Well it is, a lot of people do not know that Linux can be feasible for everyday people and professionals, including myself. If I am wrong, then Linux kinda stinks.
I still think that it would be much better to simply recommend a 1-click PowerShell script that changed all the “bad” settings to good ones.
Hello everyone, the group policy page was good, but unfortunately, there’s an issue. People using the Home edition of Windows don’t have the Group Policy Editor, but they do have the Registry Editor. So is it possible to add the regedit keys associated with these group policies to the page? You can find the regedit keys and values associated with the group policies using websites like https://gpsearch.azurewebsites.net/ or https://admx.help/ . Thanks.
You can also use this tool:
I would caution against doing this if you don’t understand what that script is doing. It is really easy to end up locking yourself out of things (especially if you use one that adds all the Microsoft security baseline rules) you may want and spending a ton of time figuring out what setting was changed that caused the issue.
All of a sudden you are googling how to fix
Blindly running a script, especially to make system-level changes, is the opposite of good security practices.
Sure. I was thinking about privacy tweaks specifically, things that everyone here would want i.e. no web search in start menu, disabled telemetry, etc.
Why not start by using Windows LTSC IoT?
You could also make your own private Windows version with nlite (or another similar tool).
No. Never use third-party “anti-spying”/“privacy hardening” tools. Use official documentation from Microsoft only and follow Microsoft best practices. Using third-party tools increases your attack surface, requires you to trust the developers of the tool, is not needed to disable all telemetry in Windows, and can break your system.
Recommended guide:
Did you even check the website?
The dev of https://hotcakex.github.io put this really well.
LTSC is the platform for no updates ever. LTSC is for devices where you install the OS and don’t plan on touching it for the next 10 years.
It’s true that LTSC has a lot of its components stripped out, but that also means many of the security features are also unavailable. The security features in the normal edition of the OS decrease the attack surface more than anything LTSC has to offer.
Normal editions of the OS have policy for everything, most components can be configured or removed using policies, Intune CSPs etc.
People trying to use this guide with an LTSC or LTSB version are going to run into issues where they do not have the options specified in the guide.
That's false information. Stating no updates ever is not true.
I already had updates; there are security updates for 10 years, just no FEATURE updates.
I read your second link and the author himself stated:
Security features aren’t backported to LTSC AFAIK.
So he admits that now, there are no security features missing from Windows 11 LTSC.
Windows 10 IoT Enterprise LTSC 2021 will receive security updates until 2032, 7 years longer than regular versions of W10.
This is how I understood it was meant considering the context of the thread.
Anyway, AFAIK this still holds true. There are not the same policy options included in these versions, so it would be counterproductive to this guide to recommend them. Especially since the average home user is unlikely to be able to get these versions legitimately.
Here is just a small example of that occurring
Has anyone used the hotcakex script yet? I see they have recommended or basic presets. I am unsure what to use because I would also like to use portmaster. Or is that a no-no?
I didn’t use the script, but I used the page and other hardening guides (for example beerisgood, German BSI and troennes private-secure-windows among others) alongside the official Windows documentation to harden my system since I wanted to do it the proper way instead of some downloaded script.
Oh, for sure. Do you think one must have to worry about the script even though she is claiming it’s all done through official Microsoft tools?
As said before, I only used it as inspiration and didn’t use the script. IMHO you should at least check what the script changes before running it, to avoid being surprised by some kind of “this action has been blocked by your administrator” screen or your Windows installation behaving differently from what you expect (in regards to BitLocker, controlled folder access, etc.). Also note that it hasn’t been upgraded to the official 24H2 security baselines. There is also this thread which has many valuable pieces of information.
That makes sense. Thanks for the tip!
HotcakeX actually reduces security:
Hyper-V admin to full admin is not a security boundary, meaning that a technique that allows Hyper-V admins to elevate to administrator will not be considered a security issue and therefore won’t be quickly patched if patched at all. HotcakeX gives this permission to all standard users, essentially giving every user on the machine administrator permissions by default, which is the complete opposite of what a “hardening” script should be doing. The script also enables many options that can reduce privacy, I really don’t see any reason for anyone to use it.
These sorts of scripts should always be avoided, privacy.sexy has similar problems where it changes settings for no reason in ways that can cause breakage even when there’s no privacy impact.
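An added check for the concern raised in the post above (not part of the original thread and not HotcakeX's code): it lists the members of the built-in Hyper-V Administrators group and flags any that are broad groups or are not already local administrators. It assumes the permission is granted through membership of that group (well-known SID S-1-5-32-578); the function name `Get-HyperVAdminAudit` is made up for this example.

```powershell
# Added example: audit who holds Hyper-V Administrators membership.
# Assumption: the permission discussed above is granted through the
# built-in local group with well-known SID S-1-5-32-578.

$hvSid    = 'S-1-5-32-578'   # BUILTIN\Hyper-V Administrators
$adminSid = 'S-1-5-32-544'   # BUILTIN\Administrators

# Principals that would cover every standard user on the machine
$broadSids = @(
    'S-1-1-0',        # Everyone
    'S-1-5-4',        # INTERACTIVE
    'S-1-5-11',       # Authenticated Users
    'S-1-5-32-545'    # BUILTIN\Users
)

function Get-HyperVAdminAudit {
    try {
        $hvMembers = @(Get-LocalGroupMember -SID $hvSid -ErrorAction Stop)
    } catch {
        # Group missing, or membership contains an entry that cannot be resolved
        Write-Warning "Could not read group ${hvSid}: $($_.Exception.Message)"
        return
    }

    # SIDs that are direct members of the local Administrators group
    $adminSids = @(Get-LocalGroupMember -SID $adminSid -ErrorAction SilentlyContinue |
        ForEach-Object { $_.SID.Value })

    foreach ($m in $hvMembers) {
        $sid = $m.SID.Value
        [pscustomobject]@{
            Name           = $m.Name
            SID            = $sid
            ObjectClass    = $m.ObjectClass
            IsBroadGroup   = $broadSids -contains $sid
            AlsoLocalAdmin = $adminSids -contains $sid
        }
    }
}

$audit = @(Get-HyperVAdminAudit)
$audit | Format-Table -AutoSize

# A member that is not already a local administrator gains an elevation path
$risky = @($audit | Where-Object { $_.IsBroadGroup -or -not $_.AlsoLocalAdmin })
if ($risky.Count -gt 0) {
    Write-Warning "$($risky.Count) member(s) hold Hyper-V admin rights without being local administrators."
}
```

An empty table means nobody has been added to the group; unwanted entries can be removed with `Remove-LocalGroupMember` from an elevated session.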
What would you recommend as an alternative?