

anon29374801 · February 21, 2024, 2:57pm

I had the rule set to block (1) for Win10 IoT Enterprise and warn (6) for Win11 IoT Enterprise. Did not make a difference. I got the same error message / warning a user would get if they attempted to access something that needs administrator priveleges but did not have the correct credentials.

That seems to be more of an error message. To me, it would not seem to help anyone realize its the attack surface reduction rules blocking the program.

anon34108895 · February 22, 2024, 8:09am

My suggestion is to switch to Windows enterprise edition.

It’s to make sure you can uninstall Edge and Bing if you want. To turn on SAC, you’d better turn on optional diagnostic data during the out-of-box-experience. After that, you can follow section 14.5 to turn off diagnostic data.

anon29374801 · February 22, 2024, 7:52pm

It is an Enterpise edition of Windows. Not sure if the warn feature is worth giving up 7 years of extra support on the w10 machine.

Even for people using a more common version of Windows, knowing where to lookup the GUID and see what rules they are actually adding is, I think, a good thing.

anon34108895 · March 6, 2024, 1:58am

You can change to a more modern hardware for better security. see section 0 for the recommendation.

anon34108895 · March 8, 2024, 8:23am

2024/3/8 Update:
As DMA comes into effect, there are several changes to this guide.
15.11 Edge Telemetry
Edge in EEA no longer respects Windows telemetry settings in 14.5. A new policy is introduced in version 122: Computer Configuration > Administrative Templates > Microsoft Edge > Send required and optional diagnostic data about browser usage=enabled, off.

Viper · March 10, 2024, 6:47am

Til i can uninstall edge if select EEA region,
Just pick a country Omg

P.s. dont forget to install a web browser app before uninstall, otherwise

exaCORE · March 10, 2024, 6:56am

You could just curl from cmd if you forgot, right?

Viper · March 10, 2024, 7:51am

Yeh i think so. But would need to know url and command, probably pain in the arse. And i realised internet explorer was around. Had to get into windows features etc to turn it off. Geez MS sure does like forcing shit. Not as bad as apple though.

anon34108895 · March 29, 2024, 6:59am

hey guys I created a new Windows Guide pr. everyone is welcomed to contribute!

Sprout3425 · March 30, 2024, 2:05am

@anon34108895 I wish I knew how to use GitHub, I can only edit text on Word, I am an academic in the making (maybe) by trade, so I can only improve text by these basic means.

Viper · March 30, 2024, 5:25am

Same. We can suggest improvements here

sha123 · April 1, 2024, 8:53pm

GitHub is not that complicated and it’s much better suited to work on something than in a long thread on the forum.

dngray · April 4, 2024, 3:41am

As this is one of the shorter threads I’m going to lock it and encourage future suggestions be made in: Windows Guide.

but it will take some work. Please continue discussion in the above thread.