Windows Guide

I don’t think we should make a complete overhaul of the Windows Guide, as I think @Ikel’s PR is already a great starting point to rework the Windows guide. We should just rework some things here and there, update info, etc…

Somebody mail me on May 9th or the 8th. I will have everything over and giddy up myself and finish the draft within a week. So, it is possible for people to give suggestions and add their own corrections, either technical, factual or grammatical.

It is my fault that the PR has merge conflicts.

But there has been a new PR by @fiwayan173.

My opinions on the new PR:

  • There is a point about enabling Optional Diagnostics; more people will object to that. Required is enough.

  • There is no need to loop from Windows Pro to Enterprise. There is an ISO where you can do that directly.

  • Do not suggest KMS activation scripts; it is up to the user to activate. There is https://massgrave.dev, but I am not sure how to link to it while safely saying PG and its author are not related.

  • I actually wanted to check the security baselines. Never got the time.

  • App sandbox is not true for UWP. There are apps which can have full access to the system despite being .msix or .appx.

  • For TPM, it depends on the user’s threat model. You need to explain it in a sentence, without a lot of wording, so users can choose what they want.

  • Be careful with Exploit Guard, as it randomizes the kernel memory, causing some programs such as Git, GCC, etc. to break.

  • For the group policy, maybe we need to create a file that enables it, like registry files. If so, we should state that it can easily be checked for malware by opening it with Notepad.

  • Again, I would say don’t speak about activation, even though it is about using your own KMS servers.

What should we do?

Not to discourage, but see if you can read the markdown files in my PR, because currently the preview is broken.

Work separately and merge the best of them. I literally have no idea. @dngray or @jonah, what do you say?

And the overview page should be a general overview of Windows; all the other things should go under recommendations.

I say combine the guides and remove overlapping information by choosing the best parts in this case. Focus on making the guides easy to implement; scripts (or batch scripts, I don’t know the technical term) or whatever makes the process the easiest are definitely favoured. Before these scripts are provided we could have a description of what they do and affect, and how to revert them; this would mean everything should go smoothly!

1 Like
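On the Exploit Guard point above: the setting that breaks programs shipped without relocation information is the system-wide "Force randomization for images (Mandatory ASLR)" option, and Exploit Protection lets you exempt individual executables from it instead of turning it off globally. The following is an added example, not code from the thread or from either PR; the executable names are placeholders and the script assumes an elevated PowerShell session on Windows 10/11.

```powershell
# Added example (not from the thread or the PRs). Inspect the system-wide
# Exploit Protection defaults and exempt specific programs from mandatory
# image randomization (ForceRelocateImages), the mitigation most likely to
# break binaries that ship without relocation information.
# Assumptions: the executable names below are placeholders; run elevated.

# Show the system-wide ASLR defaults currently in force
Get-ProcessMitigation -System | Select-Object -ExpandProperty ASLR

# Export the full current policy to XML so the change can be reviewed and reverted
$backup = Join-Path $env:TEMP 'exploit-protection-before.xml'
Get-ProcessMitigation -RegistryConfigFilePath $backup

# Per-program overrides: keep DEP, CFG and the rest, only relax forced relocation
$exempt = @('git.exe', 'gcc.exe', 'ld.exe')   # assumed names; adjust to what actually breaks
foreach ($exe in $exempt) {
    Set-ProcessMitigation -Name $exe -Disable ForceRelocateImages
    # NOTSET/OFF/ON per program; OFF means the system default no longer applies to it
    "$exe -> ForceRelocateImages: " + (Get-ProcessMitigation -Name $exe).ASLR.ForceRelocateImages
}

# Revert everything to the exported state:
#   Set-ProcessMitigation -PolicyFilePath $backup
```

The exported XML is the "how to revert" artefact the thread asks for: it can be diffed and re-imported with `Set-ProcessMitigation -PolicyFilePath`, and it is the same format Exploit Protection's own Export button produces.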

I feel like the Windows guide will forever be a moving target, more so than the usual moving targets of updates in macOS and the various Linux distros out there. Microsoft likes to change things on what feels like a whim most of the time, apart from the usual configuration resets to their default values during each update.

I think the best way forward is just put Windows 11 in a VM so as to avoid the tantrums it does with each update. It also has the bonus of having the capability of having a whole image backup (along with all its hassles) and the ability to firewall(?) the VM, or allow specific domains to connect.

Do we have the capability to just download the updates piecemeal, or does the VM have to be completely online to do Windows Updates?

2 Likes

Will be reviewing this, tidying up the hardware guide which touches on Windows secure core, then will be looking at the Windows PR next.

We will likely have the later PR supersede the previous one, but I’ll check to see nothing was missed in the comments of those PRs and in the merge request.

A single PR can always have co-authors, so we’ll make sure to put the original author on there as a co-author of it using the Co-authored-by keyword in the commit. That way you will get credit for it on your GitHub activity.

1 Like

Would suggest to split up a Windows guide into different parts. For example one for privacy, one for security, intersections of security and privacy, and maybe a setup guide (how to make an installer, which edition to choose, showing differences, driver best practices and so on). Stick to official guidelines and baselines as much as possible with little reliance on third-party tools.

Start with privacy, because that’s the most important part for PrivacyGuides and also the most difficult. It will be a big part. Show how to apply Windows Restricted Traffic Limited Functionality Baseline. Show which things must be patched afterwards (preferably provide a ready-to-use patch policy), for example to make Updates (Windows, Defender, Certificates), Store and a few more, which are needed for a secure and working distro. Show which can optionally be patched. Show privacy consequences and considerations (for example some users might want to be able to use XBOX services while others don’t). Show differences between Enterprise editions and Pro (e.g. which settings won’t take effect and whether there are other ways to achieve it). Explain considerations between privacy and security (e.g. Defender cloud protection, SAC, ISG). Show which built-in apps can be used in a privacy respecting way, whether settings are necessary to adjust and when it’s better to simply delete the app. Show which services and apps can or should be disabled/deleted. Show blocking of network communication with DNS filters and solutions like Simplewall to whitelist apps and which apps need to be whitelisted to keep the system secure and working.

Then you can start with security (or different people working on it in parallel), but the privacy guide should be worked on with higher priority, because it will also be needed for security vs privacy considerations. Security baselines, WDAC, Applocker, bitlocker, ISG, SAC, ASR-Rules, exploit protection rules and so on. All solutions have different consequences for privacy, security and usability, so a lot of explanation is needed (e.g. for which use cases is metadata transmitted for ISG acceptable). Explain why to apply privacy settings after security baselines, if users prefer privacy over security.

That’s just what quickly comes to mind. As you see this will be a long guide.

2 Likes

100% this is one of the reasons we hadn’t actually gotten around to doing this. Writing the general material was the easy part but talking about the LGPO policies was going to be the time consuming portion.

What you suggested in your post is exactly what I had in mind though.

I can’t say I am a fan of things like privacy.sexy because modifying registry entries directly isn’t really the right way to do that.

Afaik all UWP apps are sandboxed. However UWP devs can ask for special permissions, which need special approval from Microsoft to get into the Store and can weaken the sandbox or allow more broad access. And UWP devs can ship a desktop bridge for more broad or even full desktop access. I am not sure if you need to confirm installation of both the UWP part and the bridge in this case, or how security is handled there. Microsoft Store uses both approaches for its own app. You might be confusing UWP with apps on Microsoft Store. Microsoft Store does distribute different forms of apps.
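The "desktop bridge" case above is visible in the package manifest: a packaged desktop app declares the restricted capability `runFullTrust`, which means it runs outside the app container with the user's full rights even though it arrives as an .msix/.appx. This added example (not from the thread or the PRs) lists the installed packages and flags the ones that declare it; it assumes it is run as the user whose packages you want to inspect (add `-AllUsers` to `Get-AppxPackage` from an elevated shell to see every profile).

```powershell
# Added example (not from the thread or the PRs). Enumerate installed
# MSIX/AppX packages and flag those whose manifest declares runFullTrust,
# i.e. packaged desktop apps that do not run inside the UWP app container.
# Assumption: run as the user whose installed packages should be inspected.

function Get-FullTrustPackages {
    foreach ($pkg in Get-AppxPackage) {
        try {
            $manifest = Get-AppxPackageManifest -Package $pkg.PackageFullName
        } catch {
            continue   # framework/resource packages without a readable manifest
        }

        # Capabilities appear in several namespaces (default, uap:, rescap:),
        # so match on the local element name rather than a prefixed path.
        $caps = @($manifest.SelectNodes("//*[local-name()='Capability']") |
                  ForEach-Object { $_.GetAttribute('Name') })

        [pscustomobject]@{
            Name         = $pkg.Name
            Publisher    = $pkg.Publisher
            FullTrust    = [bool]($caps -contains 'runFullTrust')
            Capabilities = (($caps | Sort-Object -Unique) -join ',')
        }
    }
}

# Packages that can touch the whole user profile despite being "Store apps"
Get-FullTrustPackages |
    Where-Object FullTrust |
    Format-Table Name, Publisher, Capabilities -AutoSize
```

The same scan makes the other part of the post concrete: `Capabilities` shows which other declared permissions (e.g. `broadFileSystemAccess`, `internetClient`) a sandboxed app asked for, so a guide can point readers at the manifest instead of assuming that everything from the Store is equally contained.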

The Windows guide I envision would have a user interactive interface that can export corresponding LGPO files based on selected policies with explanations. This would also make my new Windows guide pull request look more concise. However, unfortunately, explaining each policy would be exhausting, and I don’t know how to write this kind of interactive interface.
Also we should avoid registry modification and make a group policy file for all registry keys not in the current group policy editor. Though I have no idea how to make an admx/adml file.

This is NOT recommended as it disables Windows Update and lots of important things. For security, Security Baselines are recommended.

Both optional diagnostics and required diagnostics data are not necessary.

Not sure if that’s applicable to the ARM version.

Why? Activating Windows Enterprise is not piracy. The code in my guide is official code from Microsoft. Using third-party scripts or modifying system components to activate is a security threat. We should avoid things like https://massgrave.dev/

You didn’t read my PR carefully enough. Here

No. TPM is a must for Windows 11.
Anyway, thank you for your time @Ikel

1 Like

I’m thinking this might be something we might do as a revised version of the page, but not immediately to begin with.

Likely the reason is that the baseline disables much of the reliance on MS and is really meant to be used in high security environments where devices are part of a larger workgroup with local WSUS.

Oh, I never thought about that. Should PG provide guides for such users?

Please read further what I wrote. I wrote to patch the policy so that it won’t disable security critical things like Windows Update. It’s less work to apply everything and patch only the few things needed than to apply everything by hand. Patching can be done by editing the baseline before applying it or afterwards by applying the patches as a separate policy.

1 Like

Well, it’s a baseline. They are supposed to be adjusted and that’s also what I would propose. It’s easier to use the baseline and adjust it to your needs either by editing it or applying patches afterwards than to apply privacy settings by hand.

1 Like
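The "apply the baseline, then patch it as a separate policy" workflow above, and the earlier wish for a policy file that readers can open in Notepad and check for themselves, both map onto LGPO.exe from the Microsoft Security Compliance Toolkit: `/g` imports a GPO backup (the form the Restricted Traffic baseline is distributed in) and `/t` applies a plain-text policy file. The following is an added example, not code from the thread or either PR. It assumes LGPO.exe is on PATH, that the baseline's GPO backups have been extracted to the path in `$Baseline`, and that the three registry values in the patch are the ones the corresponding baseline policies set (an assumption to verify against the baseline version you ship); it must run elevated.

```powershell
# Added example (not from the thread or the PRs). Apply the Restricted
# Traffic Limited Functionality Baseline with LGPO.exe, then lay a small
# plain-text patch policy over it that re-enables Windows Update access and
# Defender cloud-delivered protection.
# Assumptions: LGPO.exe on PATH; baseline GPO backups extracted to $Baseline;
# the registry values below are those the baseline policies set; run elevated.

param(
    [string]$Baseline = 'C:\Baselines\RestrictedTraffic\GPOs',   # assumed path
    [string]$Patch    = 'C:\Baselines\pg-patch.txt'               # assumed path
)

# 1. Back up the current local policy so the whole change can be reverted
$backup = "C:\Baselines\backup-$(Get-Date -Format yyyyMMdd-HHmm)"
New-Item -ItemType Directory -Path $backup -Force | Out-Null
LGPO.exe /b $backup

# 2. Import the baseline GPO backup(s) into local policy
LGPO.exe /g $Baseline

# 3. Patch policy in LGPO text format: scope, key, value name, action/data,
#    one blank line between entries. Plain text, so it is reviewable in Notepad.
@'
; Give Windows Update its internet access back (baseline turns it off)
Computer
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotConnectToWindowsUpdateInternetLocations
DELETE

Computer
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DisableWindowsUpdateAccess
DELETE

; Re-join Microsoft MAPS so Defender cloud protection works (2 = advanced)
Computer
SOFTWARE\Policies\Microsoft\Windows Defender\Spynet
SpynetReporting
DWORD:2
'@ | Set-Content -Path $Patch -Encoding ASCII

LGPO.exe /t $Patch
gpupdate /target:computer /force | Out-Null

# 4. Verify: deleted values should be absent, the MAPS value should read 2
$wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
"DoNotConnectToWindowsUpdateInternetLocations: " + $wu.DoNotConnectToWindowsUpdateInternetLocations
"DisableWindowsUpdateAccess: " + $wu.DisableWindowsUpdateAccess
"SpynetReporting: " + (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet').SpynetReporting

# Revert everything (baseline and patch) by re-importing the backup:
#   LGPO.exe /g $backup
```

Keeping the patch as its own `.txt` rather than editing the baseline's registry.pol keeps the two concerns separate: the baseline can be refreshed when Microsoft publishes a new version, and the guide only has to maintain and explain the handful of entries in the patch.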

No, I don’t think so, because that requires a Windows server as well, and really adds no privacy benefit. You also then need to do a tonne of other things.

We don’t want PG to basically become learn.microsoft, but when there are relevant articles I’m happy if we link to those in the course of whatever it is we’re explaining.

I think there are 3 threads about this Windows Guide, could we just use one?

2 Likes

Advice

Definitely feel free to use my original post as an inspiration, but do acknowledge if you use some of it. Note: @fiwayan173 has contributed the most to that post and @sha123 has also contributed.

As I said before, keep it simple and do not overwhelm yourselves. We do not need to explain the purpose of each setting, but at the very least their implications need to be explained (for 99% of the modified settings you won’t notice a difference). I went through the painstaking process of applying all of this, so do use my experiences to identify some implications; I identified the main ones in my original post.

To do list:

  1. Combine the guides and remove overlapping information, by choosing the best parts in cases where overlapping info is present. You could use software to do this by comparing the guides as text files.

  2. Use AI sparingly and strictly as a grammar checker, this is a no-brainer, but ensure to only let it edit small chunks of text at a time and prompt it to not change the meaning of the text, when it inevitably does change the meaning of the text without telling you, you should be able to notice if you go chunk by chunk. Do not risk making it format large chunks of text because it will omit things and change the meaning of things without telling you.

  3. Important goal: Focus on making the guides easy to implement; scripts (or batch scripts, I don’t know the technical term) or whatever makes the process the easiest are definitely favoured. Before these scripts are provided we could have a super brief description of what major settings do and affect, and how to revert them; this would mean everything should go smoothly! By major settings I mean the only settings people might notice. Assume an average computer user.
    If you do this you don’t have to bother explaining how to do it manually; this will save everyone’s time! I do understand this is tricky because so many settings are changed in the baselines, heck, I do not know if some settings are affecting me negatively.

I think you all know what to do, good luck!

I have locked the two other threads and want to direct the discussion here. I thought about merging the threads but that might create a bit of unnecessary clutter.

7 Likes

Why are we including Microsoft Edge in the Windows Guide? I see no reason to use Edge, which isn’t a desktop browser recommended by PG (neither is Safari).

Now I understand we include for Microsoft Office as it might be a reason people use Windows in the first place, but I don’t see Edge as having any added value. We have other great browsers.

2 Likes

The main reason is because if you’re already on Windows you can make use of Microsoft Edge and Microsoft Defender Application Guard (Microsoft Learn), which further isolates the browser.