Harden Windows Security Module v0.2.7 #161
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There was a variable name conflict between Harden Windows Security module and WDACConfig module Since WDACConfig would create a read-only constant variable, if you ran the other module in the same session, you would see an error.
And fixed variable name casings
in lock screen category
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What's Changed
Improved best practices in the code.
Added progress bar to the
Unprotect-WindowsSecuritycmdlet, now all the cmdlets of the module have progress bars!The
Unprotect-WindowsSecuritycmdlet now prompts for confirmation using native PowerShell methods. This prompt can be bypassed if you use the familiar-Forceparameter, useful when not running this module interactively.Removed untrusted font blocking which was an optional additional policy in the Miscellaneous category. The reason for its removal is mentioned here and its removal was suggested a while ago in this repo as well. The reason why it's finally being removed is that it can cause some blocked fonts logs to be generated for 1st party inbox apps such as OneDrive.
Removed the
UAC: Behavior of the elevation prompt for standard userspolicy from the User Account Control (UAC) category because it's already being applied by Microsoft Security Baselines. The security baselines correctly prevent any elevation of request on Standard user accounts.The compliance checking and verification for this policy continues to exist in
Confirm-SystemCompliancecmdlet.For highly secure scenarios, use Standard account for regular everyday tasks, and if you want to perform administrative tasks such as installing a program system-wide or changing system settings, completely log out of the Standard account and log into an Administrator account, perform the tasks, then completely log out and log back into the Standard account to continue your work. No fast user switching.
The module now supports environments where
Cis not the OS drive's label.Made the policy that requires CTRL + ALT + DEL at lock screen optional for accessibility reasons. It's in lock screen category.
Added CSP links for the policies included in the compliance checking CSV file.