From 562a22ba45326ec8cfe5c983b59f7aa7cc7008f2 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Sun, 10 Dec 2023 11:03:57 -0930
Subject: [PATCH 01/79] Added missing position 0 parameter names
---
Harden-Windows-Security.ps1 | 212 ++++++++++++++++++------------------
1 file changed, 106 insertions(+), 106 deletions(-)
diff --git a/Harden-Windows-Security.ps1 b/Harden-Windows-Security.ps1
index 04e2caca7..1997bbb53 100644
--- a/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security.ps1
@@ -275,19 +275,19 @@ Function Write-SmartText {
if ($PSVersionTable.PSEdition -eq 'Core') {
switch ($CustomColor) {
- 'Fuchsia' { Write-Host "$($PSStyle.Foreground.FromRGB(236,68,155))$InputText$($PSStyle.Reset)"; break }
- 'Orange' { Write-Host "$($PSStyle.Foreground.FromRGB(255,165,0))$InputText$($PSStyle.Reset)"; break }
- 'NeonGreen' { Write-Host "$($PSStyle.Foreground.FromRGB(153,244,67))$InputText$($PSStyle.Reset)"; break }
- 'MintGreen' { Write-Host "$($PSStyle.Foreground.FromRGB(152,255,152))$InputText$($PSStyle.Reset)"; break }
- 'PinkBoldBlink' { Write-Host "$($PSStyle.Foreground.FromRgb(255,192,203))$($PSStyle.Bold)$($PSStyle.Blink)$InputText$($PSStyle.Reset)"; break }
- 'PinkBold' { Write-Host "$($PSStyle.Foreground.FromRgb(255,192,203))$($PSStyle.Bold)$($PSStyle.Reverse)$InputText$($PSStyle.Reset)"; break }
- 'Gold' { Write-Host "$($PSStyle.Foreground.FromRgb(255,215,0))$InputText$($PSStyle.Reset)"; break }
- 'VioletNoNewLine' { Write-Host "$($PSStyle.Foreground.FromRGB(153,0,255))$InputText$($PSStyle.Reset)" -NoNewline; break }
- 'PinkNoNewLine' { Write-Host "$($PSStyle.Foreground.FromRGB(255,0,230))$InputText$($PSStyle.Reset)" -NoNewline; break }
- 'Violet' { Write-Host "$($PSStyle.Foreground.FromRGB(153,0,255))$InputText$($PSStyle.Reset)"; break }
- 'Pink' { Write-Host "$($PSStyle.Foreground.FromRGB(255,0,230))$InputText$($PSStyle.Reset)"; break }
- 'LavenderNoNewLine' { Write-Host "$($PSStyle.Foreground.FromRgb(255,179,255))$InputText$($PSStyle.Reset)" -NoNewline; break }
- 'TeaGreenNoNewLine' { Write-Host "$($PSStyle.Foreground.FromRgb(133, 222, 119))$InputText$($PSStyle.Reset)" -NoNewline; break }
+ 'Fuchsia' { Write-Host -Object "$($PSStyle.Foreground.FromRGB(236,68,155))$InputText$($PSStyle.Reset)"; break }
+ 'Orange' { Write-Host -Object "$($PSStyle.Foreground.FromRGB(255,165,0))$InputText$($PSStyle.Reset)"; break }
+ 'NeonGreen' { Write-Host -Object "$($PSStyle.Foreground.FromRGB(153,244,67))$InputText$($PSStyle.Reset)"; break }
+ 'MintGreen' { Write-Host -Object "$($PSStyle.Foreground.FromRGB(152,255,152))$InputText$($PSStyle.Reset)"; break }
+ 'PinkBoldBlink' { Write-Host -Object "$($PSStyle.Foreground.FromRgb(255,192,203))$($PSStyle.Bold)$($PSStyle.Blink)$InputText$($PSStyle.Reset)"; break }
+ 'PinkBold' { Write-Host -Object "$($PSStyle.Foreground.FromRgb(255,192,203))$($PSStyle.Bold)$($PSStyle.Reverse)$InputText$($PSStyle.Reset)"; break }
+ 'Gold' { Write-Host -Object "$($PSStyle.Foreground.FromRgb(255,215,0))$InputText$($PSStyle.Reset)"; break }
+ 'VioletNoNewLine' { Write-Host -Object "$($PSStyle.Foreground.FromRGB(153,0,255))$InputText$($PSStyle.Reset)" -NoNewline; break }
+ 'PinkNoNewLine' { Write-Host -Object "$($PSStyle.Foreground.FromRGB(255,0,230))$InputText$($PSStyle.Reset)" -NoNewline; break }
+ 'Violet' { Write-Host -Object "$($PSStyle.Foreground.FromRGB(153,0,255))$InputText$($PSStyle.Reset)"; break }
+ 'Pink' { Write-Host -Object "$($PSStyle.Foreground.FromRGB(255,0,230))$InputText$($PSStyle.Reset)"; break }
+ 'LavenderNoNewLine' { Write-Host -Object "$($PSStyle.Foreground.FromRgb(255,179,255))$InputText$($PSStyle.Reset)" -NoNewline; break }
+ 'TeaGreenNoNewLine' { Write-Host -Object "$($PSStyle.Foreground.FromRgb(133, 222, 119))$InputText$($PSStyle.Reset)" -NoNewline; break }
'Rainbow' {
[System.Object[]]$Colors = @(
[System.Drawing.Color]::Pink,
@@ -463,7 +463,7 @@ function Get-AvailableRemovableDrives {
# Write an exit option at the end of the table
Write-Host ('{0,-4}' -f "$ExitCodeRemovableDriveSelection") -NoNewline -ForegroundColor DarkRed
- Write-Host '|Skip encryptions altogether' -ForegroundColor DarkRed
+ Write-Host -Object '|Skip encryptions altogether' -ForegroundColor DarkRed
# A function to validate the user input
function Confirm-Choice {
@@ -487,12 +487,12 @@ function Get-AvailableRemovableDrives {
# Prompt the user to enter the number of the drive they want to select, or exit value to exit, until they enter a valid input
do {
# Read the user input as a string
- [System.String]$Choice = $(Write-Host "Enter the number of the drive you want to select or press $ExitCodeRemovableDriveSelection to Cancel" -ForegroundColor cyan; Read-Host)
+ [System.String]$Choice = $(Write-Host -Object "Enter the number of the drive you want to select or press $ExitCodeRemovableDriveSelection to Cancel" -ForegroundColor cyan; Read-Host)
# Check if the input is valid using the Confirm-Choice function
if (-not (Confirm-Choice $Choice)) {
# Write an error message in red if invalid
- Write-Host "Invalid input. Please enter a number between 1 and $ExitCodeRemovableDriveSelection." -ForegroundColor Red
+ Write-Host -Object "Invalid input. Please enter a number between 1 and $ExitCodeRemovableDriveSelection." -ForegroundColor Red
}
} while (-not (Confirm-Choice $Choice))
@@ -542,21 +542,21 @@ try {
# Check the current hard-coded version against the latest version online
# the messages can technically only be seen if installing the script in standalone mode using old Windows PowerShell
if ($CurrentVersion -lt $LatestVersion) {
- Write-Host "The currently installed script's version is $CurrentVersion while the latest version is $LatestVersion" -ForegroundColor Cyan
- Write-Host 'Please update your script using:' -ForegroundColor Yellow
- Write-Host "Update-Script -Name 'Harden-Windows-Security' -Force" -ForegroundColor Green
- Write-Host 'and run it again after that.' -ForegroundColor Yellow
- Write-Host 'You can view the change log on GitHub: https://github.com/HotCakeX/Harden-Windows-Security/releases' -ForegroundColor Magenta
+ Write-Host -Object "The currently installed script's version is $CurrentVersion while the latest version is $LatestVersion" -ForegroundColor Cyan
+ Write-Host -Object 'Please update your script using:' -ForegroundColor Yellow
+ Write-Host -Object "Update-Script -Name 'Harden-Windows-Security' -Force" -ForegroundColor Green
+ Write-Host -Object 'and run it again after that.' -ForegroundColor Yellow
+ Write-Host -Object 'You can view the change log on GitHub: https://github.com/HotCakeX/Harden-Windows-Security/releases' -ForegroundColor Magenta
break
}
- Write-Host "`r`n"
+ Write-Host -Object "`r`n"
Write-SmartText -CustomColor Rainbow -GenericColor Cyan -InputText "############################################################################################################`r`n"
Write-SmartText -CustomColor MintGreen -GenericColor Cyan -InputText "### Please read the Readme in the GitHub repository: https://github.com/HotCakeX/Harden-Windows-Security ###`r`n"
Write-SmartText -CustomColor Rainbow -GenericColor Cyan -InputText "############################################################################################################`r`n"
# Show a prompt to the user if they're using the old PowerShell
- if ($PSVersionTable.PSEdition -eq 'Desktop') { Write-Host "You're using old PowerShell. Please use the new PowerShell Core for much better styling and performance:`nhttps://apps.microsoft.com/detail/powershell/9MZ1SNWT0N5D" -ForegroundColor Yellow }
+ if ($PSVersionTable.PSEdition -eq 'Desktop') { Write-Host -Object "You're using old PowerShell. Please use the new PowerShell Core for much better styling and performance:`nhttps://apps.microsoft.com/detail/powershell/9MZ1SNWT0N5D" -ForegroundColor Yellow }
#region RequirementsCheck
# check if user's OS is Windows Home edition
@@ -678,25 +678,25 @@ try {
# a switch for when the original URLs are failing and to provide Alt URL
switch ($Tag) {
'Security-Baselines-X' {
- Write-Host 'Using Azure DevOps for Security-Baselines-X.zip' -ForegroundColor Yellow
+ Write-Host -Object 'Using Azure DevOps for Security-Baselines-X.zip' -ForegroundColor Yellow
[System.Uri]$AltURL = 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Payload/Security-Baselines-X.zip'
$WC.DownloadFile($AltURL, $Path)
break
}
'Registry' {
- Write-Host 'Using Azure DevOps for Registry.csv' -ForegroundColor Yellow
+ Write-Host -Object 'Using Azure DevOps for Registry.csv' -ForegroundColor Yellow
[System.Uri]$AltURL = 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Payload/Registry.csv'
$WC.DownloadFile($AltURL, $Path)
break
}
'ProcessMitigations' {
- Write-Host 'Using Azure DevOps for ProcessMitigations.CSV' -ForegroundColor Yellow
+ Write-Host -Object 'Using Azure DevOps for ProcessMitigations.CSV' -ForegroundColor Yellow
[System.Uri]$AltURL = 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Payload/ProcessMitigations.csv'
$WC.DownloadFile($AltURL, $Path)
break
}
'EventViewerCustomViews' {
- Write-Host 'Using Azure DevOps for EventViewerCustomViews.zip' -ForegroundColor Yellow
+ Write-Host -Object 'Using Azure DevOps for EventViewerCustomViews.zip' -ForegroundColor Yellow
[System.Uri]$AltURL = 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Payload/EventViewerCustomViews.zip'
$WC.DownloadFile($AltURL, $Path)
break
@@ -761,7 +761,7 @@ try {
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x30 /f
- Write-Host 'The required security measures have been applied to the system' -ForegroundColor Green
+ Write-Host -Object 'The required security measures have been applied to the system' -ForegroundColor Green
Write-Warning 'Make sure to restart your device once. After restart, wait for at least 5-10 minutes and perform a 2nd restart to finish applying security measures completely.'
} 'No' { break }
'Exit' { &$CleanUp }
@@ -1114,11 +1114,11 @@ try {
# Enables or disables DMA protection from Bitlocker Countermeasures based on the status of Kernel DMA protection.
if ($BootDMAProtection) {
- Write-Host 'Kernel DMA protection is enabled on the system, disabling Bitlocker DMA protection.' -ForegroundColor Blue
+ Write-Host -Object 'Kernel DMA protection is enabled on the system, disabling Bitlocker DMA protection.' -ForegroundColor Blue
.\LGPO.exe /q /m '..\Security-Baselines-X\Overrides for Microsoft Security Baseline\Bitlocker DMA\Bitlocker DMA Countermeasure OFF\Registry.pol'
}
else {
- Write-Host 'Kernel DMA protection is unavailable on the system, enabling Bitlocker DMA protection.' -ForegroundColor Blue
+ Write-Host -Object 'Kernel DMA protection is unavailable on the system, enabling Bitlocker DMA protection.' -ForegroundColor Blue
.\LGPO.exe /q /m '..\Security-Baselines-X\Overrides for Microsoft Security Baseline\Bitlocker DMA\Bitlocker DMA Countermeasure ON\Registry.pol'
}
@@ -1134,8 +1134,8 @@ try {
# check make sure Bitlocker isn't in the middle of decryption/encryption operation (on System Drive)
if ((Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $env:SystemDrive).EncryptionPercentage -ne '100' -and (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $env:SystemDrive).EncryptionPercentage -ne '0') {
$EncryptionPercentageVar = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $env:SystemDrive).EncryptionPercentage
- Write-Host "`nPlease wait for Bitlocker to finish encrypting or decrypting the Operation System Drive." -ForegroundColor Yellow
- Write-Host "Drive $env:SystemDrive encryption is currently at $EncryptionPercentageVar percent." -ForegroundColor Yellow
+ Write-Host -Object "`nPlease wait for Bitlocker to finish encrypting or decrypting the Operation System Drive." -ForegroundColor Yellow
+ Write-Host -Object "Drive $env:SystemDrive encryption is currently at $EncryptionPercentageVar percent." -ForegroundColor Yellow
# break from the entire BitLocker category and continue to the next category
break BitLockerCategoryLabel
}
@@ -1226,7 +1226,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# If the OS Drive doesn't have (TPM + PIN) key protector
if ($KeyProtectorTypesOSDrive -notcontains 'Tpmpin') {
- Write-Host "`nTPM and Start up PIN are missing, adding them now..." -ForegroundColor Cyan
+ Write-Host -Object "`nTPM and Start up PIN are missing, adding them now..." -ForegroundColor Cyan
do {
[securestring]$Pin1 = $(Write-SmartText -C PinkBold -G Magenta -I "`nEnter a Pin for Bitlocker startup (between 10 to 20 characters)"; Read-Host -AsSecureString)
@@ -1238,7 +1238,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
if ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) ) {
[securestring]$Pin = $Pin1
}
- else { Write-Host 'Please ensure that the PINs you entered match, and that they are between 10 to 20 characters.' -ForegroundColor red }
+ else { Write-Host -Object 'Please ensure that the PINs you entered match, and that they are between 10 to 20 characters.' -ForegroundColor red }
}
# Repeat this process until the entered PINs match and they are at least 10 characters long, max 20 characters
until ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) )
@@ -1249,7 +1249,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-SmartText -C MintGreen -G Green -I "`nPINs matched, enabling TPM and startup PIN now`n"
}
catch {
- Write-Host 'These errors occured, run Bitlocker category again after meeting the requirements' -ForegroundColor Red
+ Write-Host -Object 'These errors occured, run Bitlocker category again after meeting the requirements' -ForegroundColor Red
$_
break BitLockerCategoryLabel
}
@@ -1260,7 +1260,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Backup the recovery code of the OS drive in a file just in case - This is for when the disk is automatically encrypted and using TPM + Recovery code by default
New-Item -Path "$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt" -Value $(&$RecoveryPasswordContentGenerator $KeyProtectorsOSDrive) -ItemType File -Force | Out-Null
- Write-Host "The recovery password was backed up in a text file in '$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt'" -ForegroundColor Cyan
+ Write-Host -Object "The recovery password was backed up in a text file in '$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt'" -ForegroundColor Cyan
}
}
@@ -1268,7 +1268,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Do this if Bitlocker is not enabled for the OS drive at all
else {
- Write-Host "`nBitlocker is not enabled for the OS Drive, activating it now..." -ForegroundColor Yellow
+ Write-Host -Object "`nBitlocker is not enabled for the OS Drive, activating it now..." -ForegroundColor Yellow
do {
[securestring]$Pin1 = $(Write-SmartText -C PinkBold -G Magenta -I 'Enter a Pin for Bitlocker startup (between 10 to 20 characters)'; Read-Host -AsSecureString)
[securestring]$Pin2 = $(Write-SmartText -C PinkBold -G Magenta -I 'Confirm your Bitlocker Startup Pin (between 10 to 20 characters)'; Read-Host -AsSecureString)
@@ -1278,7 +1278,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
if ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) ) {
[securestring]$Pin = $Pin1
}
- else { Write-Host 'Please ensure that the PINs you entered match, and that they are between 10 to 20 characters.' -ForegroundColor red }
+ else { Write-Host -Object 'Please ensure that the PINs you entered match, and that they are between 10 to 20 characters.' -ForegroundColor red }
}
until ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) )
@@ -1287,7 +1287,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod 'XtsAes256' -Pin $Pin -TpmAndPinProtector -SkipHardwareTest -ErrorAction Stop *> $null
}
catch {
- Write-Host 'These errors occured, run Bitlocker category again after meeting the requirements' -ForegroundColor Red
+ Write-Host -Object 'These errors occured, run Bitlocker category again after meeting the requirements' -ForegroundColor Red
$_
break BitLockerCategoryLabel
}
@@ -1303,7 +1303,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Resume-BitLocker -MountPoint $env:SystemDrive | Out-Null
Write-SmartText -C MintGreen -G Green -I "`nBitlocker is now enabled for the OS drive with Normal security level."
- Write-Host "The recovery password will be saved in a text file in '$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt'" -ForegroundColor Cyan
+ Write-Host -Object "The recovery password will be saved in a text file in '$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt'" -ForegroundColor Cyan
}
}
@@ -1379,7 +1379,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
if ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) ) {
[securestring]$Pin = $Pin1
}
- else { Write-Host 'Please ensure that the PINs you entered match, and that they are between 10 to 20 characters.' -ForegroundColor red }
+ else { Write-Host -Object 'Please ensure that the PINs you entered match, and that they are between 10 to 20 characters.' -ForegroundColor red }
}
# Repeat this process until the entered PINs match and they are at least 10 characters long, max 20 characters
until ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) )
@@ -1391,7 +1391,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmAndPinAndStartupKeyProtector -StartupKeyPath (Get-AvailableRemovableDrives) -Pin $Pin -ErrorAction Stop | Out-Null
}
catch {
- Write-Host 'There was a problem adding Startup Key to the removable drive, try ejecting and reinserting the flash drive into your device and run this category again.' -ForegroundColor Red
+ Write-Host -Object 'There was a problem adding Startup Key to the removable drive, try ejecting and reinserting the flash drive into your device and run this category again.' -ForegroundColor Red
$_
break BitLockerCategoryLabel
}
@@ -1402,7 +1402,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Backup the recovery code of the OS drive in a file just in case - This is for when the disk is automatically encrypted and using TPM + Recovery code by default
New-Item -Path "$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt" -Value $(&$RecoveryPasswordContentGenerator $KeyProtectorsOSDrive) -ItemType File -Force | Out-Null
- Write-Host "The recovery password was backed up in a text file in '$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt'" -ForegroundColor Cyan
+ Write-Host -Object "The recovery password was backed up in a text file in '$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt'" -ForegroundColor Cyan
}
}
@@ -1410,7 +1410,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Do this if Bitlocker is not enabled for the OS drive at all
else {
- Write-Host "`nBitlocker is not enabled for the OS Drive, activating it now..." -ForegroundColor Yellow
+ Write-Host -Object "`nBitlocker is not enabled for the OS Drive, activating it now..." -ForegroundColor Yellow
do {
[securestring]$Pin1 = $(Write-SmartText -C PinkBold -G Magenta -I "`nEnter a Pin for Bitlocker startup (between 10 to 20 characters)"; Read-Host -AsSecureString)
@@ -1422,7 +1422,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
if ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) ) {
[securestring]$Pin = $Pin1
}
- else { Write-Host 'Please ensure that the PINs you entered match, and that they are between 10 to 20 characters.' -ForegroundColor red }
+ else { Write-Host -Object 'Please ensure that the PINs you entered match, and that they are between 10 to 20 characters.' -ForegroundColor red }
}
# Repeat this process until the entered PINs match and they are at least 10 characters long, max 20 characters
until ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) )
@@ -1434,7 +1434,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod 'XtsAes256' -TpmAndPinAndStartupKeyProtector -StartupKeyPath (Get-AvailableRemovableDrives) -Pin $Pin -SkipHardwareTest -ErrorAction Stop *> $null
}
catch {
- Write-Host 'There was a problem adding Startup Key to the removable drive, try ejecting and reinserting the flash drive into your device and run this category again.' -ForegroundColor Red
+ Write-Host -Object 'There was a problem adding Startup Key to the removable drive, try ejecting and reinserting the flash drive into your device and run this category again.' -ForegroundColor Red
$_
break BitLockerCategoryLabel
}
@@ -1451,7 +1451,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Resume-BitLocker -MountPoint $env:SystemDrive | Out-Null
Write-SmartText -C MintGreen -G Green -I "`nBitlocker is now enabled for the OS drive with Enhanced security level."
- Write-Host "The recovery password will be saved in a text file in '$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt'" -ForegroundColor Cyan
+ Write-Host -Object "The recovery password will be saved in a text file in '$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt'" -ForegroundColor Cyan
}
}
'Skip encryptions altogether' { break BitLockerCategoryLabel } # Exit the entire BitLocker category, only
@@ -1525,13 +1525,13 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
if ((Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).EncryptionPercentage -ne '100' -and (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).EncryptionPercentage -ne '0') {
# Check if the drive isn't already encrypted and locked
if ((Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).lockstatus -eq 'Locked') {
- Write-Host "`nThe drive $MountPoint is already encrypted and locked." -ForegroundColor Magenta
+ Write-Host -Object "`nThe drive $MountPoint is already encrypted and locked." -ForegroundColor Magenta
break
}
else {
$EncryptionPercentageVar = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).EncryptionPercentage
- Write-Host "`nPlease wait for Bitlocker to finish encrypting or decrypting drive $MountPoint" -ForegroundColor Magenta
- Write-Host "Drive $MountPoint encryption is currently at $EncryptionPercentageVar percent." -ForegroundColor Magenta
+ Write-Host -Object "`nPlease wait for Bitlocker to finish encrypting or decrypting drive $MountPoint" -ForegroundColor Magenta
+ Write-Host -Object "Drive $MountPoint encryption is currently at $EncryptionPercentageVar percent." -ForegroundColor Magenta
break
}
}
@@ -1683,7 +1683,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
New-Item -Path "$MountPoint\Drive $($MountPoint.Remove(1)) recovery password.txt" -Value $(&$RecoveryPasswordContentGenerator $KeyProtectorsNonOS) -ItemType File -Force | Out-Null
Write-SmartText -C MintGreen -G Green -I "`nBitLocker has started encrypting drive $MountPoint"
- Write-Host "Recovery password will be saved in a text file in '$($MountPoint)\Drive $($MountPoint.Remove(1)) recovery password.txt'" -ForegroundColor Cyan
+ Write-Host -Object "Recovery password will be saved in a text file in '$($MountPoint)\Drive $($MountPoint.Remove(1)) recovery password.txt'" -ForegroundColor Cyan
}
} 'No' { break }
'Exit' { &$CleanUp }
@@ -1870,10 +1870,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# since PowerShell Core (only if installed from Microsoft Store) has problem with these commands, making sure the built-in PowerShell handles them
# There are Github issues for it already: https://github.com/PowerShell/PowerShell/issues/13866
- powershell.exe {
+ powershell.exe -Command {
# Disable PowerShell v2 (part 1)
- Write-Host "`nDisabling PowerShellv2 1st part" -ForegroundColor Yellow
+ Write-Host -Object "`nDisabling PowerShellv2 1st part" -ForegroundColor Yellow
if ((Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2).state -eq 'enabled') {
try {
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -NoRestart -ErrorAction Stop
@@ -1884,16 +1884,16 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host 'PowerShellv2 1st part is already disabled' -ForegroundColor Green
+ Write-Host -Object 'PowerShellv2 1st part is already disabled' -ForegroundColor Green
}
# Disable PowerShell v2 (part 2)
- Write-Host "`nDisabling PowerShellv2 2nd part" -ForegroundColor Yellow
+ Write-Host -Object "`nDisabling PowerShellv2 2nd part" -ForegroundColor Yellow
if ((Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root).state -eq 'enabled') {
try {
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart -ErrorAction Stop
# Shows the successful message only if removal process was successful
- Write-Host 'PowerShellv2 2nd part was successfully disabled' -ForegroundColor Green
+ Write-Host -Object 'PowerShellv2 2nd part was successfully disabled' -ForegroundColor Green
}
catch {
# show error
@@ -1901,16 +1901,16 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host 'PowerShellv2 2nd part is already disabled' -ForegroundColor Green
+ Write-Host -Object 'PowerShellv2 2nd part is already disabled' -ForegroundColor Green
}
# Disable Work Folders client
- Write-Host "`nDisabling Work Folders" -ForegroundColor Yellow
+ Write-Host -Object "`nDisabling Work Folders" -ForegroundColor Yellow
if ((Get-WindowsOptionalFeature -Online -FeatureName WorkFolders-Client).state -eq 'enabled') {
try {
Disable-WindowsOptionalFeature -Online -FeatureName WorkFolders-Client -NoRestart -ErrorAction Stop
# Shows the successful message only if removal process was successful
- Write-Host 'Work Folders was successfully disabled' -ForegroundColor Green
+ Write-Host -Object 'Work Folders was successfully disabled' -ForegroundColor Green
}
catch {
#show error
@@ -1918,16 +1918,16 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host 'Work Folders is already disabled' -ForegroundColor Green
+ Write-Host -Object 'Work Folders is already disabled' -ForegroundColor Green
}
# Disable Internet Printing Client
- Write-Host "`nDisabling Internet Printing Client" -ForegroundColor Yellow
+ Write-Host -Object "`nDisabling Internet Printing Client" -ForegroundColor Yellow
if ((Get-WindowsOptionalFeature -Online -FeatureName Printing-Foundation-Features).state -eq 'enabled') {
try {
Disable-WindowsOptionalFeature -Online -FeatureName Printing-Foundation-Features -NoRestart -ErrorAction Stop
# Shows the successful message only if removal process was successful
- Write-Host 'Internet Printing Client was successfully disabled' -ForegroundColor Green
+ Write-Host -Object 'Internet Printing Client was successfully disabled' -ForegroundColor Green
}
catch {
# show errors
@@ -1935,16 +1935,16 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host 'Internet Printing Client is already disabled' -ForegroundColor Green
+ Write-Host -Object 'Internet Printing Client is already disabled' -ForegroundColor Green
}
# Uninstall Windows Media Player (legacy)
- Write-Host "`nUninstalling Windows Media Player (legacy)" -ForegroundColor Yellow
+ Write-Host -Object "`nUninstalling Windows Media Player (legacy)" -ForegroundColor Yellow
if ((Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Media.WindowsMediaPlayer*' }).state -ne 'NotPresent') {
try {
Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Media.WindowsMediaPlayer*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
- Write-Host 'Windows Media Player (legacy) has been uninstalled.' -ForegroundColor Green
+ Write-Host -Object 'Windows Media Player (legacy) has been uninstalled.' -ForegroundColor Green
}
catch {
# show error
@@ -1952,16 +1952,16 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host 'Windows Media Player (legacy) is already uninstalled.' -ForegroundColor Green
+ Write-Host -Object 'Windows Media Player (legacy) is already uninstalled.' -ForegroundColor Green
}
# Enable Microsoft Defender Application Guard
- Write-Host "`nEnabling Microsoft Defender Application Guard" -ForegroundColor Yellow
+ Write-Host -Object "`nEnabling Microsoft Defender Application Guard" -ForegroundColor Yellow
if ((Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard).state -eq 'disabled') {
try {
Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart -ErrorAction Stop
# Shows the successful message only if enablement process was successful
- Write-Host 'Microsoft Defender Application Guard was successfully enabled' -ForegroundColor Green
+ Write-Host -Object 'Microsoft Defender Application Guard was successfully enabled' -ForegroundColor Green
}
catch {
# show errors
@@ -1969,21 +1969,21 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host 'Microsoft Defender Application Guard is already enabled' -ForegroundColor Green
+ Write-Host -Object 'Microsoft Defender Application Guard is already enabled' -ForegroundColor Green
}
}
# Need to split the commands in 2 scriptblocks so we don't get "program PowerShell.exe failed to run: The filename or extension is too long" error
- powershell.exe {
+ powershell.exe -Command {
# Enable Windows Sandbox
- Write-Host "`nEnabling Windows Sandbox" -ForegroundColor Yellow
+ Write-Host -Object "`nEnabling Windows Sandbox" -ForegroundColor Yellow
if ((Get-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM).state -eq 'disabled') {
try {
Enable-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM -All -NoRestart -ErrorAction Stop
# Shows the successful message only if enablement process was successful
- Write-Host 'Windows Sandbox was successfully enabled' -ForegroundColor Green
+ Write-Host -Object 'Windows Sandbox was successfully enabled' -ForegroundColor Green
}
catch {
# show errors
@@ -1991,16 +1991,16 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host 'Windows Sandbox is already enabled' -ForegroundColor Green
+ Write-Host -Object 'Windows Sandbox is already enabled' -ForegroundColor Green
}
# Enable Hyper-V
- Write-Host "`nEnabling Hyper-V" -ForegroundColor Yellow
+ Write-Host -Object "`nEnabling Hyper-V" -ForegroundColor Yellow
if ((Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V).state -eq 'disabled') {
try {
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart -ErrorAction Stop
# Shows the successful message only if enablement process was successful
- Write-Host 'Hyper-V was successfully enabled' -ForegroundColor Green
+ Write-Host -Object 'Hyper-V was successfully enabled' -ForegroundColor Green
}
catch {
# show errors
@@ -2008,16 +2008,16 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host 'Hyper-V is already enabled' -ForegroundColor Green
+ Write-Host -Object 'Hyper-V is already enabled' -ForegroundColor Green
}
# Enable Virtual Machine Platform
- Write-Host "`nEnabling Virtual Machine Platform" -ForegroundColor Yellow
+ Write-Host -Object "`nEnabling Virtual Machine Platform" -ForegroundColor Yellow
if ((Get-WindowsOptionalFeature -Online -FeatureName VirtualMachinePlatform).state -eq 'disabled') {
try {
Enable-WindowsOptionalFeature -Online -FeatureName VirtualMachinePlatform -NoRestart -ErrorAction Stop
# Shows the successful message only if enablement process was successful
- Write-Host 'Virtual Machine Platform was successfully enabled' -ForegroundColor Green
+ Write-Host -Object 'Virtual Machine Platform was successfully enabled' -ForegroundColor Green
}
catch {
# show errors
@@ -2025,16 +2025,16 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host 'Virtual Machine Platform is already enabled' -ForegroundColor Green
+ Write-Host -Object 'Virtual Machine Platform is already enabled' -ForegroundColor Green
}
# Uninstall VBScript that is now uninstallable as an optional features since Windows 11 insider Dev build 25309 - Won't do anything in other builds
if (Get-WindowsCapability -Online | Where-Object { $_.Name -like '*VBSCRIPT*' }) {
try {
- Write-Host "`nUninstalling VBSCRIPT" -ForegroundColor Yellow
+ Write-Host -Object "`nUninstalling VBSCRIPT" -ForegroundColor Yellow
Get-WindowsCapability -Online | Where-Object { $_.Name -like '*VBSCRIPT*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
- Write-Host 'VBSCRIPT has been uninstalled' -ForegroundColor Green
+ Write-Host -Object 'VBSCRIPT has been uninstalled' -ForegroundColor Green
}
catch {
# show errors
@@ -2043,12 +2043,12 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
# Uninstall Internet Explorer mode functionality for Edge
- Write-Host "`nUninstalling Internet Explorer mode functionality for Edge" -ForegroundColor Yellow
+ Write-Host -Object "`nUninstalling Internet Explorer mode functionality for Edge" -ForegroundColor Yellow
if ((Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Browser.InternetExplorer*' }).state -ne 'NotPresent') {
try {
Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Browser.InternetExplorer*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
- Write-Host 'Internet Explorer mode functionality for Edge has been uninstalled' -ForegroundColor Green
+ Write-Host -Object 'Internet Explorer mode functionality for Edge has been uninstalled' -ForegroundColor Green
}
catch {
# show errors
@@ -2056,16 +2056,16 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host 'Internet Explorer mode functionality for Edge is already uninstalled.' -ForegroundColor Green
+ Write-Host -Object 'Internet Explorer mode functionality for Edge is already uninstalled.' -ForegroundColor Green
}
# Uninstall WMIC
- Write-Host "`nUninstalling WMIC" -ForegroundColor Yellow
+ Write-Host -Object "`nUninstalling WMIC" -ForegroundColor Yellow
if ((Get-WindowsCapability -Online | Where-Object { $_.Name -like '*wmic*' }).state -ne 'NotPresent') {
try {
Get-WindowsCapability -Online | Where-Object { $_.Name -like '*wmic*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
- Write-Host 'WMIC has been uninstalled' -ForegroundColor Green
+ Write-Host -Object 'WMIC has been uninstalled' -ForegroundColor Green
}
catch {
# show error
@@ -2073,16 +2073,16 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host 'WMIC is already uninstalled.' -ForegroundColor Green
+ Write-Host -Object 'WMIC is already uninstalled.' -ForegroundColor Green
}
# Uninstall Legacy Notepad
- Write-Host "`nUninstalling Legacy Notepad" -ForegroundColor Yellow
+ Write-Host -Object "`nUninstalling Legacy Notepad" -ForegroundColor Yellow
if ((Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Microsoft.Windows.Notepad.System*' }).state -ne 'NotPresent') {
try {
Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Microsoft.Windows.Notepad.System*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
- Write-Host 'Legacy Notepad has been uninstalled. The modern multi-tabbed Notepad is unaffected.' -ForegroundColor Green
+ Write-Host -Object 'Legacy Notepad has been uninstalled. The modern multi-tabbed Notepad is unaffected.' -ForegroundColor Green
}
catch {
# show error
@@ -2090,16 +2090,16 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host 'Legacy Notepad is already uninstalled.' -ForegroundColor Green
+ Write-Host -Object 'Legacy Notepad is already uninstalled.' -ForegroundColor Green
}
# Uninstall WordPad
- Write-Host "`nUninstalling WordPad" -ForegroundColor Yellow
+ Write-Host -Object "`nUninstalling WordPad" -ForegroundColor Yellow
if ((Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Microsoft.Windows.WordPad*' }).state -ne 'NotPresent') {
try {
Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Microsoft.Windows.WordPad*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
- Write-Host 'WordPad has been uninstalled.' -ForegroundColor Green
+ Write-Host -Object 'WordPad has been uninstalled.' -ForegroundColor Green
}
catch {
# show error
@@ -2107,16 +2107,16 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host 'WordPad is already uninstalled.' -ForegroundColor Green
+ Write-Host -Object 'WordPad is already uninstalled.' -ForegroundColor Green
}
# Uninstall PowerShell ISE
- Write-Host "`nUninstalling PowerShell ISE" -ForegroundColor Yellow
+ Write-Host -Object "`nUninstalling PowerShell ISE" -ForegroundColor Yellow
if ((Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Microsoft.Windows.PowerShell.ISE*' }).state -ne 'NotPresent') {
try {
Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Microsoft.Windows.PowerShell.ISE*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
- Write-Host 'PowerShell ISE has been uninstalled.' -ForegroundColor Green
+ Write-Host -Object 'PowerShell ISE has been uninstalled.' -ForegroundColor Green
}
catch {
# show error
@@ -2124,19 +2124,19 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host 'PowerShell ISE is already uninstalled.' -ForegroundColor Green
+ Write-Host -Object 'PowerShell ISE is already uninstalled.' -ForegroundColor Green
}
}
- powershell.exe {
+ powershell.exe -Command {
# Uninstall Steps Recorder
- Write-Host "`nUninstalling Steps Recorder" -ForegroundColor Yellow
+ Write-Host -Object "`nUninstalling Steps Recorder" -ForegroundColor Yellow
if ((Get-WindowsCapability -Online | Where-Object { $_.Name -like '*App.StepsRecorder*' }).state -ne 'NotPresent') {
try {
Get-WindowsCapability -Online | Where-Object { $_.Name -like '*App.StepsRecorder*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
- Write-Host 'Steps Recorder has been uninstalled.' -ForegroundColor Green
+ Write-Host -Object 'Steps Recorder has been uninstalled.' -ForegroundColor Green
}
catch {
# show error
@@ -2144,7 +2144,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host 'Steps Recorder is already uninstalled.' -ForegroundColor Green
+ Write-Host -Object 'Steps Recorder is already uninstalled.' -ForegroundColor Green
}
}
@@ -2309,13 +2309,13 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
catch {
- Write-Host "sigcheck64.exe couldn't be downloaded from https://live.sysinternals.com" -ForegroundColor Red
+ Write-Host -Object "sigcheck64.exe couldn't be downloaded from https://live.sysinternals.com" -ForegroundColor Red
break
}
- Write-Host -NoNewline "`nListing valid certificates not rooted to the Microsoft Certificate Trust List in the" -ForegroundColor Yellow; Write-Host " User store`n" -ForegroundColor cyan
+ Write-Host -NoNewline "`nListing valid certificates not rooted to the Microsoft Certificate Trust List in the" -ForegroundColor Yellow; Write-Host -Object " User store`n" -ForegroundColor cyan
.\sigcheck64.exe -tuv -accepteula -nobanner
- Write-Host -NoNewline "`nListing valid certificates not rooted to the Microsoft Certificate Trust List in the" -ForegroundColor Yellow; Write-Host " Machine Store`n" -ForegroundColor Blue
+ Write-Host -NoNewline "`nListing valid certificates not rooted to the Microsoft Certificate Trust List in the" -ForegroundColor Yellow; Write-Host -Object " Machine Store`n" -ForegroundColor Blue
.\sigcheck64.exe -tv -accepteula -nobanner
Remove-Item -Path .\sigcheck64.exe -Force
} 'No' { break }
@@ -2348,7 +2348,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# makes sure the list isn't empty
if ($IPList.count -eq 0) {
- Write-Host "The IP list was empty, skipping $ListName" -ForegroundColor Yellow
+ Write-Host -Object "The IP list was empty, skipping $ListName" -ForegroundColor Yellow
break
}
@@ -2401,7 +2401,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Payload/Registry.csv' -OutFile '.\Registry.csv' -ErrorAction Stop
}
catch {
- Write-Host 'Using Azure DevOps...' -ForegroundColor Yellow
+ Write-Host -Object 'Using Azure DevOps...' -ForegroundColor Yellow
Invoke-WebRequest -Uri 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Payload/Registry.csv' -OutFile '.\Registry.csv' -ErrorAction Stop
}
}
@@ -2414,7 +2414,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Only suggest restarting the device if Admin related categories were run
if (Test-IsAdmin) {
- Write-Host "`r`n"
+ Write-Host -Object "`r`n"
Write-SmartText -C Rainbow -G Cyan -I "################################################################################################`r`n"
Write-SmartText -C MintGreen -G Cyan -I "### Please Restart your device to completely apply the security measures and Group Policies ###`r`n"
Write-SmartText -C Rainbow -G Cyan -I "################################################################################################`r`n"
From 5894f3cdd6d593ea63b7063616dcc0c5aa33cbfe Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Sun, 10 Dec 2023 11:11:51 -0930
Subject: [PATCH 02/79] Improved code best practices
---
Harden-Windows-Security.ps1 | 114 ++++++++++++++++++------------------
1 file changed, 57 insertions(+), 57 deletions(-)
diff --git a/Harden-Windows-Security.ps1 b/Harden-Windows-Security.ps1
index 1997bbb53..9ce3ed16a 100644
--- a/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security.ps1
@@ -307,7 +307,7 @@ Function Write-SmartText {
$Color = $Colors[$I % $Colors.Length]
$Output += "$($PSStyle.Foreground.FromRGB($Color.R, $Color.G, $Color.B))$($PSStyle.Blink)$($InputText[$I])$($PSStyle.BlinkOff)$($PSStyle.Reset)"
}
- Write-Output $Output
+ Write-Output -InputObject $Output
break
}
@@ -316,10 +316,10 @@ Function Write-SmartText {
}
else {
if ($NoNewLineLegacy) {
- Write-Host $InputText -ForegroundColor $GenericColor -NoNewline
+ Write-Host -Object $InputText -ForegroundColor $GenericColor -NoNewline
}
else {
- Write-Host $InputText -ForegroundColor $GenericColor
+ Write-Host -Object $InputText -ForegroundColor $GenericColor
}
}
@@ -331,8 +331,8 @@ function Get-AvailableRemovableDrives {
# An empty array of objects that holds the final removable drives list
[System.Object[]]$AvailableRemovableDrives = @()
- Get-Volume | Where-Object { $_.DriveLetter -and $_.DriveType -eq 'Removable' } |
- ForEach-Object {
+ Get-Volume | Where-Object -FilterScript { $_.DriveLetter -and $_.DriveType -eq 'Removable' } |
+ ForEach-Object -Process {
# Prepare to create an extremely random file name
[System.String]$Path = "$($_.DriveLetter + ':')\$(New-Guid).$(Get-Random -Maximum 400)"
@@ -366,8 +366,8 @@ function Get-AvailableRemovableDrives {
# An empty array of objects that holds the final removable drives list
[System.Object[]]$AvailableRemovableDrives = @()
- Get-Volume | Where-Object { $_.DriveLetter -and $_.DriveType -eq 'Removable' } |
- ForEach-Object {
+ Get-Volume | Where-Object -FilterScript { $_.DriveLetter -and $_.DriveType -eq 'Removable' } |
+ ForEach-Object -Process {
# Prepare to create an extremely random file name
[System.String]$ExtremelyRandomPath = "$($_.DriveLetter + ':')\$(New-Guid).$(Get-Random -Maximum 400)"
@@ -629,7 +629,7 @@ try {
Set-Location $HOME
Remove-Item -Recurse -Path "$global:UserTempDirectoryPath\HardeningXStuff\" -Force
# Disable progress bars
- 0..6 | ForEach-Object { Write-Progress -Id $_ -Activity 'Done' -Completed }
+ 0..6 | ForEach-Object -Process { Write-Progress -Id $_ -Activity 'Done' -Completed }
exit
}
@@ -716,7 +716,7 @@ try {
Write-Progress -Id 1 -ParentId 0 -Activity "Downloading $($file.tag)" -Status "$RequiredFilesCounter of $TotalRequiredFiles" -PercentComplete ($RequiredFilesCounter / $TotalRequiredFiles * 100)
}
# Wait until all jobs are completed
- while ($Jobs | Where-Object { $_.State -ne 'Completed' }) {
+ while ($Jobs | Where-Object -FilterScript { $_.State -ne 'Completed' }) {
Start-Sleep -Milliseconds 700
}
@@ -876,7 +876,7 @@ try {
Set-MpPreference -EnableConvertWarnToBlock $True
# Add OneDrive folders of all user accounts (personal and work accounts) to the Controlled Folder Access for Ransomware Protection
- Get-ChildItem 'C:\Users\*\OneDrive*\' -Directory | ForEach-Object { Add-MpPreference -ControlledFolderAccessProtectedFolders $_ }
+ Get-ChildItem 'C:\Users\*\OneDrive*\' -Directory | ForEach-Object -Process { Add-MpPreference -ControlledFolderAccessProtectedFolders $_ }
# Enable Mandatory ASLR Exploit Protection system-wide
Set-ProcessMitigation -System -Enable ForceRelocateImages
@@ -910,10 +910,10 @@ try {
$ProgramName = $Group.Name
# Get the list of mitigations to enable
- $EnableMitigations = $Group.Group | Where-Object { $_.Action -eq 'Enable' } | Select-Object -ExpandProperty Mitigation
+ $EnableMitigations = $Group.Group | Where-Object -FilterScript { $_.Action -eq 'Enable' } | Select-Object -ExpandProperty Mitigation
# Get the list of mitigations to disable
- $DisableMitigations = $Group.Group | Where-Object { $_.Action -eq 'Disable' } | Select-Object -ExpandProperty Mitigation
+ $DisableMitigations = $Group.Group | Where-Object -FilterScript { $_.Action -eq 'Disable' } | Select-Object -ExpandProperty Mitigation
# Call the Set-ProcessMitigation cmdlet with the lists of mitigations
if ($null -ne $EnableMitigations) {
@@ -1151,13 +1151,13 @@ To verify that this is the correct recovery key, compare the start of the follow
Identifier:
- $(($KeyProtectorsInputFromScriptBlock | Where-Object { $_.keyprotectortype -eq 'RecoveryPassword' }).KeyProtectorId.Trim('{', '}'))
+ $(($KeyProtectorsInputFromScriptBlock | Where-Object -FilterScript { $_.keyprotectortype -eq 'RecoveryPassword' }).KeyProtectorId.Trim('{', '}'))
If the above identifier matches the one displayed by your PC, then use the following key to unlock your drive.
Recovery Key:
- $(($KeyProtectorsInputFromScriptBlock | Where-Object { $_.keyprotectortype -eq 'RecoveryPassword' }).RecoveryPassword)
+ $(($KeyProtectorsInputFromScriptBlock | Where-Object -FilterScript { $_.keyprotectortype -eq 'RecoveryPassword' }).RecoveryPassword)
If the above identifier doesn't match the one displayed by your PC, then this isn't the right key to unlock your drive.
Try another recovery key, or refer to https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview for additional assistance.
@@ -1200,7 +1200,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-SmartText -C MintGreen -G Green -I 'Bitlocker is already enabled for the OS drive with Normal security level.'
Write-SmartText -C Fuchsia -GenericColor Magenta -I 'Here is your 48-digits recovery password for the OS drive in case you were looking for it:'
- Write-SmartText -C Rainbow -GenericColor Yellow -I "$(($KeyProtectorsOSDrive | Where-Object { $_.keyprotectortype -eq 'RecoveryPassword' }).RecoveryPassword)"
+ Write-SmartText -C Rainbow -GenericColor Yellow -I "$(($KeyProtectorsOSDrive | Where-Object -FilterScript { $_.keyprotectortype -eq 'RecoveryPassword' }).RecoveryPassword)"
}
else {
@@ -1210,7 +1210,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
[System.String]$BitLockerMsg = "`nThe recovery password is missing, adding it now... `n" +
"It will be saved in a text file in '$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt'"
- Write-Host $BitLockerMsg -ForegroundColor Yellow
+ Write-Host -Object $BitLockerMsg -ForegroundColor Yellow
# Add RecoveryPasswordProtector key protector to the OS drive
Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector *> $null
@@ -1331,7 +1331,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-SmartText -C MintGreen -G Green -I 'Bitlocker is already enabled for the OS drive with Enhanced security level.'
Write-SmartText -C Fuchsia -GenericColor Magenta -I 'Here is your 48-digits recovery password for the OS drive in case you were looking for it:'
- Write-SmartText -C Rainbow -GenericColor Yellow -I "$(($KeyProtectorsOSDrive | Where-Object { $_.keyprotectortype -eq 'RecoveryPassword' }).RecoveryPassword)"
+ Write-SmartText -C Rainbow -GenericColor Yellow -I "$(($KeyProtectorsOSDrive | Where-Object -FilterScript { $_.keyprotectortype -eq 'RecoveryPassword' }).RecoveryPassword)"
}
else {
@@ -1341,7 +1341,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
[System.String]$BitLockerMsg = "`nThe recovery password is missing, adding it now... `n" +
"It will be saved in a text file in '$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt'"
- Write-Host $BitLockerMsg -ForegroundColor Yellow
+ Write-Host -Object $BitLockerMsg -ForegroundColor Yellow
# Add RecoveryPasswordProtector key protector to the OS drive
Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector *> $null
@@ -1364,8 +1364,8 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
if ($KeyProtectorTypesOSDrive -contains 'ExternalKey') {
(Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $env:SystemDrive).KeyProtector |
- Where-Object { $_.keyprotectortype -eq 'ExternalKey' } |
- ForEach-Object { Remove-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $_.KeyProtectorId | Out-Null }
+ Where-Object -FilterScript { $_.keyprotectortype -eq 'ExternalKey' } |
+ ForEach-Object -Process { Remove-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $_.KeyProtectorId | Out-Null }
}
@@ -1489,12 +1489,12 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Using -ErrorAction SilentlyContinue because after running the Microsoft Security baseline category, if there is a flash drive attached to the device, you "might" see this error: Device Id: \\?\Volume{83196d59-0000-0000-0000-107d00000000}\ does not have a corresponding volume.
# It only suppresses Non-terminating errors
[System.Object[]]$NonOSBitLockerVolumes = Get-BitLockerVolume -ErrorAction SilentlyContinue |
- Where-Object { $_.volumeType -ne 'OperatingSystem' }
+ Where-Object -FilterScript { $_.volumeType -ne 'OperatingSystem' }
# Get all the volumes and filter out removable ones
[System.Object[]]$RemovableVolumes = Get-Volume |
- Where-Object { $_.DriveType -eq 'Removable' } |
- Where-Object { $_.DriveLetter }
+ Where-Object -FilterScript { $_.DriveType -eq 'Removable' } |
+ Where-Object -FilterScript { $_.DriveLetter }
# Check if there is any removable volumes
if ($RemovableVolumes) {
@@ -1506,7 +1506,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Filter out removable drives from BitLocker volumes to process
$NonOSBitLockerVolumes = $NonOSBitLockerVolumes |
- Where-Object { ($_.MountPoint -notin $RemovableVolumesLetters) }
+ Where-Object -FilterScript { ($_.MountPoint -notin $RemovableVolumesLetters) }
}
#endregion Non-OS-BitLocker-Drives-Detection
@@ -1557,8 +1557,8 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Additional Check 1: if there are more than 1 ExternalKey key protector, try delete all of them and add a new one
# The external key protector that is being used to unlock the drive will not be deleted
((Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).KeyProtector |
- Where-Object { $_.keyprotectortype -eq 'ExternalKey' }).KeyProtectorId |
- ForEach-Object {
+ Where-Object -FilterScript { $_.keyprotectortype -eq 'ExternalKey' }).KeyProtectorId |
+ ForEach-Object -Process {
# -ErrorAction SilentlyContinue makes sure no error is thrown if the drive only has 1 External key key protector
# and it's being used to unlock the drive
Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_ -ErrorAction SilentlyContinue | Out-Null
@@ -1569,17 +1569,17 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Additional Check 2: if there are more than 1 Recovery Password, delete all of them and add a new one
[System.String[]]$RecoveryPasswordKeyProtectors = ((Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).KeyProtector |
- Where-Object { $_.keyprotectortype -eq 'RecoveryPassword' }).KeyProtectorId
+ Where-Object -FilterScript { $_.keyprotectortype -eq 'RecoveryPassword' }).KeyProtectorId
if ($RecoveryPasswordKeyProtectors.Count -gt 1) {
[System.String]$BitLockerMsg = "`nThere are more than 1 recovery password key protector associated with the drive $mountpoint `n" +
"Removing all of them and adding a new one. `n" +
"It will be saved in a text file in '$($MountPoint)\Drive $($MountPoint.Remove(1)) recovery password.txt'"
- Write-Host $BitLockerMsg -ForegroundColor Yellow
+ Write-Host -Object $BitLockerMsg -ForegroundColor Yellow
# Remove all of the recovery password key protectors of the selected Non-OS Drive
- $RecoveryPasswordKeyProtectors | ForEach-Object {
+ $RecoveryPasswordKeyProtectors | ForEach-Object -Process {
Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_ | Out-Null
}
@@ -1600,7 +1600,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
[System.Object[]]$KeyProtectorsNonOS = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).KeyProtector
Write-SmartText -C Fuchsia -GenericColor Magenta -I "Here is your 48-digits recovery password for drive $MountPoint in case you were looking for it:"
- Write-SmartText -C Rainbow -GenericColor Yellow -I "$(($KeyProtectorsNonOS | Where-Object { $_.keyprotectortype -eq 'RecoveryPassword' }).RecoveryPassword)"
+ Write-SmartText -C Rainbow -GenericColor Yellow -I "$(($KeyProtectorsNonOS | Where-Object -FilterScript { $_.keyprotectortype -eq 'RecoveryPassword' }).RecoveryPassword)"
}
@@ -1610,8 +1610,8 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# if there are more than 1 ExternalKey key protector, try delete all of them and add a new one
# The external key protector that is being used to unlock the drive will not be deleted
((Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).KeyProtector |
- Where-Object { $_.keyprotectortype -eq 'ExternalKey' }).KeyProtectorId |
- ForEach-Object {
+ Where-Object -FilterScript { $_.keyprotectortype -eq 'ExternalKey' }).KeyProtectorId |
+ ForEach-Object -Process {
# -ErrorAction SilentlyContinue makes sure no error is thrown if the drive only has 1 External key key protector
# and it's being used to unlock the drive
Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_ -ErrorAction SilentlyContinue | Out-Null
@@ -1631,7 +1631,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
[System.String]$BitLockerMsg = "`nDrive $MountPoint is auto-unlocked but doesn't have Recovery Password, adding it now... `n" +
"It will be saved in a text file in '$($MountPoint)\Drive $($MountPoint.Remove(1)) recovery password.txt'"
- Write-Host $BitLockerMsg -ForegroundColor Cyan
+ Write-Host -Object $BitLockerMsg -ForegroundColor Cyan
}
# Check 3: If the selected drive has Recovery Password key protector but doesn't have Auto Unlock enabled
@@ -1642,17 +1642,17 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# if there are more than 1 Recovery Password, delete all of them and add a new one
[System.String[]]$RecoveryPasswordKeyProtectors = ((Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).KeyProtector |
- Where-Object { $_.keyprotectortype -eq 'RecoveryPassword' }).KeyProtectorId
+ Where-Object -FilterScript { $_.keyprotectortype -eq 'RecoveryPassword' }).KeyProtectorId
if ($RecoveryPasswordKeyProtectors.Count -gt 1) {
[System.String]$BitLockerMsg = "`nThere are more than 1 recovery password key protector associated with the drive $mountpoint `n" +
'Removing all of them and adding a new one.' +
"It will be saved in a text file in '$($MountPoint)\Drive $($MountPoint.Remove(1)) recovery password.txt'"
- Write-Host $BitLockerMsg -ForegroundColor Yellow
+ Write-Host -Object $BitLockerMsg -ForegroundColor Yellow
# Delete all Recovery Passwords because there were more than 1
- $RecoveryPasswordKeyProtectors | ForEach-Object {
+ $RecoveryPasswordKeyProtectors | ForEach-Object -Process {
Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_ | Out-Null
}
@@ -1718,7 +1718,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
'RC4 64/128', # RC4 64-bit
'RC4 128/128', # RC4 128-bit
'Triple DES 168' # 3DES 168-bit (Triple DES 168)
- ) | ForEach-Object {
+ ) | ForEach-Object -Process {
[Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $env:COMPUTERNAME).CreateSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$_") | Out-Null
}
@@ -1848,8 +1848,8 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Disables Multicast DNS (mDNS) UDP-in Firewall Rules for all 3 Firewall profiles - disables only 3 rules
Get-NetFirewallRule |
- Where-Object { $_.RuleGroup -eq '@%SystemRoot%\system32\firewallapi.dll,-37302' -and $_.Direction -eq 'inbound' } |
- ForEach-Object { Disable-NetFirewallRule -DisplayName $_.DisplayName }
+ Where-Object -FilterScript { $_.RuleGroup -eq '@%SystemRoot%\system32\firewallapi.dll,-37302' -and $_.Direction -eq 'inbound' } |
+ ForEach-Object -Process { Disable-NetFirewallRule -DisplayName $_.DisplayName }
} 'No' { break }
'Exit' { &$CleanUp }
}
@@ -1940,9 +1940,9 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Uninstall Windows Media Player (legacy)
Write-Host -Object "`nUninstalling Windows Media Player (legacy)" -ForegroundColor Yellow
- if ((Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Media.WindowsMediaPlayer*' }).state -ne 'NotPresent') {
+ if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Media.WindowsMediaPlayer*' }).state -ne 'NotPresent') {
try {
- Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Media.WindowsMediaPlayer*' } | Remove-WindowsCapability -Online -ErrorAction Stop
+ Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Media.WindowsMediaPlayer*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
Write-Host -Object 'Windows Media Player (legacy) has been uninstalled.' -ForegroundColor Green
}
@@ -2029,10 +2029,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
# Uninstall VBScript that is now uninstallable as an optional features since Windows 11 insider Dev build 25309 - Won't do anything in other builds
- if (Get-WindowsCapability -Online | Where-Object { $_.Name -like '*VBSCRIPT*' }) {
+ if (Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*VBSCRIPT*' }) {
try {
Write-Host -Object "`nUninstalling VBSCRIPT" -ForegroundColor Yellow
- Get-WindowsCapability -Online | Where-Object { $_.Name -like '*VBSCRIPT*' } | Remove-WindowsCapability -Online -ErrorAction Stop
+ Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*VBSCRIPT*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
Write-Host -Object 'VBSCRIPT has been uninstalled' -ForegroundColor Green
}
@@ -2044,9 +2044,9 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Uninstall Internet Explorer mode functionality for Edge
Write-Host -Object "`nUninstalling Internet Explorer mode functionality for Edge" -ForegroundColor Yellow
- if ((Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Browser.InternetExplorer*' }).state -ne 'NotPresent') {
+ if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Browser.InternetExplorer*' }).state -ne 'NotPresent') {
try {
- Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Browser.InternetExplorer*' } | Remove-WindowsCapability -Online -ErrorAction Stop
+ Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Browser.InternetExplorer*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
Write-Host -Object 'Internet Explorer mode functionality for Edge has been uninstalled' -ForegroundColor Green
}
@@ -2061,9 +2061,9 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Uninstall WMIC
Write-Host -Object "`nUninstalling WMIC" -ForegroundColor Yellow
- if ((Get-WindowsCapability -Online | Where-Object { $_.Name -like '*wmic*' }).state -ne 'NotPresent') {
+ if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*wmic*' }).state -ne 'NotPresent') {
try {
- Get-WindowsCapability -Online | Where-Object { $_.Name -like '*wmic*' } | Remove-WindowsCapability -Online -ErrorAction Stop
+ Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*wmic*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
Write-Host -Object 'WMIC has been uninstalled' -ForegroundColor Green
}
@@ -2078,9 +2078,9 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Uninstall Legacy Notepad
Write-Host -Object "`nUninstalling Legacy Notepad" -ForegroundColor Yellow
- if ((Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Microsoft.Windows.Notepad.System*' }).state -ne 'NotPresent') {
+ if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Microsoft.Windows.Notepad.System*' }).state -ne 'NotPresent') {
try {
- Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Microsoft.Windows.Notepad.System*' } | Remove-WindowsCapability -Online -ErrorAction Stop
+ Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Microsoft.Windows.Notepad.System*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
Write-Host -Object 'Legacy Notepad has been uninstalled. The modern multi-tabbed Notepad is unaffected.' -ForegroundColor Green
}
@@ -2095,9 +2095,9 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Uninstall WordPad
Write-Host -Object "`nUninstalling WordPad" -ForegroundColor Yellow
- if ((Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Microsoft.Windows.WordPad*' }).state -ne 'NotPresent') {
+ if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Microsoft.Windows.WordPad*' }).state -ne 'NotPresent') {
try {
- Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Microsoft.Windows.WordPad*' } | Remove-WindowsCapability -Online -ErrorAction Stop
+ Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Microsoft.Windows.WordPad*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
Write-Host -Object 'WordPad has been uninstalled.' -ForegroundColor Green
}
@@ -2112,9 +2112,9 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Uninstall PowerShell ISE
Write-Host -Object "`nUninstalling PowerShell ISE" -ForegroundColor Yellow
- if ((Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Microsoft.Windows.PowerShell.ISE*' }).state -ne 'NotPresent') {
+ if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Microsoft.Windows.PowerShell.ISE*' }).state -ne 'NotPresent') {
try {
- Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Microsoft.Windows.PowerShell.ISE*' } | Remove-WindowsCapability -Online -ErrorAction Stop
+ Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Microsoft.Windows.PowerShell.ISE*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
Write-Host -Object 'PowerShell ISE has been uninstalled.' -ForegroundColor Green
}
@@ -2132,9 +2132,9 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Uninstall Steps Recorder
Write-Host -Object "`nUninstalling Steps Recorder" -ForegroundColor Yellow
- if ((Get-WindowsCapability -Online | Where-Object { $_.Name -like '*App.StepsRecorder*' }).state -ne 'NotPresent') {
+ if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*App.StepsRecorder*' }).state -ne 'NotPresent') {
try {
- Get-WindowsCapability -Online | Where-Object { $_.Name -like '*App.StepsRecorder*' } | Remove-WindowsCapability -Online -ErrorAction Stop
+ Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*App.StepsRecorder*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
Write-Host -Object 'Steps Recorder has been uninstalled.' -ForegroundColor Green
}
@@ -2214,7 +2214,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
# Allow all Windows users to use Hyper-V and Windows Sandbox by adding all Windows users to the "Hyper-V Administrators" security group using its SID
- Get-LocalUser | Where-Object { $_.enabled -eq 'True' } | ForEach-Object { Add-LocalGroupMember -SID 'S-1-5-32-578' -Member "$($_.SID)" -ErrorAction SilentlyContinue }
+ Get-LocalUser | Where-Object -FilterScript { $_.enabled -eq 'True' } | ForEach-Object -Process { Add-LocalGroupMember -SID 'S-1-5-32-578' -Member "$($_.SID)" -ErrorAction SilentlyContinue }
# Makes sure auditing for the "Other Logon/Logoff Events" subcategory under the Logon/Logoff category is enabled, doesn't touch affect any other sub-category
# For tracking Lock screen unlocks and locks
@@ -2444,7 +2444,7 @@ finally {
Set-Location $HOME; Remove-Item -Recurse -Path "$global:UserTempDirectoryPath\HardeningXStuff\" -Force -ErrorAction SilentlyContinue
# Disable progress bars
- 0..6 | ForEach-Object { Write-Progress -Id $_ -Activity 'Done' -Completed }
+ 0..6 | ForEach-Object -Process { Write-Progress -Id $_ -Activity 'Done' -Completed }
# Restore the title of the PowerShell back to what it was prior to running the script/module
$Host.UI.RawUI.WindowTitle = $CurrentPowerShellTitle
From a466e048f12a8130103c345f360061d94c182e99 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Sun, 10 Dec 2023 11:13:37 -0930
Subject: [PATCH 03/79] Got rid of all the trailing whitespaces
---
.../Main files/Confirm-SystemCompliance.psm1 | 884 +++++++++---------
.../Main files/Functions.ps1 | 34 +-
.../Harden-Windows-Security-Module.psd1 | 2 +-
.../Main files/Harden-Windows-Security.ps1 | 860 ++++++++---------
.../Main files/Protect-WindowsSecurity.psm1 | 8 +-
.../Main files/Unprotect-WindowsSecurity.psm1 | 72 +-
6 files changed, 930 insertions(+), 930 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1 b/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
index 3a93c0775..e2275ffda 100644
--- a/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
+++ b/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
@@ -8,7 +8,7 @@ function ConvertFrom-IniFile {
# Don't prompt to continue if '-Debug' is specified.
$DebugPreference = 'Continue'
-
+
[System.Collections.Hashtable]$IniObject = @{}
[System.String]$SectionName = ''
@@ -37,23 +37,23 @@ function ConvertFrom-IniFile {
}
# Main function
-function Confirm-SystemCompliance {
+function Confirm-SystemCompliance {
[CmdletBinding()]
param (
- [parameter(Mandatory = $false)]
+ [parameter(Mandatory = $false)]
[System.Management.Automation.SwitchParameter]$ExportToCSV,
- [parameter(Mandatory = $false)]
+ [parameter(Mandatory = $false)]
[System.Management.Automation.SwitchParameter]$ShowAsObjectsOnly,
- [parameter(Mandatory = $false)]
+ [parameter(Mandatory = $false)]
[System.Management.Automation.SwitchParameter]$DetailedDisplay,
[Parameter(Mandatory = $false, DontShow = $True)] # To hide PowerShell common parameters that clutter parameter auto completion menu
- $DummyParam
+ $DummyParam
)
begin {
# Stop operation as soon as there is an error anywhere, unless explicitly specified otherwise
$global:ErrorActionPreference = 'Stop'
- Write-Progress -Activity 'Starting' -Status 'Processing...' -PercentComplete 5
+ Write-Progress -Activity 'Starting' -Status 'Processing...' -PercentComplete 5
# Makes sure this cmdlet is invoked with Admin privileges
if ().IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
@@ -63,7 +63,7 @@ function Confirm-SystemCompliance {
Write-Progress -Activity 'Checking for updates' -Status 'Processing...' -PercentComplete 10
. "$psscriptroot\Functions.ps1"
-
+
Write-Progress -Activity 'Gathering Security Policy Information' -Status 'Processing...' -PercentComplete 15
# Total number of Compliant values not equal to N/A
@@ -78,12 +78,12 @@ function Confirm-SystemCompliance {
# Storing the output of the ini file parsing function
[PSCustomObject]$SecurityPoliciesIni = ConvertFrom-IniFile -IniFile .\security_policy.inf
-
+
Write-Progress -Activity 'Importing Registry CSV File' -Status 'Processing...' -PercentComplete 20
-
+
# Import the CSV file
[System.Object[]]$CSVResource = Import-Csv -Path "$psscriptroot\Resources\Registry resources.csv"
-
+
# An object to hold all the initial registry items
[System.Object[]]$AllRegistryItems = @()
@@ -92,17 +92,17 @@ function Confirm-SystemCompliance {
$AllRegistryItems += [PSCustomObject]@{
FriendlyName = $Row.FriendlyName
category = $Row.Category
- key = $Row.Key
+ key = $Row.Key
value = $Row.Value
name = $Row.Name
- type = $Row.Type
+ type = $Row.Type
regPath = "Registry::$($Row.Key)" # Build the registry path
Method = $Row.Origin
}
}
# An object to store the FINAL results
- $FinalMegaObject = [PSCustomObject]@{}
+ $FinalMegaObject = [PSCustomObject]@{}
# Function for processing each item in $AllRegistryItems for each category
function Invoke-CategoryProcessing {
@@ -112,26 +112,26 @@ function Confirm-SystemCompliance {
# an array to hold the output
[System.Object[]]$Output = @()
-
+
foreach ($Item in $AllRegistryItems | Where-Object { $_.category -eq $CatName } | Where-Object { $_.Method -eq $Method }) {
-
+
# Initialize a flag to indicate if the key exists
[System.Boolean]$keyExists = $false
-
+
# Initialize a flag to indicate if the value exists and matches the type
[System.Boolean]$ValueMatches = $false
-
+
# Try to get the registry key
try {
$regKey = Get-Item -Path $Item.regPath
# If no error is thrown, the key exists
$keyExists = $true
-
+
# Try to get the registry value and type
try {
$RegValue = Get-ItemPropertyValue -Path $Item.regPath -Name $Item.name
# If no error is thrown, the value exists
-
+
# Check if the value matches the expected one
if ($RegValue -eq $Item.value) {
# If it matches, set the flag to true
@@ -147,7 +147,7 @@ function Confirm-SystemCompliance {
# If an error is thrown, the key does not exist or is not accessible
# Do nothing, the flag remains false
}
-
+
# Create a custom object with the results for this row
$Output += [PSCustomObject]@{
# Category = $Item.category
@@ -157,11 +157,11 @@ function Confirm-SystemCompliance {
# ValueMatches = $ValueMatches
# Type = $Item.type
# Value = $Item.value
-
+
FriendlyName = $Item.FriendlyName
Compliant = $ValueMatches
- Value = $Item.value
- Name = $Item.name
+ Value = $Item.value
+ Name = $Item.name
Category = $CatName
Method = $Method
}
@@ -189,81 +189,81 @@ function Confirm-SystemCompliance {
# Give the Defender internals time to process the updated exclusions list
Start-Sleep -Seconds '3'
-
+
#Region Microsoft-Defender-Category
Write-Progress -Activity 'Validating Microsoft Defender Category' -Status 'Processing...' -PercentComplete 35
# An array to store the nested custom objects, inside the main output object
- [System.Object[]]$NestedObjectArray = @()
- [System.String]$CatName = 'Microsoft Defender'
-
+ [System.Object[]]$NestedObjectArray = @()
+ [System.String]$CatName = 'Microsoft Defender'
+
# Process items in Registry resources.csv file with "Group Policy" origin and add them to the $NestedObjectArray array as custom objects
- $NestedObjectArray += [PSCustomObject](Invoke-CategoryProcessing -catname $CatName -Method 'Group Policy')
-
+ $NestedObjectArray += [PSCustomObject](Invoke-CategoryProcessing -catname $CatName -Method 'Group Policy')
+
# For PowerShell Cmdlet
$IndividualItemResult = $MDAVPreferencesCurrent.AllowSwitchToAsyncInspection
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'AllowSwitchToAsyncInspection'
+ FriendlyName = 'AllowSwitchToAsyncInspection'
Compliant = $IndividualItemResult
- Value = $IndividualItemResult
- Name = 'AllowSwitchToAsyncInspection'
+ Value = $IndividualItemResult
+ Name = 'AllowSwitchToAsyncInspection'
Category = $CatName
- Method = 'Cmdlet'
+ Method = 'Cmdlet'
}
-
+
# For PowerShell Cmdlet
$IndividualItemResult = $MDAVPreferencesCurrent.oobeEnableRtpAndSigUpdate
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'oobeEnableRtpAndSigUpdate'
+ FriendlyName = 'oobeEnableRtpAndSigUpdate'
Compliant = $IndividualItemResult
- Value = $IndividualItemResult
- Name = 'oobeEnableRtpAndSigUpdate'
+ Value = $IndividualItemResult
+ Name = 'oobeEnableRtpAndSigUpdate'
Category = $CatName
- Method = 'Cmdlet'
+ Method = 'Cmdlet'
}
-
+
# For PowerShell Cmdlet
$IndividualItemResult = $MDAVPreferencesCurrent.IntelTDTEnabled
$NestedObjectArray += [PSCustomObject]@{
FriendlyName = 'IntelTDTEnabled'
Compliant = $IndividualItemResult
- Value = $IndividualItemResult
- Name = 'IntelTDTEnabled'
+ Value = $IndividualItemResult
+ Name = 'IntelTDTEnabled'
Category = $CatName
- Method = 'Cmdlet'
+ Method = 'Cmdlet'
}
-
+
# For PowerShell Cmdlet
$IndividualItemResult = $((Get-ProcessMitigation -System).aslr.ForceRelocateImages)
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'Mandatory ASLR'
+ FriendlyName = 'Mandatory ASLR'
Compliant = $IndividualItemResult -eq 'on' ? $True : $false
- Value = $IndividualItemResult
+ Value = $IndividualItemResult
Name = 'Mandatory ASLR'
Category = $CatName
- Method = 'Cmdlet'
- }
-
+ Method = 'Cmdlet'
+ }
+
# Verify the NX bit as shown in bcdedit /enum or Get-BcdEntry, info about numbers and values correlation: https://learn.microsoft.com/en-us/previous-versions/windows/desktop/bcd/bcdosloader-nxpolicy
- $NestedObjectArray += [PSCustomObject]@{
+ $NestedObjectArray += [PSCustomObject]@{
FriendlyName = 'Boot Configuration Data (BCD) No-eXecute (NX) Value'
Compliant = (((Get-BcdEntry).elements | Where-Object { $_.name -eq 'nx' }).value -eq '3')
- Value = (((Get-BcdEntry).elements | Where-Object { $_.name -eq 'nx' }).value -eq '3')
+ Value = (((Get-BcdEntry).elements | Where-Object { $_.name -eq 'nx' }).value -eq '3')
Name = 'Boot Configuration Data (BCD) No-eXecute (NX) Value'
Category = $CatName
- Method = 'Cmdlet'
+ Method = 'Cmdlet'
}
-
+
# For PowerShell Cmdlet
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'Smart App Control State'
+ FriendlyName = 'Smart App Control State'
Compliant = 'N/A'
- Value = $MDAVConfigCurrent.SmartAppControlState
+ Value = $MDAVConfigCurrent.SmartAppControlState
Name = 'Smart App Control State'
Category = $CatName
- Method = 'Cmdlet'
+ Method = 'Cmdlet'
}
-
+
# For PowerShell Cmdlet
try {
$IndividualItemResult = $((Get-ScheduledTask -TaskPath '\MSFT Driver Block list update\' -TaskName 'MSFT Driver Block list update' -ErrorAction SilentlyContinue) ? $True : $false)
@@ -272,15 +272,15 @@ function Confirm-SystemCompliance {
# suppress any possible terminating errors
}
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'Fast weekly Microsoft recommended driver block list update'
+ FriendlyName = 'Fast weekly Microsoft recommended driver block list update'
Compliant = $IndividualItemResult
- Value = $IndividualItemResult
+ Value = $IndividualItemResult
Name = 'Fast weekly Microsoft recommended driver block list update'
Category = $CatName
- Method = 'Cmdlet'
+ Method = 'Cmdlet'
}
-
-
+
+
[System.Collections.Hashtable]$DefenderPlatformUpdatesChannels = @{
0 = 'NotConfigured'
2 = 'Beta'
@@ -291,15 +291,15 @@ function Confirm-SystemCompliance {
}
# For PowerShell Cmdlet
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'Microsoft Defender Platform Updates Channel'
+ FriendlyName = 'Microsoft Defender Platform Updates Channel'
Compliant = 'N/A'
- Value = $($DefenderPlatformUpdatesChannels[[System.Int64]($MDAVPreferencesCurrent).PlatformUpdatesChannel])
+ Value = $($DefenderPlatformUpdatesChannels[[System.Int64]($MDAVPreferencesCurrent).PlatformUpdatesChannel])
Name = 'Microsoft Defender Platform Updates Channel'
Category = $CatName
- Method = 'Cmdlet'
+ Method = 'Cmdlet'
}
-
-
+
+
[System.Collections.Hashtable]$DefenderEngineUpdatesChannels = @{
0 = 'NotConfigured'
2 = 'Beta'
@@ -310,36 +310,36 @@ function Confirm-SystemCompliance {
}
# For PowerShell Cmdlet
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'Microsoft Defender Engine Updates Channel'
+ FriendlyName = 'Microsoft Defender Engine Updates Channel'
Compliant = 'N/A'
- Value = $($DefenderEngineUpdatesChannels[[System.Int64]($MDAVPreferencesCurrent).EngineUpdatesChannel])
+ Value = $($DefenderEngineUpdatesChannels[[System.Int64]($MDAVPreferencesCurrent).EngineUpdatesChannel])
Name = 'Microsoft Defender Engine Updates Channel'
Category = $CatName
- Method = 'Cmdlet'
+ Method = 'Cmdlet'
}
-
+
# For PowerShell Cmdlet
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'Controlled Folder Access Exclusions'
+ FriendlyName = 'Controlled Folder Access Exclusions'
Compliant = 'N/A'
Value = [PSCustomObject]@{
Count = $MDAVPreferencesCurrent.ControlledFolderAccessAllowedApplications.count
- Programs = $MDAVPreferencesCurrent.ControlledFolderAccessAllowedApplications
+ Programs = $MDAVPreferencesCurrent.ControlledFolderAccessAllowedApplications
}
Name = 'Controlled Folder Access Exclusions'
Category = $CatName
- Method = 'Cmdlet'
- }
-
+ Method = 'Cmdlet'
+ }
+
# For PowerShell Cmdlet
$IndividualItemResult = $MDAVPreferencesCurrent.DisableRestorePoint
$NestedObjectArray += [PSCustomObject]@{
FriendlyName = 'Enable Restore Point scanning'
Compliant = ($IndividualItemResult -eq $False)
- Value = ($IndividualItemResult -eq $False)
+ Value = ($IndividualItemResult -eq $False)
Name = 'Enable Restore Point scanning'
Category = $CatName
- Method = 'Cmdlet'
+ Method = 'Cmdlet'
}
# For PowerShell Cmdlet
@@ -347,10 +347,10 @@ function Confirm-SystemCompliance {
$NestedObjectArray += [PSCustomObject]@{
FriendlyName = 'PerformanceModeStatus'
Compliant = [System.Boolean]($IndividualItemResult -eq '0')
- Value = $IndividualItemResult
- Name = 'PerformanceModeStatus'
+ Value = $IndividualItemResult
+ Name = 'PerformanceModeStatus'
Category = $CatName
- Method = 'Cmdlet'
+ Method = 'Cmdlet'
}
# For PowerShell Cmdlet
@@ -358,15 +358,15 @@ function Confirm-SystemCompliance {
$NestedObjectArray += [PSCustomObject]@{
FriendlyName = 'EnableConvertWarnToBlock'
Compliant = $IndividualItemResult
- Value = $IndividualItemResult
- Name = 'EnableConvertWarnToBlock'
+ Value = $IndividualItemResult
+ Name = 'EnableConvertWarnToBlock'
Category = $CatName
- Method = 'Cmdlet'
+ Method = 'Cmdlet'
}
# Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray
#EndRegion Microsoft-Defender-Category
-
+
#Region Attack-Surface-Reduction-Rules-Category
Write-Progress -Activity 'Validating Attack Surface Reduction Rules Category' -Status 'Processing...' -PercentComplete 40
[System.Object[]]$NestedObjectArray = @()
@@ -374,9 +374,9 @@ function Confirm-SystemCompliance {
# Process items in Registry resources.csv file with "Group Policy" origin and add them to the $NestedObjectArray array as custom objects
$NestedObjectArray += [PSCustomObject](Invoke-CategoryProcessing -catname $CatName -Method 'Group Policy')
-
-
- # Individual ASR rules verification
+
+
+ # Individual ASR rules verification
[System.String[]]$Ids = $MDAVPreferencesCurrent.AttackSurfaceReductionRules_Ids
[System.String[]]$Actions = $MDAVPreferencesCurrent.AttackSurfaceReductionRules_Actions
@@ -384,7 +384,7 @@ function Confirm-SystemCompliance {
if ($Ids) { $Ids = $Ids.tolower() }
# Hashtable to store the descriptions for each ID
- [System.Collections.Hashtable]$ASRsTable = @{
+ [System.Collections.Hashtable]$ASRsTable = @{
'26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Block Office communication application from creating child processes'
'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
@@ -427,17 +427,17 @@ function Confirm-SystemCompliance {
$NestedObjectArray += [PSCustomObject]@{
FriendlyName = $ASRsTable[$name]
Compliant = [System.Boolean]($Action -eq 1) # Compare action value with 1 and cast to boolean
- Value = $Action
- Name = $Name
+ Value = $Action
+ Name = $Name
Category = $CatName
- Method = 'Cmdlet'
- }
+ Method = 'Cmdlet'
+ }
}
# Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray
#EndRegion Attack-Surface-Reduction-Rules-Category
-
+
#Region Bitlocker-Category
Write-Progress -Activity 'Validating Bitlocker Category' -Status 'Processing...' -PercentComplete 45
[System.Object[]]$NestedObjectArray = @()
@@ -493,14 +493,14 @@ function Confirm-SystemCompliance {
'@
Add-Type -TypeDefinition $BootDMAProtectionCheck
# Returns true or false depending on whether Kernel DMA Protection is on or off
- [System.Boolean]$BootDMAProtection = ([SystemInfo.NativeMethods]::BootDmaCheck()) -ne 0
+ [System.Boolean]$BootDMAProtection = ([SystemInfo.NativeMethods]::BootDmaCheck()) -ne 0
- # Get the status of Bitlocker DMA protection
- try {
+ # Get the status of Bitlocker DMA protection
+ try {
[System.Int64]$BitlockerDMAProtectionStatus = Get-ItemPropertyValue -Path 'Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE' -Name 'DisableExternalDMAUnderLock' -ErrorAction SilentlyContinue
}
catch {
- # -ErrorAction SilentlyContinue wouldn't suppress the error if the path exists but property doesn't, so using try-catch
+ # -ErrorAction SilentlyContinue wouldn't suppress the error if the path exists but property doesn't, so using try-catch
}
# Bitlocker DMA counter measure status
# Returns true if only either Kernel DMA protection is on and Bitlocker DMA protection if off
@@ -509,13 +509,13 @@ function Confirm-SystemCompliance {
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'DMA protection'
+ FriendlyName = 'DMA protection'
Compliant = $ItemState
- Value = $ItemState
+ Value = $ItemState
Name = 'DMA protection'
Category = $CatName
- Method = 'Group Policy'
- }
+ Method = 'Group Policy'
+ }
# Process items in Registry resources.csv file with "Group Policy" origin and add them to the $NestedObjectArray array as custom objects
@@ -530,7 +530,7 @@ function Confirm-SystemCompliance {
# suppress the errors if any
}
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'Hibernate is set to full'
+ FriendlyName = 'Hibernate is set to full'
Compliant = [System.Boolean]($IndividualItemResult)
Value = [System.Boolean]($IndividualItemResult)
Name = 'Hibernate is set to full'
@@ -545,87 +545,87 @@ function Confirm-SystemCompliance {
# OS Drive encryption verifications
# Check if BitLocker is on for the OS Drive
# The ProtectionStatus remains off while the drive is encrypting or decrypting
- if ((Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus -eq 'on') {
-
+ if ((Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus -eq 'on') {
+
# Get the key protectors of the OS Drive
[System.String[]]$KeyProtectors = (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector.keyprotectortype
-
+
# Check if TPM+PIN and recovery password are being used - Normal Security level
- if (($KeyProtectors -contains 'Tpmpin') -and ($KeyProtectors -contains 'RecoveryPassword')) {
-
+ if (($KeyProtectors -contains 'Tpmpin') -and ($KeyProtectors -contains 'RecoveryPassword')) {
+
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'Secure OS Drive encryption'
+ FriendlyName = 'Secure OS Drive encryption'
Compliant = $True
- Value = 'Normal Security Level'
+ Value = 'Normal Security Level'
Name = 'Secure OS Drive encryption'
Category = $CatName
Method = 'Cmdlet'
-
+
}
}
-
+
# Check if TPM+PIN+StartupKey and recovery password are being used - Enhanced security level
- elseif (($KeyProtectors -contains 'TpmPinStartupKey') -and ($KeyProtectors -contains 'RecoveryPassword')) {
-
+ elseif (($KeyProtectors -contains 'TpmPinStartupKey') -and ($KeyProtectors -contains 'RecoveryPassword')) {
+
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'Secure OS Drive encryption'
+ FriendlyName = 'Secure OS Drive encryption'
Compliant = $True
- Value = 'Enhanced Security Level'
+ Value = 'Enhanced Security Level'
Name = 'Secure OS Drive encryption'
Category = $CatName
Method = 'Cmdlet'
-
+
}
}
else {
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'Secure OS Drive encryption'
+ FriendlyName = 'Secure OS Drive encryption'
Compliant = $false
- Value = $false
+ Value = $false
Name = 'Secure OS Drive encryption'
Category = $CatName
Method = 'Cmdlet'
}
- }
+ }
}
else {
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'Secure OS Drive encryption'
+ FriendlyName = 'Secure OS Drive encryption'
Compliant = $false
- Value = $false
+ Value = $false
Name = 'Secure OS Drive encryption'
Category = $CatName
Method = 'Cmdlet'
}
}
- #region Non-OS-Drive-BitLocker-Drives-Encryption-Verification
+ #region Non-OS-Drive-BitLocker-Drives-Encryption-Verification
# Get the list of non OS volumes
[System.Object[]]$NonOSBitLockerVolumes = Get-BitLockerVolume | Where-Object {
($_.volumeType -ne 'OperatingSystem')
}
-
+
# Get all the volumes and filter out removable ones
[System.Object[]]$RemovableVolumes = Get-Volume |
Where-Object { $_.DriveType -eq 'Removable' } |
Where-Object { $_.DriveLetter }
-
+
# Check if there is any removable volumes
if ($RemovableVolumes) {
-
+
# Get the letters of all the removable volumes
[System.String[]]$RemovableVolumesLetters = foreach ($RemovableVolume in $RemovableVolumes) {
$(($RemovableVolume).DriveLetter + ':' )
}
-
+
# Filter out removable drives from BitLocker volumes to process
$NonOSBitLockerVolumes = $NonOSBitLockerVolumes | Where-Object {
($_.MountPoint -notin $RemovableVolumesLetters)
- }
+ }
}
# Check if there is any non-OS volumes
- if ($NonOSBitLockerVolumes) {
+ if ($NonOSBitLockerVolumes) {
# Loop through each non-OS volume and verify their encryption
foreach ($MountPoint in $($NonOSBitLockerVolumes | Sort-Object).MountPoint) {
@@ -634,16 +634,16 @@ function Confirm-SystemCompliance {
$global:TotalNumberOfTrueCompliantValues++
# If status is unknown, that means the non-OS volume is encrypted and locked, if it's on then it's on
- if ((Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus -in 'on', 'Unknown') {
+ if ((Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus -in 'on', 'Unknown') {
# Check 1: if Recovery Password and Auto Unlock key protectors are available on the drive
- [System.Object[]]$KeyProtectors = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.keyprotectortype
+ [System.Object[]]$KeyProtectors = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.keyprotectortype
if (($KeyProtectors -contains 'RecoveryPassword') -or ($KeyProtectors -contains 'Password')) {
-
+
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = "Secure Drive $MountPoint encryption"
+ FriendlyName = "Secure Drive $MountPoint encryption"
Compliant = $True
- Value = 'Encrypted'
+ Value = 'Encrypted'
Name = "Secure Drive $MountPoint encryption"
Category = $CatName
Method = 'Cmdlet'
@@ -651,24 +651,24 @@ function Confirm-SystemCompliance {
}
else {
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = "Secure Drive $MountPoint encryption"
+ FriendlyName = "Secure Drive $MountPoint encryption"
Compliant = $false
- Value = 'Not properly encrypted'
+ Value = 'Not properly encrypted'
Name = "Secure Drive $MountPoint encryption"
Category = $CatName
Method = 'Cmdlet'
- }
+ }
}
}
else {
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = "Secure Drive $MountPoint encryption"
+ FriendlyName = "Secure Drive $MountPoint encryption"
Compliant = $false
- Value = 'Not encrypted'
+ Value = 'Not encrypted'
Name = "Secure Drive $MountPoint encryption"
Category = $CatName
Method = 'Cmdlet'
- }
+ }
}
}
}
@@ -677,15 +677,15 @@ function Confirm-SystemCompliance {
# Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray
#EndRegion Bitlocker-Category
-
+
#Region TLS-Category
Write-Progress -Activity 'Validating TLS Category' -Status 'Processing...' -PercentComplete 50
[System.Object[]]$NestedObjectArray = @()
[System.String]$CatName = 'TLS'
-
+
# Process items in Registry resources.csv file with "Group Policy" origin and add them to the $NestedObjectArray array as custom objects
$NestedObjectArray += [PSCustomObject](Invoke-CategoryProcessing -catname $CatName -Method 'Group Policy')
-
+
# ECC Curves
[System.Object[]]$ECCCurves = Get-TlsEccCurve
[System.Object[]]$list = ('nistP521', 'curve25519', 'NistP384', 'NistP256')
@@ -694,13 +694,13 @@ function Confirm-SystemCompliance {
$IndividualItemResult = Compare-Object $ECCCurves $list -SyncWindow 0
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'ECC Curves and their positions'
+ FriendlyName = 'ECC Curves and their positions'
Compliant = [System.Boolean]($IndividualItemResult ? $false : $True)
- Value = $list
+ Value = $list
Name = 'ECC Curves and their positions'
Category = $CatName
Method = 'Cmdlet'
- }
+ }
# Process items in Registry resources.csv file with "Registry Keys" origin and add them to the $NestedObjectArray array as custom objects
$NestedObjectArray += [PSCustomObject](Invoke-CategoryProcessing -catname $CatName -Method 'Registry Keys')
@@ -708,77 +708,77 @@ function Confirm-SystemCompliance {
# Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray
#EndRegion TLS-Category
-
+
#Region LockScreen-Category
Write-Progress -Activity 'Validating Lock Screen Category' -Status 'Processing...' -PercentComplete 55
[System.Object[]]$NestedObjectArray = @()
[System.String]$CatName = 'LockScreen'
-
+
# Process items in Registry resources.csv file with "Group Policy" origin and add them to the $NestedObjectArray array as custom objects
$NestedObjectArray += [PSCustomObject](Invoke-CategoryProcessing -catname $CatName -Method 'Group Policy')
-
+
# Verify a Security Group Policy setting
- $IndividualItemResult = [System.Boolean]$($SecurityPoliciesIni.'Registry Values'['MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs'] -eq '4,120') ? $True : $False
+ $IndividualItemResult = [System.Boolean]$($SecurityPoliciesIni.'Registry Values'['MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs'] -eq '4,120') ? $True : $False
$NestedObjectArray += [PSCustomObject]@{
FriendlyName = 'Machine inactivity limit'
Compliant = $IndividualItemResult
- Value = $IndividualItemResult
- Name = 'Machine inactivity limit'
+ Value = $IndividualItemResult
+ Name = 'Machine inactivity limit'
Category = $CatName
Method = 'Security Group Policy'
}
-
+
# Verify a Security Group Policy setting
$IndividualItemResult = [System.Boolean]$($SecurityPoliciesIni.'Registry Values'['MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD'] -eq '4,0') ? $True : $False
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'Interactive logon: Do not require CTRL+ALT+DEL'
+ FriendlyName = 'Interactive logon: Do not require CTRL+ALT+DEL'
Compliant = $IndividualItemResult
- Value = $IndividualItemResult
- Name = 'Interactive logon: Do not require CTRL+ALT+DEL'
+ Value = $IndividualItemResult
+ Name = 'Interactive logon: Do not require CTRL+ALT+DEL'
Category = $CatName
Method = 'Security Group Policy'
}
-
+
# Verify a Security Group Policy setting
$IndividualItemResult = [System.Boolean]$($SecurityPoliciesIni.'Registry Values'['MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\MaxDevicePasswordFailedAttempts'] -eq '4,5') ? $True : $False
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'Interactive logon: Machine account lockout threshold'
+ FriendlyName = 'Interactive logon: Machine account lockout threshold'
Compliant = $IndividualItemResult
- Value = $IndividualItemResult
- Name = 'Interactive logon: Machine account lockout threshold'
+ Value = $IndividualItemResult
+ Name = 'Interactive logon: Machine account lockout threshold'
Category = $CatName
Method = 'Security Group Policy'
}
-
+
# Verify a Security Group Policy setting
$IndividualItemResult = [System.Boolean]$($SecurityPoliciesIni.'Registry Values'['MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLockedUserId'] -eq '4,4') ? $True : $False
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'Interactive logon: Display user information when the session is locked'
+ FriendlyName = 'Interactive logon: Display user information when the session is locked'
Compliant = $IndividualItemResult
- Value = $IndividualItemResult
- Name = 'Interactive logon: Display user information when the session is locked'
+ Value = $IndividualItemResult
+ Name = 'Interactive logon: Display user information when the session is locked'
Category = $CatName
Method = 'Security Group Policy'
}
-
+
# Verify a Security Group Policy setting
$IndividualItemResult = [System.Boolean]$($SecurityPoliciesIni.'Registry Values'['MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayUserName'] -eq '4,1') ? $True : $False
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = "Interactive logon: Don't display username at sign-in"
+ FriendlyName = "Interactive logon: Don't display username at sign-in"
Compliant = $IndividualItemResult
- Value = $IndividualItemResult
- Name = "Interactive logon: Don't display username at sign-in"
+ Value = $IndividualItemResult
+ Name = "Interactive logon: Don't display username at sign-in"
Category = $CatName
Method = 'Security Group Policy'
}
- # Verify a Security Group Policy setting
+ # Verify a Security Group Policy setting
$IndividualItemResult = [System.Boolean]$($SecurityPoliciesIni.'System Access'['LockoutBadCount'] -eq '5') ? $True : $False
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'Account lockout threshold'
+ FriendlyName = 'Account lockout threshold'
Compliant = $IndividualItemResult
- Value = $IndividualItemResult
- Name = 'Account lockout threshold'
+ Value = $IndividualItemResult
+ Name = 'Account lockout threshold'
Category = $CatName
Method = 'Security Group Policy'
}
@@ -786,21 +786,21 @@ function Confirm-SystemCompliance {
# Verify a Security Group Policy setting
$IndividualItemResult = [System.Boolean]$($SecurityPoliciesIni.'System Access'['LockoutDuration'] -eq '1440') ? $True : $False
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'Account lockout duration'
+ FriendlyName = 'Account lockout duration'
Compliant = $IndividualItemResult
Value = $IndividualItemResult
- Name = 'Account lockout duration'
+ Name = 'Account lockout duration'
Category = $CatName
Method = 'Security Group Policy'
}
- # Verify a Security Group Policy setting
+ # Verify a Security Group Policy setting
$IndividualItemResult = [System.Boolean]$($SecurityPoliciesIni.'System Access'['ResetLockoutCount'] -eq '1440') ? $True : $False
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'Reset account lockout counter after'
+ FriendlyName = 'Reset account lockout counter after'
Compliant = $IndividualItemResult
- Value = $IndividualItemResult
- Name = 'Reset account lockout counter after'
+ Value = $IndividualItemResult
+ Name = 'Reset account lockout counter after'
Category = $CatName
Method = 'Security Group Policy'
}
@@ -808,22 +808,22 @@ function Confirm-SystemCompliance {
# Verify a Security Group Policy setting
$IndividualItemResult = [System.Boolean]$($SecurityPoliciesIni.'Registry Values'['MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName'] -eq '4,1') ? $True : $False
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = "Interactive logon: Don't display last signed-in"
+ FriendlyName = "Interactive logon: Don't display last signed-in"
Compliant = $IndividualItemResult
- Value = $IndividualItemResult
+ Value = $IndividualItemResult
Name = "Interactive logon: Don't display last signed-in"
Category = $CatName
Method = 'Security Group Policy'
}
-
+
# Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray
#EndRegion LockScreen-Category
-
+
#Region User-Account-Control-Category
Write-Progress -Activity 'Validating User Account Control Category' -Status 'Processing...' -PercentComplete 60
[System.Object[]]$NestedObjectArray = @()
- [System.String]$CatName = 'UAC'
+ [System.String]$CatName = 'UAC'
# Process items in Registry resources.csv file with "Group Policy" origin and add them to the $NestedObjectArray array as custom objects
$NestedObjectArray += [PSCustomObject](Invoke-CategoryProcessing -catname $CatName -Method 'Group Policy')
@@ -831,19 +831,19 @@ function Confirm-SystemCompliance {
# Verify a Security Group Policy setting
$IndividualItemResult = [System.Boolean]$($SecurityPoliciesIni.'Registry Values'['MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin'] -eq '4,2') ? $True : $False
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode'
+ FriendlyName = 'UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode'
Compliant = $IndividualItemResult
- Value = $IndividualItemResult
- Name = 'UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode'
+ Value = $IndividualItemResult
+ Name = 'UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode'
Category = $CatName
Method = 'Security Group Policy'
}
-
-
- # This particular policy can have 2 values and they are both acceptable depending on whichever user selects
+
+
+ # This particular policy can have 2 values and they are both acceptable depending on whichever user selects
[System.String]$ConsentPromptBehaviorUserValue = $SecurityPoliciesIni.'Registry Values'['MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser']
# This option is automatically applied when UAC category is run
- if ($ConsentPromptBehaviorUserValue -eq '4,1') {
+ if ($ConsentPromptBehaviorUserValue -eq '4,1') {
$ConsentPromptBehaviorUserCompliance = $true
$IndividualItemResult = 'Prompt for credentials on the secure desktop'
}
@@ -860,49 +860,49 @@ function Confirm-SystemCompliance {
# Verify a Security Group Policy setting
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'UAC: Behavior of the elevation prompt for standard users'
+ FriendlyName = 'UAC: Behavior of the elevation prompt for standard users'
Compliant = $ConsentPromptBehaviorUserCompliance
- Value = $IndividualItemResult
- Name = 'UAC: Behavior of the elevation prompt for standard users'
+ Value = $IndividualItemResult
+ Name = 'UAC: Behavior of the elevation prompt for standard users'
Category = $CatName
Method = 'Security Group Policy'
- }
+ }
# Verify a Security Group Policy setting
$IndividualItemResult = [System.Boolean]($($SecurityPoliciesIni.'Registry Values'['MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures'] -eq '4,1') ? $True : $False)
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'UAC: Only elevate executables that are signed and validated'
+ FriendlyName = 'UAC: Only elevate executables that are signed and validated'
Compliant = $IndividualItemResult
- Value = $IndividualItemResult
- Name = 'UAC: Only elevate executables that are signed and validated'
+ Value = $IndividualItemResult
+ Name = 'UAC: Only elevate executables that are signed and validated'
Category = $CatName
Method = 'Security Group Policy'
}
-
+
# Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray
#EndRegion User-Account-Control-Category
-
+
#Region Device-Guard-Category
Write-Progress -Activity 'Validating Device Guard Category' -Status 'Processing...' -PercentComplete 65
[System.Object[]]$NestedObjectArray = @()
[System.String]$CatName = 'Device Guard'
-
+
# Process items in Registry resources.csv file with "Group Policy" origin and add them to the $NestedObjectArray array as custom objects
$NestedObjectArray += [PSCustomObject](Invoke-CategoryProcessing -catname $CatName -Method 'Group Policy')
# Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray
#EndRegion Device-Guard-Category
-
+
#Region Windows-Firewall-Category
Write-Progress -Activity 'Validating Windows Firewall Category' -Status 'Processing...' -PercentComplete 70
[System.Object[]]$NestedObjectArray = @()
[System.String]$CatName = 'Windows Firewall'
-
+
# Process items in Registry resources.csv file with "Group Policy" origin and add them to the $NestedObjectArray array as custom objects
$NestedObjectArray += [PSCustomObject](Invoke-CategoryProcessing -catname $CatName -Method 'Group Policy')
-
+
# Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray
#EndRegion Windows-Firewall-Category
@@ -911,7 +911,7 @@ function Confirm-SystemCompliance {
Write-Progress -Activity 'Validating Optional Windows Features Category' -Status 'Processing...' -PercentComplete 75
[System.Object[]]$NestedObjectArray = @()
[System.String]$CatName = 'Optional Windows Features'
-
+
# Windows PowerShell handling Windows optional features verifications
[System.Object[]]$Results = @()
$Results = powershell.exe {
@@ -935,144 +935,144 @@ function Confirm-SystemCompliance {
}
# Verify PowerShell v2 is disabled
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'PowerShell v2 is disabled'
+ FriendlyName = 'PowerShell v2 is disabled'
Compliant = ($Results[0] -and $Results[1]) ? $True : $False
- Value = ($Results[0] -and $Results[1]) ? $True : $False
- Name = 'PowerShell v2 is disabled'
+ Value = ($Results[0] -and $Results[1]) ? $True : $False
+ Name = 'PowerShell v2 is disabled'
Category = $CatName
Method = 'Optional Windows Features'
}
# Verify Work folders is disabled
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'Work Folders client is disabled'
+ FriendlyName = 'Work Folders client is disabled'
Compliant = [System.Boolean]($Results[2] -eq 'Disabled')
- Value = [System.String]$Results[2]
+ Value = [System.String]$Results[2]
Name = 'Work Folders client is disabled'
Category = $CatName
Method = 'Optional Windows Features'
}
- # Verify Internet Printing Client is disabled
+ # Verify Internet Printing Client is disabled
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'Internet Printing Client is disabled'
+ FriendlyName = 'Internet Printing Client is disabled'
Compliant = [System.Boolean]($Results[3] -eq 'Disabled')
- Value = [System.String]$Results[3]
- Name = 'Internet Printing Client is disabled'
+ Value = [System.String]$Results[3]
+ Name = 'Internet Printing Client is disabled'
Category = $CatName
Method = 'Optional Windows Features'
}
- # Verify the old Windows Media Player is disabled
+ # Verify the old Windows Media Player is disabled
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'Windows Media Player (legacy) is disabled'
+ FriendlyName = 'Windows Media Player (legacy) is disabled'
Compliant = [System.Boolean]($Results[4] -eq 'NotPresent')
Value = [System.String]$Results[4]
- Name = 'Windows Media Player (legacy) is disabled'
+ Name = 'Windows Media Player (legacy) is disabled'
Category = $CatName
Method = 'Optional Windows Features'
}
- # Verify MDAG is enabled
+ # Verify MDAG is enabled
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'Microsoft Defender Application Guard is enabled'
+ FriendlyName = 'Microsoft Defender Application Guard is enabled'
Compliant = [System.Boolean]($Results[5] -eq 'Enabled')
Value = [System.String]$Results[5]
- Name = 'Microsoft Defender Application Guard is enabled'
+ Name = 'Microsoft Defender Application Guard is enabled'
Category = $CatName
Method = 'Optional Windows Features'
}
- # Verify Windows Sandbox is enabled
+ # Verify Windows Sandbox is enabled
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'Windows Sandbox is enabled'
+ FriendlyName = 'Windows Sandbox is enabled'
Compliant = [System.Boolean]($Results[6] -eq 'Enabled')
Value = [System.String]$Results[6]
- Name = 'Windows Sandbox is enabled'
+ Name = 'Windows Sandbox is enabled'
Category = $CatName
Method = 'Optional Windows Features'
}
-
- # Verify Hyper-V is enabled
+
+ # Verify Hyper-V is enabled
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'Hyper-V is enabled'
+ FriendlyName = 'Hyper-V is enabled'
Compliant = [System.Boolean]($Results[7] -eq 'Enabled')
Value = [System.String]$Results[7]
- Name = 'Hyper-V is enabled'
+ Name = 'Hyper-V is enabled'
Category = $CatName
Method = 'Optional Windows Features'
}
# Verify Virtual Machine Platform is enabled
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'Virtual Machine Platform is enabled'
+ FriendlyName = 'Virtual Machine Platform is enabled'
Compliant = [System.Boolean]($Results[8] -eq 'Enabled')
Value = [System.String]$Results[8]
- Name = 'Virtual Machine Platform is enabled'
+ Name = 'Virtual Machine Platform is enabled'
Category = $CatName
Method = 'Optional Windows Features'
}
# Verify WMIC is not present
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'WMIC is not present'
+ FriendlyName = 'WMIC is not present'
Compliant = [System.Boolean]($Results[9] -eq 'NotPresent')
- Value = [System.String]$Results[9]
- Name = 'WMIC is not present'
+ Value = [System.String]$Results[9]
+ Name = 'WMIC is not present'
Category = $CatName
Method = 'Optional Windows Features'
}
- # Verify Internet Explorer mode functionality for Edge is not present
+ # Verify Internet Explorer mode functionality for Edge is not present
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'Internet Explorer mode functionality for Edge is not present'
+ FriendlyName = 'Internet Explorer mode functionality for Edge is not present'
Compliant = [System.Boolean]($Results[10] -eq 'NotPresent')
- Value = [System.String]$Results[10]
- Name = 'Internet Explorer mode functionality for Edge is not present'
+ Value = [System.String]$Results[10]
+ Name = 'Internet Explorer mode functionality for Edge is not present'
Category = $CatName
Method = 'Optional Windows Features'
}
- # Verify Legacy Notepad is not present
+ # Verify Legacy Notepad is not present
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'Legacy Notepad is not present'
+ FriendlyName = 'Legacy Notepad is not present'
Compliant = [System.Boolean]($Results[11] -eq 'NotPresent')
- Value = [System.String]$Results[11]
- Name = 'Legacy Notepad is not present'
+ Value = [System.String]$Results[11]
+ Name = 'Legacy Notepad is not present'
Category = $CatName
Method = 'Optional Windows Features'
}
-
- # Verify Legacy WordPad is not present
+
+ # Verify Legacy WordPad is not present
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'WordPad is not present'
+ FriendlyName = 'WordPad is not present'
Compliant = [System.Boolean]($Results[12] -eq 'NotPresent')
- Value = [System.String]$Results[12]
- Name = 'WordPad is not present'
+ Value = [System.String]$Results[12]
+ Name = 'WordPad is not present'
Category = $CatName
Method = 'Optional Windows Features'
}
- # Verify PowerShell ISE is not present
+ # Verify PowerShell ISE is not present
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'PowerShell ISE is not present'
+ FriendlyName = 'PowerShell ISE is not present'
Compliant = [System.Boolean]($Results[13] -eq 'NotPresent')
- Value = [System.String]$Results[13]
- Name = 'PowerShell ISE is not present'
+ Value = [System.String]$Results[13]
+ Name = 'PowerShell ISE is not present'
Category = $CatName
Method = 'Optional Windows Features'
}
- # Verify Steps Recorder is not present
+ # Verify Steps Recorder is not present
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'Steps Recorder is not present'
+ FriendlyName = 'Steps Recorder is not present'
Compliant = [System.Boolean]($Results[14] -eq 'NotPresent')
- Value = [System.String]$Results[14]
- Name = 'Steps Recorder is not present'
+ Value = [System.String]$Results[14]
+ Name = 'Steps Recorder is not present'
Category = $CatName
Method = 'Optional Windows Features'
}
-
+
# Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray
#EndRegion Optional-Windows-Features-Category
@@ -1081,36 +1081,36 @@ function Confirm-SystemCompliance {
Write-Progress -Activity 'Validating Windows Networking Category' -Status 'Processing...' -PercentComplete 80
[System.Object[]]$NestedObjectArray = @()
[System.String]$CatName = 'Windows Networking'
-
+
# Process items in Registry resources.csv file with "Group Policy" origin and add them to the $NestedObjectArray array as custom objects
$NestedObjectArray += [PSCustomObject](Invoke-CategoryProcessing -catname $CatName -Method 'Group Policy')
-
+
# Check network location of all connections to see if they are public
$Condition = Get-NetConnectionProfile | ForEach-Object { $_.NetworkCategory -eq 'public' }
- [System.Boolean]$IndividualItemResult = -not ($condition -contains $false) ? $True : $false
-
+ [System.Boolean]$IndividualItemResult = -not ($condition -contains $false) ? $True : $false
+
# Verify a Security setting using Cmdlet
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'Network Location of all connections set to Public'
+ FriendlyName = 'Network Location of all connections set to Public'
Compliant = $IndividualItemResult
Value = $IndividualItemResult
- Name = 'Network Location of all connections set to Public'
+ Name = 'Network Location of all connections set to Public'
Category = $CatName
Method = 'Cmdlet'
}
-
+
# Verify a Security setting using registry
try {
$IndividualItemResult = [System.Boolean]((Get-ItemPropertyValue -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' -Name 'EnableLMHOSTS' -ErrorAction SilentlyContinue) -eq '0')
}
catch {
- # -ErrorAction SilentlyContinue wouldn't suppress the error if the path exists but property doesn't, so using try-catch
+ # -ErrorAction SilentlyContinue wouldn't suppress the error if the path exists but property doesn't, so using try-catch
}
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'Disable LMHOSTS lookup protocol on all network adapters'
+ FriendlyName = 'Disable LMHOSTS lookup protocol on all network adapters'
Compliant = $IndividualItemResult
- Value = $IndividualItemResult
- Name = 'Disable LMHOSTS lookup protocol on all network adapters'
+ Value = $IndividualItemResult
+ Name = 'Disable LMHOSTS lookup protocol on all network adapters'
Category = $CatName
Method = 'Registry Key'
}
@@ -1118,7 +1118,7 @@ function Confirm-SystemCompliance {
# Verify a Security Group Policy setting
$IndividualItemResult = [System.Boolean]$($SecurityPoliciesIni.'Registry Values'['MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine'] -eq '7,') ? $True : $False
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'Network access: Remotely accessible registry paths'
+ FriendlyName = 'Network access: Remotely accessible registry paths'
Compliant = $IndividualItemResult
Value = $IndividualItemResult
Name = 'Network access: Remotely accessible registry paths'
@@ -1126,29 +1126,29 @@ function Confirm-SystemCompliance {
Method = 'Security Group Policy'
}
- # Verify a Security Group Policy setting
+ # Verify a Security Group Policy setting
$IndividualItemResult = [System.Boolean]$($SecurityPoliciesIni.'Registry Values'['MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine'] -eq '7,') ? $True : $False
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'Network access: Remotely accessible registry paths and subpaths'
+ FriendlyName = 'Network access: Remotely accessible registry paths and subpaths'
Compliant = $IndividualItemResult
- Value = $IndividualItemResult
- Name = 'Network access: Remotely accessible registry paths and subpaths'
+ Value = $IndividualItemResult
+ Name = 'Network access: Remotely accessible registry paths and subpaths'
Category = $CatName
Method = 'Security Group Policy'
}
-
+
# Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray
#EndRegion Windows-Networking-Category
-
+
#Region Miscellaneous-Category
Write-Progress -Activity 'Validating Miscellaneous Category' -Status 'Processing...' -PercentComplete 85
[System.Object[]]$NestedObjectArray = @()
[System.String]$CatName = 'Miscellaneous'
-
+
# Process items in Registry resources.csv file with "Group Policy" origin and add them to the $NestedObjectArray array as custom objects
- $NestedObjectArray += [PSCustomObject](Invoke-CategoryProcessing -catname $CatName -Method 'Group Policy')
-
+ $NestedObjectArray += [PSCustomObject](Invoke-CategoryProcessing -catname $CatName -Method 'Group Policy')
+
# Verify an Audit policy is enabled - only supports systems with English-US language
if ((Get-Culture).name -eq 'en-US') {
$IndividualItemResult = [System.Boolean](((auditpol /get /subcategory:"Other Logon/Logoff Events" /r | ConvertFrom-Csv).'Inclusion Setting' -eq 'Success and Failure') ? $True : $False)
@@ -1163,9 +1163,9 @@ function Confirm-SystemCompliance {
}
else {
$global:TotalNumberOfTrueCompliantValues--
- }
+ }
- # Checking if all user accounts are part of the Hyper-V security Group
+ # Checking if all user accounts are part of the Hyper-V security Group
# Get all the enabled user account SIDs
[System.Security.Principal.SecurityIdentifier[]]$EnabledUsers = (Get-LocalUser | Where-Object { $_.Enabled -eq 'True' }).SID
# Get the members of the Hyper-V Administrators security group using their SID
@@ -1183,73 +1183,73 @@ function Confirm-SystemCompliance {
# Saving the results of the Hyper-V administrators members group to the array as an object
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'All users are part of the Hyper-V Administrators group'
+ FriendlyName = 'All users are part of the Hyper-V Administrators group'
Compliant = $IndividualItemResult
Value = $IndividualItemResult
- Name = 'All users are part of the Hyper-V Administrators group'
+ Name = 'All users are part of the Hyper-V Administrators group'
Category = $CatName
Method = 'Cmdlet'
}
# Process items in Registry resources.csv file with "Registry Keys" origin and add them to the $NestedObjectArray array as custom objects
$NestedObjectArray += [PSCustomObject](Invoke-CategoryProcessing -catname $CatName -Method 'Registry Keys')
-
+
# Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray
#EndRegion Miscellaneous-Category
-
+
#Region Windows-Update-Category
Write-Progress -Activity 'Validating Windows Update Category' -Status 'Processing...' -PercentComplete 90
[System.Object[]]$NestedObjectArray = @()
[System.String]$CatName = 'Windows Update'
-
+
# Process items in Registry resources.csv file with "Group Policy" origin and add them to the $NestedObjectArray array as custom objects
$NestedObjectArray += [PSCustomObject](Invoke-CategoryProcessing -catname $CatName -Method 'Group Policy')
-
+
# Verify a Security setting using registry
try {
$IndividualItemResult = [System.Boolean]((Get-ItemPropertyValue -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings' -Name 'RestartNotificationsAllowed2' -ErrorAction SilentlyContinue) -eq '1')
}
catch {
- # -ErrorAction SilentlyContinue wouldn't suppress the error if the path exists but property doesn't, so using try-catch
+ # -ErrorAction SilentlyContinue wouldn't suppress the error if the path exists but property doesn't, so using try-catch
}
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'Enable restart notification for Windows update'
+ FriendlyName = 'Enable restart notification for Windows update'
Compliant = $IndividualItemResult
- Value = $IndividualItemResult
- Name = 'Enable restart notification for Windows update'
+ Value = $IndividualItemResult
+ Name = 'Enable restart notification for Windows update'
Category = $CatName
Method = 'Registry Key'
}
-
+
# Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray
#EndRegion Windows-Update-Category
-
+
#Region Edge-Category
Write-Progress -Activity 'Validating Edge Browser Category' -Status 'Processing...' -PercentComplete 95
[System.Object[]]$NestedObjectArray = @()
- [System.String]$CatName = 'Edge'
-
+ [System.String]$CatName = 'Edge'
+
# Process items in Registry resources.csv file with "Registry Keys" origin and add them to the $NestedObjectArray array as custom objects
$NestedObjectArray += [PSCustomObject](Invoke-CategoryProcessing -catname $CatName -Method 'Registry Keys')
-
+
# Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray
#EndRegion Edge-Category
-
+
#Region Non-Admin-Category
Write-Progress -Activity 'Validating Non-Admin Category' -Status 'Processing...' -PercentComplete 100
[System.Object[]]$NestedObjectArray = @()
[System.String]$CatName = 'Non-Admin'
-
+
# Process items in Registry resources.csv file with "Registry Keys" origin and add them to the $NestedObjectArray array as custom objects
$NestedObjectArray += [PSCustomObject](Invoke-CategoryProcessing -catname $CatName -Method 'Registry Keys')
-
+
# Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray
#EndRegion Non-Admin-Category
-
+
if ($ExportToCSV) {
# An array to store the content of each category
$CsvOutPutFileContent = @()
@@ -1258,12 +1258,12 @@ function Confirm-SystemCompliance {
# Convert the array to a CSV file and store it in the current working directory
$CsvOutPutFileContent | ConvertTo-Csv | Out-File '.\Compliance Check Output.CSV' -Force
}
-
+
if ($ShowAsObjectsOnly) {
# return the main object that contains multiple nested objects
return $FinalMegaObject
}
- else {
+ else {
#Region Colors
[scriptblock]$WritePlum = { Write-Output "$($PSStyle.Foreground.FromRGB(221,160,221))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
@@ -1277,11 +1277,11 @@ function Confirm-SystemCompliance {
[scriptblock]$WriteHotPink = { Write-Output "$($PSStyle.Foreground.FromRGB(255,105,180))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
[scriptblock]$WriteDeepPink = { Write-Output "$($PSStyle.Foreground.FromRGB(255,20,147))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
[scriptblock]$WriteMintGreen = { Write-Output "$($PSStyle.Foreground.FromRGB(152,255,152))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteOrange = { Write-Output "$($PSStyle.Foreground.FromRGB(255,165,0))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
+ [scriptblock]$WriteOrange = { Write-Output "$($PSStyle.Foreground.FromRGB(255,165,0))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
[scriptblock]$WriteSkyBlue = { Write-Output "$($PSStyle.Foreground.FromRGB(135,206,235))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
[scriptblock]$Daffodil = { Write-Output "$($PSStyle.Foreground.FromRGB(255,255,49))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteRainbow1 = {
+ [scriptblock]$WriteRainbow1 = {
$text = $args[0]
$colors = @(
[System.Drawing.Color]::Pink,
@@ -1299,9 +1299,9 @@ function Confirm-SystemCompliance {
$Output += "$($PSStyle.Foreground.FromRGB($color.R, $color.G, $color.B))$($text[$i])$($PSStyle.Reset)"
}
Write-Output $Output
- }
-
- [scriptblock]$WriteRainbow2 = {
+ }
+
+ [scriptblock]$WriteRainbow2 = {
$text = $args[0]
[System.Object[]]$colors = @(
[System.Drawing.Color]::Pink,
@@ -1316,7 +1316,7 @@ function Confirm-SystemCompliance {
[System.Drawing.Color]::Plum,
[System.Drawing.Color]::Gold
)
-
+
[System.String]$Output = ''
for ($i = 0; $i -lt $text.Length; $i++) {
$color = $colors[$i % $colors.Length]
@@ -1325,16 +1325,16 @@ function Confirm-SystemCompliance {
Write-Output $Output
}
#Endregion Colors
-
+
# Show all properties in list
if ($DetailedDisplay) {
# Setting the List Format Accent the same color as the category's title
- $PSStyle.Formatting.FormatAccent = "$($PSStyle.Foreground.FromRGB(221,160,221))"
+ $PSStyle.Formatting.FormatAccent = "$($PSStyle.Foreground.FromRGB(221,160,221))"
& $WritePlum "`n-------------Microsoft Defender Category-------------"
$FinalMegaObject.'Microsoft Defender' | Format-List -Property FriendlyName, @{
Label = 'Compliant'
- Expression =
+ Expression =
{ switch ($_.Compliant) {
{ $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(221,160,221))"; break } # Use PSStyle to set the color
{ $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
@@ -1342,15 +1342,15 @@ function Confirm-SystemCompliance {
}
"$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
-
+
}, Value, Name, Category, Method
-
+
# Setting the List Format Accent the same color as the category's title
$PSStyle.Formatting.FormatAccent = "$($PSStyle.Foreground.FromRGB(218,112,214))"
& $WriteOrchid "`n-------------Attack Surface Reduction Rules Category-------------"
$FinalMegaObject.ASR | Format-List -Property FriendlyName, @{
Label = 'Compliant'
- Expression =
+ Expression =
{ switch ($_.Compliant) {
{ $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(218,112,214))"; break } # Use PSStyle to set the color
{ $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
@@ -1358,15 +1358,15 @@ function Confirm-SystemCompliance {
}
"$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
-
+
}, Value, Name, Category, Method
-
+
# Setting the List Format Accent the same color as the category's title
$PSStyle.Formatting.FormatAccent = "$($PSStyle.Foreground.FromRGB(255,0,255))"
& $WriteFuchsia "`n-------------Bitlocker Category-------------"
$FinalMegaObject.Bitlocker | Format-List -Property FriendlyName, @{
Label = 'Compliant'
- Expression =
+ Expression =
{ switch ($_.Compliant) {
{ $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(255,0,255))"; break } # Use PSStyle to set the color
{ $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
@@ -1374,15 +1374,15 @@ function Confirm-SystemCompliance {
}
"$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
-
+
}, Value, Name, Category, Method
-
+
# Setting the List Format Accent the same color as the category's title
$PSStyle.Formatting.FormatAccent = "$($PSStyle.Foreground.FromRGB(186,85,211))"
& $WriteMediumOrchid "`n-------------TLS Category-------------"
$FinalMegaObject.TLS | Format-List -Property FriendlyName, @{
Label = 'Compliant'
- Expression =
+ Expression =
{ switch ($_.Compliant) {
{ $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(186,85,211))"; break } # Use PSStyle to set the color
{ $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
@@ -1390,15 +1390,15 @@ function Confirm-SystemCompliance {
}
"$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
-
+
}, Value, Name, Category, Method
-
+
# Setting the List Format Accent the same color as the category's title
$PSStyle.Formatting.FormatAccent = "$($PSStyle.Foreground.FromRGB(147,112,219))"
& $WriteMediumPurple "`n-------------Lock Screen Category-------------"
$FinalMegaObject.LockScreen | Format-List -Property FriendlyName, @{
Label = 'Compliant'
- Expression =
+ Expression =
{ switch ($_.Compliant) {
{ $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(147,112,219))"; break } # Use PSStyle to set the color
{ $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
@@ -1406,15 +1406,15 @@ function Confirm-SystemCompliance {
}
"$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
-
+
}, Value, Name, Category, Method
-
+
# Setting the List Format Accent the same color as the category's title
$PSStyle.Formatting.FormatAccent = "$($PSStyle.Foreground.FromRGB(138,43,226))"
& $WriteBlueViolet "`n-------------User Account Control Category-------------"
$FinalMegaObject.UAC | Format-List -Property FriendlyName, @{
Label = 'Compliant'
- Expression =
+ Expression =
{ switch ($_.Compliant) {
{ $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(138,43,226))"; break } # Use PSStyle to set the color
{ $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
@@ -1422,15 +1422,15 @@ function Confirm-SystemCompliance {
}
"$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
-
+
}, Value, Name, Category, Method
-
+
# Setting the List Format Accent the same color as the category's title
$PSStyle.Formatting.FormatAccent = "$($PSStyle.Foreground.FromRGB(176,191,26))"
& $AndroidGreen "`n-------------Device Guard Category-------------"
$FinalMegaObject.'Device Guard' | Format-List -Property FriendlyName, @{
Label = 'Compliant'
- Expression =
+ Expression =
{ switch ($_.Compliant) {
{ $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(176,191,26))"; break } # Use PSStyle to set the color
{ $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
@@ -1438,15 +1438,15 @@ function Confirm-SystemCompliance {
}
"$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
-
+
}, Value, Name, Category, Method
-
+
# Setting the List Format Accent the same color as the category's title
$PSStyle.Formatting.FormatAccent = "$($PSStyle.Foreground.FromRGB(255,192,203))"
& $WritePink "`n-------------Windows Firewall Category-------------"
$FinalMegaObject.'Windows Firewall' | Format-List -Property FriendlyName, @{
Label = 'Compliant'
- Expression =
+ Expression =
{ switch ($_.Compliant) {
{ $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(255,192,203))"; break } # Use PSStyle to set the color
{ $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
@@ -1454,7 +1454,7 @@ function Confirm-SystemCompliance {
}
"$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
-
+
}, Value, Name, Category, Method
# Setting the List Format Accent the same color as the category's title
@@ -1462,7 +1462,7 @@ function Confirm-SystemCompliance {
& $WriteSkyBlue "`n-------------Optional Windows Features Category-------------"
$FinalMegaObject.'Optional Windows Features' | Format-List -Property FriendlyName, @{
Label = 'Compliant'
- Expression =
+ Expression =
{ switch ($_.Compliant) {
{ $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(135,206,235))"; break } # Use PSStyle to set the color
{ $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
@@ -1470,15 +1470,15 @@ function Confirm-SystemCompliance {
}
"$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
-
+
}, Value, Name, Category, Method
-
+
# Setting the List Format Accent the same color as the category's title
$PSStyle.Formatting.FormatAccent = "$($PSStyle.Foreground.FromRGB(255,105,180))"
& $WriteHotPink "`n-------------Windows Networking Category-------------"
$FinalMegaObject.'Windows Networking' | Format-List -Property FriendlyName, @{
Label = 'Compliant'
- Expression =
+ Expression =
{ switch ($_.Compliant) {
{ $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(255,105,180))"; break } # Use PSStyle to set the color
{ $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
@@ -1486,15 +1486,15 @@ function Confirm-SystemCompliance {
}
"$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
-
+
}, Value, Name, Category, Method
-
+
# Setting the List Format Accent the same color as the category's title
$PSStyle.Formatting.FormatAccent = "$($PSStyle.Foreground.FromRGB(255,20,147))"
& $WriteDeepPink "`n-------------Miscellaneous Category-------------"
$FinalMegaObject.Miscellaneous | Format-List -Property FriendlyName, @{
Label = 'Compliant'
- Expression =
+ Expression =
{ switch ($_.Compliant) {
{ $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(255,20,147))"; break } # Use PSStyle to set the color
{ $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
@@ -1502,15 +1502,15 @@ function Confirm-SystemCompliance {
}
"$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
-
+
}, Value, Name, Category, Method
-
+
# Setting the List Format Accent the same color as the category's title
$PSStyle.Formatting.FormatAccent = "$($PSStyle.Foreground.FromRGB(152,255,152))"
& $WriteMintGreen "`n-------------Windows Update Category-------------"
$FinalMegaObject.'Windows Update' | Format-List -Property FriendlyName, @{
Label = 'Compliant'
- Expression =
+ Expression =
{ switch ($_.Compliant) {
{ $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(152,255,152))"; break } # Use PSStyle to set the color
{ $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
@@ -1518,15 +1518,15 @@ function Confirm-SystemCompliance {
}
"$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
-
+
}, Value, Name, Category, Method
-
+
# Setting the List Format Accent the same color as the category's title
$PSStyle.Formatting.FormatAccent = "$($PSStyle.Foreground.FromRGB(255,165,0))"
& $WriteOrange "`n-------------Microsoft Edge Category-------------"
$FinalMegaObject.Edge | Format-List -Property FriendlyName, @{
Label = 'Compliant'
- Expression =
+ Expression =
{ switch ($_.Compliant) {
{ $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(255,165,0))"; break } # Use PSStyle to set the color
{ $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
@@ -1534,15 +1534,15 @@ function Confirm-SystemCompliance {
}
"$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
-
+
}, Value, Name, Category, Method
-
+
# Setting the List Format Accent the same color as the category's title
$PSStyle.Formatting.FormatAccent = "$($PSStyle.Foreground.FromRGB(255,255,49))"
& $Daffodil "`n-------------Non-Admin Category-------------"
$FinalMegaObject.'Non-Admin' | Format-List -Property FriendlyName, @{
Label = 'Compliant'
- Expression =
+ Expression =
{ switch ($_.Compliant) {
{ $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(255,255,49))"; break } # Use PSStyle to set the color
{ $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
@@ -1550,20 +1550,20 @@ function Confirm-SystemCompliance {
}
"$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
-
+
}, Value, Name, Category, Method
}
# Show properties that matter in a table
else {
-
+
# Setting the Table header the same color as the category's title
- $PSStyle.Formatting.TableHeader = "$($PSStyle.Foreground.FromRGB(221,160,221))"
+ $PSStyle.Formatting.TableHeader = "$($PSStyle.Foreground.FromRGB(221,160,221))"
& $WritePlum "`n-------------Microsoft Defender Category-------------"
- $FinalMegaObject.'Microsoft Defender' | Format-Table -Property FriendlyName,
+ $FinalMegaObject.'Microsoft Defender' | Format-Table -Property FriendlyName,
@{
Label = 'Compliant'
- Expression =
+ Expression =
{ switch ($_.Compliant) {
{ $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(221,160,221))"; break } # Use PSStyle to set the color
{ $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
@@ -1571,16 +1571,16 @@ function Confirm-SystemCompliance {
}
"$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
-
+
} , Value -AutoSize
-
+
# Setting the Table header the same color as the category's title
$PSStyle.Formatting.TableHeader = "$($PSStyle.Foreground.FromRGB(218,112,214))"
& $WriteOrchid "`n-------------Attack Surface Reduction Rules Category-------------"
- $FinalMegaObject.ASR | Format-Table -Property FriendlyName,
+ $FinalMegaObject.ASR | Format-Table -Property FriendlyName,
@{
Label = 'Compliant'
- Expression =
+ Expression =
{ switch ($_.Compliant) {
{ $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(218,112,214))"; break } # Use PSStyle to set the color
{ $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
@@ -1588,16 +1588,16 @@ function Confirm-SystemCompliance {
}
"$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
-
- } , Value -AutoSize
-
+
+ } , Value -AutoSize
+
# Setting the Table header the same color as the category's title
$PSStyle.Formatting.TableHeader = "$($PSStyle.Foreground.FromRGB(255,0,255))"
& $WriteFuchsia "`n-------------Bitlocker Category-------------"
- $FinalMegaObject.Bitlocker | Format-Table -Property FriendlyName,
+ $FinalMegaObject.Bitlocker | Format-Table -Property FriendlyName,
@{
Label = 'Compliant'
- Expression =
+ Expression =
{ switch ($_.Compliant) {
{ $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(255,0,255))"; break } # Use PSStyle to set the color
{ $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
@@ -1605,16 +1605,16 @@ function Confirm-SystemCompliance {
}
"$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
-
- } , Value -AutoSize
-
+
+ } , Value -AutoSize
+
# Setting the Table header the same color as the category's title
$PSStyle.Formatting.TableHeader = "$($PSStyle.Foreground.FromRGB(186,85,211))"
& $WriteMediumOrchid "`n-------------TLS Category-------------"
- $FinalMegaObject.TLS | Format-Table -Property FriendlyName,
+ $FinalMegaObject.TLS | Format-Table -Property FriendlyName,
@{
Label = 'Compliant'
- Expression =
+ Expression =
{ switch ($_.Compliant) {
{ $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(186,85,211))"; break } # Use PSStyle to set the color
{ $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
@@ -1622,16 +1622,16 @@ function Confirm-SystemCompliance {
}
"$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
-
- } , Value -AutoSize
-
+
+ } , Value -AutoSize
+
# Setting the Table header the same color as the category's title
$PSStyle.Formatting.TableHeader = "$($PSStyle.Foreground.FromRGB(147,112,219))"
& $WriteMediumPurple "`n-------------Lock Screen Category-------------"
- $FinalMegaObject.LockScreen | Format-Table -Property FriendlyName,
+ $FinalMegaObject.LockScreen | Format-Table -Property FriendlyName,
@{
Label = 'Compliant'
- Expression =
+ Expression =
{ switch ($_.Compliant) {
{ $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(147,112,219))"; break } # Use PSStyle to set the color
{ $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
@@ -1639,16 +1639,16 @@ function Confirm-SystemCompliance {
}
"$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
-
- } , Value -AutoSize
-
+
+ } , Value -AutoSize
+
# Setting the Table header the same color as the category's title
$PSStyle.Formatting.TableHeader = "$($PSStyle.Foreground.FromRGB(138,43,226))"
& $WriteBlueViolet "`n-------------User Account Control Category-------------"
- $FinalMegaObject.UAC | Format-Table -Property FriendlyName,
+ $FinalMegaObject.UAC | Format-Table -Property FriendlyName,
@{
Label = 'Compliant'
- Expression =
+ Expression =
{ switch ($_.Compliant) {
{ $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(138,43,226))"; break } # Use PSStyle to set the color
{ $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
@@ -1656,16 +1656,16 @@ function Confirm-SystemCompliance {
}
"$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
-
- } , Value -AutoSize
-
+
+ } , Value -AutoSize
+
# Setting the Table header the same color as the category's title
$PSStyle.Formatting.TableHeader = "$($PSStyle.Foreground.FromRGB(176,191,26))"
& $AndroidGreen "`n-------------Device Guard Category-------------"
- $FinalMegaObject.'Device Guard' | Format-Table -Property FriendlyName,
+ $FinalMegaObject.'Device Guard' | Format-Table -Property FriendlyName,
@{
Label = 'Compliant'
- Expression =
+ Expression =
{ switch ($_.Compliant) {
{ $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(176,191,26))"; break } # Use PSStyle to set the color
{ $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
@@ -1673,16 +1673,16 @@ function Confirm-SystemCompliance {
}
"$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
-
- } , Value -AutoSize
-
+
+ } , Value -AutoSize
+
# Setting the Table header the same color as the category's title
$PSStyle.Formatting.TableHeader = "$($PSStyle.Foreground.FromRGB(255,192,203))"
& $WritePink "`n-------------Windows Firewall Category-------------"
- $FinalMegaObject.'Windows Firewall' | Format-Table -Property FriendlyName,
+ $FinalMegaObject.'Windows Firewall' | Format-Table -Property FriendlyName,
@{
Label = 'Compliant'
- Expression =
+ Expression =
{ switch ($_.Compliant) {
{ $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(255,192,203))"; break } # Use PSStyle to set the color
{ $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
@@ -1690,16 +1690,16 @@ function Confirm-SystemCompliance {
}
"$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
-
- } , Value -AutoSize
-
+
+ } , Value -AutoSize
+
# Setting the Table header the same color as the category's title
$PSStyle.Formatting.TableHeader = "$($PSStyle.Foreground.FromRGB(135,206,235))"
& $WriteSkyBlue "`n-------------Optional Windows Features Category-------------"
- $FinalMegaObject.'Optional Windows Features' | Format-Table -Property FriendlyName,
+ $FinalMegaObject.'Optional Windows Features' | Format-Table -Property FriendlyName,
@{
Label = 'Compliant'
- Expression =
+ Expression =
{ switch ($_.Compliant) {
{ $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(135,206,235))"; break } # Use PSStyle to set the color
{ $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
@@ -1707,16 +1707,16 @@ function Confirm-SystemCompliance {
}
"$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
-
- } , Value -AutoSize
-
+
+ } , Value -AutoSize
+
# Setting the Table header the same color as the category's title
$PSStyle.Formatting.TableHeader = "$($PSStyle.Foreground.FromRGB(255,105,180))"
& $WriteHotPink "`n-------------Windows Networking Category-------------"
- $FinalMegaObject.'Windows Networking' | Format-Table -Property FriendlyName,
+ $FinalMegaObject.'Windows Networking' | Format-Table -Property FriendlyName,
@{
Label = 'Compliant'
- Expression =
+ Expression =
{ switch ($_.Compliant) {
{ $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(255,105,180))"; break } # Use PSStyle to set the color
{ $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
@@ -1724,16 +1724,16 @@ function Confirm-SystemCompliance {
}
"$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
-
- } , Value -AutoSize
-
+
+ } , Value -AutoSize
+
# Setting the Table header the same color as the category's title
$PSStyle.Formatting.TableHeader = "$($PSStyle.Foreground.FromRGB(255,20,147))"
& $WriteDeepPink "`n-------------Miscellaneous Category-------------"
- $FinalMegaObject.Miscellaneous | Format-Table -Property FriendlyName,
+ $FinalMegaObject.Miscellaneous | Format-Table -Property FriendlyName,
@{
Label = 'Compliant'
- Expression =
+ Expression =
{ switch ($_.Compliant) {
{ $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(255,20,147))"; break } # Use PSStyle to set the color
{ $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
@@ -1741,16 +1741,16 @@ function Confirm-SystemCompliance {
}
"$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
-
- } , Value -AutoSize
-
+
+ } , Value -AutoSize
+
# Setting the Table header the same color as the category's title
$PSStyle.Formatting.TableHeader = "$($PSStyle.Foreground.FromRGB(152,255,152))"
& $WriteMintGreen "`n-------------Windows Update Category-------------"
- $FinalMegaObject.'Windows Update' | Format-Table -Property FriendlyName,
+ $FinalMegaObject.'Windows Update' | Format-Table -Property FriendlyName,
@{
Label = 'Compliant'
- Expression =
+ Expression =
{ switch ($_.Compliant) {
{ $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(152,255,152))"; break } # Use PSStyle to set the color
{ $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
@@ -1758,16 +1758,16 @@ function Confirm-SystemCompliance {
}
"$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
-
- } , Value -AutoSize
-
+
+ } , Value -AutoSize
+
# Setting the Table header the same color as the category's title
$PSStyle.Formatting.TableHeader = "$($PSStyle.Foreground.FromRGB(255,165,0))"
& $WriteOrange "`n-------------Microsoft Edge Category-------------"
- $FinalMegaObject.Edge | Format-Table -Property FriendlyName,
+ $FinalMegaObject.Edge | Format-Table -Property FriendlyName,
@{
Label = 'Compliant'
- Expression =
+ Expression =
{ switch ($_.Compliant) {
{ $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(255,165,0))"; break } # Use PSStyle to set the color
{ $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
@@ -1775,16 +1775,16 @@ function Confirm-SystemCompliance {
}
"$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
-
- } , Value -AutoSize
-
+
+ } , Value -AutoSize
+
# Setting the Table header the same color as the category's title
$PSStyle.Formatting.TableHeader = "$($PSStyle.Foreground.FromRGB(255,255,49))"
& $Daffodil "`n-------------Non-Admin Category-------------"
- $FinalMegaObject.'Non-Admin' | Format-Table -Property FriendlyName,
+ $FinalMegaObject.'Non-Admin' | Format-Table -Property FriendlyName,
@{
Label = 'Compliant'
- Expression =
+ Expression =
{ switch ($_.Compliant) {
{ $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(255,255,49))"; break } # Use PSStyle to set the color
{ $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
@@ -1792,10 +1792,10 @@ function Confirm-SystemCompliance {
}
"$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
-
- } , Value -AutoSize
+
+ } , Value -AutoSize
}
-
+
# Counting the number of $True Compliant values in the Final Output Object
[System.Int64]$TotalTrueCompliantValuesInOutPut = ($FinalMegaObject.'Microsoft Defender' | Where-Object { $_.Compliant -eq $True }).Count + # 49 - 4x(N/A) = 45
[System.Int64]($FinalMegaObject.ASR | Where-Object { $_.Compliant -eq $True }).Count + # 17
@@ -1816,7 +1816,7 @@ function Confirm-SystemCompliance {
#Region ASCII-Arts
[System.String]$WhenValue1To20 = @'
OH
-
+
N
O
O
@@ -1830,10 +1830,10 @@ function Confirm-SystemCompliance {
.
.
.
-
+
'@
-
-
+
+
[System.String]$WhenValue21To40 = @'
⣿⣿⣷⡁⢆⠈⠕⢕⢂⢕⢂⢕⢂⢔⢂⢕⢄⠂⣂⠂⠆⢂⢕⢂⢕⢂⢕⢂⢕⢂
@@ -1852,10 +1852,10 @@ function Confirm-SystemCompliance {
⠄⠪⣂⠁⢕⠆⠄⠂⠄⠁⡀⠂⡀⠄⢈⠉⢍⢛⢛⢛⢋⢔⢕⢕⢕⣽⣿⣿⠠⠈
'@
-
-
+
+
[System.String]$WhenValue41To60 = @'
-
+
⣿⡟⠙⠛⠋⠩⠭⣉⡛⢛⠫⠭⠄⠒⠄⠄⠄⠈⠉⠛⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿
⣿⡇⠄⠄⠄⠄⣠⠖⠋⣀⡤⠄⠒⠄⠄⠄⠄⠄⠄⠄⠄⠄⣈⡭⠭⠄⠄⠄⠉⠙
⣿⡇⠄⠄⢀⣞⣡⠴⠚⠁⠄⠄⢀⠠⠄⠄⠄⠄⠄⠄⠄⠉⠄⠄⠄⠄⠄⠄⠄⠄
@@ -1872,11 +1872,11 @@ function Confirm-SystemCompliance {
⣿⠃⠃⠄⠄⠄⠄⠄⠄⣀⢀⠄⠄⡀⡀⢀⣤⣴⣤⣤⣀⣀⠄⠄⠄⠄⠄⠄⠁⢹
'@
-
-
-
+
+
+
[System.String]$WhenValue61To80 = @'
-
+
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣴⣿⣿⡷⣄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣴⣿⡿⠋⠈⠻⣮⣳⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣠⣴⣾⡿⠋⠀⠀⠀⠀⠙⣿⣿⣤⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
@@ -1897,12 +1897,12 @@ function Confirm-SystemCompliance {
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣀⣀⠀⠀⠀⠀⠀⠀⢸⣧
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢻⣿⣆⠀⠀⠀⠀⠀⠀⢀⣀⣠⣤⣶⣾⣿⣿⣿⣿⣤⣄⣀⡀⠀⠀⠀⣿
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠻⢿⣻⣷⣶⣾⣿⣿⡿⢯⣛⣛⡋⠁⠀⠀⠉⠙⠛⠛⠿⣿⣿⡷⣶⣿
-
+
'@
-
-
+
+
[System.String]$WhenValue81To88 = @'
-
+
⠀⠀⠀⠀⠀⠀⠀⠀⢀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠔⠶⠒⠉⠈⠸⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠪⣦⢄⣀⡠⠁⠀⠀⠀⠀⠀⠀⠀⢀⣀⣠⣤⣤⣤⣤⣤⣄⣀⣀⣀⣀⣀⣀⣀⠀⠀⠀⠀⠀
@@ -1925,10 +1925,10 @@ function Confirm-SystemCompliance {
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⢹⡟⡟⢻⡟⠛⢻⡄⠀⠀⣸⠇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⡄⠀⠀⠀⠈⠷⠧⠾⠀⠀⠀⠻⣦⡴⠏⠀⠀⠀⠀⠀⠀⡀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠉⠁⠀⠀⠀⠀⠈⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
-
+
'@
-
-
+
+
[System.String]$WhenValueAbove88 = @'
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⢠⣶⣶⣶⣦⣤⣀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣴⣿⠟⠛⢿⣶⡄⠀⢀⣀⣤⣤⣦⣤⡀⠀⠀⠀⠀⠀
@@ -1950,18 +1950,18 @@ function Confirm-SystemCompliance {
⠀⠀⠀⠀⠀⠀⠙⢿⣦⣄⣀⣀⣀⣀⣴⣾⣿⡁⠀⠀⠀⡉⣉⠁⠀⠀⣠⣾⠟⠉⠉⠋⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠈⠙⠛⠛⠛⠛⠉⠀⠹⣿⣶⣤⣤⣷⣿⣧⣴⣾⣿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⠻⢦⣭⡽⣯⣡⡴⠟⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
-
+
'@
#Endregion ASCII-Arts
-
+
switch ($True) {
- ($TotalTrueCompliantValuesInOutPut -in 1..40) { & $WriteRainbow2 "$WhenValue1To20`nYour compliance score is $TotalTrueCompliantValuesInOutPut out of $global:TotalNumberOfTrueCompliantValues!" }
+ ($TotalTrueCompliantValuesInOutPut -in 1..40) { & $WriteRainbow2 "$WhenValue1To20`nYour compliance score is $TotalTrueCompliantValuesInOutPut out of $global:TotalNumberOfTrueCompliantValues!" }
($TotalTrueCompliantValuesInOutPut -in 41..80) { & $WriteRainbow1 "$WhenValue21To40`nYour compliance score is $TotalTrueCompliantValuesInOutPut out of $global:TotalNumberOfTrueCompliantValues!" }
($TotalTrueCompliantValuesInOutPut -in 81..120) { & $WriteRainbow1 "$WhenValue41To60`nYour compliance score is $TotalTrueCompliantValuesInOutPut out of $global:TotalNumberOfTrueCompliantValues!" }
($TotalTrueCompliantValuesInOutPut -in 121..160) { & $WriteRainbow2 "$WhenValue61To80`nYour compliance score is $TotalTrueCompliantValuesInOutPut out of $global:TotalNumberOfTrueCompliantValues!" }
($TotalTrueCompliantValuesInOutPut -in 161..200) { & $WriteRainbow1 "$WhenValue81To88`nYour compliance score is $TotalTrueCompliantValuesInOutPut out of $global:TotalNumberOfTrueCompliantValues!" }
($TotalTrueCompliantValuesInOutPut -gt 200) { & $WriteRainbow2 "$WhenValueAbove88`nYour compliance score is $TotalTrueCompliantValuesInOutPut out of $global:TotalNumberOfTrueCompliantValues!" }
- }
+ }
}
}
@@ -1971,14 +1971,14 @@ function Confirm-SystemCompliance {
foreach ($FilePath in (Get-ChildItem -Path "$PSHOME\*.exe" -File).FullName) {
Remove-MpPreference -ControlledFolderAccessAllowedApplications $FilePath
}
-
+
# restoring the original Controlled folder access allow list - if user already had added PowerShell executables to the list
# they will be restored as well, so user customization will remain intact
- if ($null -ne $CFAAllowedAppsBackup) {
+ if ($null -ne $CFAAllowedAppsBackup) {
Set-MpPreference -ControlledFolderAccessAllowedApplications $CFAAllowedAppsBackup
}
}
-
+
} # End of Process Block
end {
@@ -2021,7 +2021,7 @@ Returns a nested object instead of writing strings on the PowerShell console, it
.PARAMETER DetailedDisplay
Shows the output on the PowerShell console with more details and in the list format instead of table format
-#>
+#>
}
diff --git a/Harden-Windows-Security Module/Main files/Functions.ps1 b/Harden-Windows-Security Module/Main files/Functions.ps1
index 2fc53c256..a95759420 100644
--- a/Harden-Windows-Security Module/Main files/Functions.ps1
+++ b/Harden-Windows-Security Module/Main files/Functions.ps1
@@ -9,31 +9,31 @@ Function Test-IsAdmin {
}
# Make sure the latest version of the module is installed and if not, automatically update it, clean up any old versions
-function Update-self {
+function Update-self {
[System.Version]$CurrentVersion = (Test-ModuleManifest -Path "$psscriptroot\Harden-Windows-Security-Module.psd1").Version
-
+
try {
- [System.Version]$global:LatestVersion = Invoke-RestMethod -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security%20Module/version.txt' -ProgressAction SilentlyContinue
+ [System.Version]$global:LatestVersion = Invoke-RestMethod -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security%20Module/version.txt' -ProgressAction SilentlyContinue
}
- catch {
+ catch {
Write-Error -Message "Couldn't verify if the latest version of the module is installed, please check your Internet connection."
}
-
+
if ($CurrentVersion -lt $LatestVersion) {
Write-Output "$($PSStyle.Foreground.FromRGB(255,105,180))The currently installed module's version is $CurrentVersion while the latest version is $LatestVersion - Auto Updating the module... 💓$($PSStyle.Reset)"
-
+
# Only attempt to auto update the module if running as Admin, because Controlled Folder Access exclusion modification requires Admin privs
- if (Test-IsAdmin) {
-
+ if (Test-IsAdmin) {
+
Remove-Module -Name 'Harden-Windows-Security-Module' -Force
-
+
try {
# backup the current allowed apps list in Controlled folder access in order to restore them at the end of the script
# doing this so that when we Add and then Remove PowerShell executables in Controlled folder access exclusions
# no user customization will be affected
[System.String[]]$CFAAllowedAppsBackup = (Get-MpPreference).ControlledFolderAccessAllowedApplications
-
+
# Temporarily allow the currently running PowerShell executables to the Controlled Folder Access allowed apps
# so that the script can run without interruption. This change is reverted at the end.
foreach ($FilePath in (Get-ChildItem -Path "$PSHOME\*.exe" -File).FullNam) {
@@ -42,7 +42,7 @@ function Update-self {
# Do this if the module was installed properly using Install-moodule cmdlet
Uninstall-Module -Name 'Harden-Windows-Security-Module' -AllVersions -Force
- Install-Module -Name 'Harden-Windows-Security-Module' -RequiredVersion $LatestVersion -Force
+ Install-Module -Name 'Harden-Windows-Security-Module' -RequiredVersion $LatestVersion -Force
Import-Module -Name 'Harden-Windows-Security-Module' -RequiredVersion $LatestVersion -Force -Global
}
# Do this if module files/folder was just copied to Documents folder and not properly installed - Should rarely happen
@@ -58,16 +58,16 @@ function Update-self {
# restoring the original Controlled folder access allow list - if user already had added PowerShell executables to the list
# they will be restored as well, so user customization will remain intact
- if ($null -ne $CFAAllowedAppsBackup) {
+ if ($null -ne $CFAAllowedAppsBackup) {
Set-MpPreference -ControlledFolderAccessAllowedApplications $CFAAllowedAppsBackup
}
- }
+ }
# Make sure the old version isn't run after update
- Write-Output "$($PSStyle.Foreground.FromRGB(152,255,152))Update successful, please run the cmdlet again.$($PSStyle.Reset)"
+ Write-Output "$($PSStyle.Foreground.FromRGB(152,255,152))Update successful, please run the cmdlet again.$($PSStyle.Reset)"
break
- return
- }
- else {
+ return
+ }
+ else {
Write-Error -Message 'Please run the cmdlet as Admin to update the module.'
break
}
diff --git a/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psd1 b/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psd1
index e165b6b08..2ecc28618 100644
--- a/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psd1
+++ b/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psd1
@@ -77,7 +77,7 @@ Harden Windows Safely, Securely, only with Official Microsoft methods
🏴 If you have any questions, requests, suggestions etc. about this script, please open a new Discussion or Issue on GitHub
🟡 The module generates a nice output on the screen as well as giving users an option to export the results in a CSV file.
-
+
'@
# Minimum version of the PowerShell engine required by this module
diff --git a/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
index 15d1b19f2..aedc23df6 100644
--- a/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
@@ -18,17 +18,17 @@
.ICONURI https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/PowerShellGalleryICONURI.png
-.EXTERNALMODULEDEPENDENCIES
+.EXTERNALMODULEDEPENDENCIES
-.REQUIREDSCRIPTS
+.REQUIREDSCRIPTS
-.EXTERNALSCRIPTDEPENDENCIES
+.EXTERNALSCRIPTDEPENDENCIES
.RELEASENOTES
#>
-<#
+<#
.SYNOPSIS
Harden Windows Safely, Securely, only with Official Microsoft methods
@@ -38,7 +38,7 @@
⭕ You need to read the GitHub's readme page before running this: https://github.com/HotCakeX/Harden-Windows-Security
⭕ This script is only for users that use the old PowerShell 5.1. It's highly recommended to use new PowerShell versions and the new Harden Windows Security Module that offers hardening + Auditing + Undoing hardening: https://www.powershellgallery.com/packages/Harden-Windows-Security-Module/
-
+
💠 Features of this Hardening script:
✅ Everything always stays up-to-date with the newest proactive security measures that are industry standards and scalable.
@@ -78,9 +78,9 @@
🏴 If you have any questions, requests, suggestions etc. about this script, please open a new Discussion or Issue on GitHub
-.EXAMPLE
+.EXAMPLE
-.NOTES
+.NOTES
Check out GitHub page for security recommendations: https://github.com/HotCakeX/Harden-Windows-Security
@@ -125,7 +125,7 @@ function Select-Option {
while ($null -eq $Selected) {
# Use this style if showing main categories only
- if (!$SubCategory) {
+ if (!$SubCategory) {
Write-SmartText -C Fuchsia -G Magenta -I $Message
}
# Use this style if showing sub-categories only that need additional confirmation
@@ -138,7 +138,7 @@ function Select-Option {
}
}
- for ($I = 0; $I -lt $Options.Length; $I++) {
+ for ($I = 0; $I -lt $Options.Length; $I++) {
Write-SmartText -C MintGreen -G White -I "$($I+1): $($Options[$I])"
}
@@ -146,16 +146,16 @@ function Select-Option {
[System.Int64]$SelectedIndex = 0
$IsValid = [System.Int64]::TryParse((Read-Host 'Select an option'), [ref]$SelectedIndex)
if ($IsValid) {
- if ($SelectedIndex -gt 0 -and $SelectedIndex -le $Options.Length) {
- $Selected = $Options[$SelectedIndex - 1]
+ if ($SelectedIndex -gt 0 -and $SelectedIndex -le $Options.Length) {
+ $Selected = $Options[$SelectedIndex - 1]
}
- else {
+ else {
Write-Warning -Message 'Invalid Option.'
}
}
else {
Write-Warning -Message 'Invalid input. Please only enter a positive number.'
- }
+ }
}
return $Selected
}
@@ -269,8 +269,8 @@ Function Write-SmartText {
[parameter(Mandatory = $false)]
[Alias('N')]
[System.Management.Automation.SwitchParameter]$NoNewLineLegacy # Only used with Legacy colors to write them on the same line, used by the function that gets the removable drives for BitLocker Enhanced security level encryption
- )
-
+ )
+
# Determining if PowerShell edition is Core to use modern styling
if ($PSVersionTable.PSEdition -eq 'Core') {
@@ -295,13 +295,13 @@ Function Write-SmartText {
[System.Drawing.Color]::SkyBlue,
[System.Drawing.Color]::HotPink,
[System.Drawing.Color]::SkyBlue,
- [System.Drawing.Color]::LightSkyBlue,
+ [System.Drawing.Color]::LightSkyBlue,
[System.Drawing.Color]::LightGreen,
[System.Drawing.Color]::Coral,
[System.Drawing.Color]::Plum,
[System.Drawing.Color]::Gold
)
-
+
[System.String]$Output = ''
for ($I = 0; $I -lt $InputText.Length; $I++) {
$Color = $Colors[$I % $Colors.Length]
@@ -322,12 +322,12 @@ Function Write-SmartText {
Write-Host $InputText -ForegroundColor $GenericColor
}
}
-
+
}
# Function to get a removable drive to be used by BitLocker category
-function Get-AvailableRemovableDrives {
-
+function Get-AvailableRemovableDrives {
+
# An empty array of objects that holds the final removable drives list
[System.Object[]]$AvailableRemovableDrives = @()
@@ -357,12 +357,12 @@ function Get-AvailableRemovableDrives {
Select-Object DriveLetter, FileSystemType, DriveType, @{Name = 'Size'; Expression = { '{0:N2}' -f ($_.Size / 1GB) + ' GB' } }
}
-
+
if (!$AvailableRemovableDrives) {
do {
switch (Select-Option -Options 'Check for removable flash drives again', 'Skip encryptions altogether', 'Exit' -Message "`nNo removable writable flash drives found. Please insert a USB flash drive. If it's already attached to the system, try ejecting it and inserting it back in.") {
'Check for removable flash drives again' {
-
+
# An empty array of objects that holds the final removable drives list
[System.Object[]]$AvailableRemovableDrives = @()
@@ -392,7 +392,7 @@ function Get-AvailableRemovableDrives {
Select-Object DriveLetter, FileSystemType, DriveType, @{Name = 'Size'; Expression = { '{0:N2}' -f ($_.Size / 1GB) + ' GB' } }
}
-
+
}
'Skip encryptions altogether' { break BitLockerCategoryLabel } # Breaks from the BitLocker category and won't process Non-OS Drives
'Exit' { &$CleanUp }
@@ -406,7 +406,7 @@ function Get-AvailableRemovableDrives {
[System.Int64]$FileSystemTypeLength = 13
[System.Int64]$DriveTypeLength = 8
[System.Int64]$SizeLength = 3
-
+
# Loop through each element in the array
foreach ($drive in $AvailableRemovableDrives) {
# Compare the length of the current element with the maximum length and update if needed
@@ -422,16 +422,16 @@ function Get-AvailableRemovableDrives {
if (($drive.Size | Measure-Object -Character).Characters -gt $SizeLength) {
# The method below is used to calculate size of the string that consists only number, but since it now has "GB" in it, it's no longer needed
# $SizeLength = ($drive.Size | Measure-Object -Character).Characters
- $SizeLength = $drive.Size.Length
+ $SizeLength = $drive.Size.Length
}
}
-
+
# Add 3 to each maximum length for spacing
$DriveLetterLength += 3
$FileSystemTypeLength += 3
$DriveTypeLength += 3
$SizeLength += 3
-
+
# Creating a heading for the columns
# Write the index of the drive
Write-SmartText -C LavenderNoNewLine -G Blue -N -I ('{0,-4}' -f '#')
@@ -442,7 +442,7 @@ function Get-AvailableRemovableDrives {
# Write the Drive Type of the drive
Write-SmartText -C VioletNoNewLine -G Green -N -I ("|{0,-$DriveTypeLength}" -f 'DriveType')
# Write the Size of the drive
- Write-SmartText -C Gold -G Cyan ("|{0,-$SizeLength}" -f 'Size')
+ Write-SmartText -C Gold -G Cyan ("|{0,-$SizeLength}" -f 'Size')
# Loop through the drives and display them in a table with colors
for ($I = 0; $I -lt $AvailableRemovableDrives.Count; $I++) {
@@ -477,24 +477,24 @@ function Get-AvailableRemovableDrives {
if ([System.Int64]::TryParse($Choice, [ref]$ParsedChoice)) {
if ($ParsedChoice -in 1..$ExitCodeRemovableDriveSelection) {
$IsValid = $true
- break
+ break
}
}
# Return the flag value
return $IsValid
}
-
+
# Prompt the user to enter the number of the drive they want to select, or exit value to exit, until they enter a valid input
do {
# Read the user input as a string
[System.String]$Choice = $(Write-Host "Enter the number of the drive you want to select or press $ExitCodeRemovableDriveSelection to Cancel" -ForegroundColor cyan; Read-Host)
-
+
# Check if the input is valid using the Confirm-Choice function
if (-not (Confirm-Choice $Choice)) {
# Write an error message in red if invalid
Write-Host "Invalid input. Please enter a number between 1 and $ExitCodeRemovableDriveSelection." -ForegroundColor Red
}
- } while (-not (Confirm-Choice $Choice))
+ } while (-not (Confirm-Choice $Choice))
# Check if the user entered the exit value to break out of the loop
if ($Choice -eq $ExitCodeRemovableDriveSelection) {
@@ -503,7 +503,7 @@ function Get-AvailableRemovableDrives {
else {
# Get the selected drive from the array and display it
return ($($AvailableRemovableDrives[$Choice - 1]).DriveLetter + ':')
- }
+ }
}
#endregion functions
@@ -512,11 +512,11 @@ if (Test-IsAdmin) {
# Get the current configurations and preferences of the Microsoft Defender
New-Variable -Name 'MDAVConfigCurrent' -Value (Get-MpComputerStatus) -Force
New-Variable -Name 'MDAVPreferencesCurrent' -Value (Get-MpPreference) -Force
-
+
# backup the current allowed apps list in Controlled folder access in order to restore them at the end of the script
# doing this so that when we Add and then Remove PowerShell executables in Controlled folder access exclusions
# no user customization will be affected
- [System.String[]]$CFAAllowedAppsBackup = $MDAVPreferencesCurrent.ControlledFolderAccessAllowedApplications
+ [System.String[]]$CFAAllowedAppsBackup = $MDAVPreferencesCurrent.ControlledFolderAccessAllowedApplications
# Temporarily allow the currently running PowerShell executables to the Controlled Folder Access allowed apps
# so that the script can run without interruption. This change is reverted at the end.
@@ -524,14 +524,14 @@ if (Test-IsAdmin) {
foreach ($FilePath in (((Get-ChildItem -Path "$PSHOME\*.exe" -File).FullName) + 'C:\Windows\System32\powercfg.exe')) {
Add-MpPreference -ControlledFolderAccessAllowedApplications $FilePath
}
-
+
}
# doing a try-finally block on the entire script so that when CTRL + C is pressed to forcefully exit the script,
# or break is passed, clean up will still happen for secure exit
try {
try {
- Invoke-WithoutProgress {
+ Invoke-WithoutProgress {
[System.DateTime]$global:LatestVersion = Invoke-RestMethod -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Version.txt'
}
}
@@ -545,16 +545,16 @@ try {
Write-Host "The currently installed script's version is $CurrentVersion while the latest version is $LatestVersion" -ForegroundColor Cyan
Write-Host 'Please update your script using:' -ForegroundColor Yellow
Write-Host "Update-Script -Name 'Harden-Windows-Security' -Force" -ForegroundColor Green
- Write-Host 'and run it again after that.' -ForegroundColor Yellow
+ Write-Host 'and run it again after that.' -ForegroundColor Yellow
Write-Host 'You can view the change log on GitHub: https://github.com/HotCakeX/Harden-Windows-Security/releases' -ForegroundColor Magenta
break
}
-
+
Write-Host "`r`n"
Write-SmartText -CustomColor Rainbow -GenericColor Cyan -InputText "############################################################################################################`r`n"
Write-SmartText -CustomColor MintGreen -GenericColor Cyan -InputText "### Please read the Readme in the GitHub repository: https://github.com/HotCakeX/Harden-Windows-Security ###`r`n"
Write-SmartText -CustomColor Rainbow -GenericColor Cyan -InputText "############################################################################################################`r`n"
-
+
# Show a prompt to the user if they're using the old PowerShell
if ($PSVersionTable.PSEdition -eq 'Desktop') { Write-Host "You're using old PowerShell. Please use the new PowerShell Core for much better styling and performance:`nhttps://apps.microsoft.com/detail/powershell/9MZ1SNWT0N5D" -ForegroundColor Yellow }
@@ -585,7 +585,7 @@ try {
# check to make sure Secure Boot is enabled
if (-NOT (Confirm-SecureBootUEFI)) {
Write-Error -Message 'Secure Boot is not enabled, please go to your UEFI settings to enable it and then try again.'
- break
+ break
}
# check to make sure TPM is available and enabled
@@ -594,26 +594,26 @@ try {
Write-Error -Message 'TPM is not available or enabled, please enable it in UEFI settings and try again.'
break
}
-
+
if (-NOT ($MDAVConfigCurrent.AMServiceEnabled -eq $true)) {
Write-Error -Message 'Microsoft Defender Anti Malware service is not enabled, please enable it and then try again.'
- break
- }
+ break
+ }
if (-NOT ($MDAVConfigCurrent.AntispywareEnabled -eq $true)) {
Write-Error -Message 'Microsoft Defender Anti Spyware is not enabled, please enable it and then try again.'
- break
- }
+ break
+ }
if (-NOT ($MDAVConfigCurrent.AntivirusEnabled -eq $true)) {
Write-Error -Message 'Microsoft Defender Anti Virus is not enabled, please enable it and then try again.'
- break
- }
+ break
+ }
if ($MDAVConfigCurrent.AMRunningMode -ne 'Normal') {
Write-Error -Message "Microsoft Defender is running in $($MDAVConfigCurrent.AMRunningMode) state, please remove any 3rd party AV and then try again."
break
- }
+ }
}
#endregion RequirementsCheck
@@ -630,23 +630,23 @@ try {
Remove-Item -Recurse -Path "$global:UserTempDirectoryPath\HardeningXStuff\" -Force
# Disable progress bars
0..6 | ForEach-Object { Write-Progress -Id $_ -Activity 'Done' -Completed }
- exit
+ exit
}
if (-NOT (Test-IsAdmin)) {
Write-SmartText -CustomColor NeonGreen -GenericColor Magenta -InputText 'Skipping commands that require Administrator privileges'
}
- else {
-
+ else {
+
[System.Int64]$CurrentMainStep = 0
Write-Progress -Id 0 -Activity 'Downloading the required files' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete 1
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = 'Downloading'
try {
-
+
# Create an array of files to download
[System.Object[]]$Files = @(
- # System.Net.WebClient requires absolute path instead of relative one
+ # System.Net.WebClient requires absolute path instead of relative one
@{url = 'https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/Windows%2011%20v23H2%20Security%20Baseline.zip'; path = "$WorkingDir\MicrosoftSecurityBaseline.zip"; tag = 'MicrosoftSecurityBaseline' }
@{url = 'https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/Microsoft%20365%20Apps%20for%20Enterprise%202306.zip'; path = "$WorkingDir\Microsoft365SecurityBaseline.zip"; tag = 'Microsoft365SecurityBaseline' }
@{url = 'https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/LGPO.zip'; path = "$WorkingDir\LGPO.zip"; tag = 'LGPO' }
@@ -655,18 +655,18 @@ try {
@{url = 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Payload/ProcessMitigations.csv'; path = "$WorkingDir\ProcessMitigations.csv"; tag = 'ProcessMitigations' }
@{url = 'https://github.com/HotCakeX/Harden-Windows-Security/raw/main/Payload/EventViewerCustomViews.zip'; path = "$WorkingDir\EventViewerCustomViews.zip"; tag = 'EventViewerCustomViews' }
)
-
+
# Get the total number of files to download
[System.Int64]$TotalRequiredFiles = $Files.Count
-
+
# Initialize a counter for the progress bar
[System.Int64]$RequiredFilesCounter = 0
-
- # Start a job for each file download
- [System.Object[]]$Jobs = foreach ($File in $Files) {
-
+
+ # Start a job for each file download
+ [System.Object[]]$Jobs = foreach ($File in $Files) {
+
Start-Job -ErrorAction Stop -ScriptBlock {
-
+
param([System.Uri]$Url, [System.IO.FileInfo]$Path, [System.String]$Tag)
# Create a WebClient object
[System.Net.WebClient]$WC = New-Object System.Net.WebClient
@@ -676,63 +676,63 @@ try {
}
catch {
# a switch for when the original URLs are failing and to provide Alt URL
- switch ($Tag) {
+ switch ($Tag) {
'Security-Baselines-X' {
Write-Host 'Using Azure DevOps for Security-Baselines-X.zip' -ForegroundColor Yellow
[System.Uri]$AltURL = 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Payload/Security-Baselines-X.zip'
$WC.DownloadFile($AltURL, $Path)
break
- }
+ }
'Registry' {
Write-Host 'Using Azure DevOps for Registry.csv' -ForegroundColor Yellow
[System.Uri]$AltURL = 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Payload/Registry.csv'
$WC.DownloadFile($AltURL, $Path)
break
- }
- 'ProcessMitigations' {
+ }
+ 'ProcessMitigations' {
Write-Host 'Using Azure DevOps for ProcessMitigations.CSV' -ForegroundColor Yellow
[System.Uri]$AltURL = 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Payload/ProcessMitigations.csv'
$WC.DownloadFile($AltURL, $Path)
break
- }
+ }
'EventViewerCustomViews' {
Write-Host 'Using Azure DevOps for EventViewerCustomViews.zip' -ForegroundColor Yellow
[System.Uri]$AltURL = 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Payload/EventViewerCustomViews.zip'
$WC.DownloadFile($AltURL, $Path)
break
- }
+ }
default {
# Write an error if any other URL fails and stop the script
Write-Error $_
}
- }
- }
+ }
+ }
} -ArgumentList $File.url, $File.path, $File.tag
-
+
# Increment the counter by one
$RequiredFilesCounter++
-
+
# Write the progress of the download jobs
Write-Progress -Id 1 -ParentId 0 -Activity "Downloading $($file.tag)" -Status "$RequiredFilesCounter of $TotalRequiredFiles" -PercentComplete ($RequiredFilesCounter / $TotalRequiredFiles * 100)
- }
+ }
# Wait until all jobs are completed
while ($Jobs | Where-Object { $_.State -ne 'Completed' }) {
Start-Sleep -Milliseconds 700
}
-
+
# Receive the output or errors of each job and remove the job
foreach ($Job in $Jobs) {
Receive-Job -Job $Job -ErrorAction Stop
Remove-Job -Job $Job -ErrorAction Stop
- }
-
+ }
+
Write-Progress -Id 1 -ParentId 0 -Activity 'Downloading files completed.' -Completed
}
- catch {
+ catch {
Write-Error "The required files couldn't be downloaded, Make sure you have Internet connection."
- foreach ($Job in $Jobs) { Remove-Job -Job $Job -ErrorAction Stop }
+ foreach ($Job in $Jobs) { Remove-Job -Job $Job -ErrorAction Stop }
&$CleanUp
- }
+ }
# unzip Microsoft Security Baselines file
Expand-Archive -Path .\MicrosoftSecurityBaseline.zip -DestinationPath .\MicrosoftSecurityBaseline -Force -ErrorAction Stop
@@ -748,15 +748,15 @@ try {
# capturing the Microsoft 365 Security Baselines extracted path in a variable using wildcard and storing it in a variable so that we won't need to change anything in the code other than the download link when they are updated
[System.String]$Microsoft365SecurityBaselinePath = (Get-ChildItem -Directory -Path '.\Microsoft365SecurityBaseline\*\').FullName
- #region Windows-Boot-Manager-revocations-for-Secure-Boot KB5025885
+ #region Windows-Boot-Manager-revocations-for-Secure-Boot KB5025885
# ============================May 9 2023 Windows Boot Manager revocations for Secure Boot =================================
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = '🫶 Category 0'
-
+
switch (Select-Option -Options 'Yes', 'No', 'Exit' -Message "`nApply May 9 2023 Windows Boot Manager Security measures ? (If you've already run this category, don't need to do it again)") {
- 'Yes' {
+ 'Yes' {
Write-Progress -Id 0 -Activity 'Windows Boot Manager revocations for Secure Boot' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x30 /f
@@ -765,21 +765,21 @@ try {
Write-Warning 'Make sure to restart your device once. After restart, wait for at least 5-10 minutes and perform a 2nd restart to finish applying security measures completely.'
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
# ============================End of May 9 2023 Windows Boot Manager revocations for Secure Boot===========================
#endregion Windows-Boot-Manager-revocations-for-Secure-Boot KB5025885
- #region Microsoft-Security-Baseline
+ #region Microsoft-Security-Baseline
# ================================================Microsoft Security Baseline==============================================
$CurrentMainStep++
-
+
# Change the title of the Windows Terminal for PowerShell tab
- $Host.UI.RawUI.WindowTitle = 'Security Baselines'
-
+ $Host.UI.RawUI.WindowTitle = 'Security Baselines'
+
:MicrosoftSecurityBaselinesCategoryLabel switch (Select-Option -Options 'Yes', 'Yes, With the Optional Overrides (Recommended)' , 'No', 'Exit' -Message "`nApply Microsoft Security Baseline ?") {
- 'Yes' {
+ 'Yes' {
Write-Progress -Id 0 -Activity 'Microsoft Security Baseline' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
-
+
# Copy LGPO.exe from its folder to Microsoft Security Baseline folder in order to get it ready to be used by PowerShell script
Copy-Item -Path '.\LGPO_30\LGPO.exe' -Destination "$MicrosoftSecurityBaselinePath\Scripts\Tools"
@@ -787,10 +787,10 @@ try {
Set-Location "$MicrosoftSecurityBaselinePath\Scripts\"
# Run the official PowerShell script included in the Microsoft Security Baseline file we downloaded from Microsoft servers
- .\Baseline-LocalInstall.ps1 -Win11NonDomainJoined
- }
- 'Yes, With the Optional Overrides (Recommended)' {
-
+ .\Baseline-LocalInstall.ps1 -Win11NonDomainJoined
+ }
+ 'Yes, With the Optional Overrides (Recommended)' {
+
# Copy LGPO.exe from its folder to Microsoft Security Baseline folder in order to get it ready to be used by PowerShell script
Copy-Item -Path '.\LGPO_30\LGPO.exe' -Destination "$MicrosoftSecurityBaselinePath\Scripts\Tools"
@@ -806,27 +806,27 @@ try {
Set-Location "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\Overrides for Microsoft Security Baseline\registry.pol'
.\LGPO.exe /q /s '..\Security-Baselines-X\Overrides for Microsoft Security Baseline\GptTmpl.inf'
-
+
# Re-enables the XblGameSave Standby Task that gets disabled by Microsoft Security Baselines
- SCHTASKS.EXE /Change /TN \Microsoft\XblGameSave\XblGameSaveTask /Enable
+ SCHTASKS.EXE /Change /TN \Microsoft\XblGameSave\XblGameSaveTask /Enable
}
'No' { break MicrosoftSecurityBaselinesCategoryLabel }
'Exit' { &$CleanUp }
- }
- # ==============================================End of Microsoft Security Baselines============================================
+ }
+ # ==============================================End of Microsoft Security Baselines============================================
#endregion Microsoft-Security-Baseline
-
+
#region Microsoft-365-Apps-Security-Baseline
# ================================================Microsoft 365 Apps Security Baseline==============================================
$CurrentMainStep++
-
+
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = 'M365 Apps Security'
-
+
:Microsoft365AppsSecurityBaselinesCategoryLabel switch (Select-Option -Options 'Yes', 'No', 'Exit' -Message "`nApply Microsoft 365 Apps Security Baseline ?") {
- 'Yes' {
+ 'Yes' {
Write-Progress -Id 0 -Activity 'Microsoft 365 Apps Security Baseline' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
-
+
Set-Location $WorkingDir
# Copy LGPO.exe from its folder to Microsoft Office 365 Apps for Enterprise Security Baseline folder in order to get it ready to be used by PowerShell script
Copy-Item -Path '.\LGPO_30\LGPO.exe' -Destination "$Microsoft365SecurityBaselinePath\Scripts\Tools"
@@ -835,28 +835,28 @@ try {
Set-Location "$Microsoft365SecurityBaselinePath\Scripts\"
# Run the official PowerShell script included in the Microsoft Security Baseline file we downloaded from Microsoft servers
- .\Baseline-LocalInstall.ps1
+ .\Baseline-LocalInstall.ps1
} 'No' { break Microsoft365AppsSecurityBaselinesCategoryLabel }
'Exit' { &$CleanUp }
}
# ================================================End of Microsoft 365 Apps Security Baseline==============================================
#endregion Microsoft-365-Apps-Security-Baseline
-
+
#region Microsoft-Defender
# ================================================Microsoft Defender=======================================================
$CurrentMainStep++
-
+
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = 'MSFT Defender'
-
+
switch (Select-Option -Options 'Yes', 'No', 'Exit' -Message "`nRun Microsoft Defender category ?") {
- 'Yes' {
+ 'Yes' {
Write-Progress -Id 0 -Activity 'Microsoft Defender' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
-
+
# Change current working directory to the LGPO's folder
Set-Location "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\Microsoft Defender Policies\registry.pol'
-
+
# Optimizing Network Protection Performance of Windows Defender
Set-MpPreference -AllowSwitchToAsyncInspection $True
@@ -892,29 +892,29 @@ try {
[System.Object[]]$AllAvailableMitigations = (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*')
# Loop through each group to remove the mitigations, this way we apply clean set of mitigations in the next step
- foreach ($Group in $GroupedMitigations) {
+ foreach ($Group in $GroupedMitigations) {
# To separate the filename from full path of the item in the CSV and then check whether it exists in the system registry
if ($Group.Name -match '\\([^\\]+)$') {
if ($Matches[1] -in $AllAvailableMitigations.pschildname) {
Remove-Item -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$($Matches[1])" -Recurse -Force
- }
+ }
}
elseif ($Group.Name -in $AllAvailableMitigations.pschildname) {
Remove-Item -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$($Group.Name)" -Recurse -Force
}
- }
+ }
# Loop through each group to add the mitigations
foreach ($Group in $GroupedMitigations) {
# Get the program name
$ProgramName = $Group.Name
-
+
# Get the list of mitigations to enable
$EnableMitigations = $Group.Group | Where-Object { $_.Action -eq 'Enable' } | Select-Object -ExpandProperty Mitigation
-
+
# Get the list of mitigations to disable
$DisableMitigations = $Group.Group | Where-Object { $_.Action -eq 'Disable' } | Select-Object -ExpandProperty Mitigation
-
+
# Call the Set-ProcessMitigation cmdlet with the lists of mitigations
if ($null -ne $EnableMitigations) {
if ($null -ne $DisableMitigations) {
@@ -927,11 +927,11 @@ try {
elseif ($null -ne $DisableMitigations) {
Set-ProcessMitigation -Name $ProgramName -Disable $DisableMitigations
}
- }
+ }
# Turn on Data Execution Prevention (DEP) for all applications, including 32-bit programs
# Old method
- # bcdedit.exe /set '{current}' nx AlwaysOn | Out-Null
+ # bcdedit.exe /set '{current}' nx AlwaysOn | Out-Null
# New method using PowerShell cmdlets added in Windows 11
Set-BcdElement -Element 'nx' -Type 'Integer' -Value '3'
@@ -955,9 +955,9 @@ try {
}
else {
# Ask user if they want to turn on optional diagnostic data only if Smart App Control is not already turned off
- if (-NOT ((Get-MpComputerStatus).SmartAppControlState -eq 'Off')) {
+ if (-NOT ((Get-MpComputerStatus).SmartAppControlState -eq 'Off')) {
switch (Select-Option -SubCategory -Options 'Yes', 'No', 'Exit' -Message "`nEnable Optional Diagnostic Data ?" -ExtraMessage 'Required for Smart App Control usage and evaluation, read the GitHub Readme!') {
- 'Yes' {
+ 'Yes' {
# Change current working directory to the LGPO's folder
Set-Location "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\Microsoft Defender Policies\Optional Diagnostic Data\registry.pol'
@@ -969,7 +969,7 @@ try {
# Get the state of fast weekly Microsoft recommended driver block list update scheduled task
[System.String]$BlockListScheduledTaskState = (Get-ScheduledTask -TaskName 'MSFT Driver Block list update' -TaskPath '\MSFT Driver Block list update\' -ErrorAction SilentlyContinue).State
-
+
# Create scheduled task for fast weekly Microsoft recommended driver block list update if it doesn't exist or exists but is not Ready/Running
if (-NOT (($BlockListScheduledTaskState -eq 'Ready' -or $BlockListScheduledTaskState -eq 'Running'))) {
switch (Select-Option -SubCategory -Options 'Yes', 'No', 'Exit' -Message "`nCreate scheduled task for fast weekly Microsoft recommended driver block list update ?") {
@@ -977,26 +977,26 @@ try {
# Get the SID of the SYSTEM account. It is a well-known SID, but still querying it, going to use it to create the scheduled task
[System.Security.Principal.SecurityIdentifier]$SYSTEMSID = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)
-
- # Create a scheduled task action, this defines how to download and install the latest Microsoft Recommended Driver Block Rules
+
+ # Create a scheduled task action, this defines how to download and install the latest Microsoft Recommended Driver Block Rules
[Microsoft.Management.Infrastructure.CimInstance]$Action = New-ScheduledTaskAction -Execute 'Powershell.exe' `
- -Argument '-NoProfile -WindowStyle Hidden -command "& {try {Invoke-WebRequest -Uri "https://aka.ms/VulnerableDriverBlockList" -OutFile VulnerableDriverBlockList.zip -ErrorAction Stop}catch{exit};Expand-Archive .\VulnerableDriverBlockList.zip -DestinationPath "VulnerableDriverBlockList" -Force;Rename-Item .\VulnerableDriverBlockList\SiPolicy_Enforced.p7b -NewName "SiPolicy.p7b" -Force;Copy-Item .\VulnerableDriverBlockList\SiPolicy.p7b -Destination "C:\Windows\System32\CodeIntegrity";citool --refresh -json;Remove-Item .\VulnerableDriverBlockList -Recurse -Force;Remove-Item .\VulnerableDriverBlockList.zip -Force;}"'
-
+ -Argument '-NoProfile -WindowStyle Hidden -command "& {try {Invoke-WebRequest -Uri "https://aka.ms/VulnerableDriverBlockList" -OutFile VulnerableDriverBlockList.zip -ErrorAction Stop}catch{exit};Expand-Archive .\VulnerableDriverBlockList.zip -DestinationPath "VulnerableDriverBlockList" -Force;Rename-Item .\VulnerableDriverBlockList\SiPolicy_Enforced.p7b -NewName "SiPolicy.p7b" -Force;Copy-Item .\VulnerableDriverBlockList\SiPolicy.p7b -Destination "C:\Windows\System32\CodeIntegrity";citool --refresh -json;Remove-Item .\VulnerableDriverBlockList -Recurse -Force;Remove-Item .\VulnerableDriverBlockList.zip -Force;}"'
+
# Create a scheduled task principal and assign the SYSTEM account's SID to it so that the task will run under its context
[Microsoft.Management.Infrastructure.CimInstance]$TaskPrincipal = New-ScheduledTaskPrincipal -LogonType S4U -UserId $($SYSTEMSID.Value) -RunLevel Highest
-
+
# Create a trigger for the scheduled task. The task will first run one hour after its creation and from then on will run every 7 days, indefinitely
- [Microsoft.Management.Infrastructure.CimInstance]$Time = New-ScheduledTaskTrigger -Once -At (Get-Date).AddHours(1) -RepetitionInterval (New-TimeSpan -Days 7)
-
+ [Microsoft.Management.Infrastructure.CimInstance]$Time = New-ScheduledTaskTrigger -Once -At (Get-Date).AddHours(1) -RepetitionInterval (New-TimeSpan -Days 7)
+
# Register the scheduled task
Register-ScheduledTask -Action $Action -Trigger $Time -Principal $TaskPrincipal -TaskPath 'MSFT Driver Block list update' -TaskName 'MSFT Driver Block list update' -Description 'Microsoft Recommended Driver Block List update'
-
+
# Define advanced settings for the scheduled task
[Microsoft.Management.Infrastructure.CimInstance]$TaskSettings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -Compatibility 'Win8' -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 3) -RestartCount 4 -RestartInterval (New-TimeSpan -Hours 6) -RunOnlyIfNetworkAvailable
-
+
# Add the advanced settings we defined above to the scheduled task
- Set-ScheduledTask -TaskName 'MSFT Driver Block list update' -TaskPath 'MSFT Driver Block list update' -Settings $TaskSettings
-
+ Set-ScheduledTask -TaskName 'MSFT Driver Block list update' -TaskPath 'MSFT Driver Block list update' -Settings $TaskSettings
+
} 'No' { break }
'Exit' { &$CleanUp }
}
@@ -1006,52 +1006,52 @@ try {
if ( ($MDAVPreferencesCurrent.EngineUpdatesChannel -ne '2') -or ($MDAVPreferencesCurrent.PlatformUpdatesChannel -ne '2') ) {
# Set Microsoft Defender engine and platform update channel to beta - Devices in the Windows Insider Program are subscribed to this channel by default.
switch (Select-Option -SubCategory -Options 'Yes', 'No', 'Exit' -Message "`nSet Microsoft Defender engine and platform update channel to beta ?") {
- 'Yes' {
+ 'Yes' {
Set-MpPreference -EngineUpdatesChannel beta
Set-MpPreference -PlatformUpdatesChannel beta
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
}
} 'No' { break }
'Exit' { &$CleanUp }
- }
- # ============================================End of Microsoft Defender====================================================
+ }
+ # ============================================End of Microsoft Defender====================================================
#endregion Microsoft-Defender
- #region Attack-Surface-Reduction-Rules
+ #region Attack-Surface-Reduction-Rules
# =========================================Attack Surface Reduction Rules==================================================
$CurrentMainStep++
-
+
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = 'ASR Rules'
-
+
:ASRRulesCategoryLabel switch (Select-Option -Options 'Yes', 'No', 'Exit' -Message "`nRun Attack Surface Reduction Rules category ?") {
- 'Yes' {
+ 'Yes' {
Write-Progress -Id 0 -Activity 'Attack Surface Reduction Rules' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
-
+
# Change current working directory to the LGPO's folder
Set-Location "$WorkingDir\LGPO_30"
-
+
.\LGPO.exe /q /m '..\Security-Baselines-X\Attack Surface Reduction Rules Policies\registry.pol'
} 'No' { break ASRRulesCategoryLabel }
'Exit' { &$CleanUp }
}
# =========================================End of Attack Surface Reduction Rules===========================================
#endregion Attack-Surface-Reduction-Rules
-
- #region Bitlocker-Settings
- # ==========================================Bitlocker Settings=============================================================
+
+ #region Bitlocker-Settings
+ # ==========================================Bitlocker Settings=============================================================
$CurrentMainStep++
-
+
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = 'BitLocker'
-
+
:BitLockerCategoryLabel switch (Select-Option -Options 'Yes', 'No', 'Exit' -Message "`nRun Bitlocker category ?") {
- 'Yes' {
+ 'Yes' {
Write-Progress -Id 0 -Activity 'Bitlocker Settings' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
-
+
# Change current working directory to the LGPO's folder
Set-Location "$WorkingDir\LGPO_30"
@@ -1111,18 +1111,18 @@ try {
# Change current working directory to the LGPO's folder
Set-Location "$WorkingDir\LGPO_30"
-
+
# Enables or disables DMA protection from Bitlocker Countermeasures based on the status of Kernel DMA protection.
- if ($BootDMAProtection) {
+ if ($BootDMAProtection) {
Write-Host 'Kernel DMA protection is enabled on the system, disabling Bitlocker DMA protection.' -ForegroundColor Blue
- .\LGPO.exe /q /m '..\Security-Baselines-X\Overrides for Microsoft Security Baseline\Bitlocker DMA\Bitlocker DMA Countermeasure OFF\Registry.pol'
+ .\LGPO.exe /q /m '..\Security-Baselines-X\Overrides for Microsoft Security Baseline\Bitlocker DMA\Bitlocker DMA Countermeasure OFF\Registry.pol'
}
else {
Write-Host 'Kernel DMA protection is unavailable on the system, enabling Bitlocker DMA protection.' -ForegroundColor Blue
- .\LGPO.exe /q /m '..\Security-Baselines-X\Overrides for Microsoft Security Baseline\Bitlocker DMA\Bitlocker DMA Countermeasure ON\Registry.pol'
+ .\LGPO.exe /q /m '..\Security-Baselines-X\Overrides for Microsoft Security Baseline\Bitlocker DMA\Bitlocker DMA Countermeasure ON\Registry.pol'
}
- # Set-up Bitlocker encryption for OS Drive with TPMandPIN and recovery password keyprotectors and Verify its implementation
+ # Set-up Bitlocker encryption for OS Drive with TPMandPIN and recovery password keyprotectors and Verify its implementation
# check, make sure there is no CD/DVD drives in the system, because Bitlocker throws an error when there is
$CdDvdCheck = (Get-CimInstance -ClassName Win32_CDROMDrive -Property *).MediaLoaded
if ($CdDvdCheck) {
@@ -1130,7 +1130,7 @@ try {
# break from the entire BitLocker category and continue to the next category
break BitLockerCategoryLabel
}
-
+
# check make sure Bitlocker isn't in the middle of decryption/encryption operation (on System Drive)
if ((Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $env:SystemDrive).EncryptionPercentage -ne '100' -and (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $env:SystemDrive).EncryptionPercentage -ne '0') {
$EncryptionPercentageVar = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $env:SystemDrive).EncryptionPercentage
@@ -1139,11 +1139,11 @@ try {
# break from the entire BitLocker category and continue to the next category
break BitLockerCategoryLabel
}
-
+
# A script block that generates recovery code just like the Windows does
- [scriptblock]$RecoveryPasswordContentGenerator = {
+ [scriptblock]$RecoveryPasswordContentGenerator = {
param ([System.Object[]]$KeyProtectorsInputFromScriptBlock)
-
+
return @"
BitLocker Drive Encryption recovery key
@@ -1151,25 +1151,25 @@ To verify that this is the correct recovery key, compare the start of the follow
Identifier:
- $(($KeyProtectorsInputFromScriptBlock | Where-Object { $_.keyprotectortype -eq 'RecoveryPassword' }).KeyProtectorId.Trim('{', '}'))
+ $(($KeyProtectorsInputFromScriptBlock | Where-Object { $_.keyprotectortype -eq 'RecoveryPassword' }).KeyProtectorId.Trim('{', '}'))
If the above identifier matches the one displayed by your PC, then use the following key to unlock your drive.
Recovery Key:
- $(($KeyProtectorsInputFromScriptBlock | Where-Object { $_.keyprotectortype -eq 'RecoveryPassword' }).RecoveryPassword)
+ $(($KeyProtectorsInputFromScriptBlock | Where-Object { $_.keyprotectortype -eq 'RecoveryPassword' }).RecoveryPassword)
If the above identifier doesn't match the one displayed by your PC, then this isn't the right key to unlock your drive.
Try another recovery key, or refer to https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview for additional assistance.
-
+
IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Vault which requires additional authentication to access.
-
+
"@
}
:OSDriveEncryptionLabel switch (Select-Option -SubCategory -Options 'Normal: TPM + Startup PIN + Recovery Password', 'Enhanced: TPM + Startup PIN + Startup Key + Recovery Password', 'Skip encryptions altogether', 'Exit' -Message "`nPlease select your desired security level" -ExtraMessage "If you are not sure, refer to the BitLocker category in the GitHub Readme`n") {
'Normal: TPM + Startup PIN + Recovery Password' {
-
+
# check if Bitlocker is enabled for the system drive with Normal security level
if ((Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $env:SystemDrive).ProtectionStatus -eq 'on') {
@@ -1187,51 +1187,51 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
[System.String[]]$KeyProtectorTypesOSDrive = $KeyProtectorsOSDrive.keyprotectortype
if ($KeyProtectorTypesOSDrive -contains 'TpmPinStartupKey' -and $KeyProtectorTypesOSDrive -contains 'recoveryPassword') {
-
+
switch (Select-Option -SubCategory -Options 'Yes', 'Skip OS Drive' , 'Exit' -Message "`nThe OS Drive is already encrypted with Enhanced Security level." -ExtraMessage "Are you sure you want to change it to Normal Security level?`n" ) {
'Skip OS Drive' { break OSDriveEncryptionLabel }
- 'Exit' { &$CleanUp }
+ 'Exit' { &$CleanUp }
}
}
-
+
# check if TPM + PIN + recovery password are being used as key protectors for the OS Drive
if ($KeyProtectorTypesOSDrive -contains 'Tpmpin' -and $KeyProtectorTypesOSDrive -contains 'recoveryPassword') {
Write-SmartText -C MintGreen -G Green -I 'Bitlocker is already enabled for the OS drive with Normal security level.'
-
+
Write-SmartText -C Fuchsia -GenericColor Magenta -I 'Here is your 48-digits recovery password for the OS drive in case you were looking for it:'
Write-SmartText -C Rainbow -GenericColor Yellow -I "$(($KeyProtectorsOSDrive | Where-Object { $_.keyprotectortype -eq 'RecoveryPassword' }).RecoveryPassword)"
-
+
}
else {
# If the OS Drive doesn't have recovery password key protector
if ($KeyProtectorTypesOSDrive -notcontains 'recoveryPassword') {
-
+
[System.String]$BitLockerMsg = "`nThe recovery password is missing, adding it now... `n" +
"It will be saved in a text file in '$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt'"
Write-Host $BitLockerMsg -ForegroundColor Yellow
-
+
# Add RecoveryPasswordProtector key protector to the OS drive
Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector *> $null
-
+
# Get the new key protectors of the OS Drive after adding RecoveryPasswordProtector to it
[System.Object[]]$KeyProtectorsOSDrive = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $env:SystemDrive).KeyProtector
-
+
# Backup the recovery code of the OS drive in a file
New-Item -Path "$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt" -Value $(&$RecoveryPasswordContentGenerator $KeyProtectorsOSDrive) -ItemType File -Force | Out-Null
-
+
}
# If the OS Drive doesn't have (TPM + PIN) key protector
if ($KeyProtectorTypesOSDrive -notcontains 'Tpmpin') {
-
+
Write-Host "`nTPM and Start up PIN are missing, adding them now..." -ForegroundColor Cyan
-
- do {
+
+ do {
[securestring]$Pin1 = $(Write-SmartText -C PinkBold -G Magenta -I "`nEnter a Pin for Bitlocker startup (between 10 to 20 characters)"; Read-Host -AsSecureString)
[securestring]$Pin2 = $(Write-SmartText -C PinkBold -G Magenta -I 'Confirm your Bitlocker Startup Pin (between 10 to 20 characters)'; Read-Host -AsSecureString)
-
+
# Compare the PINs and make sure they match
[System.Boolean]$TheyMatch = Compare-SecureString $Pin1 $Pin2
# If the PINs match and they are at least 10 characters long, max 20 characters
@@ -1240,15 +1240,15 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
else { Write-Host 'Please ensure that the PINs you entered match, and that they are between 10 to 20 characters.' -ForegroundColor red }
}
- # Repeat this process until the entered PINs match and they are at least 10 characters long, max 20 characters
+ # Repeat this process until the entered PINs match and they are at least 10 characters long, max 20 characters
until ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) )
-
+
try {
# Add TPM + PIN key protectors to the OS Drive
Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmAndPinProtector -Pin $Pin -ErrorAction Stop | Out-Null
Write-SmartText -C MintGreen -G Green -I "`nPINs matched, enabling TPM and startup PIN now`n"
}
- catch {
+ catch {
Write-Host 'These errors occured, run Bitlocker category again after meeting the requirements' -ForegroundColor Red
$_
break BitLockerCategoryLabel
@@ -1256,14 +1256,14 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Get the key protectors of the OS Drive
[System.Object[]]$KeyProtectorsOSDrive = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $env:SystemDrive).KeyProtector
-
+
# Backup the recovery code of the OS drive in a file just in case - This is for when the disk is automatically encrypted and using TPM + Recovery code by default
New-Item -Path "$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt" -Value $(&$RecoveryPasswordContentGenerator $KeyProtectorsOSDrive) -ItemType File -Force | Out-Null
-
+
Write-Host "The recovery password was backed up in a text file in '$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt'" -ForegroundColor Cyan
-
- }
- }
+
+ }
+ }
}
# Do this if Bitlocker is not enabled for the OS drive at all
@@ -1272,16 +1272,16 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
do {
[securestring]$Pin1 = $(Write-SmartText -C PinkBold -G Magenta -I 'Enter a Pin for Bitlocker startup (between 10 to 20 characters)'; Read-Host -AsSecureString)
[securestring]$Pin2 = $(Write-SmartText -C PinkBold -G Magenta -I 'Confirm your Bitlocker Startup Pin (between 10 to 20 characters)'; Read-Host -AsSecureString)
-
+
[System.Boolean]$TheyMatch = Compare-SecureString $Pin1 $Pin2
-
+
if ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) ) {
[securestring]$Pin = $Pin1
}
else { Write-Host 'Please ensure that the PINs you entered match, and that they are between 10 to 20 characters.' -ForegroundColor red }
}
until ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) )
-
+
try {
# Enable BitLocker for the OS Drive with TPM + PIN key protectors
Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod 'XtsAes256' -Pin $Pin -TpmAndPinProtector -SkipHardwareTest -ErrorAction Stop *> $null
@@ -1290,25 +1290,25 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host 'These errors occured, run Bitlocker category again after meeting the requirements' -ForegroundColor Red
$_
break BitLockerCategoryLabel
- }
+ }
# Add recovery password key protector to the OS Drive
Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector *> $null
-
+
# Get the new key protectors of the OS Drive after adding RecoveryPasswordProtector to it
[System.Object[]]$KeyProtectorsOSDrive = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $env:SystemDrive).KeyProtector
-
+
# Backup the recovery code of the OS drive in a file
New-Item -Path "$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt" -Value $(&$RecoveryPasswordContentGenerator $KeyProtectorsOSDrive) -ItemType File -Force | Out-Null
-
+
Resume-BitLocker -MountPoint $env:SystemDrive | Out-Null
-
- Write-SmartText -C MintGreen -G Green -I "`nBitlocker is now enabled for the OS drive with Normal security level."
+
+ Write-SmartText -C MintGreen -G Green -I "`nBitlocker is now enabled for the OS drive with Normal security level."
Write-Host "The recovery password will be saved in a text file in '$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt'" -ForegroundColor Cyan
}
}
'Enhanced: TPM + Startup PIN + Startup Key + Recovery Password' {
-
+
# check if Bitlocker is enabled for the system drive with Enhanced security level
if ((Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $env:SystemDrive).ProtectionStatus -eq 'on') {
@@ -1324,55 +1324,55 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
[System.Object[]]$KeyProtectorsOSDrive = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $env:SystemDrive).KeyProtector
# Get the key protector types of the OS Drive
[System.String[]]$KeyProtectorTypesOSDrive = $KeyProtectorsOSDrive.keyprotectortype
-
+
# check if TPM + PIN + recovery password are being used as key protectors for the OS Drive
if ($KeyProtectorTypesOSDrive -contains 'TpmPinStartupKey' -and $KeyProtectorTypesOSDrive -contains 'recoveryPassword') {
Write-SmartText -C MintGreen -G Green -I 'Bitlocker is already enabled for the OS drive with Enhanced security level.'
-
+
Write-SmartText -C Fuchsia -GenericColor Magenta -I 'Here is your 48-digits recovery password for the OS drive in case you were looking for it:'
Write-SmartText -C Rainbow -GenericColor Yellow -I "$(($KeyProtectorsOSDrive | Where-Object { $_.keyprotectortype -eq 'RecoveryPassword' }).RecoveryPassword)"
-
+
}
else {
# If the OS Drive doesn't have recovery password key protector
if ($KeyProtectorTypesOSDrive -notcontains 'recoveryPassword') {
-
+
[System.String]$BitLockerMsg = "`nThe recovery password is missing, adding it now... `n" +
"It will be saved in a text file in '$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt'"
Write-Host $BitLockerMsg -ForegroundColor Yellow
-
+
# Add RecoveryPasswordProtector key protector to the OS drive
Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector *> $null
-
+
# Get the new key protectors of the OS Drive after adding RecoveryPasswordProtector to it
[System.Object[]]$KeyProtectorsOSDrive = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $env:SystemDrive).KeyProtector
-
+
# Backup the recovery code of the OS drive in a file
New-Item -Path "$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt" -Value $(&$RecoveryPasswordContentGenerator $KeyProtectorsOSDrive) -ItemType File -Force | Out-Null
-
+
}
# If the OS Drive doesn't have (TpmPinStartupKey) key protector
if ($KeyProtectorTypesOSDrive -notcontains 'TpmPinStartupKey') {
-
+
Write-SmartText -C Violet -G Cyan -I "`nTpm And Pin And StartupKey Protector is missing from the OS Drive, adding it now"
# Check if the OS drive has ExternalKey key protector and if it does remove it
# It's the standalone Startup Key protector which isn't secure on its own for the OS Drive
- if ($KeyProtectorTypesOSDrive -contains 'ExternalKey') {
+ if ($KeyProtectorTypesOSDrive -contains 'ExternalKey') {
(Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $env:SystemDrive).KeyProtector |
Where-Object { $_.keyprotectortype -eq 'ExternalKey' } |
ForEach-Object { Remove-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $_.KeyProtectorId | Out-Null }
-
- }
- do {
+ }
+
+ do {
[securestring]$Pin1 = $(Write-SmartText -C PinkBold -G Magenta -I "`nEnter a Pin for Bitlocker startup (between 10 to 20 characters)"; Read-Host -AsSecureString)
[securestring]$Pin2 = $(Write-SmartText -C PinkBold -G Magenta -I 'Confirm your Bitlocker Startup Pin (between 10 to 20 characters)'; Read-Host -AsSecureString)
-
+
# Compare the PINs and make sure they match
[System.Boolean]$TheyMatch = Compare-SecureString $Pin1 $Pin2
# If the PINs match and they are at least 10 characters long, max 20 characters
@@ -1381,41 +1381,41 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
else { Write-Host 'Please ensure that the PINs you entered match, and that they are between 10 to 20 characters.' -ForegroundColor red }
}
- # Repeat this process until the entered PINs match and they are at least 10 characters long, max 20 characters
+ # Repeat this process until the entered PINs match and they are at least 10 characters long, max 20 characters
until ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) )
-
+
Write-SmartText -C MintGreen -G Green -I "`nPINs matched, enabling TPM, Startup PIN and Startup Key protector now`n"
-
+
try {
# Add TpmAndPinAndStartupKeyProtector to the OS Drive
- Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmAndPinAndStartupKeyProtector -StartupKeyPath (Get-AvailableRemovableDrives) -Pin $Pin -ErrorAction Stop | Out-Null
+ Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmAndPinAndStartupKeyProtector -StartupKeyPath (Get-AvailableRemovableDrives) -Pin $Pin -ErrorAction Stop | Out-Null
}
- catch {
+ catch {
Write-Host 'There was a problem adding Startup Key to the removable drive, try ejecting and reinserting the flash drive into your device and run this category again.' -ForegroundColor Red
$_
break BitLockerCategoryLabel
}
-
+
# Get the key protectors of the OS Drive
[System.Object[]]$KeyProtectorsOSDrive = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $env:SystemDrive).KeyProtector
-
+
# Backup the recovery code of the OS drive in a file just in case - This is for when the disk is automatically encrypted and using TPM + Recovery code by default
New-Item -Path "$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt" -Value $(&$RecoveryPasswordContentGenerator $KeyProtectorsOSDrive) -ItemType File -Force | Out-Null
-
+
Write-Host "The recovery password was backed up in a text file in '$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt'" -ForegroundColor Cyan
-
- }
- }
+
+ }
+ }
}
# Do this if Bitlocker is not enabled for the OS drive at all
else {
Write-Host "`nBitlocker is not enabled for the OS Drive, activating it now..." -ForegroundColor Yellow
-
- do {
+
+ do {
[securestring]$Pin1 = $(Write-SmartText -C PinkBold -G Magenta -I "`nEnter a Pin for Bitlocker startup (between 10 to 20 characters)"; Read-Host -AsSecureString)
[securestring]$Pin2 = $(Write-SmartText -C PinkBold -G Magenta -I 'Confirm your Bitlocker Startup Pin (between 10 to 20 characters)'; Read-Host -AsSecureString)
-
+
# Compare the PINs and make sure they match
[System.Boolean]$TheyMatch = Compare-SecureString $Pin1 $Pin2
# If the PINs match and they are at least 10 characters long, max 20 characters
@@ -1424,33 +1424,33 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
else { Write-Host 'Please ensure that the PINs you entered match, and that they are between 10 to 20 characters.' -ForegroundColor red }
}
- # Repeat this process until the entered PINs match and they are at least 10 characters long, max 20 characters
+ # Repeat this process until the entered PINs match and they are at least 10 characters long, max 20 characters
until ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) )
-
+
Write-SmartText -C MintGreen -G Green -I "`nPINs matched, enabling TPM, Startup PIN and Startup Key protector now`n"
-
+
try {
# Add TpmAndPinAndStartupKeyProtector to the OS Drive
Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod 'XtsAes256' -TpmAndPinAndStartupKeyProtector -StartupKeyPath (Get-AvailableRemovableDrives) -Pin $Pin -SkipHardwareTest -ErrorAction Stop *> $null
}
- catch {
+ catch {
Write-Host 'There was a problem adding Startup Key to the removable drive, try ejecting and reinserting the flash drive into your device and run this category again.' -ForegroundColor Red
$_
break BitLockerCategoryLabel
}
-
+
# Add recovery password key protector to the OS Drive
Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector *> $null
-
+
# Get the new key protectors of the OS Drive after adding RecoveryPasswordProtector to it
[System.Object[]]$KeyProtectorsOSDrive = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $env:SystemDrive).KeyProtector
-
+
# Backup the recovery code of the OS drive in a file
New-Item -Path "$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt" -Value $(&$RecoveryPasswordContentGenerator $KeyProtectorsOSDrive) -ItemType File -Force | Out-Null
-
+
Resume-BitLocker -MountPoint $env:SystemDrive | Out-Null
-
- Write-SmartText -C MintGreen -G Green -I "`nBitlocker is now enabled for the OS drive with Enhanced security level."
+
+ Write-SmartText -C MintGreen -G Green -I "`nBitlocker is now enabled for the OS drive with Enhanced security level."
Write-Host "The recovery password will be saved in a text file in '$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt'" -ForegroundColor Cyan
}
}
@@ -1470,12 +1470,12 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Do nothing if the key doesn't exist
}
if ($HiberFileType -ne 2) {
-
+
Write-Progress -Id 6 -ParentId 0 -Activity 'Hibernate' -Status 'Setting Hibernate file size to full' -PercentComplete 50
-
+
# Set Hibernate mode to full
&'C:\Windows\System32\powercfg.exe' /h /type full | Out-Null
-
+
Write-Progress -Id 6 -Activity 'Setting Hibernate file size to full' -Completed
}
else {
@@ -1484,7 +1484,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
#region Non-OS-BitLocker-Drives-Detection
-
+
# Get the list of non OS volumes
# Using -ErrorAction SilentlyContinue because after running the Microsoft Security baseline category, if there is a flash drive attached to the device, you "might" see this error: Device Id: \\?\Volume{83196d59-0000-0000-0000-107d00000000}\ does not have a corresponding volume.
# It only suppresses Non-terminating errors
@@ -1516,11 +1516,11 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Loop through each non-OS volume and prompt for encryption
foreach ($MountPoint in $($NonOSBitLockerVolumes | Sort-Object).MountPoint) {
-
+
# Prompt for confirmation before encrypting each drive
switch (Select-Option -SubCategory -Options 'Yes', 'No', 'Exit' -Message "`nEncrypt $MountPoint drive ?") {
'Yes' {
-
+
# Check if the non-OS drive that the user selected to be encrypted is not in the middle of any encryption/decryption operation
if ((Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).EncryptionPercentage -ne '100' -and (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).EncryptionPercentage -ne '0') {
# Check if the drive isn't already encrypted and locked
@@ -1534,12 +1534,12 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host "Drive $MountPoint encryption is currently at $EncryptionPercentageVar percent." -ForegroundColor Magenta
break
}
- }
-
+ }
+
# Check to see if Bitlocker is already turned on for the user selected drive
# if it is, perform multiple checks on its key protectors
if ((Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).ProtectionStatus -eq 'on') {
-
+
# Get the OS Drive's encryption method
[System.String]$EncryptionMethodNonOSDrive = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).EncryptionMethod
@@ -1550,10 +1550,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Get the key protector types of the Non-OS Drive
[System.String[]]$KeyProtectorTypesNonOS = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).KeyProtector.keyprotectortype
-
+
# If Recovery Password and Auto Unlock key protectors are available on the drive
if ($KeyProtectorTypesNonOS -contains 'RecoveryPassword' -and $KeyProtectorTypesNonOS -contains 'ExternalKey') {
-
+
# Additional Check 1: if there are more than 1 ExternalKey key protector, try delete all of them and add a new one
# The external key protector that is being used to unlock the drive will not be deleted
((Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).KeyProtector |
@@ -1563,50 +1563,50 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# and it's being used to unlock the drive
Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_ -ErrorAction SilentlyContinue | Out-Null
}
-
+
# Renew the External key of the selected Non-OS Drive
Enable-BitLockerAutoUnlock -MountPoint $MountPoint | Out-Null
-
+
# Additional Check 2: if there are more than 1 Recovery Password, delete all of them and add a new one
[System.String[]]$RecoveryPasswordKeyProtectors = ((Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).KeyProtector |
Where-Object { $_.keyprotectortype -eq 'RecoveryPassword' }).KeyProtectorId
-
+
if ($RecoveryPasswordKeyProtectors.Count -gt 1) {
-
+
[System.String]$BitLockerMsg = "`nThere are more than 1 recovery password key protector associated with the drive $mountpoint `n" +
- "Removing all of them and adding a new one. `n" +
+ "Removing all of them and adding a new one. `n" +
"It will be saved in a text file in '$($MountPoint)\Drive $($MountPoint.Remove(1)) recovery password.txt'"
Write-Host $BitLockerMsg -ForegroundColor Yellow
-
+
# Remove all of the recovery password key protectors of the selected Non-OS Drive
$RecoveryPasswordKeyProtectors | ForEach-Object {
Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_ | Out-Null
}
-
+
# Add a new Recovery Password key protector after removing all of the previous ones
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector *> $null
-
+
# Get the new key protectors of the Non-OS Drive after adding RecoveryPasswordProtector to it
[System.Object[]]$KeyProtectorsNonOS = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).KeyProtector
-
+
# Backup the recovery code of the Non-OS drive in a file
New-Item -Path "$MountPoint\Drive $($MountPoint.Remove(1)) recovery password.txt" -Value $(&$RecoveryPasswordContentGenerator $KeyProtectorsNonOS) -ItemType File -Force | Out-Null
-
+
}
Write-SmartText -C MintGreen -G Green -I "`nBitlocker is already securely enabled for drive $MountPoint"
# Get the new key protectors of the Non-OS Drive after adding RecoveryPasswordProtector to it
# Just to simply display it on the console for the user
[System.Object[]]$KeyProtectorsNonOS = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).KeyProtector
-
+
Write-SmartText -C Fuchsia -GenericColor Magenta -I "Here is your 48-digits recovery password for drive $MountPoint in case you were looking for it:"
Write-SmartText -C Rainbow -GenericColor Yellow -I "$(($KeyProtectorsNonOS | Where-Object { $_.keyprotectortype -eq 'RecoveryPassword' }).RecoveryPassword)"
-
+
}
-
+
# If the selected drive has Auto Unlock key protector but doesn't have Recovery Password
elseif ($KeyProtectorTypesNonOS -contains 'ExternalKey' -and $KeyProtectorTypesNonOS -notcontains 'RecoveryPassword' ) {
-
+
# if there are more than 1 ExternalKey key protector, try delete all of them and add a new one
# The external key protector that is being used to unlock the drive will not be deleted
((Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).KeyProtector |
@@ -1616,75 +1616,75 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# and it's being used to unlock the drive
Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_ -ErrorAction SilentlyContinue | Out-Null
}
-
+
# Renew the External key of the selected Non-OS Drive
Enable-BitLockerAutoUnlock -MountPoint $MountPoint | Out-Null
-
+
# Add Recovery Password Key protector and save it to a file inside the drive
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector *> $null
-
+
# Get the new key protectors of the Non-OS Drive after adding RecoveryPasswordProtector to it
[System.Object[]]$KeyProtectorsNonOS = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).KeyProtector
-
+
# Backup the recovery code of the Non-OS drive in a file
New-Item -Path "$MountPoint\Drive $($MountPoint.Remove(1)) recovery password.txt" -Value $(&$RecoveryPasswordContentGenerator $KeyProtectorsNonOS) -ItemType File -Force | Out-Null
-
+
[System.String]$BitLockerMsg = "`nDrive $MountPoint is auto-unlocked but doesn't have Recovery Password, adding it now... `n" +
"It will be saved in a text file in '$($MountPoint)\Drive $($MountPoint.Remove(1)) recovery password.txt'"
Write-Host $BitLockerMsg -ForegroundColor Cyan
}
-
+
# Check 3: If the selected drive has Recovery Password key protector but doesn't have Auto Unlock enabled
elseif ($KeyProtectorTypesNonOS -contains 'RecoveryPassword' -and $KeyProtectorTypesNonOS -notcontains 'ExternalKey') {
-
+
# Add Auto-unlock (a.k.a ExternalKey key protector to the drive)
Enable-BitLockerAutoUnlock -MountPoint $MountPoint | Out-Null
-
+
# if there are more than 1 Recovery Password, delete all of them and add a new one
[System.String[]]$RecoveryPasswordKeyProtectors = ((Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).KeyProtector |
Where-Object { $_.keyprotectortype -eq 'RecoveryPassword' }).KeyProtectorId
-
+
if ($RecoveryPasswordKeyProtectors.Count -gt 1) {
-
+
[System.String]$BitLockerMsg = "`nThere are more than 1 recovery password key protector associated with the drive $mountpoint `n" +
'Removing all of them and adding a new one.' +
"It will be saved in a text file in '$($MountPoint)\Drive $($MountPoint.Remove(1)) recovery password.txt'"
Write-Host $BitLockerMsg -ForegroundColor Yellow
-
+
# Delete all Recovery Passwords because there were more than 1
$RecoveryPasswordKeyProtectors | ForEach-Object {
Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_ | Out-Null
}
-
+
# Add a new Recovery Password
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector *> $null
-
+
# Get the new key protectors of the Non-OS Drive after adding RecoveryPasswordProtector to it
[System.Object[]]$KeyProtectorsNonOS = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).KeyProtector
-
+
# Backup the recovery code of the Non-OS drive in a file
New-Item -Path "$MountPoint\Drive $($MountPoint.Remove(1)) recovery password.txt" -Value $(&$RecoveryPasswordContentGenerator $KeyProtectorsNonOS) -ItemType File -Force | Out-Null
}
}
}
-
+
# Do this if Bitlocker isn't turned on at all on the user selected drive
else {
# Enable BitLocker with RecoveryPassword key protector for the selected Non-OS drive
Enable-BitLocker -MountPoint $MountPoint -RecoveryPasswordProtector *> $null
-
+
# Add Auto-unlock (a.k.a ExternalKey key protector to the drive)
Enable-BitLockerAutoUnlock -MountPoint $MountPoint | Out-Null
-
+
# Get the new key protectors of the Non-OS Drive after adding RecoveryPasswordProtector to it
[System.Object[]]$KeyProtectorsNonOS = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).KeyProtector
-
+
# Backup the recovery code of the Non-OS drive in a file
New-Item -Path "$MountPoint\Drive $($MountPoint.Remove(1)) recovery password.txt" -Value $(&$RecoveryPasswordContentGenerator $KeyProtectorsNonOS) -ItemType File -Force | Out-Null
-
+
Write-SmartText -C MintGreen -G Green -I "`nBitLocker has started encrypting drive $MountPoint"
Write-Host "Recovery password will be saved in a text file in '$($MountPoint)\Drive $($MountPoint.Remove(1)) recovery password.txt'" -ForegroundColor Cyan
- }
+ }
} 'No' { break }
'Exit' { &$CleanUp }
}
@@ -1692,22 +1692,22 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
} 'No' { break }
'Exit' { &$CleanUp }
- }
- # ==========================================End of Bitlocker Settings======================================================
+ }
+ # ==========================================End of Bitlocker Settings======================================================
#endregion Bitlocker-Settings
- #region TLS-Security
- # ==============================================TLS Security===============================================================
+ #region TLS-Security
+ # ==============================================TLS Security===============================================================
$CurrentMainStep++
-
+
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = 'TLS'
-
+
switch (Select-Option -Options 'Yes', 'No', 'Exit' -Message "`nRun TLS Security category ?") {
- 'Yes' {
+ 'Yes' {
Write-Progress -Id 0 -Activity 'TLS Security' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
-
- # creating these registry keys that have forward slashes in them
+
+ # creating these registry keys that have forward slashes in them
@(
'DES 56/56', # DES 56-bit
'RC2 40/128', # RC2 40-bit
@@ -1733,24 +1733,24 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
# Change current working directory to the LGPO's folder
Set-Location "$WorkingDir\LGPO_30"
- .\LGPO.exe /q /m '..\Security-Baselines-X\TLS Security\registry.pol'
+ .\LGPO.exe /q /m '..\Security-Baselines-X\TLS Security\registry.pol'
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
# ==========================================End of TLS Security============================================================
#endregion TLS-Security
- #region Lock-Screen
+ #region Lock-Screen
# ==========================================Lock Screen====================================================================
$CurrentMainStep++
-
+
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = 'Lock Screen'
-
+
switch (Select-Option -Options 'Yes', 'No', 'Exit' -Message "`nRun Lock Screen category ?") {
- 'Yes' {
+ 'Yes' {
Write-Progress -Id 0 -Activity 'Lock Screen' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
-
+
# Change current working directory to the LGPO's folder
Set-Location "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\Lock Screen Policies\registry.pol'
@@ -1760,42 +1760,42 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
switch (Select-Option -SubCategory -Options 'Yes', 'No', 'Exit' -Message "`nDon't display last signed-in on logon screen ?" -ExtraMessage 'Read the GitHub Readme!') {
'Yes' {
Write-Progress -Id 2 -ParentId 0 -Activity 'Lock Screen' -Status "Applying the Don't display last signed-in policy" -PercentComplete 50
-
- .\LGPO.exe /q /s "..\Security-Baselines-X\Lock Screen Policies\Don't display last signed-in\GptTmpl.inf"
-
+
+ .\LGPO.exe /q /s "..\Security-Baselines-X\Lock Screen Policies\Don't display last signed-in\GptTmpl.inf"
+
Write-Progress -Id 2 -Activity "Applying the Don't display last signed-in policy" -Completed
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
# ==========================================End of Lock Screen=============================================================
#endregion Lock-Screen
#region User-Account-Control
# ==========================================User Account Control===========================================================
$CurrentMainStep++
-
+
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = 'UAC'
-
+
switch (Select-Option -Options 'Yes', 'No', 'Exit' -Message "`nRun User Account Control category ?") {
- 'Yes' {
+ 'Yes' {
Write-Progress -Id 0 -Activity 'User Account Control' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
-
+
# Change current working directory to the LGPO's folder
Set-Location "$WorkingDir\LGPO_30"
.\LGPO.exe /q /s '..\Security-Baselines-X\User Account Control UAC Policies\GptTmpl.inf'
-
+
# Apply the Automatically deny all UAC prompts on Standard accounts policy
switch (Select-Option -SubCategory -Options 'Yes', 'No', 'Exit' -Message "`nAutomatically deny all UAC prompts on Standard accounts ?") {
'Yes' {
Write-Progress -Id 3 -ParentId 0 -Activity 'User Account Control' -Status 'Automatically deny all UAC prompts on Standard accounts policy' -PercentComplete 50
-
- .\LGPO.exe /q /s '..\Security-Baselines-X\User Account Control UAC Policies\Automatically deny all UAC prompts on Standard accounts\GptTmpl.inf'
-
+
+ .\LGPO.exe /q /s '..\Security-Baselines-X\User Account Control UAC Policies\Automatically deny all UAC prompts on Standard accounts\GptTmpl.inf'
+
Write-Progress -Id 3 -Activity 'Automatically deny all UAC prompts on Standard accounts policy' -Completed
} 'No' { break }
'Exit' { &$CleanUp }
@@ -1806,12 +1806,12 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
'Yes' {
Write-Progress -Id 4 -ParentId 0 -Activity 'User Account Control' -Status 'Hide the entry points for Fast User Switching policy' -PercentComplete 50
- .\LGPO.exe /q /m '..\Security-Baselines-X\User Account Control UAC Policies\Hides the entry points for Fast User Switching\registry.pol'
-
+ .\LGPO.exe /q /m '..\Security-Baselines-X\User Account Control UAC Policies\Hides the entry points for Fast User Switching\registry.pol'
+
Write-Progress -Id 4 -Activity 'Hide the entry points for Fast User Switching policy' -Completed
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
# Apply the Only elevate executables that are signed and validated policy
switch (Select-Option -SubCategory -Options 'Yes', 'No', 'Exit' -Message "`nOnly elevate executables that are signed and validated ?" -ExtraMessage 'Read the GitHub Readme!') {
@@ -1819,29 +1819,29 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Progress -Id 5 -ParentId 0 -Activity 'User Account Control' -Status 'Only elevate executables that are signed and validated' -PercentComplete 50
.\LGPO.exe /q /s '..\Security-Baselines-X\User Account Control UAC Policies\Only elevate executables that are signed and validated\GptTmpl.inf'
-
+
Write-Progress -Id 5 -Activity 'Only elevate executables that are signed and validated' -Completed
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
# ==========================================End of User Account Control====================================================
#endregion User-Account-Control
- #region Windows-Firewall
+ #region Windows-Firewall
# ====================================================Windows Firewall=====================================================
$CurrentMainStep++
-
+
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = '🔥 Firewall'
-
+
switch (Select-Option -Options 'Yes', 'No', 'Exit' -Message "`nRun Windows Firewall category ?") {
- 'Yes' {
+ 'Yes' {
Write-Progress -Id 0 -Activity 'Windows Firewall' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
-
+
# Change current working directory to the LGPO's folder
Set-Location "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\Windows Firewall Policies\registry.pol'
@@ -1852,27 +1852,27 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
ForEach-Object { Disable-NetFirewallRule -DisplayName $_.DisplayName }
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
# =================================================End of Windows Firewall=================================================
#endregion Windows-Firewall
- #region Optional-Windows-Features
+ #region Optional-Windows-Features
# =================================================Optional Windows Features===============================================
$CurrentMainStep++
-
+
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = 'Optional Features'
-
+
switch (Select-Option -Options 'Yes', 'No', 'Exit' -Message "`nRun Optional Windows Features category ?") {
- 'Yes' {
+ 'Yes' {
Write-Progress -Id 0 -Activity 'Optional Windows Features' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
-
+
# since PowerShell Core (only if installed from Microsoft Store) has problem with these commands, making sure the built-in PowerShell handles them
# There are Github issues for it already: https://github.com/PowerShell/PowerShell/issues/13866
powershell.exe {
- # Disable PowerShell v2 (part 1)
+ # Disable PowerShell v2 (part 1)
Write-Host "`nDisabling PowerShellv2 1st part" -ForegroundColor Yellow
if ((Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2).state -eq 'enabled') {
try {
@@ -1880,11 +1880,11 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
catch {
# show error
- $_
+ $_
}
}
else {
- Write-Host 'PowerShellv2 1st part is already disabled' -ForegroundColor Green
+ Write-Host 'PowerShellv2 1st part is already disabled' -ForegroundColor Green
}
# Disable PowerShell v2 (part 2)
@@ -1897,16 +1897,16 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
catch {
# show error
- $_
+ $_
}
}
else {
Write-Host 'PowerShellv2 2nd part is already disabled' -ForegroundColor Green
}
-
+
# Disable Work Folders client
Write-Host "`nDisabling Work Folders" -ForegroundColor Yellow
- if ((Get-WindowsOptionalFeature -Online -FeatureName WorkFolders-Client).state -eq 'enabled') {
+ if ((Get-WindowsOptionalFeature -Online -FeatureName WorkFolders-Client).state -eq 'enabled') {
try {
Disable-WindowsOptionalFeature -Online -FeatureName WorkFolders-Client -NoRestart -ErrorAction Stop
# Shows the successful message only if removal process was successful
@@ -1917,10 +1917,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
$_
}
}
- else {
- Write-Host 'Work Folders is already disabled' -ForegroundColor Green
+ else {
+ Write-Host 'Work Folders is already disabled' -ForegroundColor Green
}
-
+
# Disable Internet Printing Client
Write-Host "`nDisabling Internet Printing Client" -ForegroundColor Yellow
if ((Get-WindowsOptionalFeature -Online -FeatureName Printing-Foundation-Features).state -eq 'enabled') {
@@ -1935,13 +1935,13 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host 'Internet Printing Client is already disabled' -ForegroundColor Green
- }
+ Write-Host 'Internet Printing Client is already disabled' -ForegroundColor Green
+ }
# Uninstall Windows Media Player (legacy)
Write-Host "`nUninstalling Windows Media Player (legacy)" -ForegroundColor Yellow
if ((Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Media.WindowsMediaPlayer*' }).state -ne 'NotPresent') {
- try {
+ try {
Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Media.WindowsMediaPlayer*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
Write-Host 'Windows Media Player (legacy) has been uninstalled.' -ForegroundColor Green
@@ -1954,7 +1954,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
else {
Write-Host 'Windows Media Player (legacy) is already uninstalled.' -ForegroundColor Green
}
-
+
# Enable Microsoft Defender Application Guard
Write-Host "`nEnabling Microsoft Defender Application Guard" -ForegroundColor Yellow
if ((Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard).state -eq 'disabled') {
@@ -1969,17 +1969,17 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host 'Microsoft Defender Application Guard is already enabled' -ForegroundColor Green
+ Write-Host 'Microsoft Defender Application Guard is already enabled' -ForegroundColor Green
}
}
# Need to split the commands in 2 scriptblocks so we don't get "program PowerShell.exe failed to run: The filename or extension is too long" error
powershell.exe {
-
+
# Enable Windows Sandbox
Write-Host "`nEnabling Windows Sandbox" -ForegroundColor Yellow
- if ((Get-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM).state -eq 'disabled') {
+ if ((Get-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM).state -eq 'disabled') {
try {
Enable-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM -All -NoRestart -ErrorAction Stop
# Shows the successful message only if enablement process was successful
@@ -1990,10 +1990,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
$_
}
}
- else {
- Write-Host 'Windows Sandbox is already enabled' -ForegroundColor Green
+ else {
+ Write-Host 'Windows Sandbox is already enabled' -ForegroundColor Green
}
-
+
# Enable Hyper-V
Write-Host "`nEnabling Hyper-V" -ForegroundColor Yellow
if ((Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V).state -eq 'disabled') {
@@ -2010,7 +2010,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
else {
Write-Host 'Hyper-V is already enabled' -ForegroundColor Green
}
-
+
# Enable Virtual Machine Platform
Write-Host "`nEnabling Virtual Machine Platform" -ForegroundColor Yellow
if ((Get-WindowsOptionalFeature -Online -FeatureName VirtualMachinePlatform).state -eq 'disabled') {
@@ -2027,25 +2027,25 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
else {
Write-Host 'Virtual Machine Platform is already enabled' -ForegroundColor Green
}
-
- # Uninstall VBScript that is now uninstallable as an optional features since Windows 11 insider Dev build 25309 - Won't do anything in other builds
- if (Get-WindowsCapability -Online | Where-Object { $_.Name -like '*VBSCRIPT*' }) {
- try {
- Write-Host "`nUninstalling VBSCRIPT" -ForegroundColor Yellow
+
+ # Uninstall VBScript that is now uninstallable as an optional features since Windows 11 insider Dev build 25309 - Won't do anything in other builds
+ if (Get-WindowsCapability -Online | Where-Object { $_.Name -like '*VBSCRIPT*' }) {
+ try {
+ Write-Host "`nUninstalling VBSCRIPT" -ForegroundColor Yellow
Get-WindowsCapability -Online | Where-Object { $_.Name -like '*VBSCRIPT*' } | Remove-WindowsCapability -Online -ErrorAction Stop
- # Shows the successful message only if removal process was successful
+ # Shows the successful message only if removal process was successful
Write-Host 'VBSCRIPT has been uninstalled' -ForegroundColor Green
}
catch {
# show errors
$_
}
- }
-
+ }
+
# Uninstall Internet Explorer mode functionality for Edge
Write-Host "`nUninstalling Internet Explorer mode functionality for Edge" -ForegroundColor Yellow
if ((Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Browser.InternetExplorer*' }).state -ne 'NotPresent') {
- try {
+ try {
Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Browser.InternetExplorer*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
Write-Host 'Internet Explorer mode functionality for Edge has been uninstalled' -ForegroundColor Green
@@ -2059,10 +2059,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host 'Internet Explorer mode functionality for Edge is already uninstalled.' -ForegroundColor Green
}
- # Uninstall WMIC
+ # Uninstall WMIC
Write-Host "`nUninstalling WMIC" -ForegroundColor Yellow
- if ((Get-WindowsCapability -Online | Where-Object { $_.Name -like '*wmic*' }).state -ne 'NotPresent') {
- try {
+ if ((Get-WindowsCapability -Online | Where-Object { $_.Name -like '*wmic*' }).state -ne 'NotPresent') {
+ try {
Get-WindowsCapability -Online | Where-Object { $_.Name -like '*wmic*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
Write-Host 'WMIC has been uninstalled' -ForegroundColor Green
@@ -2079,7 +2079,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Uninstall Legacy Notepad
Write-Host "`nUninstalling Legacy Notepad" -ForegroundColor Yellow
if ((Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Microsoft.Windows.Notepad.System*' }).state -ne 'NotPresent') {
- try {
+ try {
Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Microsoft.Windows.Notepad.System*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
Write-Host 'Legacy Notepad has been uninstalled. The modern multi-tabbed Notepad is unaffected.' -ForegroundColor Green
@@ -2096,7 +2096,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Uninstall WordPad
Write-Host "`nUninstalling WordPad" -ForegroundColor Yellow
if ((Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Microsoft.Windows.WordPad*' }).state -ne 'NotPresent') {
- try {
+ try {
Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Microsoft.Windows.WordPad*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
Write-Host 'WordPad has been uninstalled.' -ForegroundColor Green
@@ -2108,12 +2108,12 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
else {
Write-Host 'WordPad is already uninstalled.' -ForegroundColor Green
- }
+ }
# Uninstall PowerShell ISE
Write-Host "`nUninstalling PowerShell ISE" -ForegroundColor Yellow
if ((Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Microsoft.Windows.PowerShell.ISE*' }).state -ne 'NotPresent') {
- try {
+ try {
Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Microsoft.Windows.PowerShell.ISE*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
Write-Host 'PowerShell ISE has been uninstalled.' -ForegroundColor Green
@@ -2125,15 +2125,15 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
else {
Write-Host 'PowerShell ISE is already uninstalled.' -ForegroundColor Green
- }
+ }
}
powershell.exe {
-
+
# Uninstall Steps Recorder
Write-Host "`nUninstalling Steps Recorder" -ForegroundColor Yellow
if ((Get-WindowsCapability -Online | Where-Object { $_.Name -like '*App.StepsRecorder*' }).state -ne 'NotPresent') {
- try {
+ try {
Get-WindowsCapability -Online | Where-Object { $_.Name -like '*App.StepsRecorder*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
Write-Host 'Steps Recorder has been uninstalled.' -ForegroundColor Green
@@ -2145,26 +2145,26 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
else {
Write-Host 'Steps Recorder is already uninstalled.' -ForegroundColor Green
- }
+ }
}
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
# ==============================================End of Optional Windows Features===========================================
#endregion Optional-Windows-Features
- #region Windows-Networking
+ #region Windows-Networking
# ====================================================Windows Networking===================================================
$CurrentMainStep++
-
+
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = 'Networking'
switch (Select-Option -Options 'Yes', 'No', 'Exit' -Message "`nRun Windows Networking category ?") {
- 'Yes' {
+ 'Yes' {
Write-Progress -Id 0 -Activity 'Windows Networking' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
-
+
# Change current working directory to the LGPO's folder
Set-Location "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\Windows Networking Policies\registry.pol'
@@ -2181,22 +2181,22 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# =================================================End of Windows Networking===============================================
#endregion Windows-Networking
- #region Miscellaneous-Configurations
+ #region Miscellaneous-Configurations
# ==============================================Miscellaneous Configurations===============================================
$CurrentMainStep++
-
+
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = 'Miscellaneous'
switch (Select-Option -Options 'Yes', 'No', 'Exit' -Message "`nRun Miscellaneous Configurations category ?") {
- 'Yes' {
+ 'Yes' {
Write-Progress -Id 0 -Activity 'Miscellaneous Configurations' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
-
+
# Miscellaneous Registry section
Set-Location $WorkingDir
[System.Object[]]$Items = Import-Csv '.\Registry.csv' -Delimiter ','
foreach ($Item in $Items) {
- if ($Item.category -eq 'Miscellaneous') {
+ if ($Item.category -eq 'Miscellaneous') {
Edit-Registry -path $Item.Path -key $Item.Key -value $Item.Value -type $Item.Type -Action $Item.Action
}
}
@@ -2208,27 +2208,27 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Apply the Blocking Untrusted Fonts policy
switch (Select-Option -SubCategory -Options 'Yes', 'No', 'Exit' -Message "`nBlock Untrusted Fonts ?") {
'Yes' {
- .\LGPO.exe /q /m '..\Security-Baselines-X\Miscellaneous Policies\Blocking Untrusted Fonts\registry.pol'
+ .\LGPO.exe /q /m '..\Security-Baselines-X\Miscellaneous Policies\Blocking Untrusted Fonts\registry.pol'
} 'No' { break }
'Exit' { &$CleanUp }
}
-
+
# Allow all Windows users to use Hyper-V and Windows Sandbox by adding all Windows users to the "Hyper-V Administrators" security group using its SID
Get-LocalUser | Where-Object { $_.enabled -eq 'True' } | ForEach-Object { Add-LocalGroupMember -SID 'S-1-5-32-578' -Member "$($_.SID)" -ErrorAction SilentlyContinue }
-
+
# Makes sure auditing for the "Other Logon/Logoff Events" subcategory under the Logon/Logoff category is enabled, doesn't touch affect any other sub-category
# For tracking Lock screen unlocks and locks
# auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
# Using GUID
auditpol /set /subcategory:"{0CCE921C-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable | Out-Null
-
+
# Query all Audits status
# auditpol /get /category:*
# Get the list of subcategories and their associated GUIDs
# auditpol /list /subcategory:* /r
# Event Viewer custom views are saved in "C:\ProgramData\Microsoft\Event Viewer\Views". files in there can be backed up and restored on new Windows installations.
- New-Item -ItemType Directory -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script\' -Force | Out-Null
+ New-Item -ItemType Directory -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script\' -Force | Out-Null
# Due to change in event viewer custom log files, making sure no old file names exist
if (Test-Path -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script') {
@@ -2238,24 +2238,24 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
New-Item -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script' -ItemType Directory -Force | Out-Null
Expand-Archive -Path "$WorkingDir\EventViewerCustomViews.zip" -DestinationPath 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script' -Force -ErrorAction Stop
-
+
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
# ============================================End of Miscellaneous Configurations==========================================
#endregion Miscellaneous-Configurations
-
- #region Windows-Update-Configurations
+
+ #region Windows-Update-Configurations
# ====================================================Windows Update Configurations==============================================
$CurrentMainStep++
-
+
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = 'Windows Update'
switch (Select-Option -Options 'Yes', 'No', 'Exit' -Message "`nApply Windows Update Policies ?") {
'Yes' {
Write-Progress -Id 0 -Activity 'Windows Update Configurations' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
-
+
# Enable restart notification for Windows update
Edit-Registry -path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings' -key 'RestartNotificationsAllowed2' -value '1' -type 'DWORD' -Action 'AddOrModify'
# Change current working directory to the LGPO's folder
@@ -2263,21 +2263,21 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
.\LGPO.exe /q /m '..\Security-Baselines-X\Windows Update Policies\registry.pol'
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
# ====================================================End of Windows Update Configurations=======================================
#endregion Windows-Update-Configurations
#region Edge-Browser-Configurations
# ====================================================Edge Browser Configurations====================================================
$CurrentMainStep++
-
+
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = 'Edge'
switch (Select-Option -Options 'Yes', 'No', 'Exit' -Message "`nApply Edge Browser Configurations ?") {
- 'Yes' {
+ 'Yes' {
Write-Progress -Id 0 -Activity 'Edge Browser Configurations' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
-
+
# Edge Browser Configurations registry
Set-Location $WorkingDir
[System.Object[]]$Items = Import-Csv '.\Registry.csv' -Delimiter ','
@@ -2288,33 +2288,33 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
# ====================================================End of Edge Browser Configurations==============================================
#endregion Edge-Browser-Configurations
-
- #region Certificate-Checking-Commands
+
+ #region Certificate-Checking-Commands
# ====================================================Certificate Checking Commands========================================
$CurrentMainStep++
-
+
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = 'Certificates'
switch (Select-Option -Options 'Yes', 'No', 'Exit' -Message "`nRun Certificate Checking category ?") {
- 'Yes' {
+ 'Yes' {
Write-Progress -Id 0 -Activity 'Certificate Checking Commands' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
-
+
try {
- Invoke-WithoutProgress {
+ Invoke-WithoutProgress {
Invoke-WebRequest -Uri 'https://live.sysinternals.com/sigcheck64.exe' -OutFile 'sigcheck64.exe' -ErrorAction Stop
- }
+ }
}
- catch {
+ catch {
Write-Host "sigcheck64.exe couldn't be downloaded from https://live.sysinternals.com" -ForegroundColor Red
break
- }
+ }
Write-Host -NoNewline "`nListing valid certificates not rooted to the Microsoft Certificate Trust List in the" -ForegroundColor Yellow; Write-Host " User store`n" -ForegroundColor cyan
- .\sigcheck64.exe -tuv -accepteula -nobanner
-
+ .\sigcheck64.exe -tuv -accepteula -nobanner
+
Write-Host -NoNewline "`nListing valid certificates not rooted to the Microsoft Certificate Trust List in the" -ForegroundColor Yellow; Write-Host " Machine Store`n" -ForegroundColor Blue
.\sigcheck64.exe -tv -accepteula -nobanner
Remove-Item -Path .\sigcheck64.exe -Force
@@ -2324,40 +2324,40 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# ====================================================End of Certificate Checking Commands=================================
#endregion Certificate-Checking-Commands
- #region Country-IP-Blocking
+ #region Country-IP-Blocking
# ====================================================Country IP Blocking==================================================
$CurrentMainStep++
-
+
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = 'Country IPs'
-
+
switch (Select-Option -Options 'Yes', 'No', 'Exit' -Message "`nRun Country IP Blocking category ?") {
- 'Yes' {
+ 'Yes' {
Write-Progress -Id 0 -Activity 'Country IP Blocking' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
-
- # -RemoteAddress in New-NetFirewallRule accepts array according to Microsoft Docs,
+
+ # -RemoteAddress in New-NetFirewallRule accepts array according to Microsoft Docs,
# so we use "[System.String[]]$IPList = $IPList -split '\r?\n' -ne ''" to convert the IP lists, which is a single multiline string, into an array
function Block-CountryIP {
param ([System.String[]]$IPList , [System.String]$ListName)
-
- # deletes previous rules (if any) to get new up-to-date IP ranges from the sources and set new rules
+
+ # deletes previous rules (if any) to get new up-to-date IP ranges from the sources and set new rules
Remove-NetFirewallRule -DisplayName "$ListName IP range blocking" -PolicyStore localhost -ErrorAction SilentlyContinue
-
+
# converts the list which is in string into array
[System.String[]]$IPList = $IPList -split '\r?\n' -ne ''
# makes sure the list isn't empty
if ($IPList.count -eq 0) {
Write-Host "The IP list was empty, skipping $ListName" -ForegroundColor Yellow
- break
- }
+ break
+ }
New-NetFirewallRule -DisplayName "$ListName IP range blocking" -Direction Inbound -Action Block -LocalAddress Any -RemoteAddress $IPList -Description "$ListName IP range blocking" -EdgeTraversalPolicy Block -PolicyStore localhost
- New-NetFirewallRule -DisplayName "$ListName IP range blocking" -Direction Outbound -Action Block -LocalAddress Any -RemoteAddress $IPList -Description "$ListName IP range blocking" -EdgeTraversalPolicy Block -PolicyStore localhost
+ New-NetFirewallRule -DisplayName "$ListName IP range blocking" -Direction Outbound -Action Block -LocalAddress Any -RemoteAddress $IPList -Description "$ListName IP range blocking" -EdgeTraversalPolicy Block -PolicyStore localhost
}
switch (Select-Option -SubCategory -Options 'Yes', 'No' -Message 'Add countries in the State Sponsors of Terrorism list to the Firewall block list?') {
'Yes' {
- Invoke-WithoutProgress {
+ Invoke-WithoutProgress {
$global:StateSponsorsofTerrorism = Invoke-RestMethod -Uri 'https://raw.githubusercontent.com/HotCakeX/Official-IANA-IP-blocks/main/Curated-Lists/StateSponsorsOfTerrorism.txt'
}
Block-CountryIP -IPList $StateSponsorsofTerrorism -ListName 'State Sponsors of Terrorism'
@@ -2365,8 +2365,8 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
switch (Select-Option -SubCategory -Options 'Yes', 'No' -Message 'Add OFAC Sanctioned Countries to the Firewall block list?') {
'Yes' {
- Invoke-WithoutProgress {
- $global:OFACSanctioned = Invoke-RestMethod -Uri 'https://raw.githubusercontent.com/HotCakeX/Official-IANA-IP-blocks/main/Curated-Lists/OFACSanctioned.txt'
+ Invoke-WithoutProgress {
+ $global:OFACSanctioned = Invoke-RestMethod -Uri 'https://raw.githubusercontent.com/HotCakeX/Official-IANA-IP-blocks/main/Curated-Lists/OFACSanctioned.txt'
}
Block-CountryIP -IPList $OFACSanctioned -ListName 'OFAC Sanctioned Countries'
} 'No' { break }
@@ -2374,46 +2374,46 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# how to query the number of IPs in each rule
# (Get-NetFirewallRule -DisplayName "OFAC Sanctioned Countries IP range blocking" -PolicyStore localhost | Get-NetFirewallAddressFilter).RemoteAddress.count
-
+
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
# ====================================================End of Country IP Blocking===========================================
#endregion Country-IP-Blocking
-
+
} # End of Admin test function
#region Non-Admin-Commands
# ====================================================Non-Admin Commands===================================================
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = 'Non-Admins'
-
+
switch (Select-Option -Options 'Yes', 'No', 'Exit' -Message "`nRun Non-Admin category ?") {
'Yes' {
$CurrentMainStep = $TotalMainSteps
Write-Progress -Id 0 -Activity 'Non-Admin category' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
-
- # Non-Admin Registry section
- Set-Location $WorkingDir
- Invoke-WithoutProgress {
+
+ # Non-Admin Registry section
+ Set-Location $WorkingDir
+ Invoke-WithoutProgress {
# Download Registry CSV file from GitHub or Azure DevOps
try {
- Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Payload/Registry.csv' -OutFile '.\Registry.csv' -ErrorAction Stop
+ Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Payload/Registry.csv' -OutFile '.\Registry.csv' -ErrorAction Stop
}
catch {
Write-Host 'Using Azure DevOps...' -ForegroundColor Yellow
Invoke-WebRequest -Uri 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Payload/Registry.csv' -OutFile '.\Registry.csv' -ErrorAction Stop
- }
+ }
}
[System.Object[]]$Items = Import-Csv '.\Registry.csv' -Delimiter ','
foreach ($Item in $Items) {
- if ($Item.category -eq 'NonAdmin') {
+ if ($Item.category -eq 'NonAdmin') {
Edit-Registry -path $Item.Path -key $Item.Key -value $Item.Value -type $Item.Type -Action $Item.Action
}
- }
+ }
# Only suggest restarting the device if Admin related categories were run
- if (Test-IsAdmin) {
+ if (Test-IsAdmin) {
Write-Host "`r`n"
Write-SmartText -C Rainbow -G Cyan -I "################################################################################################`r`n"
Write-SmartText -C MintGreen -G Cyan -I "### Please Restart your device to completely apply the security measures and Group Policies ###`r`n"
@@ -2436,19 +2436,19 @@ finally {
# restoring the original Controlled folder access allow list - if user already had added PowerShell executables to the list
# they will be restored as well, so user customization will remain intact
- if ($null -ne $CFAAllowedAppsBackup) {
+ if ($null -ne $CFAAllowedAppsBackup) {
Set-MpPreference -ControlledFolderAccessAllowedApplications $CFAAllowedAppsBackup
}
}
- Set-Location $HOME; Remove-Item -Recurse -Path "$global:UserTempDirectoryPath\HardeningXStuff\" -Force -ErrorAction SilentlyContinue
+ Set-Location $HOME; Remove-Item -Recurse -Path "$global:UserTempDirectoryPath\HardeningXStuff\" -Force -ErrorAction SilentlyContinue
# Disable progress bars
0..6 | ForEach-Object { Write-Progress -Id $_ -Activity 'Done' -Completed }
# Restore the title of the PowerShell back to what it was prior to running the script/module
$Host.UI.RawUI.WindowTitle = $CurrentPowerShellTitle
-
+
# Set the execution policy back to what it was prior to running the script
Set-ExecutionPolicy -ExecutionPolicy "$CurrentExecutionPolicy" -Scope Process -Force
}
diff --git a/Harden-Windows-Security Module/Main files/Protect-WindowsSecurity.psm1 b/Harden-Windows-Security Module/Main files/Protect-WindowsSecurity.psm1
index 95c22f939..a377d5fab 100644
--- a/Harden-Windows-Security Module/Main files/Protect-WindowsSecurity.psm1
+++ b/Harden-Windows-Security Module/Main files/Protect-WindowsSecurity.psm1
@@ -1,7 +1,7 @@
-Function Protect-WindowsSecurity {
+Function Protect-WindowsSecurity {
# Import functions
- . "$psscriptroot\Functions.ps1"
-
+ . "$psscriptroot\Functions.ps1"
+
# Apply the hardening measures from the local file
& "$psscriptroot\Harden-Windows-Security.ps1"
@@ -21,5 +21,5 @@ PowerShell
.FUNCTIONALITY
Applies the hardening measures
-#>
+#>
}
diff --git a/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1 b/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
index 7078c53db..cf65aa5af 100644
--- a/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
+++ b/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
@@ -19,7 +19,7 @@ Function Unprotect-WindowsSecurity {
# Import functions
. "$psscriptroot\Functions.ps1"
-
+
# Custom colors
[scriptblock]$WriteFuchsia = { Write-Host "$($PSStyle.Foreground.FromRGB(236,68,155))$($args[0])$($PSStyle.Reset)" }
[scriptblock]$WriteOrange = { Write-Host "$($PSStyle.Foreground.FromRGB(255,165,0))$($args[0])$($PSStyle.Reset)" }
@@ -35,10 +35,10 @@ Function Unprotect-WindowsSecurity {
# Give user a chance to exit if they accidentally ran this
Pause
}
-
+
# doing a try-finally block on the entire script so that when CTRL + C is pressed to forcefully exit the script,
# or break is passed, clean up will still happen for secure exit
- try {
+ try {
Write-Progress -Activity 'Backing up Controlled Folder Access exclusion list' -Status 'Processing' -PercentComplete 10
@@ -81,7 +81,7 @@ Function Unprotect-WindowsSecurity {
# Download Process Mitigations CSV file from GitHub or Azure DevOps
try {
- Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Payload/ProcessMitigations.csv' -OutFile '.\ProcessMitigations.csv' -ProgressAction SilentlyContinue
+ Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Payload/ProcessMitigations.csv' -OutFile '.\ProcessMitigations.csv' -ProgressAction SilentlyContinue
}
catch {
Write-Host 'Using Azure DevOps...' -ForegroundColor Yellow
@@ -90,7 +90,7 @@ Function Unprotect-WindowsSecurity {
}
catch {
Write-Error "The required files couldn't be downloaded, Make sure you have Internet connection."
- &$CleanUp
+ &$CleanUp
}
# Only run this if -OnlyProcessMitigations parameter is NOT passed
@@ -103,28 +103,28 @@ Function Unprotect-WindowsSecurity {
}
Write-Progress -Activity 'Deleting all the registry keys created by the Protect-WindowsSecurity cmdlet' -Status 'Processing' -PercentComplete 60
-
+
[System.Object[]]$Items = Import-Csv '.\Registry.csv' -Delimiter ','
- foreach ($Item in $Items) {
- if (Test-Path -Path $item.path) {
- Remove-ItemProperty -Path $Item.path -Name $Item.key -Force -ErrorAction SilentlyContinue
- }
- }
+ foreach ($Item in $Items) {
+ if (Test-Path -Path $item.path) {
+ Remove-ItemProperty -Path $Item.path -Name $Item.key -Force -ErrorAction SilentlyContinue
+ }
+ }
# To completely remove the Edge policy since only its sub-keys are removed by the command above
Remove-Item -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList' -Force -Recurse -ErrorAction SilentlyContinue
-
+
# Restore Security group policies back to their default states
Write-Progress -Activity 'Restoring the default Security group policies' -Status 'Processing' -PercentComplete 70
-
+
# Download LGPO program from Microsoft servers
Invoke-WebRequest -Uri 'https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/LGPO.zip' -OutFile '.\LGPO.zip' -ProgressAction SilentlyContinue
-
+
# unzip the LGPO file
- Expand-Archive -Path .\LGPO.zip -DestinationPath .\ -Force
+ Expand-Archive -Path .\LGPO.zip -DestinationPath .\ -Force
.\'LGPO_30\LGPO.exe' /q /s "$psscriptroot\Resources\Default Security Policy.inf"
-
+
# Enable LMHOSTS lookup protocol on all network adapters again
Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' -Name 'EnableLMHOSTS' -Value '1' -Type DWord
@@ -135,50 +135,50 @@ Function Unprotect-WindowsSecurity {
SCHTASKS.EXE /Change /TN \Microsoft\XblGameSave\XblGameSaveTask /Enable | Out-Null
Write-Progress -Activity 'Restoring Microsoft Defender configs back to their default states' -Status 'Processing' -PercentComplete 80
-
+
# Disable the advanced new security features of the Microsoft Defender
Set-MpPreference -AllowSwitchToAsyncInspection $False
Set-MpPreference -OobeEnableRtpAndSigUpdate $False
Set-MpPreference -IntelTDTEnabled $False
Set-MpPreference -DisableRestorePoint $True
Set-MpPreference -PerformanceModeStatus Enabled
- Set-MpPreference -EnableConvertWarnToBlock $False
- # Set Microsoft Defender engine and platform update channels to NotConfigured State
+ Set-MpPreference -EnableConvertWarnToBlock $False
+ # Set Microsoft Defender engine and platform update channels to NotConfigured State
Set-MpPreference -EngineUpdatesChannel NotConfigured
Set-MpPreference -PlatformUpdatesChannel NotConfigured
}
# Disable Mandatory ASLR
Set-ProcessMitigation -System -Disable ForceRelocateImages
-
+
# Remove Process Mitigations
[System.Object[]]$ProcessMitigations = Import-Csv '.\ProcessMitigations.csv' -Delimiter ','
# Group the data by ProgramName
[System.Object[]]$GroupedMitigations = $ProcessMitigations | Group-Object ProgramName
[System.Object[]]$AllAvailableMitigations = (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*')
-
+
Write-Progress -Activity 'Removing Process Mitigations for apps' -Status 'Processing' -PercentComplete 90
-
+
# Loop through each group
- foreach ($Group in $GroupedMitigations) {
+ foreach ($Group in $GroupedMitigations) {
# To separate the filename from full path of the item in the CSV and then check whether it exists in the system registry
if ($Group.Name -match '\\([^\\]+)$') {
if ($Matches[1] -in $AllAvailableMitigations.pschildname) {
Remove-Item -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$($Matches[1])" -Recurse -Force
- }
+ }
}
elseif ($Group.Name -in $AllAvailableMitigations.pschildname) {
Remove-Item -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$($Group.Name)" -Recurse -Force
}
- }
+ }
- # Only run this if -OnlyProcessMitigations parameter is NOT passed
+ # Only run this if -OnlyProcessMitigations parameter is NOT passed
if (!$OnlyProcessMitigations) {
-
+
# Set Data Execution Prevention (DEP) back to its default value
Set-BcdElement -Element 'nx' -Type 'Integer' -Value '0'
-
+
# Remove the scheduled task that keeps the Microsoft recommended driver block rules updated
# Define the name and path of the task
@@ -187,13 +187,13 @@ Function Unprotect-WindowsSecurity {
if (Get-ScheduledTask -TaskName $taskName -TaskPath $taskPath -ErrorAction SilentlyContinue) {
Unregister-ScheduledTask -TaskName $taskName -TaskPath $taskPath -Confirm:$false | Out-Null
- }
+ }
# Enables Multicast DNS (mDNS) UDP-in Firewall Rules for all 3 Firewall profiles
Get-NetFirewallRule |
Where-Object { $_.RuleGroup -eq '@%SystemRoot%\system32\firewallapi.dll,-37302' -and $_.Direction -eq 'inbound' } |
- ForEach-Object { Enable-NetFirewallRule -DisplayName $_.DisplayName }
-
+ ForEach-Object { Enable-NetFirewallRule -DisplayName $_.DisplayName }
+
# Remove any custom views added by this script for Event Viewer
if (Test-Path -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script') {
Remove-Item -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script' -Recurse -Force
@@ -204,7 +204,7 @@ Function Unprotect-WindowsSecurity {
# Set a tattooed Group policy for Svchost.exe process mitigations back to disabled state
Set-ItemProperty -Path 'Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SCMConfig' -Name 'EnableSvchostMitigationPolicy' -Value '0' -Force -Type 'DWord' -ErrorAction SilentlyContinue
- Write-Progress -Activity 'Complete' -Status 'Complete' -PercentComplete 100
+ Write-Progress -Activity 'Complete' -Status 'Complete' -PercentComplete 100
&$WriteFuchsia 'Operation Completed, please restart your computer.'
}
@@ -216,11 +216,11 @@ Function Unprotect-WindowsSecurity {
# restoring the original Controlled folder access allow list - if user already had added PowerShell executables to the list
# they will be restored as well, so user customization will remain intact
- if ($null -ne $CFAAllowedAppsBackup) {
+ if ($null -ne $CFAAllowedAppsBackup) {
Set-MpPreference -ControlledFolderAccessAllowedApplications $CFAAllowedAppsBackup
}
-
- Set-Location $HOME; Remove-Item -Recurse "$global:UserTempDirectoryPath\HardeningXStuff\" -Force -ErrorAction SilentlyContinue
+
+ Set-Location $HOME; Remove-Item -Recurse "$global:UserTempDirectoryPath\HardeningXStuff\" -Force -ErrorAction SilentlyContinue
}
<#
@@ -242,7 +242,7 @@ Removes the hardening measures applied by Protect-WindowsSecurity cmdlet
.PARAMETER OnlyProcessMitigations
Only removes the Process Mitigations / Exploit Protection settings and doesn't change anything else
-#>
+#>
}
# Set PSReadline tab completion to complete menu for easier access to available parameters - Only for the current session
From 36cde4c91c95021c823cddc9e1f3584584c0db53 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Sun, 10 Dec 2023 11:13:55 -0930
Subject: [PATCH 04/79] Version bump
---
Harden-Windows-Security Module/version.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Harden-Windows-Security Module/version.txt b/Harden-Windows-Security Module/version.txt
index a53741c09..967b33ffb 100644
--- a/Harden-Windows-Security Module/version.txt
+++ b/Harden-Windows-Security Module/version.txt
@@ -1 +1 @@
-0.2.6
\ No newline at end of file
+0.2.7
\ No newline at end of file
From 0875cc3cf5509fd9823190fa8b282116c104f780 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Sun, 10 Dec 2023 11:14:49 -0930
Subject: [PATCH 05/79] Adding the same changes from script to module
---
.../Main files/Harden-Windows-Security.ps1 | 326 +++----
Harden-Windows-Security.ps1 | 860 +++++++++---------
2 files changed, 593 insertions(+), 593 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
index aedc23df6..83690b282 100644
--- a/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
@@ -275,19 +275,19 @@ Function Write-SmartText {
if ($PSVersionTable.PSEdition -eq 'Core') {
switch ($CustomColor) {
- 'Fuchsia' { Write-Host "$($PSStyle.Foreground.FromRGB(236,68,155))$InputText$($PSStyle.Reset)"; break }
- 'Orange' { Write-Host "$($PSStyle.Foreground.FromRGB(255,165,0))$InputText$($PSStyle.Reset)"; break }
- 'NeonGreen' { Write-Host "$($PSStyle.Foreground.FromRGB(153,244,67))$InputText$($PSStyle.Reset)"; break }
- 'MintGreen' { Write-Host "$($PSStyle.Foreground.FromRGB(152,255,152))$InputText$($PSStyle.Reset)"; break }
- 'PinkBoldBlink' { Write-Host "$($PSStyle.Foreground.FromRgb(255,192,203))$($PSStyle.Bold)$($PSStyle.Blink)$InputText$($PSStyle.Reset)"; break }
- 'PinkBold' { Write-Host "$($PSStyle.Foreground.FromRgb(255,192,203))$($PSStyle.Bold)$($PSStyle.Reverse)$InputText$($PSStyle.Reset)"; break }
- 'Gold' { Write-Host "$($PSStyle.Foreground.FromRgb(255,215,0))$InputText$($PSStyle.Reset)"; break }
- 'VioletNoNewLine' { Write-Host "$($PSStyle.Foreground.FromRGB(153,0,255))$InputText$($PSStyle.Reset)" -NoNewline; break }
- 'PinkNoNewLine' { Write-Host "$($PSStyle.Foreground.FromRGB(255,0,230))$InputText$($PSStyle.Reset)" -NoNewline; break }
- 'Violet' { Write-Host "$($PSStyle.Foreground.FromRGB(153,0,255))$InputText$($PSStyle.Reset)"; break }
- 'Pink' { Write-Host "$($PSStyle.Foreground.FromRGB(255,0,230))$InputText$($PSStyle.Reset)"; break }
- 'LavenderNoNewLine' { Write-Host "$($PSStyle.Foreground.FromRgb(255,179,255))$InputText$($PSStyle.Reset)" -NoNewline; break }
- 'TeaGreenNoNewLine' { Write-Host "$($PSStyle.Foreground.FromRgb(133, 222, 119))$InputText$($PSStyle.Reset)" -NoNewline; break }
+ 'Fuchsia' { Write-Host -Object "$($PSStyle.Foreground.FromRGB(236,68,155))$InputText$($PSStyle.Reset)"; break }
+ 'Orange' { Write-Host -Object "$($PSStyle.Foreground.FromRGB(255,165,0))$InputText$($PSStyle.Reset)"; break }
+ 'NeonGreen' { Write-Host -Object "$($PSStyle.Foreground.FromRGB(153,244,67))$InputText$($PSStyle.Reset)"; break }
+ 'MintGreen' { Write-Host -Object "$($PSStyle.Foreground.FromRGB(152,255,152))$InputText$($PSStyle.Reset)"; break }
+ 'PinkBoldBlink' { Write-Host -Object "$($PSStyle.Foreground.FromRgb(255,192,203))$($PSStyle.Bold)$($PSStyle.Blink)$InputText$($PSStyle.Reset)"; break }
+ 'PinkBold' { Write-Host -Object "$($PSStyle.Foreground.FromRgb(255,192,203))$($PSStyle.Bold)$($PSStyle.Reverse)$InputText$($PSStyle.Reset)"; break }
+ 'Gold' { Write-Host -Object "$($PSStyle.Foreground.FromRgb(255,215,0))$InputText$($PSStyle.Reset)"; break }
+ 'VioletNoNewLine' { Write-Host -Object "$($PSStyle.Foreground.FromRGB(153,0,255))$InputText$($PSStyle.Reset)" -NoNewline; break }
+ 'PinkNoNewLine' { Write-Host -Object "$($PSStyle.Foreground.FromRGB(255,0,230))$InputText$($PSStyle.Reset)" -NoNewline; break }
+ 'Violet' { Write-Host -Object "$($PSStyle.Foreground.FromRGB(153,0,255))$InputText$($PSStyle.Reset)"; break }
+ 'Pink' { Write-Host -Object "$($PSStyle.Foreground.FromRGB(255,0,230))$InputText$($PSStyle.Reset)"; break }
+ 'LavenderNoNewLine' { Write-Host -Object "$($PSStyle.Foreground.FromRgb(255,179,255))$InputText$($PSStyle.Reset)" -NoNewline; break }
+ 'TeaGreenNoNewLine' { Write-Host -Object "$($PSStyle.Foreground.FromRgb(133, 222, 119))$InputText$($PSStyle.Reset)" -NoNewline; break }
'Rainbow' {
[System.Object[]]$Colors = @(
[System.Drawing.Color]::Pink,
@@ -307,7 +307,7 @@ Function Write-SmartText {
$Color = $Colors[$I % $Colors.Length]
$Output += "$($PSStyle.Foreground.FromRGB($Color.R, $Color.G, $Color.B))$($PSStyle.Blink)$($InputText[$I])$($PSStyle.BlinkOff)$($PSStyle.Reset)"
}
- Write-Output $Output
+ Write-Output -InputObject $Output
break
}
@@ -316,10 +316,10 @@ Function Write-SmartText {
}
else {
if ($NoNewLineLegacy) {
- Write-Host $InputText -ForegroundColor $GenericColor -NoNewline
+ Write-Host -Object $InputText -ForegroundColor $GenericColor -NoNewline
}
else {
- Write-Host $InputText -ForegroundColor $GenericColor
+ Write-Host -Object $InputText -ForegroundColor $GenericColor
}
}
@@ -331,8 +331,8 @@ function Get-AvailableRemovableDrives {
# An empty array of objects that holds the final removable drives list
[System.Object[]]$AvailableRemovableDrives = @()
- Get-Volume | Where-Object { $_.DriveLetter -and $_.DriveType -eq 'Removable' } |
- ForEach-Object {
+ Get-Volume | Where-Object -FilterScript { $_.DriveLetter -and $_.DriveType -eq 'Removable' } |
+ ForEach-Object -Process {
# Prepare to create an extremely random file name
[System.String]$Path = "$($_.DriveLetter + ':')\$(New-Guid).$(Get-Random -Maximum 400)"
@@ -366,8 +366,8 @@ function Get-AvailableRemovableDrives {
# An empty array of objects that holds the final removable drives list
[System.Object[]]$AvailableRemovableDrives = @()
- Get-Volume | Where-Object { $_.DriveLetter -and $_.DriveType -eq 'Removable' } |
- ForEach-Object {
+ Get-Volume | Where-Object -FilterScript { $_.DriveLetter -and $_.DriveType -eq 'Removable' } |
+ ForEach-Object -Process {
# Prepare to create an extremely random file name
[System.String]$ExtremelyRandomPath = "$($_.DriveLetter + ':')\$(New-Guid).$(Get-Random -Maximum 400)"
@@ -463,7 +463,7 @@ function Get-AvailableRemovableDrives {
# Write an exit option at the end of the table
Write-Host ('{0,-4}' -f "$ExitCodeRemovableDriveSelection") -NoNewline -ForegroundColor DarkRed
- Write-Host '|Skip encryptions altogether' -ForegroundColor DarkRed
+ Write-Host -Object '|Skip encryptions altogether' -ForegroundColor DarkRed
# A function to validate the user input
function Confirm-Choice {
@@ -487,12 +487,12 @@ function Get-AvailableRemovableDrives {
# Prompt the user to enter the number of the drive they want to select, or exit value to exit, until they enter a valid input
do {
# Read the user input as a string
- [System.String]$Choice = $(Write-Host "Enter the number of the drive you want to select or press $ExitCodeRemovableDriveSelection to Cancel" -ForegroundColor cyan; Read-Host)
+ [System.String]$Choice = $(Write-Host -Object "Enter the number of the drive you want to select or press $ExitCodeRemovableDriveSelection to Cancel" -ForegroundColor cyan; Read-Host)
# Check if the input is valid using the Confirm-Choice function
if (-not (Confirm-Choice $Choice)) {
# Write an error message in red if invalid
- Write-Host "Invalid input. Please enter a number between 1 and $ExitCodeRemovableDriveSelection." -ForegroundColor Red
+ Write-Host -Object "Invalid input. Please enter a number between 1 and $ExitCodeRemovableDriveSelection." -ForegroundColor Red
}
} while (-not (Confirm-Choice $Choice))
@@ -542,21 +542,21 @@ try {
# Check the current hard-coded version against the latest version online
# the messages can technically only be seen if installing the script in standalone mode using old Windows PowerShell
if ($CurrentVersion -lt $LatestVersion) {
- Write-Host "The currently installed script's version is $CurrentVersion while the latest version is $LatestVersion" -ForegroundColor Cyan
- Write-Host 'Please update your script using:' -ForegroundColor Yellow
- Write-Host "Update-Script -Name 'Harden-Windows-Security' -Force" -ForegroundColor Green
- Write-Host 'and run it again after that.' -ForegroundColor Yellow
- Write-Host 'You can view the change log on GitHub: https://github.com/HotCakeX/Harden-Windows-Security/releases' -ForegroundColor Magenta
+ Write-Host -Object "The currently installed script's version is $CurrentVersion while the latest version is $LatestVersion" -ForegroundColor Cyan
+ Write-Host -Object 'Please update your script using:' -ForegroundColor Yellow
+ Write-Host -Object "Update-Script -Name 'Harden-Windows-Security' -Force" -ForegroundColor Green
+ Write-Host -Object 'and run it again after that.' -ForegroundColor Yellow
+ Write-Host -Object 'You can view the change log on GitHub: https://github.com/HotCakeX/Harden-Windows-Security/releases' -ForegroundColor Magenta
break
}
- Write-Host "`r`n"
+ Write-Host -Object "`r`n"
Write-SmartText -CustomColor Rainbow -GenericColor Cyan -InputText "############################################################################################################`r`n"
Write-SmartText -CustomColor MintGreen -GenericColor Cyan -InputText "### Please read the Readme in the GitHub repository: https://github.com/HotCakeX/Harden-Windows-Security ###`r`n"
Write-SmartText -CustomColor Rainbow -GenericColor Cyan -InputText "############################################################################################################`r`n"
# Show a prompt to the user if they're using the old PowerShell
- if ($PSVersionTable.PSEdition -eq 'Desktop') { Write-Host "You're using old PowerShell. Please use the new PowerShell Core for much better styling and performance:`nhttps://apps.microsoft.com/detail/powershell/9MZ1SNWT0N5D" -ForegroundColor Yellow }
+ if ($PSVersionTable.PSEdition -eq 'Desktop') { Write-Host -Object "You're using old PowerShell. Please use the new PowerShell Core for much better styling and performance:`nhttps://apps.microsoft.com/detail/powershell/9MZ1SNWT0N5D" -ForegroundColor Yellow }
#region RequirementsCheck
# check if user's OS is Windows Home edition
@@ -629,7 +629,7 @@ try {
Set-Location $HOME
Remove-Item -Recurse -Path "$global:UserTempDirectoryPath\HardeningXStuff\" -Force
# Disable progress bars
- 0..6 | ForEach-Object { Write-Progress -Id $_ -Activity 'Done' -Completed }
+ 0..6 | ForEach-Object -Process { Write-Progress -Id $_ -Activity 'Done' -Completed }
exit
}
@@ -678,25 +678,25 @@ try {
# a switch for when the original URLs are failing and to provide Alt URL
switch ($Tag) {
'Security-Baselines-X' {
- Write-Host 'Using Azure DevOps for Security-Baselines-X.zip' -ForegroundColor Yellow
+ Write-Host -Object 'Using Azure DevOps for Security-Baselines-X.zip' -ForegroundColor Yellow
[System.Uri]$AltURL = 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Payload/Security-Baselines-X.zip'
$WC.DownloadFile($AltURL, $Path)
break
}
'Registry' {
- Write-Host 'Using Azure DevOps for Registry.csv' -ForegroundColor Yellow
+ Write-Host -Object 'Using Azure DevOps for Registry.csv' -ForegroundColor Yellow
[System.Uri]$AltURL = 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Payload/Registry.csv'
$WC.DownloadFile($AltURL, $Path)
break
}
'ProcessMitigations' {
- Write-Host 'Using Azure DevOps for ProcessMitigations.CSV' -ForegroundColor Yellow
+ Write-Host -Object 'Using Azure DevOps for ProcessMitigations.CSV' -ForegroundColor Yellow
[System.Uri]$AltURL = 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Payload/ProcessMitigations.csv'
$WC.DownloadFile($AltURL, $Path)
break
}
'EventViewerCustomViews' {
- Write-Host 'Using Azure DevOps for EventViewerCustomViews.zip' -ForegroundColor Yellow
+ Write-Host -Object 'Using Azure DevOps for EventViewerCustomViews.zip' -ForegroundColor Yellow
[System.Uri]$AltURL = 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Payload/EventViewerCustomViews.zip'
$WC.DownloadFile($AltURL, $Path)
break
@@ -716,7 +716,7 @@ try {
Write-Progress -Id 1 -ParentId 0 -Activity "Downloading $($file.tag)" -Status "$RequiredFilesCounter of $TotalRequiredFiles" -PercentComplete ($RequiredFilesCounter / $TotalRequiredFiles * 100)
}
# Wait until all jobs are completed
- while ($Jobs | Where-Object { $_.State -ne 'Completed' }) {
+ while ($Jobs | Where-Object -FilterScript { $_.State -ne 'Completed' }) {
Start-Sleep -Milliseconds 700
}
@@ -761,7 +761,7 @@ try {
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x30 /f
- Write-Host 'The required security measures have been applied to the system' -ForegroundColor Green
+ Write-Host -Object 'The required security measures have been applied to the system' -ForegroundColor Green
Write-Warning 'Make sure to restart your device once. After restart, wait for at least 5-10 minutes and perform a 2nd restart to finish applying security measures completely.'
} 'No' { break }
'Exit' { &$CleanUp }
@@ -876,7 +876,7 @@ try {
Set-MpPreference -EnableConvertWarnToBlock $True
# Add OneDrive folders of all user accounts (personal and work accounts) to the Controlled Folder Access for Ransomware Protection
- Get-ChildItem 'C:\Users\*\OneDrive*\' -Directory | ForEach-Object { Add-MpPreference -ControlledFolderAccessProtectedFolders $_ }
+ Get-ChildItem 'C:\Users\*\OneDrive*\' -Directory | ForEach-Object -Process { Add-MpPreference -ControlledFolderAccessProtectedFolders $_ }
# Enable Mandatory ASLR Exploit Protection system-wide
Set-ProcessMitigation -System -Enable ForceRelocateImages
@@ -910,10 +910,10 @@ try {
$ProgramName = $Group.Name
# Get the list of mitigations to enable
- $EnableMitigations = $Group.Group | Where-Object { $_.Action -eq 'Enable' } | Select-Object -ExpandProperty Mitigation
+ $EnableMitigations = $Group.Group | Where-Object -FilterScript { $_.Action -eq 'Enable' } | Select-Object -ExpandProperty Mitigation
# Get the list of mitigations to disable
- $DisableMitigations = $Group.Group | Where-Object { $_.Action -eq 'Disable' } | Select-Object -ExpandProperty Mitigation
+ $DisableMitigations = $Group.Group | Where-Object -FilterScript { $_.Action -eq 'Disable' } | Select-Object -ExpandProperty Mitigation
# Call the Set-ProcessMitigation cmdlet with the lists of mitigations
if ($null -ne $EnableMitigations) {
@@ -1114,11 +1114,11 @@ try {
# Enables or disables DMA protection from Bitlocker Countermeasures based on the status of Kernel DMA protection.
if ($BootDMAProtection) {
- Write-Host 'Kernel DMA protection is enabled on the system, disabling Bitlocker DMA protection.' -ForegroundColor Blue
+ Write-Host -Object 'Kernel DMA protection is enabled on the system, disabling Bitlocker DMA protection.' -ForegroundColor Blue
.\LGPO.exe /q /m '..\Security-Baselines-X\Overrides for Microsoft Security Baseline\Bitlocker DMA\Bitlocker DMA Countermeasure OFF\Registry.pol'
}
else {
- Write-Host 'Kernel DMA protection is unavailable on the system, enabling Bitlocker DMA protection.' -ForegroundColor Blue
+ Write-Host -Object 'Kernel DMA protection is unavailable on the system, enabling Bitlocker DMA protection.' -ForegroundColor Blue
.\LGPO.exe /q /m '..\Security-Baselines-X\Overrides for Microsoft Security Baseline\Bitlocker DMA\Bitlocker DMA Countermeasure ON\Registry.pol'
}
@@ -1134,8 +1134,8 @@ try {
# check make sure Bitlocker isn't in the middle of decryption/encryption operation (on System Drive)
if ((Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $env:SystemDrive).EncryptionPercentage -ne '100' -and (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $env:SystemDrive).EncryptionPercentage -ne '0') {
$EncryptionPercentageVar = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $env:SystemDrive).EncryptionPercentage
- Write-Host "`nPlease wait for Bitlocker to finish encrypting or decrypting the Operation System Drive." -ForegroundColor Yellow
- Write-Host "Drive $env:SystemDrive encryption is currently at $EncryptionPercentageVar percent." -ForegroundColor Yellow
+ Write-Host -Object "`nPlease wait for Bitlocker to finish encrypting or decrypting the Operation System Drive." -ForegroundColor Yellow
+ Write-Host -Object "Drive $env:SystemDrive encryption is currently at $EncryptionPercentageVar percent." -ForegroundColor Yellow
# break from the entire BitLocker category and continue to the next category
break BitLockerCategoryLabel
}
@@ -1151,13 +1151,13 @@ To verify that this is the correct recovery key, compare the start of the follow
Identifier:
- $(($KeyProtectorsInputFromScriptBlock | Where-Object { $_.keyprotectortype -eq 'RecoveryPassword' }).KeyProtectorId.Trim('{', '}'))
+ $(($KeyProtectorsInputFromScriptBlock | Where-Object -FilterScript { $_.keyprotectortype -eq 'RecoveryPassword' }).KeyProtectorId.Trim('{', '}'))
If the above identifier matches the one displayed by your PC, then use the following key to unlock your drive.
Recovery Key:
- $(($KeyProtectorsInputFromScriptBlock | Where-Object { $_.keyprotectortype -eq 'RecoveryPassword' }).RecoveryPassword)
+ $(($KeyProtectorsInputFromScriptBlock | Where-Object -FilterScript { $_.keyprotectortype -eq 'RecoveryPassword' }).RecoveryPassword)
If the above identifier doesn't match the one displayed by your PC, then this isn't the right key to unlock your drive.
Try another recovery key, or refer to https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview for additional assistance.
@@ -1200,7 +1200,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-SmartText -C MintGreen -G Green -I 'Bitlocker is already enabled for the OS drive with Normal security level.'
Write-SmartText -C Fuchsia -GenericColor Magenta -I 'Here is your 48-digits recovery password for the OS drive in case you were looking for it:'
- Write-SmartText -C Rainbow -GenericColor Yellow -I "$(($KeyProtectorsOSDrive | Where-Object { $_.keyprotectortype -eq 'RecoveryPassword' }).RecoveryPassword)"
+ Write-SmartText -C Rainbow -GenericColor Yellow -I "$(($KeyProtectorsOSDrive | Where-Object -FilterScript { $_.keyprotectortype -eq 'RecoveryPassword' }).RecoveryPassword)"
}
else {
@@ -1210,7 +1210,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
[System.String]$BitLockerMsg = "`nThe recovery password is missing, adding it now... `n" +
"It will be saved in a text file in '$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt'"
- Write-Host $BitLockerMsg -ForegroundColor Yellow
+ Write-Host -Object $BitLockerMsg -ForegroundColor Yellow
# Add RecoveryPasswordProtector key protector to the OS drive
Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector *> $null
@@ -1226,7 +1226,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# If the OS Drive doesn't have (TPM + PIN) key protector
if ($KeyProtectorTypesOSDrive -notcontains 'Tpmpin') {
- Write-Host "`nTPM and Start up PIN are missing, adding them now..." -ForegroundColor Cyan
+ Write-Host -Object "`nTPM and Start up PIN are missing, adding them now..." -ForegroundColor Cyan
do {
[securestring]$Pin1 = $(Write-SmartText -C PinkBold -G Magenta -I "`nEnter a Pin for Bitlocker startup (between 10 to 20 characters)"; Read-Host -AsSecureString)
@@ -1238,7 +1238,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
if ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) ) {
[securestring]$Pin = $Pin1
}
- else { Write-Host 'Please ensure that the PINs you entered match, and that they are between 10 to 20 characters.' -ForegroundColor red }
+ else { Write-Host -Object 'Please ensure that the PINs you entered match, and that they are between 10 to 20 characters.' -ForegroundColor red }
}
# Repeat this process until the entered PINs match and they are at least 10 characters long, max 20 characters
until ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) )
@@ -1249,7 +1249,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-SmartText -C MintGreen -G Green -I "`nPINs matched, enabling TPM and startup PIN now`n"
}
catch {
- Write-Host 'These errors occured, run Bitlocker category again after meeting the requirements' -ForegroundColor Red
+ Write-Host -Object 'These errors occured, run Bitlocker category again after meeting the requirements' -ForegroundColor Red
$_
break BitLockerCategoryLabel
}
@@ -1260,7 +1260,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Backup the recovery code of the OS drive in a file just in case - This is for when the disk is automatically encrypted and using TPM + Recovery code by default
New-Item -Path "$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt" -Value $(&$RecoveryPasswordContentGenerator $KeyProtectorsOSDrive) -ItemType File -Force | Out-Null
- Write-Host "The recovery password was backed up in a text file in '$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt'" -ForegroundColor Cyan
+ Write-Host -Object "The recovery password was backed up in a text file in '$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt'" -ForegroundColor Cyan
}
}
@@ -1268,7 +1268,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Do this if Bitlocker is not enabled for the OS drive at all
else {
- Write-Host "`nBitlocker is not enabled for the OS Drive, activating it now..." -ForegroundColor Yellow
+ Write-Host -Object "`nBitlocker is not enabled for the OS Drive, activating it now..." -ForegroundColor Yellow
do {
[securestring]$Pin1 = $(Write-SmartText -C PinkBold -G Magenta -I 'Enter a Pin for Bitlocker startup (between 10 to 20 characters)'; Read-Host -AsSecureString)
[securestring]$Pin2 = $(Write-SmartText -C PinkBold -G Magenta -I 'Confirm your Bitlocker Startup Pin (between 10 to 20 characters)'; Read-Host -AsSecureString)
@@ -1278,7 +1278,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
if ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) ) {
[securestring]$Pin = $Pin1
}
- else { Write-Host 'Please ensure that the PINs you entered match, and that they are between 10 to 20 characters.' -ForegroundColor red }
+ else { Write-Host -Object 'Please ensure that the PINs you entered match, and that they are between 10 to 20 characters.' -ForegroundColor red }
}
until ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) )
@@ -1287,7 +1287,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod 'XtsAes256' -Pin $Pin -TpmAndPinProtector -SkipHardwareTest -ErrorAction Stop *> $null
}
catch {
- Write-Host 'These errors occured, run Bitlocker category again after meeting the requirements' -ForegroundColor Red
+ Write-Host -Object 'These errors occured, run Bitlocker category again after meeting the requirements' -ForegroundColor Red
$_
break BitLockerCategoryLabel
}
@@ -1303,7 +1303,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Resume-BitLocker -MountPoint $env:SystemDrive | Out-Null
Write-SmartText -C MintGreen -G Green -I "`nBitlocker is now enabled for the OS drive with Normal security level."
- Write-Host "The recovery password will be saved in a text file in '$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt'" -ForegroundColor Cyan
+ Write-Host -Object "The recovery password will be saved in a text file in '$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt'" -ForegroundColor Cyan
}
}
@@ -1331,7 +1331,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-SmartText -C MintGreen -G Green -I 'Bitlocker is already enabled for the OS drive with Enhanced security level.'
Write-SmartText -C Fuchsia -GenericColor Magenta -I 'Here is your 48-digits recovery password for the OS drive in case you were looking for it:'
- Write-SmartText -C Rainbow -GenericColor Yellow -I "$(($KeyProtectorsOSDrive | Where-Object { $_.keyprotectortype -eq 'RecoveryPassword' }).RecoveryPassword)"
+ Write-SmartText -C Rainbow -GenericColor Yellow -I "$(($KeyProtectorsOSDrive | Where-Object -FilterScript { $_.keyprotectortype -eq 'RecoveryPassword' }).RecoveryPassword)"
}
else {
@@ -1341,7 +1341,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
[System.String]$BitLockerMsg = "`nThe recovery password is missing, adding it now... `n" +
"It will be saved in a text file in '$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt'"
- Write-Host $BitLockerMsg -ForegroundColor Yellow
+ Write-Host -Object $BitLockerMsg -ForegroundColor Yellow
# Add RecoveryPasswordProtector key protector to the OS drive
Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector *> $null
@@ -1364,8 +1364,8 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
if ($KeyProtectorTypesOSDrive -contains 'ExternalKey') {
(Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $env:SystemDrive).KeyProtector |
- Where-Object { $_.keyprotectortype -eq 'ExternalKey' } |
- ForEach-Object { Remove-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $_.KeyProtectorId | Out-Null }
+ Where-Object -FilterScript { $_.keyprotectortype -eq 'ExternalKey' } |
+ ForEach-Object -Process { Remove-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $_.KeyProtectorId | Out-Null }
}
@@ -1379,7 +1379,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
if ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) ) {
[securestring]$Pin = $Pin1
}
- else { Write-Host 'Please ensure that the PINs you entered match, and that they are between 10 to 20 characters.' -ForegroundColor red }
+ else { Write-Host -Object 'Please ensure that the PINs you entered match, and that they are between 10 to 20 characters.' -ForegroundColor red }
}
# Repeat this process until the entered PINs match and they are at least 10 characters long, max 20 characters
until ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) )
@@ -1391,7 +1391,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmAndPinAndStartupKeyProtector -StartupKeyPath (Get-AvailableRemovableDrives) -Pin $Pin -ErrorAction Stop | Out-Null
}
catch {
- Write-Host 'There was a problem adding Startup Key to the removable drive, try ejecting and reinserting the flash drive into your device and run this category again.' -ForegroundColor Red
+ Write-Host -Object 'There was a problem adding Startup Key to the removable drive, try ejecting and reinserting the flash drive into your device and run this category again.' -ForegroundColor Red
$_
break BitLockerCategoryLabel
}
@@ -1402,7 +1402,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Backup the recovery code of the OS drive in a file just in case - This is for when the disk is automatically encrypted and using TPM + Recovery code by default
New-Item -Path "$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt" -Value $(&$RecoveryPasswordContentGenerator $KeyProtectorsOSDrive) -ItemType File -Force | Out-Null
- Write-Host "The recovery password was backed up in a text file in '$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt'" -ForegroundColor Cyan
+ Write-Host -Object "The recovery password was backed up in a text file in '$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt'" -ForegroundColor Cyan
}
}
@@ -1410,7 +1410,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Do this if Bitlocker is not enabled for the OS drive at all
else {
- Write-Host "`nBitlocker is not enabled for the OS Drive, activating it now..." -ForegroundColor Yellow
+ Write-Host -Object "`nBitlocker is not enabled for the OS Drive, activating it now..." -ForegroundColor Yellow
do {
[securestring]$Pin1 = $(Write-SmartText -C PinkBold -G Magenta -I "`nEnter a Pin for Bitlocker startup (between 10 to 20 characters)"; Read-Host -AsSecureString)
@@ -1422,7 +1422,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
if ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) ) {
[securestring]$Pin = $Pin1
}
- else { Write-Host 'Please ensure that the PINs you entered match, and that they are between 10 to 20 characters.' -ForegroundColor red }
+ else { Write-Host -Object 'Please ensure that the PINs you entered match, and that they are between 10 to 20 characters.' -ForegroundColor red }
}
# Repeat this process until the entered PINs match and they are at least 10 characters long, max 20 characters
until ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) )
@@ -1434,7 +1434,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod 'XtsAes256' -TpmAndPinAndStartupKeyProtector -StartupKeyPath (Get-AvailableRemovableDrives) -Pin $Pin -SkipHardwareTest -ErrorAction Stop *> $null
}
catch {
- Write-Host 'There was a problem adding Startup Key to the removable drive, try ejecting and reinserting the flash drive into your device and run this category again.' -ForegroundColor Red
+ Write-Host -Object 'There was a problem adding Startup Key to the removable drive, try ejecting and reinserting the flash drive into your device and run this category again.' -ForegroundColor Red
$_
break BitLockerCategoryLabel
}
@@ -1451,7 +1451,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Resume-BitLocker -MountPoint $env:SystemDrive | Out-Null
Write-SmartText -C MintGreen -G Green -I "`nBitlocker is now enabled for the OS drive with Enhanced security level."
- Write-Host "The recovery password will be saved in a text file in '$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt'" -ForegroundColor Cyan
+ Write-Host -Object "The recovery password will be saved in a text file in '$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt'" -ForegroundColor Cyan
}
}
'Skip encryptions altogether' { break BitLockerCategoryLabel } # Exit the entire BitLocker category, only
@@ -1489,12 +1489,12 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Using -ErrorAction SilentlyContinue because after running the Microsoft Security baseline category, if there is a flash drive attached to the device, you "might" see this error: Device Id: \\?\Volume{83196d59-0000-0000-0000-107d00000000}\ does not have a corresponding volume.
# It only suppresses Non-terminating errors
[System.Object[]]$NonOSBitLockerVolumes = Get-BitLockerVolume -ErrorAction SilentlyContinue |
- Where-Object { $_.volumeType -ne 'OperatingSystem' }
+ Where-Object -FilterScript { $_.volumeType -ne 'OperatingSystem' }
# Get all the volumes and filter out removable ones
[System.Object[]]$RemovableVolumes = Get-Volume |
- Where-Object { $_.DriveType -eq 'Removable' } |
- Where-Object { $_.DriveLetter }
+ Where-Object -FilterScript { $_.DriveType -eq 'Removable' } |
+ Where-Object -FilterScript { $_.DriveLetter }
# Check if there is any removable volumes
if ($RemovableVolumes) {
@@ -1506,7 +1506,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Filter out removable drives from BitLocker volumes to process
$NonOSBitLockerVolumes = $NonOSBitLockerVolumes |
- Where-Object { ($_.MountPoint -notin $RemovableVolumesLetters) }
+ Where-Object -FilterScript { ($_.MountPoint -notin $RemovableVolumesLetters) }
}
#endregion Non-OS-BitLocker-Drives-Detection
@@ -1525,13 +1525,13 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
if ((Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).EncryptionPercentage -ne '100' -and (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).EncryptionPercentage -ne '0') {
# Check if the drive isn't already encrypted and locked
if ((Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).lockstatus -eq 'Locked') {
- Write-Host "`nThe drive $MountPoint is already encrypted and locked." -ForegroundColor Magenta
+ Write-Host -Object "`nThe drive $MountPoint is already encrypted and locked." -ForegroundColor Magenta
break
}
else {
$EncryptionPercentageVar = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).EncryptionPercentage
- Write-Host "`nPlease wait for Bitlocker to finish encrypting or decrypting drive $MountPoint" -ForegroundColor Magenta
- Write-Host "Drive $MountPoint encryption is currently at $EncryptionPercentageVar percent." -ForegroundColor Magenta
+ Write-Host -Object "`nPlease wait for Bitlocker to finish encrypting or decrypting drive $MountPoint" -ForegroundColor Magenta
+ Write-Host -Object "Drive $MountPoint encryption is currently at $EncryptionPercentageVar percent." -ForegroundColor Magenta
break
}
}
@@ -1557,8 +1557,8 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Additional Check 1: if there are more than 1 ExternalKey key protector, try delete all of them and add a new one
# The external key protector that is being used to unlock the drive will not be deleted
((Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).KeyProtector |
- Where-Object { $_.keyprotectortype -eq 'ExternalKey' }).KeyProtectorId |
- ForEach-Object {
+ Where-Object -FilterScript { $_.keyprotectortype -eq 'ExternalKey' }).KeyProtectorId |
+ ForEach-Object -Process {
# -ErrorAction SilentlyContinue makes sure no error is thrown if the drive only has 1 External key key protector
# and it's being used to unlock the drive
Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_ -ErrorAction SilentlyContinue | Out-Null
@@ -1569,17 +1569,17 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Additional Check 2: if there are more than 1 Recovery Password, delete all of them and add a new one
[System.String[]]$RecoveryPasswordKeyProtectors = ((Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).KeyProtector |
- Where-Object { $_.keyprotectortype -eq 'RecoveryPassword' }).KeyProtectorId
+ Where-Object -FilterScript { $_.keyprotectortype -eq 'RecoveryPassword' }).KeyProtectorId
if ($RecoveryPasswordKeyProtectors.Count -gt 1) {
[System.String]$BitLockerMsg = "`nThere are more than 1 recovery password key protector associated with the drive $mountpoint `n" +
"Removing all of them and adding a new one. `n" +
"It will be saved in a text file in '$($MountPoint)\Drive $($MountPoint.Remove(1)) recovery password.txt'"
- Write-Host $BitLockerMsg -ForegroundColor Yellow
+ Write-Host -Object $BitLockerMsg -ForegroundColor Yellow
# Remove all of the recovery password key protectors of the selected Non-OS Drive
- $RecoveryPasswordKeyProtectors | ForEach-Object {
+ $RecoveryPasswordKeyProtectors | ForEach-Object -Process {
Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_ | Out-Null
}
@@ -1600,7 +1600,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
[System.Object[]]$KeyProtectorsNonOS = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).KeyProtector
Write-SmartText -C Fuchsia -GenericColor Magenta -I "Here is your 48-digits recovery password for drive $MountPoint in case you were looking for it:"
- Write-SmartText -C Rainbow -GenericColor Yellow -I "$(($KeyProtectorsNonOS | Where-Object { $_.keyprotectortype -eq 'RecoveryPassword' }).RecoveryPassword)"
+ Write-SmartText -C Rainbow -GenericColor Yellow -I "$(($KeyProtectorsNonOS | Where-Object -FilterScript { $_.keyprotectortype -eq 'RecoveryPassword' }).RecoveryPassword)"
}
@@ -1610,8 +1610,8 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# if there are more than 1 ExternalKey key protector, try delete all of them and add a new one
# The external key protector that is being used to unlock the drive will not be deleted
((Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).KeyProtector |
- Where-Object { $_.keyprotectortype -eq 'ExternalKey' }).KeyProtectorId |
- ForEach-Object {
+ Where-Object -FilterScript { $_.keyprotectortype -eq 'ExternalKey' }).KeyProtectorId |
+ ForEach-Object -Process {
# -ErrorAction SilentlyContinue makes sure no error is thrown if the drive only has 1 External key key protector
# and it's being used to unlock the drive
Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_ -ErrorAction SilentlyContinue | Out-Null
@@ -1631,7 +1631,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
[System.String]$BitLockerMsg = "`nDrive $MountPoint is auto-unlocked but doesn't have Recovery Password, adding it now... `n" +
"It will be saved in a text file in '$($MountPoint)\Drive $($MountPoint.Remove(1)) recovery password.txt'"
- Write-Host $BitLockerMsg -ForegroundColor Cyan
+ Write-Host -Object $BitLockerMsg -ForegroundColor Cyan
}
# Check 3: If the selected drive has Recovery Password key protector but doesn't have Auto Unlock enabled
@@ -1642,17 +1642,17 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# if there are more than 1 Recovery Password, delete all of them and add a new one
[System.String[]]$RecoveryPasswordKeyProtectors = ((Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).KeyProtector |
- Where-Object { $_.keyprotectortype -eq 'RecoveryPassword' }).KeyProtectorId
+ Where-Object -FilterScript { $_.keyprotectortype -eq 'RecoveryPassword' }).KeyProtectorId
if ($RecoveryPasswordKeyProtectors.Count -gt 1) {
[System.String]$BitLockerMsg = "`nThere are more than 1 recovery password key protector associated with the drive $mountpoint `n" +
'Removing all of them and adding a new one.' +
"It will be saved in a text file in '$($MountPoint)\Drive $($MountPoint.Remove(1)) recovery password.txt'"
- Write-Host $BitLockerMsg -ForegroundColor Yellow
+ Write-Host -Object $BitLockerMsg -ForegroundColor Yellow
# Delete all Recovery Passwords because there were more than 1
- $RecoveryPasswordKeyProtectors | ForEach-Object {
+ $RecoveryPasswordKeyProtectors | ForEach-Object -Process {
Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_ | Out-Null
}
@@ -1683,7 +1683,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
New-Item -Path "$MountPoint\Drive $($MountPoint.Remove(1)) recovery password.txt" -Value $(&$RecoveryPasswordContentGenerator $KeyProtectorsNonOS) -ItemType File -Force | Out-Null
Write-SmartText -C MintGreen -G Green -I "`nBitLocker has started encrypting drive $MountPoint"
- Write-Host "Recovery password will be saved in a text file in '$($MountPoint)\Drive $($MountPoint.Remove(1)) recovery password.txt'" -ForegroundColor Cyan
+ Write-Host -Object "Recovery password will be saved in a text file in '$($MountPoint)\Drive $($MountPoint.Remove(1)) recovery password.txt'" -ForegroundColor Cyan
}
} 'No' { break }
'Exit' { &$CleanUp }
@@ -1718,7 +1718,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
'RC4 64/128', # RC4 64-bit
'RC4 128/128', # RC4 128-bit
'Triple DES 168' # 3DES 168-bit (Triple DES 168)
- ) | ForEach-Object {
+ ) | ForEach-Object -Process {
[Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $env:COMPUTERNAME).CreateSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$_") | Out-Null
}
@@ -1848,8 +1848,8 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Disables Multicast DNS (mDNS) UDP-in Firewall Rules for all 3 Firewall profiles - disables only 3 rules
Get-NetFirewallRule |
- Where-Object { $_.RuleGroup -eq '@%SystemRoot%\system32\firewallapi.dll,-37302' -and $_.Direction -eq 'inbound' } |
- ForEach-Object { Disable-NetFirewallRule -DisplayName $_.DisplayName }
+ Where-Object -FilterScript { $_.RuleGroup -eq '@%SystemRoot%\system32\firewallapi.dll,-37302' -and $_.Direction -eq 'inbound' } |
+ ForEach-Object -Process { Disable-NetFirewallRule -DisplayName $_.DisplayName }
} 'No' { break }
'Exit' { &$CleanUp }
}
@@ -1870,10 +1870,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# since PowerShell Core (only if installed from Microsoft Store) has problem with these commands, making sure the built-in PowerShell handles them
# There are Github issues for it already: https://github.com/PowerShell/PowerShell/issues/13866
- powershell.exe {
+ powershell.exe -Command {
# Disable PowerShell v2 (part 1)
- Write-Host "`nDisabling PowerShellv2 1st part" -ForegroundColor Yellow
+ Write-Host -Object "`nDisabling PowerShellv2 1st part" -ForegroundColor Yellow
if ((Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2).state -eq 'enabled') {
try {
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -NoRestart -ErrorAction Stop
@@ -1884,16 +1884,16 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host 'PowerShellv2 1st part is already disabled' -ForegroundColor Green
+ Write-Host -Object 'PowerShellv2 1st part is already disabled' -ForegroundColor Green
}
# Disable PowerShell v2 (part 2)
- Write-Host "`nDisabling PowerShellv2 2nd part" -ForegroundColor Yellow
+ Write-Host -Object "`nDisabling PowerShellv2 2nd part" -ForegroundColor Yellow
if ((Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root).state -eq 'enabled') {
try {
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart -ErrorAction Stop
# Shows the successful message only if removal process was successful
- Write-Host 'PowerShellv2 2nd part was successfully disabled' -ForegroundColor Green
+ Write-Host -Object 'PowerShellv2 2nd part was successfully disabled' -ForegroundColor Green
}
catch {
# show error
@@ -1901,16 +1901,16 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host 'PowerShellv2 2nd part is already disabled' -ForegroundColor Green
+ Write-Host -Object 'PowerShellv2 2nd part is already disabled' -ForegroundColor Green
}
# Disable Work Folders client
- Write-Host "`nDisabling Work Folders" -ForegroundColor Yellow
+ Write-Host -Object "`nDisabling Work Folders" -ForegroundColor Yellow
if ((Get-WindowsOptionalFeature -Online -FeatureName WorkFolders-Client).state -eq 'enabled') {
try {
Disable-WindowsOptionalFeature -Online -FeatureName WorkFolders-Client -NoRestart -ErrorAction Stop
# Shows the successful message only if removal process was successful
- Write-Host 'Work Folders was successfully disabled' -ForegroundColor Green
+ Write-Host -Object 'Work Folders was successfully disabled' -ForegroundColor Green
}
catch {
#show error
@@ -1918,16 +1918,16 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host 'Work Folders is already disabled' -ForegroundColor Green
+ Write-Host -Object 'Work Folders is already disabled' -ForegroundColor Green
}
# Disable Internet Printing Client
- Write-Host "`nDisabling Internet Printing Client" -ForegroundColor Yellow
+ Write-Host -Object "`nDisabling Internet Printing Client" -ForegroundColor Yellow
if ((Get-WindowsOptionalFeature -Online -FeatureName Printing-Foundation-Features).state -eq 'enabled') {
try {
Disable-WindowsOptionalFeature -Online -FeatureName Printing-Foundation-Features -NoRestart -ErrorAction Stop
# Shows the successful message only if removal process was successful
- Write-Host 'Internet Printing Client was successfully disabled' -ForegroundColor Green
+ Write-Host -Object 'Internet Printing Client was successfully disabled' -ForegroundColor Green
}
catch {
# show errors
@@ -1935,16 +1935,16 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host 'Internet Printing Client is already disabled' -ForegroundColor Green
+ Write-Host -Object 'Internet Printing Client is already disabled' -ForegroundColor Green
}
# Uninstall Windows Media Player (legacy)
- Write-Host "`nUninstalling Windows Media Player (legacy)" -ForegroundColor Yellow
- if ((Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Media.WindowsMediaPlayer*' }).state -ne 'NotPresent') {
+ Write-Host -Object "`nUninstalling Windows Media Player (legacy)" -ForegroundColor Yellow
+ if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Media.WindowsMediaPlayer*' }).state -ne 'NotPresent') {
try {
- Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Media.WindowsMediaPlayer*' } | Remove-WindowsCapability -Online -ErrorAction Stop
+ Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Media.WindowsMediaPlayer*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
- Write-Host 'Windows Media Player (legacy) has been uninstalled.' -ForegroundColor Green
+ Write-Host -Object 'Windows Media Player (legacy) has been uninstalled.' -ForegroundColor Green
}
catch {
# show error
@@ -1952,16 +1952,16 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host 'Windows Media Player (legacy) is already uninstalled.' -ForegroundColor Green
+ Write-Host -Object 'Windows Media Player (legacy) is already uninstalled.' -ForegroundColor Green
}
# Enable Microsoft Defender Application Guard
- Write-Host "`nEnabling Microsoft Defender Application Guard" -ForegroundColor Yellow
+ Write-Host -Object "`nEnabling Microsoft Defender Application Guard" -ForegroundColor Yellow
if ((Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard).state -eq 'disabled') {
try {
Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart -ErrorAction Stop
# Shows the successful message only if enablement process was successful
- Write-Host 'Microsoft Defender Application Guard was successfully enabled' -ForegroundColor Green
+ Write-Host -Object 'Microsoft Defender Application Guard was successfully enabled' -ForegroundColor Green
}
catch {
# show errors
@@ -1969,21 +1969,21 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host 'Microsoft Defender Application Guard is already enabled' -ForegroundColor Green
+ Write-Host -Object 'Microsoft Defender Application Guard is already enabled' -ForegroundColor Green
}
}
# Need to split the commands in 2 scriptblocks so we don't get "program PowerShell.exe failed to run: The filename or extension is too long" error
- powershell.exe {
+ powershell.exe -Command {
# Enable Windows Sandbox
- Write-Host "`nEnabling Windows Sandbox" -ForegroundColor Yellow
+ Write-Host -Object "`nEnabling Windows Sandbox" -ForegroundColor Yellow
if ((Get-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM).state -eq 'disabled') {
try {
Enable-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM -All -NoRestart -ErrorAction Stop
# Shows the successful message only if enablement process was successful
- Write-Host 'Windows Sandbox was successfully enabled' -ForegroundColor Green
+ Write-Host -Object 'Windows Sandbox was successfully enabled' -ForegroundColor Green
}
catch {
# show errors
@@ -1991,16 +1991,16 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host 'Windows Sandbox is already enabled' -ForegroundColor Green
+ Write-Host -Object 'Windows Sandbox is already enabled' -ForegroundColor Green
}
# Enable Hyper-V
- Write-Host "`nEnabling Hyper-V" -ForegroundColor Yellow
+ Write-Host -Object "`nEnabling Hyper-V" -ForegroundColor Yellow
if ((Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V).state -eq 'disabled') {
try {
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart -ErrorAction Stop
# Shows the successful message only if enablement process was successful
- Write-Host 'Hyper-V was successfully enabled' -ForegroundColor Green
+ Write-Host -Object 'Hyper-V was successfully enabled' -ForegroundColor Green
}
catch {
# show errors
@@ -2008,16 +2008,16 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host 'Hyper-V is already enabled' -ForegroundColor Green
+ Write-Host -Object 'Hyper-V is already enabled' -ForegroundColor Green
}
# Enable Virtual Machine Platform
- Write-Host "`nEnabling Virtual Machine Platform" -ForegroundColor Yellow
+ Write-Host -Object "`nEnabling Virtual Machine Platform" -ForegroundColor Yellow
if ((Get-WindowsOptionalFeature -Online -FeatureName VirtualMachinePlatform).state -eq 'disabled') {
try {
Enable-WindowsOptionalFeature -Online -FeatureName VirtualMachinePlatform -NoRestart -ErrorAction Stop
# Shows the successful message only if enablement process was successful
- Write-Host 'Virtual Machine Platform was successfully enabled' -ForegroundColor Green
+ Write-Host -Object 'Virtual Machine Platform was successfully enabled' -ForegroundColor Green
}
catch {
# show errors
@@ -2025,16 +2025,16 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host 'Virtual Machine Platform is already enabled' -ForegroundColor Green
+ Write-Host -Object 'Virtual Machine Platform is already enabled' -ForegroundColor Green
}
# Uninstall VBScript that is now uninstallable as an optional features since Windows 11 insider Dev build 25309 - Won't do anything in other builds
- if (Get-WindowsCapability -Online | Where-Object { $_.Name -like '*VBSCRIPT*' }) {
+ if (Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*VBSCRIPT*' }) {
try {
- Write-Host "`nUninstalling VBSCRIPT" -ForegroundColor Yellow
- Get-WindowsCapability -Online | Where-Object { $_.Name -like '*VBSCRIPT*' } | Remove-WindowsCapability -Online -ErrorAction Stop
+ Write-Host -Object "`nUninstalling VBSCRIPT" -ForegroundColor Yellow
+ Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*VBSCRIPT*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
- Write-Host 'VBSCRIPT has been uninstalled' -ForegroundColor Green
+ Write-Host -Object 'VBSCRIPT has been uninstalled' -ForegroundColor Green
}
catch {
# show errors
@@ -2043,12 +2043,12 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
# Uninstall Internet Explorer mode functionality for Edge
- Write-Host "`nUninstalling Internet Explorer mode functionality for Edge" -ForegroundColor Yellow
- if ((Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Browser.InternetExplorer*' }).state -ne 'NotPresent') {
+ Write-Host -Object "`nUninstalling Internet Explorer mode functionality for Edge" -ForegroundColor Yellow
+ if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Browser.InternetExplorer*' }).state -ne 'NotPresent') {
try {
- Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Browser.InternetExplorer*' } | Remove-WindowsCapability -Online -ErrorAction Stop
+ Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Browser.InternetExplorer*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
- Write-Host 'Internet Explorer mode functionality for Edge has been uninstalled' -ForegroundColor Green
+ Write-Host -Object 'Internet Explorer mode functionality for Edge has been uninstalled' -ForegroundColor Green
}
catch {
# show errors
@@ -2056,16 +2056,16 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host 'Internet Explorer mode functionality for Edge is already uninstalled.' -ForegroundColor Green
+ Write-Host -Object 'Internet Explorer mode functionality for Edge is already uninstalled.' -ForegroundColor Green
}
# Uninstall WMIC
- Write-Host "`nUninstalling WMIC" -ForegroundColor Yellow
- if ((Get-WindowsCapability -Online | Where-Object { $_.Name -like '*wmic*' }).state -ne 'NotPresent') {
+ Write-Host -Object "`nUninstalling WMIC" -ForegroundColor Yellow
+ if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*wmic*' }).state -ne 'NotPresent') {
try {
- Get-WindowsCapability -Online | Where-Object { $_.Name -like '*wmic*' } | Remove-WindowsCapability -Online -ErrorAction Stop
+ Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*wmic*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
- Write-Host 'WMIC has been uninstalled' -ForegroundColor Green
+ Write-Host -Object 'WMIC has been uninstalled' -ForegroundColor Green
}
catch {
# show error
@@ -2073,16 +2073,16 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host 'WMIC is already uninstalled.' -ForegroundColor Green
+ Write-Host -Object 'WMIC is already uninstalled.' -ForegroundColor Green
}
# Uninstall Legacy Notepad
- Write-Host "`nUninstalling Legacy Notepad" -ForegroundColor Yellow
- if ((Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Microsoft.Windows.Notepad.System*' }).state -ne 'NotPresent') {
+ Write-Host -Object "`nUninstalling Legacy Notepad" -ForegroundColor Yellow
+ if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Microsoft.Windows.Notepad.System*' }).state -ne 'NotPresent') {
try {
- Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Microsoft.Windows.Notepad.System*' } | Remove-WindowsCapability -Online -ErrorAction Stop
+ Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Microsoft.Windows.Notepad.System*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
- Write-Host 'Legacy Notepad has been uninstalled. The modern multi-tabbed Notepad is unaffected.' -ForegroundColor Green
+ Write-Host -Object 'Legacy Notepad has been uninstalled. The modern multi-tabbed Notepad is unaffected.' -ForegroundColor Green
}
catch {
# show error
@@ -2090,16 +2090,16 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host 'Legacy Notepad is already uninstalled.' -ForegroundColor Green
+ Write-Host -Object 'Legacy Notepad is already uninstalled.' -ForegroundColor Green
}
# Uninstall WordPad
- Write-Host "`nUninstalling WordPad" -ForegroundColor Yellow
- if ((Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Microsoft.Windows.WordPad*' }).state -ne 'NotPresent') {
+ Write-Host -Object "`nUninstalling WordPad" -ForegroundColor Yellow
+ if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Microsoft.Windows.WordPad*' }).state -ne 'NotPresent') {
try {
- Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Microsoft.Windows.WordPad*' } | Remove-WindowsCapability -Online -ErrorAction Stop
+ Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Microsoft.Windows.WordPad*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
- Write-Host 'WordPad has been uninstalled.' -ForegroundColor Green
+ Write-Host -Object 'WordPad has been uninstalled.' -ForegroundColor Green
}
catch {
# show error
@@ -2107,16 +2107,16 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host 'WordPad is already uninstalled.' -ForegroundColor Green
+ Write-Host -Object 'WordPad is already uninstalled.' -ForegroundColor Green
}
# Uninstall PowerShell ISE
- Write-Host "`nUninstalling PowerShell ISE" -ForegroundColor Yellow
- if ((Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Microsoft.Windows.PowerShell.ISE*' }).state -ne 'NotPresent') {
+ Write-Host -Object "`nUninstalling PowerShell ISE" -ForegroundColor Yellow
+ if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Microsoft.Windows.PowerShell.ISE*' }).state -ne 'NotPresent') {
try {
- Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Microsoft.Windows.PowerShell.ISE*' } | Remove-WindowsCapability -Online -ErrorAction Stop
+ Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Microsoft.Windows.PowerShell.ISE*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
- Write-Host 'PowerShell ISE has been uninstalled.' -ForegroundColor Green
+ Write-Host -Object 'PowerShell ISE has been uninstalled.' -ForegroundColor Green
}
catch {
# show error
@@ -2124,19 +2124,19 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host 'PowerShell ISE is already uninstalled.' -ForegroundColor Green
+ Write-Host -Object 'PowerShell ISE is already uninstalled.' -ForegroundColor Green
}
}
- powershell.exe {
+ powershell.exe -Command {
# Uninstall Steps Recorder
- Write-Host "`nUninstalling Steps Recorder" -ForegroundColor Yellow
- if ((Get-WindowsCapability -Online | Where-Object { $_.Name -like '*App.StepsRecorder*' }).state -ne 'NotPresent') {
+ Write-Host -Object "`nUninstalling Steps Recorder" -ForegroundColor Yellow
+ if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*App.StepsRecorder*' }).state -ne 'NotPresent') {
try {
- Get-WindowsCapability -Online | Where-Object { $_.Name -like '*App.StepsRecorder*' } | Remove-WindowsCapability -Online -ErrorAction Stop
+ Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*App.StepsRecorder*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
- Write-Host 'Steps Recorder has been uninstalled.' -ForegroundColor Green
+ Write-Host -Object 'Steps Recorder has been uninstalled.' -ForegroundColor Green
}
catch {
# show error
@@ -2144,7 +2144,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host 'Steps Recorder is already uninstalled.' -ForegroundColor Green
+ Write-Host -Object 'Steps Recorder is already uninstalled.' -ForegroundColor Green
}
}
@@ -2214,7 +2214,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
# Allow all Windows users to use Hyper-V and Windows Sandbox by adding all Windows users to the "Hyper-V Administrators" security group using its SID
- Get-LocalUser | Where-Object { $_.enabled -eq 'True' } | ForEach-Object { Add-LocalGroupMember -SID 'S-1-5-32-578' -Member "$($_.SID)" -ErrorAction SilentlyContinue }
+ Get-LocalUser | Where-Object -FilterScript { $_.enabled -eq 'True' } | ForEach-Object -Process { Add-LocalGroupMember -SID 'S-1-5-32-578' -Member "$($_.SID)" -ErrorAction SilentlyContinue }
# Makes sure auditing for the "Other Logon/Logoff Events" subcategory under the Logon/Logoff category is enabled, doesn't touch affect any other sub-category
# For tracking Lock screen unlocks and locks
@@ -2309,13 +2309,13 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
catch {
- Write-Host "sigcheck64.exe couldn't be downloaded from https://live.sysinternals.com" -ForegroundColor Red
+ Write-Host -Object "sigcheck64.exe couldn't be downloaded from https://live.sysinternals.com" -ForegroundColor Red
break
}
- Write-Host -NoNewline "`nListing valid certificates not rooted to the Microsoft Certificate Trust List in the" -ForegroundColor Yellow; Write-Host " User store`n" -ForegroundColor cyan
+ Write-Host -NoNewline "`nListing valid certificates not rooted to the Microsoft Certificate Trust List in the" -ForegroundColor Yellow; Write-Host -Object " User store`n" -ForegroundColor cyan
.\sigcheck64.exe -tuv -accepteula -nobanner
- Write-Host -NoNewline "`nListing valid certificates not rooted to the Microsoft Certificate Trust List in the" -ForegroundColor Yellow; Write-Host " Machine Store`n" -ForegroundColor Blue
+ Write-Host -NoNewline "`nListing valid certificates not rooted to the Microsoft Certificate Trust List in the" -ForegroundColor Yellow; Write-Host -Object " Machine Store`n" -ForegroundColor Blue
.\sigcheck64.exe -tv -accepteula -nobanner
Remove-Item -Path .\sigcheck64.exe -Force
} 'No' { break }
@@ -2348,7 +2348,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# makes sure the list isn't empty
if ($IPList.count -eq 0) {
- Write-Host "The IP list was empty, skipping $ListName" -ForegroundColor Yellow
+ Write-Host -Object "The IP list was empty, skipping $ListName" -ForegroundColor Yellow
break
}
@@ -2401,7 +2401,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Payload/Registry.csv' -OutFile '.\Registry.csv' -ErrorAction Stop
}
catch {
- Write-Host 'Using Azure DevOps...' -ForegroundColor Yellow
+ Write-Host -Object 'Using Azure DevOps...' -ForegroundColor Yellow
Invoke-WebRequest -Uri 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Payload/Registry.csv' -OutFile '.\Registry.csv' -ErrorAction Stop
}
}
@@ -2414,7 +2414,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Only suggest restarting the device if Admin related categories were run
if (Test-IsAdmin) {
- Write-Host "`r`n"
+ Write-Host -Object "`r`n"
Write-SmartText -C Rainbow -G Cyan -I "################################################################################################`r`n"
Write-SmartText -C MintGreen -G Cyan -I "### Please Restart your device to completely apply the security measures and Group Policies ###`r`n"
Write-SmartText -C Rainbow -G Cyan -I "################################################################################################`r`n"
@@ -2444,7 +2444,7 @@ finally {
Set-Location $HOME; Remove-Item -Recurse -Path "$global:UserTempDirectoryPath\HardeningXStuff\" -Force -ErrorAction SilentlyContinue
# Disable progress bars
- 0..6 | ForEach-Object { Write-Progress -Id $_ -Activity 'Done' -Completed }
+ 0..6 | ForEach-Object -Process { Write-Progress -Id $_ -Activity 'Done' -Completed }
# Restore the title of the PowerShell back to what it was prior to running the script/module
$Host.UI.RawUI.WindowTitle = $CurrentPowerShellTitle
diff --git a/Harden-Windows-Security.ps1 b/Harden-Windows-Security.ps1
index 9ce3ed16a..cf807a575 100644
--- a/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security.ps1
@@ -18,17 +18,17 @@
.ICONURI https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/PowerShellGalleryICONURI.png
-.EXTERNALMODULEDEPENDENCIES
+.EXTERNALMODULEDEPENDENCIES
-.REQUIREDSCRIPTS
+.REQUIREDSCRIPTS
-.EXTERNALSCRIPTDEPENDENCIES
+.EXTERNALSCRIPTDEPENDENCIES
.RELEASENOTES
#>
-<#
+<#
.SYNOPSIS
Harden Windows Safely, Securely, only with Official Microsoft methods
@@ -38,7 +38,7 @@
⭕ You need to read the GitHub's readme page before running this: https://github.com/HotCakeX/Harden-Windows-Security
⭕ This script is only for users that use the old PowerShell 5.1. It's highly recommended to use new PowerShell versions and the new Harden Windows Security Module that offers hardening + Auditing + Undoing hardening: https://www.powershellgallery.com/packages/Harden-Windows-Security-Module/
-
+
💠 Features of this Hardening script:
✅ Everything always stays up-to-date with the newest proactive security measures that are industry standards and scalable.
@@ -78,9 +78,9 @@
🏴 If you have any questions, requests, suggestions etc. about this script, please open a new Discussion or Issue on GitHub
-.EXAMPLE
+.EXAMPLE
-.NOTES
+.NOTES
Check out GitHub page for security recommendations: https://github.com/HotCakeX/Harden-Windows-Security
@@ -125,7 +125,7 @@ function Select-Option {
while ($null -eq $Selected) {
# Use this style if showing main categories only
- if (!$SubCategory) {
+ if (!$SubCategory) {
Write-SmartText -C Fuchsia -G Magenta -I $Message
}
# Use this style if showing sub-categories only that need additional confirmation
@@ -138,7 +138,7 @@ function Select-Option {
}
}
- for ($I = 0; $I -lt $Options.Length; $I++) {
+ for ($I = 0; $I -lt $Options.Length; $I++) {
Write-SmartText -C MintGreen -G White -I "$($I+1): $($Options[$I])"
}
@@ -146,16 +146,16 @@ function Select-Option {
[System.Int64]$SelectedIndex = 0
$IsValid = [System.Int64]::TryParse((Read-Host 'Select an option'), [ref]$SelectedIndex)
if ($IsValid) {
- if ($SelectedIndex -gt 0 -and $SelectedIndex -le $Options.Length) {
- $Selected = $Options[$SelectedIndex - 1]
+ if ($SelectedIndex -gt 0 -and $SelectedIndex -le $Options.Length) {
+ $Selected = $Options[$SelectedIndex - 1]
}
- else {
+ else {
Write-Warning -Message 'Invalid Option.'
}
}
else {
Write-Warning -Message 'Invalid input. Please only enter a positive number.'
- }
+ }
}
return $Selected
}
@@ -269,8 +269,8 @@ Function Write-SmartText {
[parameter(Mandatory = $false)]
[Alias('N')]
[System.Management.Automation.SwitchParameter]$NoNewLineLegacy # Only used with Legacy colors to write them on the same line, used by the function that gets the removable drives for BitLocker Enhanced security level encryption
- )
-
+ )
+
# Determining if PowerShell edition is Core to use modern styling
if ($PSVersionTable.PSEdition -eq 'Core') {
@@ -295,13 +295,13 @@ Function Write-SmartText {
[System.Drawing.Color]::SkyBlue,
[System.Drawing.Color]::HotPink,
[System.Drawing.Color]::SkyBlue,
- [System.Drawing.Color]::LightSkyBlue,
+ [System.Drawing.Color]::LightSkyBlue,
[System.Drawing.Color]::LightGreen,
[System.Drawing.Color]::Coral,
[System.Drawing.Color]::Plum,
[System.Drawing.Color]::Gold
)
-
+
[System.String]$Output = ''
for ($I = 0; $I -lt $InputText.Length; $I++) {
$Color = $Colors[$I % $Colors.Length]
@@ -322,12 +322,12 @@ Function Write-SmartText {
Write-Host -Object $InputText -ForegroundColor $GenericColor
}
}
-
+
}
# Function to get a removable drive to be used by BitLocker category
-function Get-AvailableRemovableDrives {
-
+function Get-AvailableRemovableDrives {
+
# An empty array of objects that holds the final removable drives list
[System.Object[]]$AvailableRemovableDrives = @()
@@ -357,12 +357,12 @@ function Get-AvailableRemovableDrives {
Select-Object DriveLetter, FileSystemType, DriveType, @{Name = 'Size'; Expression = { '{0:N2}' -f ($_.Size / 1GB) + ' GB' } }
}
-
+
if (!$AvailableRemovableDrives) {
do {
switch (Select-Option -Options 'Check for removable flash drives again', 'Skip encryptions altogether', 'Exit' -Message "`nNo removable writable flash drives found. Please insert a USB flash drive. If it's already attached to the system, try ejecting it and inserting it back in.") {
'Check for removable flash drives again' {
-
+
# An empty array of objects that holds the final removable drives list
[System.Object[]]$AvailableRemovableDrives = @()
@@ -392,7 +392,7 @@ function Get-AvailableRemovableDrives {
Select-Object DriveLetter, FileSystemType, DriveType, @{Name = 'Size'; Expression = { '{0:N2}' -f ($_.Size / 1GB) + ' GB' } }
}
-
+
}
'Skip encryptions altogether' { break BitLockerCategoryLabel } # Breaks from the BitLocker category and won't process Non-OS Drives
'Exit' { &$CleanUp }
@@ -406,7 +406,7 @@ function Get-AvailableRemovableDrives {
[System.Int64]$FileSystemTypeLength = 13
[System.Int64]$DriveTypeLength = 8
[System.Int64]$SizeLength = 3
-
+
# Loop through each element in the array
foreach ($drive in $AvailableRemovableDrives) {
# Compare the length of the current element with the maximum length and update if needed
@@ -422,16 +422,16 @@ function Get-AvailableRemovableDrives {
if (($drive.Size | Measure-Object -Character).Characters -gt $SizeLength) {
# The method below is used to calculate size of the string that consists only number, but since it now has "GB" in it, it's no longer needed
# $SizeLength = ($drive.Size | Measure-Object -Character).Characters
- $SizeLength = $drive.Size.Length
+ $SizeLength = $drive.Size.Length
}
}
-
+
# Add 3 to each maximum length for spacing
$DriveLetterLength += 3
$FileSystemTypeLength += 3
$DriveTypeLength += 3
$SizeLength += 3
-
+
# Creating a heading for the columns
# Write the index of the drive
Write-SmartText -C LavenderNoNewLine -G Blue -N -I ('{0,-4}' -f '#')
@@ -442,7 +442,7 @@ function Get-AvailableRemovableDrives {
# Write the Drive Type of the drive
Write-SmartText -C VioletNoNewLine -G Green -N -I ("|{0,-$DriveTypeLength}" -f 'DriveType')
# Write the Size of the drive
- Write-SmartText -C Gold -G Cyan ("|{0,-$SizeLength}" -f 'Size')
+ Write-SmartText -C Gold -G Cyan ("|{0,-$SizeLength}" -f 'Size')
# Loop through the drives and display them in a table with colors
for ($I = 0; $I -lt $AvailableRemovableDrives.Count; $I++) {
@@ -477,24 +477,24 @@ function Get-AvailableRemovableDrives {
if ([System.Int64]::TryParse($Choice, [ref]$ParsedChoice)) {
if ($ParsedChoice -in 1..$ExitCodeRemovableDriveSelection) {
$IsValid = $true
- break
+ break
}
}
# Return the flag value
return $IsValid
}
-
+
# Prompt the user to enter the number of the drive they want to select, or exit value to exit, until they enter a valid input
do {
# Read the user input as a string
[System.String]$Choice = $(Write-Host -Object "Enter the number of the drive you want to select or press $ExitCodeRemovableDriveSelection to Cancel" -ForegroundColor cyan; Read-Host)
-
+
# Check if the input is valid using the Confirm-Choice function
if (-not (Confirm-Choice $Choice)) {
# Write an error message in red if invalid
Write-Host -Object "Invalid input. Please enter a number between 1 and $ExitCodeRemovableDriveSelection." -ForegroundColor Red
}
- } while (-not (Confirm-Choice $Choice))
+ } while (-not (Confirm-Choice $Choice))
# Check if the user entered the exit value to break out of the loop
if ($Choice -eq $ExitCodeRemovableDriveSelection) {
@@ -503,7 +503,7 @@ function Get-AvailableRemovableDrives {
else {
# Get the selected drive from the array and display it
return ($($AvailableRemovableDrives[$Choice - 1]).DriveLetter + ':')
- }
+ }
}
#endregion functions
@@ -512,11 +512,11 @@ if (Test-IsAdmin) {
# Get the current configurations and preferences of the Microsoft Defender
New-Variable -Name 'MDAVConfigCurrent' -Value (Get-MpComputerStatus) -Force
New-Variable -Name 'MDAVPreferencesCurrent' -Value (Get-MpPreference) -Force
-
+
# backup the current allowed apps list in Controlled folder access in order to restore them at the end of the script
# doing this so that when we Add and then Remove PowerShell executables in Controlled folder access exclusions
# no user customization will be affected
- [System.String[]]$CFAAllowedAppsBackup = $MDAVPreferencesCurrent.ControlledFolderAccessAllowedApplications
+ [System.String[]]$CFAAllowedAppsBackup = $MDAVPreferencesCurrent.ControlledFolderAccessAllowedApplications
# Temporarily allow the currently running PowerShell executables to the Controlled Folder Access allowed apps
# so that the script can run without interruption. This change is reverted at the end.
@@ -524,14 +524,14 @@ if (Test-IsAdmin) {
foreach ($FilePath in (((Get-ChildItem -Path "$PSHOME\*.exe" -File).FullName) + 'C:\Windows\System32\powercfg.exe')) {
Add-MpPreference -ControlledFolderAccessAllowedApplications $FilePath
}
-
+
}
# doing a try-finally block on the entire script so that when CTRL + C is pressed to forcefully exit the script,
# or break is passed, clean up will still happen for secure exit
try {
try {
- Invoke-WithoutProgress {
+ Invoke-WithoutProgress {
[System.DateTime]$global:LatestVersion = Invoke-RestMethod -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Version.txt'
}
}
@@ -545,16 +545,16 @@ try {
Write-Host -Object "The currently installed script's version is $CurrentVersion while the latest version is $LatestVersion" -ForegroundColor Cyan
Write-Host -Object 'Please update your script using:' -ForegroundColor Yellow
Write-Host -Object "Update-Script -Name 'Harden-Windows-Security' -Force" -ForegroundColor Green
- Write-Host -Object 'and run it again after that.' -ForegroundColor Yellow
+ Write-Host -Object 'and run it again after that.' -ForegroundColor Yellow
Write-Host -Object 'You can view the change log on GitHub: https://github.com/HotCakeX/Harden-Windows-Security/releases' -ForegroundColor Magenta
break
}
-
+
Write-Host -Object "`r`n"
Write-SmartText -CustomColor Rainbow -GenericColor Cyan -InputText "############################################################################################################`r`n"
Write-SmartText -CustomColor MintGreen -GenericColor Cyan -InputText "### Please read the Readme in the GitHub repository: https://github.com/HotCakeX/Harden-Windows-Security ###`r`n"
Write-SmartText -CustomColor Rainbow -GenericColor Cyan -InputText "############################################################################################################`r`n"
-
+
# Show a prompt to the user if they're using the old PowerShell
if ($PSVersionTable.PSEdition -eq 'Desktop') { Write-Host -Object "You're using old PowerShell. Please use the new PowerShell Core for much better styling and performance:`nhttps://apps.microsoft.com/detail/powershell/9MZ1SNWT0N5D" -ForegroundColor Yellow }
@@ -585,7 +585,7 @@ try {
# check to make sure Secure Boot is enabled
if (-NOT (Confirm-SecureBootUEFI)) {
Write-Error -Message 'Secure Boot is not enabled, please go to your UEFI settings to enable it and then try again.'
- break
+ break
}
# check to make sure TPM is available and enabled
@@ -594,26 +594,26 @@ try {
Write-Error -Message 'TPM is not available or enabled, please enable it in UEFI settings and try again.'
break
}
-
+
if (-NOT ($MDAVConfigCurrent.AMServiceEnabled -eq $true)) {
Write-Error -Message 'Microsoft Defender Anti Malware service is not enabled, please enable it and then try again.'
- break
- }
+ break
+ }
if (-NOT ($MDAVConfigCurrent.AntispywareEnabled -eq $true)) {
Write-Error -Message 'Microsoft Defender Anti Spyware is not enabled, please enable it and then try again.'
- break
- }
+ break
+ }
if (-NOT ($MDAVConfigCurrent.AntivirusEnabled -eq $true)) {
Write-Error -Message 'Microsoft Defender Anti Virus is not enabled, please enable it and then try again.'
- break
- }
+ break
+ }
if ($MDAVConfigCurrent.AMRunningMode -ne 'Normal') {
Write-Error -Message "Microsoft Defender is running in $($MDAVConfigCurrent.AMRunningMode) state, please remove any 3rd party AV and then try again."
break
- }
+ }
}
#endregion RequirementsCheck
@@ -630,23 +630,23 @@ try {
Remove-Item -Recurse -Path "$global:UserTempDirectoryPath\HardeningXStuff\" -Force
# Disable progress bars
0..6 | ForEach-Object -Process { Write-Progress -Id $_ -Activity 'Done' -Completed }
- exit
+ exit
}
if (-NOT (Test-IsAdmin)) {
Write-SmartText -CustomColor NeonGreen -GenericColor Magenta -InputText 'Skipping commands that require Administrator privileges'
}
- else {
-
+ else {
+
[System.Int64]$CurrentMainStep = 0
Write-Progress -Id 0 -Activity 'Downloading the required files' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete 1
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = 'Downloading'
try {
-
+
# Create an array of files to download
[System.Object[]]$Files = @(
- # System.Net.WebClient requires absolute path instead of relative one
+ # System.Net.WebClient requires absolute path instead of relative one
@{url = 'https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/Windows%2011%20v23H2%20Security%20Baseline.zip'; path = "$WorkingDir\MicrosoftSecurityBaseline.zip"; tag = 'MicrosoftSecurityBaseline' }
@{url = 'https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/Microsoft%20365%20Apps%20for%20Enterprise%202306.zip'; path = "$WorkingDir\Microsoft365SecurityBaseline.zip"; tag = 'Microsoft365SecurityBaseline' }
@{url = 'https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/LGPO.zip'; path = "$WorkingDir\LGPO.zip"; tag = 'LGPO' }
@@ -655,18 +655,18 @@ try {
@{url = 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Payload/ProcessMitigations.csv'; path = "$WorkingDir\ProcessMitigations.csv"; tag = 'ProcessMitigations' }
@{url = 'https://github.com/HotCakeX/Harden-Windows-Security/raw/main/Payload/EventViewerCustomViews.zip'; path = "$WorkingDir\EventViewerCustomViews.zip"; tag = 'EventViewerCustomViews' }
)
-
+
# Get the total number of files to download
[System.Int64]$TotalRequiredFiles = $Files.Count
-
+
# Initialize a counter for the progress bar
[System.Int64]$RequiredFilesCounter = 0
-
- # Start a job for each file download
- [System.Object[]]$Jobs = foreach ($File in $Files) {
-
+
+ # Start a job for each file download
+ [System.Object[]]$Jobs = foreach ($File in $Files) {
+
Start-Job -ErrorAction Stop -ScriptBlock {
-
+
param([System.Uri]$Url, [System.IO.FileInfo]$Path, [System.String]$Tag)
# Create a WebClient object
[System.Net.WebClient]$WC = New-Object System.Net.WebClient
@@ -676,63 +676,63 @@ try {
}
catch {
# a switch for when the original URLs are failing and to provide Alt URL
- switch ($Tag) {
+ switch ($Tag) {
'Security-Baselines-X' {
Write-Host -Object 'Using Azure DevOps for Security-Baselines-X.zip' -ForegroundColor Yellow
[System.Uri]$AltURL = 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Payload/Security-Baselines-X.zip'
$WC.DownloadFile($AltURL, $Path)
break
- }
+ }
'Registry' {
Write-Host -Object 'Using Azure DevOps for Registry.csv' -ForegroundColor Yellow
[System.Uri]$AltURL = 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Payload/Registry.csv'
$WC.DownloadFile($AltURL, $Path)
break
- }
- 'ProcessMitigations' {
+ }
+ 'ProcessMitigations' {
Write-Host -Object 'Using Azure DevOps for ProcessMitigations.CSV' -ForegroundColor Yellow
[System.Uri]$AltURL = 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Payload/ProcessMitigations.csv'
$WC.DownloadFile($AltURL, $Path)
break
- }
+ }
'EventViewerCustomViews' {
Write-Host -Object 'Using Azure DevOps for EventViewerCustomViews.zip' -ForegroundColor Yellow
[System.Uri]$AltURL = 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Payload/EventViewerCustomViews.zip'
$WC.DownloadFile($AltURL, $Path)
break
- }
+ }
default {
# Write an error if any other URL fails and stop the script
Write-Error $_
}
- }
- }
+ }
+ }
} -ArgumentList $File.url, $File.path, $File.tag
-
+
# Increment the counter by one
$RequiredFilesCounter++
-
+
# Write the progress of the download jobs
Write-Progress -Id 1 -ParentId 0 -Activity "Downloading $($file.tag)" -Status "$RequiredFilesCounter of $TotalRequiredFiles" -PercentComplete ($RequiredFilesCounter / $TotalRequiredFiles * 100)
- }
+ }
# Wait until all jobs are completed
while ($Jobs | Where-Object -FilterScript { $_.State -ne 'Completed' }) {
Start-Sleep -Milliseconds 700
}
-
+
# Receive the output or errors of each job and remove the job
foreach ($Job in $Jobs) {
Receive-Job -Job $Job -ErrorAction Stop
Remove-Job -Job $Job -ErrorAction Stop
- }
-
+ }
+
Write-Progress -Id 1 -ParentId 0 -Activity 'Downloading files completed.' -Completed
}
- catch {
+ catch {
Write-Error "The required files couldn't be downloaded, Make sure you have Internet connection."
- foreach ($Job in $Jobs) { Remove-Job -Job $Job -ErrorAction Stop }
+ foreach ($Job in $Jobs) { Remove-Job -Job $Job -ErrorAction Stop }
&$CleanUp
- }
+ }
# unzip Microsoft Security Baselines file
Expand-Archive -Path .\MicrosoftSecurityBaseline.zip -DestinationPath .\MicrosoftSecurityBaseline -Force -ErrorAction Stop
@@ -748,15 +748,15 @@ try {
# capturing the Microsoft 365 Security Baselines extracted path in a variable using wildcard and storing it in a variable so that we won't need to change anything in the code other than the download link when they are updated
[System.String]$Microsoft365SecurityBaselinePath = (Get-ChildItem -Directory -Path '.\Microsoft365SecurityBaseline\*\').FullName
- #region Windows-Boot-Manager-revocations-for-Secure-Boot KB5025885
+ #region Windows-Boot-Manager-revocations-for-Secure-Boot KB5025885
# ============================May 9 2023 Windows Boot Manager revocations for Secure Boot =================================
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = '🫶 Category 0'
-
+
switch (Select-Option -Options 'Yes', 'No', 'Exit' -Message "`nApply May 9 2023 Windows Boot Manager Security measures ? (If you've already run this category, don't need to do it again)") {
- 'Yes' {
+ 'Yes' {
Write-Progress -Id 0 -Activity 'Windows Boot Manager revocations for Secure Boot' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x30 /f
@@ -765,21 +765,21 @@ try {
Write-Warning 'Make sure to restart your device once. After restart, wait for at least 5-10 minutes and perform a 2nd restart to finish applying security measures completely.'
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
# ============================End of May 9 2023 Windows Boot Manager revocations for Secure Boot===========================
#endregion Windows-Boot-Manager-revocations-for-Secure-Boot KB5025885
- #region Microsoft-Security-Baseline
+ #region Microsoft-Security-Baseline
# ================================================Microsoft Security Baseline==============================================
$CurrentMainStep++
-
+
# Change the title of the Windows Terminal for PowerShell tab
- $Host.UI.RawUI.WindowTitle = 'Security Baselines'
-
+ $Host.UI.RawUI.WindowTitle = 'Security Baselines'
+
:MicrosoftSecurityBaselinesCategoryLabel switch (Select-Option -Options 'Yes', 'Yes, With the Optional Overrides (Recommended)' , 'No', 'Exit' -Message "`nApply Microsoft Security Baseline ?") {
- 'Yes' {
+ 'Yes' {
Write-Progress -Id 0 -Activity 'Microsoft Security Baseline' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
-
+
# Copy LGPO.exe from its folder to Microsoft Security Baseline folder in order to get it ready to be used by PowerShell script
Copy-Item -Path '.\LGPO_30\LGPO.exe' -Destination "$MicrosoftSecurityBaselinePath\Scripts\Tools"
@@ -787,10 +787,10 @@ try {
Set-Location "$MicrosoftSecurityBaselinePath\Scripts\"
# Run the official PowerShell script included in the Microsoft Security Baseline file we downloaded from Microsoft servers
- .\Baseline-LocalInstall.ps1 -Win11NonDomainJoined
- }
- 'Yes, With the Optional Overrides (Recommended)' {
-
+ .\Baseline-LocalInstall.ps1 -Win11NonDomainJoined
+ }
+ 'Yes, With the Optional Overrides (Recommended)' {
+
# Copy LGPO.exe from its folder to Microsoft Security Baseline folder in order to get it ready to be used by PowerShell script
Copy-Item -Path '.\LGPO_30\LGPO.exe' -Destination "$MicrosoftSecurityBaselinePath\Scripts\Tools"
@@ -806,27 +806,27 @@ try {
Set-Location "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\Overrides for Microsoft Security Baseline\registry.pol'
.\LGPO.exe /q /s '..\Security-Baselines-X\Overrides for Microsoft Security Baseline\GptTmpl.inf'
-
+
# Re-enables the XblGameSave Standby Task that gets disabled by Microsoft Security Baselines
- SCHTASKS.EXE /Change /TN \Microsoft\XblGameSave\XblGameSaveTask /Enable
+ SCHTASKS.EXE /Change /TN \Microsoft\XblGameSave\XblGameSaveTask /Enable
}
'No' { break MicrosoftSecurityBaselinesCategoryLabel }
'Exit' { &$CleanUp }
- }
- # ==============================================End of Microsoft Security Baselines============================================
+ }
+ # ==============================================End of Microsoft Security Baselines============================================
#endregion Microsoft-Security-Baseline
-
+
#region Microsoft-365-Apps-Security-Baseline
# ================================================Microsoft 365 Apps Security Baseline==============================================
$CurrentMainStep++
-
+
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = 'M365 Apps Security'
-
+
:Microsoft365AppsSecurityBaselinesCategoryLabel switch (Select-Option -Options 'Yes', 'No', 'Exit' -Message "`nApply Microsoft 365 Apps Security Baseline ?") {
- 'Yes' {
+ 'Yes' {
Write-Progress -Id 0 -Activity 'Microsoft 365 Apps Security Baseline' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
-
+
Set-Location $WorkingDir
# Copy LGPO.exe from its folder to Microsoft Office 365 Apps for Enterprise Security Baseline folder in order to get it ready to be used by PowerShell script
Copy-Item -Path '.\LGPO_30\LGPO.exe' -Destination "$Microsoft365SecurityBaselinePath\Scripts\Tools"
@@ -835,28 +835,28 @@ try {
Set-Location "$Microsoft365SecurityBaselinePath\Scripts\"
# Run the official PowerShell script included in the Microsoft Security Baseline file we downloaded from Microsoft servers
- .\Baseline-LocalInstall.ps1
+ .\Baseline-LocalInstall.ps1
} 'No' { break Microsoft365AppsSecurityBaselinesCategoryLabel }
'Exit' { &$CleanUp }
}
# ================================================End of Microsoft 365 Apps Security Baseline==============================================
#endregion Microsoft-365-Apps-Security-Baseline
-
+
#region Microsoft-Defender
# ================================================Microsoft Defender=======================================================
$CurrentMainStep++
-
+
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = 'MSFT Defender'
-
+
switch (Select-Option -Options 'Yes', 'No', 'Exit' -Message "`nRun Microsoft Defender category ?") {
- 'Yes' {
+ 'Yes' {
Write-Progress -Id 0 -Activity 'Microsoft Defender' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
-
+
# Change current working directory to the LGPO's folder
Set-Location "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\Microsoft Defender Policies\registry.pol'
-
+
# Optimizing Network Protection Performance of Windows Defender
Set-MpPreference -AllowSwitchToAsyncInspection $True
@@ -892,29 +892,29 @@ try {
[System.Object[]]$AllAvailableMitigations = (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*')
# Loop through each group to remove the mitigations, this way we apply clean set of mitigations in the next step
- foreach ($Group in $GroupedMitigations) {
+ foreach ($Group in $GroupedMitigations) {
# To separate the filename from full path of the item in the CSV and then check whether it exists in the system registry
if ($Group.Name -match '\\([^\\]+)$') {
if ($Matches[1] -in $AllAvailableMitigations.pschildname) {
Remove-Item -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$($Matches[1])" -Recurse -Force
- }
+ }
}
elseif ($Group.Name -in $AllAvailableMitigations.pschildname) {
Remove-Item -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$($Group.Name)" -Recurse -Force
}
- }
+ }
# Loop through each group to add the mitigations
foreach ($Group in $GroupedMitigations) {
# Get the program name
$ProgramName = $Group.Name
-
+
# Get the list of mitigations to enable
$EnableMitigations = $Group.Group | Where-Object -FilterScript { $_.Action -eq 'Enable' } | Select-Object -ExpandProperty Mitigation
-
+
# Get the list of mitigations to disable
$DisableMitigations = $Group.Group | Where-Object -FilterScript { $_.Action -eq 'Disable' } | Select-Object -ExpandProperty Mitigation
-
+
# Call the Set-ProcessMitigation cmdlet with the lists of mitigations
if ($null -ne $EnableMitigations) {
if ($null -ne $DisableMitigations) {
@@ -927,11 +927,11 @@ try {
elseif ($null -ne $DisableMitigations) {
Set-ProcessMitigation -Name $ProgramName -Disable $DisableMitigations
}
- }
+ }
# Turn on Data Execution Prevention (DEP) for all applications, including 32-bit programs
# Old method
- # bcdedit.exe /set '{current}' nx AlwaysOn | Out-Null
+ # bcdedit.exe /set '{current}' nx AlwaysOn | Out-Null
# New method using PowerShell cmdlets added in Windows 11
Set-BcdElement -Element 'nx' -Type 'Integer' -Value '3'
@@ -955,9 +955,9 @@ try {
}
else {
# Ask user if they want to turn on optional diagnostic data only if Smart App Control is not already turned off
- if (-NOT ((Get-MpComputerStatus).SmartAppControlState -eq 'Off')) {
+ if (-NOT ((Get-MpComputerStatus).SmartAppControlState -eq 'Off')) {
switch (Select-Option -SubCategory -Options 'Yes', 'No', 'Exit' -Message "`nEnable Optional Diagnostic Data ?" -ExtraMessage 'Required for Smart App Control usage and evaluation, read the GitHub Readme!') {
- 'Yes' {
+ 'Yes' {
# Change current working directory to the LGPO's folder
Set-Location "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\Microsoft Defender Policies\Optional Diagnostic Data\registry.pol'
@@ -969,7 +969,7 @@ try {
# Get the state of fast weekly Microsoft recommended driver block list update scheduled task
[System.String]$BlockListScheduledTaskState = (Get-ScheduledTask -TaskName 'MSFT Driver Block list update' -TaskPath '\MSFT Driver Block list update\' -ErrorAction SilentlyContinue).State
-
+
# Create scheduled task for fast weekly Microsoft recommended driver block list update if it doesn't exist or exists but is not Ready/Running
if (-NOT (($BlockListScheduledTaskState -eq 'Ready' -or $BlockListScheduledTaskState -eq 'Running'))) {
switch (Select-Option -SubCategory -Options 'Yes', 'No', 'Exit' -Message "`nCreate scheduled task for fast weekly Microsoft recommended driver block list update ?") {
@@ -977,26 +977,26 @@ try {
# Get the SID of the SYSTEM account. It is a well-known SID, but still querying it, going to use it to create the scheduled task
[System.Security.Principal.SecurityIdentifier]$SYSTEMSID = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)
-
- # Create a scheduled task action, this defines how to download and install the latest Microsoft Recommended Driver Block Rules
+
+ # Create a scheduled task action, this defines how to download and install the latest Microsoft Recommended Driver Block Rules
[Microsoft.Management.Infrastructure.CimInstance]$Action = New-ScheduledTaskAction -Execute 'Powershell.exe' `
- -Argument '-NoProfile -WindowStyle Hidden -command "& {try {Invoke-WebRequest -Uri "https://aka.ms/VulnerableDriverBlockList" -OutFile VulnerableDriverBlockList.zip -ErrorAction Stop}catch{exit};Expand-Archive .\VulnerableDriverBlockList.zip -DestinationPath "VulnerableDriverBlockList" -Force;Rename-Item .\VulnerableDriverBlockList\SiPolicy_Enforced.p7b -NewName "SiPolicy.p7b" -Force;Copy-Item .\VulnerableDriverBlockList\SiPolicy.p7b -Destination "C:\Windows\System32\CodeIntegrity";citool --refresh -json;Remove-Item .\VulnerableDriverBlockList -Recurse -Force;Remove-Item .\VulnerableDriverBlockList.zip -Force;}"'
-
+ -Argument '-NoProfile -WindowStyle Hidden -command "& {try {Invoke-WebRequest -Uri "https://aka.ms/VulnerableDriverBlockList" -OutFile VulnerableDriverBlockList.zip -ErrorAction Stop}catch{exit};Expand-Archive .\VulnerableDriverBlockList.zip -DestinationPath "VulnerableDriverBlockList" -Force;Rename-Item .\VulnerableDriverBlockList\SiPolicy_Enforced.p7b -NewName "SiPolicy.p7b" -Force;Copy-Item .\VulnerableDriverBlockList\SiPolicy.p7b -Destination "C:\Windows\System32\CodeIntegrity";citool --refresh -json;Remove-Item .\VulnerableDriverBlockList -Recurse -Force;Remove-Item .\VulnerableDriverBlockList.zip -Force;}"'
+
# Create a scheduled task principal and assign the SYSTEM account's SID to it so that the task will run under its context
[Microsoft.Management.Infrastructure.CimInstance]$TaskPrincipal = New-ScheduledTaskPrincipal -LogonType S4U -UserId $($SYSTEMSID.Value) -RunLevel Highest
-
+
# Create a trigger for the scheduled task. The task will first run one hour after its creation and from then on will run every 7 days, indefinitely
- [Microsoft.Management.Infrastructure.CimInstance]$Time = New-ScheduledTaskTrigger -Once -At (Get-Date).AddHours(1) -RepetitionInterval (New-TimeSpan -Days 7)
-
+ [Microsoft.Management.Infrastructure.CimInstance]$Time = New-ScheduledTaskTrigger -Once -At (Get-Date).AddHours(1) -RepetitionInterval (New-TimeSpan -Days 7)
+
# Register the scheduled task
Register-ScheduledTask -Action $Action -Trigger $Time -Principal $TaskPrincipal -TaskPath 'MSFT Driver Block list update' -TaskName 'MSFT Driver Block list update' -Description 'Microsoft Recommended Driver Block List update'
-
+
# Define advanced settings for the scheduled task
[Microsoft.Management.Infrastructure.CimInstance]$TaskSettings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -Compatibility 'Win8' -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 3) -RestartCount 4 -RestartInterval (New-TimeSpan -Hours 6) -RunOnlyIfNetworkAvailable
-
+
# Add the advanced settings we defined above to the scheduled task
- Set-ScheduledTask -TaskName 'MSFT Driver Block list update' -TaskPath 'MSFT Driver Block list update' -Settings $TaskSettings
-
+ Set-ScheduledTask -TaskName 'MSFT Driver Block list update' -TaskPath 'MSFT Driver Block list update' -Settings $TaskSettings
+
} 'No' { break }
'Exit' { &$CleanUp }
}
@@ -1006,52 +1006,52 @@ try {
if ( ($MDAVPreferencesCurrent.EngineUpdatesChannel -ne '2') -or ($MDAVPreferencesCurrent.PlatformUpdatesChannel -ne '2') ) {
# Set Microsoft Defender engine and platform update channel to beta - Devices in the Windows Insider Program are subscribed to this channel by default.
switch (Select-Option -SubCategory -Options 'Yes', 'No', 'Exit' -Message "`nSet Microsoft Defender engine and platform update channel to beta ?") {
- 'Yes' {
+ 'Yes' {
Set-MpPreference -EngineUpdatesChannel beta
Set-MpPreference -PlatformUpdatesChannel beta
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
}
} 'No' { break }
'Exit' { &$CleanUp }
- }
- # ============================================End of Microsoft Defender====================================================
+ }
+ # ============================================End of Microsoft Defender====================================================
#endregion Microsoft-Defender
- #region Attack-Surface-Reduction-Rules
+ #region Attack-Surface-Reduction-Rules
# =========================================Attack Surface Reduction Rules==================================================
$CurrentMainStep++
-
+
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = 'ASR Rules'
-
+
:ASRRulesCategoryLabel switch (Select-Option -Options 'Yes', 'No', 'Exit' -Message "`nRun Attack Surface Reduction Rules category ?") {
- 'Yes' {
+ 'Yes' {
Write-Progress -Id 0 -Activity 'Attack Surface Reduction Rules' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
-
+
# Change current working directory to the LGPO's folder
Set-Location "$WorkingDir\LGPO_30"
-
+
.\LGPO.exe /q /m '..\Security-Baselines-X\Attack Surface Reduction Rules Policies\registry.pol'
} 'No' { break ASRRulesCategoryLabel }
'Exit' { &$CleanUp }
}
# =========================================End of Attack Surface Reduction Rules===========================================
#endregion Attack-Surface-Reduction-Rules
-
- #region Bitlocker-Settings
- # ==========================================Bitlocker Settings=============================================================
+
+ #region Bitlocker-Settings
+ # ==========================================Bitlocker Settings=============================================================
$CurrentMainStep++
-
+
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = 'BitLocker'
-
+
:BitLockerCategoryLabel switch (Select-Option -Options 'Yes', 'No', 'Exit' -Message "`nRun Bitlocker category ?") {
- 'Yes' {
+ 'Yes' {
Write-Progress -Id 0 -Activity 'Bitlocker Settings' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
-
+
# Change current working directory to the LGPO's folder
Set-Location "$WorkingDir\LGPO_30"
@@ -1111,18 +1111,18 @@ try {
# Change current working directory to the LGPO's folder
Set-Location "$WorkingDir\LGPO_30"
-
+
# Enables or disables DMA protection from Bitlocker Countermeasures based on the status of Kernel DMA protection.
- if ($BootDMAProtection) {
+ if ($BootDMAProtection) {
Write-Host -Object 'Kernel DMA protection is enabled on the system, disabling Bitlocker DMA protection.' -ForegroundColor Blue
- .\LGPO.exe /q /m '..\Security-Baselines-X\Overrides for Microsoft Security Baseline\Bitlocker DMA\Bitlocker DMA Countermeasure OFF\Registry.pol'
+ .\LGPO.exe /q /m '..\Security-Baselines-X\Overrides for Microsoft Security Baseline\Bitlocker DMA\Bitlocker DMA Countermeasure OFF\Registry.pol'
}
else {
Write-Host -Object 'Kernel DMA protection is unavailable on the system, enabling Bitlocker DMA protection.' -ForegroundColor Blue
- .\LGPO.exe /q /m '..\Security-Baselines-X\Overrides for Microsoft Security Baseline\Bitlocker DMA\Bitlocker DMA Countermeasure ON\Registry.pol'
+ .\LGPO.exe /q /m '..\Security-Baselines-X\Overrides for Microsoft Security Baseline\Bitlocker DMA\Bitlocker DMA Countermeasure ON\Registry.pol'
}
- # Set-up Bitlocker encryption for OS Drive with TPMandPIN and recovery password keyprotectors and Verify its implementation
+ # Set-up Bitlocker encryption for OS Drive with TPMandPIN and recovery password keyprotectors and Verify its implementation
# check, make sure there is no CD/DVD drives in the system, because Bitlocker throws an error when there is
$CdDvdCheck = (Get-CimInstance -ClassName Win32_CDROMDrive -Property *).MediaLoaded
if ($CdDvdCheck) {
@@ -1130,7 +1130,7 @@ try {
# break from the entire BitLocker category and continue to the next category
break BitLockerCategoryLabel
}
-
+
# check make sure Bitlocker isn't in the middle of decryption/encryption operation (on System Drive)
if ((Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $env:SystemDrive).EncryptionPercentage -ne '100' -and (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $env:SystemDrive).EncryptionPercentage -ne '0') {
$EncryptionPercentageVar = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $env:SystemDrive).EncryptionPercentage
@@ -1139,11 +1139,11 @@ try {
# break from the entire BitLocker category and continue to the next category
break BitLockerCategoryLabel
}
-
+
# A script block that generates recovery code just like the Windows does
- [scriptblock]$RecoveryPasswordContentGenerator = {
+ [scriptblock]$RecoveryPasswordContentGenerator = {
param ([System.Object[]]$KeyProtectorsInputFromScriptBlock)
-
+
return @"
BitLocker Drive Encryption recovery key
@@ -1151,25 +1151,25 @@ To verify that this is the correct recovery key, compare the start of the follow
Identifier:
- $(($KeyProtectorsInputFromScriptBlock | Where-Object -FilterScript { $_.keyprotectortype -eq 'RecoveryPassword' }).KeyProtectorId.Trim('{', '}'))
+ $(($KeyProtectorsInputFromScriptBlock | Where-Object -FilterScript { $_.keyprotectortype -eq 'RecoveryPassword' }).KeyProtectorId.Trim('{', '}'))
If the above identifier matches the one displayed by your PC, then use the following key to unlock your drive.
Recovery Key:
- $(($KeyProtectorsInputFromScriptBlock | Where-Object -FilterScript { $_.keyprotectortype -eq 'RecoveryPassword' }).RecoveryPassword)
+ $(($KeyProtectorsInputFromScriptBlock | Where-Object -FilterScript { $_.keyprotectortype -eq 'RecoveryPassword' }).RecoveryPassword)
If the above identifier doesn't match the one displayed by your PC, then this isn't the right key to unlock your drive.
Try another recovery key, or refer to https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview for additional assistance.
-
+
IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Vault which requires additional authentication to access.
-
+
"@
}
:OSDriveEncryptionLabel switch (Select-Option -SubCategory -Options 'Normal: TPM + Startup PIN + Recovery Password', 'Enhanced: TPM + Startup PIN + Startup Key + Recovery Password', 'Skip encryptions altogether', 'Exit' -Message "`nPlease select your desired security level" -ExtraMessage "If you are not sure, refer to the BitLocker category in the GitHub Readme`n") {
'Normal: TPM + Startup PIN + Recovery Password' {
-
+
# check if Bitlocker is enabled for the system drive with Normal security level
if ((Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $env:SystemDrive).ProtectionStatus -eq 'on') {
@@ -1187,51 +1187,51 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
[System.String[]]$KeyProtectorTypesOSDrive = $KeyProtectorsOSDrive.keyprotectortype
if ($KeyProtectorTypesOSDrive -contains 'TpmPinStartupKey' -and $KeyProtectorTypesOSDrive -contains 'recoveryPassword') {
-
+
switch (Select-Option -SubCategory -Options 'Yes', 'Skip OS Drive' , 'Exit' -Message "`nThe OS Drive is already encrypted with Enhanced Security level." -ExtraMessage "Are you sure you want to change it to Normal Security level?`n" ) {
'Skip OS Drive' { break OSDriveEncryptionLabel }
- 'Exit' { &$CleanUp }
+ 'Exit' { &$CleanUp }
}
}
-
+
# check if TPM + PIN + recovery password are being used as key protectors for the OS Drive
if ($KeyProtectorTypesOSDrive -contains 'Tpmpin' -and $KeyProtectorTypesOSDrive -contains 'recoveryPassword') {
Write-SmartText -C MintGreen -G Green -I 'Bitlocker is already enabled for the OS drive with Normal security level.'
-
+
Write-SmartText -C Fuchsia -GenericColor Magenta -I 'Here is your 48-digits recovery password for the OS drive in case you were looking for it:'
Write-SmartText -C Rainbow -GenericColor Yellow -I "$(($KeyProtectorsOSDrive | Where-Object -FilterScript { $_.keyprotectortype -eq 'RecoveryPassword' }).RecoveryPassword)"
-
+
}
else {
# If the OS Drive doesn't have recovery password key protector
if ($KeyProtectorTypesOSDrive -notcontains 'recoveryPassword') {
-
+
[System.String]$BitLockerMsg = "`nThe recovery password is missing, adding it now... `n" +
"It will be saved in a text file in '$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt'"
Write-Host -Object $BitLockerMsg -ForegroundColor Yellow
-
+
# Add RecoveryPasswordProtector key protector to the OS drive
Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector *> $null
-
+
# Get the new key protectors of the OS Drive after adding RecoveryPasswordProtector to it
[System.Object[]]$KeyProtectorsOSDrive = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $env:SystemDrive).KeyProtector
-
+
# Backup the recovery code of the OS drive in a file
New-Item -Path "$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt" -Value $(&$RecoveryPasswordContentGenerator $KeyProtectorsOSDrive) -ItemType File -Force | Out-Null
-
+
}
# If the OS Drive doesn't have (TPM + PIN) key protector
if ($KeyProtectorTypesOSDrive -notcontains 'Tpmpin') {
-
+
Write-Host -Object "`nTPM and Start up PIN are missing, adding them now..." -ForegroundColor Cyan
-
- do {
+
+ do {
[securestring]$Pin1 = $(Write-SmartText -C PinkBold -G Magenta -I "`nEnter a Pin for Bitlocker startup (between 10 to 20 characters)"; Read-Host -AsSecureString)
[securestring]$Pin2 = $(Write-SmartText -C PinkBold -G Magenta -I 'Confirm your Bitlocker Startup Pin (between 10 to 20 characters)'; Read-Host -AsSecureString)
-
+
# Compare the PINs and make sure they match
[System.Boolean]$TheyMatch = Compare-SecureString $Pin1 $Pin2
# If the PINs match and they are at least 10 characters long, max 20 characters
@@ -1240,15 +1240,15 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
else { Write-Host -Object 'Please ensure that the PINs you entered match, and that they are between 10 to 20 characters.' -ForegroundColor red }
}
- # Repeat this process until the entered PINs match and they are at least 10 characters long, max 20 characters
+ # Repeat this process until the entered PINs match and they are at least 10 characters long, max 20 characters
until ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) )
-
+
try {
# Add TPM + PIN key protectors to the OS Drive
Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmAndPinProtector -Pin $Pin -ErrorAction Stop | Out-Null
Write-SmartText -C MintGreen -G Green -I "`nPINs matched, enabling TPM and startup PIN now`n"
}
- catch {
+ catch {
Write-Host -Object 'These errors occured, run Bitlocker category again after meeting the requirements' -ForegroundColor Red
$_
break BitLockerCategoryLabel
@@ -1256,14 +1256,14 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Get the key protectors of the OS Drive
[System.Object[]]$KeyProtectorsOSDrive = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $env:SystemDrive).KeyProtector
-
+
# Backup the recovery code of the OS drive in a file just in case - This is for when the disk is automatically encrypted and using TPM + Recovery code by default
New-Item -Path "$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt" -Value $(&$RecoveryPasswordContentGenerator $KeyProtectorsOSDrive) -ItemType File -Force | Out-Null
-
+
Write-Host -Object "The recovery password was backed up in a text file in '$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt'" -ForegroundColor Cyan
-
- }
- }
+
+ }
+ }
}
# Do this if Bitlocker is not enabled for the OS drive at all
@@ -1272,16 +1272,16 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
do {
[securestring]$Pin1 = $(Write-SmartText -C PinkBold -G Magenta -I 'Enter a Pin for Bitlocker startup (between 10 to 20 characters)'; Read-Host -AsSecureString)
[securestring]$Pin2 = $(Write-SmartText -C PinkBold -G Magenta -I 'Confirm your Bitlocker Startup Pin (between 10 to 20 characters)'; Read-Host -AsSecureString)
-
+
[System.Boolean]$TheyMatch = Compare-SecureString $Pin1 $Pin2
-
+
if ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) ) {
[securestring]$Pin = $Pin1
}
else { Write-Host -Object 'Please ensure that the PINs you entered match, and that they are between 10 to 20 characters.' -ForegroundColor red }
}
until ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) )
-
+
try {
# Enable BitLocker for the OS Drive with TPM + PIN key protectors
Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod 'XtsAes256' -Pin $Pin -TpmAndPinProtector -SkipHardwareTest -ErrorAction Stop *> $null
@@ -1290,25 +1290,25 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object 'These errors occured, run Bitlocker category again after meeting the requirements' -ForegroundColor Red
$_
break BitLockerCategoryLabel
- }
+ }
# Add recovery password key protector to the OS Drive
Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector *> $null
-
+
# Get the new key protectors of the OS Drive after adding RecoveryPasswordProtector to it
[System.Object[]]$KeyProtectorsOSDrive = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $env:SystemDrive).KeyProtector
-
+
# Backup the recovery code of the OS drive in a file
New-Item -Path "$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt" -Value $(&$RecoveryPasswordContentGenerator $KeyProtectorsOSDrive) -ItemType File -Force | Out-Null
-
+
Resume-BitLocker -MountPoint $env:SystemDrive | Out-Null
-
- Write-SmartText -C MintGreen -G Green -I "`nBitlocker is now enabled for the OS drive with Normal security level."
+
+ Write-SmartText -C MintGreen -G Green -I "`nBitlocker is now enabled for the OS drive with Normal security level."
Write-Host -Object "The recovery password will be saved in a text file in '$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt'" -ForegroundColor Cyan
}
}
'Enhanced: TPM + Startup PIN + Startup Key + Recovery Password' {
-
+
# check if Bitlocker is enabled for the system drive with Enhanced security level
if ((Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $env:SystemDrive).ProtectionStatus -eq 'on') {
@@ -1324,55 +1324,55 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
[System.Object[]]$KeyProtectorsOSDrive = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $env:SystemDrive).KeyProtector
# Get the key protector types of the OS Drive
[System.String[]]$KeyProtectorTypesOSDrive = $KeyProtectorsOSDrive.keyprotectortype
-
+
# check if TPM + PIN + recovery password are being used as key protectors for the OS Drive
if ($KeyProtectorTypesOSDrive -contains 'TpmPinStartupKey' -and $KeyProtectorTypesOSDrive -contains 'recoveryPassword') {
Write-SmartText -C MintGreen -G Green -I 'Bitlocker is already enabled for the OS drive with Enhanced security level.'
-
+
Write-SmartText -C Fuchsia -GenericColor Magenta -I 'Here is your 48-digits recovery password for the OS drive in case you were looking for it:'
Write-SmartText -C Rainbow -GenericColor Yellow -I "$(($KeyProtectorsOSDrive | Where-Object -FilterScript { $_.keyprotectortype -eq 'RecoveryPassword' }).RecoveryPassword)"
-
+
}
else {
# If the OS Drive doesn't have recovery password key protector
if ($KeyProtectorTypesOSDrive -notcontains 'recoveryPassword') {
-
+
[System.String]$BitLockerMsg = "`nThe recovery password is missing, adding it now... `n" +
"It will be saved in a text file in '$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt'"
Write-Host -Object $BitLockerMsg -ForegroundColor Yellow
-
+
# Add RecoveryPasswordProtector key protector to the OS drive
Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector *> $null
-
+
# Get the new key protectors of the OS Drive after adding RecoveryPasswordProtector to it
[System.Object[]]$KeyProtectorsOSDrive = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $env:SystemDrive).KeyProtector
-
+
# Backup the recovery code of the OS drive in a file
New-Item -Path "$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt" -Value $(&$RecoveryPasswordContentGenerator $KeyProtectorsOSDrive) -ItemType File -Force | Out-Null
-
+
}
# If the OS Drive doesn't have (TpmPinStartupKey) key protector
if ($KeyProtectorTypesOSDrive -notcontains 'TpmPinStartupKey') {
-
+
Write-SmartText -C Violet -G Cyan -I "`nTpm And Pin And StartupKey Protector is missing from the OS Drive, adding it now"
# Check if the OS drive has ExternalKey key protector and if it does remove it
# It's the standalone Startup Key protector which isn't secure on its own for the OS Drive
- if ($KeyProtectorTypesOSDrive -contains 'ExternalKey') {
+ if ($KeyProtectorTypesOSDrive -contains 'ExternalKey') {
(Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $env:SystemDrive).KeyProtector |
Where-Object -FilterScript { $_.keyprotectortype -eq 'ExternalKey' } |
ForEach-Object -Process { Remove-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $_.KeyProtectorId | Out-Null }
-
- }
- do {
+ }
+
+ do {
[securestring]$Pin1 = $(Write-SmartText -C PinkBold -G Magenta -I "`nEnter a Pin for Bitlocker startup (between 10 to 20 characters)"; Read-Host -AsSecureString)
[securestring]$Pin2 = $(Write-SmartText -C PinkBold -G Magenta -I 'Confirm your Bitlocker Startup Pin (between 10 to 20 characters)'; Read-Host -AsSecureString)
-
+
# Compare the PINs and make sure they match
[System.Boolean]$TheyMatch = Compare-SecureString $Pin1 $Pin2
# If the PINs match and they are at least 10 characters long, max 20 characters
@@ -1381,41 +1381,41 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
else { Write-Host -Object 'Please ensure that the PINs you entered match, and that they are between 10 to 20 characters.' -ForegroundColor red }
}
- # Repeat this process until the entered PINs match and they are at least 10 characters long, max 20 characters
+ # Repeat this process until the entered PINs match and they are at least 10 characters long, max 20 characters
until ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) )
-
+
Write-SmartText -C MintGreen -G Green -I "`nPINs matched, enabling TPM, Startup PIN and Startup Key protector now`n"
-
+
try {
# Add TpmAndPinAndStartupKeyProtector to the OS Drive
- Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmAndPinAndStartupKeyProtector -StartupKeyPath (Get-AvailableRemovableDrives) -Pin $Pin -ErrorAction Stop | Out-Null
+ Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmAndPinAndStartupKeyProtector -StartupKeyPath (Get-AvailableRemovableDrives) -Pin $Pin -ErrorAction Stop | Out-Null
}
- catch {
+ catch {
Write-Host -Object 'There was a problem adding Startup Key to the removable drive, try ejecting and reinserting the flash drive into your device and run this category again.' -ForegroundColor Red
$_
break BitLockerCategoryLabel
}
-
+
# Get the key protectors of the OS Drive
[System.Object[]]$KeyProtectorsOSDrive = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $env:SystemDrive).KeyProtector
-
+
# Backup the recovery code of the OS drive in a file just in case - This is for when the disk is automatically encrypted and using TPM + Recovery code by default
New-Item -Path "$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt" -Value $(&$RecoveryPasswordContentGenerator $KeyProtectorsOSDrive) -ItemType File -Force | Out-Null
-
+
Write-Host -Object "The recovery password was backed up in a text file in '$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt'" -ForegroundColor Cyan
-
- }
- }
+
+ }
+ }
}
# Do this if Bitlocker is not enabled for the OS drive at all
else {
Write-Host -Object "`nBitlocker is not enabled for the OS Drive, activating it now..." -ForegroundColor Yellow
-
- do {
+
+ do {
[securestring]$Pin1 = $(Write-SmartText -C PinkBold -G Magenta -I "`nEnter a Pin for Bitlocker startup (between 10 to 20 characters)"; Read-Host -AsSecureString)
[securestring]$Pin2 = $(Write-SmartText -C PinkBold -G Magenta -I 'Confirm your Bitlocker Startup Pin (between 10 to 20 characters)'; Read-Host -AsSecureString)
-
+
# Compare the PINs and make sure they match
[System.Boolean]$TheyMatch = Compare-SecureString $Pin1 $Pin2
# If the PINs match and they are at least 10 characters long, max 20 characters
@@ -1424,33 +1424,33 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
else { Write-Host -Object 'Please ensure that the PINs you entered match, and that they are between 10 to 20 characters.' -ForegroundColor red }
}
- # Repeat this process until the entered PINs match and they are at least 10 characters long, max 20 characters
+ # Repeat this process until the entered PINs match and they are at least 10 characters long, max 20 characters
until ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) )
-
+
Write-SmartText -C MintGreen -G Green -I "`nPINs matched, enabling TPM, Startup PIN and Startup Key protector now`n"
-
+
try {
# Add TpmAndPinAndStartupKeyProtector to the OS Drive
Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod 'XtsAes256' -TpmAndPinAndStartupKeyProtector -StartupKeyPath (Get-AvailableRemovableDrives) -Pin $Pin -SkipHardwareTest -ErrorAction Stop *> $null
}
- catch {
+ catch {
Write-Host -Object 'There was a problem adding Startup Key to the removable drive, try ejecting and reinserting the flash drive into your device and run this category again.' -ForegroundColor Red
$_
break BitLockerCategoryLabel
}
-
+
# Add recovery password key protector to the OS Drive
Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector *> $null
-
+
# Get the new key protectors of the OS Drive after adding RecoveryPasswordProtector to it
[System.Object[]]$KeyProtectorsOSDrive = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $env:SystemDrive).KeyProtector
-
+
# Backup the recovery code of the OS drive in a file
New-Item -Path "$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt" -Value $(&$RecoveryPasswordContentGenerator $KeyProtectorsOSDrive) -ItemType File -Force | Out-Null
-
+
Resume-BitLocker -MountPoint $env:SystemDrive | Out-Null
-
- Write-SmartText -C MintGreen -G Green -I "`nBitlocker is now enabled for the OS drive with Enhanced security level."
+
+ Write-SmartText -C MintGreen -G Green -I "`nBitlocker is now enabled for the OS drive with Enhanced security level."
Write-Host -Object "The recovery password will be saved in a text file in '$env:SystemDrive\Drive $($env:SystemDrive.remove(1)) recovery password.txt'" -ForegroundColor Cyan
}
}
@@ -1470,12 +1470,12 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Do nothing if the key doesn't exist
}
if ($HiberFileType -ne 2) {
-
+
Write-Progress -Id 6 -ParentId 0 -Activity 'Hibernate' -Status 'Setting Hibernate file size to full' -PercentComplete 50
-
+
# Set Hibernate mode to full
&'C:\Windows\System32\powercfg.exe' /h /type full | Out-Null
-
+
Write-Progress -Id 6 -Activity 'Setting Hibernate file size to full' -Completed
}
else {
@@ -1484,7 +1484,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
#region Non-OS-BitLocker-Drives-Detection
-
+
# Get the list of non OS volumes
# Using -ErrorAction SilentlyContinue because after running the Microsoft Security baseline category, if there is a flash drive attached to the device, you "might" see this error: Device Id: \\?\Volume{83196d59-0000-0000-0000-107d00000000}\ does not have a corresponding volume.
# It only suppresses Non-terminating errors
@@ -1516,11 +1516,11 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Loop through each non-OS volume and prompt for encryption
foreach ($MountPoint in $($NonOSBitLockerVolumes | Sort-Object).MountPoint) {
-
+
# Prompt for confirmation before encrypting each drive
switch (Select-Option -SubCategory -Options 'Yes', 'No', 'Exit' -Message "`nEncrypt $MountPoint drive ?") {
'Yes' {
-
+
# Check if the non-OS drive that the user selected to be encrypted is not in the middle of any encryption/decryption operation
if ((Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).EncryptionPercentage -ne '100' -and (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).EncryptionPercentage -ne '0') {
# Check if the drive isn't already encrypted and locked
@@ -1534,12 +1534,12 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object "Drive $MountPoint encryption is currently at $EncryptionPercentageVar percent." -ForegroundColor Magenta
break
}
- }
-
+ }
+
# Check to see if Bitlocker is already turned on for the user selected drive
# if it is, perform multiple checks on its key protectors
if ((Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).ProtectionStatus -eq 'on') {
-
+
# Get the OS Drive's encryption method
[System.String]$EncryptionMethodNonOSDrive = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).EncryptionMethod
@@ -1550,10 +1550,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Get the key protector types of the Non-OS Drive
[System.String[]]$KeyProtectorTypesNonOS = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).KeyProtector.keyprotectortype
-
+
# If Recovery Password and Auto Unlock key protectors are available on the drive
if ($KeyProtectorTypesNonOS -contains 'RecoveryPassword' -and $KeyProtectorTypesNonOS -contains 'ExternalKey') {
-
+
# Additional Check 1: if there are more than 1 ExternalKey key protector, try delete all of them and add a new one
# The external key protector that is being used to unlock the drive will not be deleted
((Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).KeyProtector |
@@ -1563,50 +1563,50 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# and it's being used to unlock the drive
Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_ -ErrorAction SilentlyContinue | Out-Null
}
-
+
# Renew the External key of the selected Non-OS Drive
Enable-BitLockerAutoUnlock -MountPoint $MountPoint | Out-Null
-
+
# Additional Check 2: if there are more than 1 Recovery Password, delete all of them and add a new one
[System.String[]]$RecoveryPasswordKeyProtectors = ((Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).KeyProtector |
Where-Object -FilterScript { $_.keyprotectortype -eq 'RecoveryPassword' }).KeyProtectorId
-
+
if ($RecoveryPasswordKeyProtectors.Count -gt 1) {
-
+
[System.String]$BitLockerMsg = "`nThere are more than 1 recovery password key protector associated with the drive $mountpoint `n" +
- "Removing all of them and adding a new one. `n" +
+ "Removing all of them and adding a new one. `n" +
"It will be saved in a text file in '$($MountPoint)\Drive $($MountPoint.Remove(1)) recovery password.txt'"
Write-Host -Object $BitLockerMsg -ForegroundColor Yellow
-
+
# Remove all of the recovery password key protectors of the selected Non-OS Drive
$RecoveryPasswordKeyProtectors | ForEach-Object -Process {
Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_ | Out-Null
}
-
+
# Add a new Recovery Password key protector after removing all of the previous ones
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector *> $null
-
+
# Get the new key protectors of the Non-OS Drive after adding RecoveryPasswordProtector to it
[System.Object[]]$KeyProtectorsNonOS = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).KeyProtector
-
+
# Backup the recovery code of the Non-OS drive in a file
New-Item -Path "$MountPoint\Drive $($MountPoint.Remove(1)) recovery password.txt" -Value $(&$RecoveryPasswordContentGenerator $KeyProtectorsNonOS) -ItemType File -Force | Out-Null
-
+
}
Write-SmartText -C MintGreen -G Green -I "`nBitlocker is already securely enabled for drive $MountPoint"
# Get the new key protectors of the Non-OS Drive after adding RecoveryPasswordProtector to it
# Just to simply display it on the console for the user
[System.Object[]]$KeyProtectorsNonOS = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).KeyProtector
-
+
Write-SmartText -C Fuchsia -GenericColor Magenta -I "Here is your 48-digits recovery password for drive $MountPoint in case you were looking for it:"
Write-SmartText -C Rainbow -GenericColor Yellow -I "$(($KeyProtectorsNonOS | Where-Object -FilterScript { $_.keyprotectortype -eq 'RecoveryPassword' }).RecoveryPassword)"
-
+
}
-
+
# If the selected drive has Auto Unlock key protector but doesn't have Recovery Password
elseif ($KeyProtectorTypesNonOS -contains 'ExternalKey' -and $KeyProtectorTypesNonOS -notcontains 'RecoveryPassword' ) {
-
+
# if there are more than 1 ExternalKey key protector, try delete all of them and add a new one
# The external key protector that is being used to unlock the drive will not be deleted
((Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).KeyProtector |
@@ -1616,75 +1616,75 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# and it's being used to unlock the drive
Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_ -ErrorAction SilentlyContinue | Out-Null
}
-
+
# Renew the External key of the selected Non-OS Drive
Enable-BitLockerAutoUnlock -MountPoint $MountPoint | Out-Null
-
+
# Add Recovery Password Key protector and save it to a file inside the drive
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector *> $null
-
+
# Get the new key protectors of the Non-OS Drive after adding RecoveryPasswordProtector to it
[System.Object[]]$KeyProtectorsNonOS = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).KeyProtector
-
+
# Backup the recovery code of the Non-OS drive in a file
New-Item -Path "$MountPoint\Drive $($MountPoint.Remove(1)) recovery password.txt" -Value $(&$RecoveryPasswordContentGenerator $KeyProtectorsNonOS) -ItemType File -Force | Out-Null
-
+
[System.String]$BitLockerMsg = "`nDrive $MountPoint is auto-unlocked but doesn't have Recovery Password, adding it now... `n" +
"It will be saved in a text file in '$($MountPoint)\Drive $($MountPoint.Remove(1)) recovery password.txt'"
Write-Host -Object $BitLockerMsg -ForegroundColor Cyan
}
-
+
# Check 3: If the selected drive has Recovery Password key protector but doesn't have Auto Unlock enabled
elseif ($KeyProtectorTypesNonOS -contains 'RecoveryPassword' -and $KeyProtectorTypesNonOS -notcontains 'ExternalKey') {
-
+
# Add Auto-unlock (a.k.a ExternalKey key protector to the drive)
Enable-BitLockerAutoUnlock -MountPoint $MountPoint | Out-Null
-
+
# if there are more than 1 Recovery Password, delete all of them and add a new one
[System.String[]]$RecoveryPasswordKeyProtectors = ((Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).KeyProtector |
Where-Object -FilterScript { $_.keyprotectortype -eq 'RecoveryPassword' }).KeyProtectorId
-
+
if ($RecoveryPasswordKeyProtectors.Count -gt 1) {
-
+
[System.String]$BitLockerMsg = "`nThere are more than 1 recovery password key protector associated with the drive $mountpoint `n" +
'Removing all of them and adding a new one.' +
"It will be saved in a text file in '$($MountPoint)\Drive $($MountPoint.Remove(1)) recovery password.txt'"
Write-Host -Object $BitLockerMsg -ForegroundColor Yellow
-
+
# Delete all Recovery Passwords because there were more than 1
$RecoveryPasswordKeyProtectors | ForEach-Object -Process {
Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_ | Out-Null
}
-
+
# Add a new Recovery Password
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector *> $null
-
+
# Get the new key protectors of the Non-OS Drive after adding RecoveryPasswordProtector to it
[System.Object[]]$KeyProtectorsNonOS = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).KeyProtector
-
+
# Backup the recovery code of the Non-OS drive in a file
New-Item -Path "$MountPoint\Drive $($MountPoint.Remove(1)) recovery password.txt" -Value $(&$RecoveryPasswordContentGenerator $KeyProtectorsNonOS) -ItemType File -Force | Out-Null
}
}
}
-
+
# Do this if Bitlocker isn't turned on at all on the user selected drive
else {
# Enable BitLocker with RecoveryPassword key protector for the selected Non-OS drive
Enable-BitLocker -MountPoint $MountPoint -RecoveryPasswordProtector *> $null
-
+
# Add Auto-unlock (a.k.a ExternalKey key protector to the drive)
Enable-BitLockerAutoUnlock -MountPoint $MountPoint | Out-Null
-
+
# Get the new key protectors of the Non-OS Drive after adding RecoveryPasswordProtector to it
[System.Object[]]$KeyProtectorsNonOS = (Get-BitLockerVolume -ErrorAction SilentlyContinue -MountPoint $MountPoint).KeyProtector
-
+
# Backup the recovery code of the Non-OS drive in a file
New-Item -Path "$MountPoint\Drive $($MountPoint.Remove(1)) recovery password.txt" -Value $(&$RecoveryPasswordContentGenerator $KeyProtectorsNonOS) -ItemType File -Force | Out-Null
-
+
Write-SmartText -C MintGreen -G Green -I "`nBitLocker has started encrypting drive $MountPoint"
Write-Host -Object "Recovery password will be saved in a text file in '$($MountPoint)\Drive $($MountPoint.Remove(1)) recovery password.txt'" -ForegroundColor Cyan
- }
+ }
} 'No' { break }
'Exit' { &$CleanUp }
}
@@ -1692,22 +1692,22 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
} 'No' { break }
'Exit' { &$CleanUp }
- }
- # ==========================================End of Bitlocker Settings======================================================
+ }
+ # ==========================================End of Bitlocker Settings======================================================
#endregion Bitlocker-Settings
- #region TLS-Security
- # ==============================================TLS Security===============================================================
+ #region TLS-Security
+ # ==============================================TLS Security===============================================================
$CurrentMainStep++
-
+
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = 'TLS'
-
+
switch (Select-Option -Options 'Yes', 'No', 'Exit' -Message "`nRun TLS Security category ?") {
- 'Yes' {
+ 'Yes' {
Write-Progress -Id 0 -Activity 'TLS Security' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
-
- # creating these registry keys that have forward slashes in them
+
+ # creating these registry keys that have forward slashes in them
@(
'DES 56/56', # DES 56-bit
'RC2 40/128', # RC2 40-bit
@@ -1733,24 +1733,24 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
# Change current working directory to the LGPO's folder
Set-Location "$WorkingDir\LGPO_30"
- .\LGPO.exe /q /m '..\Security-Baselines-X\TLS Security\registry.pol'
+ .\LGPO.exe /q /m '..\Security-Baselines-X\TLS Security\registry.pol'
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
# ==========================================End of TLS Security============================================================
#endregion TLS-Security
- #region Lock-Screen
+ #region Lock-Screen
# ==========================================Lock Screen====================================================================
$CurrentMainStep++
-
+
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = 'Lock Screen'
-
+
switch (Select-Option -Options 'Yes', 'No', 'Exit' -Message "`nRun Lock Screen category ?") {
- 'Yes' {
+ 'Yes' {
Write-Progress -Id 0 -Activity 'Lock Screen' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
-
+
# Change current working directory to the LGPO's folder
Set-Location "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\Lock Screen Policies\registry.pol'
@@ -1760,42 +1760,42 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
switch (Select-Option -SubCategory -Options 'Yes', 'No', 'Exit' -Message "`nDon't display last signed-in on logon screen ?" -ExtraMessage 'Read the GitHub Readme!') {
'Yes' {
Write-Progress -Id 2 -ParentId 0 -Activity 'Lock Screen' -Status "Applying the Don't display last signed-in policy" -PercentComplete 50
-
- .\LGPO.exe /q /s "..\Security-Baselines-X\Lock Screen Policies\Don't display last signed-in\GptTmpl.inf"
-
+
+ .\LGPO.exe /q /s "..\Security-Baselines-X\Lock Screen Policies\Don't display last signed-in\GptTmpl.inf"
+
Write-Progress -Id 2 -Activity "Applying the Don't display last signed-in policy" -Completed
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
# ==========================================End of Lock Screen=============================================================
#endregion Lock-Screen
#region User-Account-Control
# ==========================================User Account Control===========================================================
$CurrentMainStep++
-
+
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = 'UAC'
-
+
switch (Select-Option -Options 'Yes', 'No', 'Exit' -Message "`nRun User Account Control category ?") {
- 'Yes' {
+ 'Yes' {
Write-Progress -Id 0 -Activity 'User Account Control' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
-
+
# Change current working directory to the LGPO's folder
Set-Location "$WorkingDir\LGPO_30"
.\LGPO.exe /q /s '..\Security-Baselines-X\User Account Control UAC Policies\GptTmpl.inf'
-
+
# Apply the Automatically deny all UAC prompts on Standard accounts policy
switch (Select-Option -SubCategory -Options 'Yes', 'No', 'Exit' -Message "`nAutomatically deny all UAC prompts on Standard accounts ?") {
'Yes' {
Write-Progress -Id 3 -ParentId 0 -Activity 'User Account Control' -Status 'Automatically deny all UAC prompts on Standard accounts policy' -PercentComplete 50
-
- .\LGPO.exe /q /s '..\Security-Baselines-X\User Account Control UAC Policies\Automatically deny all UAC prompts on Standard accounts\GptTmpl.inf'
-
+
+ .\LGPO.exe /q /s '..\Security-Baselines-X\User Account Control UAC Policies\Automatically deny all UAC prompts on Standard accounts\GptTmpl.inf'
+
Write-Progress -Id 3 -Activity 'Automatically deny all UAC prompts on Standard accounts policy' -Completed
} 'No' { break }
'Exit' { &$CleanUp }
@@ -1806,12 +1806,12 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
'Yes' {
Write-Progress -Id 4 -ParentId 0 -Activity 'User Account Control' -Status 'Hide the entry points for Fast User Switching policy' -PercentComplete 50
- .\LGPO.exe /q /m '..\Security-Baselines-X\User Account Control UAC Policies\Hides the entry points for Fast User Switching\registry.pol'
-
+ .\LGPO.exe /q /m '..\Security-Baselines-X\User Account Control UAC Policies\Hides the entry points for Fast User Switching\registry.pol'
+
Write-Progress -Id 4 -Activity 'Hide the entry points for Fast User Switching policy' -Completed
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
# Apply the Only elevate executables that are signed and validated policy
switch (Select-Option -SubCategory -Options 'Yes', 'No', 'Exit' -Message "`nOnly elevate executables that are signed and validated ?" -ExtraMessage 'Read the GitHub Readme!') {
@@ -1819,29 +1819,29 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Progress -Id 5 -ParentId 0 -Activity 'User Account Control' -Status 'Only elevate executables that are signed and validated' -PercentComplete 50
.\LGPO.exe /q /s '..\Security-Baselines-X\User Account Control UAC Policies\Only elevate executables that are signed and validated\GptTmpl.inf'
-
+
Write-Progress -Id 5 -Activity 'Only elevate executables that are signed and validated' -Completed
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
# ==========================================End of User Account Control====================================================
#endregion User-Account-Control
- #region Windows-Firewall
+ #region Windows-Firewall
# ====================================================Windows Firewall=====================================================
$CurrentMainStep++
-
+
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = '🔥 Firewall'
-
+
switch (Select-Option -Options 'Yes', 'No', 'Exit' -Message "`nRun Windows Firewall category ?") {
- 'Yes' {
+ 'Yes' {
Write-Progress -Id 0 -Activity 'Windows Firewall' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
-
+
# Change current working directory to the LGPO's folder
Set-Location "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\Windows Firewall Policies\registry.pol'
@@ -1852,27 +1852,27 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
ForEach-Object -Process { Disable-NetFirewallRule -DisplayName $_.DisplayName }
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
# =================================================End of Windows Firewall=================================================
#endregion Windows-Firewall
- #region Optional-Windows-Features
+ #region Optional-Windows-Features
# =================================================Optional Windows Features===============================================
$CurrentMainStep++
-
+
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = 'Optional Features'
-
+
switch (Select-Option -Options 'Yes', 'No', 'Exit' -Message "`nRun Optional Windows Features category ?") {
- 'Yes' {
+ 'Yes' {
Write-Progress -Id 0 -Activity 'Optional Windows Features' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
-
+
# since PowerShell Core (only if installed from Microsoft Store) has problem with these commands, making sure the built-in PowerShell handles them
# There are Github issues for it already: https://github.com/PowerShell/PowerShell/issues/13866
powershell.exe -Command {
- # Disable PowerShell v2 (part 1)
+ # Disable PowerShell v2 (part 1)
Write-Host -Object "`nDisabling PowerShellv2 1st part" -ForegroundColor Yellow
if ((Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2).state -eq 'enabled') {
try {
@@ -1880,11 +1880,11 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
catch {
# show error
- $_
+ $_
}
}
else {
- Write-Host -Object 'PowerShellv2 1st part is already disabled' -ForegroundColor Green
+ Write-Host -Object 'PowerShellv2 1st part is already disabled' -ForegroundColor Green
}
# Disable PowerShell v2 (part 2)
@@ -1897,16 +1897,16 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
catch {
# show error
- $_
+ $_
}
}
else {
Write-Host -Object 'PowerShellv2 2nd part is already disabled' -ForegroundColor Green
}
-
+
# Disable Work Folders client
Write-Host -Object "`nDisabling Work Folders" -ForegroundColor Yellow
- if ((Get-WindowsOptionalFeature -Online -FeatureName WorkFolders-Client).state -eq 'enabled') {
+ if ((Get-WindowsOptionalFeature -Online -FeatureName WorkFolders-Client).state -eq 'enabled') {
try {
Disable-WindowsOptionalFeature -Online -FeatureName WorkFolders-Client -NoRestart -ErrorAction Stop
# Shows the successful message only if removal process was successful
@@ -1917,10 +1917,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
$_
}
}
- else {
- Write-Host -Object 'Work Folders is already disabled' -ForegroundColor Green
+ else {
+ Write-Host -Object 'Work Folders is already disabled' -ForegroundColor Green
}
-
+
# Disable Internet Printing Client
Write-Host -Object "`nDisabling Internet Printing Client" -ForegroundColor Yellow
if ((Get-WindowsOptionalFeature -Online -FeatureName Printing-Foundation-Features).state -eq 'enabled') {
@@ -1935,13 +1935,13 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host -Object 'Internet Printing Client is already disabled' -ForegroundColor Green
- }
+ Write-Host -Object 'Internet Printing Client is already disabled' -ForegroundColor Green
+ }
# Uninstall Windows Media Player (legacy)
Write-Host -Object "`nUninstalling Windows Media Player (legacy)" -ForegroundColor Yellow
if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Media.WindowsMediaPlayer*' }).state -ne 'NotPresent') {
- try {
+ try {
Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Media.WindowsMediaPlayer*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
Write-Host -Object 'Windows Media Player (legacy) has been uninstalled.' -ForegroundColor Green
@@ -1954,7 +1954,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
else {
Write-Host -Object 'Windows Media Player (legacy) is already uninstalled.' -ForegroundColor Green
}
-
+
# Enable Microsoft Defender Application Guard
Write-Host -Object "`nEnabling Microsoft Defender Application Guard" -ForegroundColor Yellow
if ((Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard).state -eq 'disabled') {
@@ -1969,17 +1969,17 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host -Object 'Microsoft Defender Application Guard is already enabled' -ForegroundColor Green
+ Write-Host -Object 'Microsoft Defender Application Guard is already enabled' -ForegroundColor Green
}
}
# Need to split the commands in 2 scriptblocks so we don't get "program PowerShell.exe failed to run: The filename or extension is too long" error
powershell.exe -Command {
-
+
# Enable Windows Sandbox
Write-Host -Object "`nEnabling Windows Sandbox" -ForegroundColor Yellow
- if ((Get-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM).state -eq 'disabled') {
+ if ((Get-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM).state -eq 'disabled') {
try {
Enable-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM -All -NoRestart -ErrorAction Stop
# Shows the successful message only if enablement process was successful
@@ -1990,10 +1990,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
$_
}
}
- else {
- Write-Host -Object 'Windows Sandbox is already enabled' -ForegroundColor Green
+ else {
+ Write-Host -Object 'Windows Sandbox is already enabled' -ForegroundColor Green
}
-
+
# Enable Hyper-V
Write-Host -Object "`nEnabling Hyper-V" -ForegroundColor Yellow
if ((Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V).state -eq 'disabled') {
@@ -2010,7 +2010,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
else {
Write-Host -Object 'Hyper-V is already enabled' -ForegroundColor Green
}
-
+
# Enable Virtual Machine Platform
Write-Host -Object "`nEnabling Virtual Machine Platform" -ForegroundColor Yellow
if ((Get-WindowsOptionalFeature -Online -FeatureName VirtualMachinePlatform).state -eq 'disabled') {
@@ -2027,25 +2027,25 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
else {
Write-Host -Object 'Virtual Machine Platform is already enabled' -ForegroundColor Green
}
-
- # Uninstall VBScript that is now uninstallable as an optional features since Windows 11 insider Dev build 25309 - Won't do anything in other builds
- if (Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*VBSCRIPT*' }) {
- try {
- Write-Host -Object "`nUninstalling VBSCRIPT" -ForegroundColor Yellow
+
+ # Uninstall VBScript that is now uninstallable as an optional features since Windows 11 insider Dev build 25309 - Won't do anything in other builds
+ if (Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*VBSCRIPT*' }) {
+ try {
+ Write-Host -Object "`nUninstalling VBSCRIPT" -ForegroundColor Yellow
Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*VBSCRIPT*' } | Remove-WindowsCapability -Online -ErrorAction Stop
- # Shows the successful message only if removal process was successful
+ # Shows the successful message only if removal process was successful
Write-Host -Object 'VBSCRIPT has been uninstalled' -ForegroundColor Green
}
catch {
# show errors
$_
}
- }
-
+ }
+
# Uninstall Internet Explorer mode functionality for Edge
Write-Host -Object "`nUninstalling Internet Explorer mode functionality for Edge" -ForegroundColor Yellow
if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Browser.InternetExplorer*' }).state -ne 'NotPresent') {
- try {
+ try {
Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Browser.InternetExplorer*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
Write-Host -Object 'Internet Explorer mode functionality for Edge has been uninstalled' -ForegroundColor Green
@@ -2059,10 +2059,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object 'Internet Explorer mode functionality for Edge is already uninstalled.' -ForegroundColor Green
}
- # Uninstall WMIC
+ # Uninstall WMIC
Write-Host -Object "`nUninstalling WMIC" -ForegroundColor Yellow
- if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*wmic*' }).state -ne 'NotPresent') {
- try {
+ if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*wmic*' }).state -ne 'NotPresent') {
+ try {
Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*wmic*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
Write-Host -Object 'WMIC has been uninstalled' -ForegroundColor Green
@@ -2079,7 +2079,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Uninstall Legacy Notepad
Write-Host -Object "`nUninstalling Legacy Notepad" -ForegroundColor Yellow
if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Microsoft.Windows.Notepad.System*' }).state -ne 'NotPresent') {
- try {
+ try {
Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Microsoft.Windows.Notepad.System*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
Write-Host -Object 'Legacy Notepad has been uninstalled. The modern multi-tabbed Notepad is unaffected.' -ForegroundColor Green
@@ -2096,7 +2096,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Uninstall WordPad
Write-Host -Object "`nUninstalling WordPad" -ForegroundColor Yellow
if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Microsoft.Windows.WordPad*' }).state -ne 'NotPresent') {
- try {
+ try {
Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Microsoft.Windows.WordPad*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
Write-Host -Object 'WordPad has been uninstalled.' -ForegroundColor Green
@@ -2108,12 +2108,12 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
else {
Write-Host -Object 'WordPad is already uninstalled.' -ForegroundColor Green
- }
+ }
# Uninstall PowerShell ISE
Write-Host -Object "`nUninstalling PowerShell ISE" -ForegroundColor Yellow
if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Microsoft.Windows.PowerShell.ISE*' }).state -ne 'NotPresent') {
- try {
+ try {
Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Microsoft.Windows.PowerShell.ISE*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
Write-Host -Object 'PowerShell ISE has been uninstalled.' -ForegroundColor Green
@@ -2125,15 +2125,15 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
else {
Write-Host -Object 'PowerShell ISE is already uninstalled.' -ForegroundColor Green
- }
+ }
}
powershell.exe -Command {
-
+
# Uninstall Steps Recorder
Write-Host -Object "`nUninstalling Steps Recorder" -ForegroundColor Yellow
if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*App.StepsRecorder*' }).state -ne 'NotPresent') {
- try {
+ try {
Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*App.StepsRecorder*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
Write-Host -Object 'Steps Recorder has been uninstalled.' -ForegroundColor Green
@@ -2145,26 +2145,26 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
else {
Write-Host -Object 'Steps Recorder is already uninstalled.' -ForegroundColor Green
- }
+ }
}
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
# ==============================================End of Optional Windows Features===========================================
#endregion Optional-Windows-Features
- #region Windows-Networking
+ #region Windows-Networking
# ====================================================Windows Networking===================================================
$CurrentMainStep++
-
+
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = 'Networking'
switch (Select-Option -Options 'Yes', 'No', 'Exit' -Message "`nRun Windows Networking category ?") {
- 'Yes' {
+ 'Yes' {
Write-Progress -Id 0 -Activity 'Windows Networking' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
-
+
# Change current working directory to the LGPO's folder
Set-Location "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\Windows Networking Policies\registry.pol'
@@ -2181,22 +2181,22 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# =================================================End of Windows Networking===============================================
#endregion Windows-Networking
- #region Miscellaneous-Configurations
+ #region Miscellaneous-Configurations
# ==============================================Miscellaneous Configurations===============================================
$CurrentMainStep++
-
+
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = 'Miscellaneous'
switch (Select-Option -Options 'Yes', 'No', 'Exit' -Message "`nRun Miscellaneous Configurations category ?") {
- 'Yes' {
+ 'Yes' {
Write-Progress -Id 0 -Activity 'Miscellaneous Configurations' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
-
+
# Miscellaneous Registry section
Set-Location $WorkingDir
[System.Object[]]$Items = Import-Csv '.\Registry.csv' -Delimiter ','
foreach ($Item in $Items) {
- if ($Item.category -eq 'Miscellaneous') {
+ if ($Item.category -eq 'Miscellaneous') {
Edit-Registry -path $Item.Path -key $Item.Key -value $Item.Value -type $Item.Type -Action $Item.Action
}
}
@@ -2208,27 +2208,27 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Apply the Blocking Untrusted Fonts policy
switch (Select-Option -SubCategory -Options 'Yes', 'No', 'Exit' -Message "`nBlock Untrusted Fonts ?") {
'Yes' {
- .\LGPO.exe /q /m '..\Security-Baselines-X\Miscellaneous Policies\Blocking Untrusted Fonts\registry.pol'
+ .\LGPO.exe /q /m '..\Security-Baselines-X\Miscellaneous Policies\Blocking Untrusted Fonts\registry.pol'
} 'No' { break }
'Exit' { &$CleanUp }
}
-
+
# Allow all Windows users to use Hyper-V and Windows Sandbox by adding all Windows users to the "Hyper-V Administrators" security group using its SID
Get-LocalUser | Where-Object -FilterScript { $_.enabled -eq 'True' } | ForEach-Object -Process { Add-LocalGroupMember -SID 'S-1-5-32-578' -Member "$($_.SID)" -ErrorAction SilentlyContinue }
-
+
# Makes sure auditing for the "Other Logon/Logoff Events" subcategory under the Logon/Logoff category is enabled, doesn't touch affect any other sub-category
# For tracking Lock screen unlocks and locks
# auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
# Using GUID
auditpol /set /subcategory:"{0CCE921C-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable | Out-Null
-
+
# Query all Audits status
# auditpol /get /category:*
# Get the list of subcategories and their associated GUIDs
# auditpol /list /subcategory:* /r
# Event Viewer custom views are saved in "C:\ProgramData\Microsoft\Event Viewer\Views". files in there can be backed up and restored on new Windows installations.
- New-Item -ItemType Directory -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script\' -Force | Out-Null
+ New-Item -ItemType Directory -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script\' -Force | Out-Null
# Due to change in event viewer custom log files, making sure no old file names exist
if (Test-Path -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script') {
@@ -2238,24 +2238,24 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
New-Item -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script' -ItemType Directory -Force | Out-Null
Expand-Archive -Path "$WorkingDir\EventViewerCustomViews.zip" -DestinationPath 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script' -Force -ErrorAction Stop
-
+
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
# ============================================End of Miscellaneous Configurations==========================================
#endregion Miscellaneous-Configurations
-
- #region Windows-Update-Configurations
+
+ #region Windows-Update-Configurations
# ====================================================Windows Update Configurations==============================================
$CurrentMainStep++
-
+
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = 'Windows Update'
switch (Select-Option -Options 'Yes', 'No', 'Exit' -Message "`nApply Windows Update Policies ?") {
'Yes' {
Write-Progress -Id 0 -Activity 'Windows Update Configurations' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
-
+
# Enable restart notification for Windows update
Edit-Registry -path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings' -key 'RestartNotificationsAllowed2' -value '1' -type 'DWORD' -Action 'AddOrModify'
# Change current working directory to the LGPO's folder
@@ -2263,21 +2263,21 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
.\LGPO.exe /q /m '..\Security-Baselines-X\Windows Update Policies\registry.pol'
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
# ====================================================End of Windows Update Configurations=======================================
#endregion Windows-Update-Configurations
#region Edge-Browser-Configurations
# ====================================================Edge Browser Configurations====================================================
$CurrentMainStep++
-
+
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = 'Edge'
switch (Select-Option -Options 'Yes', 'No', 'Exit' -Message "`nApply Edge Browser Configurations ?") {
- 'Yes' {
+ 'Yes' {
Write-Progress -Id 0 -Activity 'Edge Browser Configurations' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
-
+
# Edge Browser Configurations registry
Set-Location $WorkingDir
[System.Object[]]$Items = Import-Csv '.\Registry.csv' -Delimiter ','
@@ -2288,33 +2288,33 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
# ====================================================End of Edge Browser Configurations==============================================
#endregion Edge-Browser-Configurations
-
- #region Certificate-Checking-Commands
+
+ #region Certificate-Checking-Commands
# ====================================================Certificate Checking Commands========================================
$CurrentMainStep++
-
+
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = 'Certificates'
switch (Select-Option -Options 'Yes', 'No', 'Exit' -Message "`nRun Certificate Checking category ?") {
- 'Yes' {
+ 'Yes' {
Write-Progress -Id 0 -Activity 'Certificate Checking Commands' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
-
+
try {
- Invoke-WithoutProgress {
+ Invoke-WithoutProgress {
Invoke-WebRequest -Uri 'https://live.sysinternals.com/sigcheck64.exe' -OutFile 'sigcheck64.exe' -ErrorAction Stop
- }
+ }
}
- catch {
+ catch {
Write-Host -Object "sigcheck64.exe couldn't be downloaded from https://live.sysinternals.com" -ForegroundColor Red
break
- }
+ }
Write-Host -NoNewline "`nListing valid certificates not rooted to the Microsoft Certificate Trust List in the" -ForegroundColor Yellow; Write-Host -Object " User store`n" -ForegroundColor cyan
- .\sigcheck64.exe -tuv -accepteula -nobanner
-
+ .\sigcheck64.exe -tuv -accepteula -nobanner
+
Write-Host -NoNewline "`nListing valid certificates not rooted to the Microsoft Certificate Trust List in the" -ForegroundColor Yellow; Write-Host -Object " Machine Store`n" -ForegroundColor Blue
.\sigcheck64.exe -tv -accepteula -nobanner
Remove-Item -Path .\sigcheck64.exe -Force
@@ -2324,40 +2324,40 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# ====================================================End of Certificate Checking Commands=================================
#endregion Certificate-Checking-Commands
- #region Country-IP-Blocking
+ #region Country-IP-Blocking
# ====================================================Country IP Blocking==================================================
$CurrentMainStep++
-
+
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = 'Country IPs'
-
+
switch (Select-Option -Options 'Yes', 'No', 'Exit' -Message "`nRun Country IP Blocking category ?") {
- 'Yes' {
+ 'Yes' {
Write-Progress -Id 0 -Activity 'Country IP Blocking' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
-
- # -RemoteAddress in New-NetFirewallRule accepts array according to Microsoft Docs,
+
+ # -RemoteAddress in New-NetFirewallRule accepts array according to Microsoft Docs,
# so we use "[System.String[]]$IPList = $IPList -split '\r?\n' -ne ''" to convert the IP lists, which is a single multiline string, into an array
function Block-CountryIP {
param ([System.String[]]$IPList , [System.String]$ListName)
-
- # deletes previous rules (if any) to get new up-to-date IP ranges from the sources and set new rules
+
+ # deletes previous rules (if any) to get new up-to-date IP ranges from the sources and set new rules
Remove-NetFirewallRule -DisplayName "$ListName IP range blocking" -PolicyStore localhost -ErrorAction SilentlyContinue
-
+
# converts the list which is in string into array
[System.String[]]$IPList = $IPList -split '\r?\n' -ne ''
# makes sure the list isn't empty
if ($IPList.count -eq 0) {
Write-Host -Object "The IP list was empty, skipping $ListName" -ForegroundColor Yellow
- break
- }
+ break
+ }
New-NetFirewallRule -DisplayName "$ListName IP range blocking" -Direction Inbound -Action Block -LocalAddress Any -RemoteAddress $IPList -Description "$ListName IP range blocking" -EdgeTraversalPolicy Block -PolicyStore localhost
- New-NetFirewallRule -DisplayName "$ListName IP range blocking" -Direction Outbound -Action Block -LocalAddress Any -RemoteAddress $IPList -Description "$ListName IP range blocking" -EdgeTraversalPolicy Block -PolicyStore localhost
+ New-NetFirewallRule -DisplayName "$ListName IP range blocking" -Direction Outbound -Action Block -LocalAddress Any -RemoteAddress $IPList -Description "$ListName IP range blocking" -EdgeTraversalPolicy Block -PolicyStore localhost
}
switch (Select-Option -SubCategory -Options 'Yes', 'No' -Message 'Add countries in the State Sponsors of Terrorism list to the Firewall block list?') {
'Yes' {
- Invoke-WithoutProgress {
+ Invoke-WithoutProgress {
$global:StateSponsorsofTerrorism = Invoke-RestMethod -Uri 'https://raw.githubusercontent.com/HotCakeX/Official-IANA-IP-blocks/main/Curated-Lists/StateSponsorsOfTerrorism.txt'
}
Block-CountryIP -IPList $StateSponsorsofTerrorism -ListName 'State Sponsors of Terrorism'
@@ -2365,8 +2365,8 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
switch (Select-Option -SubCategory -Options 'Yes', 'No' -Message 'Add OFAC Sanctioned Countries to the Firewall block list?') {
'Yes' {
- Invoke-WithoutProgress {
- $global:OFACSanctioned = Invoke-RestMethod -Uri 'https://raw.githubusercontent.com/HotCakeX/Official-IANA-IP-blocks/main/Curated-Lists/OFACSanctioned.txt'
+ Invoke-WithoutProgress {
+ $global:OFACSanctioned = Invoke-RestMethod -Uri 'https://raw.githubusercontent.com/HotCakeX/Official-IANA-IP-blocks/main/Curated-Lists/OFACSanctioned.txt'
}
Block-CountryIP -IPList $OFACSanctioned -ListName 'OFAC Sanctioned Countries'
} 'No' { break }
@@ -2374,46 +2374,46 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# how to query the number of IPs in each rule
# (Get-NetFirewallRule -DisplayName "OFAC Sanctioned Countries IP range blocking" -PolicyStore localhost | Get-NetFirewallAddressFilter).RemoteAddress.count
-
+
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
# ====================================================End of Country IP Blocking===========================================
#endregion Country-IP-Blocking
-
+
} # End of Admin test function
#region Non-Admin-Commands
# ====================================================Non-Admin Commands===================================================
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = 'Non-Admins'
-
+
switch (Select-Option -Options 'Yes', 'No', 'Exit' -Message "`nRun Non-Admin category ?") {
'Yes' {
$CurrentMainStep = $TotalMainSteps
Write-Progress -Id 0 -Activity 'Non-Admin category' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
-
- # Non-Admin Registry section
- Set-Location $WorkingDir
- Invoke-WithoutProgress {
+
+ # Non-Admin Registry section
+ Set-Location $WorkingDir
+ Invoke-WithoutProgress {
# Download Registry CSV file from GitHub or Azure DevOps
try {
- Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Payload/Registry.csv' -OutFile '.\Registry.csv' -ErrorAction Stop
+ Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Payload/Registry.csv' -OutFile '.\Registry.csv' -ErrorAction Stop
}
catch {
Write-Host -Object 'Using Azure DevOps...' -ForegroundColor Yellow
Invoke-WebRequest -Uri 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Payload/Registry.csv' -OutFile '.\Registry.csv' -ErrorAction Stop
- }
+ }
}
[System.Object[]]$Items = Import-Csv '.\Registry.csv' -Delimiter ','
foreach ($Item in $Items) {
- if ($Item.category -eq 'NonAdmin') {
+ if ($Item.category -eq 'NonAdmin') {
Edit-Registry -path $Item.Path -key $Item.Key -value $Item.Value -type $Item.Type -Action $Item.Action
}
- }
+ }
# Only suggest restarting the device if Admin related categories were run
- if (Test-IsAdmin) {
+ if (Test-IsAdmin) {
Write-Host -Object "`r`n"
Write-SmartText -C Rainbow -G Cyan -I "################################################################################################`r`n"
Write-SmartText -C MintGreen -G Cyan -I "### Please Restart your device to completely apply the security measures and Group Policies ###`r`n"
@@ -2436,19 +2436,19 @@ finally {
# restoring the original Controlled folder access allow list - if user already had added PowerShell executables to the list
# they will be restored as well, so user customization will remain intact
- if ($null -ne $CFAAllowedAppsBackup) {
+ if ($null -ne $CFAAllowedAppsBackup) {
Set-MpPreference -ControlledFolderAccessAllowedApplications $CFAAllowedAppsBackup
}
}
- Set-Location $HOME; Remove-Item -Recurse -Path "$global:UserTempDirectoryPath\HardeningXStuff\" -Force -ErrorAction SilentlyContinue
+ Set-Location $HOME; Remove-Item -Recurse -Path "$global:UserTempDirectoryPath\HardeningXStuff\" -Force -ErrorAction SilentlyContinue
# Disable progress bars
0..6 | ForEach-Object -Process { Write-Progress -Id $_ -Activity 'Done' -Completed }
# Restore the title of the PowerShell back to what it was prior to running the script/module
$Host.UI.RawUI.WindowTitle = $CurrentPowerShellTitle
-
+
# Set the execution policy back to what it was prior to running the script
Set-ExecutionPolicy -ExecutionPolicy "$CurrentExecutionPolicy" -Scope Process -Force
}
From 7f9565c34698cb7dd72d90631f7b6ed1d5b8285e Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Sun, 10 Dec 2023 11:16:20 -0930
Subject: [PATCH 06/79] More trailing whitespace removal
---
.../Misc/ADMX as XML parsing.ps1 | 8 +-
.../Confirm-SystemCompliance.psm1 | 910 +++++++++---------
.../Misc/Only Show Group Policy Data.ps1 | 16 +-
.../only show Registry count and content.ps1 | 6 +-
.../Protect-WindowsSecurity.psm1 | 6 +-
5 files changed, 473 insertions(+), 473 deletions(-)
diff --git a/Harden-Windows-Security Module/Misc/ADMX as XML parsing.ps1 b/Harden-Windows-Security Module/Misc/ADMX as XML parsing.ps1
index 11d6781d0..db909e498 100644
--- a/Harden-Windows-Security Module/Misc/ADMX as XML parsing.ps1
+++ b/Harden-Windows-Security Module/Misc/ADMX as XML parsing.ps1
@@ -17,7 +17,7 @@ foreach ($policy in $xmlContent.policyDefinitions.policies.policy) {
# Check if the policy's class is class="Machine"
if ($policy.class -eq "Machine") {
# Add HKEY_LOCAL_MACHINE to the beginning of the key
- $key = "HKLM:\" + $policy.key
+ $key = "HKLM:\" + $policy.key
}
else {
# Use the key as it is
@@ -28,13 +28,13 @@ foreach ($policy in $xmlContent.policyDefinitions.policies.policy) {
$result = [PSCustomObject]@{
Category = "Microsoft Defender"
RegistryKey = $key
- RegistryName = $policy.valueName
+ RegistryName = $policy.valueName
}
# Check if the registry key exists and get its value
- try {
+ try {
$regValue = Get-ItemPropertyValue -Path $key -Name $policy.valueName -ErrorAction Stop
-
+
# Add the value as a property of the PSCustomObject
$result | Add-Member -MemberType NoteProperty -Name 'RegValue' -Value $regValue
}
diff --git a/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Confirm-SystemCompliance.psm1 b/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Confirm-SystemCompliance.psm1
index ef3709b29..4c13891c9 100644
--- a/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Confirm-SystemCompliance.psm1
+++ b/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Confirm-SystemCompliance.psm1
@@ -2,10 +2,10 @@
function ConvertFrom-IniFile {
[CmdletBinding()]
Param ([string]$IniFile)
-
+
# Don't prompt to continue if '-Debug' is specified.
$DebugPreference = 'Continue'
-
+
[hashtable]$IniObject = @{}
[string]$SectionName = ''
switch -regex -file $IniFile {
@@ -33,49 +33,49 @@ function ConvertFrom-IniFile {
}
# Main function that also parses the output of "gpresult /Scope Computer /x GPResult.xml"
-function Confirm-SystemCompliance {
+function Confirm-SystemCompliance {
[CmdletBinding()]
param (
- [parameter(Mandatory = $false)]
+ [parameter(Mandatory = $false)]
[switch]$ExportToCSV,
- [parameter(Mandatory = $false)]
+ [parameter(Mandatory = $false)]
[switch]$ShowAsObjectsOnly,
- [parameter(Mandatory = $false)]
- [switch]$DetailedDisplay
+ [parameter(Mandatory = $false)]
+ [switch]$DetailedDisplay
)
begin {
Write-Progress -Activity 'Starting' -Status 'Processing...' -PercentComplete 5
-
+
# Make sure the latest version of the module is installed and if not, automatically update it, clean up any old versions
- function Update-self {
+ function Update-self {
[version]$CurrentVersion = (Test-modulemanifest "$psscriptroot\Harden-Windows-Security-Module.psd1" -ErrorAction Stop).Version
-
- try {
- [version]$LatestVersion = Invoke-RestMethod -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security%20Module/version.txt'
+
+ try {
+ [version]$LatestVersion = Invoke-RestMethod -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security%20Module/version.txt'
}
- catch {
+ catch {
Write-Error -Message "Couldn't verify if the latest version of the module is installed, please check your Internet connection." -ErrorAction Stop
}
-
+
if ($CurrentVersion -lt $LatestVersion) {
Write-Output "$($PSStyle.Foreground.FromRGB(255,105,180))The currently installed module's version is $CurrentVersion while the latest version is $LatestVersion - Auto Updating the module... 💓$($PSStyle.Reset)"
Remove-Module -Name 'Harden-Windows-Security-Module' -Force
# Do this if the module was installed properly using Install-moodule cmdlet
try {
Uninstall-Module -Name 'Harden-Windows-Security-Module' -AllVersions -Force -ErrorAction Stop
- Install-Module -Name 'Harden-Windows-Security-Module' -RequiredVersion $LatestVersion -Force -ErrorAction Stop
+ Install-Module -Name 'Harden-Windows-Security-Module' -RequiredVersion $LatestVersion -Force -ErrorAction Stop
Import-Module -Name 'Harden-Windows-Security-Module' -RequiredVersion $LatestVersion -Force -Global -ErrorAction Stop
}
# Do this if module files/folder was just copied to Documents folder and not properly installed - Should rarely happen
catch {
Install-Module -Name 'Harden-Windows-Security-Module' -RequiredVersion $LatestVersion -Force -ErrorAction Stop
Import-Module -Name 'Harden-Windows-Security-Module' -RequiredVersion $LatestVersion -Force -Global -ErrorAction Stop
- }
+ }
# Make sure the old version isn't run after update
- Write-Output "$($PSStyle.Foreground.FromRGB(152,255,152))Update successful, please run the Confirm-SystemCompliance cmdlet again.$($PSStyle.Reset)"
+ Write-Output "$($PSStyle.Foreground.FromRGB(152,255,152))Update successful, please run the Confirm-SystemCompliance cmdlet again.$($PSStyle.Reset)"
break
- return
+ return
}
}
@@ -91,18 +91,18 @@ function Confirm-SystemCompliance {
# Stop operation as soon as there is an error anywhere, unless explicitly specified otherwise
$ErrorActionPreference = 'SilentlyContinue'
-
+
Write-Progress -Activity 'Gathering Security Policy Information' -Status 'Processing...' -PercentComplete 15
Secedit /export /cfg .\security_policy.inf | Out-Null
# Storing the output of the ini file parsing function
[PSCustomObject]$SecurityPoliciesIni = ConvertFrom-IniFile -IniFile .\security_policy.inf
-
+
Write-Progress -Activity 'Downloading Registry CSV File from GitHub or Azure DevOps' -Status 'Processing...' -PercentComplete 20
# Download Registry CSV file from GitHub or Azure DevOps
try {
- Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Payload/Registry.csv' -OutFile '.\Registry.csv' -ErrorAction Stop
+ Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Payload/Registry.csv' -OutFile '.\Registry.csv' -ErrorAction Stop
}
catch {
Write-Host 'Using Azure DevOps...' -ForegroundColor Yellow
@@ -118,23 +118,23 @@ function Confirm-SystemCompliance {
Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Payload/Group-Policies.json' -OutFile ".\Group-Policies.json" -ErrorAction Stop
}
catch {
- Write-Error -Message "Group-Policies.json file couldn't be downloaded, exitting..."
+ Write-Error -Message "Group-Policies.json file couldn't be downloaded, exitting..."
}
# Hash table to store Hardening Script's Policy Categories and Names
- # Importing it from the JSON file as hashtable
+ # Importing it from the JSON file as hashtable
[System.Collections.Hashtable]$HashPol = Get-Content -Path '.\Group-Policies.json' -ErrorAction Stop | ConvertFrom-Json -Depth 100 -AsHashtable -ErrorAction Stop
-
+
Write-Progress -Activity 'Gathering Group Policy Information' -Status 'Processing...' -PercentComplete 30
Gpresult /Scope Computer /x .\GPResult.xml /f
# Load the xml file into a variable
[System.Xml.XmlDocument]$GroupPolicyXmlContent = Get-Content -Path .\GPResult.xml -ErrorAction Stop
-
+
# An array to store each Group Policy "<q6:Policy>" element as a separate object
[System.Array]$PoliciesOutput = @()
# Use dot notation to access the Group Policy elements
- $GroupPolicyXmlContent.Rsop.ComputerResults.ExtensionData.Extension.Policy | Where-Object { $null -ne $_.name } | ForEach-Object {
+ $GroupPolicyXmlContent.Rsop.ComputerResults.ExtensionData.Extension.Policy | Where-Object { $null -ne $_.name } | ForEach-Object {
# All the sub-elements of the "<q6:Policy>" that we need to verify
$PoliciesOutput += [PSCustomObject]@{
Name = $_.Name
@@ -168,7 +168,7 @@ function Confirm-SystemCompliance {
# An array to store Group Policy Firewall settings as an object
[System.Array]$FirewallPoliciesOutput = @()
# Use dot notation to access the Group Policy elements - sometimes the type is q4 or q3 or q7, so using wildcard for the number
- [System.Xml.XmlLinkedNode]$FirewallGroupPolicySettings = $GroupPolicyXmlContent.Rsop.ComputerResults.ExtensionData.Extension | Where-Object { $_.type -like 'q*:WindowsFirewallSettings' }
+ [System.Xml.XmlLinkedNode]$FirewallGroupPolicySettings = $GroupPolicyXmlContent.Rsop.ComputerResults.ExtensionData.Extension | Where-Object { $_.type -like 'q*:WindowsFirewallSettings' }
$FirewallPoliciesOutput += [PSCustomObject]@{
@@ -180,7 +180,7 @@ function Confirm-SystemCompliance {
DomainDoNotAllowExceptions = $FirewallGroupPolicySettings.DomainProfile.DoNotAllowExceptions.value
DomainEnableFirewall = $FirewallGroupPolicySettings.DomainProfile.EnableFirewall.value
DomainLogFilePath = $FirewallGroupPolicySettings.DomainProfile.LogFilePath.value
- DomainLogFileSize = $FirewallGroupPolicySettings.DomainProfile.LogFileSize.value
+ DomainLogFileSize = $FirewallGroupPolicySettings.DomainProfile.LogFileSize.value
DomainLogDroppedPackets = $FirewallGroupPolicySettings.DomainProfile.LogDroppedPackets.value
DomainLogSuccessfulConnections = $FirewallGroupPolicySettings.DomainProfile.LogSuccessfulConnections.value
# Public profile policies
@@ -192,16 +192,16 @@ function Confirm-SystemCompliance {
PublicDoNotAllowExceptions = $FirewallGroupPolicySettings.PublicProfile.DoNotAllowExceptions.value
PublicEnableFirewall = $FirewallGroupPolicySettings.PublicProfile.EnableFirewall.value
PublicLogFilePath = $FirewallGroupPolicySettings.PublicProfile.LogFilePath.value
- PublicLogFileSize = $FirewallGroupPolicySettings.PublicProfile.LogFileSize.value
+ PublicLogFileSize = $FirewallGroupPolicySettings.PublicProfile.LogFileSize.value
PublicLogDroppedPackets = $FirewallGroupPolicySettings.PublicProfile.LogDroppedPackets.value
- PublicLogSuccessfulConnections = $FirewallGroupPolicySettings.PublicProfile.LogSuccessfulConnections.value
+ PublicLogSuccessfulConnections = $FirewallGroupPolicySettings.PublicProfile.LogSuccessfulConnections.value
# Private profile policies
PrivateDefaultInboundAction = $FirewallGroupPolicySettings.PrivateProfile.DefaultInboundAction.value
PrivateDefaultOutboundAction = $FirewallGroupPolicySettings.PrivateProfile.DefaultOutboundAction.value
- PrivateDisableNotifications = $FirewallGroupPolicySettings.PrivateProfile.DisableNotifications.value
+ PrivateDisableNotifications = $FirewallGroupPolicySettings.PrivateProfile.DisableNotifications.value
PrivateEnableFirewall = $FirewallGroupPolicySettings.PrivateProfile.EnableFirewall.value
PrivateLogFilePath = $FirewallGroupPolicySettings.PrivateProfile.LogFilePath.value
- PrivateLogFileSize = $FirewallGroupPolicySettings.PrivateProfile.LogFileSize.value
+ PrivateLogFileSize = $FirewallGroupPolicySettings.PrivateProfile.LogFileSize.value
PrivateLogDroppedPackets = $FirewallGroupPolicySettings.PrivateProfile.LogDroppedPackets.value
PrivateLogSuccessfulConnections = $FirewallGroupPolicySettings.PrivateProfile.LogSuccessfulConnections.value
}
@@ -211,18 +211,18 @@ function Confirm-SystemCompliance {
[System.Array]$RegistriesOutput = @()
# Use dot notation to access the Policy element
$GroupPolicyXmlContent.Rsop.ComputerResults.ExtensionData.Extension.RegistrySetting | Where-Object { $null -ne $_.Value.Name } | ForEach-Object {
-
+
$RegistriesOutput += [PSCustomObject]@{
KeyPath = $_.KeyPath
Name = $_.Value.Name
- Number = $_.Value.Number
- }
+ Number = $_.Value.Number
+ }
}
-
+
# An object to store the FINAL results
$FinalMegaObject = [PSCustomObject]@{}
-
+
# Hash table to store Hardening Script's Registry Policy Categories and Names
# They are still Group Policies but instead of being in "<q6:Policy>" element they are in "<q6:RegistrySetting>"
[System.Collections.Hashtable]$HashReg = @{
@@ -230,139 +230,139 @@ function Confirm-SystemCompliance {
'Device Guard' = @{
1 = @{
KeyPath = 'Software\Policies\Microsoft\Windows\System'
- Name = 'RunAsPPL'
+ Name = 'RunAsPPL'
}
}
}
}
process {
-
+
#Region Microsoft-Defender-Category
Write-Progress -Activity 'Validating Microsoft Defender Category' -Status 'Processing...' -PercentComplete 35
# An array to store the nested custom objects (Results of the foreach loop), inside the main output object
[System.Array]$NestedObjectArray = @()
[String]$CatName = 'Microsoft Defender'
- # Loop through each nested hash table inside the main Policies hash table and check the item state using a switch statement
+ # Loop through each nested hash table inside the main Policies hash table and check the item state using a switch statement
foreach ($Key in $HashPol[$CatName].Keys) {
# Get the correct object from the PoliciesOutput Object that contains all the group policies in the xml file
$Item = $PoliciesOutput | Where-object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
switch ($Key) {
- 1 {
+ 1 {
[bool]$ItemState = ($Item.State -eq 'Enabled' `
-and $Item.DropDownListState -eq 'NotConfigured') ? $True : $False # It's actually Enabled but Gpresult shows NotConfigured!
}
2 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
+ [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
}
3 {
[bool]$ItemState = ($Item.State -eq 'Enabled' `
-and $Item.DropDownListState -eq 'Enabled' `
- -and $Item.DropDownListValue -eq 'Advanced MAPS') ? $True : $False
+ -and $Item.DropDownListValue -eq 'Advanced MAPS') ? $True : $False
}
4 {
[bool]$ItemState = ($Item.State -eq 'Enabled' `
-and $Item.DropDownListName -eq 'Send file samples when further analysis is required' `
-and $Item.DropDownListState -eq 'Enabled' `
-and $Item.DropDownListValue -eq 'Send all samples'
- ) ? $True : $False
+ ) ? $True : $False
}
5 {
[bool]$ItemState = ($Item.State -eq 'Enabled' `
-and $Item.DropDownListName -eq 'Configure the guard my folders feature' `
-and $Item.DropDownListState -eq 'NotConfigured' ` # It's actually Enabled but Gpresult shows NotConfigured!
- ) ? $True : $False
+ ) ? $True : $False
}
6 {
[bool]$ItemState = ($Item.State -eq 'Enabled' `
-and $Item.DropDownListState -eq 'NotConfigured' # It's actually Enabled but Gpresult shows NotConfigured!
- ) ? $True : $False
+ ) ? $True : $False
}
- 7 {
+ 7 {
[bool]$ItemState = ($Item.State -eq 'Enabled' `
-and $Item.NumericName -eq 'Specify the extended cloud check time in seconds' `
-and $Item.NumericState -eq 'Enabled' `
- -and $Item.NumericValue -eq '50'
- ) ? $True : $False
+ -and $Item.NumericValue -eq '50'
+ ) ? $True : $False
}
8 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
+ [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
}
9 {
[bool]$ItemState = ($Item.State -eq 'Enabled' `
-and $Item.DropDownListName -eq 'Select cloud blocking level' `
-and $Item.DropDownListState -eq 'Enabled' `
- -and $Item.DropDownListValue -eq 'Zero tolerance blocking level'
+ -and $Item.DropDownListValue -eq 'Zero tolerance blocking level'
) ? $True : $False
}
10 {
[bool]$ItemState = ($Item.State -eq 'Enabled' `
-and $Item.NumericName -eq 'Configure removal of items from Quarantine folder' `
-and $Item.NumericState -eq 'Enabled' `
- -and $Item.NumericValue -eq '3'
+ -and $Item.NumericValue -eq '3'
) ? $True : $False
}
11 {
[bool]$ItemState = ($Item.State -eq 'Enabled' `
-and $Item.NumericName -eq 'Define the maximum size of downloaded files and attachments to be scanned' `
-and $Item.NumericState -eq 'Enabled' `
- -and $Item.NumericValue -eq '10000000'
- ) ? $True : $False
+ -and $Item.NumericValue -eq '10000000'
+ ) ? $True : $False
}
12 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
+ [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
}
13 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
+ [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
}
14 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
+ [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
}
15 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
+ [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
}
16 {
[bool]$ItemState = ($Item.State -eq 'Enabled' `
-and $Item.NumericName -eq 'Specify the maximum depth to scan archive files' `
-and $Item.NumericState -eq 'Enabled' `
- -and $Item.NumericValue -eq '4294967295'
- ) ? $True : $False
+ -and $Item.NumericValue -eq '4294967295'
+ ) ? $True : $False
}
17 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
+ [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
}
18 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
+ [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
}
19 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
+ [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
}
20 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
+ [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
}
21 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
+ [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
}
22 {
[bool]$ItemState = ($Item.State -eq 'Enabled' `
-and $Item.NumericName -eq 'Define the number of days before spyware security intelligence is considered out of date' `
-and $Item.NumericState -eq 'Enabled' `
- -and $Item.NumericValue -eq '2'
- ) ? $True : $False
+ -and $Item.NumericValue -eq '2'
+ ) ? $True : $False
}
23 {
[bool]$ItemState = ($Item.State -eq 'Enabled' `
-and $Item.NumericName -eq 'Define the number of days before virus security intelligence is considered out of date' `
-and $Item.NumericState -eq 'Enabled' `
- -and $Item.NumericValue -eq '2'
- ) ? $True : $False
+ -and $Item.NumericValue -eq '2'
+ ) ? $True : $False
}
24 {
[bool]$ItemState = ($Item.State -eq 'Enabled' `
-and $Item.NumericName -eq 'Specify the interval to check for security intelligence updates' `
-and $Item.NumericState -eq 'Enabled' `
- -and $Item.NumericValue -eq '3'
- ) ? $True : $False
+ -and $Item.NumericValue -eq '3'
+ ) ? $True : $False
}
25 {
# ListBox 1
@@ -370,25 +370,25 @@ function Confirm-SystemCompliance {
# Write-Host "$1index" -ForegroundColor Yellow
$1ListData = $Item.ListBoxValue.element.Data[$1index]
# Write-Host "$1ListData" -ForegroundColor Yellow
-
+
# ListBox 2
$2index = $Item.ListBoxValue.element.Name.IndexOf("2")
# Write-Host "$2index" -ForegroundColor Yellow
$2ListData = $Item.ListBoxValue.element.Data[$2index]
# Write-Host "$2ListData" -ForegroundColor Yellow
-
+
# ListBox 3
$3index = $Item.ListBoxValue.element.Name.IndexOf("1")
# Write-Host "$3index" -ForegroundColor Yellow
$3ListData = $Item.ListBoxValue.element.Data[$3index]
# Write-Host "$3ListData" -ForegroundColor Yellow
-
+
# ListBox 4
$4index = $Item.ListBoxValue.element.Name.IndexOf("5")
# Write-Host "$4index" -ForegroundColor Yellow
$4ListData = $Item.ListBoxValue.element.Data[$4index]
# Write-Host "$4ListData" -ForegroundColor Yellow
-
+
[bool]$ItemState = ($Item.State -eq 'Enabled' `
-and $Item.ListBoxName -eq 'Specify threat alert levels at which default action should not be taken when detected' `
-and $Item.ListBoxState -eq 'Enabled' `
@@ -398,32 +398,32 @@ function Confirm-SystemCompliance {
-and $2ListData -eq '2' `
-and $3ListData -eq '2' `
-and $4ListData -eq '3' `
- ) ? $True : $False
+ ) ? $True : $False
}
26 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
+ [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
}
27 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
+ [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
}
28 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
+ [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
}
29 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
+ [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
+ }
}
-
+
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$NestedObjectArray += [PSCustomObject]@{
Name = $HashPol[$CatName][$Key].Name
Value = $ItemState
Compliant = $ItemState
Category = $CatName
- Method = 'Group Policy'
- }
+ Method = 'Group Policy'
+ }
}
-
+
# For PowerShell Cmdlet
$IndividualItemResult = $((Get-MpPreference).AllowSwitchToAsyncInspection)
$NestedObjectArray += [PSCustomObject]@{
@@ -431,9 +431,9 @@ function Confirm-SystemCompliance {
Value = $IndividualItemResult
Compliant = $IndividualItemResult
Category = $CatName
- Method = 'Cmdlet'
+ Method = 'Cmdlet'
}
-
+
# For PowerShell Cmdlet
$IndividualItemResult = $((Get-MpPreference).oobeEnableRtpAndSigUpdate)
$NestedObjectArray += [PSCustomObject]@{
@@ -441,9 +441,9 @@ function Confirm-SystemCompliance {
Value = $IndividualItemResult
Compliant = $IndividualItemResult
Category = $CatName
- Method = 'Cmdlet'
+ Method = 'Cmdlet'
}
-
+
# For PowerShell Cmdlet
$IndividualItemResult = $((Get-MpPreference).IntelTDTEnabled)
$NestedObjectArray += [PSCustomObject]@{
@@ -451,9 +451,9 @@ function Confirm-SystemCompliance {
Value = $IndividualItemResult
Compliant = $IndividualItemResult
Category = $CatName
- Method = 'Cmdlet'
+ Method = 'Cmdlet'
}
-
+
# For PowerShell Cmdlet
$IndividualItemResult = $((Get-ProcessMitigation -System -ErrorAction Stop).aslr.ForceRelocateImages)
$NestedObjectArray += [PSCustomObject]@{
@@ -461,21 +461,21 @@ function Confirm-SystemCompliance {
Value = $IndividualItemResult
Compliant = $IndividualItemResult -eq 'on' ? $True : $false
Category = $CatName
- Method = 'Cmdlet'
+ Method = 'Cmdlet'
}
-
+
# For BCDEDIT NX value verification
# IMPORTANT: bcdedit /enum requires an ELEVATED session.
# Answer by mklement0: https://stackoverflow.com/a/50949849
$bcdOutput = (bcdedit /enum) -join "`n" # collect bcdedit's output as a *single* string
-
+
# Initialize the output list.
$entries = New-Object System.Collections.Generic.List[PSCustomObject] -ErrorAction Stop
-
+
# Parse bcdedit's output.
($bcdOutput -split '(?m)^(.+\n-)-+\n' -ne '').ForEach({
if ($_.EndsWith("`n-")) {
- # entry header
+ # entry header
$entries.Add([PSCustomObject] @{ Name = ($_ -split '\n')[0]; Properties = [ordered] @{} })
}
else {
@@ -491,26 +491,26 @@ function Confirm-SystemCompliance {
})
}
})
-
+
# For PowerShell Cmdlet
$IndividualItemResult = $(($entries | Where-Object { $_.properties.identifier -eq "{current}" }).properties.nx)
$NestedObjectArray += [PSCustomObject]@{
Name = 'BCDEDIT NX Value'
Value = $IndividualItemResult
- Compliant = $IndividualItemResult -eq 'AlwaysOn' ? $True : $false
+ Compliant = $IndividualItemResult -eq 'AlwaysOn' ? $True : $false
Category = $CatName
- Method = 'Cmdlet'
+ Method = 'Cmdlet'
}
-
+
# For PowerShell Cmdlet
$NestedObjectArray += [PSCustomObject]@{
Name = 'Smart App Control State'
Value = $((Get-MpComputerStatus).SmartAppControlState)
Compliant = 'N/A'
Category = $CatName
- Method = 'Cmdlet'
+ Method = 'Cmdlet'
}
-
+
# For PowerShell Cmdlet
$IndividualItemResult = $((Get-ScheduledTask -TaskPath "\MSFT Driver Block list update\" -TaskName "MSFT Driver Block list update" -ErrorAction SilentlyContinue) ? $True : $false)
$NestedObjectArray += [PSCustomObject]@{
@@ -518,10 +518,10 @@ function Confirm-SystemCompliance {
Value = $IndividualItemResult
Compliant = $IndividualItemResult
Category = $CatName
- Method = 'Cmdlet'
+ Method = 'Cmdlet'
}
-
-
+
+
$DefenderPlatformUpdatesChannels = @{
0 = 'NotConfigured'
2 = 'Beta'
@@ -536,10 +536,10 @@ function Confirm-SystemCompliance {
Value = $($DefenderPlatformUpdatesChannels[[int](get-mppreference).PlatformUpdatesChannel])
Compliant = 'N/A'
Category = $CatName
- Method = 'Cmdlet'
+ Method = 'Cmdlet'
}
-
-
+
+
$DefenderEngineUpdatesChannels = @{
0 = 'NotConfigured'
2 = 'Beta'
@@ -554,21 +554,21 @@ function Confirm-SystemCompliance {
Value = $($DefenderEngineUpdatesChannels[[int](get-mppreference).EngineUpdatesChannel])
Compliant = 'N/A'
Category = $CatName
- Method = 'Cmdlet'
+ Method = 'Cmdlet'
}
-
+
# For PowerShell Cmdlet
$NestedObjectArray += [PSCustomObject]@{
Name = 'Controlled Folder Access Exclusions'
Value = [PSCustomObject]@{Count = $((Get-MpPreference).ControlledFolderAccessAllowedApplications.count); Programs = $((Get-MpPreference).ControlledFolderAccessAllowedApplications) }
Compliant = 'N/A'
Category = $CatName
- Method = 'Cmdlet'
- }
+ Method = 'Cmdlet'
+ }
# Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray -ErrorAction Stop
#EndRegion Microsoft-Defender-Category
-
+
#Region Attack-Surface-Reduction-Rules-Category
Write-Progress -Activity 'Validating Attack Surface Reduction Rules Category' -Status 'Processing...' -PercentComplete 40
[System.Array]$NestedObjectArray = @()
@@ -579,53 +579,53 @@ function Confirm-SystemCompliance {
switch ($Key) {
1 {
$1index = $Item.ListBoxValue.element.Name.IndexOf('92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B')
- $1ListData = $Item.ListBoxValue.element.Data[$1index]
-
+ $1ListData = $Item.ListBoxValue.element.Data[$1index]
+
$2index = $Item.ListBoxValue.element.Name.IndexOf('e6db77e5-3df2-4cf1-b95a-636979351e5b')
$2ListData = $Item.ListBoxValue.element.Data[$2index]
-
+
$3index = $Item.ListBoxValue.element.Name.IndexOf('d1e49aac-8f56-4280-b9ba-993a6d77406c')
- $3ListData = $Item.ListBoxValue.element.Data[$3index]
-
+ $3ListData = $Item.ListBoxValue.element.Data[$3index]
+
$4index = $Item.ListBoxValue.element.Name.IndexOf('3b576869-a4ec-4529-8536-b80a7769e899')
$4ListData = $Item.ListBoxValue.element.Data[$4index]
-
+
$5index = $Item.ListBoxValue.element.Name.IndexOf('be9ba2d9-53ea-4cdc-84e5-9b1eeee46550')
$5ListData = $Item.ListBoxValue.element.Data[$5index]
-
+
$6index = $Item.ListBoxValue.element.Name.IndexOf('75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84')
$6ListData = $Item.ListBoxValue.element.Data[$6index]
-
+
$7index = $Item.ListBoxValue.element.Name.IndexOf('56a863a9-875e-4185-98a7-b882c64b5ce5')
$7ListData = $Item.ListBoxValue.element.Data[$7index]
-
+
$8index = $Item.ListBoxValue.element.Name.IndexOf('01443614-cd74-433a-b99e-2ecdc07bfc25')
$8ListData = $Item.ListBoxValue.element.Data[$8index]
-
+
$9index = $Item.ListBoxValue.element.Name.IndexOf('b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4')
$9ListData = $Item.ListBoxValue.element.Data[$9index]
-
+
$10index = $Item.ListBoxValue.element.Name.IndexOf('d4f940ab-401b-4efc-aadc-ad5f3c50688a')
$10ListData = $Item.ListBoxValue.element.Data[$10index]
-
+
$11index = $Item.ListBoxValue.element.Name.IndexOf('5beb7efe-fd9a-4556-801d-275e5ffc04cc')
$11ListData = $Item.ListBoxValue.element.Data[$11index]
-
+
$12index = $Item.ListBoxValue.element.Name.IndexOf('c1db55ab-c21a-4637-bb3f-a12568109d35')
$12ListData = $Item.ListBoxValue.element.Data[$12index]
-
+
$13index = $Item.ListBoxValue.element.Name.IndexOf('9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2')
$13ListData = $Item.ListBoxValue.element.Data[$13index]
-
+
$14index = $Item.ListBoxValue.element.Name.IndexOf('7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c')
$14ListData = $Item.ListBoxValue.element.Data[$14index]
-
+
$15index = $Item.ListBoxValue.element.Name.IndexOf('26190899-1602-49e8-8b27-eb1d0a1ce869')
$15ListData = $Item.ListBoxValue.element.Data[$15index]
-
+
$16index = $Item.ListBoxValue.element.Name.IndexOf('d3e037e1-3eb8-44c8-a917-57927947596d')
$16ListData = $Item.ListBoxValue.element.Data[$16index]
-
+
# Use ternary operator instead of if-else statements
[bool]$ItemState = ($Item.State -eq 'Enabled' `
-and $Item.ListBoxName -eq 'Set the state for each ASR rule:' `
@@ -648,7 +648,7 @@ function Confirm-SystemCompliance {
-and $14ListData -eq 1 `
-and $15ListData -eq 1 `
-and $16ListData -eq 1 `
- ) ? $True : $False
+ ) ? $True : $False
}
}
# Create a custom object with 5 properties to store them as nested objects inside the main output object
@@ -657,13 +657,13 @@ function Confirm-SystemCompliance {
Value = $ItemState
Compliant = $ItemState
Category = $CatName
- Method = 'Group Policy'
- }
+ Method = 'Group Policy'
+ }
}
# Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray -ErrorAction Stop
#EndRegion Attack-Surface-Reduction-Rules-Category
-
+
#Region Bitlocker-Category
Write-Progress -Activity 'Validating Bitlocker Category' -Status 'Processing...' -PercentComplete 45
[System.Array]$NestedObjectArray = @()
@@ -721,34 +721,34 @@ function Confirm-SystemCompliance {
Add-Type -TypeDefinition $BootDMAProtectionCheck
# returns true or false depending on whether Kernel DMA Protection is on or off
[bool]$BootDMAProtection = ([SystemInfo.NativeMethods]::BootDmaCheck()) -ne 0
-
+
# Loop through each nested hash table inside the main Policies hash table and check the item state using a switch statement
foreach ($Key in $HashPol[$CatName].Keys) {
$Item = $PoliciesOutput | Where-object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
switch ($Key) {
- 1 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
+ 1 {
+ [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
}
2 {
- $1index = $Item.DropDownListName.IndexOf('Configure TPM startup:')
- $1DropDownState = $Item.DropDownListState[$1index]
+ $1index = $Item.DropDownListName.IndexOf('Configure TPM startup:')
+ $1DropDownState = $Item.DropDownListState[$1index]
$1DropDownValue = $Item.DropDownListValue[$1index]
-
- $2index = $Item.DropDownListName.IndexOf('Configure TPM startup PIN:')
- $2DropDownState = $Item.DropDownListState[$2index]
+
+ $2index = $Item.DropDownListName.IndexOf('Configure TPM startup PIN:')
+ $2DropDownState = $Item.DropDownListState[$2index]
$2DropDownValue = $Item.DropDownListValue[$2index]
-
- $3index = $Item.DropDownListName.IndexOf('Configure TPM startup key:')
- $3DropDownState = $Item.DropDownListState[$3index]
+
+ $3index = $Item.DropDownListName.IndexOf('Configure TPM startup key:')
+ $3DropDownState = $Item.DropDownListState[$3index]
$3DropDownValue = $Item.DropDownListValue[$3index]
-
- $4index = $Item.DropDownListName.IndexOf('Configure TPM startup key and PIN:')
- $4DropDownState = $Item.DropDownListState[$4index]
+
+ $4index = $Item.DropDownListName.IndexOf('Configure TPM startup key and PIN:')
+ $4DropDownState = $Item.DropDownListState[$4index]
$4DropDownValue = $Item.DropDownListValue[$4index]
-
-
+
+
[bool]$ItemState = ($Item.State -eq 'Enabled' `
-and $Item.CheckboxName -eq 'Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)' `
-and $Item.CheckboxState -eq 'Disabled' `
@@ -760,22 +760,22 @@ function Confirm-SystemCompliance {
-and $3DropDownValue -eq 'Allow startup key with TPM' `
-and $4DropDownState -eq 'Enabled' `
-and $4DropDownValue -eq 'Allow startup key and PIN with TPM' `
- ) ? $True : $False
+ ) ? $True : $False
}
3 {
- $1index = $Item.DropDownListName.IndexOf("Select the encryption method for operating system drives:")
- $1DropDownState = $Item.DropDownListState[$1index]
+ $1index = $Item.DropDownListName.IndexOf("Select the encryption method for operating system drives:")
+ $1DropDownState = $Item.DropDownListState[$1index]
$1DropDownValue = $Item.DropDownListValue[$1index]
-
- $2index = $Item.DropDownListName.IndexOf("Select the encryption method for fixed data drives:")
- $2DropDownState = $Item.DropDownListState[$2index]
+
+ $2index = $Item.DropDownListName.IndexOf("Select the encryption method for fixed data drives:")
+ $2DropDownState = $Item.DropDownListState[$2index]
$2DropDownValue = $Item.DropDownListValue[$2index]
-
- $3index = $Item.DropDownListName.IndexOf("Select the encryption method for removable data drives:")
- $3DropDownState = $Item.DropDownListState[$3index]
+
+ $3index = $Item.DropDownListName.IndexOf("Select the encryption method for removable data drives:")
+ $3DropDownState = $Item.DropDownListState[$3index]
$3DropDownValue = $Item.DropDownListValue[$3index]
-
-
+
+
[bool]$ItemState = ($Item.State -eq 'Enabled' `
-and $1DropDownState -eq 'Enabled' `
-and $1DropDownValue -eq 'XTS-AES 256-bit' `
@@ -783,47 +783,47 @@ function Confirm-SystemCompliance {
-and $2DropDownValue -eq 'XTS-AES 256-bit' `
-and $3DropDownState -eq 'Enabled' `
-and $3DropDownValue -eq 'XTS-AES 256-bit'
- ) ? $True : $False
+ ) ? $True : $False
}
4 {
[bool]$ItemState = ($Item.State -eq 'Enabled' `
-and $Item.DropDownListName -eq 'Select the encryption type:' `
-and $Item.DropDownListState -eq 'NotConfigured' # It's actually set to "Full Encryption" but Gpresult shows NotConfigured!
- ) ? $True : $False
+ ) ? $True : $False
}
5 {
[bool]$ItemState = ($Item.State -eq 'Enabled' `
-and $Item.NumericName -eq 'Minimum characters:' `
-and $Item.NumericState -eq 'Enabled' `
-and $Item.NumericValue -eq '10'
- ) ? $True : $False
+ ) ? $True : $False
}
6 {
[bool]$ItemState = ($Item.State -eq 'Enabled' `
-and $Item.DropDownListName -eq 'Select the encryption type:' `
-and $Item.DropDownListState -eq 'NotConfigured' # NotConfigured actually means "Full Encryption" but Gpresult reports it NotConfigured
- ) ? $True : $False
+ ) ? $True : $False
}
7 {
- [bool]$ItemState = ($Item.State -eq 'Disabled') ? $True : $False
+ [bool]$ItemState = ($Item.State -eq 'Disabled') ? $True : $False
}
8 {
[bool]$ItemState = ($Item.State -eq 'Enabled' `
-and $Item.DropDownListName -eq 'Select the encryption type:' `
-and $Item.DropDownListState -eq 'NotConfigured' # It's actually set to "Full Encryption" but Gpresult shows NotConfigured!
- ) ? $True : $False
+ ) ? $True : $False
}
9 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
+ [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
}
10 {
- [bool]$ItemState = ($Item.State -eq 'Disabled') ? $True : $False
+ [bool]$ItemState = ($Item.State -eq 'Disabled') ? $True : $False
}
11 {
- [bool]$ItemState = ($Item.State -eq 'Disabled') ? $True : $False
+ [bool]$ItemState = ($Item.State -eq 'Disabled') ? $True : $False
}
12 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
+ [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
}
13 {
# Bitlocker DMA counter measure status
@@ -832,17 +832,17 @@ function Confirm-SystemCompliance {
[bool]$ItemState = ($bootDMAProtection -xor ($Item.State -eq 'Enabled')) ? $True : $False
}
}
-
+
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$NestedObjectArray += [PSCustomObject]@{
Name = $HashPol[$CatName][$Key].Name
Value = $ItemState
Compliant = $ItemState
Category = $CatName
- Method = 'Group Policy'
- }
+ Method = 'Group Policy'
+ }
}
-
+
# For PowerShell Cmdlet
$IndividualItemResult = $($((Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Power -name HibernateEnabled).hibernateEnabled) -eq 1 ? $True : $False)
$NestedObjectArray += [PSCustomObject]@{
@@ -851,11 +851,11 @@ function Confirm-SystemCompliance {
Compliant = $IndividualItemResult
Category = $CatName
Method = 'Cmdlet'
- }
+ }
# Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray -ErrorAction Stop
#EndRegion Bitlocker-Category
-
+
#Region TLS-Category
Write-Progress -Activity 'Validating TLS Category' -Status 'Processing...' -PercentComplete 50
[System.Array]$NestedObjectArray = @()
@@ -863,33 +863,33 @@ function Confirm-SystemCompliance {
# Loop through each nested hash table inside the main Policies hash table and check the item state using a switch statement
foreach ($Key in $HashPol[$CatName].Keys) {
$Item = $PoliciesOutput | Where-object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
- switch ($Key) {
+ switch ($Key) {
1 {
# Write-Host "$($Item.MultiTextValue.string)" -ForegroundColor Yellow
# Make sure the content and their exact order is present in Group Policy
[System.Array]$ExpectedOrderAndContent = @('nistP521', 'curve25519', 'NistP384', 'NistP256')
-
+
# Loop through the array and compare each element with the expected value
foreach ($i in 0..3) {
# Use a ternary operator to set the result to false and break the loop if the element does not match
$ItemStateAux = $Item.MultiTextValue.string[$i] -eq $ExpectedOrderAndContent[$i] ? $True : $false
}
# Write-Host "$ItemStateAux" -ForegroundColor Red
-
-
+
+
[bool]$ItemState = ($Item.State -eq 'Enabled' `
-and $Item.MultiTextName -eq 'ECC Curve Order:' `
-and $Item.MultiTextState -eq 'Enabled' `
-and $ItemStateAux -eq $True
- ) ? $True : $False
+ ) ? $True : $False
}
2 {
-
+
[bool]$ItemState = ($Item.State -eq 'Enabled' `
-and $Item.EditTextName -eq 'SSL Cipher Suites' `
-and $Item.EditTextState -eq 'Enabled' `
-and $Item.EditTextValue -eq 'TLS_CHACHA20_POLY1305_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256' # Checks the exact values and order
- ) ? $True : $False
+ ) ? $True : $False
}
}
# Create a custom object with 5 properties to store them as nested objects inside the main output object
@@ -898,24 +898,24 @@ function Confirm-SystemCompliance {
Value = $ItemState
Compliant = $ItemState
Category = $CatName
- Method = 'Group Policy'
+ Method = 'Group Policy'
}
}
-
-
+
+
$MatchRegistryKeys = @() # initialize the variable to false - an array that is going to hold only bool values
foreach ($Item in $CSVFileContent) {
if ($Item.category -eq 'TLS' -and $Item.Action -eq 'AddOrModify') {
$path = $Item.Path
$key = $Item.Key
$value = $Item.value
-
+
$regValue = Get-ItemPropertyValue -Path $path -Name $key
# Store only boolean values in the $MatchRegistryKeys
- $MatchRegistryKeys += [bool]($regValue -eq $value)
+ $MatchRegistryKeys += [bool]($regValue -eq $value)
<#
- Testing the key's value type
-
+ Testing the key's value type
+
Reg Type PS Type
-------- -------
REG_DWORD System.Int32
@@ -924,29 +924,29 @@ function Confirm-SystemCompliance {
REG_BINARY System.Byte[]
REG_MULTI_SZ System.String[]
REG_EXPAND_SZ System.String
-
+
(Get-ItemPropertyValue -Path $path -Name $key).GetType().name -eq $type
- (Get-ItemPropertyValue -Path $path -Name $key) -is [System.Int32]
-
+ (Get-ItemPropertyValue -Path $path -Name $key) -is [System.Int32]
+
#>
}
- }
+ }
# Create a custom object with 5 properties to store them as nested objects inside the main output object
# Make sure the boolean array doesn't contain any $false values
$IndividualItemResult = ($MatchRegistryKeys -notcontains $false)
$NestedObjectArray += [PSCustomObject]@{
- Name = 'Registry Keys All correct'
+ Name = 'Registry Keys All correct'
Value = $IndividualItemResult
Compliant = $IndividualItemResult
Category = $CatName
Method = 'Registry Keys'
}
-
+
# Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray -ErrorAction Stop
#EndRegion TLS-Category
-
+
#Region LockScreen-Category
Write-Progress -Activity 'Validating Lock Screen Category' -Status 'Processing...' -PercentComplete 55
[System.Array]$NestedObjectArray = @()
@@ -955,40 +955,40 @@ function Confirm-SystemCompliance {
foreach ($Key in $HashPol[$CatName].Keys) {
$Item = $PoliciesOutput | Where-object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
switch ($Key) {
- 1 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
+ 1 {
+ [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
}
- 2 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
+ 2 {
+ [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
}
- 3 {
+ 3 {
[bool]$ItemState = ($Item.State -eq 'Enabled' `
-and $Item.NumericName -eq 'PIN Expiration' `
-and $Item.NumericState -eq 'Enabled' `
-and $Item.NumericValue -eq '180'
- ) ? $True : $False
+ ) ? $True : $False
}
- 4 {
+ 4 {
[bool]$ItemState = ($Item.State -eq 'Enabled' `
-and $Item.NumericName -eq 'PIN History' `
-and $Item.NumericState -eq 'Enabled' `
-and $Item.NumericValue -eq '3'
- ) ? $True : $False
+ ) ? $True : $False
}
- 5 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
+ 5 {
+ [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
}
- 6 {
+ 6 {
[bool]$ItemState = ($Item.State -eq 'Enabled' `
-and $Item.EditTextName -eq 'Exclude the following credential providers:' `
-and $Item.EditTextState -eq 'Enabled' `
- -and $item.EditTextValue -eq '{60b78e88-ead8-445c-9cfd-0b87f74ea6cd},{F8A0B131-5F68-486c-8040-7E8FC3C85BB6},{8FD7E19C-3BF7-489B-A72C-846AB3678C96},{1ee7337f-85ac-45e2-a23c-37c753209769},{1b283861-754f-4022-ad47-a5eaaa618894}' ) ? $True : $False
+ -and $item.EditTextValue -eq '{60b78e88-ead8-445c-9cfd-0b87f74ea6cd},{F8A0B131-5F68-486c-8040-7E8FC3C85BB6},{8FD7E19C-3BF7-489B-A72C-846AB3678C96},{1ee7337f-85ac-45e2-a23c-37c753209769},{1b283861-754f-4022-ad47-a5eaaa618894}' ) ? $True : $False
}
- 7 {
+ 7 {
[bool]$ItemState = ($Item.State -eq 'Enabled' `
-and $Item.EditTextName -eq 'Assign the following credential provider as the default credential provider:' `
-and $Item.EditTextState -eq 'Enabled' `
- -and $item.EditTextValue -eq '{D6886603-9D2F-4EB2-B667-1971041FA96B}' ) ? $True : $False
+ -and $item.EditTextValue -eq '{D6886603-9D2F-4EB2-B667-1971041FA96B}' ) ? $True : $False
}
}
# Create a custom object with 5 properties to store them as nested objects inside the main output object
@@ -997,12 +997,12 @@ function Confirm-SystemCompliance {
Value = $ItemState
Compliant = $ItemState
Category = $CatName
- Method = 'Group Policy'
+ Method = 'Group Policy'
}
}
-
+
# Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]$($SecurityPoliciesIni.'Registry Values'['MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs'] -eq '4,120') ? $True : $False
+ $IndividualItemResult = [bool]$($SecurityPoliciesIni.'Registry Values'['MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs'] -eq '4,120') ? $True : $False
$NestedObjectArray += [PSCustomObject]@{
Name = 'Machine inactivity limit'
Value = $IndividualItemResult
@@ -1010,8 +1010,8 @@ function Confirm-SystemCompliance {
Category = $CatName
Method = 'Security Group Policy'
}
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
+
+ # Create a custom object with 5 properties to store them as nested objects inside the main output object
$IndividualItemResult = [bool]$($SecurityPoliciesIni.'Registry Values'['MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD'] -eq '4,0') ? $True : $False
$NestedObjectArray += [PSCustomObject]@{
Name = 'Interactive logon: Do not require CTRL+ALT+DEL'
@@ -1020,8 +1020,8 @@ function Confirm-SystemCompliance {
Category = $CatName
Method = 'Security Group Policy'
}
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
+
+ # Create a custom object with 5 properties to store them as nested objects inside the main output object
$IndividualItemResult = [bool]$($SecurityPoliciesIni.'Registry Values'['MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\MaxDevicePasswordFailedAttempts'] -eq '4,5') ? $True : $False
$NestedObjectArray += [PSCustomObject]@{
Name = 'Interactive logon: Machine account lockout threshold'
@@ -1030,8 +1030,8 @@ function Confirm-SystemCompliance {
Category = $CatName
Method = 'Security Group Policy'
}
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
+
+ # Create a custom object with 5 properties to store them as nested objects inside the main output object
$IndividualItemResult = [bool]$($SecurityPoliciesIni.'Registry Values'['MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLockedUserId'] -eq '4,4') ? $True : $False
$NestedObjectArray += [PSCustomObject]@{
Name = 'Interactive logon: Display user information when the session is locked'
@@ -1040,8 +1040,8 @@ function Confirm-SystemCompliance {
Category = $CatName
Method = 'Security Group Policy'
}
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
+
+ # Create a custom object with 5 properties to store them as nested objects inside the main output object
$IndividualItemResult = [bool]$($SecurityPoliciesIni.'Registry Values'['MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayUserName'] -eq '4,1') ? $True : $False
$NestedObjectArray += [PSCustomObject]@{
Name = "Interactive logon: Don't display username at sign-in"
@@ -1051,7 +1051,7 @@ function Confirm-SystemCompliance {
Method = 'Security Group Policy'
}
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
+ # Create a custom object with 5 properties to store them as nested objects inside the main output object
$IndividualItemResult = [bool]$($SecurityPoliciesIni.'System Access'['LockoutBadCount'] -eq '5') ? $True : $False
$NestedObjectArray += [PSCustomObject]@{
Name = "Account lockout threshold"
@@ -1061,7 +1061,7 @@ function Confirm-SystemCompliance {
Method = 'Security Group Policy'
}
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
+ # Create a custom object with 5 properties to store them as nested objects inside the main output object
$IndividualItemResult = [bool]$($SecurityPoliciesIni.'System Access'['LockoutDuration'] -eq '1440') ? $True : $False
$NestedObjectArray += [PSCustomObject]@{
Name = "Account lockout duration"
@@ -1071,7 +1071,7 @@ function Confirm-SystemCompliance {
Method = 'Security Group Policy'
}
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
+ # Create a custom object with 5 properties to store them as nested objects inside the main output object
$IndividualItemResult = [bool]$($SecurityPoliciesIni.'System Access'['ResetLockoutCount'] -eq '1440') ? $True : $False
$NestedObjectArray += [PSCustomObject]@{
Name = "Reset account lockout counter after"
@@ -1081,7 +1081,7 @@ function Confirm-SystemCompliance {
Method = 'Security Group Policy'
}
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
+ # Create a custom object with 5 properties to store them as nested objects inside the main output object
$IndividualItemResult = [bool]$($SecurityPoliciesIni.'Registry Values'['MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName'] -eq '4,1') ? $True : $False
$NestedObjectArray += [PSCustomObject]@{
Name = "Interactive logon: Don't display last signed-in"
@@ -1090,22 +1090,22 @@ function Confirm-SystemCompliance {
Category = $CatName
Method = 'Security Group Policy'
}
-
+
# Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray -ErrorAction Stop
#EndRegion LockScreen-Category
-
+
#Region User-Account-Control-Category
Write-Progress -Activity 'Validating User Account Control Category' -Status 'Processing...' -PercentComplete 60
[System.Array]$NestedObjectArray = @()
- [String]$CatName = "UAC"
+ [String]$CatName = "UAC"
# Loop through each nested hash table inside the main Policies hash table and check the item state using a switch statement
foreach ($Key in $HashPol[$CatName].Keys) {
$Item = $PoliciesOutput | Where-object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
- switch ($Key) {
- 1 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
+ switch ($Key) {
+ 1 {
+ [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
+ }
}
# Create a custom object with 5 properties to store them as nested objects inside the main output object
@@ -1114,7 +1114,7 @@ function Confirm-SystemCompliance {
Value = $ItemState
Compliant = $ItemState
Category = $CatName
- Method = 'Group Policy'
+ Method = 'Group Policy'
}
}
@@ -1128,12 +1128,12 @@ function Confirm-SystemCompliance {
Category = $CatName
Method = 'Security Group Policy'
}
-
-
- # This particular policy can have 2 values and they are both acceptable depending on whichever user selects
+
+
+ # This particular policy can have 2 values and they are both acceptable depending on whichever user selects
[string]$ConsentPromptBehaviorUserValue = $SecurityPoliciesIni.'Registry Values'['MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser']
# This option is automatically applied when UAC category is run
- if ($ConsentPromptBehaviorUserValue -eq '4,1') {
+ if ($ConsentPromptBehaviorUserValue -eq '4,1') {
$ConsentPromptBehaviorUserCompliance = $true
$IndividualItemResult = 'Prompt for credentials on the secure desktop'
}
@@ -1155,9 +1155,9 @@ function Confirm-SystemCompliance {
Compliant = $ConsentPromptBehaviorUserCompliance
Category = $CatName
Method = 'Security Group Policy'
- }
+ }
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
+ # Create a custom object with 5 properties to store them as nested objects inside the main output object
$IndividualItemResult = [bool]($($SecurityPoliciesIni.'Registry Values'['MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures'] -eq '4,1') ? $True : $False)
$NestedObjectArray += [PSCustomObject]@{
Name = 'UAC: Only elevate executables that are signed and validated'
@@ -1166,11 +1166,11 @@ function Confirm-SystemCompliance {
Category = $CatName
Method = 'Security Group Policy'
}
-
+
# Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray -ErrorAction Stop
#EndRegion User-Account-Control-Category
-
+
#Region Device-Guard-Category
Write-Progress -Activity 'Validating Device Guard Category' -Status 'Processing...' -PercentComplete 65
[System.Array]$NestedObjectArray = @()
@@ -1184,54 +1184,54 @@ function Confirm-SystemCompliance {
# DropDown 1
$1index = $Item.DropDownListName.IndexOf("Select Platform Security Level:")
#Write-Host "$1index" -ForegroundColor Yellow
-
+
$1DropDownState = $Item.DropDownListState[$1index]
#Write-Host "$1DropDownState" -ForegroundColor Yellow
-
+
$1DropDownValue = $Item.DropDownListValue[$1index]
#Write-Host "$1DropDownValue" -ForegroundColor Yellow
-
+
# DropDown 2
$2index = $Item.DropDownListName.IndexOf("Virtualization Based Protection of Code Integrity:")
# Write-Host "$2index" -ForegroundColor Yellow
-
+
$2DropDownState = $Item.DropDownListState[$2index]
# Write-Host "$2DropDownState" -ForegroundColor Yellow
-
+
$2DropDownValue = $Item.DropDownListValue[$2index]
# Write-Host "$2DropDownValue" -ForegroundColor Yellow
-
+
# DropDown 3
$3index = $Item.DropDownListName.IndexOf("Credential Guard Configuration:")
# Write-Host "$3index" -ForegroundColor Yellow
-
+
$3DropDownState = $Item.DropDownListState[$3index]
# Write-Host "$3DropDownState" -ForegroundColor Yellow
-
+
$3DropDownValue = $Item.DropDownListValue[$3index]
# Write-Host "$3DropDownValue" -ForegroundColor Yellow
-
+
# DropDown 4
$4index = $Item.DropDownListName.IndexOf("Secure Launch Configuration:")
# Write-Host "$4index" -ForegroundColor Yellow
-
+
$4DropDownState = $Item.DropDownListState[$4index]
# Write-Host "$4DropDownState" -ForegroundColor Yellow
-
+
$4DropDownValue = $Item.DropDownListValue[$4index]
# Write-Host "$4DropDownValue" -ForegroundColor Yellow
-
+
# DropDown 5
$5index = $Item.DropDownListName.IndexOf("Kernel-mode Hardware-enforced Stack Protection:")
# Write-Host "$5index" -ForegroundColor Yellow
-
+
$5DropDownState = $Item.DropDownListState[$5index]
# Write-Host "$5DropDownState" -ForegroundColor Yellow
-
+
$5DropDownValue = $Item.DropDownListValue[$5index]
# Write-Host "$5DropDownValue" -ForegroundColor Yellow
-
-
+
+
[bool]$ItemState = ($Item.State -eq 'Enabled' `
-and $1DropDownState -eq 'Enabled' `
-and $1DropDownValue -eq 'Secure Boot' `
@@ -1244,8 +1244,8 @@ function Confirm-SystemCompliance {
-and $4DropDownState -eq 'Enabled' `
-and $4DropDownValue -eq 'Enabled' `
-and $5DropDownState -eq 'Enabled' `
- -and $5DropDownValue -eq 'Enabled in enforcement mode'
- ) ? $True : $False
+ -and $5DropDownValue -eq 'Enabled in enforcement mode'
+ ) ? $True : $False
}
}
# Create a custom object with 5 properties to store them as nested objects inside the main output object
@@ -1254,18 +1254,18 @@ function Confirm-SystemCompliance {
Value = $ItemState
Compliant = $ItemState
Category = $CatName
- Method = 'Group Policy'
- }
+ Method = 'Group Policy'
+ }
}
-
-
+
+
# Loop through each nested hash table inside the main Registeries hash table and check the item state using a switch statement
foreach ($Key in $HashReg[$CatName].Keys) {
# Get the correct object from the RegistriesOutput Object that contains all the group policies in the xml file
$Item = $RegistriesOutput | Where-object { $_.Name -eq $HashReg[$CatName][$Key].Name -and $_.KeyPath -eq $HashReg[$CatName][$Key].KeyPath }
switch ($Key) {
1 {
- [bool]$ItemState = ($Item.Number -eq '1') ? $True : $False
+ [bool]$ItemState = ($Item.Number -eq '1') ? $True : $False
}
}
# Create a custom object with 5 properties to store them as nested objects inside the main output object
@@ -1274,19 +1274,19 @@ function Confirm-SystemCompliance {
Value = $ItemState
Compliant = $ItemState
Category = $CatName
- Method = 'Group Policy'
- }
+ Method = 'Group Policy'
+ }
}
# Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray -ErrorAction Stop
#EndRegion Device-Guard-Category
-
+
#Region Windows-Firewall-Category
Write-Progress -Activity 'Validating Windows Firewall Category' -Status 'Processing...' -PercentComplete 70
[System.Array]$NestedObjectArray = @()
[String]$CatName = 'Windows Firewall'
-
-
+
+
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$NestedObjectArray += [PSCustomObject]@{
Name = "Domain Profile Default Inbound Action"
@@ -1294,8 +1294,8 @@ function Confirm-SystemCompliance {
Compliant = [bool]($FirewallPoliciesOutput.DomainDefaultInboundAction -eq $True ? $True : $False)
Category = $CatName
Method = 'Firewall Group Policy'
- }
-
+ }
+
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$NestedObjectArray += [PSCustomObject]@{
Name = "Domain Profile Default Outbound Action"
@@ -1448,23 +1448,23 @@ function Confirm-SystemCompliance {
Category = $CatName
Method = 'Firewall Group Policy'
}
-
+
# Disables Multicast DNS (mDNS) UDP-in Firewall Rules for all 3 Firewall profiles - disables only 3 rules
$RulesToDisable = get-NetFirewallRule -ErrorAction Stop |
- Where-Object { $_.RuleGroup -eq "@%SystemRoot%\system32\firewallapi.dll,-37302" -and $_.Direction -eq "inbound" }
+ Where-Object { $_.RuleGroup -eq "@%SystemRoot%\system32\firewallapi.dll,-37302" -and $_.Direction -eq "inbound" }
# Check if the number of detected rules that need to be disabled match the number of rules with the same criteria that are disabled
$RulesTarget = $RulesToDisable | Where-Object { $_.Enabled -eq 'False' }
-
+
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$IndividualItemResult = [bool](($RulesTarget.count -eq $RulesToDisable.Count) ? $True : $false)
$NestedObjectArray += [PSCustomObject]@{
Name = "Firewall rules disabled for Multicast DNS (mDNS) UDP-in"
Value = $IndividualItemResult
- Compliant = $IndividualItemResult
+ Compliant = $IndividualItemResult
Category = $CatName
Method = 'Firewall Group Policy'
- }
-
+ }
+
# Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray -ErrorAction Stop
#EndRegion Windows-Firewall-Category
@@ -1473,11 +1473,11 @@ function Confirm-SystemCompliance {
Write-Progress -Activity 'Validating Optional Windows Features Category' -Status 'Processing...' -PercentComplete 75
[System.Array]$NestedObjectArray = @()
[String]$CatName = 'Optional Windows Features'
-
+
# Disable PowerShell v2 (needs 2 commands)
[bool]$IndividualItemResult = ((get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction Stop).state -eq 'disabled') `
-and [bool]((get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction Stop).state -eq 'disabled') ? $True : $false
-
+
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$NestedObjectArray += [PSCustomObject]@{
Name = "PowerShell v2 is disabled"
@@ -1536,7 +1536,7 @@ function Confirm-SystemCompliance {
Category = $CatName
Method = 'Optional Windows Features'
}
-
+
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$IndividualItemResult = [bool]((get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -ErrorAction Stop).state -eq 'enabled')
$NestedObjectArray += [PSCustomObject]@{
@@ -1572,7 +1572,7 @@ function Confirm-SystemCompliance {
$NestedObjectArray += [PSCustomObject]@{
Name = "Internet Explorer mode functionality for Edge is not present"
Value = $IndividualItemResult
- Compliant = $IndividualItemResult
+ Compliant = $IndividualItemResult
Category = $CatName
Method = 'Optional Windows Features'
}
@@ -1582,11 +1582,11 @@ function Confirm-SystemCompliance {
$NestedObjectArray += [PSCustomObject]@{
Name = "Legacy Notepad is not present"
Value = $IndividualItemResult
- Compliant = $IndividualItemResult
+ Compliant = $IndividualItemResult
Category = $CatName
Method = 'Optional Windows Features'
}
-
+
# Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray -ErrorAction Stop
#EndRegion Optional-Windows-Features-Category
@@ -1599,24 +1599,24 @@ function Confirm-SystemCompliance {
foreach ($Key in $HashPol[$CatName].Keys) {
$Item = $PoliciesOutput | Where-object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
switch ($Key) {
- 1 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
+ 1 {
+ [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
}
- 2 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
+ 2 {
+ [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
}
- 3 {
+ 3 {
[bool]$ItemState = ($Item.State -eq 'Enabled' `
-and $Item.DropDownListName -eq 'Configure NetBIOS options:' `
-and $Item.DropDownListState -eq 'Enabled' `
-and $Item.DropDownListValue -eq 'Disable NetBIOS name resolution'
- ) ? $True : $False
+ ) ? $True : $False
}
- 4 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
+ 4 {
+ [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
}
- 5 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
+ 5 {
+ [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
}
}
# Create a custom object with 5 properties to store them as nested objects inside the main output object
@@ -1625,15 +1625,15 @@ function Confirm-SystemCompliance {
Value = $ItemState
Compliant = $ItemState
Category = $CatName
- Method = 'Group Policy'
+ Method = 'Group Policy'
}
}
-
-
+
+
# Check network location of all connections to see if they are public
$Condition = Get-NetConnectionProfile -ErrorAction Stop | ForEach-Object { $_.NetworkCategory -eq 'public' }
- [bool]$IndividualItemResult = -not ($condition -contains $false) ? $True : $false
-
+ [bool]$IndividualItemResult = -not ($condition -contains $false) ? $True : $false
+
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$NestedObjectArray += [PSCustomObject]@{
Name = "Network Location of all connections set to Public"
@@ -1642,7 +1642,7 @@ function Confirm-SystemCompliance {
Category = $CatName
Method = 'Cmdlet'
}
-
+
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$IndividualItemResult = [bool]((Get-ItemPropertyValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters" -Name "EnableLMHOSTS") -eq '0')
$NestedObjectArray += [PSCustomObject]@{
@@ -1653,7 +1653,7 @@ function Confirm-SystemCompliance {
Method = "Registry Key"
}
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
+ # Create a custom object with 5 properties to store them as nested objects inside the main output object
$IndividualItemResult = [bool]$($SecurityPoliciesIni.'Registry Values'['MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine'] -eq '7,') ? $True : $False
$NestedObjectArray += [PSCustomObject]@{
Name = 'Network access: Remotely accessible registry paths'
@@ -1663,7 +1663,7 @@ function Confirm-SystemCompliance {
Method = 'Security Group Policy'
}
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
+ # Create a custom object with 5 properties to store them as nested objects inside the main output object
$IndividualItemResult = [bool]$($SecurityPoliciesIni.'Registry Values'['MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine'] -eq '7,') ? $True : $False
$NestedObjectArray += [PSCustomObject]@{
Name = 'Network access: Remotely accessible registry paths and subpaths'
@@ -1672,11 +1672,11 @@ function Confirm-SystemCompliance {
Category = $CatName
Method = 'Security Group Policy'
}
-
+
# Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray -ErrorAction Stop
#EndRegion Windows-Networking-Category
-
+
#Region Miscellaneous-Category
Write-Progress -Activity 'Validating Miscellaneous Category' -Status 'Processing...' -PercentComplete 85
[System.Array]$NestedObjectArray = @()
@@ -1685,51 +1685,51 @@ function Confirm-SystemCompliance {
foreach ($Key in $HashPol[$CatName].Keys) {
$Item = $PoliciesOutput | Where-object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
switch ($Key) {
- 1 {
+ 1 {
[bool]$ItemState = ($Item.State -eq 'Enabled' `
-and $Item.DropDownListState -eq 'Enabled' `
- -and $Item.DropDownListValue -eq 'Send optional diagnostic data'
- ) ? $True : $False
+ -and $Item.DropDownListValue -eq 'Send optional diagnostic data'
+ ) ? $True : $False
}
- 2 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
+ 2 {
+ [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
}
- 3 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
+ 3 {
+ [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
}
- 4 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
+ 4 {
+ [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
}
- 5 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
+ 5 {
+ [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
}
- 6 {
+ 6 {
[bool]$ItemState = ($Item.State -eq 'Enabled' `
-and $Item.DropDownListName -eq 'Choose the boot-start drivers that can be initialized:' `
-and $Item.DropDownListState -eq 'Enabled' `
- -and $Item.DropDownListValue -eq 'Good only'
- ) ? $True : $False
+ -and $Item.DropDownListValue -eq 'Good only'
+ ) ? $True : $False
}
7 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
+ [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
}
8 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
+ [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
}
9 {
[bool]$ItemState = ($Item.State -eq 'Enabled' `
-and $Item.DropDownListName -eq 'RPC Runtime Unauthenticated Client Restriction to Apply:' `
-and $Item.DropDownListState -eq 'Enabled' `
- -and $Item.DropDownListValue -eq 'Authenticated without exceptions'
- ) ? $True : $False
+ -and $Item.DropDownListValue -eq 'Authenticated without exceptions'
+ ) ? $True : $False
}
- 10 {
+ 10 {
[bool]$ItemState = ($Item.State -eq 'Enabled' `
-and $Item.DropDownListName -eq 'Mitigation Options' `
-and $Item.DropDownListState -eq 'Enabled' `
- -and $Item.DropDownListValue -eq 'Block untrusted fonts and log events'
- ) ? $True : $False
- }
+ -and $Item.DropDownListValue -eq 'Block untrusted fonts and log events'
+ ) ? $True : $False
+ }
}
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$NestedObjectArray += [PSCustomObject]@{
@@ -1737,10 +1737,10 @@ function Confirm-SystemCompliance {
Value = $ItemState
Compliant = $ItemState
Category = $CatName
- Method = 'Group Policy'
+ Method = 'Group Policy'
}
}
-
+
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$IndividualItemResult = [bool]((Get-SmbServerConfiguration -ErrorAction Stop).encryptdata)
$NestedObjectArray += [PSCustomObject]@{
@@ -1750,7 +1750,7 @@ function Confirm-SystemCompliance {
Category = $CatName
Method = 'Cmdlet'
}
-
+
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$IndividualItemResult = [bool](((auditpol /get /subcategory:"Other Logon/Logoff Events" /r | ConvertFrom-Csv -ErrorAction Stop).'Inclusion Setting' -eq 'Success and Failure') ? $True : $False)
$NestedObjectArray += [PSCustomObject]@{
@@ -1760,9 +1760,9 @@ function Confirm-SystemCompliance {
Category = $CatName
Method = 'Cmdlet'
}
-
- # Checking if all user accounts are part of the Hyper-V security Group
+
+ # Checking if all user accounts are part of the Hyper-V security Group
# Get all the enabled user accounts
[string[]]$enabledUsers = (Get-LocalUser -ErrorAction Stop | Where-Object { $_.Enabled -eq 'True' }).Name | Sort-Object
# Get the members of the Hyper-V Administrators security group using their SID
@@ -1782,18 +1782,18 @@ function Confirm-SystemCompliance {
Category = $CatName
Method = 'Cmdlet'
}
-
-
+
+
$MatchRegistryKeys = @() # initialize the variable to false - an array that is going to hold only bool values
foreach ($Item in $CSVFileContent) {
if ($Item.category -eq 'Miscellaneous' -and $Item.Action -eq 'AddOrModify') {
$path = $Item.Path
$key = $Item.Key
$value = $Item.value
-
+
$regValue = Get-ItemPropertyValue -Path $path -Name $key
# Store only boolean values in the $MatchRegistryKeys
- $MatchRegistryKeys += [bool]($regValue -eq $value)
+ $MatchRegistryKeys += [bool]($regValue -eq $value)
}
}
# Create a custom object with 5 properties to store them as nested objects inside the main output object
@@ -1806,11 +1806,11 @@ function Confirm-SystemCompliance {
Category = $CatName
Method = 'Registry Keys'
}
-
+
# Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray -ErrorAction Stop
#EndRegion Miscellaneous-Category
-
+
#Region Windows-Update-Category
Write-Progress -Activity 'Validating Windows Update Category' -Status 'Processing...' -PercentComplete 90
[System.Array]$NestedObjectArray = @()
@@ -1819,68 +1819,68 @@ function Confirm-SystemCompliance {
foreach ($Key in $HashPol[$CatName].Keys) {
$Item = $PoliciesOutput | Where-object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
switch ($Key) {
- 1 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
+ 1 {
+ [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
}
- 2 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
+ 2 {
+ [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
}
3 {
# 2 Check boxes with the same name exists, but both of their States and Values are the same that's why this works
- $1index = $Item.DropDownListName.IndexOf("Deadline (days):")
- $1DropDownState = $Item.DropDownListState[$1index]
+ $1index = $Item.DropDownListName.IndexOf("Deadline (days):")
+ $1DropDownState = $Item.DropDownListState[$1index]
$1DropDownValue = $Item.DropDownListValue[$1index]
-
- $2index = $Item.DropDownListName.IndexOf("Grace period (days):")
- $2DropDownState = $Item.DropDownListState[$2index]
+
+ $2index = $Item.DropDownListName.IndexOf("Grace period (days):")
+ $2DropDownState = $Item.DropDownListState[$2index]
$2DropDownValue = $Item.DropDownListValue[$2index]
-
-
+
+
[bool]$ItemState = ($Item.State -eq 'Enabled' `
-and $1DropDownState -eq 'Enabled' `
-and $1DropDownValue -eq '0' `
-and $2DropDownState -eq 'Enabled' `
-and $2DropDownValue -eq '1' `
-and $Item.CheckboxName -eq "Don't auto-restart until end of grace period" `
- -and $Item.CheckboxState -eq 'Disabled'
- ) ? $True : $False
+ -and $Item.CheckboxState -eq 'Disabled'
+ ) ? $True : $False
}
4 {
# 2 Check boxes with the same name exists, but both of their States and Values are the same that's why this works
- $1index = $Item.DropDownListName.IndexOf('Configure automatic updating:')
- $1DropDownState = $Item.DropDownListState[$1index]
+ $1index = $Item.DropDownListName.IndexOf('Configure automatic updating:')
+ $1DropDownState = $Item.DropDownListState[$1index]
$1DropDownValue = $Item.DropDownListValue[$1index]
-
+
$2index = $Item.CheckboxName.IndexOf('Install during automatic maintenance')
$2CheckBoxState = $Item.CheckboxState[$2index]
-
- $3index = $Item.DropDownListName.IndexOf('Scheduled install day: ') # Has an extra space in the xml!
- $3DropDownState = $Item.DropDownListState[$3index]
+
+ $3index = $Item.DropDownListName.IndexOf('Scheduled install day: ') # Has an extra space in the xml!
+ $3DropDownState = $Item.DropDownListState[$3index]
$3DropDownValue = $Item.DropDownListValue[$3index]
-
- $4index = $Item.DropDownListName.IndexOf('Scheduled install time:')
- $4DropDownState = $Item.DropDownListState[$4index]
+
+ $4index = $Item.DropDownListName.IndexOf('Scheduled install time:')
+ $4DropDownState = $Item.DropDownListState[$4index]
$4DropDownValue = $Item.DropDownListValue[$4index]
-
+
$5index = $Item.CheckboxName.IndexOf('Every week')
$5CheckBoxState = $Item.CheckboxState[$5index]
-
+
$6index = $Item.CheckboxName.IndexOf('First week of the month')
$6CheckBoxState = $Item.CheckboxState[$6index]
-
+
$7index = $Item.CheckboxName.IndexOf('Second week of the month')
$7CheckBoxState = $Item.CheckboxState[$7index]
-
+
$8index = $Item.CheckboxName.IndexOf('Third week of the month')
$8CheckBoxState = $Item.CheckboxState[$8index]
-
+
$9index = $Item.CheckboxName.IndexOf('Fourth week of the month')
$9CheckBoxState = $Item.CheckboxState[$9index]
-
+
$10index = $Item.CheckboxName.IndexOf('Install updates for other Microsoft products')
$10CheckBoxState = $Item.CheckboxState[$10index]
-
-
+
+
[bool]$ItemState = ($Item.State -eq 'Enabled' `
-and $1DropDownState -eq 'Enabled' `
-and $1DropDownValue -eq '4 - Auto download and schedule the install' `
@@ -1895,9 +1895,9 @@ function Confirm-SystemCompliance {
-and $8CheckBoxState -eq 'Disabled' `
-and $9CheckBoxState -eq 'Disabled' `
-and $10CheckBoxState -eq 'Enabled' `
- ) ? $True : $False
+ ) ? $True : $False
}
-
+
}
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$NestedObjectArray += [PSCustomObject]@{
@@ -1905,10 +1905,10 @@ function Confirm-SystemCompliance {
Value = $ItemState
Compliant = $ItemState
Category = $CatName
- Method = 'Group Policy'
+ Method = 'Group Policy'
}
}
-
+
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$IndividualItemResult = [bool]((Get-ItemPropertyValue -Path "HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" -Name "RestartNotificationsAllowed2") -eq '1')
$NestedObjectArray += [PSCustomObject]@{
@@ -1918,76 +1918,76 @@ function Confirm-SystemCompliance {
Category = $CatName
Method = "Registry Key"
}
-
+
# Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray -ErrorAction Stop
#EndRegion Windows-Update-Category
-
+
#Region Edge-Category
Write-Progress -Activity 'Validating Edge Browser Category' -Status 'Processing...' -PercentComplete 95
[System.Array]$NestedObjectArray = @()
- [String]$CatName = "Edge"
+ [String]$CatName = "Edge"
$MatchRegistryKeys = @() # initialize the variable to false - an array that is going to hold only bool values
foreach ($Item in $CSVFileContent) {
if ($Item.category -eq 'Edge' -and $Item.Action -eq 'AddOrModify') {
$path = $Item.Path
$key = $Item.Key
$value = $Item.value
-
+
$regValue = Get-ItemPropertyValue -Path $path -Name $key
# Store only boolean values in the $MatchRegistryKeys
- $MatchRegistryKeys += [bool]($regValue -eq $value)
-
+ $MatchRegistryKeys += [bool]($regValue -eq $value)
+
}
- }
+ }
# Create a custom object with 5 properties to store them as nested objects inside the main output object
# Make sure the boolean array doesn't contain any $false values
$IndividualItemResult = [bool]($MatchRegistryKeys -notcontains $false)
$NestedObjectArray += [PSCustomObject]@{
- Name = 'Registry Keys All correct'
+ Name = 'Registry Keys All correct'
Value = $IndividualItemResult
Compliant = $IndividualItemResult
Category = $CatName
Method = 'Registry Keys'
}
-
+
# Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray -ErrorAction Stop
#EndRegion Edge-Category
-
+
#Region Non-Admin-Category
Write-Progress -Activity 'Validating Non-Admin Category' -Status 'Processing...' -PercentComplete 100
[System.Array]$NestedObjectArray = @()
[String]$CatName = 'Non-Admin'
-
+
$MatchRegistryKeys = @() # initialize the variable to false - an array that is going to hold only bool values
foreach ($Item in $CSVFileContent) {
if ($Item.category -eq 'NonAdmin' -and $Item.Action -eq 'AddOrModify') {
$path = $Item.Path
$key = $Item.Key
$value = $Item.value
-
+
$regValue = Get-ItemPropertyValue -Path $path -Name $key
# Store only boolean values in the $MatchRegistryKeys
- $MatchRegistryKeys += [bool]($regValue -eq $value)
-
+ $MatchRegistryKeys += [bool]($regValue -eq $value)
+
}
- }
+ }
# Create a custom object with 5 properties to store them as nested objects inside the main output object
# Make sure the boolean array doesn't contain any $false values
$IndividualItemResult = ($MatchRegistryKeys -notcontains $false)
$NestedObjectArray += [PSCustomObject]@{
- Name = 'Registry Keys All correct'
+ Name = 'Registry Keys All correct'
Value = $IndividualItemResult
Compliant = $IndividualItemResult
Category = $CatName
Method = 'Registry Keys'
}
-
+
# Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray -ErrorAction Stop
#EndRegion Non-Admin-Category
-
+
if ($ExportToCSV) {
# An array to store the content of each category
@@ -2007,14 +2007,14 @@ function Confirm-SystemCompliance {
$CsvOutPutFileContent += $FinalMegaObject.Edge
$CsvOutPutFileContent += $FinalMegaObject.'Non-Admin'
# Convert the array to CSV and store it in the Output.CSV file in the current working directory
- $CsvOutPutFileContent | ConvertTo-Csv -ErrorAction Stop | Out-File '.\Output.CSV' -Force -ErrorAction Stop
+ $CsvOutPutFileContent | ConvertTo-Csv -ErrorAction Stop | Out-File '.\Output.CSV' -Force -ErrorAction Stop
}
-
+
if ($ShowAsObjectsOnly) {
# return the main object that contains multiple nested objects
return $FinalMegaObject
}
- else {
+ else {
#Region Colors
[scriptblock]$WritePlum = { Write-Output "$($PSStyle.Foreground.FromRGB(221,160,221))$($args[0])$($PSStyle.Reset)" }
@@ -2028,10 +2028,10 @@ function Confirm-SystemCompliance {
[scriptblock]$WriteHotPink = { Write-Output "$($PSStyle.Foreground.FromRGB(255,105,180))$($args[0])$($PSStyle.Reset)" }
[scriptblock]$WriteDeepPink = { Write-Output "$($PSStyle.Foreground.FromRGB(255,20,147))$($args[0])$($PSStyle.Reset)" }
[scriptblock]$WriteMintGreen = { Write-Output "$($PSStyle.Foreground.FromRGB(152,255,152))$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteOrange = { Write-Output "$($PSStyle.Foreground.FromRGB(255,165,0))$($args[0])$($PSStyle.Reset)" }
+ [scriptblock]$WriteOrange = { Write-Output "$($PSStyle.Foreground.FromRGB(255,165,0))$($args[0])$($PSStyle.Reset)" }
[scriptblock]$WriteSkyBlue = { Write-Output "$($PSStyle.Foreground.FromRGB(135,206,235))$($args[0])$($PSStyle.Reset)" }
-
- [scriptblock]$WriteRainbow1 = {
+
+ [scriptblock]$WriteRainbow1 = {
$text = $args[0]
$colors = @(
[System.Drawing.Color]::Pink,
@@ -2049,9 +2049,9 @@ function Confirm-SystemCompliance {
$output += "$($PSStyle.Foreground.FromRGB($color.R, $color.G, $color.B))$($text[$i])$($PSStyle.Reset)"
}
Write-Output $output
- }
-
- [scriptblock]$WriteRainbow2 = {
+ }
+
+ [scriptblock]$WriteRainbow2 = {
$text = $args[0]
$colors = @(
[System.Drawing.Color]::Pink,
@@ -2066,7 +2066,7 @@ function Confirm-SystemCompliance {
[System.Drawing.Color]::Plum,
[System.Drawing.Color]::Gold
)
-
+
$output = ""
for ($i = 0; $i -lt $text.Length; $i++) {
$color = $colors[$i % $colors.Length]
@@ -2075,98 +2075,98 @@ function Confirm-SystemCompliance {
Write-Output $output
}
#Endregion Colors
-
+
# Show all properties in list
if ($DetailedDisplay) {
& $WritePlum "`n-------------Microsoft Defender Category-------------"
$FinalMegaObject.'Microsoft Defender' | Format-list * -ErrorAction Stop
-
+
& $WriteOrchid "`n-------------Attack Surface Reduction Rules Category-------------"
$FinalMegaObject.ASR | Format-list * -ErrorAction Stop
-
+
& $WriteFuchsia "`n-------------Bitlocker Category-------------"
$FinalMegaObject.Bitlocker | Format-list * -ErrorAction Stop
-
+
& $WriteMediumOrchid "`n-------------TLS Category-------------"
$FinalMegaObject.TLS | Format-list * -ErrorAction Stop
-
+
& $WriteMediumPurple "`n-------------Lock Screen Category-------------"
$FinalMegaObject.LockScreen | Format-list * -ErrorAction Stop
-
+
& $WriteBlueViolet "`n-------------User Account Control Category-------------"
$FinalMegaObject.UAC | Format-list * -ErrorAction Stop
-
+
& $WriteDarkViolet "`n-------------Device Guard Category-------------"
$FinalMegaObject.'Device Guard' | Format-list * -ErrorAction Stop
-
+
& $WritePink "`n-------------Windows Firewall Category-------------"
$FinalMegaObject.'Windows Firewall' | Format-list * -ErrorAction Stop
& $WriteSkyBlue "`n-------------Optional Windows Features Category-------------"
$FinalMegaObject.'Optional Windows Features' | Format-list * -ErrorAction Stop
-
+
& $WriteHotPink "`n-------------Windows Networking Category-------------"
$FinalMegaObject.'Windows Networking' | Format-list * -ErrorAction Stop
-
+
& $WriteDeepPink "`n-------------Miscellaneous Category-------------"
$FinalMegaObject.Miscellaneous | Format-list * -ErrorAction Stop
-
+
& $WriteMintGreen "`n-------------Windows Update Category-------------"
$FinalMegaObject.'Windows Update' | Format-list * -ErrorAction Stop
-
+
& $WriteOrange "`n-------------Microsoft Edge Category-------------"
$FinalMegaObject.Edge | Format-list * -ErrorAction Stop
-
+
& $WriteSkyBlue "`n-------------Non-Admin Category-------------"
$FinalMegaObject.'Non-Admin' | Format-list * -ErrorAction Stop
}
# Show properties that matter in a table
else {
-
+
& $WritePlum "`n-------------Microsoft Defender Category-------------"
$FinalMegaObject.'Microsoft Defender' | Format-Table -AutoSize -Property Name, Compliant, Value -ErrorAction Stop
-
+
& $WriteOrchid "`n-------------Attack Surface Reduction Rules Category-------------"
$FinalMegaObject.ASR | Format-Table -AutoSize -Property Name, Compliant, Value -ErrorAction Stop
-
+
& $WriteFuchsia "`n-------------Bitlocker Category-------------"
$FinalMegaObject.Bitlocker | Format-Table -AutoSize -Property Name, Compliant, Value -ErrorAction Stop
-
+
& $WriteMediumOrchid "`n-------------TLS Category-------------"
$FinalMegaObject.TLS | Format-Table -AutoSize -Property Name, Compliant, Value -ErrorAction Stop
-
+
& $WriteMediumPurple "`n-------------Lock Screen Category-------------"
$FinalMegaObject.LockScreen | Format-Table -AutoSize -Property Name, Compliant, Value -ErrorAction Stop
-
+
& $WriteBlueViolet "`n-------------User Account Control Category-------------"
$FinalMegaObject.UAC | Format-Table -AutoSize -Property Name, Compliant, Value -ErrorAction Stop
-
+
& $WriteDarkViolet "`n-------------Device Guard Category-------------"
$FinalMegaObject.'Device Guard' | Format-Table -AutoSize -Property Name, Compliant, Value -ErrorAction Stop
-
+
& $WritePink "`n-------------Windows Firewall Category-------------"
$FinalMegaObject.'Windows Firewall' | Format-Table -AutoSize -Property Name, Compliant, Value -ErrorAction Stop
-
+
& $WriteSkyBlue "`n-------------Optional Windows Features Category-------------"
$FinalMegaObject.'Optional Windows Features' | Format-Table -AutoSize -Property Name, Compliant, Value -ErrorAction Stop
-
+
& $WriteHotPink "`n-------------Windows Networking Category-------------"
$FinalMegaObject.'Windows Networking' | Format-Table -AutoSize -Property Name, Compliant, Value -ErrorAction Stop
-
+
& $WriteDeepPink "`n-------------Miscellaneous Category-------------"
$FinalMegaObject.Miscellaneous | Format-Table -AutoSize -Property Name, Compliant, Value -ErrorAction Stop
-
+
& $WriteMintGreen "`n-------------Windows Update Category-------------"
$FinalMegaObject.'Windows Update' | Format-Table -AutoSize -Property Name, Compliant, Value -ErrorAction Stop
-
+
& $WriteOrange "`n-------------Microsoft Edge Category-------------"
$FinalMegaObject.Edge | Format-Table -AutoSize -Property Name, Compliant, Value -ErrorAction Stop
-
+
& $WriteSkyBlue "`n-------------Non-Admin Category-------------"
- $FinalMegaObject.'Non-Admin' | Format-Table -AutoSize -Property Name, Compliant, Value -ErrorAction Stop
+ $FinalMegaObject.'Non-Admin' | Format-Table -AutoSize -Property Name, Compliant, Value -ErrorAction Stop
}
-
+
# Counting the number of $True Compliant values in the Final Output Object
[int]$TotalTrueValuesInOutPut = ($FinalMegaObject.'Microsoft Defender' | Where-Object { $_.Compliant -eq $True }).value.Count + `
[int]($FinalMegaObject.ASR | Where-Object { $_.Compliant -eq $True }).value.Count + `
@@ -2187,7 +2187,7 @@ function Confirm-SystemCompliance {
#Region ASCII-Arts
[string]$WhenValue1To20 = @"
OH
-
+
N
O
O
@@ -2201,10 +2201,10 @@ function Confirm-SystemCompliance {
.
.
.
-
+
"@
-
-
+
+
[string]$WhenValue21To40 = @"
⣿⣿⣷⡁⢆⠈⠕⢕⢂⢕⢂⢕⢂⢔⢂⢕⢄⠂⣂⠂⠆⢂⢕⢂⢕⢂⢕⢂⢕⢂
@@ -2223,10 +2223,10 @@ function Confirm-SystemCompliance {
⠄⠪⣂⠁⢕⠆⠄⠂⠄⠁⡀⠂⡀⠄⢈⠉⢍⢛⢛⢛⢋⢔⢕⢕⢕⣽⣿⣿⠠⠈
"@
-
-
+
+
[string]$WhenValue41To60 = @"
-
+
⣿⡟⠙⠛⠋⠩⠭⣉⡛⢛⠫⠭⠄⠒⠄⠄⠄⠈⠉⠛⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿
⣿⡇⠄⠄⠄⠄⣠⠖⠋⣀⡤⠄⠒⠄⠄⠄⠄⠄⠄⠄⠄⠄⣈⡭⠭⠄⠄⠄⠉⠙
⣿⡇⠄⠄⢀⣞⣡⠴⠚⠁⠄⠄⢀⠠⠄⠄⠄⠄⠄⠄⠄⠉⠄⠄⠄⠄⠄⠄⠄⠄
@@ -2243,11 +2243,11 @@ function Confirm-SystemCompliance {
⣿⠃⠃⠄⠄⠄⠄⠄⠄⣀⢀⠄⠄⡀⡀⢀⣤⣴⣤⣤⣀⣀⠄⠄⠄⠄⠄⠄⠁⢹
"@
-
-
-
+
+
+
[string]$WhenValue61To80 = @"
-
+
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣴⣿⣿⡷⣄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣴⣿⡿⠋⠈⠻⣮⣳⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣠⣴⣾⡿⠋⠀⠀⠀⠀⠙⣿⣿⣤⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
@@ -2268,12 +2268,12 @@ function Confirm-SystemCompliance {
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣀⣀⠀⠀⠀⠀⠀⠀⢸⣧
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢻⣿⣆⠀⠀⠀⠀⠀⠀⢀⣀⣠⣤⣶⣾⣿⣿⣿⣿⣤⣄⣀⡀⠀⠀⠀⣿
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠻⢿⣻⣷⣶⣾⣿⣿⡿⢯⣛⣛⡋⠁⠀⠀⠉⠙⠛⠛⠿⣿⣿⡷⣶⣿
-
+
"@
-
-
+
+
[string]$WhenValue81To88 = @"
-
+
⠀⠀⠀⠀⠀⠀⠀⠀⢀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠔⠶⠒⠉⠈⠸⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠪⣦⢄⣀⡠⠁⠀⠀⠀⠀⠀⠀⠀⢀⣀⣠⣤⣤⣤⣤⣤⣄⣀⣀⣀⣀⣀⣀⣀⠀⠀⠀⠀⠀
@@ -2296,10 +2296,10 @@ function Confirm-SystemCompliance {
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⢹⡟⡟⢻⡟⠛⢻⡄⠀⠀⣸⠇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⡄⠀⠀⠀⠈⠷⠧⠾⠀⠀⠀⠻⣦⡴⠏⠀⠀⠀⠀⠀⠀⡀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠉⠁⠀⠀⠀⠀⠈⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
-
+
"@
-
-
+
+
[string]$WhenValueAbove88 = @"
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⢠⣶⣶⣶⣦⣤⣀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣴⣿⠟⠛⢿⣶⡄⠀⢀⣀⣤⣤⣦⣤⡀⠀⠀⠀⠀⠀
@@ -2321,23 +2321,23 @@ function Confirm-SystemCompliance {
⠀⠀⠀⠀⠀⠀⠙⢿⣦⣄⣀⣀⣀⣀⣴⣾⣿⡁⠀⠀⠀⡉⣉⠁⠀⠀⣠⣾⠟⠉⠉⠋⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠈⠙⠛⠛⠛⠛⠉⠀⠹⣿⣶⣤⣤⣷⣿⣧⣴⣾⣿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⠻⢦⣭⡽⣯⣡⡴⠟⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
-
+
"@
#Endregion ASCII-Arts
- # Total number of Compliant values not equal to N/A
+ # Total number of Compliant values not equal to N/A
[int]$TotalNumberOfTrueCompliantValues = 135
-
+
switch ($True) {
- ($TotalTrueValuesInOutPut -in 1..20) { & $WriteRainbow2 "$WhenValue1To20`nYour compliance score is $TotalTrueValuesInOutPut out of $TotalNumberOfTrueCompliantValues!" }
+ ($TotalTrueValuesInOutPut -in 1..20) { & $WriteRainbow2 "$WhenValue1To20`nYour compliance score is $TotalTrueValuesInOutPut out of $TotalNumberOfTrueCompliantValues!" }
($TotalTrueValuesInOutPut -in 21..40) { & $WriteRainbow1 "$WhenValue21To40`nYour compliance score is $TotalTrueValuesInOutPut out of $TotalNumberOfTrueCompliantValues!" }
($TotalTrueValuesInOutPut -in 41..60) { & $WriteRainbow1 "$WhenValue41To60`nYour compliance score is $TotalTrueValuesInOutPut out of $TotalNumberOfTrueCompliantValues!" }
($TotalTrueValuesInOutPut -in 61..80) { & $WriteRainbow2 "$WhenValue61To80`nYour compliance score is $TotalTrueValuesInOutPut out of $TotalNumberOfTrueCompliantValues!" }
($TotalTrueValuesInOutPut -in 81..100) { & $WriteRainbow1 "$WhenValue81To88`nYour compliance score is $TotalTrueValuesInOutPut out of $TotalNumberOfTrueCompliantValues!" }
($TotalTrueValuesInOutPut -gt 100) { & $WriteRainbow2 "$WhenValueAbove88`nYour compliance score is $TotalTrueValuesInOutPut out of $TotalNumberOfTrueCompliantValues!" }
- }
+ }
}
-
+
} # End of Process Block
end {
@@ -2383,7 +2383,7 @@ Returns a nested object instead of writing strings on the PowerShell console, it
.PARAMETER DetailedDisplay
Shows the output on the PowerShell console with more details and in the list format instead of table format
-#>
+#>
}
diff --git a/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Misc/Only Show Group Policy Data.ps1 b/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Misc/Only Show Group Policy Data.ps1
index 64d26fb29..483e5011b 100644
--- a/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Misc/Only Show Group Policy Data.ps1
+++ b/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Misc/Only Show Group Policy Data.ps1
@@ -6,7 +6,7 @@ $GroupPolicyXmlContent = [xml](Get-Content -Path ".\GPResult.xml" -ErrorAction S
# An array to store each Group Policy "<q6:Policy>" element as a separate object
$PoliciesOutput = @()
# Use dot notation to access the Group Policy elements
-$GroupPolicyXmlContent.Rsop.ComputerResults.ExtensionData.Extension.Policy | Where-Object { $null -ne $_.name } | ForEach-Object {
+$GroupPolicyXmlContent.Rsop.ComputerResults.ExtensionData.Extension.Policy | Where-Object { $null -ne $_.name } | ForEach-Object {
# All the sub-elements of the "<q6:Policy>" that we need to verify
$PoliciesOutput += [PSCustomObject]@{
Name = $_.Name
@@ -43,7 +43,7 @@ $GroupPolicyXmlContent.Rsop.ComputerResults.ExtensionData.Extension.Policy | Whe
# An array to store Group Policy Firewall settings as an object
$FirewallPoliciesOutput = @()
# Use dot notation to access the Group Policy elements - sometimes the type is q4 or q3 or q7, so using wildcard for the number
-$FirewallGroupPolicySettings = $GroupPolicyXmlContent.Rsop.ComputerResults.ExtensionData.Extension | Where-Object { $_.type -like 'q*:WindowsFirewallSettings' }
+$FirewallGroupPolicySettings = $GroupPolicyXmlContent.Rsop.ComputerResults.ExtensionData.Extension | Where-Object { $_.type -like 'q*:WindowsFirewallSettings' }
$FirewallPoliciesOutput += [PSCustomObject]@{
GlobalSettingsPolicyVersion = $FirewallGroupPolicySettings.GlobalSettings.PolicyVersion.Value
@@ -54,10 +54,10 @@ $FirewallPoliciesOutput += [PSCustomObject]@{
DomainDoNotAllowExceptions = $FirewallGroupPolicySettings.DomainProfile.DoNotAllowExceptions.value
DomainEnableFirewall = $FirewallGroupPolicySettings.DomainProfile.EnableFirewall.value
DomainLogFilePath = $FirewallGroupPolicySettings.DomainProfile.LogFilePath.value
- DomainLogFileSize = $FirewallGroupPolicySettings.DomainProfile.LogFileSize.value
+ DomainLogFileSize = $FirewallGroupPolicySettings.DomainProfile.LogFileSize.value
DomainLogDroppedPackets = $FirewallGroupPolicySettings.DomainProfile.LogDroppedPackets.value
DomainLogSuccessfulConnections = $FirewallGroupPolicySettings.DomainProfile.LogSuccessfulConnections.value
-
+
PublicAllowLocalIPsecPolicyMerge = $FirewallGroupPolicySettings.PublicProfile.AllowLocalIPsecPolicyMerge.value
PublicAllowLocalPolicyMerge = $FirewallGroupPolicySettings.PublicProfile.AllowLocalPolicyMerge.value
PublicDefaultInboundAction = $FirewallGroupPolicySettings.PublicProfile.DefaultInboundAction.value
@@ -66,9 +66,9 @@ $FirewallPoliciesOutput += [PSCustomObject]@{
PublicDoNotAllowExceptions = $FirewallGroupPolicySettings.PublicProfile.DoNotAllowExceptions.value
PublicEnableFirewall = $FirewallGroupPolicySettings.PublicProfile.EnableFirewall.value
PublicLogFilePath = $FirewallGroupPolicySettings.PublicProfile.LogFilePath.value
- PublicLogFileSize = $FirewallGroupPolicySettings.PublicProfile.LogFileSize.value
+ PublicLogFileSize = $FirewallGroupPolicySettings.PublicProfile.LogFileSize.value
PublicLogDroppedPackets = $FirewallGroupPolicySettings.PublicProfile.LogDroppedPackets.value
- PublicLogSuccessfulConnections = $FirewallGroupPolicySettings.PublicProfile.LogSuccessfulConnections.value
+ PublicLogSuccessfulConnections = $FirewallGroupPolicySettings.PublicProfile.LogSuccessfulConnections.value
#PrivateAllowLocalIPsecPolicyMerge = $FirewallGroupPolicySettings.PrivateProfile.AllowLocalIPsecPolicyMerge.value
# PrivateAllowLocalPolicyMerge = $FirewallGroupPolicySettings.PrivateProfile.AllowLocalPolicyMerge.value
@@ -78,11 +78,11 @@ $FirewallPoliciesOutput += [PSCustomObject]@{
# PrivateDoNotAllowExceptions = $FirewallGroupPolicySettings.PrivateProfile.DoNotAllowExceptions.value
PrivateEnableFirewall = $FirewallGroupPolicySettings.PrivateProfile.EnableFirewall.value
PrivateLogFilePath = $FirewallGroupPolicySettings.PrivateProfile.LogFilePath.value
- PrivateLogFileSize = $FirewallGroupPolicySettings.PrivateProfile.LogFileSize.value
+ PrivateLogFileSize = $FirewallGroupPolicySettings.PrivateProfile.LogFileSize.value
PrivateLogDroppedPackets = $FirewallGroupPolicySettings.PrivateProfile.LogDroppedPackets.value
PrivateLogSuccessfulConnections = $FirewallGroupPolicySettings.PrivateProfile.LogSuccessfulConnections.value
}
# Shows the Group Policies Firewall settings/policies
-$FirewallPoliciesOutput
+$FirewallPoliciesOutput
diff --git a/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Misc/only show Registry count and content.ps1 b/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Misc/only show Registry count and content.ps1
index 6a0d4d9d7..35f7fd94a 100644
--- a/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Misc/only show Registry count and content.ps1
+++ b/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Misc/only show Registry count and content.ps1
@@ -7,12 +7,12 @@ $xml = [xml](Get-Content -Path ".\GPResult.xml")
$RegistryOutput = @()
# Use dot notation to access the Policy element
$xml.Rsop.ComputerResults.ExtensionData.Extension.RegistrySetting | Where-Object { $null -ne $_.Value.Name } | ForEach-Object {
-
+
$RegistryOutput += [PSCustomObject]@{
KeyPath = $_.KeyPath
Name = $_.Value.Name
- Number = $_.Value.Number
- }
+ Number = $_.Value.Number
+ }
}
$RegistryOutput
diff --git a/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Protect-WindowsSecurity.psm1 b/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Protect-WindowsSecurity.psm1
index cf7d041be..694e4ea86 100644
--- a/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Protect-WindowsSecurity.psm1
+++ b/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Protect-WindowsSecurity.psm1
@@ -1,7 +1,7 @@
Function Protect-WindowsSecurity {
-
+
Invoke-RestMethod 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1' -OutFile .\Harden-Windows-Security.ps1
- try {
+ try {
.\Harden-Windows-Security.ps1
}
finally {
@@ -25,5 +25,5 @@ PowerShell
.FUNCTIONALITY
Downloads and runs the Harden Windows Security PowerShell script from the official repository
-#>
+#>
}
From c0f2298359acd61a62d7574adf2350940baa086d Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Sun, 10 Dec 2023 11:40:29 -0930
Subject: [PATCH 07/79] Improved position 0 parameters
---
.../Main files/Confirm-SystemCompliance.psm1 | 28 +++++++++----------
.../Main files/Functions.ps1 | 4 +--
.../Main files/Unprotect-WindowsSecurity.psm1 | 10 +++----
3 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1 b/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
index e2275ffda..0143ceb7d 100644
--- a/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
+++ b/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
@@ -1266,20 +1266,20 @@ function Confirm-SystemCompliance {
else {
#Region Colors
- [scriptblock]$WritePlum = { Write-Output "$($PSStyle.Foreground.FromRGB(221,160,221))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteOrchid = { Write-Output "$($PSStyle.Foreground.FromRGB(218,112,214))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteFuchsia = { Write-Output "$($PSStyle.Foreground.FromRGB(255,0,255))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteMediumOrchid = { Write-Output "$($PSStyle.Foreground.FromRGB(186,85,211))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteMediumPurple = { Write-Output "$($PSStyle.Foreground.FromRGB(147,112,219))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteBlueViolet = { Write-Output "$($PSStyle.Foreground.FromRGB(138,43,226))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$AndroidGreen = { Write-Output "$($PSStyle.Foreground.FromRGB(176,191,26))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WritePink = { Write-Output "$($PSStyle.Foreground.FromRGB(255,192,203))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteHotPink = { Write-Output "$($PSStyle.Foreground.FromRGB(255,105,180))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteDeepPink = { Write-Output "$($PSStyle.Foreground.FromRGB(255,20,147))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteMintGreen = { Write-Output "$($PSStyle.Foreground.FromRGB(152,255,152))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteOrange = { Write-Output "$($PSStyle.Foreground.FromRGB(255,165,0))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteSkyBlue = { Write-Output "$($PSStyle.Foreground.FromRGB(135,206,235))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$Daffodil = { Write-Output "$($PSStyle.Foreground.FromRGB(255,255,49))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
+ [scriptblock]$WritePlum = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(221,160,221))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
+ [scriptblock]$WriteOrchid = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(218,112,214))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
+ [scriptblock]$WriteFuchsia = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(255,0,255))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
+ [scriptblock]$WriteMediumOrchid = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(186,85,211))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
+ [scriptblock]$WriteMediumPurple = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(147,112,219))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
+ [scriptblock]$WriteBlueViolet = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(138,43,226))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
+ [scriptblock]$AndroidGreen = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(176,191,26))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
+ [scriptblock]$WritePink = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(255,192,203))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
+ [scriptblock]$WriteHotPink = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(255,105,180))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
+ [scriptblock]$WriteDeepPink = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(255,20,147))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
+ [scriptblock]$WriteMintGreen = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(152,255,152))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
+ [scriptblock]$WriteOrange = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(255,165,0))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
+ [scriptblock]$WriteSkyBlue = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(135,206,235))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
+ [scriptblock]$Daffodil = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(255,255,49))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
[scriptblock]$WriteRainbow1 = {
$text = $args[0]
diff --git a/Harden-Windows-Security Module/Main files/Functions.ps1 b/Harden-Windows-Security Module/Main files/Functions.ps1
index a95759420..de9bd250a 100644
--- a/Harden-Windows-Security Module/Main files/Functions.ps1
+++ b/Harden-Windows-Security Module/Main files/Functions.ps1
@@ -21,7 +21,7 @@ function Update-self {
}
if ($CurrentVersion -lt $LatestVersion) {
- Write-Output "$($PSStyle.Foreground.FromRGB(255,105,180))The currently installed module's version is $CurrentVersion while the latest version is $LatestVersion - Auto Updating the module... 💓$($PSStyle.Reset)"
+ Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(255,105,180))The currently installed module's version is $CurrentVersion while the latest version is $LatestVersion - Auto Updating the module... 💓$($PSStyle.Reset)"
# Only attempt to auto update the module if running as Admin, because Controlled Folder Access exclusion modification requires Admin privs
if (Test-IsAdmin) {
@@ -63,7 +63,7 @@ function Update-self {
}
}
# Make sure the old version isn't run after update
- Write-Output "$($PSStyle.Foreground.FromRGB(152,255,152))Update successful, please run the cmdlet again.$($PSStyle.Reset)"
+ Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(152,255,152))Update successful, please run the cmdlet again.$($PSStyle.Reset)"
break
return
}
diff --git a/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1 b/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
index cf65aa5af..fcd025672 100644
--- a/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
+++ b/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
@@ -21,9 +21,9 @@ Function Unprotect-WindowsSecurity {
. "$psscriptroot\Functions.ps1"
# Custom colors
- [scriptblock]$WriteFuchsia = { Write-Host "$($PSStyle.Foreground.FromRGB(236,68,155))$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteOrange = { Write-Host "$($PSStyle.Foreground.FromRGB(255,165,0))$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteMintGreen = { Write-Host "$($PSStyle.Foreground.FromRGB(152,255,152))$($args[0])$($PSStyle.Reset)" }
+ [scriptblock]$WriteFuchsia = { Write-Host -Object "$($PSStyle.Foreground.FromRGB(236,68,155))$($args[0])$($PSStyle.Reset)" }
+ [scriptblock]$WriteOrange = { Write-Host -Object "$($PSStyle.Foreground.FromRGB(255,165,0))$($args[0])$($PSStyle.Reset)" }
+ [scriptblock]$WriteMintGreen = { Write-Host -Object "$($PSStyle.Foreground.FromRGB(152,255,152))$($args[0])$($PSStyle.Reset)" }
# Only run this if -OnlyProcessMitigations parameter is passed
if (!$OnlyProcessMitigations) {
@@ -75,7 +75,7 @@ Function Unprotect-WindowsSecurity {
Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Payload/Registry.csv' -OutFile '.\Registry.csv' -ProgressAction SilentlyContinue
}
catch {
- Write-Host 'Using Azure DevOps...' -ForegroundColor Yellow
+ Write-Host -Object 'Using Azure DevOps...' -ForegroundColor Yellow
Invoke-WebRequest -Uri 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Payload/Registry.csv' -OutFile '.\Registry.csv' -ProgressAction SilentlyContinue
}
@@ -84,7 +84,7 @@ Function Unprotect-WindowsSecurity {
Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Payload/ProcessMitigations.csv' -OutFile '.\ProcessMitigations.csv' -ProgressAction SilentlyContinue
}
catch {
- Write-Host 'Using Azure DevOps...' -ForegroundColor Yellow
+ Write-Host -Object 'Using Azure DevOps...' -ForegroundColor Yellow
Invoke-WebRequest -Uri 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Payload/ProcessMitigations.csv' -OutFile '.\ProcessMitigations.csv' -ProgressAction SilentlyContinue
}
}
From b4f2d3cb23c1dcf9aa3fc795c94cacbf2d994fea Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Sun, 10 Dec 2023 11:43:51 -0930
Subject: [PATCH 08/79] Parameter position 0 improvements
---
.../Main files/Confirm-SystemCompliance.psm1 | 62 +++++++++----------
.../Main files/Unprotect-WindowsSecurity.psm1 | 4 +-
2 files changed, 33 insertions(+), 33 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1 b/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
index 0143ceb7d..6d69bbfec 100644
--- a/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
+++ b/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
@@ -113,7 +113,7 @@ function Confirm-SystemCompliance {
# an array to hold the output
[System.Object[]]$Output = @()
- foreach ($Item in $AllRegistryItems | Where-Object { $_.category -eq $CatName } | Where-Object { $_.Method -eq $Method }) {
+ foreach ($Item in $AllRegistryItems | Where-Object -FilterScript { $_.category -eq $CatName } | Where-Object -FilterScript { $_.Method -eq $Method }) {
# Initialize a flag to indicate if the key exists
[System.Boolean]$keyExists = $false
@@ -247,8 +247,8 @@ function Confirm-SystemCompliance {
# Verify the NX bit as shown in bcdedit /enum or Get-BcdEntry, info about numbers and values correlation: https://learn.microsoft.com/en-us/previous-versions/windows/desktop/bcd/bcdosloader-nxpolicy
$NestedObjectArray += [PSCustomObject]@{
FriendlyName = 'Boot Configuration Data (BCD) No-eXecute (NX) Value'
- Compliant = (((Get-BcdEntry).elements | Where-Object { $_.name -eq 'nx' }).value -eq '3')
- Value = (((Get-BcdEntry).elements | Where-Object { $_.name -eq 'nx' }).value -eq '3')
+ Compliant = (((Get-BcdEntry).elements | Where-Object -FilterScript { $_.name -eq 'nx' }).value -eq '3')
+ Value = (((Get-BcdEntry).elements | Where-Object -FilterScript { $_.name -eq 'nx' }).value -eq '3')
Name = 'Boot Configuration Data (BCD) No-eXecute (NX) Value'
Category = $CatName
Method = 'Cmdlet'
@@ -601,14 +601,14 @@ function Confirm-SystemCompliance {
}
#region Non-OS-Drive-BitLocker-Drives-Encryption-Verification
# Get the list of non OS volumes
- [System.Object[]]$NonOSBitLockerVolumes = Get-BitLockerVolume | Where-Object {
+ [System.Object[]]$NonOSBitLockerVolumes = Get-BitLockerVolume | Where-Object -FilterScript {
($_.volumeType -ne 'OperatingSystem')
}
# Get all the volumes and filter out removable ones
[System.Object[]]$RemovableVolumes = Get-Volume |
- Where-Object { $_.DriveType -eq 'Removable' } |
- Where-Object { $_.DriveLetter }
+ Where-Object -FilterScript { $_.DriveType -eq 'Removable' } |
+ Where-Object -FilterScript { $_.DriveLetter }
# Check if there is any removable volumes
if ($RemovableVolumes) {
@@ -619,7 +619,7 @@ function Confirm-SystemCompliance {
}
# Filter out removable drives from BitLocker volumes to process
- $NonOSBitLockerVolumes = $NonOSBitLockerVolumes | Where-Object {
+ $NonOSBitLockerVolumes = $NonOSBitLockerVolumes | Where-Object -FilterScript {
($_.MountPoint -notin $RemovableVolumesLetters)
}
}
@@ -919,17 +919,17 @@ function Confirm-SystemCompliance {
[System.Boolean]$PowerShell2 = (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root).State -eq 'Disabled'
[System.String]$WorkFoldersClient = (Get-WindowsOptionalFeature -Online -FeatureName WorkFolders-Client).state
[System.String]$InternetPrintingClient = (Get-WindowsOptionalFeature -Online -FeatureName Printing-Foundation-Features).state
- [System.String]$WindowsMediaPlayer = (Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Media.WindowsMediaPlayer*' }).state
+ [System.String]$WindowsMediaPlayer = (Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Media.WindowsMediaPlayer*' }).state
[System.String]$MDAG = (Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard).state
[System.String]$WindowsSandbox = (Get-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM).state
[System.String]$HyperV = (Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V).state
[System.String]$VMPlatform = (Get-WindowsOptionalFeature -Online -FeatureName VirtualMachinePlatform).state
- [System.String]$WMIC = (Get-WindowsCapability -Online | Where-Object { $_.Name -like '*wmic*' }).state
- [System.String]$IEMode = (Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Browser.InternetExplorer*' }).state
- [System.String]$LegacyNotepad = (Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Microsoft.Windows.Notepad.System*' }).state
- [System.String]$LegacyWordPad = (Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Microsoft.Windows.WordPad*' }).state
- [System.String]$PowerShellISE = (Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Microsoft.Windows.PowerShell.ISE*' }).state
- [System.String]$StepsRecorder = (Get-WindowsCapability -Online | Where-Object { $_.Name -like '*App.StepsRecorder*' }).state
+ [System.String]$WMIC = (Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*wmic*' }).state
+ [System.String]$IEMode = (Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Browser.InternetExplorer*' }).state
+ [System.String]$LegacyNotepad = (Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Microsoft.Windows.Notepad.System*' }).state
+ [System.String]$LegacyWordPad = (Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Microsoft.Windows.WordPad*' }).state
+ [System.String]$PowerShellISE = (Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Microsoft.Windows.PowerShell.ISE*' }).state
+ [System.String]$StepsRecorder = (Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*App.StepsRecorder*' }).state
# returning the output of the script block as an array
Return $PowerShell1, $PowerShell2, $WorkFoldersClient, $InternetPrintingClient, $WindowsMediaPlayer, $MDAG, $WindowsSandbox, $HyperV, $VMPlatform, $WMIC, $IEMode, $LegacyNotepad, $LegacyWordPad, $PowerShellISE, $StepsRecorder
}
@@ -1086,7 +1086,7 @@ function Confirm-SystemCompliance {
$NestedObjectArray += [PSCustomObject](Invoke-CategoryProcessing -catname $CatName -Method 'Group Policy')
# Check network location of all connections to see if they are public
- $Condition = Get-NetConnectionProfile | ForEach-Object { $_.NetworkCategory -eq 'public' }
+ $Condition = Get-NetConnectionProfile | ForEach-Object -Process { $_.NetworkCategory -eq 'public' }
[System.Boolean]$IndividualItemResult = -not ($condition -contains $false) ? $True : $false
# Verify a Security setting using Cmdlet
@@ -1167,7 +1167,7 @@ function Confirm-SystemCompliance {
# Checking if all user accounts are part of the Hyper-V security Group
# Get all the enabled user account SIDs
- [System.Security.Principal.SecurityIdentifier[]]$EnabledUsers = (Get-LocalUser | Where-Object { $_.Enabled -eq 'True' }).SID
+ [System.Security.Principal.SecurityIdentifier[]]$EnabledUsers = (Get-LocalUser | Where-Object -FilterScript { $_.Enabled -eq 'True' }).SID
# Get the members of the Hyper-V Administrators security group using their SID
[System.Security.Principal.SecurityIdentifier[]]$GroupMembers = (Get-LocalGroupMember -SID 'S-1-5-32-578').SID
@@ -1797,20 +1797,20 @@ function Confirm-SystemCompliance {
}
# Counting the number of $True Compliant values in the Final Output Object
- [System.Int64]$TotalTrueCompliantValuesInOutPut = ($FinalMegaObject.'Microsoft Defender' | Where-Object { $_.Compliant -eq $True }).Count + # 49 - 4x(N/A) = 45
- [System.Int64]($FinalMegaObject.ASR | Where-Object { $_.Compliant -eq $True }).Count + # 17
- [System.Int64]($FinalMegaObject.Bitlocker | Where-Object { $_.Compliant -eq $True }).Count + # 22 + Number of Non-OS drives which are dynamicly increased
- [System.Int64]($FinalMegaObject.TLS | Where-Object { $_.Compliant -eq $True }).Count + # 21
- [System.Int64]($FinalMegaObject.LockScreen | Where-Object { $_.Compliant -eq $True }).Count + # 14
- [System.Int64]($FinalMegaObject.UAC | Where-Object { $_.Compliant -eq $True }).Count + # 4
- [System.Int64]($FinalMegaObject.'Device Guard' | Where-Object { $_.Compliant -eq $True }).Count + # 8
- [System.Int64]($FinalMegaObject.'Windows Firewall' | Where-Object { $_.Compliant -eq $True }).Count + # 19
- [System.Int64]($FinalMegaObject.'Optional Windows Features' | Where-Object { $_.Compliant -eq $True }).Count + # 14
- [System.Int64]($FinalMegaObject.'Windows Networking' | Where-Object { $_.Compliant -eq $True }).Count + # 9
- [System.Int64]($FinalMegaObject.Miscellaneous | Where-Object { $_.Compliant -eq $True }).Count + # 18
- [System.Int64]($FinalMegaObject.'Windows Update' | Where-Object { $_.Compliant -eq $True }).Count + # 14
- [System.Int64]($FinalMegaObject.Edge | Where-Object { $_.Compliant -eq $True }).Count + # 15
- [System.Int64]($FinalMegaObject.'Non-Admin' | Where-Object { $_.Compliant -eq $True }).Count # 11
+ [System.Int64]$TotalTrueCompliantValuesInOutPut = ($FinalMegaObject.'Microsoft Defender' | Where-Object -FilterScript { $_.Compliant -eq $True }).Count + # 49 - 4x(N/A) = 45
+ [System.Int64]($FinalMegaObject.ASR | Where-Object -FilterScript { $_.Compliant -eq $True }).Count + # 17
+ [System.Int64]($FinalMegaObject.Bitlocker | Where-Object -FilterScript { $_.Compliant -eq $True }).Count + # 22 + Number of Non-OS drives which are dynamicly increased
+ [System.Int64]($FinalMegaObject.TLS | Where-Object -FilterScript { $_.Compliant -eq $True }).Count + # 21
+ [System.Int64]($FinalMegaObject.LockScreen | Where-Object -FilterScript { $_.Compliant -eq $True }).Count + # 14
+ [System.Int64]($FinalMegaObject.UAC | Where-Object -FilterScript { $_.Compliant -eq $True }).Count + # 4
+ [System.Int64]($FinalMegaObject.'Device Guard' | Where-Object -FilterScript { $_.Compliant -eq $True }).Count + # 8
+ [System.Int64]($FinalMegaObject.'Windows Firewall' | Where-Object -FilterScript { $_.Compliant -eq $True }).Count + # 19
+ [System.Int64]($FinalMegaObject.'Optional Windows Features' | Where-Object -FilterScript { $_.Compliant -eq $True }).Count + # 14
+ [System.Int64]($FinalMegaObject.'Windows Networking' | Where-Object -FilterScript { $_.Compliant -eq $True }).Count + # 9
+ [System.Int64]($FinalMegaObject.Miscellaneous | Where-Object -FilterScript { $_.Compliant -eq $True }).Count + # 18
+ [System.Int64]($FinalMegaObject.'Windows Update' | Where-Object -FilterScript { $_.Compliant -eq $True }).Count + # 14
+ [System.Int64]($FinalMegaObject.Edge | Where-Object -FilterScript { $_.Compliant -eq $True }).Count + # 15
+ [System.Int64]($FinalMegaObject.'Non-Admin' | Where-Object -FilterScript { $_.Compliant -eq $True }).Count # 11
#Region ASCII-Arts
@@ -2003,7 +2003,7 @@ Gpresult, Secedit, PowerShell, Registry
Uses Gpresult and Secedit to first export the effective Group policies and Security policies, then goes through them and checks them against the Harden Windows Security's guidelines.
.EXAMPLE
-($result.Microsoft Defender | Where-Object {$_.name -eq 'Controlled Folder Access Exclusions'}).value.programs
+($result.Microsoft Defender | Where-Object -FilterScript {$_.name -eq 'Controlled Folder Access Exclusions'}).value.programs
# Do this to get the Controlled Folder Access Programs list when using ShowAsObjectsOnly optional parameter to output an object
diff --git a/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1 b/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
index fcd025672..b3222a32f 100644
--- a/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
+++ b/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
@@ -191,8 +191,8 @@ Function Unprotect-WindowsSecurity {
# Enables Multicast DNS (mDNS) UDP-in Firewall Rules for all 3 Firewall profiles
Get-NetFirewallRule |
- Where-Object { $_.RuleGroup -eq '@%SystemRoot%\system32\firewallapi.dll,-37302' -and $_.Direction -eq 'inbound' } |
- ForEach-Object { Enable-NetFirewallRule -DisplayName $_.DisplayName }
+ Where-Object -FilterScript { $_.RuleGroup -eq '@%SystemRoot%\system32\firewallapi.dll,-37302' -and $_.Direction -eq 'inbound' } |
+ ForEach-Object -Process { Enable-NetFirewallRule -DisplayName $_.DisplayName }
# Remove any custom views added by this script for Event Viewer
if (Test-Path -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script') {
From ffd1cf04b66fa90d475273da32aabaa4649cbbe0 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Sun, 10 Dec 2023 11:52:12 -0930
Subject: [PATCH 09/79] Parameter improvements
---
.../Main files/Harden-Windows-Security.ps1 | 58 +++++++++----------
.../Main files/Unprotect-WindowsSecurity.psm1 | 4 +-
2 files changed, 31 insertions(+), 31 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
index 83690b282..d40e419a8 100644
--- a/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
@@ -622,11 +622,11 @@ try {
# working directory assignment
[System.IO.DirectoryInfo]$WorkingDir = "$global:UserTempDirectoryPath\HardeningXStuff\"
# change location to the new directory
- Set-Location $WorkingDir
+ Set-Location -Path $WorkingDir
# Clean up script block
[scriptblock]$CleanUp = {
- Set-Location $HOME
+ Set-Location -Path $HOME
Remove-Item -Recurse -Path "$global:UserTempDirectoryPath\HardeningXStuff\" -Force
# Disable progress bars
0..6 | ForEach-Object -Process { Write-Progress -Id $_ -Activity 'Done' -Completed }
@@ -669,7 +669,7 @@ try {
param([System.Uri]$Url, [System.IO.FileInfo]$Path, [System.String]$Tag)
# Create a WebClient object
- [System.Net.WebClient]$WC = New-Object System.Net.WebClient
+ [System.Net.WebClient]$WC = New-Object -TypeName System.Net.WebClient
try {
# Try to download the file from the original URL
$WC.DownloadFile($Url, $Path)
@@ -784,7 +784,7 @@ try {
Copy-Item -Path '.\LGPO_30\LGPO.exe' -Destination "$MicrosoftSecurityBaselinePath\Scripts\Tools"
# Change directory to the Security Baselines folder
- Set-Location "$MicrosoftSecurityBaselinePath\Scripts\"
+ Set-Location -Path "$MicrosoftSecurityBaselinePath\Scripts\"
# Run the official PowerShell script included in the Microsoft Security Baseline file we downloaded from Microsoft servers
.\Baseline-LocalInstall.ps1 -Win11NonDomainJoined
@@ -795,7 +795,7 @@ try {
Copy-Item -Path '.\LGPO_30\LGPO.exe' -Destination "$MicrosoftSecurityBaselinePath\Scripts\Tools"
# Change directory to the Security Baselines folder
- Set-Location "$MicrosoftSecurityBaselinePath\Scripts\"
+ Set-Location -Path "$MicrosoftSecurityBaselinePath\Scripts\"
# Run the official PowerShell script included in the Microsoft Security Baseline file we downloaded from Microsoft servers
.\Baseline-LocalInstall.ps1 -Win11NonDomainJoined
@@ -803,7 +803,7 @@ try {
Start-Sleep -Seconds 1
# Change current working directory to the LGPO's folder
- Set-Location "$WorkingDir\LGPO_30"
+ Set-Location -Path "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\Overrides for Microsoft Security Baseline\registry.pol'
.\LGPO.exe /q /s '..\Security-Baselines-X\Overrides for Microsoft Security Baseline\GptTmpl.inf'
@@ -827,12 +827,12 @@ try {
'Yes' {
Write-Progress -Id 0 -Activity 'Microsoft 365 Apps Security Baseline' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
- Set-Location $WorkingDir
+ Set-Location -Path $WorkingDir
# Copy LGPO.exe from its folder to Microsoft Office 365 Apps for Enterprise Security Baseline folder in order to get it ready to be used by PowerShell script
Copy-Item -Path '.\LGPO_30\LGPO.exe' -Destination "$Microsoft365SecurityBaselinePath\Scripts\Tools"
# Change directory to the M365 Security Baselines folder
- Set-Location "$Microsoft365SecurityBaselinePath\Scripts\"
+ Set-Location -Path "$Microsoft365SecurityBaselinePath\Scripts\"
# Run the official PowerShell script included in the Microsoft Security Baseline file we downloaded from Microsoft servers
.\Baseline-LocalInstall.ps1
@@ -854,7 +854,7 @@ try {
Write-Progress -Id 0 -Activity 'Microsoft Defender' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
# Change current working directory to the LGPO's folder
- Set-Location "$WorkingDir\LGPO_30"
+ Set-Location -Path "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\Microsoft Defender Policies\registry.pol'
# Optimizing Network Protection Performance of Windows Defender
@@ -881,7 +881,7 @@ try {
# Enable Mandatory ASLR Exploit Protection system-wide
Set-ProcessMitigation -System -Enable ForceRelocateImages
- Set-Location $WorkingDir
+ Set-Location -Path $WorkingDir
# Apply Process Mitigations
[System.Object[]]$ProcessMitigations = Import-Csv 'ProcessMitigations.csv' -Delimiter ','
@@ -950,7 +950,7 @@ try {
# If Smart App Control is on or user selected to turn it on then automatically enable optional diagnostic data
if (($ShouldEnableOptionalDiagnosticData -eq $True) -or ((Get-MpComputerStatus).SmartAppControlState -eq 'On')) {
# Change current working directory to the LGPO's folder
- Set-Location "$WorkingDir\LGPO_30"
+ Set-Location -Path "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\Microsoft Defender Policies\Optional Diagnostic Data\registry.pol'
}
else {
@@ -959,7 +959,7 @@ try {
switch (Select-Option -SubCategory -Options 'Yes', 'No', 'Exit' -Message "`nEnable Optional Diagnostic Data ?" -ExtraMessage 'Required for Smart App Control usage and evaluation, read the GitHub Readme!') {
'Yes' {
# Change current working directory to the LGPO's folder
- Set-Location "$WorkingDir\LGPO_30"
+ Set-Location -Path "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\Microsoft Defender Policies\Optional Diagnostic Data\registry.pol'
} 'No' { break }
'Exit' { &$CleanUp }
@@ -976,7 +976,7 @@ try {
'Yes' {
# Get the SID of the SYSTEM account. It is a well-known SID, but still querying it, going to use it to create the scheduled task
- [System.Security.Principal.SecurityIdentifier]$SYSTEMSID = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)
+ [System.Security.Principal.SecurityIdentifier]$SYSTEMSID = New-Object -TypeName System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)
# Create a scheduled task action, this defines how to download and install the latest Microsoft Recommended Driver Block Rules
[Microsoft.Management.Infrastructure.CimInstance]$Action = New-ScheduledTaskAction -Execute 'Powershell.exe' `
@@ -989,7 +989,7 @@ try {
[Microsoft.Management.Infrastructure.CimInstance]$Time = New-ScheduledTaskTrigger -Once -At (Get-Date).AddHours(1) -RepetitionInterval (New-TimeSpan -Days 7)
# Register the scheduled task
- Register-ScheduledTask -Action $Action -Trigger $Time -Principal $TaskPrincipal -TaskPath 'MSFT Driver Block list update' -TaskName 'MSFT Driver Block list update' -Description 'Microsoft Recommended Driver Block List update'
+ Register-ScheduledTask -Action $Action -Trigger $Time -Principal $TaskPrincipal -TaskPath 'MSFT Driver Block list update' -TaskName 'MSFT Driver Block list update' -Description 'Microsoft Recommended Driver Block List update' -Force
# Define advanced settings for the scheduled task
[Microsoft.Management.Infrastructure.CimInstance]$TaskSettings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -Compatibility 'Win8' -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 3) -RestartCount 4 -RestartInterval (New-TimeSpan -Hours 6) -RunOnlyIfNetworkAvailable
@@ -1032,7 +1032,7 @@ try {
Write-Progress -Id 0 -Activity 'Attack Surface Reduction Rules' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
# Change current working directory to the LGPO's folder
- Set-Location "$WorkingDir\LGPO_30"
+ Set-Location -Path "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\Attack Surface Reduction Rules Policies\registry.pol'
} 'No' { break ASRRulesCategoryLabel }
@@ -1053,7 +1053,7 @@ try {
Write-Progress -Id 0 -Activity 'Bitlocker Settings' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
# Change current working directory to the LGPO's folder
- Set-Location "$WorkingDir\LGPO_30"
+ Set-Location -Path "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\Bitlocker Policies\registry.pol'
@@ -1110,7 +1110,7 @@ try {
[System.Boolean]$BootDMAProtection = ([SystemInfo.NativeMethods]::BootDmaCheck()) -ne 0
# Change current working directory to the LGPO's folder
- Set-Location "$WorkingDir\LGPO_30"
+ Set-Location -Path "$WorkingDir\LGPO_30"
# Enables or disables DMA protection from Bitlocker Countermeasures based on the status of Kernel DMA protection.
if ($BootDMAProtection) {
@@ -1723,7 +1723,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
# TLS Registry section
- Set-Location $WorkingDir
+ Set-Location -Path $WorkingDir
[System.Object[]]$Items = Import-Csv '.\Registry.csv' -Delimiter ','
foreach ($Item in $Items) {
@@ -1732,7 +1732,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
# Change current working directory to the LGPO's folder
- Set-Location "$WorkingDir\LGPO_30"
+ Set-Location -Path "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\TLS Security\registry.pol'
} 'No' { break }
'Exit' { &$CleanUp }
@@ -1752,7 +1752,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Progress -Id 0 -Activity 'Lock Screen' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
# Change current working directory to the LGPO's folder
- Set-Location "$WorkingDir\LGPO_30"
+ Set-Location -Path "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\Lock Screen Policies\registry.pol'
.\LGPO.exe /q /s '..\Security-Baselines-X\Lock Screen Policies\GptTmpl.inf'
@@ -1786,7 +1786,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Progress -Id 0 -Activity 'User Account Control' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
# Change current working directory to the LGPO's folder
- Set-Location "$WorkingDir\LGPO_30"
+ Set-Location -Path "$WorkingDir\LGPO_30"
.\LGPO.exe /q /s '..\Security-Baselines-X\User Account Control UAC Policies\GptTmpl.inf'
# Apply the Automatically deny all UAC prompts on Standard accounts policy
@@ -1843,7 +1843,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Progress -Id 0 -Activity 'Windows Firewall' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
# Change current working directory to the LGPO's folder
- Set-Location "$WorkingDir\LGPO_30"
+ Set-Location -Path "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\Windows Firewall Policies\registry.pol'
# Disables Multicast DNS (mDNS) UDP-in Firewall Rules for all 3 Firewall profiles - disables only 3 rules
@@ -2166,7 +2166,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Progress -Id 0 -Activity 'Windows Networking' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
# Change current working directory to the LGPO's folder
- Set-Location "$WorkingDir\LGPO_30"
+ Set-Location -Path "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\Windows Networking Policies\registry.pol'
.\LGPO.exe /q /s '..\Security-Baselines-X\Windows Networking Policies\GptTmpl.inf'
@@ -2193,7 +2193,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Progress -Id 0 -Activity 'Miscellaneous Configurations' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
# Miscellaneous Registry section
- Set-Location $WorkingDir
+ Set-Location -Path $WorkingDir
[System.Object[]]$Items = Import-Csv '.\Registry.csv' -Delimiter ','
foreach ($Item in $Items) {
if ($Item.category -eq 'Miscellaneous') {
@@ -2201,7 +2201,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
# Change current working directory to the LGPO's folder
- Set-Location "$WorkingDir\LGPO_30"
+ Set-Location -Path "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\Miscellaneous Policies\registry.pol'
.\LGPO.exe /q /s '..\Security-Baselines-X\Miscellaneous Policies\GptTmpl.inf'
@@ -2259,7 +2259,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Enable restart notification for Windows update
Edit-Registry -path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings' -key 'RestartNotificationsAllowed2' -value '1' -type 'DWORD' -Action 'AddOrModify'
# Change current working directory to the LGPO's folder
- Set-Location "$WorkingDir\LGPO_30"
+ Set-Location -Path "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\Windows Update Policies\registry.pol'
} 'No' { break }
'Exit' { &$CleanUp }
@@ -2279,7 +2279,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Progress -Id 0 -Activity 'Edge Browser Configurations' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
# Edge Browser Configurations registry
- Set-Location $WorkingDir
+ Set-Location -Path $WorkingDir
[System.Object[]]$Items = Import-Csv '.\Registry.csv' -Delimiter ','
foreach ($Item in $Items) {
if ($Item.category -eq 'Edge') {
@@ -2394,7 +2394,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Progress -Id 0 -Activity 'Non-Admin category' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
# Non-Admin Registry section
- Set-Location $WorkingDir
+ Set-Location -Path $WorkingDir
Invoke-WithoutProgress {
# Download Registry CSV file from GitHub or Azure DevOps
try {
@@ -2441,7 +2441,7 @@ finally {
}
}
- Set-Location $HOME; Remove-Item -Recurse -Path "$global:UserTempDirectoryPath\HardeningXStuff\" -Force -ErrorAction SilentlyContinue
+ Set-Location -Path $HOME; Remove-Item -Recurse -Path "$global:UserTempDirectoryPath\HardeningXStuff\" -Force -ErrorAction SilentlyContinue
# Disable progress bars
0..6 | ForEach-Object -Process { Write-Progress -Id $_ -Activity 'Done' -Completed }
diff --git a/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1 b/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
index b3222a32f..d4c7f460b 100644
--- a/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
+++ b/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
@@ -65,7 +65,7 @@ Function Unprotect-WindowsSecurity {
Set-Location -Path $WorkingDir
# Clean up script block
- [scriptblock]$CleanUp = { Set-Location $HOME; Remove-Item -Recurse "$global:UserTempDirectoryPath\HardeningXStuff\" -Force; exit }
+ [scriptblock]$CleanUp = { Set-Location -Path $HOME; Remove-Item -Recurse "$global:UserTempDirectoryPath\HardeningXStuff\" -Force; exit }
Write-Progress -Activity 'Downloading the required files' -Status 'Processing' -PercentComplete 30
@@ -220,7 +220,7 @@ Function Unprotect-WindowsSecurity {
Set-MpPreference -ControlledFolderAccessAllowedApplications $CFAAllowedAppsBackup
}
- Set-Location $HOME; Remove-Item -Recurse "$global:UserTempDirectoryPath\HardeningXStuff\" -Force -ErrorAction SilentlyContinue
+ Set-Location -Path $HOME; Remove-Item -Recurse "$global:UserTempDirectoryPath\HardeningXStuff\" -Force -ErrorAction SilentlyContinue
}
<#
From f6dde74d51a487c8f373d70d4cb1b098b491d0cf Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Sun, 10 Dec 2023 11:53:24 -0930
Subject: [PATCH 10/79] Update Harden-Windows-Security.ps1
---
Harden-Windows-Security.ps1 | 58 ++++++++++++++++++-------------------
1 file changed, 29 insertions(+), 29 deletions(-)
diff --git a/Harden-Windows-Security.ps1 b/Harden-Windows-Security.ps1
index cf807a575..e53ec1a86 100644
--- a/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security.ps1
@@ -622,11 +622,11 @@ try {
# working directory assignment
[System.IO.DirectoryInfo]$WorkingDir = "$global:UserTempDirectoryPath\HardeningXStuff\"
# change location to the new directory
- Set-Location $WorkingDir
+ Set-Location -Path $WorkingDir
# Clean up script block
[scriptblock]$CleanUp = {
- Set-Location $HOME
+ Set-Location -Path $HOME
Remove-Item -Recurse -Path "$global:UserTempDirectoryPath\HardeningXStuff\" -Force
# Disable progress bars
0..6 | ForEach-Object -Process { Write-Progress -Id $_ -Activity 'Done' -Completed }
@@ -669,7 +669,7 @@ try {
param([System.Uri]$Url, [System.IO.FileInfo]$Path, [System.String]$Tag)
# Create a WebClient object
- [System.Net.WebClient]$WC = New-Object System.Net.WebClient
+ [System.Net.WebClient]$WC = New-Object -TypeName System.Net.WebClient
try {
# Try to download the file from the original URL
$WC.DownloadFile($Url, $Path)
@@ -784,7 +784,7 @@ try {
Copy-Item -Path '.\LGPO_30\LGPO.exe' -Destination "$MicrosoftSecurityBaselinePath\Scripts\Tools"
# Change directory to the Security Baselines folder
- Set-Location "$MicrosoftSecurityBaselinePath\Scripts\"
+ Set-Location -Path "$MicrosoftSecurityBaselinePath\Scripts\"
# Run the official PowerShell script included in the Microsoft Security Baseline file we downloaded from Microsoft servers
.\Baseline-LocalInstall.ps1 -Win11NonDomainJoined
@@ -795,7 +795,7 @@ try {
Copy-Item -Path '.\LGPO_30\LGPO.exe' -Destination "$MicrosoftSecurityBaselinePath\Scripts\Tools"
# Change directory to the Security Baselines folder
- Set-Location "$MicrosoftSecurityBaselinePath\Scripts\"
+ Set-Location -Path "$MicrosoftSecurityBaselinePath\Scripts\"
# Run the official PowerShell script included in the Microsoft Security Baseline file we downloaded from Microsoft servers
.\Baseline-LocalInstall.ps1 -Win11NonDomainJoined
@@ -803,7 +803,7 @@ try {
Start-Sleep -Seconds 1
# Change current working directory to the LGPO's folder
- Set-Location "$WorkingDir\LGPO_30"
+ Set-Location -Path "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\Overrides for Microsoft Security Baseline\registry.pol'
.\LGPO.exe /q /s '..\Security-Baselines-X\Overrides for Microsoft Security Baseline\GptTmpl.inf'
@@ -827,12 +827,12 @@ try {
'Yes' {
Write-Progress -Id 0 -Activity 'Microsoft 365 Apps Security Baseline' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
- Set-Location $WorkingDir
+ Set-Location -Path $WorkingDir
# Copy LGPO.exe from its folder to Microsoft Office 365 Apps for Enterprise Security Baseline folder in order to get it ready to be used by PowerShell script
Copy-Item -Path '.\LGPO_30\LGPO.exe' -Destination "$Microsoft365SecurityBaselinePath\Scripts\Tools"
# Change directory to the M365 Security Baselines folder
- Set-Location "$Microsoft365SecurityBaselinePath\Scripts\"
+ Set-Location -Path "$Microsoft365SecurityBaselinePath\Scripts\"
# Run the official PowerShell script included in the Microsoft Security Baseline file we downloaded from Microsoft servers
.\Baseline-LocalInstall.ps1
@@ -854,7 +854,7 @@ try {
Write-Progress -Id 0 -Activity 'Microsoft Defender' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
# Change current working directory to the LGPO's folder
- Set-Location "$WorkingDir\LGPO_30"
+ Set-Location -Path "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\Microsoft Defender Policies\registry.pol'
# Optimizing Network Protection Performance of Windows Defender
@@ -881,7 +881,7 @@ try {
# Enable Mandatory ASLR Exploit Protection system-wide
Set-ProcessMitigation -System -Enable ForceRelocateImages
- Set-Location $WorkingDir
+ Set-Location -Path $WorkingDir
# Apply Process Mitigations
[System.Object[]]$ProcessMitigations = Import-Csv 'ProcessMitigations.csv' -Delimiter ','
@@ -950,7 +950,7 @@ try {
# If Smart App Control is on or user selected to turn it on then automatically enable optional diagnostic data
if (($ShouldEnableOptionalDiagnosticData -eq $True) -or ((Get-MpComputerStatus).SmartAppControlState -eq 'On')) {
# Change current working directory to the LGPO's folder
- Set-Location "$WorkingDir\LGPO_30"
+ Set-Location -Path "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\Microsoft Defender Policies\Optional Diagnostic Data\registry.pol'
}
else {
@@ -959,7 +959,7 @@ try {
switch (Select-Option -SubCategory -Options 'Yes', 'No', 'Exit' -Message "`nEnable Optional Diagnostic Data ?" -ExtraMessage 'Required for Smart App Control usage and evaluation, read the GitHub Readme!') {
'Yes' {
# Change current working directory to the LGPO's folder
- Set-Location "$WorkingDir\LGPO_30"
+ Set-Location -Path "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\Microsoft Defender Policies\Optional Diagnostic Data\registry.pol'
} 'No' { break }
'Exit' { &$CleanUp }
@@ -976,7 +976,7 @@ try {
'Yes' {
# Get the SID of the SYSTEM account. It is a well-known SID, but still querying it, going to use it to create the scheduled task
- [System.Security.Principal.SecurityIdentifier]$SYSTEMSID = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)
+ [System.Security.Principal.SecurityIdentifier]$SYSTEMSID = New-Object -TypeName System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)
# Create a scheduled task action, this defines how to download and install the latest Microsoft Recommended Driver Block Rules
[Microsoft.Management.Infrastructure.CimInstance]$Action = New-ScheduledTaskAction -Execute 'Powershell.exe' `
@@ -989,7 +989,7 @@ try {
[Microsoft.Management.Infrastructure.CimInstance]$Time = New-ScheduledTaskTrigger -Once -At (Get-Date).AddHours(1) -RepetitionInterval (New-TimeSpan -Days 7)
# Register the scheduled task
- Register-ScheduledTask -Action $Action -Trigger $Time -Principal $TaskPrincipal -TaskPath 'MSFT Driver Block list update' -TaskName 'MSFT Driver Block list update' -Description 'Microsoft Recommended Driver Block List update'
+ Register-ScheduledTask -Action $Action -Trigger $Time -Principal $TaskPrincipal -TaskPath 'MSFT Driver Block list update' -TaskName 'MSFT Driver Block list update' -Description 'Microsoft Recommended Driver Block List update' -Force
# Define advanced settings for the scheduled task
[Microsoft.Management.Infrastructure.CimInstance]$TaskSettings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -Compatibility 'Win8' -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 3) -RestartCount 4 -RestartInterval (New-TimeSpan -Hours 6) -RunOnlyIfNetworkAvailable
@@ -1032,7 +1032,7 @@ try {
Write-Progress -Id 0 -Activity 'Attack Surface Reduction Rules' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
# Change current working directory to the LGPO's folder
- Set-Location "$WorkingDir\LGPO_30"
+ Set-Location -Path "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\Attack Surface Reduction Rules Policies\registry.pol'
} 'No' { break ASRRulesCategoryLabel }
@@ -1053,7 +1053,7 @@ try {
Write-Progress -Id 0 -Activity 'Bitlocker Settings' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
# Change current working directory to the LGPO's folder
- Set-Location "$WorkingDir\LGPO_30"
+ Set-Location -Path "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\Bitlocker Policies\registry.pol'
@@ -1110,7 +1110,7 @@ try {
[System.Boolean]$BootDMAProtection = ([SystemInfo.NativeMethods]::BootDmaCheck()) -ne 0
# Change current working directory to the LGPO's folder
- Set-Location "$WorkingDir\LGPO_30"
+ Set-Location -Path "$WorkingDir\LGPO_30"
# Enables or disables DMA protection from Bitlocker Countermeasures based on the status of Kernel DMA protection.
if ($BootDMAProtection) {
@@ -1723,7 +1723,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
# TLS Registry section
- Set-Location $WorkingDir
+ Set-Location -Path $WorkingDir
[System.Object[]]$Items = Import-Csv '.\Registry.csv' -Delimiter ','
foreach ($Item in $Items) {
@@ -1732,7 +1732,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
# Change current working directory to the LGPO's folder
- Set-Location "$WorkingDir\LGPO_30"
+ Set-Location -Path "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\TLS Security\registry.pol'
} 'No' { break }
'Exit' { &$CleanUp }
@@ -1752,7 +1752,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Progress -Id 0 -Activity 'Lock Screen' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
# Change current working directory to the LGPO's folder
- Set-Location "$WorkingDir\LGPO_30"
+ Set-Location -Path "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\Lock Screen Policies\registry.pol'
.\LGPO.exe /q /s '..\Security-Baselines-X\Lock Screen Policies\GptTmpl.inf'
@@ -1786,7 +1786,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Progress -Id 0 -Activity 'User Account Control' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
# Change current working directory to the LGPO's folder
- Set-Location "$WorkingDir\LGPO_30"
+ Set-Location -Path "$WorkingDir\LGPO_30"
.\LGPO.exe /q /s '..\Security-Baselines-X\User Account Control UAC Policies\GptTmpl.inf'
# Apply the Automatically deny all UAC prompts on Standard accounts policy
@@ -1843,7 +1843,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Progress -Id 0 -Activity 'Windows Firewall' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
# Change current working directory to the LGPO's folder
- Set-Location "$WorkingDir\LGPO_30"
+ Set-Location -Path "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\Windows Firewall Policies\registry.pol'
# Disables Multicast DNS (mDNS) UDP-in Firewall Rules for all 3 Firewall profiles - disables only 3 rules
@@ -2166,7 +2166,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Progress -Id 0 -Activity 'Windows Networking' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
# Change current working directory to the LGPO's folder
- Set-Location "$WorkingDir\LGPO_30"
+ Set-Location -Path "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\Windows Networking Policies\registry.pol'
.\LGPO.exe /q /s '..\Security-Baselines-X\Windows Networking Policies\GptTmpl.inf'
@@ -2193,7 +2193,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Progress -Id 0 -Activity 'Miscellaneous Configurations' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
# Miscellaneous Registry section
- Set-Location $WorkingDir
+ Set-Location -Path $WorkingDir
[System.Object[]]$Items = Import-Csv '.\Registry.csv' -Delimiter ','
foreach ($Item in $Items) {
if ($Item.category -eq 'Miscellaneous') {
@@ -2201,7 +2201,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
# Change current working directory to the LGPO's folder
- Set-Location "$WorkingDir\LGPO_30"
+ Set-Location -Path "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\Miscellaneous Policies\registry.pol'
.\LGPO.exe /q /s '..\Security-Baselines-X\Miscellaneous Policies\GptTmpl.inf'
@@ -2259,7 +2259,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Enable restart notification for Windows update
Edit-Registry -path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings' -key 'RestartNotificationsAllowed2' -value '1' -type 'DWORD' -Action 'AddOrModify'
# Change current working directory to the LGPO's folder
- Set-Location "$WorkingDir\LGPO_30"
+ Set-Location -Path "$WorkingDir\LGPO_30"
.\LGPO.exe /q /m '..\Security-Baselines-X\Windows Update Policies\registry.pol'
} 'No' { break }
'Exit' { &$CleanUp }
@@ -2279,7 +2279,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Progress -Id 0 -Activity 'Edge Browser Configurations' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
# Edge Browser Configurations registry
- Set-Location $WorkingDir
+ Set-Location -Path $WorkingDir
[System.Object[]]$Items = Import-Csv '.\Registry.csv' -Delimiter ','
foreach ($Item in $Items) {
if ($Item.category -eq 'Edge') {
@@ -2394,7 +2394,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Progress -Id 0 -Activity 'Non-Admin category' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
# Non-Admin Registry section
- Set-Location $WorkingDir
+ Set-Location -Path $WorkingDir
Invoke-WithoutProgress {
# Download Registry CSV file from GitHub or Azure DevOps
try {
@@ -2441,7 +2441,7 @@ finally {
}
}
- Set-Location $HOME; Remove-Item -Recurse -Path "$global:UserTempDirectoryPath\HardeningXStuff\" -Force -ErrorAction SilentlyContinue
+ Set-Location -Path $HOME; Remove-Item -Recurse -Path "$global:UserTempDirectoryPath\HardeningXStuff\" -Force -ErrorAction SilentlyContinue
# Disable progress bars
0..6 | ForEach-Object -Process { Write-Progress -Id $_ -Activity 'Done' -Completed }
From ebdbf91011c1da54ff647434d0d73659dc882f7f Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Sun, 10 Dec 2023 12:04:50 -0930
Subject: [PATCH 11/79] More Parameter improvements
---
.../Main files/Harden-Windows-Security.ps1 | 12 ++++++------
.../Main files/Unprotect-WindowsSecurity.psm1 | 8 ++++----
Harden-Windows-Security.ps1 | 12 ++++++------
3 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
index d40e419a8..65229faaa 100644
--- a/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
@@ -884,10 +884,10 @@ try {
Set-Location -Path $WorkingDir
# Apply Process Mitigations
- [System.Object[]]$ProcessMitigations = Import-Csv 'ProcessMitigations.csv' -Delimiter ','
+ [System.Object[]]$ProcessMitigations = Import-Csv -Path 'ProcessMitigations.csv' -Delimiter ','
# Group the data by ProgramName
- [System.Object[]]$GroupedMitigations = $ProcessMitigations | Group-Object ProgramName
+ [System.Object[]]$GroupedMitigations = $ProcessMitigations | Group-Object -Property ProgramName
# Get the current process mitigations
[System.Object[]]$AllAvailableMitigations = (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*')
@@ -1725,7 +1725,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# TLS Registry section
Set-Location -Path $WorkingDir
- [System.Object[]]$Items = Import-Csv '.\Registry.csv' -Delimiter ','
+ [System.Object[]]$Items = Import-Csv -Path '.\Registry.csv' -Delimiter ','
foreach ($Item in $Items) {
if ($Item.category -eq 'TLS') {
Edit-Registry -path $Item.Path -key $Item.Key -value $Item.Value -type $Item.Type -Action $Item.Action
@@ -2194,7 +2194,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Miscellaneous Registry section
Set-Location -Path $WorkingDir
- [System.Object[]]$Items = Import-Csv '.\Registry.csv' -Delimiter ','
+ [System.Object[]]$Items = Import-Csv -Path '.\Registry.csv' -Delimiter ','
foreach ($Item in $Items) {
if ($Item.category -eq 'Miscellaneous') {
Edit-Registry -path $Item.Path -key $Item.Key -value $Item.Value -type $Item.Type -Action $Item.Action
@@ -2280,7 +2280,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Edge Browser Configurations registry
Set-Location -Path $WorkingDir
- [System.Object[]]$Items = Import-Csv '.\Registry.csv' -Delimiter ','
+ [System.Object[]]$Items = Import-Csv -Path '.\Registry.csv' -Delimiter ','
foreach ($Item in $Items) {
if ($Item.category -eq 'Edge') {
Edit-Registry -path $Item.Path -key $Item.Key -value $Item.Value -type $Item.Type -Action $Item.Action
@@ -2405,7 +2405,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Invoke-WebRequest -Uri 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Payload/Registry.csv' -OutFile '.\Registry.csv' -ErrorAction Stop
}
}
- [System.Object[]]$Items = Import-Csv '.\Registry.csv' -Delimiter ','
+ [System.Object[]]$Items = Import-Csv -Path '.\Registry.csv' -Delimiter ','
foreach ($Item in $Items) {
if ($Item.category -eq 'NonAdmin') {
Edit-Registry -path $Item.Path -key $Item.Key -value $Item.Value -type $Item.Type -Action $Item.Action
diff --git a/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1 b/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
index d4c7f460b..73f204c59 100644
--- a/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
+++ b/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
@@ -104,7 +104,7 @@ Function Unprotect-WindowsSecurity {
Write-Progress -Activity 'Deleting all the registry keys created by the Protect-WindowsSecurity cmdlet' -Status 'Processing' -PercentComplete 60
- [System.Object[]]$Items = Import-Csv '.\Registry.csv' -Delimiter ','
+ [System.Object[]]$Items = Import-Csv -Path '.\Registry.csv' -Delimiter ','
foreach ($Item in $Items) {
if (Test-Path -Path $item.path) {
Remove-ItemProperty -Path $Item.path -Name $Item.key -Force -ErrorAction SilentlyContinue
@@ -153,9 +153,9 @@ Function Unprotect-WindowsSecurity {
# Remove Process Mitigations
- [System.Object[]]$ProcessMitigations = Import-Csv '.\ProcessMitigations.csv' -Delimiter ','
+ [System.Object[]]$ProcessMitigations = Import-Csv -Path '.\ProcessMitigations.csv' -Delimiter ','
# Group the data by ProgramName
- [System.Object[]]$GroupedMitigations = $ProcessMitigations | Group-Object ProgramName
+ [System.Object[]]$GroupedMitigations = $ProcessMitigations | Group-Object -Property ProgramName
[System.Object[]]$AllAvailableMitigations = (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*')
Write-Progress -Activity 'Removing Process Mitigations for apps' -Status 'Processing' -PercentComplete 90
@@ -220,7 +220,7 @@ Function Unprotect-WindowsSecurity {
Set-MpPreference -ControlledFolderAccessAllowedApplications $CFAAllowedAppsBackup
}
- Set-Location -Path $HOME; Remove-Item -Recurse "$global:UserTempDirectoryPath\HardeningXStuff\" -Force -ErrorAction SilentlyContinue
+ Set-Location -Path $HOME; Remove-Item -Recurse -Path "$global:UserTempDirectoryPath\HardeningXStuff\" -Force -ErrorAction SilentlyContinue
}
<#
diff --git a/Harden-Windows-Security.ps1 b/Harden-Windows-Security.ps1
index e53ec1a86..87d9754a3 100644
--- a/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security.ps1
@@ -884,10 +884,10 @@ try {
Set-Location -Path $WorkingDir
# Apply Process Mitigations
- [System.Object[]]$ProcessMitigations = Import-Csv 'ProcessMitigations.csv' -Delimiter ','
+ [System.Object[]]$ProcessMitigations = Import-Csv -Path 'ProcessMitigations.csv' -Delimiter ','
# Group the data by ProgramName
- [System.Object[]]$GroupedMitigations = $ProcessMitigations | Group-Object ProgramName
+ [System.Object[]]$GroupedMitigations = $ProcessMitigations | Group-Object -Property ProgramName
# Get the current process mitigations
[System.Object[]]$AllAvailableMitigations = (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*')
@@ -1725,7 +1725,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# TLS Registry section
Set-Location -Path $WorkingDir
- [System.Object[]]$Items = Import-Csv '.\Registry.csv' -Delimiter ','
+ [System.Object[]]$Items = Import-Csv -Path '.\Registry.csv' -Delimiter ','
foreach ($Item in $Items) {
if ($Item.category -eq 'TLS') {
Edit-Registry -path $Item.Path -key $Item.Key -value $Item.Value -type $Item.Type -Action $Item.Action
@@ -2194,7 +2194,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Miscellaneous Registry section
Set-Location -Path $WorkingDir
- [System.Object[]]$Items = Import-Csv '.\Registry.csv' -Delimiter ','
+ [System.Object[]]$Items = Import-Csv -Path '.\Registry.csv' -Delimiter ','
foreach ($Item in $Items) {
if ($Item.category -eq 'Miscellaneous') {
Edit-Registry -path $Item.Path -key $Item.Key -value $Item.Value -type $Item.Type -Action $Item.Action
@@ -2280,7 +2280,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Edge Browser Configurations registry
Set-Location -Path $WorkingDir
- [System.Object[]]$Items = Import-Csv '.\Registry.csv' -Delimiter ','
+ [System.Object[]]$Items = Import-Csv -Path '.\Registry.csv' -Delimiter ','
foreach ($Item in $Items) {
if ($Item.category -eq 'Edge') {
Edit-Registry -path $Item.Path -key $Item.Key -value $Item.Value -type $Item.Type -Action $Item.Action
@@ -2405,7 +2405,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Invoke-WebRequest -Uri 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Payload/Registry.csv' -OutFile '.\Registry.csv' -ErrorAction Stop
}
}
- [System.Object[]]$Items = Import-Csv '.\Registry.csv' -Delimiter ','
+ [System.Object[]]$Items = Import-Csv -Path '.\Registry.csv' -Delimiter ','
foreach ($Item in $Items) {
if ($Item.category -eq 'NonAdmin') {
Edit-Registry -path $Item.Path -key $Item.Key -value $Item.Value -type $Item.Type -Action $Item.Action
From 8ea810158e406c838fd1fc1df25d55b64fe9f02c Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Sun, 10 Dec 2023 12:37:56 -0930
Subject: [PATCH 12/79] Applied so many best practices in the code
---
.../Main files/Harden-Windows-Security.ps1 | 223 ++++++++++++------
Harden-Windows-Security.ps1 | 223 ++++++++++++------
2 files changed, 294 insertions(+), 152 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
index 65229faaa..c64358bb2 100644
--- a/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
@@ -77,13 +77,10 @@
🏴 If you have any questions, requests, suggestions etc. about this script, please open a new Discussion or Issue on GitHub
-
.EXAMPLE
.NOTES
-
Check out GitHub page for security recommendations: https://github.com/HotCakeX/Harden-Windows-Security
-
#>
# Get the execution policy for the current process
@@ -112,13 +109,23 @@ $Host.UI.RawUI.WindowTitle = '❤️🔥Harden Windows Security❤️🔥'
[System.Boolean]$ShouldEnableOptionalDiagnosticData = $false
#region Functions
-# Questions function
function Select-Option {
+ <#
+ .synopsis
+ Function to show a prompt to the user to select an option from a list of options
+ .INPUTS
+ System.String
+ System.Management.Automation.SwitchParameter
+ .PARAMETER Message
+ Contains the main prompt message
+ .PARAMETER ExtraMessage
+ Contains any extra notes for sub-categories
+ #>
param(
- [parameter(Mandatory = $True)][System.String]$Message, # Contains the main prompt message
+ [parameter(Mandatory = $True)][System.String]$Message,
[parameter(Mandatory = $True)][System.String[]]$Options,
[parameter(Mandatory = $false)][System.Management.Automation.SwitchParameter]$SubCategory,
- [parameter(Mandatory = $false)][System.String]$ExtraMessage # Contains any extra notes for sub-categories
+ [parameter(Mandatory = $false)][System.String]$ExtraMessage
)
$Selected = $null
@@ -160,8 +167,15 @@ function Select-Option {
return $Selected
}
-# Function to modify registry
function Edit-Registry {
+ <#
+ .SYNOPSIS
+ Function to modify registry
+ .INPUTS
+ System.String
+ .OUTPUTS
+ System.Void
+ #>
param ([System.String]$Path, [System.String]$Key, [System.String]$Value, [System.String]$Type, [System.String]$Action)
If (-NOT (Test-Path -Path $Path)) {
New-Item -Path $Path -Force | Out-Null
@@ -174,25 +188,37 @@ function Edit-Registry {
}
}
-# https://devblogs.microsoft.com/scripting/use-function-to-determine-elevation-of-powershell-console/
-# Function to test if current session has administrator privileges
Function Test-IsAdmin {
+ <#
+ .SYNOPSIS
+ Function to test if current session has administrator privileges
+ .LINK
+ https://devblogs.microsoft.com/scripting/use-function-to-determine-elevation-of-powershell-console/
+ #>
[System.Security.Principal.WindowsIdentity]$Identity = [Security.Principal.WindowsIdentity]::GetCurrent()
[System.Security.Principal.WindowsPrincipal]$Principal = New-Object -TypeName 'Security.Principal.WindowsPrincipal' -ArgumentList $Identity
$Principal.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
}
-# Hiding Invoke-WebRequest progress because it creates lingering visual effect on PowerShell console for some reason
-# https://github.com/PowerShell/PowerShell/issues/14348
-
-# https://stackoverflow.com/questions/18770723/hide-progress-of-Invoke-WebRequest
# Create an in-memory module so $ScriptBlock doesn't run in new scope
$null = New-Module {
function Invoke-WithoutProgress {
+ <#
+ .SYNOPSIS
+ Hiding Invoke-WebRequest progress because it creates lingering visual effect on PowerShell console for some reason
+ .LINK
+ https://github.com/PowerShell/PowerShell/issues/14348
+ .LINK
+ https://stackoverflow.com/questions/18770723/hide-progress-of-Invoke-WebRequest
+ .INPUTS
+ System.Management.Automation.ScriptBlock
+ .OUTPUTS
+ System.Void
+ #>
[CmdletBinding()]
param (
[Parameter(Mandatory = $true)]
- [scriptblock]$ScriptBlock
+ [System.Management.Automation.ScriptBlock]$ScriptBlock
)
# Save current progress preference and hide the progress
[System.Management.Automation.ActionPreference]$PrevProgressPreference = $global:ProgressPreference
@@ -208,13 +234,20 @@ $null = New-Module {
}
}
-<#
-https://stackoverflow.com/questions/48809012/compare-two-credentials-in-powershell
-
- Safely compares two SecureString objects without decrypting them.
- Outputs $true if they are equal, or $false otherwise.
-#>
function Compare-SecureString {
+ <#
+ .SYNOPSIS
+ Safely compares two SecureString objects without decrypting them.
+ Outputs $true if they are equal, or $false otherwise.
+ .LINK
+ https://stackoverflow.com/questions/48809012/compare-two-credentials-in-powershell
+ .INPUTS
+ System.Security.SecureString
+ .PARAMETER SecureString1
+ First secure string
+ .PARAMETER SecureString2
+ Second secure string to compare with the first secure string
+ #>
param(
[Security.SecureString]$SecureString1,
[Security.SecureString]$SecureString2
@@ -246,8 +279,24 @@ function Compare-SecureString {
}
}
-# Function to write colorful text based on PS edition
Function Write-SmartText {
+ <#
+ .SYNOPSIS
+ Function to write colorful text based on PS edition
+ .INPUTS
+ System.String
+ System.Management.Automation.SwitchParameter
+ .OUTPUTS
+ System.String
+ .PARAMETER CustomColor
+ The custom color to use to display the text, uses PSStyle
+ .PARAMETER GenericColor
+ The generic color to use to display the text, uses Write-Host and legacy colors
+ .PARAMETER InputText
+ The text to display in the selected color
+ .PARAMETER NoNewLineLegacy
+ Only used with Legacy colors to write them on the same line, used by the function that gets the removable drives for BitLocker Enhanced security level encryption
+ #>
[CmdletBinding()]
[Alias('WST')]
@@ -268,7 +317,7 @@ Function Write-SmartText {
[parameter(Mandatory = $false)]
[Alias('N')]
- [System.Management.Automation.SwitchParameter]$NoNewLineLegacy # Only used with Legacy colors to write them on the same line, used by the function that gets the removable drives for BitLocker Enhanced security level encryption
+ [System.Management.Automation.SwitchParameter]$NoNewLineLegacy
)
# Determining if PowerShell edition is Core to use modern styling
@@ -322,11 +371,15 @@ Function Write-SmartText {
Write-Host -Object $InputText -ForegroundColor $GenericColor
}
}
-
}
-# Function to get a removable drive to be used by BitLocker category
function Get-AvailableRemovableDrives {
+ <#
+ .SYNOPSIS
+ Function to get a removable drive to be used by BitLocker category
+ .INPUTS
+ None. You cannot pipe objects to this function
+ #>
# An empty array of objects that holds the final removable drives list
[System.Object[]]$AvailableRemovableDrives = @()
@@ -465,9 +518,19 @@ function Get-AvailableRemovableDrives {
Write-Host ('{0,-4}' -f "$ExitCodeRemovableDriveSelection") -NoNewline -ForegroundColor DarkRed
Write-Host -Object '|Skip encryptions altogether' -ForegroundColor DarkRed
- # A function to validate the user input
function Confirm-Choice {
- param([System.String]$Choice)
+ <#
+ .SYNOPSIS
+ A function to validate the user input
+ .INPUTS
+ System.String
+ .OUTPUTS
+ System.Boolean
+ #>
+ param(
+ [System.String]$Choice
+ )
+
# Initialize a flag to indicate if the input is valid or not
[System.Boolean]$IsValid = $false
# Initialize a variable to store the parsed integer value
@@ -505,6 +568,43 @@ function Get-AvailableRemovableDrives {
return ($($AvailableRemovableDrives[$Choice - 1]).DriveLetter + ':')
}
}
+
+function Block-CountryIP {
+ <#
+ .SYNOPSIS
+ A function that gets a list of IP addresses and a name for them, then adds those IP addresses in the firewall block rules
+ .NOTES
+ -RemoteAddress in New-NetFirewallRule accepts array according to Microsoft Docs,
+ so we use "[System.String[]]$IPList = $IPList -split '\r?\n' -ne ''" to convert the IP lists, which is a single multiline string, into an array
+
+ how to query the number of IPs in each rule
+ (Get-NetFirewallRule -DisplayName "OFAC Sanctioned Countries IP range blocking" -PolicyStore localhost | Get-NetFirewallAddressFilter).RemoteAddress.count
+ .INPUTS
+ System.String
+ System.String[]
+ .OUTPUTS
+ System.Void
+ #>
+ param (
+ [System.String[]]$IPList,
+ [System.String]$ListName
+ )
+
+ # deletes previous rules (if any) to get new up-to-date IP ranges from the sources and set new rules
+ Remove-NetFirewallRule -DisplayName "$ListName IP range blocking" -PolicyStore localhost -ErrorAction SilentlyContinue
+
+ # converts the list which is in string into array
+ [System.String[]]$IPList = $IPList -split '\r?\n' -ne ''
+
+ # makes sure the list isn't empty
+ if ($IPList.count -eq 0) {
+ Write-Host -Object "The IP list was empty, skipping $ListName" -ForegroundColor Yellow
+ break
+ }
+
+ New-NetFirewallRule -DisplayName "$ListName IP range blocking" -Direction Inbound -Action Block -LocalAddress Any -RemoteAddress $IPList -Description "$ListName IP range blocking" -EdgeTraversalPolicy Block -PolicyStore localhost
+ New-NetFirewallRule -DisplayName "$ListName IP range blocking" -Direction Outbound -Action Block -LocalAddress Any -RemoteAddress $IPList -Description "$ListName IP range blocking" -EdgeTraversalPolicy Block -PolicyStore localhost
+}
#endregion functions
if (Test-IsAdmin) {
@@ -527,8 +627,8 @@ if (Test-IsAdmin) {
}
-# doing a try-finally block on the entire script so that when CTRL + C is pressed to forcefully exit the script,
-# or break is passed, clean up will still happen for secure exit
+# doing a try-catch-finally block on the entire script so that when CTRL + C is pressed to forcefully exit the script,
+# or break is passed, clean up will still happen for secure exit. Any errors that happens will be thrown
try {
try {
Invoke-WithoutProgress {
@@ -536,8 +636,7 @@ try {
}
}
catch {
- Write-Error "Couldn't verify if the latest version of the script is installed, please check your Internet connection."
- break
+ Throw 'Could not verify if the latest version of the script is installed, please check your Internet connection.'
}
# Check the current hard-coded version against the latest version online
# the messages can technically only be seen if installing the script in standalone mode using old Windows PowerShell
@@ -561,8 +660,7 @@ try {
#region RequirementsCheck
# check if user's OS is Windows Home edition
if ((Get-CimInstance -ClassName Win32_OperatingSystem).OperatingSystemSKU -eq '101') {
- Write-Error -Message 'Windows Home edition detected, exiting...'
- break
+ Throw 'Windows Home edition detected, exiting...'
}
# check if user's OS is the latest build
@@ -577,42 +675,35 @@ try {
# Make sure the current OS build is equal or greater than the required build
if (-NOT ($FullOSBuild -ge $Requiredbuild)) {
- Write-Error -Message "You're not using the latest build of the Windows OS. A minimum build of $Requiredbuild is required but your OS build is $FullOSBuild`nPlease go to Windows Update to install the updates and then try again."
- break
+ Throw "You're not using the latest build of the Windows OS. A minimum build of $Requiredbuild is required but your OS build is $FullOSBuild`nPlease go to Windows Update to install the updates and then try again."
}
if (Test-IsAdmin) {
# check to make sure Secure Boot is enabled
if (-NOT (Confirm-SecureBootUEFI)) {
- Write-Error -Message 'Secure Boot is not enabled, please go to your UEFI settings to enable it and then try again.'
- break
+ Throw 'Secure Boot is not enabled, please go to your UEFI settings to enable it and then try again.'
}
# check to make sure TPM is available and enabled
[System.Object]$TPM = Get-Tpm
if (-not ($TPM.tpmpresent -and $TPM.tpmenabled)) {
- Write-Error -Message 'TPM is not available or enabled, please enable it in UEFI settings and try again.'
- break
+ Throw 'TPM is not available or enabled, please enable it in UEFI settings and try again.'
}
if (-NOT ($MDAVConfigCurrent.AMServiceEnabled -eq $true)) {
- Write-Error -Message 'Microsoft Defender Anti Malware service is not enabled, please enable it and then try again.'
- break
+ Throw 'Microsoft Defender Anti Malware service is not enabled, please enable it and then try again.'
}
if (-NOT ($MDAVConfigCurrent.AntispywareEnabled -eq $true)) {
- Write-Error -Message 'Microsoft Defender Anti Spyware is not enabled, please enable it and then try again.'
- break
+ Throw 'Microsoft Defender Anti Spyware is not enabled, please enable it and then try again.'
}
if (-NOT ($MDAVConfigCurrent.AntivirusEnabled -eq $true)) {
- Write-Error -Message 'Microsoft Defender Anti Virus is not enabled, please enable it and then try again.'
- break
+ Throw 'Microsoft Defender Anti Virus is not enabled, please enable it and then try again.'
}
if ($MDAVConfigCurrent.AMRunningMode -ne 'Normal') {
- Write-Error -Message "Microsoft Defender is running in $($MDAVConfigCurrent.AMRunningMode) state, please remove any 3rd party AV and then try again."
- break
+ Throw "Microsoft Defender is running in $($MDAVConfigCurrent.AMRunningMode) state, please remove any 3rd party AV and then try again."
}
}
#endregion RequirementsCheck
@@ -625,7 +716,7 @@ try {
Set-Location -Path $WorkingDir
# Clean up script block
- [scriptblock]$CleanUp = {
+ [System.Management.Automation.ScriptBlock]$CleanUp = {
Set-Location -Path $HOME
Remove-Item -Recurse -Path "$global:UserTempDirectoryPath\HardeningXStuff\" -Force
# Disable progress bars
@@ -729,7 +820,7 @@ try {
Write-Progress -Id 1 -ParentId 0 -Activity 'Downloading files completed.' -Completed
}
catch {
- Write-Error "The required files couldn't be downloaded, Make sure you have Internet connection."
+ Write-Error 'The required files could not be downloaded, Make sure you have Internet connection.' -ErrorAction Continue
foreach ($Job in $Jobs) { Remove-Job -Job $Job -ErrorAction Stop }
&$CleanUp
}
@@ -762,7 +853,7 @@ try {
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x30 /f
Write-Host -Object 'The required security measures have been applied to the system' -ForegroundColor Green
- Write-Warning 'Make sure to restart your device once. After restart, wait for at least 5-10 minutes and perform a 2nd restart to finish applying security measures completely.'
+ Write-Warning -Message 'Make sure to restart your device once. After restart, wait for at least 5-10 minutes and perform a 2nd restart to finish applying security measures completely.'
} 'No' { break }
'Exit' { &$CleanUp }
}
@@ -1126,7 +1217,7 @@ try {
# check, make sure there is no CD/DVD drives in the system, because Bitlocker throws an error when there is
$CdDvdCheck = (Get-CimInstance -ClassName Win32_CDROMDrive -Property *).MediaLoaded
if ($CdDvdCheck) {
- Write-Warning 'Remove any CD/DVD drives or mounted images/ISO from the system and run the Bitlocker category again.'
+ Write-Warning -Message 'Remove any CD/DVD drives or mounted images/ISO from the system and run the Bitlocker category again.'
# break from the entire BitLocker category and continue to the next category
break BitLockerCategoryLabel
}
@@ -1141,7 +1232,7 @@ try {
}
# A script block that generates recovery code just like the Windows does
- [scriptblock]$RecoveryPasswordContentGenerator = {
+ [System.Management.Automation.ScriptBlock]$RecoveryPasswordContentGenerator = {
param ([System.Object[]]$KeyProtectorsInputFromScriptBlock)
return @"
@@ -2335,26 +2426,6 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
'Yes' {
Write-Progress -Id 0 -Activity 'Country IP Blocking' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
- # -RemoteAddress in New-NetFirewallRule accepts array according to Microsoft Docs,
- # so we use "[System.String[]]$IPList = $IPList -split '\r?\n' -ne ''" to convert the IP lists, which is a single multiline string, into an array
- function Block-CountryIP {
- param ([System.String[]]$IPList , [System.String]$ListName)
-
- # deletes previous rules (if any) to get new up-to-date IP ranges from the sources and set new rules
- Remove-NetFirewallRule -DisplayName "$ListName IP range blocking" -PolicyStore localhost -ErrorAction SilentlyContinue
-
- # converts the list which is in string into array
- [System.String[]]$IPList = $IPList -split '\r?\n' -ne ''
-
- # makes sure the list isn't empty
- if ($IPList.count -eq 0) {
- Write-Host -Object "The IP list was empty, skipping $ListName" -ForegroundColor Yellow
- break
- }
-
- New-NetFirewallRule -DisplayName "$ListName IP range blocking" -Direction Inbound -Action Block -LocalAddress Any -RemoteAddress $IPList -Description "$ListName IP range blocking" -EdgeTraversalPolicy Block -PolicyStore localhost
- New-NetFirewallRule -DisplayName "$ListName IP range blocking" -Direction Outbound -Action Block -LocalAddress Any -RemoteAddress $IPList -Description "$ListName IP range blocking" -EdgeTraversalPolicy Block -PolicyStore localhost
- }
switch (Select-Option -SubCategory -Options 'Yes', 'No' -Message 'Add countries in the State Sponsors of Terrorism list to the Firewall block list?') {
'Yes' {
Invoke-WithoutProgress {
@@ -2370,11 +2441,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
Block-CountryIP -IPList $OFACSanctioned -ListName 'OFAC Sanctioned Countries'
} 'No' { break }
- }
-
- # how to query the number of IPs in each rule
- # (Get-NetFirewallRule -DisplayName "OFAC Sanctioned Countries IP range blocking" -PolicyStore localhost | Get-NetFirewallAddressFilter).RemoteAddress.count
-
+ }
} 'No' { break }
'Exit' { &$CleanUp }
}
@@ -2426,6 +2493,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# ====================================================End of Non-Admin Commands============================================
#endregion Non-Admin-Commands
}
+catch {
+ # Throw whatever error that occured
+ Throw $_
+}
finally {
if (Test-IsAdmin) {
diff --git a/Harden-Windows-Security.ps1 b/Harden-Windows-Security.ps1
index 87d9754a3..1fa4d0613 100644
--- a/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security.ps1
@@ -77,13 +77,10 @@
🏴 If you have any questions, requests, suggestions etc. about this script, please open a new Discussion or Issue on GitHub
-
.EXAMPLE
.NOTES
-
Check out GitHub page for security recommendations: https://github.com/HotCakeX/Harden-Windows-Security
-
#>
# Get the execution policy for the current process
@@ -112,13 +109,23 @@ $Host.UI.RawUI.WindowTitle = '❤️🔥Harden Windows Security❤️🔥'
[System.Boolean]$ShouldEnableOptionalDiagnosticData = $false
#region Functions
-# Questions function
function Select-Option {
+ <#
+ .synopsis
+ Function to show a prompt to the user to select an option from a list of options
+ .INPUTS
+ System.String
+ System.Management.Automation.SwitchParameter
+ .PARAMETER Message
+ Contains the main prompt message
+ .PARAMETER ExtraMessage
+ Contains any extra notes for sub-categories
+ #>
param(
- [parameter(Mandatory = $True)][System.String]$Message, # Contains the main prompt message
+ [parameter(Mandatory = $True)][System.String]$Message,
[parameter(Mandatory = $True)][System.String[]]$Options,
[parameter(Mandatory = $false)][System.Management.Automation.SwitchParameter]$SubCategory,
- [parameter(Mandatory = $false)][System.String]$ExtraMessage # Contains any extra notes for sub-categories
+ [parameter(Mandatory = $false)][System.String]$ExtraMessage
)
$Selected = $null
@@ -160,8 +167,15 @@ function Select-Option {
return $Selected
}
-# Function to modify registry
function Edit-Registry {
+ <#
+ .SYNOPSIS
+ Function to modify registry
+ .INPUTS
+ System.String
+ .OUTPUTS
+ System.Void
+ #>
param ([System.String]$Path, [System.String]$Key, [System.String]$Value, [System.String]$Type, [System.String]$Action)
If (-NOT (Test-Path -Path $Path)) {
New-Item -Path $Path -Force | Out-Null
@@ -174,25 +188,37 @@ function Edit-Registry {
}
}
-# https://devblogs.microsoft.com/scripting/use-function-to-determine-elevation-of-powershell-console/
-# Function to test if current session has administrator privileges
Function Test-IsAdmin {
+ <#
+ .SYNOPSIS
+ Function to test if current session has administrator privileges
+ .LINK
+ https://devblogs.microsoft.com/scripting/use-function-to-determine-elevation-of-powershell-console/
+ #>
[System.Security.Principal.WindowsIdentity]$Identity = [Security.Principal.WindowsIdentity]::GetCurrent()
[System.Security.Principal.WindowsPrincipal]$Principal = New-Object -TypeName 'Security.Principal.WindowsPrincipal' -ArgumentList $Identity
$Principal.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
}
-# Hiding Invoke-WebRequest progress because it creates lingering visual effect on PowerShell console for some reason
-# https://github.com/PowerShell/PowerShell/issues/14348
-
-# https://stackoverflow.com/questions/18770723/hide-progress-of-Invoke-WebRequest
# Create an in-memory module so $ScriptBlock doesn't run in new scope
$null = New-Module {
function Invoke-WithoutProgress {
+ <#
+ .SYNOPSIS
+ Hiding Invoke-WebRequest progress because it creates lingering visual effect on PowerShell console for some reason
+ .LINK
+ https://github.com/PowerShell/PowerShell/issues/14348
+ .LINK
+ https://stackoverflow.com/questions/18770723/hide-progress-of-Invoke-WebRequest
+ .INPUTS
+ System.Management.Automation.ScriptBlock
+ .OUTPUTS
+ System.Void
+ #>
[CmdletBinding()]
param (
[Parameter(Mandatory = $true)]
- [scriptblock]$ScriptBlock
+ [System.Management.Automation.ScriptBlock]$ScriptBlock
)
# Save current progress preference and hide the progress
[System.Management.Automation.ActionPreference]$PrevProgressPreference = $global:ProgressPreference
@@ -208,13 +234,20 @@ $null = New-Module {
}
}
-<#
-https://stackoverflow.com/questions/48809012/compare-two-credentials-in-powershell
-
- Safely compares two SecureString objects without decrypting them.
- Outputs $true if they are equal, or $false otherwise.
-#>
function Compare-SecureString {
+ <#
+ .SYNOPSIS
+ Safely compares two SecureString objects without decrypting them.
+ Outputs $true if they are equal, or $false otherwise.
+ .LINK
+ https://stackoverflow.com/questions/48809012/compare-two-credentials-in-powershell
+ .INPUTS
+ System.Security.SecureString
+ .PARAMETER SecureString1
+ First secure string
+ .PARAMETER SecureString2
+ Second secure string to compare with the first secure string
+ #>
param(
[Security.SecureString]$SecureString1,
[Security.SecureString]$SecureString2
@@ -246,8 +279,24 @@ function Compare-SecureString {
}
}
-# Function to write colorful text based on PS edition
Function Write-SmartText {
+ <#
+ .SYNOPSIS
+ Function to write colorful text based on PS edition
+ .INPUTS
+ System.String
+ System.Management.Automation.SwitchParameter
+ .OUTPUTS
+ System.String
+ .PARAMETER CustomColor
+ The custom color to use to display the text, uses PSStyle
+ .PARAMETER GenericColor
+ The generic color to use to display the text, uses Write-Host and legacy colors
+ .PARAMETER InputText
+ The text to display in the selected color
+ .PARAMETER NoNewLineLegacy
+ Only used with Legacy colors to write them on the same line, used by the function that gets the removable drives for BitLocker Enhanced security level encryption
+ #>
[CmdletBinding()]
[Alias('WST')]
@@ -268,7 +317,7 @@ Function Write-SmartText {
[parameter(Mandatory = $false)]
[Alias('N')]
- [System.Management.Automation.SwitchParameter]$NoNewLineLegacy # Only used with Legacy colors to write them on the same line, used by the function that gets the removable drives for BitLocker Enhanced security level encryption
+ [System.Management.Automation.SwitchParameter]$NoNewLineLegacy
)
# Determining if PowerShell edition is Core to use modern styling
@@ -322,11 +371,15 @@ Function Write-SmartText {
Write-Host -Object $InputText -ForegroundColor $GenericColor
}
}
-
}
-# Function to get a removable drive to be used by BitLocker category
function Get-AvailableRemovableDrives {
+ <#
+ .SYNOPSIS
+ Function to get a removable drive to be used by BitLocker category
+ .INPUTS
+ None. You cannot pipe objects to this function
+ #>
# An empty array of objects that holds the final removable drives list
[System.Object[]]$AvailableRemovableDrives = @()
@@ -465,9 +518,19 @@ function Get-AvailableRemovableDrives {
Write-Host ('{0,-4}' -f "$ExitCodeRemovableDriveSelection") -NoNewline -ForegroundColor DarkRed
Write-Host -Object '|Skip encryptions altogether' -ForegroundColor DarkRed
- # A function to validate the user input
function Confirm-Choice {
- param([System.String]$Choice)
+ <#
+ .SYNOPSIS
+ A function to validate the user input
+ .INPUTS
+ System.String
+ .OUTPUTS
+ System.Boolean
+ #>
+ param(
+ [System.String]$Choice
+ )
+
# Initialize a flag to indicate if the input is valid or not
[System.Boolean]$IsValid = $false
# Initialize a variable to store the parsed integer value
@@ -505,6 +568,43 @@ function Get-AvailableRemovableDrives {
return ($($AvailableRemovableDrives[$Choice - 1]).DriveLetter + ':')
}
}
+
+function Block-CountryIP {
+ <#
+ .SYNOPSIS
+ A function that gets a list of IP addresses and a name for them, then adds those IP addresses in the firewall block rules
+ .NOTES
+ -RemoteAddress in New-NetFirewallRule accepts array according to Microsoft Docs,
+ so we use "[System.String[]]$IPList = $IPList -split '\r?\n' -ne ''" to convert the IP lists, which is a single multiline string, into an array
+
+ how to query the number of IPs in each rule
+ (Get-NetFirewallRule -DisplayName "OFAC Sanctioned Countries IP range blocking" -PolicyStore localhost | Get-NetFirewallAddressFilter).RemoteAddress.count
+ .INPUTS
+ System.String
+ System.String[]
+ .OUTPUTS
+ System.Void
+ #>
+ param (
+ [System.String[]]$IPList,
+ [System.String]$ListName
+ )
+
+ # deletes previous rules (if any) to get new up-to-date IP ranges from the sources and set new rules
+ Remove-NetFirewallRule -DisplayName "$ListName IP range blocking" -PolicyStore localhost -ErrorAction SilentlyContinue
+
+ # converts the list which is in string into array
+ [System.String[]]$IPList = $IPList -split '\r?\n' -ne ''
+
+ # makes sure the list isn't empty
+ if ($IPList.count -eq 0) {
+ Write-Host -Object "The IP list was empty, skipping $ListName" -ForegroundColor Yellow
+ break
+ }
+
+ New-NetFirewallRule -DisplayName "$ListName IP range blocking" -Direction Inbound -Action Block -LocalAddress Any -RemoteAddress $IPList -Description "$ListName IP range blocking" -EdgeTraversalPolicy Block -PolicyStore localhost
+ New-NetFirewallRule -DisplayName "$ListName IP range blocking" -Direction Outbound -Action Block -LocalAddress Any -RemoteAddress $IPList -Description "$ListName IP range blocking" -EdgeTraversalPolicy Block -PolicyStore localhost
+}
#endregion functions
if (Test-IsAdmin) {
@@ -527,8 +627,8 @@ if (Test-IsAdmin) {
}
-# doing a try-finally block on the entire script so that when CTRL + C is pressed to forcefully exit the script,
-# or break is passed, clean up will still happen for secure exit
+# doing a try-catch-finally block on the entire script so that when CTRL + C is pressed to forcefully exit the script,
+# or break is passed, clean up will still happen for secure exit. Any errors that happens will be thrown
try {
try {
Invoke-WithoutProgress {
@@ -536,8 +636,7 @@ try {
}
}
catch {
- Write-Error "Couldn't verify if the latest version of the script is installed, please check your Internet connection."
- break
+ Throw 'Could not verify if the latest version of the script is installed, please check your Internet connection.'
}
# Check the current hard-coded version against the latest version online
# the messages can technically only be seen if installing the script in standalone mode using old Windows PowerShell
@@ -561,8 +660,7 @@ try {
#region RequirementsCheck
# check if user's OS is Windows Home edition
if ((Get-CimInstance -ClassName Win32_OperatingSystem).OperatingSystemSKU -eq '101') {
- Write-Error -Message 'Windows Home edition detected, exiting...'
- break
+ Throw 'Windows Home edition detected, exiting...'
}
# check if user's OS is the latest build
@@ -577,42 +675,35 @@ try {
# Make sure the current OS build is equal or greater than the required build
if (-NOT ($FullOSBuild -ge $Requiredbuild)) {
- Write-Error -Message "You're not using the latest build of the Windows OS. A minimum build of $Requiredbuild is required but your OS build is $FullOSBuild`nPlease go to Windows Update to install the updates and then try again."
- break
+ Throw "You're not using the latest build of the Windows OS. A minimum build of $Requiredbuild is required but your OS build is $FullOSBuild`nPlease go to Windows Update to install the updates and then try again."
}
if (Test-IsAdmin) {
# check to make sure Secure Boot is enabled
if (-NOT (Confirm-SecureBootUEFI)) {
- Write-Error -Message 'Secure Boot is not enabled, please go to your UEFI settings to enable it and then try again.'
- break
+ Throw 'Secure Boot is not enabled, please go to your UEFI settings to enable it and then try again.'
}
# check to make sure TPM is available and enabled
[System.Object]$TPM = Get-Tpm
if (-not ($TPM.tpmpresent -and $TPM.tpmenabled)) {
- Write-Error -Message 'TPM is not available or enabled, please enable it in UEFI settings and try again.'
- break
+ Throw 'TPM is not available or enabled, please enable it in UEFI settings and try again.'
}
if (-NOT ($MDAVConfigCurrent.AMServiceEnabled -eq $true)) {
- Write-Error -Message 'Microsoft Defender Anti Malware service is not enabled, please enable it and then try again.'
- break
+ Throw 'Microsoft Defender Anti Malware service is not enabled, please enable it and then try again.'
}
if (-NOT ($MDAVConfigCurrent.AntispywareEnabled -eq $true)) {
- Write-Error -Message 'Microsoft Defender Anti Spyware is not enabled, please enable it and then try again.'
- break
+ Throw 'Microsoft Defender Anti Spyware is not enabled, please enable it and then try again.'
}
if (-NOT ($MDAVConfigCurrent.AntivirusEnabled -eq $true)) {
- Write-Error -Message 'Microsoft Defender Anti Virus is not enabled, please enable it and then try again.'
- break
+ Throw 'Microsoft Defender Anti Virus is not enabled, please enable it and then try again.'
}
if ($MDAVConfigCurrent.AMRunningMode -ne 'Normal') {
- Write-Error -Message "Microsoft Defender is running in $($MDAVConfigCurrent.AMRunningMode) state, please remove any 3rd party AV and then try again."
- break
+ Throw "Microsoft Defender is running in $($MDAVConfigCurrent.AMRunningMode) state, please remove any 3rd party AV and then try again."
}
}
#endregion RequirementsCheck
@@ -625,7 +716,7 @@ try {
Set-Location -Path $WorkingDir
# Clean up script block
- [scriptblock]$CleanUp = {
+ [System.Management.Automation.ScriptBlock]$CleanUp = {
Set-Location -Path $HOME
Remove-Item -Recurse -Path "$global:UserTempDirectoryPath\HardeningXStuff\" -Force
# Disable progress bars
@@ -729,7 +820,7 @@ try {
Write-Progress -Id 1 -ParentId 0 -Activity 'Downloading files completed.' -Completed
}
catch {
- Write-Error "The required files couldn't be downloaded, Make sure you have Internet connection."
+ Write-Error 'The required files could not be downloaded, Make sure you have Internet connection.' -ErrorAction Continue
foreach ($Job in $Jobs) { Remove-Job -Job $Job -ErrorAction Stop }
&$CleanUp
}
@@ -762,7 +853,7 @@ try {
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x30 /f
Write-Host -Object 'The required security measures have been applied to the system' -ForegroundColor Green
- Write-Warning 'Make sure to restart your device once. After restart, wait for at least 5-10 minutes and perform a 2nd restart to finish applying security measures completely.'
+ Write-Warning -Message 'Make sure to restart your device once. After restart, wait for at least 5-10 minutes and perform a 2nd restart to finish applying security measures completely.'
} 'No' { break }
'Exit' { &$CleanUp }
}
@@ -1126,7 +1217,7 @@ try {
# check, make sure there is no CD/DVD drives in the system, because Bitlocker throws an error when there is
$CdDvdCheck = (Get-CimInstance -ClassName Win32_CDROMDrive -Property *).MediaLoaded
if ($CdDvdCheck) {
- Write-Warning 'Remove any CD/DVD drives or mounted images/ISO from the system and run the Bitlocker category again.'
+ Write-Warning -Message 'Remove any CD/DVD drives or mounted images/ISO from the system and run the Bitlocker category again.'
# break from the entire BitLocker category and continue to the next category
break BitLockerCategoryLabel
}
@@ -1141,7 +1232,7 @@ try {
}
# A script block that generates recovery code just like the Windows does
- [scriptblock]$RecoveryPasswordContentGenerator = {
+ [System.Management.Automation.ScriptBlock]$RecoveryPasswordContentGenerator = {
param ([System.Object[]]$KeyProtectorsInputFromScriptBlock)
return @"
@@ -2335,26 +2426,6 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
'Yes' {
Write-Progress -Id 0 -Activity 'Country IP Blocking' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
- # -RemoteAddress in New-NetFirewallRule accepts array according to Microsoft Docs,
- # so we use "[System.String[]]$IPList = $IPList -split '\r?\n' -ne ''" to convert the IP lists, which is a single multiline string, into an array
- function Block-CountryIP {
- param ([System.String[]]$IPList , [System.String]$ListName)
-
- # deletes previous rules (if any) to get new up-to-date IP ranges from the sources and set new rules
- Remove-NetFirewallRule -DisplayName "$ListName IP range blocking" -PolicyStore localhost -ErrorAction SilentlyContinue
-
- # converts the list which is in string into array
- [System.String[]]$IPList = $IPList -split '\r?\n' -ne ''
-
- # makes sure the list isn't empty
- if ($IPList.count -eq 0) {
- Write-Host -Object "The IP list was empty, skipping $ListName" -ForegroundColor Yellow
- break
- }
-
- New-NetFirewallRule -DisplayName "$ListName IP range blocking" -Direction Inbound -Action Block -LocalAddress Any -RemoteAddress $IPList -Description "$ListName IP range blocking" -EdgeTraversalPolicy Block -PolicyStore localhost
- New-NetFirewallRule -DisplayName "$ListName IP range blocking" -Direction Outbound -Action Block -LocalAddress Any -RemoteAddress $IPList -Description "$ListName IP range blocking" -EdgeTraversalPolicy Block -PolicyStore localhost
- }
switch (Select-Option -SubCategory -Options 'Yes', 'No' -Message 'Add countries in the State Sponsors of Terrorism list to the Firewall block list?') {
'Yes' {
Invoke-WithoutProgress {
@@ -2370,11 +2441,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
Block-CountryIP -IPList $OFACSanctioned -ListName 'OFAC Sanctioned Countries'
} 'No' { break }
- }
-
- # how to query the number of IPs in each rule
- # (Get-NetFirewallRule -DisplayName "OFAC Sanctioned Countries IP range blocking" -PolicyStore localhost | Get-NetFirewallAddressFilter).RemoteAddress.count
-
+ }
} 'No' { break }
'Exit' { &$CleanUp }
}
@@ -2426,6 +2493,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# ====================================================End of Non-Admin Commands============================================
#endregion Non-Admin-Commands
}
+catch {
+ # Throw whatever error that occured
+ Throw $_
+}
finally {
if (Test-IsAdmin) {
From e88232e6b673972bf87ca755620ef308e6c60200 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Sun, 10 Dec 2023 12:44:22 -0930
Subject: [PATCH 13/79] Function best practices improvements
---
.../Main files/Confirm-SystemCompliance.psm1 | 46 ++++++++++++-------
1 file changed, 30 insertions(+), 16 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1 b/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
index 6d69bbfec..514525f60 100644
--- a/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
+++ b/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
@@ -1,8 +1,14 @@
# Set the progress style
$PSStyle.Progress.Style = "$($PSStyle.Foreground.FromRGB(255,255,49))$($PSStyle.Blink)"
-
-# To parse the ini file from the output of the "Secedit /export /cfg .\security_policy.inf"
function ConvertFrom-IniFile {
+ <#
+ .SYNOPSIS
+ A function to parse the ini file from the output of the "Secedit /export /cfg .\security_policy.inf"
+ .INPUTS
+ System.String
+ .OUTPUTS
+ PSCustomObject
+ #>
[CmdletBinding()]
Param ([System.String]$IniFile)
@@ -36,7 +42,6 @@ function ConvertFrom-IniFile {
return [PSCustomObject]$IniObject
}
-# Main function
function Confirm-SystemCompliance {
[CmdletBinding()]
param (
@@ -46,7 +51,7 @@ function Confirm-SystemCompliance {
[System.Management.Automation.SwitchParameter]$ShowAsObjectsOnly,
[parameter(Mandatory = $false)]
[System.Management.Automation.SwitchParameter]$DetailedDisplay,
- [Parameter(Mandatory = $false, DontShow = $True)] # To hide PowerShell common parameters that clutter parameter auto completion menu
+ [Parameter(Mandatory = $false, DontShow = $True)]
$DummyParam
)
begin {
@@ -1988,39 +1993,48 @@ function Confirm-SystemCompliance {
<#
.SYNOPSIS
-Checks the compliance of a system with the Harden Windows Security script guidelines
+ Checks the compliance of a system with the Harden Windows Security script guidelines
.LINK
-https://github.com/HotCakeX/Harden-Windows-Security/wiki/Harden%E2%80%90Windows%E2%80%90Security%E2%80%90Module
+ https://github.com/HotCakeX/Harden-Windows-Security/wiki/Harden%E2%80%90Windows%E2%80%90Security%E2%80%90Module
.DESCRIPTION
-Checks the compliance of a system with the Harden Windows Security script. Checks the applied Group policies, registry keys and PowerShell cmdlets used by the hardening script.
+ Checks the compliance of a system with the Harden Windows Security script. Checks the applied Group policies, registry keys and PowerShell cmdlets used by the hardening script.
.COMPONENT
-Gpresult, Secedit, PowerShell, Registry
+ Gpresult, Secedit, PowerShell, Registry
.FUNCTIONALITY
-Uses Gpresult and Secedit to first export the effective Group policies and Security policies, then goes through them and checks them against the Harden Windows Security's guidelines.
+ Uses Gpresult and Secedit to first export the effective Group policies and Security policies, then goes through them and checks them against the Harden Windows Security's guidelines.
.EXAMPLE
-($result.Microsoft Defender | Where-Object -FilterScript {$_.name -eq 'Controlled Folder Access Exclusions'}).value.programs
+ ($result.Microsoft Defender | Where-Object -FilterScript {$_.name -eq 'Controlled Folder Access Exclusions'}).value.programs
-# Do this to get the Controlled Folder Access Programs list when using ShowAsObjectsOnly optional parameter to output an object
+ Do this to get the Controlled Folder Access Programs list when using ShowAsObjectsOnly optional parameter to output an object
.EXAMPLE
-$result.Microsoft Defender
+ $result.Microsoft Defender
-# Do this to only see the result for the Microsoft Defender category when using ShowAsObjectsOnly optional parameter to output an object
+ Do this to only see the result for the Microsoft Defender category when using ShowAsObjectsOnly optional parameter to output an object
.PARAMETER ExportToCSV
-Export the output to a CSV file in the current working directory
+ Export the output to a CSV file in the current working directory
.PARAMETER ShowAsObjectsOnly
-Returns a nested object instead of writing strings on the PowerShell console, it can be assigned to a variable
+ Returns a nested object instead of writing strings on the PowerShell console, it can be assigned to a variable
.PARAMETER DetailedDisplay
-Shows the output on the PowerShell console with more details and in the list format instead of table format
+ Shows the output on the PowerShell console with more details and in the list format instead of table format
+
+.PARAMETER DummyParam
+ To hide PowerShell common parameters that clutter parameter auto completion menu
+
+.INPUTS
+ System.Management.Automation.SwitchParameter
+.OUTPUTS
+ System.String
+ System.Object[]
#>
}
From b51f9e31c448236c890150b48c1566415fba3653 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Sun, 10 Dec 2023 12:51:06 -0930
Subject: [PATCH 14/79] Updated function help sections
---
.../Main files/Functions.ps1 | 16 ++++++++++++++--
.../Main files/Harden-Windows-Security.ps1 | 4 ++++
.../Main files/Protect-WindowsSecurity.psm1 | 15 ++++++++++-----
.../Main files/Unprotect-WindowsSecurity.psm1 | 16 +++++++++-------
Harden-Windows-Security.ps1 | 4 ++++
5 files changed, 41 insertions(+), 14 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Functions.ps1 b/Harden-Windows-Security Module/Main files/Functions.ps1
index de9bd250a..893464679 100644
--- a/Harden-Windows-Security Module/Main files/Functions.ps1
+++ b/Harden-Windows-Security Module/Main files/Functions.ps1
@@ -1,15 +1,27 @@
# Stop the execution when there is an error
$global:ErrorActionPreference = 'Stop'
-# Function to test if current session has administrator privileges
Function Test-IsAdmin {
+ <#
+ .SYNOPSIS
+ Function to test if current session has administrator privileges
+ .INPUTS
+ None
+ .OUTPUTS
+ System.Boolean
+ #>
[System.Security.Principal.WindowsIdentity]$Identity = [Security.Principal.WindowsIdentity]::GetCurrent()
[System.Security.Principal.WindowsPrincipal]$Principal = New-Object -TypeName 'Security.Principal.WindowsPrincipal' -ArgumentList $Identity
$Principal.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
}
-# Make sure the latest version of the module is installed and if not, automatically update it, clean up any old versions
function Update-self {
+ <#
+ .SYNOPSIS
+ Make sure the latest version of the module is installed and if not, automatically update it, clean up any old versions
+ .INPUTS
+ None
+ #>
[System.Version]$CurrentVersion = (Test-ModuleManifest -Path "$psscriptroot\Harden-Windows-Security-Module.psd1").Version
diff --git a/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
index c64358bb2..4f6a273ba 100644
--- a/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
@@ -194,6 +194,10 @@ Function Test-IsAdmin {
Function to test if current session has administrator privileges
.LINK
https://devblogs.microsoft.com/scripting/use-function-to-determine-elevation-of-powershell-console/
+ .INPUTS
+ None
+ .OUTPUTS
+ System.Boolean
#>
[System.Security.Principal.WindowsIdentity]$Identity = [Security.Principal.WindowsIdentity]::GetCurrent()
[System.Security.Principal.WindowsPrincipal]$Principal = New-Object -TypeName 'Security.Principal.WindowsPrincipal' -ArgumentList $Identity
diff --git a/Harden-Windows-Security Module/Main files/Protect-WindowsSecurity.psm1 b/Harden-Windows-Security Module/Main files/Protect-WindowsSecurity.psm1
index a377d5fab..803dab86e 100644
--- a/Harden-Windows-Security Module/Main files/Protect-WindowsSecurity.psm1
+++ b/Harden-Windows-Security Module/Main files/Protect-WindowsSecurity.psm1
@@ -7,19 +7,24 @@ Function Protect-WindowsSecurity {
<#
.SYNOPSIS
-Applies the hardening measures
+ Applies the hardening measures
.LINK
-https://github.com/HotCakeX/Harden-Windows-Security
+ https://github.com/HotCakeX/Harden-Windows-Security
.DESCRIPTION
-Applies the hardening measures
+ Applies the hardening measures
.COMPONENT
-PowerShell
+ PowerShell
.FUNCTIONALITY
-Applies the hardening measures
+ Applies the hardening measures
+.INPUTS
+ None
+
+.OUTPUTS
+ System.Void
#>
}
diff --git a/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1 b/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
index 73f204c59..a28deacba 100644
--- a/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
+++ b/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
@@ -3,7 +3,7 @@ Function Unprotect-WindowsSecurity {
param (
[Parameter(Mandatory = $false)]
[switch]$OnlyProcessMitigations,
- [Parameter(Mandatory = $false, DontShow = $True)] # To hide PowerShell common parameters that clutter parameter auto completion menu
+ [Parameter(Mandatory = $false, DontShow = $True)]
$DummyParam
)
# Stop the execution when there is an error
@@ -225,23 +225,25 @@ Function Unprotect-WindowsSecurity {
<#
.SYNOPSIS
-Removes the hardening measures applied by Protect-WindowsSecurity cmdlet
+ Removes the hardening measures applied by Protect-WindowsSecurity cmdlet
.LINK
-https://github.com/HotCakeX/Harden-Windows-Security/wiki/Harden%E2%80%90Windows%E2%80%90Security%E2%80%90Module
+ https://github.com/HotCakeX/Harden-Windows-Security/wiki/Harden%E2%80%90Windows%E2%80%90Security%E2%80%90Module
.DESCRIPTION
-Removes the hardening measures applied by Protect-WindowsSecurity cmdlet
+ Removes the hardening measures applied by Protect-WindowsSecurity cmdlet
.COMPONENT
-PowerShell
+ PowerShell
.FUNCTIONALITY
-Removes the hardening measures applied by Protect-WindowsSecurity cmdlet
+ Removes the hardening measures applied by Protect-WindowsSecurity cmdlet
.PARAMETER OnlyProcessMitigations
-Only removes the Process Mitigations / Exploit Protection settings and doesn't change anything else
+ Only removes the Process Mitigations / Exploit Protection settings and doesn't change anything else
+.PARAMETER DummyParam
+ To hide PowerShell common parameters that clutter parameter auto completion menu
#>
}
diff --git a/Harden-Windows-Security.ps1 b/Harden-Windows-Security.ps1
index 1fa4d0613..b4a71f0de 100644
--- a/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security.ps1
@@ -194,6 +194,10 @@ Function Test-IsAdmin {
Function to test if current session has administrator privileges
.LINK
https://devblogs.microsoft.com/scripting/use-function-to-determine-elevation-of-powershell-console/
+ .INPUTS
+ None
+ .OUTPUTS
+ System.Boolean
#>
[System.Security.Principal.WindowsIdentity]$Identity = [Security.Principal.WindowsIdentity]::GetCurrent()
[System.Security.Principal.WindowsPrincipal]$Principal = New-Object -TypeName 'Security.Principal.WindowsPrincipal' -ArgumentList $Identity
From 15ba37d409ff2c3b204a3127ce5552bb424a4e21 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Sun, 10 Dec 2023 23:55:25 -0930
Subject: [PATCH 15/79] Improved error handling and function helps
---
.../Main files/Confirm-SystemCompliance.psm1 | 15 +--------------
.../Main files/Functions.ps1 | 13 +++++--------
.../Harden-Windows-Security-Module.psd1 | 2 +-
.../Main files/Protect-WindowsSecurity.psm1 | 8 +-------
.../Main files/Unprotect-WindowsSecurity.psm1 | 6 ------
5 files changed, 8 insertions(+), 36 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1 b/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
index 514525f60..b5cd62aae 100644
--- a/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
+++ b/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
@@ -67,6 +67,7 @@ function Confirm-SystemCompliance {
Write-Progress -Activity 'Checking for updates' -Status 'Processing...' -PercentComplete 10
+ # Running the functions.ps1 file in the current scope
. "$psscriptroot\Functions.ps1"
Write-Progress -Activity 'Gathering Security Policy Information' -Status 'Processing...' -PercentComplete 15
@@ -579,7 +580,6 @@ function Confirm-SystemCompliance {
Name = 'Secure OS Drive encryption'
Category = $CatName
Method = 'Cmdlet'
-
}
}
@@ -1994,49 +1994,36 @@ function Confirm-SystemCompliance {
<#
.SYNOPSIS
Checks the compliance of a system with the Harden Windows Security script guidelines
-
.LINK
https://github.com/HotCakeX/Harden-Windows-Security/wiki/Harden%E2%80%90Windows%E2%80%90Security%E2%80%90Module
-
.DESCRIPTION
Checks the compliance of a system with the Harden Windows Security script. Checks the applied Group policies, registry keys and PowerShell cmdlets used by the hardening script.
-
.COMPONENT
Gpresult, Secedit, PowerShell, Registry
-
.FUNCTIONALITY
Uses Gpresult and Secedit to first export the effective Group policies and Security policies, then goes through them and checks them against the Harden Windows Security's guidelines.
-
.EXAMPLE
($result.Microsoft Defender | Where-Object -FilterScript {$_.name -eq 'Controlled Folder Access Exclusions'}).value.programs
Do this to get the Controlled Folder Access Programs list when using ShowAsObjectsOnly optional parameter to output an object
-
.EXAMPLE
$result.Microsoft Defender
Do this to only see the result for the Microsoft Defender category when using ShowAsObjectsOnly optional parameter to output an object
-
.PARAMETER ExportToCSV
Export the output to a CSV file in the current working directory
-
.PARAMETER ShowAsObjectsOnly
Returns a nested object instead of writing strings on the PowerShell console, it can be assigned to a variable
-
.PARAMETER DetailedDisplay
Shows the output on the PowerShell console with more details and in the list format instead of table format
-
.PARAMETER DummyParam
To hide PowerShell common parameters that clutter parameter auto completion menu
-
.INPUTS
System.Management.Automation.SwitchParameter
-
.OUTPUTS
System.String
System.Object[]
#>
-
}
# Set PSReadline tab completion to complete menu for easier access to available parameters - Only for the current session
diff --git a/Harden-Windows-Security Module/Main files/Functions.ps1 b/Harden-Windows-Security Module/Main files/Functions.ps1
index 893464679..b10af3b69 100644
--- a/Harden-Windows-Security Module/Main files/Functions.ps1
+++ b/Harden-Windows-Security Module/Main files/Functions.ps1
@@ -29,7 +29,7 @@ function Update-self {
[System.Version]$global:LatestVersion = Invoke-RestMethod -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security%20Module/version.txt' -ProgressAction SilentlyContinue
}
catch {
- Write-Error -Message "Couldn't verify if the latest version of the module is installed, please check your Internet connection."
+ Write-Error -Message 'Could not verify if the latest version of the module is installed, please check your Internet connection.'
}
if ($CurrentVersion -lt $LatestVersion) {
@@ -48,7 +48,7 @@ function Update-self {
# Temporarily allow the currently running PowerShell executables to the Controlled Folder Access allowed apps
# so that the script can run without interruption. This change is reverted at the end.
- foreach ($FilePath in (Get-ChildItem -Path "$PSHOME\*.exe" -File).FullNam) {
+ foreach ($FilePath in (Get-ChildItem -Path "$PSHOME\*.exe" -File).FullName) {
Add-MpPreference -ControlledFolderAccessAllowedApplications $FilePath
}
@@ -93,8 +93,7 @@ Update-self
# check if user's OS is Windows Home edition
if ((Get-CimInstance -ClassName Win32_OperatingSystem).OperatingSystemSKU -eq '101') {
- Write-Error 'Windows Home edition detected, exiting...'
- break
+ Throw 'Windows Home edition detected, exiting...'
}
# Check if user's OS is the latest build
@@ -112,16 +111,14 @@ if ((Get-CimInstance -ClassName Win32_OperatingSystem).OperatingSystemSKU -eq '1
# Make sure the current OS build is equal or greater than the required build
if (-NOT ($FullOSBuild -ge $Requiredbuild)) {
- Write-Error -Message "You're not using the latest build of the Windows OS. A minimum build of $Requiredbuild is required but your OS build is $FullOSBuild`nPlease go to Windows Update to install the updates and then try again."
- break
+ Throw "You're not using the latest build of the Windows OS. A minimum build of $Requiredbuild is required but your OS build is $FullOSBuild`nPlease go to Windows Update to install the updates and then try again."
}
if (Test-IsAdmin) {
# check to make sure TPM is available and enabled
[System.Object]$TPM = Get-Tpm
if (-not ($TPM.tpmpresent -and $TPM.tpmenabled)) {
- Write-Error -Message 'TPM is not available or enabled, please enable it in UEFI settings and try again.'
- break
+ Throw 'TPM is not available or enabled, please enable it in UEFI settings and try again.'
}
}
diff --git a/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psd1 b/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psd1
index 2ecc28618..55b36b069 100644
--- a/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psd1
+++ b/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psd1
@@ -12,7 +12,7 @@
# RootModule = ''
# Version number of this module.
- ModuleVersion = '0.2.6'
+ ModuleVersion = '0.2.7'
# Supported PSEditions
CompatiblePSEditions = @('Core')
diff --git a/Harden-Windows-Security Module/Main files/Protect-WindowsSecurity.psm1 b/Harden-Windows-Security Module/Main files/Protect-WindowsSecurity.psm1
index 803dab86e..ad23a6a90 100644
--- a/Harden-Windows-Security Module/Main files/Protect-WindowsSecurity.psm1
+++ b/Harden-Windows-Security Module/Main files/Protect-WindowsSecurity.psm1
@@ -8,22 +8,16 @@ Function Protect-WindowsSecurity {
<#
.SYNOPSIS
Applies the hardening measures
-
.LINK
https://github.com/HotCakeX/Harden-Windows-Security
-
.DESCRIPTION
Applies the hardening measures
-
.COMPONENT
PowerShell
-
.FUNCTIONALITY
Applies the hardening measures
-
.INPUTS
- None
-
+ None
.OUTPUTS
System.Void
#>
diff --git a/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1 b/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
index a28deacba..a26c0c909 100644
--- a/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
+++ b/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
@@ -226,22 +226,16 @@ Function Unprotect-WindowsSecurity {
<#
.SYNOPSIS
Removes the hardening measures applied by Protect-WindowsSecurity cmdlet
-
.LINK
https://github.com/HotCakeX/Harden-Windows-Security/wiki/Harden%E2%80%90Windows%E2%80%90Security%E2%80%90Module
-
.DESCRIPTION
Removes the hardening measures applied by Protect-WindowsSecurity cmdlet
-
.COMPONENT
PowerShell
-
.FUNCTIONALITY
Removes the hardening measures applied by Protect-WindowsSecurity cmdlet
-
.PARAMETER OnlyProcessMitigations
Only removes the Process Mitigations / Exploit Protection settings and doesn't change anything else
-
.PARAMETER DummyParam
To hide PowerShell common parameters that clutter parameter auto completion menu
#>
From 7a941e35fe1173b4638f0352a7013b480e5762e0 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Sun, 10 Dec 2023 23:59:50 -0930
Subject: [PATCH 16/79] General improvements
---
.../Main files/Confirm-SystemCompliance.psm1 | 2 +-
Harden-Windows-Security Module/Main files/Functions.ps1 | 2 +-
.../Main files/Harden-Windows-Security-Module.psd1 | 8 --------
.../Main files/Harden-Windows-Security.ps1 | 6 +++---
.../Confirm-SystemCompliance.psm1 | 2 +-
5 files changed, 6 insertions(+), 14 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1 b/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
index b5cd62aae..dcef4421f 100644
--- a/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
+++ b/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
@@ -1092,7 +1092,7 @@ function Confirm-SystemCompliance {
# Check network location of all connections to see if they are public
$Condition = Get-NetConnectionProfile | ForEach-Object -Process { $_.NetworkCategory -eq 'public' }
- [System.Boolean]$IndividualItemResult = -not ($condition -contains $false) ? $True : $false
+ [System.Boolean]$IndividualItemResult = -NOT ($condition -contains $false) ? $True : $false
# Verify a Security setting using Cmdlet
$NestedObjectArray += [PSCustomObject]@{
diff --git a/Harden-Windows-Security Module/Main files/Functions.ps1 b/Harden-Windows-Security Module/Main files/Functions.ps1
index b10af3b69..9fe0c4974 100644
--- a/Harden-Windows-Security Module/Main files/Functions.ps1
+++ b/Harden-Windows-Security Module/Main files/Functions.ps1
@@ -117,7 +117,7 @@ if (-NOT ($FullOSBuild -ge $Requiredbuild)) {
if (Test-IsAdmin) {
# check to make sure TPM is available and enabled
[System.Object]$TPM = Get-Tpm
- if (-not ($TPM.tpmpresent -and $TPM.tpmenabled)) {
+ if (-NOT ($TPM.tpmpresent -and $TPM.tpmenabled)) {
Throw 'TPM is not available or enabled, please enable it in UEFI settings and try again.'
}
}
diff --git a/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psd1 b/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psd1
index 55b36b069..e746a1fc7 100644
--- a/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psd1
+++ b/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psd1
@@ -1,11 +1,3 @@
-#
-# Module manifest for module 'Harden-Windows-Security-Module'
-#
-# Generated by: HotCakeX
-#
-# Generated on: 7/29/2023
-#
-
@{
# Script module or binary module file associated with this manifest.
diff --git a/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
index 4f6a273ba..59454a045 100644
--- a/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
@@ -557,11 +557,11 @@ function Get-AvailableRemovableDrives {
[System.String]$Choice = $(Write-Host -Object "Enter the number of the drive you want to select or press $ExitCodeRemovableDriveSelection to Cancel" -ForegroundColor cyan; Read-Host)
# Check if the input is valid using the Confirm-Choice function
- if (-not (Confirm-Choice $Choice)) {
+ if (-NOT (Confirm-Choice $Choice)) {
# Write an error message in red if invalid
Write-Host -Object "Invalid input. Please enter a number between 1 and $ExitCodeRemovableDriveSelection." -ForegroundColor Red
}
- } while (-not (Confirm-Choice $Choice))
+ } while (-NOT (Confirm-Choice $Choice))
# Check if the user entered the exit value to break out of the loop
if ($Choice -eq $ExitCodeRemovableDriveSelection) {
@@ -690,7 +690,7 @@ try {
# check to make sure TPM is available and enabled
[System.Object]$TPM = Get-Tpm
- if (-not ($TPM.tpmpresent -and $TPM.tpmenabled)) {
+ if (-NOT ($TPM.tpmpresent -and $TPM.tpmenabled)) {
Throw 'TPM is not available or enabled, please enable it in UEFI settings and try again.'
}
diff --git a/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Confirm-SystemCompliance.psm1 b/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Confirm-SystemCompliance.psm1
index 4c13891c9..6e712bb80 100644
--- a/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Confirm-SystemCompliance.psm1
+++ b/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Confirm-SystemCompliance.psm1
@@ -1632,7 +1632,7 @@ function Confirm-SystemCompliance {
# Check network location of all connections to see if they are public
$Condition = Get-NetConnectionProfile -ErrorAction Stop | ForEach-Object { $_.NetworkCategory -eq 'public' }
- [bool]$IndividualItemResult = -not ($condition -contains $false) ? $True : $false
+ [bool]$IndividualItemResult = -NOT ($condition -contains $false) ? $True : $false
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$NestedObjectArray += [PSCustomObject]@{
From eeeb284a310a93ea9dcb31dd745aa68d3ed82d2f Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Mon, 11 Dec 2023 00:04:00 -0930
Subject: [PATCH 17/79] Position 0 parameter name definition improvements
---
.../Main files/Confirm-SystemCompliance.psm1 | 6 +-
.../Main files/Harden-Windows-Security.ps1 | 2 +-
.../Main files/Protect-WindowsSecurity.psm1 | 2 +-
.../Confirm-SystemCompliance.psm1 | 254 +++++++++---------
4 files changed, 132 insertions(+), 132 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1 b/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
index dcef4421f..1a0fa3fb9 100644
--- a/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
+++ b/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
@@ -1261,7 +1261,7 @@ function Confirm-SystemCompliance {
# Append the categories in $FinalMegaObject to the array using += operator
$CsvOutPutFileContent += $FinalMegaObject.PSObject.Properties.Value
# Convert the array to a CSV file and store it in the current working directory
- $CsvOutPutFileContent | ConvertTo-Csv | Out-File '.\Compliance Check Output.CSV' -Force
+ $CsvOutPutFileContent | ConvertTo-Csv | Out-File -FilePath '.\Compliance Check Output.CSV' -Force
}
if ($ShowAsObjectsOnly) {
@@ -1303,7 +1303,7 @@ function Confirm-SystemCompliance {
$color = $colors[$i % $colors.Length]
$Output += "$($PSStyle.Foreground.FromRGB($color.R, $color.G, $color.B))$($text[$i])$($PSStyle.Reset)"
}
- Write-Output $Output
+ Write-Output -InputObject $Output
}
[scriptblock]$WriteRainbow2 = {
@@ -1327,7 +1327,7 @@ function Confirm-SystemCompliance {
$color = $colors[$i % $colors.Length]
$Output += "$($PSStyle.Foreground.FromRGB($color.R, $color.G, $color.B))$($text[$i])$($PSStyle.Reset)"
}
- Write-Output $Output
+ Write-Output -InputObject $Output
}
#Endregion Colors
diff --git a/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
index 59454a045..cbc2a2b0a 100644
--- a/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
@@ -2445,7 +2445,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
Block-CountryIP -IPList $OFACSanctioned -ListName 'OFAC Sanctioned Countries'
} 'No' { break }
- }
+ }
} 'No' { break }
'Exit' { &$CleanUp }
}
diff --git a/Harden-Windows-Security Module/Main files/Protect-WindowsSecurity.psm1 b/Harden-Windows-Security Module/Main files/Protect-WindowsSecurity.psm1
index ad23a6a90..cf8da6490 100644
--- a/Harden-Windows-Security Module/Main files/Protect-WindowsSecurity.psm1
+++ b/Harden-Windows-Security Module/Main files/Protect-WindowsSecurity.psm1
@@ -17,7 +17,7 @@ Function Protect-WindowsSecurity {
.FUNCTIONALITY
Applies the hardening measures
.INPUTS
- None
+ None
.OUTPUTS
System.Void
#>
diff --git a/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Confirm-SystemCompliance.psm1 b/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Confirm-SystemCompliance.psm1
index 6e712bb80..014c7cb43 100644
--- a/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Confirm-SystemCompliance.psm1
+++ b/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Confirm-SystemCompliance.psm1
@@ -49,7 +49,7 @@ function Confirm-SystemCompliance {
# Make sure the latest version of the module is installed and if not, automatically update it, clean up any old versions
function Update-self {
- [version]$CurrentVersion = (Test-modulemanifest "$psscriptroot\Harden-Windows-Security-Module.psd1" -ErrorAction Stop).Version
+ [version]$CurrentVersion = (Test-ModuleManifest "$psscriptroot\Harden-Windows-Security-Module.psd1" -ErrorAction Stop).Version
try {
[version]$LatestVersion = Invoke-RestMethod -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security%20Module/version.txt'
@@ -115,7 +115,7 @@ function Confirm-SystemCompliance {
# Download Group-Policies.json file from GitHub
try {
- Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Payload/Group-Policies.json' -OutFile ".\Group-Policies.json" -ErrorAction Stop
+ Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Payload/Group-Policies.json' -OutFile '.\Group-Policies.json' -ErrorAction Stop
}
catch {
Write-Error -Message "Group-Policies.json file couldn't be downloaded, exitting..."
@@ -246,7 +246,7 @@ function Confirm-SystemCompliance {
# Loop through each nested hash table inside the main Policies hash table and check the item state using a switch statement
foreach ($Key in $HashPol[$CatName].Keys) {
# Get the correct object from the PoliciesOutput Object that contains all the group policies in the xml file
- $Item = $PoliciesOutput | Where-object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
+ $Item = $PoliciesOutput | Where-Object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
switch ($Key) {
1 {
[bool]$ItemState = ($Item.State -eq 'Enabled' `
@@ -366,25 +366,25 @@ function Confirm-SystemCompliance {
}
25 {
# ListBox 1
- $1index = $Item.ListBoxValue.element.Name.IndexOf("4")
+ $1index = $Item.ListBoxValue.element.Name.IndexOf('4')
# Write-Host "$1index" -ForegroundColor Yellow
$1ListData = $Item.ListBoxValue.element.Data[$1index]
# Write-Host "$1ListData" -ForegroundColor Yellow
# ListBox 2
- $2index = $Item.ListBoxValue.element.Name.IndexOf("2")
+ $2index = $Item.ListBoxValue.element.Name.IndexOf('2')
# Write-Host "$2index" -ForegroundColor Yellow
$2ListData = $Item.ListBoxValue.element.Data[$2index]
# Write-Host "$2ListData" -ForegroundColor Yellow
# ListBox 3
- $3index = $Item.ListBoxValue.element.Name.IndexOf("1")
+ $3index = $Item.ListBoxValue.element.Name.IndexOf('1')
# Write-Host "$3index" -ForegroundColor Yellow
$3ListData = $Item.ListBoxValue.element.Data[$3index]
# Write-Host "$3ListData" -ForegroundColor Yellow
# ListBox 4
- $4index = $Item.ListBoxValue.element.Name.IndexOf("5")
+ $4index = $Item.ListBoxValue.element.Name.IndexOf('5')
# Write-Host "$4index" -ForegroundColor Yellow
$4ListData = $Item.ListBoxValue.element.Data[$4index]
# Write-Host "$4ListData" -ForegroundColor Yellow
@@ -493,7 +493,7 @@ function Confirm-SystemCompliance {
})
# For PowerShell Cmdlet
- $IndividualItemResult = $(($entries | Where-Object { $_.properties.identifier -eq "{current}" }).properties.nx)
+ $IndividualItemResult = $(($entries | Where-Object { $_.properties.identifier -eq '{current}' }).properties.nx)
$NestedObjectArray += [PSCustomObject]@{
Name = 'BCDEDIT NX Value'
Value = $IndividualItemResult
@@ -512,7 +512,7 @@ function Confirm-SystemCompliance {
}
# For PowerShell Cmdlet
- $IndividualItemResult = $((Get-ScheduledTask -TaskPath "\MSFT Driver Block list update\" -TaskName "MSFT Driver Block list update" -ErrorAction SilentlyContinue) ? $True : $false)
+ $IndividualItemResult = $((Get-ScheduledTask -TaskPath '\MSFT Driver Block list update\' -TaskName 'MSFT Driver Block list update' -ErrorAction SilentlyContinue) ? $True : $false)
$NestedObjectArray += [PSCustomObject]@{
Name = 'Fast weekly Microsoft recommended driver block list update'
Value = $IndividualItemResult
@@ -533,7 +533,7 @@ function Confirm-SystemCompliance {
# For PowerShell Cmdlet
$NestedObjectArray += [PSCustomObject]@{
Name = 'Microsoft Defender Platform Updates Channel'
- Value = $($DefenderPlatformUpdatesChannels[[int](get-mppreference).PlatformUpdatesChannel])
+ Value = $($DefenderPlatformUpdatesChannels[[int](Get-MpPreference).PlatformUpdatesChannel])
Compliant = 'N/A'
Category = $CatName
Method = 'Cmdlet'
@@ -551,7 +551,7 @@ function Confirm-SystemCompliance {
# For PowerShell Cmdlet
$NestedObjectArray += [PSCustomObject]@{
Name = 'Microsoft Defender Engine Updates Channel'
- Value = $($DefenderEngineUpdatesChannels[[int](get-mppreference).EngineUpdatesChannel])
+ Value = $($DefenderEngineUpdatesChannels[[int](Get-MpPreference).EngineUpdatesChannel])
Compliant = 'N/A'
Category = $CatName
Method = 'Cmdlet'
@@ -575,7 +575,7 @@ function Confirm-SystemCompliance {
[String]$CatName = 'ASR'
# Loop through each nested hash table inside the main Policies hash table and check the item state using a switch statement
foreach ($Key in $HashPol[$CatName].Keys) {
- $Item = $PoliciesOutput | Where-object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
+ $Item = $PoliciesOutput | Where-Object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
switch ($Key) {
1 {
$1index = $Item.ListBoxValue.element.Name.IndexOf('92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B')
@@ -675,7 +675,7 @@ function Confirm-SystemCompliance {
# bootDMAProtection check - checks for Kernel DMA Protection status in System information or msinfo32
[string]$BootDMAProtectionCheck =
- @"
+ @'
namespace SystemInfo
{
using System;
@@ -717,7 +717,7 @@ function Confirm-SystemCompliance {
}
}
}
-"@
+'@
Add-Type -TypeDefinition $BootDMAProtectionCheck
# returns true or false depending on whether Kernel DMA Protection is on or off
[bool]$BootDMAProtection = ([SystemInfo.NativeMethods]::BootDmaCheck()) -ne 0
@@ -726,7 +726,7 @@ function Confirm-SystemCompliance {
# Loop through each nested hash table inside the main Policies hash table and check the item state using a switch statement
foreach ($Key in $HashPol[$CatName].Keys) {
- $Item = $PoliciesOutput | Where-object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
+ $Item = $PoliciesOutput | Where-Object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
switch ($Key) {
1 {
[bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
@@ -763,15 +763,15 @@ function Confirm-SystemCompliance {
) ? $True : $False
}
3 {
- $1index = $Item.DropDownListName.IndexOf("Select the encryption method for operating system drives:")
+ $1index = $Item.DropDownListName.IndexOf('Select the encryption method for operating system drives:')
$1DropDownState = $Item.DropDownListState[$1index]
$1DropDownValue = $Item.DropDownListValue[$1index]
- $2index = $Item.DropDownListName.IndexOf("Select the encryption method for fixed data drives:")
+ $2index = $Item.DropDownListName.IndexOf('Select the encryption method for fixed data drives:')
$2DropDownState = $Item.DropDownListState[$2index]
$2DropDownValue = $Item.DropDownListValue[$2index]
- $3index = $Item.DropDownListName.IndexOf("Select the encryption method for removable data drives:")
+ $3index = $Item.DropDownListName.IndexOf('Select the encryption method for removable data drives:')
$3DropDownState = $Item.DropDownListState[$3index]
$3DropDownValue = $Item.DropDownListValue[$3index]
@@ -844,7 +844,7 @@ function Confirm-SystemCompliance {
}
# For PowerShell Cmdlet
- $IndividualItemResult = $($((Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Power -name HibernateEnabled).hibernateEnabled) -eq 1 ? $True : $False)
+ $IndividualItemResult = $($((Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Power -Name HibernateEnabled).hibernateEnabled) -eq 1 ? $True : $False)
$NestedObjectArray += [PSCustomObject]@{
Name = 'Hibernate enabled and set to full'
Value = $IndividualItemResult
@@ -862,7 +862,7 @@ function Confirm-SystemCompliance {
[String]$CatName = 'TLS'
# Loop through each nested hash table inside the main Policies hash table and check the item state using a switch statement
foreach ($Key in $HashPol[$CatName].Keys) {
- $Item = $PoliciesOutput | Where-object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
+ $Item = $PoliciesOutput | Where-Object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
switch ($Key) {
1 {
# Write-Host "$($Item.MultiTextValue.string)" -ForegroundColor Yellow
@@ -953,7 +953,7 @@ function Confirm-SystemCompliance {
[String]$CatName = 'LockScreen'
# Loop through each nested hash table inside the main Policies hash table and check the item state using a switch statement
foreach ($Key in $HashPol[$CatName].Keys) {
- $Item = $PoliciesOutput | Where-object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
+ $Item = $PoliciesOutput | Where-Object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
switch ($Key) {
1 {
[bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
@@ -1054,7 +1054,7 @@ function Confirm-SystemCompliance {
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$IndividualItemResult = [bool]$($SecurityPoliciesIni.'System Access'['LockoutBadCount'] -eq '5') ? $True : $False
$NestedObjectArray += [PSCustomObject]@{
- Name = "Account lockout threshold"
+ Name = 'Account lockout threshold'
Value = $IndividualItemResult
Compliant = $IndividualItemResult
Category = $CatName
@@ -1064,7 +1064,7 @@ function Confirm-SystemCompliance {
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$IndividualItemResult = [bool]$($SecurityPoliciesIni.'System Access'['LockoutDuration'] -eq '1440') ? $True : $False
$NestedObjectArray += [PSCustomObject]@{
- Name = "Account lockout duration"
+ Name = 'Account lockout duration'
Value = $IndividualItemResult
Compliant = $IndividualItemResult
Category = $CatName
@@ -1074,7 +1074,7 @@ function Confirm-SystemCompliance {
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$IndividualItemResult = [bool]$($SecurityPoliciesIni.'System Access'['ResetLockoutCount'] -eq '1440') ? $True : $False
$NestedObjectArray += [PSCustomObject]@{
- Name = "Reset account lockout counter after"
+ Name = 'Reset account lockout counter after'
Value = $IndividualItemResult
Compliant = $IndividualItemResult
Category = $CatName
@@ -1098,10 +1098,10 @@ function Confirm-SystemCompliance {
#Region User-Account-Control-Category
Write-Progress -Activity 'Validating User Account Control Category' -Status 'Processing...' -PercentComplete 60
[System.Array]$NestedObjectArray = @()
- [String]$CatName = "UAC"
+ [String]$CatName = 'UAC'
# Loop through each nested hash table inside the main Policies hash table and check the item state using a switch statement
foreach ($Key in $HashPol[$CatName].Keys) {
- $Item = $PoliciesOutput | Where-object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
+ $Item = $PoliciesOutput | Where-Object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
switch ($Key) {
1 {
[bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
@@ -1122,7 +1122,7 @@ function Confirm-SystemCompliance {
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$IndividualItemResult = [bool]$($SecurityPoliciesIni.'Registry Values'['MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin'] -eq '4,2') ? $True : $False
$NestedObjectArray += [PSCustomObject]@{
- Name = "UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode"
+ Name = 'UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode'
Value = $IndividualItemResult
Compliant = $IndividualItemResult
Category = $CatName
@@ -1150,7 +1150,7 @@ function Confirm-SystemCompliance {
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$NestedObjectArray += [PSCustomObject]@{
- Name = "UAC: Behavior of the elevation prompt for standard users"
+ Name = 'UAC: Behavior of the elevation prompt for standard users'
Value = $IndividualItemResult
Compliant = $ConsentPromptBehaviorUserCompliance
Category = $CatName
@@ -1174,15 +1174,15 @@ function Confirm-SystemCompliance {
#Region Device-Guard-Category
Write-Progress -Activity 'Validating Device Guard Category' -Status 'Processing...' -PercentComplete 65
[System.Array]$NestedObjectArray = @()
- [String]$CatName = "Device Guard"
+ [String]$CatName = 'Device Guard'
# Loop through each nested hash table inside the main Policies hash table and check the item state using a switch statement
foreach ($Key in $HashPol[$CatName].Keys) {
- $Item = $PoliciesOutput | Where-object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
+ $Item = $PoliciesOutput | Where-Object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
switch ($Key) {
1 {
# Write-Host "$($Item.DropDownListName)" -ForegroundColor Yellow
# DropDown 1
- $1index = $Item.DropDownListName.IndexOf("Select Platform Security Level:")
+ $1index = $Item.DropDownListName.IndexOf('Select Platform Security Level:')
#Write-Host "$1index" -ForegroundColor Yellow
$1DropDownState = $Item.DropDownListState[$1index]
@@ -1192,7 +1192,7 @@ function Confirm-SystemCompliance {
#Write-Host "$1DropDownValue" -ForegroundColor Yellow
# DropDown 2
- $2index = $Item.DropDownListName.IndexOf("Virtualization Based Protection of Code Integrity:")
+ $2index = $Item.DropDownListName.IndexOf('Virtualization Based Protection of Code Integrity:')
# Write-Host "$2index" -ForegroundColor Yellow
$2DropDownState = $Item.DropDownListState[$2index]
@@ -1202,7 +1202,7 @@ function Confirm-SystemCompliance {
# Write-Host "$2DropDownValue" -ForegroundColor Yellow
# DropDown 3
- $3index = $Item.DropDownListName.IndexOf("Credential Guard Configuration:")
+ $3index = $Item.DropDownListName.IndexOf('Credential Guard Configuration:')
# Write-Host "$3index" -ForegroundColor Yellow
$3DropDownState = $Item.DropDownListState[$3index]
@@ -1212,7 +1212,7 @@ function Confirm-SystemCompliance {
# Write-Host "$3DropDownValue" -ForegroundColor Yellow
# DropDown 4
- $4index = $Item.DropDownListName.IndexOf("Secure Launch Configuration:")
+ $4index = $Item.DropDownListName.IndexOf('Secure Launch Configuration:')
# Write-Host "$4index" -ForegroundColor Yellow
$4DropDownState = $Item.DropDownListState[$4index]
@@ -1222,7 +1222,7 @@ function Confirm-SystemCompliance {
# Write-Host "$4DropDownValue" -ForegroundColor Yellow
# DropDown 5
- $5index = $Item.DropDownListName.IndexOf("Kernel-mode Hardware-enforced Stack Protection:")
+ $5index = $Item.DropDownListName.IndexOf('Kernel-mode Hardware-enforced Stack Protection:')
# Write-Host "$5index" -ForegroundColor Yellow
$5DropDownState = $Item.DropDownListState[$5index]
@@ -1262,7 +1262,7 @@ function Confirm-SystemCompliance {
# Loop through each nested hash table inside the main Registeries hash table and check the item state using a switch statement
foreach ($Key in $HashReg[$CatName].Keys) {
# Get the correct object from the RegistriesOutput Object that contains all the group policies in the xml file
- $Item = $RegistriesOutput | Where-object { $_.Name -eq $HashReg[$CatName][$Key].Name -and $_.KeyPath -eq $HashReg[$CatName][$Key].KeyPath }
+ $Item = $RegistriesOutput | Where-Object { $_.Name -eq $HashReg[$CatName][$Key].Name -and $_.KeyPath -eq $HashReg[$CatName][$Key].KeyPath }
switch ($Key) {
1 {
[bool]$ItemState = ($Item.Number -eq '1') ? $True : $False
@@ -1289,7 +1289,7 @@ function Confirm-SystemCompliance {
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$NestedObjectArray += [PSCustomObject]@{
- Name = "Domain Profile Default Inbound Action"
+ Name = 'Domain Profile Default Inbound Action'
Value = $FirewallPoliciesOutput.DomainDefaultInboundAction
Compliant = [bool]($FirewallPoliciesOutput.DomainDefaultInboundAction -eq $True ? $True : $False)
Category = $CatName
@@ -1298,7 +1298,7 @@ function Confirm-SystemCompliance {
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$NestedObjectArray += [PSCustomObject]@{
- Name = "Domain Profile Default Outbound Action"
+ Name = 'Domain Profile Default Outbound Action'
Value = $FirewallPoliciesOutput.DomainDefaultOutboundAction
Compliant = [bool]($FirewallPoliciesOutput.DomainDefaultOutboundAction -eq $true ? $True : $False)
Category = $CatName
@@ -1307,7 +1307,7 @@ function Confirm-SystemCompliance {
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$NestedObjectArray += [PSCustomObject]@{
- Name = "Domain Profile Do Not Allow Exceptions"
+ Name = 'Domain Profile Do Not Allow Exceptions'
Value = $FirewallPoliciesOutput.DomainDoNotAllowExceptions
Compliant = [bool]($FirewallPoliciesOutput.DomainDoNotAllowExceptions -eq $true ? $True : $False)
Category = $CatName
@@ -1316,7 +1316,7 @@ function Confirm-SystemCompliance {
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$NestedObjectArray += [PSCustomObject]@{
- Name = "Domain Profile Firewall Enabled"
+ Name = 'Domain Profile Firewall Enabled'
Value = $FirewallPoliciesOutput.DomainEnableFirewall
Compliant = [bool]($FirewallPoliciesOutput.DomainEnableFirewall -eq $true ? $True : $False)
Category = $CatName
@@ -1325,7 +1325,7 @@ function Confirm-SystemCompliance {
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$NestedObjectArray += [PSCustomObject]@{
- Name = "Domain Profile Log File Path"
+ Name = 'Domain Profile Log File Path'
Value = $FirewallPoliciesOutput.DomainLogFilePath
Compliant = [bool]($FirewallPoliciesOutput.DomainLogFilePath -eq '%systemroot%\system32\logfiles\firewall\domainfirewall.log' ? $True : $False)
Category = $CatName
@@ -1334,7 +1334,7 @@ function Confirm-SystemCompliance {
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$NestedObjectArray += [PSCustomObject]@{
- Name = "Domain Profile Log File Size"
+ Name = 'Domain Profile Log File Size'
Value = $FirewallPoliciesOutput.DomainLogFileSize
Compliant = [bool]($FirewallPoliciesOutput.DomainLogFileSize -eq '32767' ? $True : $False)
Category = $CatName
@@ -1343,7 +1343,7 @@ function Confirm-SystemCompliance {
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$NestedObjectArray += [PSCustomObject]@{
- Name = "Domain Profile Log Dropped Packets"
+ Name = 'Domain Profile Log Dropped Packets'
Value = $FirewallPoliciesOutput.DomainLogDroppedPackets
Compliant = [bool]($FirewallPoliciesOutput.DomainLogDroppedPackets -eq $true ? $True : $False)
Category = $CatName
@@ -1352,7 +1352,7 @@ function Confirm-SystemCompliance {
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$NestedObjectArray += [PSCustomObject]@{
- Name = "Domain Profile Log Successful Connections"
+ Name = 'Domain Profile Log Successful Connections'
Value = $FirewallPoliciesOutput.DomainLogSuccessfulConnections
Compliant = [bool]($FirewallPoliciesOutput.DomainLogSuccessfulConnections -eq $true ? $True : $False)
Category = $CatName
@@ -1361,7 +1361,7 @@ function Confirm-SystemCompliance {
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$NestedObjectArray += [PSCustomObject]@{
- Name = "Public Profile Disable Notifications"
+ Name = 'Public Profile Disable Notifications'
Value = $FirewallPoliciesOutput.PublicDisableNotifications
Compliant = [bool]($FirewallPoliciesOutput.PublicDisableNotifications -eq $false ? $True : $False)
Category = $CatName
@@ -1370,7 +1370,7 @@ function Confirm-SystemCompliance {
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$NestedObjectArray += [PSCustomObject]@{
- Name = "Public Profile Enable Firewall"
+ Name = 'Public Profile Enable Firewall'
Value = $FirewallPoliciesOutput.PublicEnableFirewall
Compliant = [bool]($FirewallPoliciesOutput.PublicEnableFirewall -eq $true ? $True : $False)
Category = $CatName
@@ -1379,7 +1379,7 @@ function Confirm-SystemCompliance {
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$NestedObjectArray += [PSCustomObject]@{
- Name = "Public Profile Log File Path"
+ Name = 'Public Profile Log File Path'
Value = $FirewallPoliciesOutput.PublicLogFilePath
Compliant = [bool]($FirewallPoliciesOutput.PublicLogFilePath -eq '%systemroot%\system32\logfiles\firewall\publicfirewall.log' ? $True : $False)
Category = $CatName
@@ -1388,7 +1388,7 @@ function Confirm-SystemCompliance {
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$NestedObjectArray += [PSCustomObject]@{
- Name = "Public Profile Log File Size"
+ Name = 'Public Profile Log File Size'
Value = $FirewallPoliciesOutput.PublicLogFileSize
Compliant = [bool]($FirewallPoliciesOutput.PublicLogFileSize -eq '32767' ? $True : $False)
Category = $CatName
@@ -1397,7 +1397,7 @@ function Confirm-SystemCompliance {
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$NestedObjectArray += [PSCustomObject]@{
- Name = "Public Profile Log Dropped Packets"
+ Name = 'Public Profile Log Dropped Packets'
Value = $FirewallPoliciesOutput.PublicLogDroppedPackets
Compliant = [bool]($FirewallPoliciesOutput.PublicLogDroppedPackets -eq $true ? $True : $False)
Category = $CatName
@@ -1406,7 +1406,7 @@ function Confirm-SystemCompliance {
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$NestedObjectArray += [PSCustomObject]@{
- Name = "Private Profile Disable Notifications"
+ Name = 'Private Profile Disable Notifications'
Value = $FirewallPoliciesOutput.PrivateDisableNotifications
Compliant = [bool]($FirewallPoliciesOutput.PrivateDisableNotifications -eq $false ? $True : $False)
Category = $CatName
@@ -1415,7 +1415,7 @@ function Confirm-SystemCompliance {
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$NestedObjectArray += [PSCustomObject]@{
- Name = "Private Profile Enable Firewall"
+ Name = 'Private Profile Enable Firewall'
Value = $FirewallPoliciesOutput.PrivateEnableFirewall
Compliant = [bool]($FirewallPoliciesOutput.PrivateEnableFirewall -eq $true ? $True : $False)
Category = $CatName
@@ -1424,7 +1424,7 @@ function Confirm-SystemCompliance {
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$NestedObjectArray += [PSCustomObject]@{
- Name = "Private Profile Log File Path"
+ Name = 'Private Profile Log File Path'
Value = $FirewallPoliciesOutput.PrivateLogFilePath
Compliant = [bool]($FirewallPoliciesOutput.PrivateLogFilePath -eq '%systemroot%\system32\logfiles\firewall\privatefirewall.log' ? $True : $False)
Category = $CatName
@@ -1433,7 +1433,7 @@ function Confirm-SystemCompliance {
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$NestedObjectArray += [PSCustomObject]@{
- Name = "Private Profile Log File Size"
+ Name = 'Private Profile Log File Size'
Value = $FirewallPoliciesOutput.PrivateLogFileSize
Compliant = [bool]($FirewallPoliciesOutput.PrivateLogFileSize -eq '32767' ? $True : $False)
Category = $CatName
@@ -1442,7 +1442,7 @@ function Confirm-SystemCompliance {
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$NestedObjectArray += [PSCustomObject]@{
- Name = "Private Profile Log Dropped Packets"
+ Name = 'Private Profile Log Dropped Packets'
Value = $FirewallPoliciesOutput.PrivateLogDroppedPackets
Compliant = [bool]($FirewallPoliciesOutput.PrivateLogDroppedPackets -eq $true ? $True : $False)
Category = $CatName
@@ -1450,15 +1450,15 @@ function Confirm-SystemCompliance {
}
# Disables Multicast DNS (mDNS) UDP-in Firewall Rules for all 3 Firewall profiles - disables only 3 rules
- $RulesToDisable = get-NetFirewallRule -ErrorAction Stop |
- Where-Object { $_.RuleGroup -eq "@%SystemRoot%\system32\firewallapi.dll,-37302" -and $_.Direction -eq "inbound" }
+ $RulesToDisable = Get-NetFirewallRule -ErrorAction Stop |
+ Where-Object { $_.RuleGroup -eq '@%SystemRoot%\system32\firewallapi.dll,-37302' -and $_.Direction -eq 'inbound' }
# Check if the number of detected rules that need to be disabled match the number of rules with the same criteria that are disabled
$RulesTarget = $RulesToDisable | Where-Object { $_.Enabled -eq 'False' }
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$IndividualItemResult = [bool](($RulesTarget.count -eq $RulesToDisable.Count) ? $True : $false)
$NestedObjectArray += [PSCustomObject]@{
- Name = "Firewall rules disabled for Multicast DNS (mDNS) UDP-in"
+ Name = 'Firewall rules disabled for Multicast DNS (mDNS) UDP-in'
Value = $IndividualItemResult
Compliant = $IndividualItemResult
Category = $CatName
@@ -1475,12 +1475,12 @@ function Confirm-SystemCompliance {
[String]$CatName = 'Optional Windows Features'
# Disable PowerShell v2 (needs 2 commands)
- [bool]$IndividualItemResult = ((get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction Stop).state -eq 'disabled') `
- -and [bool]((get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction Stop).state -eq 'disabled') ? $True : $false
+ [bool]$IndividualItemResult = ((Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction Stop).state -eq 'disabled') `
+ -and [bool]((Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction Stop).state -eq 'disabled') ? $True : $false
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$NestedObjectArray += [PSCustomObject]@{
- Name = "PowerShell v2 is disabled"
+ Name = 'PowerShell v2 is disabled'
Value = $IndividualItemResult
Compliant = $IndividualItemResult
Category = $CatName
@@ -1488,9 +1488,9 @@ function Confirm-SystemCompliance {
}
# Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]((get-WindowsOptionalFeature -Online -FeatureName WorkFolders-Client -ErrorAction Stop).state -eq 'disabled')
+ $IndividualItemResult = [bool]((Get-WindowsOptionalFeature -Online -FeatureName WorkFolders-Client -ErrorAction Stop).state -eq 'disabled')
$NestedObjectArray += [PSCustomObject]@{
- Name = "Work Folders client is disabled"
+ Name = 'Work Folders client is disabled'
Value = $IndividualItemResult
Compliant = $IndividualItemResult
Category = $CatName
@@ -1498,9 +1498,9 @@ function Confirm-SystemCompliance {
}
# Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]((get-WindowsOptionalFeature -Online -FeatureName Printing-Foundation-Features -ErrorAction Stop).state -eq 'disabled')
+ $IndividualItemResult = [bool]((Get-WindowsOptionalFeature -Online -FeatureName Printing-Foundation-Features -ErrorAction Stop).state -eq 'disabled')
$NestedObjectArray += [PSCustomObject]@{
- Name = "Internet Printing Client is disabled"
+ Name = 'Internet Printing Client is disabled'
Value = $IndividualItemResult
Compliant = $IndividualItemResult
Category = $CatName
@@ -1508,9 +1508,9 @@ function Confirm-SystemCompliance {
}
# Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]((get-WindowsOptionalFeature -Online -FeatureName WindowsMediaPlayer -ErrorAction Stop).state -eq 'disabled')
+ $IndividualItemResult = [bool]((Get-WindowsOptionalFeature -Online -FeatureName WindowsMediaPlayer -ErrorAction Stop).state -eq 'disabled')
$NestedObjectArray += [PSCustomObject]@{
- Name = "Windows Media Player (legacy) is disabled"
+ Name = 'Windows Media Player (legacy) is disabled'
Value = $IndividualItemResult
Compliant = $IndividualItemResult
Category = $CatName
@@ -1518,9 +1518,9 @@ function Confirm-SystemCompliance {
}
# Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]((get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -ErrorAction Stop).state -eq 'enabled')
+ $IndividualItemResult = [bool]((Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -ErrorAction Stop).state -eq 'enabled')
$NestedObjectArray += [PSCustomObject]@{
- Name = "Microsoft Defender Application Guard is enabled"
+ Name = 'Microsoft Defender Application Guard is enabled'
Value = $IndividualItemResult
Compliant = $IndividualItemResult
Category = $CatName
@@ -1528,9 +1528,9 @@ function Confirm-SystemCompliance {
}
# Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]((get-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM -ErrorAction Stop).state -eq 'enabled')
+ $IndividualItemResult = [bool]((Get-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM -ErrorAction Stop).state -eq 'enabled')
$NestedObjectArray += [PSCustomObject]@{
- Name = "Windows Sandbox is enabled"
+ Name = 'Windows Sandbox is enabled'
Value = $IndividualItemResult
Compliant = $IndividualItemResult
Category = $CatName
@@ -1538,9 +1538,9 @@ function Confirm-SystemCompliance {
}
# Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]((get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -ErrorAction Stop).state -eq 'enabled')
+ $IndividualItemResult = [bool]((Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -ErrorAction Stop).state -eq 'enabled')
$NestedObjectArray += [PSCustomObject]@{
- Name = "Hyper-V is enabled"
+ Name = 'Hyper-V is enabled'
Value = $IndividualItemResult
Compliant = $IndividualItemResult
Category = $CatName
@@ -1548,9 +1548,9 @@ function Confirm-SystemCompliance {
}
# Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]((get-WindowsOptionalFeature -Online -FeatureName VirtualMachinePlatform -ErrorAction Stop).state -eq 'enabled')
+ $IndividualItemResult = [bool]((Get-WindowsOptionalFeature -Online -FeatureName VirtualMachinePlatform -ErrorAction Stop).state -eq 'enabled')
$NestedObjectArray += [PSCustomObject]@{
- Name = "Virtual Machine Platform is enabled"
+ Name = 'Virtual Machine Platform is enabled'
Value = $IndividualItemResult
Compliant = $IndividualItemResult
Category = $CatName
@@ -1560,7 +1560,7 @@ function Confirm-SystemCompliance {
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$IndividualItemResult = [bool]((Get-WindowsCapability -Online -ErrorAction Stop | Where-Object { $_.Name -like '*wmic*' }).state -eq 'NotPresent')
$NestedObjectArray += [PSCustomObject]@{
- Name = "WMIC is not present"
+ Name = 'WMIC is not present'
Value = $IndividualItemResult
Compliant = $IndividualItemResult
Category = $CatName
@@ -1570,7 +1570,7 @@ function Confirm-SystemCompliance {
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$IndividualItemResult = [bool]((Get-WindowsCapability -Online -ErrorAction Stop | Where-Object { $_.Name -like '*Browser.InternetExplorer*' }).state -eq 'NotPresent')
$NestedObjectArray += [PSCustomObject]@{
- Name = "Internet Explorer mode functionality for Edge is not present"
+ Name = 'Internet Explorer mode functionality for Edge is not present'
Value = $IndividualItemResult
Compliant = $IndividualItemResult
Category = $CatName
@@ -1580,7 +1580,7 @@ function Confirm-SystemCompliance {
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$IndividualItemResult = [bool]((Get-WindowsCapability -Online -ErrorAction Stop | Where-Object { $_.Name -like '*Microsoft.Windows.Notepad.System*' }).state -eq 'NotPresent')
$NestedObjectArray += [PSCustomObject]@{
- Name = "Legacy Notepad is not present"
+ Name = 'Legacy Notepad is not present'
Value = $IndividualItemResult
Compliant = $IndividualItemResult
Category = $CatName
@@ -1594,10 +1594,10 @@ function Confirm-SystemCompliance {
#Region Windows-Networking-Category
Write-Progress -Activity 'Validating Windows Networking Category' -Status 'Processing...' -PercentComplete 80
[System.Array]$NestedObjectArray = @()
- [String]$CatName = "Windows Networking"
+ [String]$CatName = 'Windows Networking'
# Loop through each nested hash table inside the main Policies hash table and check the item state using a switch statement
foreach ($Key in $HashPol[$CatName].Keys) {
- $Item = $PoliciesOutput | Where-object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
+ $Item = $PoliciesOutput | Where-Object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
switch ($Key) {
1 {
[bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
@@ -1636,7 +1636,7 @@ function Confirm-SystemCompliance {
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$NestedObjectArray += [PSCustomObject]@{
- Name = "Network Location of all connections set to Public"
+ Name = 'Network Location of all connections set to Public'
Value = $IndividualItemResult
Compliant = $IndividualItemResult
Category = $CatName
@@ -1644,13 +1644,13 @@ function Confirm-SystemCompliance {
}
# Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]((Get-ItemPropertyValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters" -Name "EnableLMHOSTS") -eq '0')
+ $IndividualItemResult = [bool]((Get-ItemPropertyValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' -Name 'EnableLMHOSTS') -eq '0')
$NestedObjectArray += [PSCustomObject]@{
- Name = "Disable LMHOSTS lookup protocol on all network adapters"
+ Name = 'Disable LMHOSTS lookup protocol on all network adapters'
Value = $IndividualItemResult
Compliant = $IndividualItemResult
Category = $CatName
- Method = "Registry Key"
+ Method = 'Registry Key'
}
# Create a custom object with 5 properties to store them as nested objects inside the main output object
@@ -1680,10 +1680,10 @@ function Confirm-SystemCompliance {
#Region Miscellaneous-Category
Write-Progress -Activity 'Validating Miscellaneous Category' -Status 'Processing...' -PercentComplete 85
[System.Array]$NestedObjectArray = @()
- [String]$CatName = "Miscellaneous"
+ [String]$CatName = 'Miscellaneous'
# Loop through each nested hash table inside the main Policies hash table and check the item state using a switch statement
foreach ($Key in $HashPol[$CatName].Keys) {
- $Item = $PoliciesOutput | Where-object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
+ $Item = $PoliciesOutput | Where-Object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
switch ($Key) {
1 {
[bool]$ItemState = ($Item.State -eq 'Enabled' `
@@ -1744,7 +1744,7 @@ function Confirm-SystemCompliance {
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$IndividualItemResult = [bool]((Get-SmbServerConfiguration -ErrorAction Stop).encryptdata)
$NestedObjectArray += [PSCustomObject]@{
- Name = "SMB Encryption"
+ Name = 'SMB Encryption'
Value = $IndividualItemResult
Compliant = $IndividualItemResult
Category = $CatName
@@ -1754,7 +1754,7 @@ function Confirm-SystemCompliance {
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$IndividualItemResult = [bool](((auditpol /get /subcategory:"Other Logon/Logoff Events" /r | ConvertFrom-Csv -ErrorAction Stop).'Inclusion Setting' -eq 'Success and Failure') ? $True : $False)
$NestedObjectArray += [PSCustomObject]@{
- Name = "Audit policy for Other Logon/Logoff Events"
+ Name = 'Audit policy for Other Logon/Logoff Events'
Value = $IndividualItemResult
Compliant = $IndividualItemResult
Category = $CatName
@@ -1776,7 +1776,7 @@ function Confirm-SystemCompliance {
# Create a custom object with 5 properties to store them as nested objects inside the main output object
$NestedObjectArray += [PSCustomObject]@{
- Name = "All users are part of the Hyper-V Administrators group"
+ Name = 'All users are part of the Hyper-V Administrators group'
Value = $MatchHyperVUsers
Compliant = $MatchHyperVUsers
Category = $CatName
@@ -1817,7 +1817,7 @@ function Confirm-SystemCompliance {
[String]$CatName = 'Windows Update'
# Loop through each nested hash table inside the main Policies hash table and check the item state using a switch statement
foreach ($Key in $HashPol[$CatName].Keys) {
- $Item = $PoliciesOutput | Where-object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
+ $Item = $PoliciesOutput | Where-Object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
switch ($Key) {
1 {
[bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
@@ -1827,11 +1827,11 @@ function Confirm-SystemCompliance {
}
3 {
# 2 Check boxes with the same name exists, but both of their States and Values are the same that's why this works
- $1index = $Item.DropDownListName.IndexOf("Deadline (days):")
+ $1index = $Item.DropDownListName.IndexOf('Deadline (days):')
$1DropDownState = $Item.DropDownListState[$1index]
$1DropDownValue = $Item.DropDownListValue[$1index]
- $2index = $Item.DropDownListName.IndexOf("Grace period (days):")
+ $2index = $Item.DropDownListName.IndexOf('Grace period (days):')
$2DropDownState = $Item.DropDownListState[$2index]
$2DropDownValue = $Item.DropDownListValue[$2index]
@@ -1910,13 +1910,13 @@ function Confirm-SystemCompliance {
}
# Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]((Get-ItemPropertyValue -Path "HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" -Name "RestartNotificationsAllowed2") -eq '1')
+ $IndividualItemResult = [bool]((Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings' -Name 'RestartNotificationsAllowed2') -eq '1')
$NestedObjectArray += [PSCustomObject]@{
- Name = "Enable restart notification for Windows update"
+ Name = 'Enable restart notification for Windows update'
Value = $IndividualItemResult
Compliant = $IndividualItemResult
Category = $CatName
- Method = "Registry Key"
+ Method = 'Registry Key'
}
# Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
@@ -1926,7 +1926,7 @@ function Confirm-SystemCompliance {
#Region Edge-Category
Write-Progress -Activity 'Validating Edge Browser Category' -Status 'Processing...' -PercentComplete 95
[System.Array]$NestedObjectArray = @()
- [String]$CatName = "Edge"
+ [String]$CatName = 'Edge'
$MatchRegistryKeys = @() # initialize the variable to false - an array that is going to hold only bool values
foreach ($Item in $CSVFileContent) {
if ($Item.category -eq 'Edge' -and $Item.Action -eq 'AddOrModify') {
@@ -2007,7 +2007,7 @@ function Confirm-SystemCompliance {
$CsvOutPutFileContent += $FinalMegaObject.Edge
$CsvOutPutFileContent += $FinalMegaObject.'Non-Admin'
# Convert the array to CSV and store it in the Output.CSV file in the current working directory
- $CsvOutPutFileContent | ConvertTo-Csv -ErrorAction Stop | Out-File '.\Output.CSV' -Force -ErrorAction Stop
+ $CsvOutPutFileContent | ConvertTo-Csv -ErrorAction Stop | Out-File -FilePath '.\Output.CSV' -Force -ErrorAction Stop
}
if ($ShowAsObjectsOnly) {
@@ -2043,12 +2043,12 @@ function Confirm-SystemCompliance {
[System.Drawing.Color]::Pink
)
- $output = ""
+ $output = ''
for ($i = 0; $i -lt $text.Length; $i++) {
$color = $colors[$i % $colors.Length]
$output += "$($PSStyle.Foreground.FromRGB($color.R, $color.G, $color.B))$($text[$i])$($PSStyle.Reset)"
}
- Write-Output $output
+ Write-Output -InputObject $output
}
[scriptblock]$WriteRainbow2 = {
@@ -2067,58 +2067,58 @@ function Confirm-SystemCompliance {
[System.Drawing.Color]::Gold
)
- $output = ""
+ $output = ''
for ($i = 0; $i -lt $text.Length; $i++) {
$color = $colors[$i % $colors.Length]
$output += "$($PSStyle.Foreground.FromRGB($color.R, $color.G, $color.B))$($text[$i])$($PSStyle.Reset)"
}
- Write-Output $output
+ Write-Output -InputObject $output
}
#Endregion Colors
# Show all properties in list
if ($DetailedDisplay) {
& $WritePlum "`n-------------Microsoft Defender Category-------------"
- $FinalMegaObject.'Microsoft Defender' | Format-list * -ErrorAction Stop
+ $FinalMegaObject.'Microsoft Defender' | Format-List -Property * -ErrorAction Stop
& $WriteOrchid "`n-------------Attack Surface Reduction Rules Category-------------"
- $FinalMegaObject.ASR | Format-list * -ErrorAction Stop
+ $FinalMegaObject.ASR | Format-List -Property * -ErrorAction Stop
& $WriteFuchsia "`n-------------Bitlocker Category-------------"
- $FinalMegaObject.Bitlocker | Format-list * -ErrorAction Stop
+ $FinalMegaObject.Bitlocker | Format-List -Property * -ErrorAction Stop
& $WriteMediumOrchid "`n-------------TLS Category-------------"
- $FinalMegaObject.TLS | Format-list * -ErrorAction Stop
+ $FinalMegaObject.TLS | Format-List -Property * -ErrorAction Stop
& $WriteMediumPurple "`n-------------Lock Screen Category-------------"
- $FinalMegaObject.LockScreen | Format-list * -ErrorAction Stop
+ $FinalMegaObject.LockScreen | Format-List -Property * -ErrorAction Stop
& $WriteBlueViolet "`n-------------User Account Control Category-------------"
- $FinalMegaObject.UAC | Format-list * -ErrorAction Stop
+ $FinalMegaObject.UAC | Format-List -Property * -ErrorAction Stop
& $WriteDarkViolet "`n-------------Device Guard Category-------------"
- $FinalMegaObject.'Device Guard' | Format-list * -ErrorAction Stop
+ $FinalMegaObject.'Device Guard' | Format-List -Property * -ErrorAction Stop
& $WritePink "`n-------------Windows Firewall Category-------------"
- $FinalMegaObject.'Windows Firewall' | Format-list * -ErrorAction Stop
+ $FinalMegaObject.'Windows Firewall' | Format-List -Property * -ErrorAction Stop
& $WriteSkyBlue "`n-------------Optional Windows Features Category-------------"
- $FinalMegaObject.'Optional Windows Features' | Format-list * -ErrorAction Stop
+ $FinalMegaObject.'Optional Windows Features' | Format-List -Property * -ErrorAction Stop
& $WriteHotPink "`n-------------Windows Networking Category-------------"
- $FinalMegaObject.'Windows Networking' | Format-list * -ErrorAction Stop
+ $FinalMegaObject.'Windows Networking' | Format-List -Property * -ErrorAction Stop
& $WriteDeepPink "`n-------------Miscellaneous Category-------------"
- $FinalMegaObject.Miscellaneous | Format-list * -ErrorAction Stop
+ $FinalMegaObject.Miscellaneous | Format-List -Property * -ErrorAction Stop
& $WriteMintGreen "`n-------------Windows Update Category-------------"
- $FinalMegaObject.'Windows Update' | Format-list * -ErrorAction Stop
+ $FinalMegaObject.'Windows Update' | Format-List -Property * -ErrorAction Stop
& $WriteOrange "`n-------------Microsoft Edge Category-------------"
- $FinalMegaObject.Edge | Format-list * -ErrorAction Stop
+ $FinalMegaObject.Edge | Format-List -Property * -ErrorAction Stop
& $WriteSkyBlue "`n-------------Non-Admin Category-------------"
- $FinalMegaObject.'Non-Admin' | Format-list * -ErrorAction Stop
+ $FinalMegaObject.'Non-Admin' | Format-List -Property * -ErrorAction Stop
}
# Show properties that matter in a table
@@ -2185,7 +2185,7 @@ function Confirm-SystemCompliance {
#Region ASCII-Arts
- [string]$WhenValue1To20 = @"
+ [string]$WhenValue1To20 = @'
OH
N
@@ -2202,10 +2202,10 @@ function Confirm-SystemCompliance {
.
.
-"@
+'@
- [string]$WhenValue21To40 = @"
+ [string]$WhenValue21To40 = @'
⣿⣿⣷⡁⢆⠈⠕⢕⢂⢕⢂⢕⢂⢔⢂⢕⢄⠂⣂⠂⠆⢂⢕⢂⢕⢂⢕⢂⢕⢂
⣿⣿⣿⡷⠊⡢⡹⣦⡑⢂⢕⢂⢕⢂⢕⢂⠕⠔⠌⠝⠛⠶⠶⢶⣦⣄⢂⢕⢂⢕
@@ -2222,10 +2222,10 @@ function Confirm-SystemCompliance {
⠨⡂⡀⢑⢕⡅⠂⠄⠉⠛⠻⠿⢿⣿⣿⣿⣿⣿⣿⣿⣿⡿⢋⢔⢕⢕⣿⣿⠠⠈
⠄⠪⣂⠁⢕⠆⠄⠂⠄⠁⡀⠂⡀⠄⢈⠉⢍⢛⢛⢛⢋⢔⢕⢕⢕⣽⣿⣿⠠⠈
-"@
+'@
- [string]$WhenValue41To60 = @"
+ [string]$WhenValue41To60 = @'
⣿⡟⠙⠛⠋⠩⠭⣉⡛⢛⠫⠭⠄⠒⠄⠄⠄⠈⠉⠛⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿
⣿⡇⠄⠄⠄⠄⣠⠖⠋⣀⡤⠄⠒⠄⠄⠄⠄⠄⠄⠄⠄⠄⣈⡭⠭⠄⠄⠄⠉⠙
@@ -2242,11 +2242,11 @@ function Confirm-SystemCompliance {
⣿⡿⠰⠄⠄⠄⠄⠄⠄⠄⠄⠈⠉⠩⠔⠒⠉⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠐⠘⣿
⣿⠃⠃⠄⠄⠄⠄⠄⠄⣀⢀⠄⠄⡀⡀⢀⣤⣴⣤⣤⣀⣀⠄⠄⠄⠄⠄⠄⠁⢹
-"@
+'@
- [string]$WhenValue61To80 = @"
+ [string]$WhenValue61To80 = @'
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣴⣿⣿⡷⣄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣴⣿⡿⠋⠈⠻⣮⣳⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
@@ -2269,10 +2269,10 @@ function Confirm-SystemCompliance {
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢻⣿⣆⠀⠀⠀⠀⠀⠀⢀⣀⣠⣤⣶⣾⣿⣿⣿⣿⣤⣄⣀⡀⠀⠀⠀⣿
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠻⢿⣻⣷⣶⣾⣿⣿⡿⢯⣛⣛⡋⠁⠀⠀⠉⠙⠛⠛⠿⣿⣿⡷⣶⣿
-"@
+'@
- [string]$WhenValue81To88 = @"
+ [string]$WhenValue81To88 = @'
⠀⠀⠀⠀⠀⠀⠀⠀⢀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠔⠶⠒⠉⠈⠸⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
@@ -2297,10 +2297,10 @@ function Confirm-SystemCompliance {
⠀⠀⠀⠀⠀⠀⠀⠀⠀⡄⠀⠀⠀⠈⠷⠧⠾⠀⠀⠀⠻⣦⡴⠏⠀⠀⠀⠀⠀⠀⡀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠉⠁⠀⠀⠀⠀⠈⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
-"@
+'@
- [string]$WhenValueAbove88 = @"
+ [string]$WhenValueAbove88 = @'
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⢠⣶⣶⣶⣦⣤⣀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣴⣿⠟⠛⢿⣶⡄⠀⢀⣀⣤⣤⣦⣤⡀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⢠⣿⠋⠀⠀⠈⠙⠻⢿⣶⣶⣶⣶⣶⣶⣶⣿⠟⠀⠀⠀⠀⠹⣿⡿⠟⠋⠉⠁⠈⢻⣷⠀⠀⠀⠀⠀
@@ -2322,7 +2322,7 @@ function Confirm-SystemCompliance {
⠀⠀⠀⠀⠀⠀⠀⠀⠈⠙⠛⠛⠛⠛⠉⠀⠹⣿⣶⣤⣤⣷⣿⣧⣴⣾⣿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⠻⢦⣭⡽⣯⣡⡴⠟⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
-"@
+'@
#Endregion ASCII-Arts
# Total number of Compliant values not equal to N/A
@@ -2388,4 +2388,4 @@ Shows the output on the PowerShell console with more details and in the list for
}
# Set PSReadline tab completion to complete menu for easier access to available parameters - Only for the current session
-Set-PSReadlineKeyHandler -Key Tab -Function MenuComplete
+Set-PSReadLineKeyHandler -Key Tab -Function MenuComplete
From d1cd2778f5879ec1560a705d74a43d31e04453c7 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Mon, 11 Dec 2023 00:09:19 -0930
Subject: [PATCH 18/79] Fixed a conflict of variable names between modules
There was a variable name conflict between Harden Windows Security module and WDACConfig module
Since WDACConfig would create a read-only constant variable, if you ran the other module in the same session, you would see an error.
---
.../Main files/Harden-Windows-Security.ps1 | 10 +++++-----
.../Main files/Unprotect-WindowsSecurity.psm1 | 10 +++++-----
2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
index cbc2a2b0a..90e298738 100644
--- a/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
@@ -102,7 +102,7 @@ $Host.UI.RawUI.WindowTitle = '❤️🔥Harden Windows Security❤️🔥'
# Minimum OS build number required for the hardening measures used in this script
[System.Decimal]$Requiredbuild = '22621.2428'
# Fetching Temp Directory
-[System.String]$global:UserTempDirectoryPath = [System.IO.Path]::GetTempPath()
+[System.String]$global:CurrentUserTempDirectoryPath = [System.IO.Path]::GetTempPath()
# The total number of the main categories for the parent/main progress bar to render
[System.Int64]$TotalMainSteps = 18
# Defining a global boolean variable to determine whether optional diagnostic data should be enabled for Smart App Control or not
@@ -713,16 +713,16 @@ try {
#endregion RequirementsCheck
# create our working directory
- New-Item -ItemType Directory -Path "$global:UserTempDirectoryPath\HardeningXStuff\" -Force | Out-Null
+ New-Item -ItemType Directory -Path "$global:CurrentUserTempDirectoryPath\HardeningXStuff\" -Force | Out-Null
# working directory assignment
- [System.IO.DirectoryInfo]$WorkingDir = "$global:UserTempDirectoryPath\HardeningXStuff\"
+ [System.IO.DirectoryInfo]$WorkingDir = "$global:CurrentUserTempDirectoryPath\HardeningXStuff\"
# change location to the new directory
Set-Location -Path $WorkingDir
# Clean up script block
[System.Management.Automation.ScriptBlock]$CleanUp = {
Set-Location -Path $HOME
- Remove-Item -Recurse -Path "$global:UserTempDirectoryPath\HardeningXStuff\" -Force
+ Remove-Item -Recurse -Path "$global:CurrentUserTempDirectoryPath\HardeningXStuff\" -Force
# Disable progress bars
0..6 | ForEach-Object -Process { Write-Progress -Id $_ -Activity 'Done' -Completed }
exit
@@ -2516,7 +2516,7 @@ finally {
}
}
- Set-Location -Path $HOME; Remove-Item -Recurse -Path "$global:UserTempDirectoryPath\HardeningXStuff\" -Force -ErrorAction SilentlyContinue
+ Set-Location -Path $HOME; Remove-Item -Recurse -Path "$global:CurrentUserTempDirectoryPath\HardeningXStuff\" -Force -ErrorAction SilentlyContinue
# Disable progress bars
0..6 | ForEach-Object -Process { Write-Progress -Id $_ -Activity 'Done' -Completed }
diff --git a/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1 b/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
index a26c0c909..e1e769bf0 100644
--- a/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
+++ b/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
@@ -10,7 +10,7 @@ Function Unprotect-WindowsSecurity {
$global:ErrorActionPreference = 'Stop'
# Fetching Temp Directory
- [System.String]$global:UserTempDirectoryPath = [System.IO.Path]::GetTempPath()
+ [System.String]$global:CurrentUserTempDirectoryPath = [System.IO.Path]::GetTempPath()
# Makes sure this cmdlet is invoked with Admin privileges
if ().IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
@@ -56,16 +56,16 @@ Function Unprotect-WindowsSecurity {
Start-Sleep -Seconds 3
# create our working directory
- New-Item -ItemType Directory -Path "$global:UserTempDirectoryPath\HardeningXStuff\" -Force | Out-Null
+ New-Item -ItemType Directory -Path "$global:CurrentUserTempDirectoryPath\HardeningXStuff\" -Force | Out-Null
# working directory assignment
- [System.IO.DirectoryInfo]$WorkingDir = "$global:UserTempDirectoryPath\HardeningXStuff\"
+ [System.IO.DirectoryInfo]$WorkingDir = "$global:CurrentUserTempDirectoryPath\HardeningXStuff\"
# change location to the new directory
Set-Location -Path $WorkingDir
# Clean up script block
- [scriptblock]$CleanUp = { Set-Location -Path $HOME; Remove-Item -Recurse "$global:UserTempDirectoryPath\HardeningXStuff\" -Force; exit }
+ [scriptblock]$CleanUp = { Set-Location -Path $HOME; Remove-Item -Recurse "$global:CurrentUserTempDirectoryPath\HardeningXStuff\" -Force; exit }
Write-Progress -Activity 'Downloading the required files' -Status 'Processing' -PercentComplete 30
@@ -220,7 +220,7 @@ Function Unprotect-WindowsSecurity {
Set-MpPreference -ControlledFolderAccessAllowedApplications $CFAAllowedAppsBackup
}
- Set-Location -Path $HOME; Remove-Item -Recurse -Path "$global:UserTempDirectoryPath\HardeningXStuff\" -Force -ErrorAction SilentlyContinue
+ Set-Location -Path $HOME; Remove-Item -Recurse -Path "$global:CurrentUserTempDirectoryPath\HardeningXStuff\" -Force -ErrorAction SilentlyContinue
}
<#
From 01363e74b3f41cd58f0ce1950f69e78a962d888f Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Mon, 11 Dec 2023 00:22:25 -0930
Subject: [PATCH 19/79] Improved parameters
---
.../Main files/Harden-Windows-Security.ps1 | 8 +++---
Harden-Windows-Security.ps1 | 26 +++++++++----------
2 files changed, 15 insertions(+), 19 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
index 90e298738..dc7c88d22 100644
--- a/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
@@ -151,7 +151,7 @@ function Select-Option {
# Make sure user only inputs a positive integer
[System.Int64]$SelectedIndex = 0
- $IsValid = [System.Int64]::TryParse((Read-Host 'Select an option'), [ref]$SelectedIndex)
+ $IsValid = [System.Int64]::TryParse((Read-Host -Prompt 'Select an option'), [ref]$SelectedIndex)
if ($IsValid) {
if ($SelectedIndex -gt 0 -and $SelectedIndex -le $Options.Length) {
$Selected = $Options[$SelectedIndex - 1]
@@ -411,7 +411,7 @@ function Get-AvailableRemovableDrives {
# If there is any Writable removable drives, sort and prepare them and then add them to the array
if ($AvailableRemovableDrives) {
$AvailableRemovableDrives = $AvailableRemovableDrives | Sort-Object -Property DriveLetter |
- Select-Object DriveLetter, FileSystemType, DriveType, @{Name = 'Size'; Expression = { '{0:N2}' -f ($_.Size / 1GB) + ' GB' } }
+ Select-Object -Property DriveLetter, FileSystemType, DriveType, @{Name = 'Size'; Expression = { '{0:N2}' -f ($_.Size / 1GB) + ' GB' } }
}
@@ -440,14 +440,12 @@ function Get-AvailableRemovableDrives {
catch {
# Drive is write protected, do nothing
}
-
}
# If there is any Writable removable drives, sort and prepare them and then add them to the array
if ($AvailableRemovableDrives) {
$AvailableRemovableDrives = $AvailableRemovableDrives | Sort-Object -Property DriveLetter |
- Select-Object DriveLetter, FileSystemType, DriveType, @{Name = 'Size'; Expression = { '{0:N2}' -f ($_.Size / 1GB) + ' GB' } }
-
+ Select-Object -Property DriveLetter, FileSystemType, DriveType, @{Name = 'Size'; Expression = { '{0:N2}' -f ($_.Size / 1GB) + ' GB' } }
}
}
diff --git a/Harden-Windows-Security.ps1 b/Harden-Windows-Security.ps1
index b4a71f0de..6afa20eee 100644
--- a/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security.ps1
@@ -102,7 +102,7 @@ $Host.UI.RawUI.WindowTitle = '❤️🔥Harden Windows Security❤️🔥'
# Minimum OS build number required for the hardening measures used in this script
[System.Decimal]$Requiredbuild = '22621.2428'
# Fetching Temp Directory
-[System.String]$global:UserTempDirectoryPath = [System.IO.Path]::GetTempPath()
+[System.String]$global:CurrentUserTempDirectoryPath = [System.IO.Path]::GetTempPath()
# The total number of the main categories for the parent/main progress bar to render
[System.Int64]$TotalMainSteps = 18
# Defining a global boolean variable to determine whether optional diagnostic data should be enabled for Smart App Control or not
@@ -151,7 +151,7 @@ function Select-Option {
# Make sure user only inputs a positive integer
[System.Int64]$SelectedIndex = 0
- $IsValid = [System.Int64]::TryParse((Read-Host 'Select an option'), [ref]$SelectedIndex)
+ $IsValid = [System.Int64]::TryParse((Read-Host -Prompt 'Select an option'), [ref]$SelectedIndex)
if ($IsValid) {
if ($SelectedIndex -gt 0 -and $SelectedIndex -le $Options.Length) {
$Selected = $Options[$SelectedIndex - 1]
@@ -411,7 +411,7 @@ function Get-AvailableRemovableDrives {
# If there is any Writable removable drives, sort and prepare them and then add them to the array
if ($AvailableRemovableDrives) {
$AvailableRemovableDrives = $AvailableRemovableDrives | Sort-Object -Property DriveLetter |
- Select-Object DriveLetter, FileSystemType, DriveType, @{Name = 'Size'; Expression = { '{0:N2}' -f ($_.Size / 1GB) + ' GB' } }
+ Select-Object -Property DriveLetter, FileSystemType, DriveType, @{Name = 'Size'; Expression = { '{0:N2}' -f ($_.Size / 1GB) + ' GB' } }
}
@@ -440,14 +440,12 @@ function Get-AvailableRemovableDrives {
catch {
# Drive is write protected, do nothing
}
-
}
# If there is any Writable removable drives, sort and prepare them and then add them to the array
if ($AvailableRemovableDrives) {
$AvailableRemovableDrives = $AvailableRemovableDrives | Sort-Object -Property DriveLetter |
- Select-Object DriveLetter, FileSystemType, DriveType, @{Name = 'Size'; Expression = { '{0:N2}' -f ($_.Size / 1GB) + ' GB' } }
-
+ Select-Object -Property DriveLetter, FileSystemType, DriveType, @{Name = 'Size'; Expression = { '{0:N2}' -f ($_.Size / 1GB) + ' GB' } }
}
}
@@ -557,11 +555,11 @@ function Get-AvailableRemovableDrives {
[System.String]$Choice = $(Write-Host -Object "Enter the number of the drive you want to select or press $ExitCodeRemovableDriveSelection to Cancel" -ForegroundColor cyan; Read-Host)
# Check if the input is valid using the Confirm-Choice function
- if (-not (Confirm-Choice $Choice)) {
+ if (-NOT (Confirm-Choice $Choice)) {
# Write an error message in red if invalid
Write-Host -Object "Invalid input. Please enter a number between 1 and $ExitCodeRemovableDriveSelection." -ForegroundColor Red
}
- } while (-not (Confirm-Choice $Choice))
+ } while (-NOT (Confirm-Choice $Choice))
# Check if the user entered the exit value to break out of the loop
if ($Choice -eq $ExitCodeRemovableDriveSelection) {
@@ -690,7 +688,7 @@ try {
# check to make sure TPM is available and enabled
[System.Object]$TPM = Get-Tpm
- if (-not ($TPM.tpmpresent -and $TPM.tpmenabled)) {
+ if (-NOT ($TPM.tpmpresent -and $TPM.tpmenabled)) {
Throw 'TPM is not available or enabled, please enable it in UEFI settings and try again.'
}
@@ -713,16 +711,16 @@ try {
#endregion RequirementsCheck
# create our working directory
- New-Item -ItemType Directory -Path "$global:UserTempDirectoryPath\HardeningXStuff\" -Force | Out-Null
+ New-Item -ItemType Directory -Path "$global:CurrentUserTempDirectoryPath\HardeningXStuff\" -Force | Out-Null
# working directory assignment
- [System.IO.DirectoryInfo]$WorkingDir = "$global:UserTempDirectoryPath\HardeningXStuff\"
+ [System.IO.DirectoryInfo]$WorkingDir = "$global:CurrentUserTempDirectoryPath\HardeningXStuff\"
# change location to the new directory
Set-Location -Path $WorkingDir
# Clean up script block
[System.Management.Automation.ScriptBlock]$CleanUp = {
Set-Location -Path $HOME
- Remove-Item -Recurse -Path "$global:UserTempDirectoryPath\HardeningXStuff\" -Force
+ Remove-Item -Recurse -Path "$global:CurrentUserTempDirectoryPath\HardeningXStuff\" -Force
# Disable progress bars
0..6 | ForEach-Object -Process { Write-Progress -Id $_ -Activity 'Done' -Completed }
exit
@@ -2445,7 +2443,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
Block-CountryIP -IPList $OFACSanctioned -ListName 'OFAC Sanctioned Countries'
} 'No' { break }
- }
+ }
} 'No' { break }
'Exit' { &$CleanUp }
}
@@ -2516,7 +2514,7 @@ finally {
}
}
- Set-Location -Path $HOME; Remove-Item -Recurse -Path "$global:UserTempDirectoryPath\HardeningXStuff\" -Force -ErrorAction SilentlyContinue
+ Set-Location -Path $HOME; Remove-Item -Recurse -Path "$global:CurrentUserTempDirectoryPath\HardeningXStuff\" -Force -ErrorAction SilentlyContinue
# Disable progress bars
0..6 | ForEach-Object -Process { Write-Progress -Id $_ -Activity 'Done' -Completed }
From 66382d2be971bbe02893422bd29f79b75b72e0eb Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Mon, 11 Dec 2023 00:29:38 -0930
Subject: [PATCH 20/79] Improved comments
---
.../Main files/Harden-Windows-Security.ps1 | 30 +++++++++----------
Harden-Windows-Security.ps1 | 30 +++++++++----------
2 files changed, 30 insertions(+), 30 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
index dc7c88d22..8a080b365 100644
--- a/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
@@ -1972,7 +1972,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -NoRestart -ErrorAction Stop
}
catch {
- # show error
+ # show errors in non-terminating way
$_
}
}
@@ -1989,7 +1989,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object 'PowerShellv2 2nd part was successfully disabled' -ForegroundColor Green
}
catch {
- # show error
+ # show errors in non-terminating way
$_
}
}
@@ -2023,7 +2023,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object 'Internet Printing Client was successfully disabled' -ForegroundColor Green
}
catch {
- # show errors
+ # show errors in non-terminating way
$_
}
}
@@ -2040,7 +2040,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object 'Windows Media Player (legacy) has been uninstalled.' -ForegroundColor Green
}
catch {
- # show error
+ # show errors in non-terminating way
$_
}
}
@@ -2057,7 +2057,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object 'Microsoft Defender Application Guard was successfully enabled' -ForegroundColor Green
}
catch {
- # show errors
+ # show errors in non-terminating way
$_
}
}
@@ -2079,7 +2079,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object 'Windows Sandbox was successfully enabled' -ForegroundColor Green
}
catch {
- # show errors
+ # show errors in non-terminating way
$_
}
}
@@ -2096,7 +2096,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object 'Hyper-V was successfully enabled' -ForegroundColor Green
}
catch {
- # show errors
+ # show errors in non-terminating way
$_
}
}
@@ -2113,7 +2113,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object 'Virtual Machine Platform was successfully enabled' -ForegroundColor Green
}
catch {
- # show errors
+ # show errors in non-terminating way
$_
}
}
@@ -2130,7 +2130,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object 'VBSCRIPT has been uninstalled' -ForegroundColor Green
}
catch {
- # show errors
+ # show errors in non-terminating way
$_
}
}
@@ -2144,7 +2144,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object 'Internet Explorer mode functionality for Edge has been uninstalled' -ForegroundColor Green
}
catch {
- # show errors
+ # show errors in non-terminating way
$_
}
}
@@ -2161,7 +2161,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object 'WMIC has been uninstalled' -ForegroundColor Green
}
catch {
- # show error
+ # show errors in non-terminating way
$_
}
}
@@ -2178,7 +2178,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object 'Legacy Notepad has been uninstalled. The modern multi-tabbed Notepad is unaffected.' -ForegroundColor Green
}
catch {
- # show error
+ # show errors in non-terminating way
$_
}
}
@@ -2195,7 +2195,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object 'WordPad has been uninstalled.' -ForegroundColor Green
}
catch {
- # show error
+ # show errors in non-terminating way
$_
}
}
@@ -2212,7 +2212,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object 'PowerShell ISE has been uninstalled.' -ForegroundColor Green
}
catch {
- # show error
+ # show errors in non-terminating way
$_
}
}
@@ -2232,7 +2232,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object 'Steps Recorder has been uninstalled.' -ForegroundColor Green
}
catch {
- # show error
+ # show errors in non-terminating way
$_
}
}
diff --git a/Harden-Windows-Security.ps1 b/Harden-Windows-Security.ps1
index 6afa20eee..e16bfbcad 100644
--- a/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security.ps1
@@ -1972,7 +1972,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -NoRestart -ErrorAction Stop
}
catch {
- # show error
+ # show errors in non-terminating way
$_
}
}
@@ -1989,7 +1989,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object 'PowerShellv2 2nd part was successfully disabled' -ForegroundColor Green
}
catch {
- # show error
+ # show errors in non-terminating way
$_
}
}
@@ -2023,7 +2023,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object 'Internet Printing Client was successfully disabled' -ForegroundColor Green
}
catch {
- # show errors
+ # show errors in non-terminating way
$_
}
}
@@ -2040,7 +2040,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object 'Windows Media Player (legacy) has been uninstalled.' -ForegroundColor Green
}
catch {
- # show error
+ # show errors in non-terminating way
$_
}
}
@@ -2057,7 +2057,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object 'Microsoft Defender Application Guard was successfully enabled' -ForegroundColor Green
}
catch {
- # show errors
+ # show errors in non-terminating way
$_
}
}
@@ -2079,7 +2079,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object 'Windows Sandbox was successfully enabled' -ForegroundColor Green
}
catch {
- # show errors
+ # show errors in non-terminating way
$_
}
}
@@ -2096,7 +2096,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object 'Hyper-V was successfully enabled' -ForegroundColor Green
}
catch {
- # show errors
+ # show errors in non-terminating way
$_
}
}
@@ -2113,7 +2113,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object 'Virtual Machine Platform was successfully enabled' -ForegroundColor Green
}
catch {
- # show errors
+ # show errors in non-terminating way
$_
}
}
@@ -2130,7 +2130,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object 'VBSCRIPT has been uninstalled' -ForegroundColor Green
}
catch {
- # show errors
+ # show errors in non-terminating way
$_
}
}
@@ -2144,7 +2144,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object 'Internet Explorer mode functionality for Edge has been uninstalled' -ForegroundColor Green
}
catch {
- # show errors
+ # show errors in non-terminating way
$_
}
}
@@ -2161,7 +2161,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object 'WMIC has been uninstalled' -ForegroundColor Green
}
catch {
- # show error
+ # show errors in non-terminating way
$_
}
}
@@ -2178,7 +2178,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object 'Legacy Notepad has been uninstalled. The modern multi-tabbed Notepad is unaffected.' -ForegroundColor Green
}
catch {
- # show error
+ # show errors in non-terminating way
$_
}
}
@@ -2195,7 +2195,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object 'WordPad has been uninstalled.' -ForegroundColor Green
}
catch {
- # show error
+ # show errors in non-terminating way
$_
}
}
@@ -2212,7 +2212,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object 'PowerShell ISE has been uninstalled.' -ForegroundColor Green
}
catch {
- # show error
+ # show errors in non-terminating way
$_
}
}
@@ -2232,7 +2232,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object 'Steps Recorder has been uninstalled.' -ForegroundColor Green
}
catch {
- # show error
+ # show errors in non-terminating way
$_
}
}
From 38bf5946ed1a64688fbae359d019aaa0e3cfffb9 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Wed, 13 Dec 2023 02:03:03 -0930
Subject: [PATCH 21/79] Removed the Old unused stuff
---
.../Misc/ADMX as XML parsing.ps1 | 52 -
.../Confirm-SystemCompliance.psm1 | 2391 -----------------
.../Group-Policies.json | 314 ---
.../Harden-Windows-Security-Module.psd1 | 183 --
.../Misc/Only Show Group Policy Data.ps1 | 88 -
.../only show Registry count and content.ps1 | 21 -
.../Protect-WindowsSecurity.psm1 | 29 -
.../version.txt | 1 -
8 files changed, 3079 deletions(-)
delete mode 100644 Harden-Windows-Security Module/Misc/ADMX as XML parsing.ps1
delete mode 100644 Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Confirm-SystemCompliance.psm1
delete mode 100644 Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Group-Policies.json
delete mode 100644 Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Harden-Windows-Security-Module.psd1
delete mode 100644 Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Misc/Only Show Group Policy Data.ps1
delete mode 100644 Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Misc/only show Registry count and content.ps1
delete mode 100644 Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Protect-WindowsSecurity.psm1
delete mode 100644 Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/version.txt
diff --git a/Harden-Windows-Security Module/Misc/ADMX as XML parsing.ps1 b/Harden-Windows-Security Module/Misc/ADMX as XML parsing.ps1
deleted file mode 100644
index db909e498..000000000
--- a/Harden-Windows-Security Module/Misc/ADMX as XML parsing.ps1
+++ /dev/null
@@ -1,52 +0,0 @@
-# You can download official Windows ADMX files from here
-# https://www.microsoft.com/en-us/download/details.aspx?id=105390
-
-# Define the path of the XML file
-$xmlFile = "C:\New Folder\WindowsDefender.admx"
-
-# Load the XML content into a variable
-$xmlContent = [xml](Get-Content $xmlFile)
-
-# Create an empty array to store the results
-$results = @()
-
-# Loop through each policy element in the XML content
-foreach ($policy in $xmlContent.policyDefinitions.policies.policy) {
- # Check if the policy has a valueName attribute
- if ($policy.valueName) {
- # Check if the policy's class is class="Machine"
- if ($policy.class -eq "Machine") {
- # Add HKEY_LOCAL_MACHINE to the beginning of the key
- $key = "HKLM:\" + $policy.key
- }
- else {
- # Use the key as it is
- Write-Error "Class is not machine"
- }
-
- # Create a PSCustomObject with two properties: RegDirectory and RegKey
- $result = [PSCustomObject]@{
- Category = "Microsoft Defender"
- RegistryKey = $key
- RegistryName = $policy.valueName
- }
-
- # Check if the registry key exists and get its value
- try {
- $regValue = Get-ItemPropertyValue -Path $key -Name $policy.valueName -ErrorAction Stop
-
- # Add the value as a property of the PSCustomObject
- $result | Add-Member -MemberType NoteProperty -Name 'RegValue' -Value $regValue
- }
- catch {
- # If the registry key does not exist, add a null value as a property of the PSCustomObject
- $result | Add-Member -MemberType NoteProperty -Name 'RegValue' -Value $null
- }
-
- # Add the result to the array
- $results += $result
- }
-}
-
-# Output the array of PSCustomObjects
-$results | Where-Object { $null -ne $_.RegValue }
\ No newline at end of file
diff --git a/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Confirm-SystemCompliance.psm1 b/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Confirm-SystemCompliance.psm1
deleted file mode 100644
index 014c7cb43..000000000
--- a/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Confirm-SystemCompliance.psm1
+++ /dev/null
@@ -1,2391 +0,0 @@
-# To parse the ini file from the output of the "secedit /export /cfg c:\\security_policy.inf"
-function ConvertFrom-IniFile {
- [CmdletBinding()]
- Param ([string]$IniFile)
-
- # Don't prompt to continue if '-Debug' is specified.
- $DebugPreference = 'Continue'
-
- [hashtable]$IniObject = @{}
- [string]$SectionName = ''
- switch -regex -file $IniFile {
- '^\[(.+)\]$' {
- # Header of the section
- $SectionName = $matches[1]
- #Write-Debug "Section: $SectionName"
- $IniObject[$SectionName] = @{}
- continue
- }
- '^(.+?)\s*=\s*(.*)$' {
- # Name/value pair
- [string]$KeyName, [string]$KeyValue = $matches[1..2]
- #Write-Debug "Name: $KeyName"
- # Write-Debug "Value: $KeyValue"
- $IniObject[$SectionName][$KeyName] = $KeyValue
- continue
- }
- default {
- # Ignore blank lines or comments
- continue
- }
- }
- return [PSCustomObject]$IniObject
-}
-
-# Main function that also parses the output of "gpresult /Scope Computer /x GPResult.xml"
-function Confirm-SystemCompliance {
- [CmdletBinding()]
- param (
- [parameter(Mandatory = $false)]
- [switch]$ExportToCSV,
- [parameter(Mandatory = $false)]
- [switch]$ShowAsObjectsOnly,
- [parameter(Mandatory = $false)]
- [switch]$DetailedDisplay
- )
- begin {
-
- Write-Progress -Activity 'Starting' -Status 'Processing...' -PercentComplete 5
-
- # Make sure the latest version of the module is installed and if not, automatically update it, clean up any old versions
- function Update-self {
- [version]$CurrentVersion = (Test-ModuleManifest "$psscriptroot\Harden-Windows-Security-Module.psd1" -ErrorAction Stop).Version
-
- try {
- [version]$LatestVersion = Invoke-RestMethod -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security%20Module/version.txt'
- }
- catch {
- Write-Error -Message "Couldn't verify if the latest version of the module is installed, please check your Internet connection." -ErrorAction Stop
- }
-
- if ($CurrentVersion -lt $LatestVersion) {
- Write-Output "$($PSStyle.Foreground.FromRGB(255,105,180))The currently installed module's version is $CurrentVersion while the latest version is $LatestVersion - Auto Updating the module... 💓$($PSStyle.Reset)"
- Remove-Module -Name 'Harden-Windows-Security-Module' -Force
- # Do this if the module was installed properly using Install-moodule cmdlet
- try {
- Uninstall-Module -Name 'Harden-Windows-Security-Module' -AllVersions -Force -ErrorAction Stop
- Install-Module -Name 'Harden-Windows-Security-Module' -RequiredVersion $LatestVersion -Force -ErrorAction Stop
- Import-Module -Name 'Harden-Windows-Security-Module' -RequiredVersion $LatestVersion -Force -Global -ErrorAction Stop
- }
- # Do this if module files/folder was just copied to Documents folder and not properly installed - Should rarely happen
- catch {
- Install-Module -Name 'Harden-Windows-Security-Module' -RequiredVersion $LatestVersion -Force -ErrorAction Stop
- Import-Module -Name 'Harden-Windows-Security-Module' -RequiredVersion $LatestVersion -Force -Global -ErrorAction Stop
- }
- # Make sure the old version isn't run after update
- Write-Output "$($PSStyle.Foreground.FromRGB(152,255,152))Update successful, please run the Confirm-SystemCompliance cmdlet again.$($PSStyle.Reset)"
- break
- return
- }
- }
-
- # Make sure this cmdlet is invoked with Admin privileges
- if ().IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
- Write-Error -Message 'Confirm-SystemCompliance cmdlet requires Administrator privileges.' -ErrorAction Stop
- }
-
- Write-Progress -Activity 'Checking for updates' -Status 'Processing...' -PercentComplete 10
-
- # Self update the module
- Update-self -ErrorAction Stop
-
- # Stop operation as soon as there is an error anywhere, unless explicitly specified otherwise
- $ErrorActionPreference = 'SilentlyContinue'
-
- Write-Progress -Activity 'Gathering Security Policy Information' -Status 'Processing...' -PercentComplete 15
-
- Secedit /export /cfg .\security_policy.inf | Out-Null
- # Storing the output of the ini file parsing function
- [PSCustomObject]$SecurityPoliciesIni = ConvertFrom-IniFile -IniFile .\security_policy.inf
-
- Write-Progress -Activity 'Downloading Registry CSV File from GitHub or Azure DevOps' -Status 'Processing...' -PercentComplete 20
-
- # Download Registry CSV file from GitHub or Azure DevOps
- try {
- Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Payload/Registry.csv' -OutFile '.\Registry.csv' -ErrorAction Stop
- }
- catch {
- Write-Host 'Using Azure DevOps...' -ForegroundColor Yellow
- Invoke-WebRequest -Uri 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Payload/Registry.csv' -OutFile '.\Registry.csv' -ErrorAction Stop
- }
- # Import the registry.csv file as CSV
- [PSCustomObject]$CSVFileContent = Import-Csv -Path '.\Registry.csv'
-
- Write-Progress -Activity 'Downloading Group-Policies.json file from GitHub' -Status 'Processing...' -PercentComplete 25
-
- # Download Group-Policies.json file from GitHub
- try {
- Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Payload/Group-Policies.json' -OutFile '.\Group-Policies.json' -ErrorAction Stop
- }
- catch {
- Write-Error -Message "Group-Policies.json file couldn't be downloaded, exitting..."
- }
- # Hash table to store Hardening Script's Policy Categories and Names
- # Importing it from the JSON file as hashtable
- [System.Collections.Hashtable]$HashPol = Get-Content -Path '.\Group-Policies.json' -ErrorAction Stop | ConvertFrom-Json -Depth 100 -AsHashtable -ErrorAction Stop
-
- Write-Progress -Activity 'Gathering Group Policy Information' -Status 'Processing...' -PercentComplete 30
-
- Gpresult /Scope Computer /x .\GPResult.xml /f
- # Load the xml file into a variable
- [System.Xml.XmlDocument]$GroupPolicyXmlContent = Get-Content -Path .\GPResult.xml -ErrorAction Stop
-
-
- # An array to store each Group Policy "<q6:Policy>" element as a separate object
- [System.Array]$PoliciesOutput = @()
- # Use dot notation to access the Group Policy elements
- $GroupPolicyXmlContent.Rsop.ComputerResults.ExtensionData.Extension.Policy | Where-Object { $null -ne $_.name } | ForEach-Object {
- # All the sub-elements of the "<q6:Policy>" that we need to verify
- $PoliciesOutput += [PSCustomObject]@{
- Name = $_.Name
- State = $_.State
- Category = $_.Category
- DropDownListName = $_.DropDownList.Name
- DropDownListState = $_.DropDownList.State
- DropDownListValue = $_.DropDownList.Value.Name
- CheckboxName = $_.Checkbox.Name
- CheckboxState = $_.Checkbox.State
- Numeric = $_.Numeric
- NumericName = $_.Numeric.Name
- NumericState = $_.Numeric.State
- NumericValue = $_.Numeric.Value
- ListBox = $_.ListBox
- ListBoxName = $_.ListBox.Name
- ListBoxState = $_.ListBox.State
- ListBoxExplicitValue = $_.ListBox.ExplicitValue
- ListBoxAdditive = $_.ListBox.Additive
- ListBoxValue = $_.ListBox.Value
- MultiTextName = $_.MultiText.Name
- MultiTextState = $_.MultiText.State
- MultiTextValue = $_.MultiText.Value
- EditTextName = $_.EditText.Name
- EditTextState = $_.EditText.State
- EditTextValue = $_.EditText.Value
- }
- }
-
-
- # An array to store Group Policy Firewall settings as an object
- [System.Array]$FirewallPoliciesOutput = @()
- # Use dot notation to access the Group Policy elements - sometimes the type is q4 or q3 or q7, so using wildcard for the number
- [System.Xml.XmlLinkedNode]$FirewallGroupPolicySettings = $GroupPolicyXmlContent.Rsop.ComputerResults.ExtensionData.Extension | Where-Object { $_.type -like 'q*:WindowsFirewallSettings' }
-
- $FirewallPoliciesOutput += [PSCustomObject]@{
-
- GlobalSettingsPolicyVersion = $FirewallGroupPolicySettings.GlobalSettings.PolicyVersion.Value
- # Domain profile policies
- DomainDefaultInboundAction = $FirewallGroupPolicySettings.DomainProfile.DefaultInboundAction.value
- DomainDefaultOutboundAction = $FirewallGroupPolicySettings.DomainProfile.DefaultOutboundAction.value
- DomainDisableNotifications = $FirewallGroupPolicySettings.DomainProfile.DisableNotifications.value
- DomainDoNotAllowExceptions = $FirewallGroupPolicySettings.DomainProfile.DoNotAllowExceptions.value
- DomainEnableFirewall = $FirewallGroupPolicySettings.DomainProfile.EnableFirewall.value
- DomainLogFilePath = $FirewallGroupPolicySettings.DomainProfile.LogFilePath.value
- DomainLogFileSize = $FirewallGroupPolicySettings.DomainProfile.LogFileSize.value
- DomainLogDroppedPackets = $FirewallGroupPolicySettings.DomainProfile.LogDroppedPackets.value
- DomainLogSuccessfulConnections = $FirewallGroupPolicySettings.DomainProfile.LogSuccessfulConnections.value
- # Public profile policies
- PublicAllowLocalIPsecPolicyMerge = $FirewallGroupPolicySettings.PublicProfile.AllowLocalIPsecPolicyMerge.value
- PublicAllowLocalPolicyMerge = $FirewallGroupPolicySettings.PublicProfile.AllowLocalPolicyMerge.value
- PublicDefaultInboundAction = $FirewallGroupPolicySettings.PublicProfile.DefaultInboundAction.value
- PublicDefaultOutboundAction = $FirewallGroupPolicySettings.PublicProfile.DefaultOutboundAction.value
- PublicDisableNotifications = $FirewallGroupPolicySettings.PublicProfile.DisableNotifications.value
- PublicDoNotAllowExceptions = $FirewallGroupPolicySettings.PublicProfile.DoNotAllowExceptions.value
- PublicEnableFirewall = $FirewallGroupPolicySettings.PublicProfile.EnableFirewall.value
- PublicLogFilePath = $FirewallGroupPolicySettings.PublicProfile.LogFilePath.value
- PublicLogFileSize = $FirewallGroupPolicySettings.PublicProfile.LogFileSize.value
- PublicLogDroppedPackets = $FirewallGroupPolicySettings.PublicProfile.LogDroppedPackets.value
- PublicLogSuccessfulConnections = $FirewallGroupPolicySettings.PublicProfile.LogSuccessfulConnections.value
- # Private profile policies
- PrivateDefaultInboundAction = $FirewallGroupPolicySettings.PrivateProfile.DefaultInboundAction.value
- PrivateDefaultOutboundAction = $FirewallGroupPolicySettings.PrivateProfile.DefaultOutboundAction.value
- PrivateDisableNotifications = $FirewallGroupPolicySettings.PrivateProfile.DisableNotifications.value
- PrivateEnableFirewall = $FirewallGroupPolicySettings.PrivateProfile.EnableFirewall.value
- PrivateLogFilePath = $FirewallGroupPolicySettings.PrivateProfile.LogFilePath.value
- PrivateLogFileSize = $FirewallGroupPolicySettings.PrivateProfile.LogFileSize.value
- PrivateLogDroppedPackets = $FirewallGroupPolicySettings.PrivateProfile.LogDroppedPackets.value
- PrivateLogSuccessfulConnections = $FirewallGroupPolicySettings.PrivateProfile.LogSuccessfulConnections.value
- }
-
-
- # An array to store each Group Policy "<q6:RegistrySetting>" element as a separate object
- [System.Array]$RegistriesOutput = @()
- # Use dot notation to access the Policy element
- $GroupPolicyXmlContent.Rsop.ComputerResults.ExtensionData.Extension.RegistrySetting | Where-Object { $null -ne $_.Value.Name } | ForEach-Object {
-
- $RegistriesOutput += [PSCustomObject]@{
- KeyPath = $_.KeyPath
- Name = $_.Value.Name
- Number = $_.Value.Number
- }
- }
-
-
- # An object to store the FINAL results
- $FinalMegaObject = [PSCustomObject]@{}
-
- # Hash table to store Hardening Script's Registry Policy Categories and Names
- # They are still Group Policies but instead of being in "<q6:Policy>" element they are in "<q6:RegistrySetting>"
- [System.Collections.Hashtable]$HashReg = @{
- # Device Guard
- 'Device Guard' = @{
- 1 = @{
- KeyPath = 'Software\Policies\Microsoft\Windows\System'
- Name = 'RunAsPPL'
- }
- }
- }
- }
-
- process {
-
- #Region Microsoft-Defender-Category
- Write-Progress -Activity 'Validating Microsoft Defender Category' -Status 'Processing...' -PercentComplete 35
- # An array to store the nested custom objects (Results of the foreach loop), inside the main output object
- [System.Array]$NestedObjectArray = @()
- [String]$CatName = 'Microsoft Defender'
- # Loop through each nested hash table inside the main Policies hash table and check the item state using a switch statement
- foreach ($Key in $HashPol[$CatName].Keys) {
- # Get the correct object from the PoliciesOutput Object that contains all the group policies in the xml file
- $Item = $PoliciesOutput | Where-Object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
- switch ($Key) {
- 1 {
- [bool]$ItemState = ($Item.State -eq 'Enabled' `
- -and $Item.DropDownListState -eq 'NotConfigured') ? $True : $False # It's actually Enabled but Gpresult shows NotConfigured!
- }
- 2 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
- 3 {
- [bool]$ItemState = ($Item.State -eq 'Enabled' `
- -and $Item.DropDownListState -eq 'Enabled' `
- -and $Item.DropDownListValue -eq 'Advanced MAPS') ? $True : $False
- }
- 4 {
- [bool]$ItemState = ($Item.State -eq 'Enabled' `
- -and $Item.DropDownListName -eq 'Send file samples when further analysis is required' `
- -and $Item.DropDownListState -eq 'Enabled' `
- -and $Item.DropDownListValue -eq 'Send all samples'
- ) ? $True : $False
- }
- 5 {
- [bool]$ItemState = ($Item.State -eq 'Enabled' `
- -and $Item.DropDownListName -eq 'Configure the guard my folders feature' `
- -and $Item.DropDownListState -eq 'NotConfigured' ` # It's actually Enabled but Gpresult shows NotConfigured!
- ) ? $True : $False
- }
- 6 {
- [bool]$ItemState = ($Item.State -eq 'Enabled' `
- -and $Item.DropDownListState -eq 'NotConfigured' # It's actually Enabled but Gpresult shows NotConfigured!
- ) ? $True : $False
- }
- 7 {
- [bool]$ItemState = ($Item.State -eq 'Enabled' `
- -and $Item.NumericName -eq 'Specify the extended cloud check time in seconds' `
- -and $Item.NumericState -eq 'Enabled' `
- -and $Item.NumericValue -eq '50'
- ) ? $True : $False
- }
- 8 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
- 9 {
- [bool]$ItemState = ($Item.State -eq 'Enabled' `
- -and $Item.DropDownListName -eq 'Select cloud blocking level' `
- -and $Item.DropDownListState -eq 'Enabled' `
- -and $Item.DropDownListValue -eq 'Zero tolerance blocking level'
- ) ? $True : $False
- }
- 10 {
- [bool]$ItemState = ($Item.State -eq 'Enabled' `
- -and $Item.NumericName -eq 'Configure removal of items from Quarantine folder' `
- -and $Item.NumericState -eq 'Enabled' `
- -and $Item.NumericValue -eq '3'
- ) ? $True : $False
- }
- 11 {
- [bool]$ItemState = ($Item.State -eq 'Enabled' `
- -and $Item.NumericName -eq 'Define the maximum size of downloaded files and attachments to be scanned' `
- -and $Item.NumericState -eq 'Enabled' `
- -and $Item.NumericValue -eq '10000000'
- ) ? $True : $False
- }
- 12 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
- 13 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
- 14 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
- 15 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
- 16 {
- [bool]$ItemState = ($Item.State -eq 'Enabled' `
- -and $Item.NumericName -eq 'Specify the maximum depth to scan archive files' `
- -and $Item.NumericState -eq 'Enabled' `
- -and $Item.NumericValue -eq '4294967295'
- ) ? $True : $False
- }
- 17 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
- 18 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
- 19 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
- 20 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
- 21 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
- 22 {
- [bool]$ItemState = ($Item.State -eq 'Enabled' `
- -and $Item.NumericName -eq 'Define the number of days before spyware security intelligence is considered out of date' `
- -and $Item.NumericState -eq 'Enabled' `
- -and $Item.NumericValue -eq '2'
- ) ? $True : $False
- }
- 23 {
- [bool]$ItemState = ($Item.State -eq 'Enabled' `
- -and $Item.NumericName -eq 'Define the number of days before virus security intelligence is considered out of date' `
- -and $Item.NumericState -eq 'Enabled' `
- -and $Item.NumericValue -eq '2'
- ) ? $True : $False
- }
- 24 {
- [bool]$ItemState = ($Item.State -eq 'Enabled' `
- -and $Item.NumericName -eq 'Specify the interval to check for security intelligence updates' `
- -and $Item.NumericState -eq 'Enabled' `
- -and $Item.NumericValue -eq '3'
- ) ? $True : $False
- }
- 25 {
- # ListBox 1
- $1index = $Item.ListBoxValue.element.Name.IndexOf('4')
- # Write-Host "$1index" -ForegroundColor Yellow
- $1ListData = $Item.ListBoxValue.element.Data[$1index]
- # Write-Host "$1ListData" -ForegroundColor Yellow
-
- # ListBox 2
- $2index = $Item.ListBoxValue.element.Name.IndexOf('2')
- # Write-Host "$2index" -ForegroundColor Yellow
- $2ListData = $Item.ListBoxValue.element.Data[$2index]
- # Write-Host "$2ListData" -ForegroundColor Yellow
-
- # ListBox 3
- $3index = $Item.ListBoxValue.element.Name.IndexOf('1')
- # Write-Host "$3index" -ForegroundColor Yellow
- $3ListData = $Item.ListBoxValue.element.Data[$3index]
- # Write-Host "$3ListData" -ForegroundColor Yellow
-
- # ListBox 4
- $4index = $Item.ListBoxValue.element.Name.IndexOf('5')
- # Write-Host "$4index" -ForegroundColor Yellow
- $4ListData = $Item.ListBoxValue.element.Data[$4index]
- # Write-Host "$4ListData" -ForegroundColor Yellow
-
- [bool]$ItemState = ($Item.State -eq 'Enabled' `
- -and $Item.ListBoxName -eq 'Specify threat alert levels at which default action should not be taken when detected' `
- -and $Item.ListBoxState -eq 'Enabled' `
- -and $Item.ListBoxExplicitValue -eq 'true' `
- -and $Item.ListBoxAdditive -eq 'true' `
- -and $1ListData -eq '3' `
- -and $2ListData -eq '2' `
- -and $3ListData -eq '2' `
- -and $4ListData -eq '3' `
- ) ? $True : $False
- }
- 26 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
- 27 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
- 28 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
- 29 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $NestedObjectArray += [PSCustomObject]@{
- Name = $HashPol[$CatName][$Key].Name
- Value = $ItemState
- Compliant = $ItemState
- Category = $CatName
- Method = 'Group Policy'
- }
- }
-
- # For PowerShell Cmdlet
- $IndividualItemResult = $((Get-MpPreference).AllowSwitchToAsyncInspection)
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'AllowSwitchToAsyncInspection'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Cmdlet'
- }
-
- # For PowerShell Cmdlet
- $IndividualItemResult = $((Get-MpPreference).oobeEnableRtpAndSigUpdate)
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'oobeEnableRtpAndSigUpdate'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Cmdlet'
- }
-
- # For PowerShell Cmdlet
- $IndividualItemResult = $((Get-MpPreference).IntelTDTEnabled)
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'IntelTDTEnabled'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Cmdlet'
- }
-
- # For PowerShell Cmdlet
- $IndividualItemResult = $((Get-ProcessMitigation -System -ErrorAction Stop).aslr.ForceRelocateImages)
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Mandatory ASLR'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult -eq 'on' ? $True : $false
- Category = $CatName
- Method = 'Cmdlet'
- }
-
- # For BCDEDIT NX value verification
- # IMPORTANT: bcdedit /enum requires an ELEVATED session.
- # Answer by mklement0: https://stackoverflow.com/a/50949849
- $bcdOutput = (bcdedit /enum) -join "`n" # collect bcdedit's output as a *single* string
-
- # Initialize the output list.
- $entries = New-Object System.Collections.Generic.List[PSCustomObject] -ErrorAction Stop
-
- # Parse bcdedit's output.
- ($bcdOutput -split '(?m)^(.+\n-)-+\n' -ne '').ForEach({
- if ($_.EndsWith("`n-")) {
- # entry header
- $entries.Add([PSCustomObject] @{ Name = ($_ -split '\n')[0]; Properties = [ordered] @{} })
- }
- else {
- # block of property-value lines
- ($_ -split '\n' -ne '').ForEach({
- $propAndVal = $_ -split '\s+', 2 # split line into property name and value
- if ($propAndVal[0] -ne '') {
- # [start of] new property; initialize list of values
- $currProp = $propAndVal[0]
- $entries[-1].Properties[$currProp] = New-Object Collections.Generic.List[string] -ErrorAction Stop
- }
- $entries[-1].Properties[$currProp].Add($propAndVal[1]) # add the value
- })
- }
- })
-
- # For PowerShell Cmdlet
- $IndividualItemResult = $(($entries | Where-Object { $_.properties.identifier -eq '{current}' }).properties.nx)
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'BCDEDIT NX Value'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult -eq 'AlwaysOn' ? $True : $false
- Category = $CatName
- Method = 'Cmdlet'
- }
-
- # For PowerShell Cmdlet
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Smart App Control State'
- Value = $((Get-MpComputerStatus).SmartAppControlState)
- Compliant = 'N/A'
- Category = $CatName
- Method = 'Cmdlet'
- }
-
- # For PowerShell Cmdlet
- $IndividualItemResult = $((Get-ScheduledTask -TaskPath '\MSFT Driver Block list update\' -TaskName 'MSFT Driver Block list update' -ErrorAction SilentlyContinue) ? $True : $false)
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Fast weekly Microsoft recommended driver block list update'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Cmdlet'
- }
-
-
- $DefenderPlatformUpdatesChannels = @{
- 0 = 'NotConfigured'
- 2 = 'Beta'
- 3 = 'Preview'
- 4 = 'Staged'
- 5 = 'Broad'
- 6 = 'Delayed'
- }
- # For PowerShell Cmdlet
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Microsoft Defender Platform Updates Channel'
- Value = $($DefenderPlatformUpdatesChannels[[int](Get-MpPreference).PlatformUpdatesChannel])
- Compliant = 'N/A'
- Category = $CatName
- Method = 'Cmdlet'
- }
-
-
- $DefenderEngineUpdatesChannels = @{
- 0 = 'NotConfigured'
- 2 = 'Beta'
- 3 = 'Preview'
- 4 = 'Staged'
- 5 = 'Broad'
- 6 = 'Delayed'
- }
- # For PowerShell Cmdlet
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Microsoft Defender Engine Updates Channel'
- Value = $($DefenderEngineUpdatesChannels[[int](Get-MpPreference).EngineUpdatesChannel])
- Compliant = 'N/A'
- Category = $CatName
- Method = 'Cmdlet'
- }
-
- # For PowerShell Cmdlet
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Controlled Folder Access Exclusions'
- Value = [PSCustomObject]@{Count = $((Get-MpPreference).ControlledFolderAccessAllowedApplications.count); Programs = $((Get-MpPreference).ControlledFolderAccessAllowedApplications) }
- Compliant = 'N/A'
- Category = $CatName
- Method = 'Cmdlet'
- }
- # Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
- Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray -ErrorAction Stop
- #EndRegion Microsoft-Defender-Category
-
- #Region Attack-Surface-Reduction-Rules-Category
- Write-Progress -Activity 'Validating Attack Surface Reduction Rules Category' -Status 'Processing...' -PercentComplete 40
- [System.Array]$NestedObjectArray = @()
- [String]$CatName = 'ASR'
- # Loop through each nested hash table inside the main Policies hash table and check the item state using a switch statement
- foreach ($Key in $HashPol[$CatName].Keys) {
- $Item = $PoliciesOutput | Where-Object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
- switch ($Key) {
- 1 {
- $1index = $Item.ListBoxValue.element.Name.IndexOf('92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B')
- $1ListData = $Item.ListBoxValue.element.Data[$1index]
-
- $2index = $Item.ListBoxValue.element.Name.IndexOf('e6db77e5-3df2-4cf1-b95a-636979351e5b')
- $2ListData = $Item.ListBoxValue.element.Data[$2index]
-
- $3index = $Item.ListBoxValue.element.Name.IndexOf('d1e49aac-8f56-4280-b9ba-993a6d77406c')
- $3ListData = $Item.ListBoxValue.element.Data[$3index]
-
- $4index = $Item.ListBoxValue.element.Name.IndexOf('3b576869-a4ec-4529-8536-b80a7769e899')
- $4ListData = $Item.ListBoxValue.element.Data[$4index]
-
- $5index = $Item.ListBoxValue.element.Name.IndexOf('be9ba2d9-53ea-4cdc-84e5-9b1eeee46550')
- $5ListData = $Item.ListBoxValue.element.Data[$5index]
-
- $6index = $Item.ListBoxValue.element.Name.IndexOf('75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84')
- $6ListData = $Item.ListBoxValue.element.Data[$6index]
-
- $7index = $Item.ListBoxValue.element.Name.IndexOf('56a863a9-875e-4185-98a7-b882c64b5ce5')
- $7ListData = $Item.ListBoxValue.element.Data[$7index]
-
- $8index = $Item.ListBoxValue.element.Name.IndexOf('01443614-cd74-433a-b99e-2ecdc07bfc25')
- $8ListData = $Item.ListBoxValue.element.Data[$8index]
-
- $9index = $Item.ListBoxValue.element.Name.IndexOf('b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4')
- $9ListData = $Item.ListBoxValue.element.Data[$9index]
-
- $10index = $Item.ListBoxValue.element.Name.IndexOf('d4f940ab-401b-4efc-aadc-ad5f3c50688a')
- $10ListData = $Item.ListBoxValue.element.Data[$10index]
-
- $11index = $Item.ListBoxValue.element.Name.IndexOf('5beb7efe-fd9a-4556-801d-275e5ffc04cc')
- $11ListData = $Item.ListBoxValue.element.Data[$11index]
-
- $12index = $Item.ListBoxValue.element.Name.IndexOf('c1db55ab-c21a-4637-bb3f-a12568109d35')
- $12ListData = $Item.ListBoxValue.element.Data[$12index]
-
- $13index = $Item.ListBoxValue.element.Name.IndexOf('9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2')
- $13ListData = $Item.ListBoxValue.element.Data[$13index]
-
- $14index = $Item.ListBoxValue.element.Name.IndexOf('7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c')
- $14ListData = $Item.ListBoxValue.element.Data[$14index]
-
- $15index = $Item.ListBoxValue.element.Name.IndexOf('26190899-1602-49e8-8b27-eb1d0a1ce869')
- $15ListData = $Item.ListBoxValue.element.Data[$15index]
-
- $16index = $Item.ListBoxValue.element.Name.IndexOf('d3e037e1-3eb8-44c8-a917-57927947596d')
- $16ListData = $Item.ListBoxValue.element.Data[$16index]
-
- # Use ternary operator instead of if-else statements
- [bool]$ItemState = ($Item.State -eq 'Enabled' `
- -and $Item.ListBoxName -eq 'Set the state for each ASR rule:' `
- -and $Item.ListBoxState -eq 'Enabled' `
- -and $Item.ListBoxExplicitValue -eq 'true' `
- -and $Item.ListBoxAdditive -eq 'true' `
- -and $1ListData -eq 1 `
- -and $2ListData -eq 1 `
- -and $3ListData -eq 1 `
- -and $4ListData -eq 1 `
- -and $5ListData -eq 1 `
- -and $6ListData -eq 1 `
- -and $7ListData -eq 1 `
- -and $8ListData -eq 1 `
- -and $9ListData -eq 1 `
- -and $10ListData -eq 1 `
- -and $11ListData -eq 1 `
- -and $12ListData -eq 1 `
- -and $13ListData -eq 1 `
- -and $14ListData -eq 1 `
- -and $15ListData -eq 1 `
- -and $16ListData -eq 1 `
- ) ? $True : $False
- }
- }
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $NestedObjectArray += [PSCustomObject]@{
- Name = $HashPol[$CatName][$Key].Name
- Value = $ItemState
- Compliant = $ItemState
- Category = $CatName
- Method = 'Group Policy'
- }
- }
- # Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
- Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray -ErrorAction Stop
- #EndRegion Attack-Surface-Reduction-Rules-Category
-
- #Region Bitlocker-Category
- Write-Progress -Activity 'Validating Bitlocker Category' -Status 'Processing...' -PercentComplete 45
- [System.Array]$NestedObjectArray = @()
- [String]$CatName = 'Bitlocker'
-
-
- # This PowerShell script can be used to find out if the DMA Protection is ON \ OFF.
- # The Script will show this by emitting True \ False for On \ Off respectively.
-
- # bootDMAProtection check - checks for Kernel DMA Protection status in System information or msinfo32
- [string]$BootDMAProtectionCheck =
- @'
- namespace SystemInfo
- {
- using System;
- using System.Runtime.InteropServices;
-
- public static class NativeMethods
- {
- internal enum SYSTEM_DMA_GUARD_POLICY_INFORMATION : int
- {
- /// </summary>
- SystemDmaGuardPolicyInformation = 202
- }
-
- [DllImport("ntdll.dll")]
- internal static extern Int32 NtQuerySystemInformation(
- SYSTEM_DMA_GUARD_POLICY_INFORMATION SystemDmaGuardPolicyInformation,
- IntPtr SystemInformation,
- Int32 SystemInformationLength,
- out Int32 ReturnLength);
-
- public static byte BootDmaCheck() {
- Int32 result;
- Int32 SystemInformationLength = 1;
- IntPtr SystemInformation = Marshal.AllocHGlobal(SystemInformationLength);
- Int32 ReturnLength;
-
- result = NativeMethods.NtQuerySystemInformation(
- NativeMethods.SYSTEM_DMA_GUARD_POLICY_INFORMATION.SystemDmaGuardPolicyInformation,
- SystemInformation,
- SystemInformationLength,
- out ReturnLength);
-
- if (result == 0) {
- byte info = Marshal.ReadByte(SystemInformation, 0);
- return info;
- }
-
- return 0;
- }
- }
- }
-'@
- Add-Type -TypeDefinition $BootDMAProtectionCheck
- # returns true or false depending on whether Kernel DMA Protection is on or off
- [bool]$BootDMAProtection = ([SystemInfo.NativeMethods]::BootDmaCheck()) -ne 0
-
-
-
- # Loop through each nested hash table inside the main Policies hash table and check the item state using a switch statement
- foreach ($Key in $HashPol[$CatName].Keys) {
- $Item = $PoliciesOutput | Where-Object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
- switch ($Key) {
- 1 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
- 2 {
- $1index = $Item.DropDownListName.IndexOf('Configure TPM startup:')
- $1DropDownState = $Item.DropDownListState[$1index]
- $1DropDownValue = $Item.DropDownListValue[$1index]
-
- $2index = $Item.DropDownListName.IndexOf('Configure TPM startup PIN:')
- $2DropDownState = $Item.DropDownListState[$2index]
- $2DropDownValue = $Item.DropDownListValue[$2index]
-
- $3index = $Item.DropDownListName.IndexOf('Configure TPM startup key:')
- $3DropDownState = $Item.DropDownListState[$3index]
- $3DropDownValue = $Item.DropDownListValue[$3index]
-
- $4index = $Item.DropDownListName.IndexOf('Configure TPM startup key and PIN:')
- $4DropDownState = $Item.DropDownListState[$4index]
- $4DropDownValue = $Item.DropDownListValue[$4index]
-
-
- [bool]$ItemState = ($Item.State -eq 'Enabled' `
- -and $Item.CheckboxName -eq 'Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)' `
- -and $Item.CheckboxState -eq 'Disabled' `
- -and $1DropDownState -eq 'Enabled' `
- -and $1DropDownValue -eq 'Allow TPM' `
- -and $2DropDownState -eq 'Enabled' `
- -and $2DropDownValue -eq 'Allow startup PIN with TPM' `
- -and $3DropDownState -eq 'Enabled' `
- -and $3DropDownValue -eq 'Allow startup key with TPM' `
- -and $4DropDownState -eq 'Enabled' `
- -and $4DropDownValue -eq 'Allow startup key and PIN with TPM' `
- ) ? $True : $False
- }
- 3 {
- $1index = $Item.DropDownListName.IndexOf('Select the encryption method for operating system drives:')
- $1DropDownState = $Item.DropDownListState[$1index]
- $1DropDownValue = $Item.DropDownListValue[$1index]
-
- $2index = $Item.DropDownListName.IndexOf('Select the encryption method for fixed data drives:')
- $2DropDownState = $Item.DropDownListState[$2index]
- $2DropDownValue = $Item.DropDownListValue[$2index]
-
- $3index = $Item.DropDownListName.IndexOf('Select the encryption method for removable data drives:')
- $3DropDownState = $Item.DropDownListState[$3index]
- $3DropDownValue = $Item.DropDownListValue[$3index]
-
-
- [bool]$ItemState = ($Item.State -eq 'Enabled' `
- -and $1DropDownState -eq 'Enabled' `
- -and $1DropDownValue -eq 'XTS-AES 256-bit' `
- -and $2DropDownState -eq 'Enabled' `
- -and $2DropDownValue -eq 'XTS-AES 256-bit' `
- -and $3DropDownState -eq 'Enabled' `
- -and $3DropDownValue -eq 'XTS-AES 256-bit'
- ) ? $True : $False
- }
- 4 {
- [bool]$ItemState = ($Item.State -eq 'Enabled' `
- -and $Item.DropDownListName -eq 'Select the encryption type:' `
- -and $Item.DropDownListState -eq 'NotConfigured' # It's actually set to "Full Encryption" but Gpresult shows NotConfigured!
- ) ? $True : $False
- }
- 5 {
- [bool]$ItemState = ($Item.State -eq 'Enabled' `
- -and $Item.NumericName -eq 'Minimum characters:' `
- -and $Item.NumericState -eq 'Enabled' `
- -and $Item.NumericValue -eq '10'
- ) ? $True : $False
- }
- 6 {
- [bool]$ItemState = ($Item.State -eq 'Enabled' `
- -and $Item.DropDownListName -eq 'Select the encryption type:' `
- -and $Item.DropDownListState -eq 'NotConfigured' # NotConfigured actually means "Full Encryption" but Gpresult reports it NotConfigured
- ) ? $True : $False
- }
- 7 {
- [bool]$ItemState = ($Item.State -eq 'Disabled') ? $True : $False
- }
- 8 {
- [bool]$ItemState = ($Item.State -eq 'Enabled' `
- -and $Item.DropDownListName -eq 'Select the encryption type:' `
- -and $Item.DropDownListState -eq 'NotConfigured' # It's actually set to "Full Encryption" but Gpresult shows NotConfigured!
- ) ? $True : $False
- }
- 9 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
- 10 {
- [bool]$ItemState = ($Item.State -eq 'Disabled') ? $True : $False
- }
- 11 {
- [bool]$ItemState = ($Item.State -eq 'Disabled') ? $True : $False
- }
- 12 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
- 13 {
- # Bitlocker DMA counter measure status
- # Returns true if only either Kernel DMA protection is on and Bitlocker DMA protection if off
- # or Kernel DMA protection is off and Bitlocker DMA protection is on
- [bool]$ItemState = ($bootDMAProtection -xor ($Item.State -eq 'Enabled')) ? $True : $False
- }
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $NestedObjectArray += [PSCustomObject]@{
- Name = $HashPol[$CatName][$Key].Name
- Value = $ItemState
- Compliant = $ItemState
- Category = $CatName
- Method = 'Group Policy'
- }
- }
-
- # For PowerShell Cmdlet
- $IndividualItemResult = $($((Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Power -Name HibernateEnabled).hibernateEnabled) -eq 1 ? $True : $False)
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Hibernate enabled and set to full'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Cmdlet'
- }
- # Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
- Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray -ErrorAction Stop
- #EndRegion Bitlocker-Category
-
- #Region TLS-Category
- Write-Progress -Activity 'Validating TLS Category' -Status 'Processing...' -PercentComplete 50
- [System.Array]$NestedObjectArray = @()
- [String]$CatName = 'TLS'
- # Loop through each nested hash table inside the main Policies hash table and check the item state using a switch statement
- foreach ($Key in $HashPol[$CatName].Keys) {
- $Item = $PoliciesOutput | Where-Object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
- switch ($Key) {
- 1 {
- # Write-Host "$($Item.MultiTextValue.string)" -ForegroundColor Yellow
- # Make sure the content and their exact order is present in Group Policy
- [System.Array]$ExpectedOrderAndContent = @('nistP521', 'curve25519', 'NistP384', 'NistP256')
-
- # Loop through the array and compare each element with the expected value
- foreach ($i in 0..3) {
- # Use a ternary operator to set the result to false and break the loop if the element does not match
- $ItemStateAux = $Item.MultiTextValue.string[$i] -eq $ExpectedOrderAndContent[$i] ? $True : $false
- }
- # Write-Host "$ItemStateAux" -ForegroundColor Red
-
-
- [bool]$ItemState = ($Item.State -eq 'Enabled' `
- -and $Item.MultiTextName -eq 'ECC Curve Order:' `
- -and $Item.MultiTextState -eq 'Enabled' `
- -and $ItemStateAux -eq $True
- ) ? $True : $False
- }
- 2 {
-
- [bool]$ItemState = ($Item.State -eq 'Enabled' `
- -and $Item.EditTextName -eq 'SSL Cipher Suites' `
- -and $Item.EditTextState -eq 'Enabled' `
- -and $Item.EditTextValue -eq 'TLS_CHACHA20_POLY1305_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256' # Checks the exact values and order
- ) ? $True : $False
- }
- }
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $NestedObjectArray += [PSCustomObject]@{
- Name = $HashPol[$CatName][$Key].Name
- Value = $ItemState
- Compliant = $ItemState
- Category = $CatName
- Method = 'Group Policy'
- }
- }
-
-
- $MatchRegistryKeys = @() # initialize the variable to false - an array that is going to hold only bool values
- foreach ($Item in $CSVFileContent) {
- if ($Item.category -eq 'TLS' -and $Item.Action -eq 'AddOrModify') {
- $path = $Item.Path
- $key = $Item.Key
- $value = $Item.value
-
- $regValue = Get-ItemPropertyValue -Path $path -Name $key
- # Store only boolean values in the $MatchRegistryKeys
- $MatchRegistryKeys += [bool]($regValue -eq $value)
- <#
- Testing the key's value type
-
- Reg Type PS Type
- -------- -------
- REG_DWORD System.Int32
- REG_SZ System.String
- REG_QWORD System.Int64
- REG_BINARY System.Byte[]
- REG_MULTI_SZ System.String[]
- REG_EXPAND_SZ System.String
-
- (Get-ItemPropertyValue -Path $path -Name $key).GetType().name -eq $type
- (Get-ItemPropertyValue -Path $path -Name $key) -is [System.Int32]
-
- #>
- }
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- # Make sure the boolean array doesn't contain any $false values
- $IndividualItemResult = ($MatchRegistryKeys -notcontains $false)
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Registry Keys All correct'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Registry Keys'
- }
-
- # Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
- Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray -ErrorAction Stop
- #EndRegion TLS-Category
-
- #Region LockScreen-Category
- Write-Progress -Activity 'Validating Lock Screen Category' -Status 'Processing...' -PercentComplete 55
- [System.Array]$NestedObjectArray = @()
- [String]$CatName = 'LockScreen'
- # Loop through each nested hash table inside the main Policies hash table and check the item state using a switch statement
- foreach ($Key in $HashPol[$CatName].Keys) {
- $Item = $PoliciesOutput | Where-Object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
- switch ($Key) {
- 1 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
- 2 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
- 3 {
- [bool]$ItemState = ($Item.State -eq 'Enabled' `
- -and $Item.NumericName -eq 'PIN Expiration' `
- -and $Item.NumericState -eq 'Enabled' `
- -and $Item.NumericValue -eq '180'
- ) ? $True : $False
- }
- 4 {
- [bool]$ItemState = ($Item.State -eq 'Enabled' `
- -and $Item.NumericName -eq 'PIN History' `
- -and $Item.NumericState -eq 'Enabled' `
- -and $Item.NumericValue -eq '3'
- ) ? $True : $False
- }
- 5 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
- 6 {
- [bool]$ItemState = ($Item.State -eq 'Enabled' `
- -and $Item.EditTextName -eq 'Exclude the following credential providers:' `
- -and $Item.EditTextState -eq 'Enabled' `
- -and $item.EditTextValue -eq '{60b78e88-ead8-445c-9cfd-0b87f74ea6cd},{F8A0B131-5F68-486c-8040-7E8FC3C85BB6},{8FD7E19C-3BF7-489B-A72C-846AB3678C96},{1ee7337f-85ac-45e2-a23c-37c753209769},{1b283861-754f-4022-ad47-a5eaaa618894}' ) ? $True : $False
- }
- 7 {
- [bool]$ItemState = ($Item.State -eq 'Enabled' `
- -and $Item.EditTextName -eq 'Assign the following credential provider as the default credential provider:' `
- -and $Item.EditTextState -eq 'Enabled' `
- -and $item.EditTextValue -eq '{D6886603-9D2F-4EB2-B667-1971041FA96B}' ) ? $True : $False
- }
- }
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $NestedObjectArray += [PSCustomObject]@{
- Name = $HashPol[$CatName][$Key].Name
- Value = $ItemState
- Compliant = $ItemState
- Category = $CatName
- Method = 'Group Policy'
- }
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]$($SecurityPoliciesIni.'Registry Values'['MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs'] -eq '4,120') ? $True : $False
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Machine inactivity limit'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Security Group Policy'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]$($SecurityPoliciesIni.'Registry Values'['MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD'] -eq '4,0') ? $True : $False
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Interactive logon: Do not require CTRL+ALT+DEL'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Security Group Policy'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]$($SecurityPoliciesIni.'Registry Values'['MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\MaxDevicePasswordFailedAttempts'] -eq '4,5') ? $True : $False
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Interactive logon: Machine account lockout threshold'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Security Group Policy'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]$($SecurityPoliciesIni.'Registry Values'['MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLockedUserId'] -eq '4,4') ? $True : $False
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Interactive logon: Display user information when the session is locked'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Security Group Policy'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]$($SecurityPoliciesIni.'Registry Values'['MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayUserName'] -eq '4,1') ? $True : $False
- $NestedObjectArray += [PSCustomObject]@{
- Name = "Interactive logon: Don't display username at sign-in"
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Security Group Policy'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]$($SecurityPoliciesIni.'System Access'['LockoutBadCount'] -eq '5') ? $True : $False
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Account lockout threshold'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Security Group Policy'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]$($SecurityPoliciesIni.'System Access'['LockoutDuration'] -eq '1440') ? $True : $False
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Account lockout duration'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Security Group Policy'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]$($SecurityPoliciesIni.'System Access'['ResetLockoutCount'] -eq '1440') ? $True : $False
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Reset account lockout counter after'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Security Group Policy'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]$($SecurityPoliciesIni.'Registry Values'['MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName'] -eq '4,1') ? $True : $False
- $NestedObjectArray += [PSCustomObject]@{
- Name = "Interactive logon: Don't display last signed-in"
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Security Group Policy'
- }
-
- # Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
- Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray -ErrorAction Stop
- #EndRegion LockScreen-Category
-
- #Region User-Account-Control-Category
- Write-Progress -Activity 'Validating User Account Control Category' -Status 'Processing...' -PercentComplete 60
- [System.Array]$NestedObjectArray = @()
- [String]$CatName = 'UAC'
- # Loop through each nested hash table inside the main Policies hash table and check the item state using a switch statement
- foreach ($Key in $HashPol[$CatName].Keys) {
- $Item = $PoliciesOutput | Where-Object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
- switch ($Key) {
- 1 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $NestedObjectArray += [PSCustomObject]@{
- Name = $HashPol[$CatName][$Key].Name
- Value = $ItemState
- Compliant = $ItemState
- Category = $CatName
- Method = 'Group Policy'
- }
- }
-
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]$($SecurityPoliciesIni.'Registry Values'['MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin'] -eq '4,2') ? $True : $False
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Security Group Policy'
- }
-
-
- # This particular policy can have 2 values and they are both acceptable depending on whichever user selects
- [string]$ConsentPromptBehaviorUserValue = $SecurityPoliciesIni.'Registry Values'['MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser']
- # This option is automatically applied when UAC category is run
- if ($ConsentPromptBehaviorUserValue -eq '4,1') {
- $ConsentPromptBehaviorUserCompliance = $true
- $IndividualItemResult = 'Prompt for credentials on the secure desktop'
- }
- # This option prompts for additional confirmation before it's applied
- elseif ($ConsentPromptBehaviorUserValue -eq '4,0') {
- $ConsentPromptBehaviorUserCompliance = $true
- $IndividualItemResult = 'Automatically deny elevation requests'
- }
- # If none of them is applied then return false for compliance and N/A for value
- else {
- $ConsentPromptBehaviorUserCompliance = $false
- $IndividualItemResult = 'N/A'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'UAC: Behavior of the elevation prompt for standard users'
- Value = $IndividualItemResult
- Compliant = $ConsentPromptBehaviorUserCompliance
- Category = $CatName
- Method = 'Security Group Policy'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]($($SecurityPoliciesIni.'Registry Values'['MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures'] -eq '4,1') ? $True : $False)
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'UAC: Only elevate executables that are signed and validated'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Security Group Policy'
- }
-
- # Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
- Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray -ErrorAction Stop
- #EndRegion User-Account-Control-Category
-
- #Region Device-Guard-Category
- Write-Progress -Activity 'Validating Device Guard Category' -Status 'Processing...' -PercentComplete 65
- [System.Array]$NestedObjectArray = @()
- [String]$CatName = 'Device Guard'
- # Loop through each nested hash table inside the main Policies hash table and check the item state using a switch statement
- foreach ($Key in $HashPol[$CatName].Keys) {
- $Item = $PoliciesOutput | Where-Object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
- switch ($Key) {
- 1 {
- # Write-Host "$($Item.DropDownListName)" -ForegroundColor Yellow
- # DropDown 1
- $1index = $Item.DropDownListName.IndexOf('Select Platform Security Level:')
- #Write-Host "$1index" -ForegroundColor Yellow
-
- $1DropDownState = $Item.DropDownListState[$1index]
- #Write-Host "$1DropDownState" -ForegroundColor Yellow
-
- $1DropDownValue = $Item.DropDownListValue[$1index]
- #Write-Host "$1DropDownValue" -ForegroundColor Yellow
-
- # DropDown 2
- $2index = $Item.DropDownListName.IndexOf('Virtualization Based Protection of Code Integrity:')
- # Write-Host "$2index" -ForegroundColor Yellow
-
- $2DropDownState = $Item.DropDownListState[$2index]
- # Write-Host "$2DropDownState" -ForegroundColor Yellow
-
- $2DropDownValue = $Item.DropDownListValue[$2index]
- # Write-Host "$2DropDownValue" -ForegroundColor Yellow
-
- # DropDown 3
- $3index = $Item.DropDownListName.IndexOf('Credential Guard Configuration:')
- # Write-Host "$3index" -ForegroundColor Yellow
-
- $3DropDownState = $Item.DropDownListState[$3index]
- # Write-Host "$3DropDownState" -ForegroundColor Yellow
-
- $3DropDownValue = $Item.DropDownListValue[$3index]
- # Write-Host "$3DropDownValue" -ForegroundColor Yellow
-
- # DropDown 4
- $4index = $Item.DropDownListName.IndexOf('Secure Launch Configuration:')
- # Write-Host "$4index" -ForegroundColor Yellow
-
- $4DropDownState = $Item.DropDownListState[$4index]
- # Write-Host "$4DropDownState" -ForegroundColor Yellow
-
- $4DropDownValue = $Item.DropDownListValue[$4index]
- # Write-Host "$4DropDownValue" -ForegroundColor Yellow
-
- # DropDown 5
- $5index = $Item.DropDownListName.IndexOf('Kernel-mode Hardware-enforced Stack Protection:')
- # Write-Host "$5index" -ForegroundColor Yellow
-
- $5DropDownState = $Item.DropDownListState[$5index]
- # Write-Host "$5DropDownState" -ForegroundColor Yellow
-
- $5DropDownValue = $Item.DropDownListValue[$5index]
- # Write-Host "$5DropDownValue" -ForegroundColor Yellow
-
-
- [bool]$ItemState = ($Item.State -eq 'Enabled' `
- -and $1DropDownState -eq 'Enabled' `
- -and $1DropDownValue -eq 'Secure Boot' `
- -and $2DropDownState -eq 'Enabled' `
- -and $2DropDownValue -eq 'Enabled with UEFI lock' `
- -and $Item.CheckboxName -eq 'Require UEFI Memory Attributes Table' `
- -and $Item.CheckboxState -eq 'Disabled' `
- -and $3DropDownState -eq 'Enabled' `
- -and $3DropDownValue -eq 'Enabled with UEFI lock' `
- -and $4DropDownState -eq 'Enabled' `
- -and $4DropDownValue -eq 'Enabled' `
- -and $5DropDownState -eq 'Enabled' `
- -and $5DropDownValue -eq 'Enabled in enforcement mode'
- ) ? $True : $False
- }
- }
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $NestedObjectArray += [PSCustomObject]@{
- Name = $HashPol[$CatName][$Key].Name
- Value = $ItemState
- Compliant = $ItemState
- Category = $CatName
- Method = 'Group Policy'
- }
- }
-
-
- # Loop through each nested hash table inside the main Registeries hash table and check the item state using a switch statement
- foreach ($Key in $HashReg[$CatName].Keys) {
- # Get the correct object from the RegistriesOutput Object that contains all the group policies in the xml file
- $Item = $RegistriesOutput | Where-Object { $_.Name -eq $HashReg[$CatName][$Key].Name -and $_.KeyPath -eq $HashReg[$CatName][$Key].KeyPath }
- switch ($Key) {
- 1 {
- [bool]$ItemState = ($Item.Number -eq '1') ? $True : $False
- }
- }
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $NestedObjectArray += [PSCustomObject]@{
- Name = $HashReg[$CatName][$Key].Name
- Value = $ItemState
- Compliant = $ItemState
- Category = $CatName
- Method = 'Group Policy'
- }
- }
- # Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
- Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray -ErrorAction Stop
- #EndRegion Device-Guard-Category
-
- #Region Windows-Firewall-Category
- Write-Progress -Activity 'Validating Windows Firewall Category' -Status 'Processing...' -PercentComplete 70
- [System.Array]$NestedObjectArray = @()
- [String]$CatName = 'Windows Firewall'
-
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Domain Profile Default Inbound Action'
- Value = $FirewallPoliciesOutput.DomainDefaultInboundAction
- Compliant = [bool]($FirewallPoliciesOutput.DomainDefaultInboundAction -eq $True ? $True : $False)
- Category = $CatName
- Method = 'Firewall Group Policy'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Domain Profile Default Outbound Action'
- Value = $FirewallPoliciesOutput.DomainDefaultOutboundAction
- Compliant = [bool]($FirewallPoliciesOutput.DomainDefaultOutboundAction -eq $true ? $True : $False)
- Category = $CatName
- Method = 'Firewall Group Policy'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Domain Profile Do Not Allow Exceptions'
- Value = $FirewallPoliciesOutput.DomainDoNotAllowExceptions
- Compliant = [bool]($FirewallPoliciesOutput.DomainDoNotAllowExceptions -eq $true ? $True : $False)
- Category = $CatName
- Method = 'Firewall Group Policy'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Domain Profile Firewall Enabled'
- Value = $FirewallPoliciesOutput.DomainEnableFirewall
- Compliant = [bool]($FirewallPoliciesOutput.DomainEnableFirewall -eq $true ? $True : $False)
- Category = $CatName
- Method = 'Firewall Group Policy'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Domain Profile Log File Path'
- Value = $FirewallPoliciesOutput.DomainLogFilePath
- Compliant = [bool]($FirewallPoliciesOutput.DomainLogFilePath -eq '%systemroot%\system32\logfiles\firewall\domainfirewall.log' ? $True : $False)
- Category = $CatName
- Method = 'Firewall Group Policy'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Domain Profile Log File Size'
- Value = $FirewallPoliciesOutput.DomainLogFileSize
- Compliant = [bool]($FirewallPoliciesOutput.DomainLogFileSize -eq '32767' ? $True : $False)
- Category = $CatName
- Method = 'Firewall Group Policy'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Domain Profile Log Dropped Packets'
- Value = $FirewallPoliciesOutput.DomainLogDroppedPackets
- Compliant = [bool]($FirewallPoliciesOutput.DomainLogDroppedPackets -eq $true ? $True : $False)
- Category = $CatName
- Method = 'Firewall Group Policy'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Domain Profile Log Successful Connections'
- Value = $FirewallPoliciesOutput.DomainLogSuccessfulConnections
- Compliant = [bool]($FirewallPoliciesOutput.DomainLogSuccessfulConnections -eq $true ? $True : $False)
- Category = $CatName
- Method = 'Firewall Group Policy'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Public Profile Disable Notifications'
- Value = $FirewallPoliciesOutput.PublicDisableNotifications
- Compliant = [bool]($FirewallPoliciesOutput.PublicDisableNotifications -eq $false ? $True : $False)
- Category = $CatName
- Method = 'Firewall Group Policy'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Public Profile Enable Firewall'
- Value = $FirewallPoliciesOutput.PublicEnableFirewall
- Compliant = [bool]($FirewallPoliciesOutput.PublicEnableFirewall -eq $true ? $True : $False)
- Category = $CatName
- Method = 'Firewall Group Policy'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Public Profile Log File Path'
- Value = $FirewallPoliciesOutput.PublicLogFilePath
- Compliant = [bool]($FirewallPoliciesOutput.PublicLogFilePath -eq '%systemroot%\system32\logfiles\firewall\publicfirewall.log' ? $True : $False)
- Category = $CatName
- Method = 'Firewall Group Policy'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Public Profile Log File Size'
- Value = $FirewallPoliciesOutput.PublicLogFileSize
- Compliant = [bool]($FirewallPoliciesOutput.PublicLogFileSize -eq '32767' ? $True : $False)
- Category = $CatName
- Method = 'Firewall Group Policy'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Public Profile Log Dropped Packets'
- Value = $FirewallPoliciesOutput.PublicLogDroppedPackets
- Compliant = [bool]($FirewallPoliciesOutput.PublicLogDroppedPackets -eq $true ? $True : $False)
- Category = $CatName
- Method = 'Firewall Group Policy'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Private Profile Disable Notifications'
- Value = $FirewallPoliciesOutput.PrivateDisableNotifications
- Compliant = [bool]($FirewallPoliciesOutput.PrivateDisableNotifications -eq $false ? $True : $False)
- Category = $CatName
- Method = 'Firewall Group Policy'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Private Profile Enable Firewall'
- Value = $FirewallPoliciesOutput.PrivateEnableFirewall
- Compliant = [bool]($FirewallPoliciesOutput.PrivateEnableFirewall -eq $true ? $True : $False)
- Category = $CatName
- Method = 'Firewall Group Policy'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Private Profile Log File Path'
- Value = $FirewallPoliciesOutput.PrivateLogFilePath
- Compliant = [bool]($FirewallPoliciesOutput.PrivateLogFilePath -eq '%systemroot%\system32\logfiles\firewall\privatefirewall.log' ? $True : $False)
- Category = $CatName
- Method = 'Firewall Group Policy'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Private Profile Log File Size'
- Value = $FirewallPoliciesOutput.PrivateLogFileSize
- Compliant = [bool]($FirewallPoliciesOutput.PrivateLogFileSize -eq '32767' ? $True : $False)
- Category = $CatName
- Method = 'Firewall Group Policy'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Private Profile Log Dropped Packets'
- Value = $FirewallPoliciesOutput.PrivateLogDroppedPackets
- Compliant = [bool]($FirewallPoliciesOutput.PrivateLogDroppedPackets -eq $true ? $True : $False)
- Category = $CatName
- Method = 'Firewall Group Policy'
- }
-
- # Disables Multicast DNS (mDNS) UDP-in Firewall Rules for all 3 Firewall profiles - disables only 3 rules
- $RulesToDisable = Get-NetFirewallRule -ErrorAction Stop |
- Where-Object { $_.RuleGroup -eq '@%SystemRoot%\system32\firewallapi.dll,-37302' -and $_.Direction -eq 'inbound' }
- # Check if the number of detected rules that need to be disabled match the number of rules with the same criteria that are disabled
- $RulesTarget = $RulesToDisable | Where-Object { $_.Enabled -eq 'False' }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool](($RulesTarget.count -eq $RulesToDisable.Count) ? $True : $false)
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Firewall rules disabled for Multicast DNS (mDNS) UDP-in'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Firewall Group Policy'
- }
-
- # Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
- Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray -ErrorAction Stop
- #EndRegion Windows-Firewall-Category
-
- #Region Optional-Windows-Features-Category
- Write-Progress -Activity 'Validating Optional Windows Features Category' -Status 'Processing...' -PercentComplete 75
- [System.Array]$NestedObjectArray = @()
- [String]$CatName = 'Optional Windows Features'
-
- # Disable PowerShell v2 (needs 2 commands)
- [bool]$IndividualItemResult = ((Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction Stop).state -eq 'disabled') `
- -and [bool]((Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction Stop).state -eq 'disabled') ? $True : $false
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'PowerShell v2 is disabled'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Optional Windows Features'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]((Get-WindowsOptionalFeature -Online -FeatureName WorkFolders-Client -ErrorAction Stop).state -eq 'disabled')
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Work Folders client is disabled'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Optional Windows Features'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]((Get-WindowsOptionalFeature -Online -FeatureName Printing-Foundation-Features -ErrorAction Stop).state -eq 'disabled')
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Internet Printing Client is disabled'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Optional Windows Features'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]((Get-WindowsOptionalFeature -Online -FeatureName WindowsMediaPlayer -ErrorAction Stop).state -eq 'disabled')
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Windows Media Player (legacy) is disabled'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Optional Windows Features'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]((Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -ErrorAction Stop).state -eq 'enabled')
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Microsoft Defender Application Guard is enabled'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Optional Windows Features'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]((Get-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM -ErrorAction Stop).state -eq 'enabled')
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Windows Sandbox is enabled'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Optional Windows Features'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]((Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -ErrorAction Stop).state -eq 'enabled')
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Hyper-V is enabled'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Optional Windows Features'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]((Get-WindowsOptionalFeature -Online -FeatureName VirtualMachinePlatform -ErrorAction Stop).state -eq 'enabled')
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Virtual Machine Platform is enabled'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Optional Windows Features'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]((Get-WindowsCapability -Online -ErrorAction Stop | Where-Object { $_.Name -like '*wmic*' }).state -eq 'NotPresent')
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'WMIC is not present'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Optional Windows Features'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]((Get-WindowsCapability -Online -ErrorAction Stop | Where-Object { $_.Name -like '*Browser.InternetExplorer*' }).state -eq 'NotPresent')
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Internet Explorer mode functionality for Edge is not present'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Optional Windows Features'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]((Get-WindowsCapability -Online -ErrorAction Stop | Where-Object { $_.Name -like '*Microsoft.Windows.Notepad.System*' }).state -eq 'NotPresent')
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Legacy Notepad is not present'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Optional Windows Features'
- }
-
- # Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
- Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray -ErrorAction Stop
- #EndRegion Optional-Windows-Features-Category
-
- #Region Windows-Networking-Category
- Write-Progress -Activity 'Validating Windows Networking Category' -Status 'Processing...' -PercentComplete 80
- [System.Array]$NestedObjectArray = @()
- [String]$CatName = 'Windows Networking'
- # Loop through each nested hash table inside the main Policies hash table and check the item state using a switch statement
- foreach ($Key in $HashPol[$CatName].Keys) {
- $Item = $PoliciesOutput | Where-Object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
- switch ($Key) {
- 1 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
- 2 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
- 3 {
- [bool]$ItemState = ($Item.State -eq 'Enabled' `
- -and $Item.DropDownListName -eq 'Configure NetBIOS options:' `
- -and $Item.DropDownListState -eq 'Enabled' `
- -and $Item.DropDownListValue -eq 'Disable NetBIOS name resolution'
- ) ? $True : $False
- }
- 4 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
- 5 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
- }
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $NestedObjectArray += [PSCustomObject]@{
- Name = $HashPol[$CatName][$Key].Name
- Value = $ItemState
- Compliant = $ItemState
- Category = $CatName
- Method = 'Group Policy'
- }
- }
-
-
- # Check network location of all connections to see if they are public
- $Condition = Get-NetConnectionProfile -ErrorAction Stop | ForEach-Object { $_.NetworkCategory -eq 'public' }
- [bool]$IndividualItemResult = -NOT ($condition -contains $false) ? $True : $false
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Network Location of all connections set to Public'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Cmdlet'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]((Get-ItemPropertyValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' -Name 'EnableLMHOSTS') -eq '0')
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Disable LMHOSTS lookup protocol on all network adapters'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Registry Key'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]$($SecurityPoliciesIni.'Registry Values'['MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine'] -eq '7,') ? $True : $False
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Network access: Remotely accessible registry paths'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Security Group Policy'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]$($SecurityPoliciesIni.'Registry Values'['MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine'] -eq '7,') ? $True : $False
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Network access: Remotely accessible registry paths and subpaths'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Security Group Policy'
- }
-
- # Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
- Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray -ErrorAction Stop
- #EndRegion Windows-Networking-Category
-
- #Region Miscellaneous-Category
- Write-Progress -Activity 'Validating Miscellaneous Category' -Status 'Processing...' -PercentComplete 85
- [System.Array]$NestedObjectArray = @()
- [String]$CatName = 'Miscellaneous'
- # Loop through each nested hash table inside the main Policies hash table and check the item state using a switch statement
- foreach ($Key in $HashPol[$CatName].Keys) {
- $Item = $PoliciesOutput | Where-Object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
- switch ($Key) {
- 1 {
- [bool]$ItemState = ($Item.State -eq 'Enabled' `
- -and $Item.DropDownListState -eq 'Enabled' `
- -and $Item.DropDownListValue -eq 'Send optional diagnostic data'
- ) ? $True : $False
- }
- 2 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
- 3 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
- 4 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
- 5 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
- 6 {
- [bool]$ItemState = ($Item.State -eq 'Enabled' `
- -and $Item.DropDownListName -eq 'Choose the boot-start drivers that can be initialized:' `
- -and $Item.DropDownListState -eq 'Enabled' `
- -and $Item.DropDownListValue -eq 'Good only'
- ) ? $True : $False
- }
- 7 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
- 8 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
- 9 {
- [bool]$ItemState = ($Item.State -eq 'Enabled' `
- -and $Item.DropDownListName -eq 'RPC Runtime Unauthenticated Client Restriction to Apply:' `
- -and $Item.DropDownListState -eq 'Enabled' `
- -and $Item.DropDownListValue -eq 'Authenticated without exceptions'
- ) ? $True : $False
- }
- 10 {
- [bool]$ItemState = ($Item.State -eq 'Enabled' `
- -and $Item.DropDownListName -eq 'Mitigation Options' `
- -and $Item.DropDownListState -eq 'Enabled' `
- -and $Item.DropDownListValue -eq 'Block untrusted fonts and log events'
- ) ? $True : $False
- }
- }
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $NestedObjectArray += [PSCustomObject]@{
- Name = $HashPol[$CatName][$Key].Name
- Value = $ItemState
- Compliant = $ItemState
- Category = $CatName
- Method = 'Group Policy'
- }
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]((Get-SmbServerConfiguration -ErrorAction Stop).encryptdata)
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'SMB Encryption'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Cmdlet'
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool](((auditpol /get /subcategory:"Other Logon/Logoff Events" /r | ConvertFrom-Csv -ErrorAction Stop).'Inclusion Setting' -eq 'Success and Failure') ? $True : $False)
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Audit policy for Other Logon/Logoff Events'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Cmdlet'
- }
-
-
- # Checking if all user accounts are part of the Hyper-V security Group
- # Get all the enabled user accounts
- [string[]]$enabledUsers = (Get-LocalUser -ErrorAction Stop | Where-Object { $_.Enabled -eq 'True' }).Name | Sort-Object
- # Get the members of the Hyper-V Administrators security group using their SID
- [string[]]$groupMembers = (Get-LocalGroupMember -SID 'S-1-5-32-578' -ErrorAction Stop).Name -replace "$($env:COMPUTERNAME)\\" | Sort-Object
-
- # Set the $MatchHyperVUsers variable to $True only if all enabled user accounts are part of the Hyper-V Security group, if one of them isn't part of the group then returns false
- [bool]$MatchHyperVUsers = $false # initialize the $MatchHyperVUsers variable to false
- for ($i = 0; $i -lt $enabledUsers.Count; $i++) {
- $MatchHyperVUsers = ($enabledUsers[$i] -ceq $groupMembers[$i]) ? $True : $false
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'All users are part of the Hyper-V Administrators group'
- Value = $MatchHyperVUsers
- Compliant = $MatchHyperVUsers
- Category = $CatName
- Method = 'Cmdlet'
- }
-
-
- $MatchRegistryKeys = @() # initialize the variable to false - an array that is going to hold only bool values
- foreach ($Item in $CSVFileContent) {
- if ($Item.category -eq 'Miscellaneous' -and $Item.Action -eq 'AddOrModify') {
- $path = $Item.Path
- $key = $Item.Key
- $value = $Item.value
-
- $regValue = Get-ItemPropertyValue -Path $path -Name $key
- # Store only boolean values in the $MatchRegistryKeys
- $MatchRegistryKeys += [bool]($regValue -eq $value)
- }
- }
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]($MatchRegistryKeys -notcontains $false)
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Registry Keys All correct'
- # Make sure the boolean array doesn't contain any $false values
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Registry Keys'
- }
-
- # Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
- Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray -ErrorAction Stop
- #EndRegion Miscellaneous-Category
-
- #Region Windows-Update-Category
- Write-Progress -Activity 'Validating Windows Update Category' -Status 'Processing...' -PercentComplete 90
- [System.Array]$NestedObjectArray = @()
- [String]$CatName = 'Windows Update'
- # Loop through each nested hash table inside the main Policies hash table and check the item state using a switch statement
- foreach ($Key in $HashPol[$CatName].Keys) {
- $Item = $PoliciesOutput | Where-Object { $_.Name -eq $HashPol[$CatName][$Key].Name -and $_.Category -eq $HashPol[$CatName][$Key].Cat }
- switch ($Key) {
- 1 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
- 2 {
- [bool]$ItemState = ($Item.State -eq 'Enabled') ? $True : $False
- }
- 3 {
- # 2 Check boxes with the same name exists, but both of their States and Values are the same that's why this works
- $1index = $Item.DropDownListName.IndexOf('Deadline (days):')
- $1DropDownState = $Item.DropDownListState[$1index]
- $1DropDownValue = $Item.DropDownListValue[$1index]
-
- $2index = $Item.DropDownListName.IndexOf('Grace period (days):')
- $2DropDownState = $Item.DropDownListState[$2index]
- $2DropDownValue = $Item.DropDownListValue[$2index]
-
-
- [bool]$ItemState = ($Item.State -eq 'Enabled' `
- -and $1DropDownState -eq 'Enabled' `
- -and $1DropDownValue -eq '0' `
- -and $2DropDownState -eq 'Enabled' `
- -and $2DropDownValue -eq '1' `
- -and $Item.CheckboxName -eq "Don't auto-restart until end of grace period" `
- -and $Item.CheckboxState -eq 'Disabled'
- ) ? $True : $False
- }
- 4 {
- # 2 Check boxes with the same name exists, but both of their States and Values are the same that's why this works
- $1index = $Item.DropDownListName.IndexOf('Configure automatic updating:')
- $1DropDownState = $Item.DropDownListState[$1index]
- $1DropDownValue = $Item.DropDownListValue[$1index]
-
- $2index = $Item.CheckboxName.IndexOf('Install during automatic maintenance')
- $2CheckBoxState = $Item.CheckboxState[$2index]
-
- $3index = $Item.DropDownListName.IndexOf('Scheduled install day: ') # Has an extra space in the xml!
- $3DropDownState = $Item.DropDownListState[$3index]
- $3DropDownValue = $Item.DropDownListValue[$3index]
-
- $4index = $Item.DropDownListName.IndexOf('Scheduled install time:')
- $4DropDownState = $Item.DropDownListState[$4index]
- $4DropDownValue = $Item.DropDownListValue[$4index]
-
- $5index = $Item.CheckboxName.IndexOf('Every week')
- $5CheckBoxState = $Item.CheckboxState[$5index]
-
- $6index = $Item.CheckboxName.IndexOf('First week of the month')
- $6CheckBoxState = $Item.CheckboxState[$6index]
-
- $7index = $Item.CheckboxName.IndexOf('Second week of the month')
- $7CheckBoxState = $Item.CheckboxState[$7index]
-
- $8index = $Item.CheckboxName.IndexOf('Third week of the month')
- $8CheckBoxState = $Item.CheckboxState[$8index]
-
- $9index = $Item.CheckboxName.IndexOf('Fourth week of the month')
- $9CheckBoxState = $Item.CheckboxState[$9index]
-
- $10index = $Item.CheckboxName.IndexOf('Install updates for other Microsoft products')
- $10CheckBoxState = $Item.CheckboxState[$10index]
-
-
- [bool]$ItemState = ($Item.State -eq 'Enabled' `
- -and $1DropDownState -eq 'Enabled' `
- -and $1DropDownValue -eq '4 - Auto download and schedule the install' `
- -and $2CheckBoxState -eq 'Enabled' `
- -and $3DropDownState -eq 'Enabled' `
- -and $3DropDownValue -eq '0 - Every day' `
- -and $4DropDownState -eq 'Enabled' `
- -and $4DropDownValue -eq 'Automatic' `
- -and $5CheckBoxState -eq 'Disabled' `
- -and $6CheckBoxState -eq 'Disabled' `
- -and $7CheckBoxState -eq 'Disabled' `
- -and $8CheckBoxState -eq 'Disabled' `
- -and $9CheckBoxState -eq 'Disabled' `
- -and $10CheckBoxState -eq 'Enabled' `
- ) ? $True : $False
- }
-
- }
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $NestedObjectArray += [PSCustomObject]@{
- Name = $HashPol[$CatName][$Key].Name
- Value = $ItemState
- Compliant = $ItemState
- Category = $CatName
- Method = 'Group Policy'
- }
- }
-
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- $IndividualItemResult = [bool]((Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings' -Name 'RestartNotificationsAllowed2') -eq '1')
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Enable restart notification for Windows update'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Registry Key'
- }
-
- # Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
- Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray -ErrorAction Stop
- #EndRegion Windows-Update-Category
-
- #Region Edge-Category
- Write-Progress -Activity 'Validating Edge Browser Category' -Status 'Processing...' -PercentComplete 95
- [System.Array]$NestedObjectArray = @()
- [String]$CatName = 'Edge'
- $MatchRegistryKeys = @() # initialize the variable to false - an array that is going to hold only bool values
- foreach ($Item in $CSVFileContent) {
- if ($Item.category -eq 'Edge' -and $Item.Action -eq 'AddOrModify') {
- $path = $Item.Path
- $key = $Item.Key
- $value = $Item.value
-
- $regValue = Get-ItemPropertyValue -Path $path -Name $key
- # Store only boolean values in the $MatchRegistryKeys
- $MatchRegistryKeys += [bool]($regValue -eq $value)
-
- }
- }
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- # Make sure the boolean array doesn't contain any $false values
- $IndividualItemResult = [bool]($MatchRegistryKeys -notcontains $false)
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Registry Keys All correct'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Registry Keys'
- }
-
- # Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
- Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray -ErrorAction Stop
- #EndRegion Edge-Category
-
- #Region Non-Admin-Category
- Write-Progress -Activity 'Validating Non-Admin Category' -Status 'Processing...' -PercentComplete 100
- [System.Array]$NestedObjectArray = @()
- [String]$CatName = 'Non-Admin'
-
- $MatchRegistryKeys = @() # initialize the variable to false - an array that is going to hold only bool values
- foreach ($Item in $CSVFileContent) {
- if ($Item.category -eq 'NonAdmin' -and $Item.Action -eq 'AddOrModify') {
- $path = $Item.Path
- $key = $Item.Key
- $value = $Item.value
-
- $regValue = Get-ItemPropertyValue -Path $path -Name $key
- # Store only boolean values in the $MatchRegistryKeys
- $MatchRegistryKeys += [bool]($regValue -eq $value)
-
- }
- }
- # Create a custom object with 5 properties to store them as nested objects inside the main output object
- # Make sure the boolean array doesn't contain any $false values
- $IndividualItemResult = ($MatchRegistryKeys -notcontains $false)
- $NestedObjectArray += [PSCustomObject]@{
- Name = 'Registry Keys All correct'
- Value = $IndividualItemResult
- Compliant = $IndividualItemResult
- Category = $CatName
- Method = 'Registry Keys'
- }
-
- # Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
- Add-Member -InputObject $FinalMegaObject -MemberType NoteProperty -Name $CatName -Value $NestedObjectArray -ErrorAction Stop
- #EndRegion Non-Admin-Category
-
- if ($ExportToCSV) {
-
- # An array to store the content of each category
- $CsvOutPutFileContent = @()
- $CsvOutPutFileContent += $FinalMegaObject.'Microsoft Defender'
- $CsvOutPutFileContent += $FinalMegaObject.ASR
- $CsvOutPutFileContent += $FinalMegaObject.Bitlocker
- $CsvOutPutFileContent += $FinalMegaObject.TLS
- $CsvOutPutFileContent += $FinalMegaObject.LockScreen
- $CsvOutPutFileContent += $FinalMegaObject.UAC
- $CsvOutPutFileContent += $FinalMegaObject.'Device Guard'
- $CsvOutPutFileContent += $FinalMegaObject.'Windows Firewall'
- $CsvOutPutFileContent += $FinalMegaObject.'Optional Windows Features'
- $CsvOutPutFileContent += $FinalMegaObject.'Windows Networking'
- $CsvOutPutFileContent += $FinalMegaObject.Miscellaneous
- $CsvOutPutFileContent += $FinalMegaObject.'Windows Update'
- $CsvOutPutFileContent += $FinalMegaObject.Edge
- $CsvOutPutFileContent += $FinalMegaObject.'Non-Admin'
- # Convert the array to CSV and store it in the Output.CSV file in the current working directory
- $CsvOutPutFileContent | ConvertTo-Csv -ErrorAction Stop | Out-File -FilePath '.\Output.CSV' -Force -ErrorAction Stop
- }
-
- if ($ShowAsObjectsOnly) {
- # return the main object that contains multiple nested objects
- return $FinalMegaObject
- }
- else {
-
- #Region Colors
- [scriptblock]$WritePlum = { Write-Output "$($PSStyle.Foreground.FromRGB(221,160,221))$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteOrchid = { Write-Output "$($PSStyle.Foreground.FromRGB(218,112,214))$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteFuchsia = { Write-Output "$($PSStyle.Foreground.FromRGB(255,0,255))$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteMediumOrchid = { Write-Output "$($PSStyle.Foreground.FromRGB(186,85,211))$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteMediumPurple = { Write-Output "$($PSStyle.Foreground.FromRGB(147,112,219))$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteBlueViolet = { Write-Output "$($PSStyle.Foreground.FromRGB(138,43,226))$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteDarkViolet = { Write-Output "$($PSStyle.Foreground.FromRGB(148,0,211))$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WritePink = { Write-Output "$($PSStyle.Foreground.FromRGB(255,192,203))$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteHotPink = { Write-Output "$($PSStyle.Foreground.FromRGB(255,105,180))$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteDeepPink = { Write-Output "$($PSStyle.Foreground.FromRGB(255,20,147))$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteMintGreen = { Write-Output "$($PSStyle.Foreground.FromRGB(152,255,152))$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteOrange = { Write-Output "$($PSStyle.Foreground.FromRGB(255,165,0))$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteSkyBlue = { Write-Output "$($PSStyle.Foreground.FromRGB(135,206,235))$($args[0])$($PSStyle.Reset)" }
-
- [scriptblock]$WriteRainbow1 = {
- $text = $args[0]
- $colors = @(
- [System.Drawing.Color]::Pink,
- [System.Drawing.Color]::HotPink,
- [System.Drawing.Color]::SkyBlue,
- [System.Drawing.Color]::Pink,
- [System.Drawing.Color]::HotPink,
- [System.Drawing.Color]::SkyBlue,
- [System.Drawing.Color]::Pink
- )
-
- $output = ''
- for ($i = 0; $i -lt $text.Length; $i++) {
- $color = $colors[$i % $colors.Length]
- $output += "$($PSStyle.Foreground.FromRGB($color.R, $color.G, $color.B))$($text[$i])$($PSStyle.Reset)"
- }
- Write-Output -InputObject $output
- }
-
- [scriptblock]$WriteRainbow2 = {
- $text = $args[0]
- $colors = @(
- [System.Drawing.Color]::Pink,
- [System.Drawing.Color]::HotPink,
- [System.Drawing.Color]::SkyBlue,
- [System.Drawing.Color]::HotPink,
- [System.Drawing.Color]::SkyBlue,
- [System.Drawing.Color]::LightSkyBlue,
- [System.Drawing.Color]::Lavender,
- [System.Drawing.Color]::LightGreen,
- [System.Drawing.Color]::Coral,
- [System.Drawing.Color]::Plum,
- [System.Drawing.Color]::Gold
- )
-
- $output = ''
- for ($i = 0; $i -lt $text.Length; $i++) {
- $color = $colors[$i % $colors.Length]
- $output += "$($PSStyle.Foreground.FromRGB($color.R, $color.G, $color.B))$($text[$i])$($PSStyle.Reset)"
- }
- Write-Output -InputObject $output
- }
- #Endregion Colors
-
- # Show all properties in list
- if ($DetailedDisplay) {
- & $WritePlum "`n-------------Microsoft Defender Category-------------"
- $FinalMegaObject.'Microsoft Defender' | Format-List -Property * -ErrorAction Stop
-
- & $WriteOrchid "`n-------------Attack Surface Reduction Rules Category-------------"
- $FinalMegaObject.ASR | Format-List -Property * -ErrorAction Stop
-
- & $WriteFuchsia "`n-------------Bitlocker Category-------------"
- $FinalMegaObject.Bitlocker | Format-List -Property * -ErrorAction Stop
-
- & $WriteMediumOrchid "`n-------------TLS Category-------------"
- $FinalMegaObject.TLS | Format-List -Property * -ErrorAction Stop
-
- & $WriteMediumPurple "`n-------------Lock Screen Category-------------"
- $FinalMegaObject.LockScreen | Format-List -Property * -ErrorAction Stop
-
- & $WriteBlueViolet "`n-------------User Account Control Category-------------"
- $FinalMegaObject.UAC | Format-List -Property * -ErrorAction Stop
-
- & $WriteDarkViolet "`n-------------Device Guard Category-------------"
- $FinalMegaObject.'Device Guard' | Format-List -Property * -ErrorAction Stop
-
- & $WritePink "`n-------------Windows Firewall Category-------------"
- $FinalMegaObject.'Windows Firewall' | Format-List -Property * -ErrorAction Stop
-
- & $WriteSkyBlue "`n-------------Optional Windows Features Category-------------"
- $FinalMegaObject.'Optional Windows Features' | Format-List -Property * -ErrorAction Stop
-
- & $WriteHotPink "`n-------------Windows Networking Category-------------"
- $FinalMegaObject.'Windows Networking' | Format-List -Property * -ErrorAction Stop
-
- & $WriteDeepPink "`n-------------Miscellaneous Category-------------"
- $FinalMegaObject.Miscellaneous | Format-List -Property * -ErrorAction Stop
-
- & $WriteMintGreen "`n-------------Windows Update Category-------------"
- $FinalMegaObject.'Windows Update' | Format-List -Property * -ErrorAction Stop
-
- & $WriteOrange "`n-------------Microsoft Edge Category-------------"
- $FinalMegaObject.Edge | Format-List -Property * -ErrorAction Stop
-
- & $WriteSkyBlue "`n-------------Non-Admin Category-------------"
- $FinalMegaObject.'Non-Admin' | Format-List -Property * -ErrorAction Stop
- }
-
- # Show properties that matter in a table
- else {
-
- & $WritePlum "`n-------------Microsoft Defender Category-------------"
- $FinalMegaObject.'Microsoft Defender' | Format-Table -AutoSize -Property Name, Compliant, Value -ErrorAction Stop
-
- & $WriteOrchid "`n-------------Attack Surface Reduction Rules Category-------------"
- $FinalMegaObject.ASR | Format-Table -AutoSize -Property Name, Compliant, Value -ErrorAction Stop
-
- & $WriteFuchsia "`n-------------Bitlocker Category-------------"
- $FinalMegaObject.Bitlocker | Format-Table -AutoSize -Property Name, Compliant, Value -ErrorAction Stop
-
- & $WriteMediumOrchid "`n-------------TLS Category-------------"
- $FinalMegaObject.TLS | Format-Table -AutoSize -Property Name, Compliant, Value -ErrorAction Stop
-
- & $WriteMediumPurple "`n-------------Lock Screen Category-------------"
- $FinalMegaObject.LockScreen | Format-Table -AutoSize -Property Name, Compliant, Value -ErrorAction Stop
-
- & $WriteBlueViolet "`n-------------User Account Control Category-------------"
- $FinalMegaObject.UAC | Format-Table -AutoSize -Property Name, Compliant, Value -ErrorAction Stop
-
- & $WriteDarkViolet "`n-------------Device Guard Category-------------"
- $FinalMegaObject.'Device Guard' | Format-Table -AutoSize -Property Name, Compliant, Value -ErrorAction Stop
-
- & $WritePink "`n-------------Windows Firewall Category-------------"
- $FinalMegaObject.'Windows Firewall' | Format-Table -AutoSize -Property Name, Compliant, Value -ErrorAction Stop
-
- & $WriteSkyBlue "`n-------------Optional Windows Features Category-------------"
- $FinalMegaObject.'Optional Windows Features' | Format-Table -AutoSize -Property Name, Compliant, Value -ErrorAction Stop
-
- & $WriteHotPink "`n-------------Windows Networking Category-------------"
- $FinalMegaObject.'Windows Networking' | Format-Table -AutoSize -Property Name, Compliant, Value -ErrorAction Stop
-
- & $WriteDeepPink "`n-------------Miscellaneous Category-------------"
- $FinalMegaObject.Miscellaneous | Format-Table -AutoSize -Property Name, Compliant, Value -ErrorAction Stop
-
- & $WriteMintGreen "`n-------------Windows Update Category-------------"
- $FinalMegaObject.'Windows Update' | Format-Table -AutoSize -Property Name, Compliant, Value -ErrorAction Stop
-
- & $WriteOrange "`n-------------Microsoft Edge Category-------------"
- $FinalMegaObject.Edge | Format-Table -AutoSize -Property Name, Compliant, Value -ErrorAction Stop
-
- & $WriteSkyBlue "`n-------------Non-Admin Category-------------"
- $FinalMegaObject.'Non-Admin' | Format-Table -AutoSize -Property Name, Compliant, Value -ErrorAction Stop
- }
-
- # Counting the number of $True Compliant values in the Final Output Object
- [int]$TotalTrueValuesInOutPut = ($FinalMegaObject.'Microsoft Defender' | Where-Object { $_.Compliant -eq $True }).value.Count + `
- [int]($FinalMegaObject.ASR | Where-Object { $_.Compliant -eq $True }).value.Count + `
- [int]($FinalMegaObject.Bitlocker | Where-Object { $_.Compliant -eq $True }).value.Count + `
- [int]($FinalMegaObject.TLS | Where-Object { $_.Compliant -eq $True }).value.Count + `
- [int]($FinalMegaObject.LockScreen | Where-Object { $_.Compliant -eq $True }).value.Count + `
- [int]($FinalMegaObject.UAC | Where-Object { $_.Compliant -eq $True }).value.Count + `
- [int]($FinalMegaObject.'Device Guard' | Where-Object { $_.Compliant -eq $True }).value.Count + `
- [int]($FinalMegaObject.'Windows Firewall' | Where-Object { $_.Compliant -eq $True }).value.Count + `
- [int]($FinalMegaObject.'Optional Windows Features' | Where-Object { $_.Compliant -eq $True }).value.Count + `
- [int]($FinalMegaObject.'Windows Networking' | Where-Object { $_.Compliant -eq $True }).value.Count + `
- [int]($FinalMegaObject.Miscellaneous | Where-Object { $_.Compliant -eq $True }).value.Count + `
- [int]($FinalMegaObject.'Windows Update' | Where-Object { $_.Compliant -eq $True }).value.Count + `
- [int]($FinalMegaObject.Edge | Where-Object { $_.Compliant -eq $True }).value.Count + `
- [int]($FinalMegaObject.'Non-Admin' | Where-Object { $_.Compliant -eq $True }).value.Count
-
-
- #Region ASCII-Arts
- [string]$WhenValue1To20 = @'
- OH
-
- N
- O
- O
- o
- o
- o
- o
- 。
- 。
- .
- .
- .
- .
-
-'@
-
-
- [string]$WhenValue21To40 = @'
-
-⣿⣿⣷⡁⢆⠈⠕⢕⢂⢕⢂⢕⢂⢔⢂⢕⢄⠂⣂⠂⠆⢂⢕⢂⢕⢂⢕⢂⢕⢂
-⣿⣿⣿⡷⠊⡢⡹⣦⡑⢂⢕⢂⢕⢂⢕⢂⠕⠔⠌⠝⠛⠶⠶⢶⣦⣄⢂⢕⢂⢕
-⣿⣿⠏⣠⣾⣦⡐⢌⢿⣷⣦⣅⡑⠕⠡⠐⢿⠿⣛⠟⠛⠛⠛⠛⠡⢷⡈⢂⢕⢂
-⠟⣡⣾⣿⣿⣿⣿⣦⣑⠝⢿⣿⣿⣿⣿⣿⡵⢁⣤⣶⣶⣿⢿⢿⢿⡟⢻⣤⢑⢂
-⣾⣿⣿⡿⢟⣛⣻⣿⣿⣿⣦⣬⣙⣻⣿⣿⣷⣿⣿⢟⢝⢕⢕⢕⢕⢽⣿⣿⣷⣔
-⣿⣿⠵⠚⠉⢀⣀⣀⣈⣿⣿⣿⣿⣿⣿⣿⣿⣿⣗⢕⢕⢕⢕⢕⢕⣽⣿⣿⣿⣿
-⢷⣂⣠⣴⣾⡿⡿⡻⡻⣿⣿⣴⣿⣿⣿⣿⣿⣿⣷⣵⣵⣵⣷⣿⣿⣿⣿⣿⣿⡿
-⢌⠻⣿⡿⡫⡪⡪⡪⡪⣺⣿⣿⣿⣿⣿⠿⠿⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠃
-⠣⡁⠹⡪⡪⡪⡪⣪⣾⣿⣿⣿⣿⠋⠐⢉⢍⢄⢌⠻⣿⣿⣿⣿⣿⣿⣿⣿⠏⠈
-⡣⡘⢄⠙⣾⣾⣾⣿⣿⣿⣿⣿⣿⡀⢐⢕⢕⢕⢕⢕⡘⣿⣿⣿⣿⣿⣿⠏⠠⠈
-⠌⢊⢂⢣⠹⣿⣿⣿⣿⣿⣿⣿⣿⣧⢐⢕⢕⢕⢕⢕⢅⣿⣿⣿⣿⡿⢋⢜⠠⠈
-⠄⠁⠕⢝⡢⠈⠻⣿⣿⣿⣿⣿⣿⣿⣷⣕⣑⣑⣑⣵⣿⣿⣿⡿⢋⢔⢕⣿⠠⠈
-⠨⡂⡀⢑⢕⡅⠂⠄⠉⠛⠻⠿⢿⣿⣿⣿⣿⣿⣿⣿⣿⡿⢋⢔⢕⢕⣿⣿⠠⠈
-⠄⠪⣂⠁⢕⠆⠄⠂⠄⠁⡀⠂⡀⠄⢈⠉⢍⢛⢛⢛⢋⢔⢕⢕⢕⣽⣿⣿⠠⠈
-
-'@
-
-
- [string]$WhenValue41To60 = @'
-
- ⣿⡟⠙⠛⠋⠩⠭⣉⡛⢛⠫⠭⠄⠒⠄⠄⠄⠈⠉⠛⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿
- ⣿⡇⠄⠄⠄⠄⣠⠖⠋⣀⡤⠄⠒⠄⠄⠄⠄⠄⠄⠄⠄⠄⣈⡭⠭⠄⠄⠄⠉⠙
- ⣿⡇⠄⠄⢀⣞⣡⠴⠚⠁⠄⠄⢀⠠⠄⠄⠄⠄⠄⠄⠄⠉⠄⠄⠄⠄⠄⠄⠄⠄
- ⣿⡇⠄⡴⠁⡜⣵⢗⢀⠄⢠⡔⠁⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄
- ⣿⡇⡜⠄⡜⠄⠄⠄⠉⣠⠋⠠⠄⢀⡄⠄⠄⣠⣆⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⢸
- ⣿⠸⠄⡼⠄⠄⠄⠄⢰⠁⠄⠄⠄⠈⣀⣠⣬⣭⣛⠄⠁⠄⡄⠄⠄⠄⠄⠄⢀⣿
- ⣏⠄⢀⠁⠄⠄⠄⠄⠇⢀⣠⣴⣶⣿⣿⣿⣿⣿⣿⡇⠄⠄⡇⠄⠄⠄⠄⢀⣾⣿
- ⣿⣸⠈⠄⠄⠰⠾⠴⢾⣻⣿⣿⣿⣿⣿⣿⣿⣿⣿⢁⣾⢀⠁⠄⠄⠄⢠⢸⣿⣿
- ⣿⣿⣆⠄⠆⠄⣦⣶⣦⣌⣿⣿⣿⣿⣷⣋⣀⣈⠙⠛⡛⠌⠄⠄⠄⠄⢸⢸⣿⣿
- ⣿⣿⣿⠄⠄⠄⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠇⠈⠄⠄⠄⠄⠄⠈⢸⣿⣿
- ⣿⣿⣿⠄⠄⠄⠘⣿⣿⣿⡆⢀⣈⣉⢉⣿⣿⣯⣄⡄⠄⠄⠄⠄⠄⠄⠄⠈⣿⣿
- ⣿⣿⡟⡜⠄⠄⠄⠄⠙⠿⣿⣧⣽⣍⣾⣿⠿⠛⠁⠄⠄⠄⠄⠄⠄⠄⠄⠃⢿⣿
- ⣿⡿⠰⠄⠄⠄⠄⠄⠄⠄⠄⠈⠉⠩⠔⠒⠉⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠐⠘⣿
- ⣿⠃⠃⠄⠄⠄⠄⠄⠄⣀⢀⠄⠄⡀⡀⢀⣤⣴⣤⣤⣀⣀⠄⠄⠄⠄⠄⠄⠁⢹
-
-'@
-
-
-
- [string]$WhenValue61To80 = @'
-
- ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣴⣿⣿⡷⣄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
- ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣴⣿⡿⠋⠈⠻⣮⣳⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
- ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣠⣴⣾⡿⠋⠀⠀⠀⠀⠙⣿⣿⣤⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
- ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣤⣶⣿⡿⠟⠛⠉⠀⠀⠀⠀⠀⠀⠀⠈⠛⠛⠿⠿⣿⣷⣶⣤⣄⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
- ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣠⣴⣾⡿⠟⠋⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠉⠛⠻⠿⣿⣶⣦⣄⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
- ⠀⠀⠀⣀⣠⣤⣤⣀⡀⠀⠀⣀⣴⣿⡿⠛⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠉⠛⠿⣿⣷⣦⣄⡀⠀⠀⠀⠀⠀⠀⠀⢀⣀⣤⣄⠀⠀
- ⢀⣤⣾⡿⠟⠛⠛⢿⣿⣶⣾⣿⠟⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠉⠛⠿⣿⣷⣦⣀⣀⣤⣶⣿⡿⠿⢿⣿⡀⠀
- ⣿⣿⠏⠀⢰⡆⠀⠀⠉⢿⣿⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠙⠻⢿⡿⠟⠋⠁⠀⠀⢸⣿⠇⠀
- ⣿⡟⠀⣀⠈⣀⡀⠒⠃⠀⠙⣿⡆⠀⠀⠀⠀⠀⠀⠀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢸⣿⠇⠀
- ⣿⡇⠀⠛⢠⡋⢙⡆⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣾⣿⣿⠄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠀⠀
- ⣿⣧⠀⠀⠀⠓⠛⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⠛⠋⠀⠀⢸⣧⣤⣤⣶⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢰⣿⡿⠀⠀
- ⣿⣿⣤⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠉⠉⠉⠻⣷⣶⣶⡆⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣿⣿⠁⠀⠀
- ⠈⠛⠻⠿⢿⣿⣷⣶⣦⣤⣄⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣴⣿⣷⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣾⣿⡏⠀⠀⠀
- ⠀⠀⠀⠀⠀⠀⠀⠉⠙⠛⠻⠿⢿⣿⣷⣶⣦⣤⣄⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠙⠿⠛⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⢿⣿⡄⠀⠀
- ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠉⠙⠛⠻⠿⢿⣿⣷⣶⣦⣤⣄⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⢿⣿⡄⠀
- ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠉⠉⠛⠛⠿⠿⣿⣷⣶⣶⣤⣤⣀⡀⠀⠀⠀⢀⣴⡆⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⢿⡿⣄
- ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠉⠉⠛⠛⠿⠿⣿⣷⣶⡿⠋⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⣿⣹
- ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣀⣀⠀⠀⠀⠀⠀⠀⢸⣧
- ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢻⣿⣆⠀⠀⠀⠀⠀⠀⢀⣀⣠⣤⣶⣾⣿⣿⣿⣿⣤⣄⣀⡀⠀⠀⠀⣿
- ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠻⢿⣻⣷⣶⣾⣿⣿⡿⢯⣛⣛⡋⠁⠀⠀⠉⠙⠛⠛⠿⣿⣿⡷⣶⣿
-
-'@
-
-
- [string]$WhenValue81To88 = @'
-
- ⠀⠀⠀⠀⠀⠀⠀⠀⢀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
- ⠀⠀⠀⠀⠀⠔⠶⠒⠉⠈⠸⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
- ⠀⠀⠀⠀⠀⠪⣦⢄⣀⡠⠁⠀⠀⠀⠀⠀⠀⠀⢀⣀⣠⣤⣤⣤⣤⣤⣄⣀⣀⣀⣀⣀⣀⣀⠀⠀⠀⠀⠀
- ⠀⠀⠀⠀⠀⠀⠀⠈⠉⠀⠀⠀⣰⣶⣶⣦⠶⠛⠋⠉⠀⠀⠀⠀⠀⠀⠀⠉⠉⢷⡔⠒⠚⢽⠃⠀⠀⠀⠀
- ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⣰⣿⡿⠋⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠐⢅⢰⣾⠀⠀⠀⠀⠀
- ⠀⠀⠀⠀⠀⠀⣀⡴⠞⠛⠉⣿⠏⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠙⣧⠀⠀⠀⠀⠀
- ⠀⣀⣀⣤⣤⡞⠋⠀⠀⠀⢠⡏⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠸⡇⠀⠀⠀⠀
- ⢸⡏⠉⣴⠏⠀⠀⠀⠀⠀⢸⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⠀⠀⠀⠀
- ⠈⣧⢰⠏⠀⠀⠀⠀⠀⠀⢸⡆⠀⠀⠀⠀⠀⠀⠀⠀⠰⠯⠥⠠⠒⠄⠀⠀⠀⠀⠀⠀⢠⠀⣿⠀⠀⠀⠀
- ⠀⠈⣿⠀⠀⠀⠀⠀⠀⠀⠈⡧⢀⢻⠿⠀⠲⡟⣞⠀⠀⠀⠀⠈⠀⠁⠀⠀⠀⠀⠀⢀⠆⣰⠇⠀⠀⠀⠀
- ⠀⠀⣿⠀⠀⠀⠀⠀⠀⠀⠀⣧⡀⠃⠀⠀⠀⠱⣼⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠠⣂⡴⠋⠀⣀⡀⠀⠀
- ⠀⠀⢹⡄⠀⠀⠀⠀⠀⠀⠀⠹⣜⢄⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠒⠒⠿⡻⢦⣄⣰⠏⣿⠀⠀
- ⠀⠀⠀⢿⡢⡀⠀⠀⠀⠀⠀⠀⠙⠳⢮⣥⣤⣤⠶⠖⠒⠛⠓⠀⠀⠀⠀⠀⠀⠀⠀⠀⠑⢌⢻⣴⠏⠀⠀
- ⠀⠀⠀⠀⠻⣮⣒⠀⠀⠀⠀⠀⠀⠀⠀⠀⠸⣧⣤⣀⣀⣀⣤⡴⠖⠛⢻⡆⠀⠀⠀⠀⠀⠀⢣⢻⡄⠀⠀
- ⠀⠀⠀⠀⠀⠀⠉⠛⠒⠶⠶⡶⢶⠛⠛⠁⠀⠀⠀⠀⠀⠀⠀⢀⣀⣤⠞⠁⠀⠀⠀⠀⠀⠀⠈⢜⢧⣄⠀
- ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣸⠃⠇⠀⠀⠀⠀⠀⠀⠀⠀⠈⠛⠉⢻⠀⠀⠀⠀⠀⠀⠀⢀⣀⠀⠀⠉⠈⣷
- ⠀⠀⠀⠀⠀⠀⠀⣼⠟⠷⣿⣸⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢸⠲⠶⢶⣶⠶⠶⢛⣻⠏⠙⠛⠛⠛⠁
- ⠀⠀⠀⠀⠀⠀⠀⠈⠷⣤⣀⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⠀⠀⠀⠉⠛⠓⠚⠋⠀⠀⠀⠀⠀⠀
- ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠉⠻⣟⡂⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⡟⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
- ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⢹⡟⡟⢻⡟⠛⢻⡄⠀⠀⣸⠇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
- ⠀⠀⠀⠀⠀⠀⠀⠀⠀⡄⠀⠀⠀⠈⠷⠧⠾⠀⠀⠀⠻⣦⡴⠏⠀⠀⠀⠀⠀⠀⡀⠀⠀⠀⠀⠀⠀⠀⠀
- ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠉⠁⠀⠀⠀⠀⠈⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
-
-'@
-
-
- [string]$WhenValueAbove88 = @'
- ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
- ⠀⠀⠀⠀⠀⠀⠀⢠⣶⣶⣶⣦⣤⣀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣴⣿⠟⠛⢿⣶⡄⠀⢀⣀⣤⣤⣦⣤⡀⠀⠀⠀⠀⠀
- ⠀⠀⠀⠀⠀⠀⢠⣿⠋⠀⠀⠈⠙⠻⢿⣶⣶⣶⣶⣶⣶⣶⣿⠟⠀⠀⠀⠀⠹⣿⡿⠟⠋⠉⠁⠈⢻⣷⠀⠀⠀⠀⠀
- ⠀⠀⠀⠀⠀⠀⣼⡧⠀⠀⠀⠀⠀⠀⠀⠉⠁⠀⠀⠀⠀⣾⡏⠀⠀⢠⣾⢶⣶⣽⣷⣄⡀⠀⠀⠀⠈⣿⡆⠀⠀⠀⠀
- ⠀⠀⠀⠀⠀⠀⣿⡇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⠀⠀⠀⢸⣧⣾⠟⠉⠉⠙⢿⣿⠿⠿⠿⣿⣇⠀⠀⠀⠀
- ⠀⠀⠀⠀⠀⠀⢸⣿⡟⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠻⣷⣄⣀⣠⣼⣿⠀⠀⠀⠀⣸⣿⣦⡀⠀⠈⣿⡄⠀⠀⠀
- ⠀⠀⠀⠀⠀⢠⣾⠏⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠉⠉⠉⠉⠻⣷⣤⣤⣶⣿⣧⣿⠃⠀⣰⣿⠁⠀⠀⠀
- ⠀⠀⠀⠀⠀⣾⡏⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠹⣿⣀⠀⠀⣀⣴⣿⣧⠀⠀⠀⠀
- ⠀⠀⠀⠀⢸⣿⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠙⠻⠿⠿⠛⠉⢸⣿⠀⠀⠀⠀
- ⢀⣠⣤⣤⣼⣿⣤⣄⠀⠀⠀⡶⠟⠻⣦⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣶⣶⡄⠀⠀⠀⠀⢀⣀⣿⣄⣀⠀⠀
- ⠀⠉⠉⠉⢹⣿⣩⣿⠿⠿⣶⡄⠀⠀⠀⠀⠀⠀⠀⢀⣤⠶⣤⡀⠀⠀⠀⠀⠀⠿⡿⠃⠀⠀⠀⠘⠛⠛⣿⠋⠉⠙⠃
- ⠀⠀⠀⣤⣼⣿⣿⡇⠀⠀⠸⣿⠀⠀⠀⠀⠀⠀⠀⠘⠿⣤⡼⠇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣤⣼⣿⣀⠀⠀⠀
- ⠀⠀⣾⡏⠀⠈⠙⢧⠀⠀⠀⢿⣧⣀⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢠⣿⠟⠙⠛⠓⠀
- ⠀⠀⠹⣷⡀⠀⠀⠀⠀⠀⠀⠈⠉⠙⠻⣷⣦⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠰⣶⣿⣯⡀⠀⠀⠀⠀
- ⠀⠀⠀⠈⠻⣷⣄⠀⠀⠀⢀⣴⠿⠿⠗⠈⢻⣧⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⣤⣾⠟⠋⠉⠛⠷⠄⠀⠀
- ⠀⠀⠀⠀⠀⢸⡏⠀⠀⠀⢿⣇⠀⢀⣠⡄⢘⣿⣶⣶⣤⣤⣤⣤⣀⣤⣤⣤⣤⣶⣶⡿⠿⣿⠁⠀⠀⠀⠀⠀⠀⠀⠀
- ⠀⠀⠀⠀⠀⠘⣿⡄⠀⠀⠈⠛⠛⠛⠋⠁⣼⡟⠈⠻⣿⣿⣿⣿⡿⠛⠛⢿⣿⣿⣿⣡⣾⠛⠀⠀⠀⠀⠀⠀⠀⠀⠀
- ⠀⠀⠀⠀⠀⠀⠙⢿⣦⣄⣀⣀⣀⣀⣴⣾⣿⡁⠀⠀⠀⡉⣉⠁⠀⠀⣠⣾⠟⠉⠉⠋⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
- ⠀⠀⠀⠀⠀⠀⠀⠀⠈⠙⠛⠛⠛⠛⠉⠀⠹⣿⣶⣤⣤⣷⣿⣧⣴⣾⣿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
- ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⠻⢦⣭⡽⣯⣡⡴⠟⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
-
-'@
- #Endregion ASCII-Arts
-
- # Total number of Compliant values not equal to N/A
- [int]$TotalNumberOfTrueCompliantValues = 135
-
- switch ($True) {
- ($TotalTrueValuesInOutPut -in 1..20) { & $WriteRainbow2 "$WhenValue1To20`nYour compliance score is $TotalTrueValuesInOutPut out of $TotalNumberOfTrueCompliantValues!" }
- ($TotalTrueValuesInOutPut -in 21..40) { & $WriteRainbow1 "$WhenValue21To40`nYour compliance score is $TotalTrueValuesInOutPut out of $TotalNumberOfTrueCompliantValues!" }
- ($TotalTrueValuesInOutPut -in 41..60) { & $WriteRainbow1 "$WhenValue41To60`nYour compliance score is $TotalTrueValuesInOutPut out of $TotalNumberOfTrueCompliantValues!" }
- ($TotalTrueValuesInOutPut -in 61..80) { & $WriteRainbow2 "$WhenValue61To80`nYour compliance score is $TotalTrueValuesInOutPut out of $TotalNumberOfTrueCompliantValues!" }
- ($TotalTrueValuesInOutPut -in 81..100) { & $WriteRainbow1 "$WhenValue81To88`nYour compliance score is $TotalTrueValuesInOutPut out of $TotalNumberOfTrueCompliantValues!" }
- ($TotalTrueValuesInOutPut -gt 100) { & $WriteRainbow2 "$WhenValueAbove88`nYour compliance score is $TotalTrueValuesInOutPut out of $TotalNumberOfTrueCompliantValues!" }
- }
- }
-
- } # End of Process Block
-
- end {
- # Clean up
- Remove-Item -Path '.\security_policy.inf' -Force -ErrorAction Stop
- Remove-Item -Path '.\Registry.csv' -Force -ErrorAction Stop
- Remove-Item -Path '.\Group-Policies.json' -Force -ErrorAction Stop
- Remove-Item -Path '.\GPResult.xml' -Force -ErrorAction Stop
- }
-
- <#
-.SYNOPSIS
-Checks the compliance of a system with the Harden Windows Security script guidelines
-
-.LINK
-https://github.com/HotCakeX/Harden-Windows-Security
-
-.DESCRIPTION
-Checks the compliance of a system with the Harden Windows Security script. Checks the applied Group policies, registry keys and PowerShell cmdlets used by the hardening script.
-
-.COMPONENT
-Gpresult, Secedit, PowerShell, Registry
-
-.FUNCTIONALITY
-Uses Gpresult and Secedit to first export the effective Group policies and Security policies, then goes through them and checks them against the Harden Windows Security's guidelines.
-
-.EXAMPLE
-($result.Microsoft Defender | Where-Object {$_.name -eq 'Controlled Folder Access Exclusions'}).value.programs
-
-# Do this to get the Controlled Folder Access Programs list when using ShowAsObjectsOnly optional parameter to output an object
-
-.EXAMPLE
-$result.Microsoft Defender
-
-# Do this to only see the result for the Microsoft Defender category when using ShowAsObjectsOnly optional parameter to output an object
-
-.PARAMETER ExportToCSV
-Export the output to a CSV file in the current working directory
-
-.PARAMETER ShowAsObjectsOnly
-Returns a nested object instead of writing strings on the PowerShell console, it can be assigned to a variable
-
-.PARAMETER DetailedDisplay
-Shows the output on the PowerShell console with more details and in the list format instead of table format
-
-#>
-
-}
-
-# Set PSReadline tab completion to complete menu for easier access to available parameters - Only for the current session
-Set-PSReadLineKeyHandler -Key Tab -Function MenuComplete
diff --git a/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Group-Policies.json b/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Group-Policies.json
deleted file mode 100644
index 76ca9fdb0..000000000
--- a/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Group-Policies.json
+++ /dev/null
@@ -1,314 +0,0 @@
-{
- "ASR": {
- "1": {
- "Cat": "Windows Components/Microsoft Defender Antivirus/Microsoft Defender Exploit Guard/Attack Surface Reduction",
- "Name": "Configure Attack Surface Reduction rules"
- }
- },
- "Bitlocker": {
- "1": {
- "Cat": "Windows Components/BitLocker Drive Encryption/Operating System Drives",
- "Name": "Disallow standard users from changing the PIN or password"
- },
- "2": {
- "Cat": "Windows Components/BitLocker Drive Encryption/Operating System Drives",
- "Name": "Require additional authentication at startup"
- },
- "3": {
- "Cat": "Windows Components/BitLocker Drive Encryption",
- "Name": "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)"
- },
- "4": {
- "Cat": "Windows Components/BitLocker Drive Encryption/Fixed Data Drives",
- "Name": "Enforce drive encryption type on fixed data drives"
- },
- "5": {
- "Cat": "Windows Components/BitLocker Drive Encryption/Operating System Drives",
- "Name": "Configure minimum PIN length for startup"
- },
- "6": {
- "Cat": "Windows Components/BitLocker Drive Encryption/Operating System Drives",
- "Name": "Enforce drive encryption type on operating system drives"
- },
- "7": {
- "Cat": "Windows Components/BitLocker Drive Encryption/Removable Data Drives",
- "Name": "Allow access to BitLocker-protected removable data drives from earlier versions of Windows"
- },
- "8": {
- "Cat": "Windows Components/BitLocker Drive Encryption/Removable Data Drives",
- "Name": "Enforce drive encryption type on removable data drives"
- },
- "9": {
- "Cat": "Windows Components/BitLocker Drive Encryption/Operating System Drives",
- "Name": "Allow enhanced PINs for startup"
- },
- "10": {
- "Cat": "System/Power Management/Sleep Settings",
- "Name": "Allow standby states (S1-S3) when sleeping (plugged in)"
- },
- "11": {
- "Cat": "System/Power Management/Sleep Settings",
- "Name": "Allow standby states (S1-S3) when sleeping (on battery)"
- },
- "12": {
- "Cat": "Windows Components/File Explorer",
- "Name": "Show hibernate in the power options menu"
- },
- "13": {
- "Cat": "Windows Components/BitLocker Drive Encryption",
- "Name": "Disable new DMA devices when this computer is locked"
- }
- },
- "Device Guard": {
- "1": {
- "Cat": "System/Device Guard",
- "Name": "Turn On Virtualization Based Security"
- }
- },
- "LockScreen": {
- "1": {
- "Cat": "System/Logon",
- "Name": "Do not display network selection UI"
- },
- "2": {
- "Cat": "System/PIN Complexity",
- "Name": "Require digits"
- },
- "3": {
- "Cat": "System/PIN Complexity",
- "Name": "Expiration"
- },
- "4": {
- "Cat": "System/PIN Complexity",
- "Name": "History"
- },
- "5": {
- "Cat": "System/PIN Complexity",
- "Name": "Require lowercase letters"
- },
- "6": {
- "Cat": "System/Logon",
- "Name": "Exclude credential providers"
- },
- "7": {
- "Cat": "System/Logon",
- "Name": "Assign a default credential provider"
- }
- },
- "Microsoft Defender": {
- "1": {
- "Cat": "Windows Components/Microsoft Defender Antivirus",
- "Name": "Configure detection for potentially unwanted applications"
- },
- "2": {
- "Cat": "Windows Components/Microsoft Defender Antivirus/MAPS",
- "Name": "Configure the 'Block at First Sight' feature"
- },
- "3": {
- "Cat": "Windows Components/Microsoft Defender Antivirus/MAPS",
- "Name": "Join Microsoft MAPS"
- },
- "4": {
- "Cat": "Windows Components/Microsoft Defender Antivirus/MAPS",
- "Name": "Send file samples when further analysis is required"
- },
- "5": {
- "Cat": "Windows Components/Microsoft Defender Antivirus/Microsoft Defender Exploit Guard/Controlled Folder Access",
- "Name": "Configure Controlled folder access"
- },
- "6": {
- "Cat": "Windows Components/Microsoft Defender Antivirus/Microsoft Defender Exploit Guard/Network Protection",
- "Name": "Prevent users and apps from accessing dangerous websites"
- },
- "7": {
- "Cat": "Windows Components/Microsoft Defender Antivirus/MpEngine",
- "Name": "Configure extended cloud check"
- },
- "8": {
- "Cat": "Windows Components/Microsoft Defender Antivirus/MpEngine",
- "Name": "Enable file hash computation feature"
- },
- "9": {
- "Cat": "Windows Components/Microsoft Defender Antivirus/MpEngine",
- "Name": "Select cloud protection level"
- },
- "10": {
- "Cat": "Windows Components/Microsoft Defender Antivirus/Quarantine",
- "Name": "Configure removal of items from Quarantine folder"
- },
- "11": {
- "Cat": "Windows Components/Microsoft Defender Antivirus/Real-time Protection",
- "Name": "Define the maximum size of downloaded files and attachments to be scanned"
- },
- "12": {
- "Cat": "Windows Components/Microsoft Defender Antivirus/Scan",
- "Name": "Check for the latest virus and spyware security intelligence before running a scheduled scan"
- },
- "13": {
- "Cat": "Windows Components/Microsoft Defender Antivirus/Scan",
- "Name": "Run full scan on mapped network drives"
- },
- "14": {
- "Cat": "Windows Components/Microsoft Defender Antivirus/Scan",
- "Name": "Scan network files"
- },
- "15": {
- "Cat": "Windows Components/Microsoft Defender Antivirus/Scan",
- "Name": "Scan removable drives"
- },
- "16": {
- "Cat": "Windows Components/Microsoft Defender Antivirus/Scan",
- "Name": "Specify the maximum depth to scan archive files"
- },
- "17": {
- "Cat": "Windows Components/Microsoft Defender Antivirus/Scan",
- "Name": "Turn on catch-up quick scan"
- },
- "18": {
- "Cat": "Windows Components/Microsoft Defender Antivirus/Scan",
- "Name": "Turn on e-mail scanning"
- },
- "19": {
- "Cat": "Windows Components/Microsoft Defender Antivirus/Scan",
- "Name": "Turn on reparse point scanning"
- },
- "20": {
- "Cat": "Windows Components/Microsoft Defender Antivirus/Security Intelligence Updates",
- "Name": "Allows Microsoft Defender Antivirus to update and communicate over a metered connection."
- },
- "21": {
- "Cat": "Windows Components/Microsoft Defender Antivirus/Security Intelligence Updates",
- "Name": "Check for the latest virus and spyware security intelligence on startup"
- },
- "22": {
- "Cat": "Windows Components/Microsoft Defender Antivirus/Security Intelligence Updates",
- "Name": "Define the number of days before spyware security intelligence is considered out of date"
- },
- "23": {
- "Cat": "Windows Components/Microsoft Defender Antivirus/Security Intelligence Updates",
- "Name": "Define the number of days before virus security intelligence is considered out of date"
- },
- "24": {
- "Cat": "Windows Components/Microsoft Defender Antivirus/Security Intelligence Updates",
- "Name": "Specify the interval to check for security intelligence updates"
- },
- "25": {
- "Cat": "Windows Components/Microsoft Defender Antivirus/Threats",
- "Name": "Specify threat alert levels at which default action should not be taken when detected"
- },
- "26": {
- "Cat": "Windows Components/Windows Defender SmartScreen/Enhanced Phishing Protection",
- "Name": "Notify Malicious"
- },
- "27": {
- "Cat": "Windows Components/Windows Defender SmartScreen/Enhanced Phishing Protection",
- "Name": "Notify Password Reuse"
- },
- "28": {
- "Cat": "Windows Components/Windows Defender SmartScreen/Enhanced Phishing Protection",
- "Name": "Notify Unsafe App"
- },
- "29": {
- "Cat": "Windows Components/Windows Defender SmartScreen/Enhanced Phishing Protection",
- "Name": "Service Enabled"
- }
- },
- "Miscellaneous": {
- "1": {
- "Cat": "Windows Components/Data Collection and Preview Builds",
- "Name": "Allow Diagnostic Data"
- },
- "2": {
- "Cat": "Windows Components/Location and Sensors",
- "Name": "Turn off location"
- },
- "3": {
- "Cat": "Windows Components/Location and Sensors",
- "Name": "Turn off location scripting"
- },
- "4": {
- "Cat": "Windows Components/Location and Sensors/Windows Location Provider",
- "Name": "Turn off Windows Location Provider"
- },
- "5": {
- "Cat": "System/Service Control Manager Settings/Security Settings",
- "Name": "Enable svchost.exe mitigation options"
- },
- "6": {
- "Cat": "System/Early Launch Antimalware",
- "Name": "Boot-Start Driver Initialization Policy"
- },
- "7": {
- "Cat": "System/Audit Process Creation",
- "Name": "Include command line in process creation events"
- },
- "8": {
- "Cat": "System/Remote Procedure Call",
- "Name": "Enable RPC Endpoint Mapper Client Authentication"
- },
- "9": {
- "Cat": "System/Remote Procedure Call",
- "Name": "Restrict Unauthenticated RPC clients"
- },
- "10": {
- "Cat": "System/Mitigation Options",
- "Name": "Untrusted Font Blocking"
- }
- },
- "TLS": {
- "1": {
- "Cat": "Network/SSL Configuration Settings",
- "Name": "ECC Curve Order"
- },
- "2": {
- "Cat": "Network/SSL Configuration Settings",
- "Name": "SSL Cipher Suite Order"
- }
- },
- "Windows Networking": {
- "1": {
- "Cat": "Network/DNS Client",
- "Name": "Turn off smart multi-homed name resolution"
- },
- "2": {
- "Cat": "Network/DNS Client",
- "Name": "Turn off multicast name resolution"
- },
- "3": {
- "Cat": "Network/DNS Client",
- "Name": "Configure NetBIOS settings"
- },
- "4": {
- "Cat": "System/Internet Communication Management/Internet Communication settings",
- "Name": "Turn off printing over HTTP"
- },
- "5": {
- "Cat": "System/Internet Communication Management/Internet Communication settings",
- "Name": "Turn off downloading of print drivers over HTTP"
- }
- },
- "Windows Update": {
- "1": {
- "Cat": "Windows Components/Windows Update/Manage end user experience",
- "Name": "Allow updates to be downloaded automatically over metered connections"
- },
- "2": {
- "Cat": "Windows Components/Windows Update/Manage end user experience",
- "Name": "Enable features introduced via servicing that are off by default"
- },
- "3": {
- "Cat": "Windows Components/Windows Update/Manage end user experience",
- "Name": "Specify deadlines for automatic updates and restarts"
- },
- "4": {
- "Cat": "Windows Components/Windows Update/Manage end user experience",
- "Name": "Configure Automatic Updates"
- }
- },
- "UAC": {
- "1": {
- "Cat": "System/Logon",
- "Name": "Hide entry points for Fast User Switching"
- }
- }
-}
\ No newline at end of file
diff --git a/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Harden-Windows-Security-Module.psd1 b/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Harden-Windows-Security-Module.psd1
deleted file mode 100644
index fe1ad914a..000000000
--- a/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Harden-Windows-Security-Module.psd1
+++ /dev/null
@@ -1,183 +0,0 @@
-#
-# Module manifest for module 'Harden-Windows-Security-Module'
-#
-# Generated by: HotCakeX
-#
-# Generated on: 7/29/2023
-#
-
-@{
-
- # Script module or binary module file associated with this manifest.
- # RootModule = ''
-
- # Version number of this module.
- ModuleVersion = '0.0.7'
-
- # Supported PSEditions
- CompatiblePSEditions = @('Core')
-
- # ID used to uniquely identify this module
- GUID = 'afae7a0a-5eff-4a4d-9139-e1702b7ac426'
-
- # Author of this module
- Author = 'HotCakeX'
-
- # Company or vendor of this module
- CompanyName = 'SpyNetGirl'
-
- # Copyright statement for this module
- Copyright = '(c) HotCakeX. All rights reserved.'
-
- # Description of the functionality provided by this module
- Description = @"
-
-✅ This is a PowerShell module for Harden Windows Security script.
-✅ It offers System Compliance checking in addition to hardening.
-✅ You can check and validate a system to see whether it conforms to the Harden Windows Security guidelines or not.
-
-💠 The module generates a nice output on the screen as well as giving users an option to export the results in a CSV file.
-
-💠 If you use the "Protect-WindowsSecurity" Cmdlet, it will download and run the Harden Windows Security PowerShell script from the official repository
-
-🟡 Refer to this GitHub repository for more info: https://github.com/HotCakeX/Harden-Windows-Security
-
-🏴 Module's documentation: https://github.com/HotCakeX/Harden-Windows-Security/wiki/Harden%E2%80%90Windows%E2%80%90Security%E2%80%90Module
-
-💎 If you have any questions, requests, suggestions etc. about this module, please open a new Discussion or Issue on GitHub
-
-
-"@
-
- # Minimum version of the PowerShell engine required by this module
- PowerShellVersion = '7.3.4'
-
- # Name of the PowerShell host required by this module
- # PowerShellHostName = ''
-
- # Minimum version of the PowerShell host required by this module
- # PowerShellHostVersion = ''
-
- # Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
- # DotNetFrameworkVersion = ''
-
- # Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
- # ClrVersion = ''
-
- # Processor architecture (None, X86, Amd64) required by this module
- # ProcessorArchitecture = ''
-
- # Modules that must be imported into the global environment prior to importing this module
- # RequiredModules = @()
-
- # Assemblies that must be loaded prior to importing this module
- # RequiredAssemblies = @()
-
- # Script files (.ps1) that are run in the caller's environment prior to importing this module.
- # ScriptsToProcess = @()
-
- # Type files (.ps1xml) to be loaded when importing this module
- # TypesToProcess = @()
-
- # Format files (.ps1xml) to be loaded when importing this module
- # FormatsToProcess = @()
-
- # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
- NestedModules = @('Confirm-SystemCompliance.psm1', 'Protect-WindowsSecurity.psm1')
-
- # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
- FunctionsToExport = @('Confirm-SystemCompliance', 'Protect-WindowsSecurity')
-
- # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
- CmdletsToExport = @('Confirm-SystemCompliance', 'Protect-WindowsSecurity')
-
- # Variables to export from this module
- VariablesToExport = '*'
-
- # Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export.
- AliasesToExport = @()
-
- # DSC resources to export from this module
- # DscResourcesToExport = @()
-
- # List of all modules packaged with this module
- # ModuleList = @()
-
- # List of all files packaged with this module
- FileList = @('Harden-Windows-Security-Module.psd1', 'Confirm-SystemCompliance.psm1', 'Protect-WindowsSecurity.psm1')
-
- # Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.
- PrivateData = @{
-
- PSData = @{
-
- # Tags applied to this module. These help with module discovery in online galleries.
- Tags = @('Harden-Windows-Security', 'Harden', 'Windows', 'Security', 'Compliance', 'Validation', 'Baseline', 'Security-Score', 'Benchmark', 'Group-Policy')
-
- # A URL to the license for this module.
- LicenseUri = 'https://github.com/HotCakeX/.github/blob/main/LICENSE'
-
- # A URL to the main website for this project.
- ProjectUri = 'https://github.com/HotCakeX/Harden-Windows-Security'
-
- # A URL to an icon representing this module.
- IconUri = 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security%20Module/PowerShell%20Gallery%20Icon/Peach%20Small.png'
-
- # ReleaseNotes of this module
- ReleaseNotes = @"
-
-## Version 0.0.7
-Changed the Hyper-V Administrators security group members detection from using name to SID to make it compatible with non-English system locales.
-Improved the code security and readability by adding explicit types to many variables and using single quotes instead of double quotes wherever possible.
-
-## Version 0.0.6
-Fixed the URL for Group-Policies.json
-
-## Version 0.0.5
-Small update to improve the auto-updating mechanism
-
-## Version 0.0.4
-Updated the Compliance checks to include changes in the following Harden Windows Security update:
-https://github.com/HotCakeX/Harden-Windows-Security/releases/tag/v2023.08.08
-Changed Windows Firewall category from using cmdlets to Group policy xml parsing
-
-## Version 0.0.3
-Updated the Compliance checks to include changes in the following Harden Windows Security update:
-https://github.com/HotCakeX/Harden-Windows-Security/releases/tag/v2023.08.04
-
-## Version 0.0.2
-Added self-updating mechanism
-Added all the missing categories such as Optional Windows Features category and Top Security category
-Added Bitlocker DMA protection check
-Fixed the CSV output to stop repeating the headers for each category
-Improved the ASCII arts and their colors
-Added Total number of checks to the output
-Improved the displayed output to include checks that do not output bool value by adding an extra property called Compliant to each item
-Improved the module's PowerShell gallery page (Description, image)
-Added a new optional parameter called "-DetailedDisplay" to show the output in a detailed list instead of the default table format
-
-## Version 0.0.1
-First release
-
-"@
-
- # Prerelease string of this module
- # Prerelease = ''
-
- # Flag to indicate whether the module requires explicit user acceptance for install/update/save
- # RequireLicenseAcceptance = $false
-
- # External dependent modules of this module
- # ExternalModuleDependencies = @()
-
- } # End of PSData hashtable
-
- } # End of PrivateData hashtable
-
- # HelpInfo URI of this module
- HelpInfoURI = 'https://github.com/HotCakeX/Harden-Windows-Security'
-
- # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
- # DefaultCommandPrefix = ''
-
-}
diff --git a/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Misc/Only Show Group Policy Data.ps1 b/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Misc/Only Show Group Policy Data.ps1
deleted file mode 100644
index 483e5011b..000000000
--- a/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Misc/Only Show Group Policy Data.ps1
+++ /dev/null
@@ -1,88 +0,0 @@
-
-# Load the xml file into a variable
-$GroupPolicyXmlContent = [xml](Get-Content -Path ".\GPResult.xml" -ErrorAction Stop)
-
-
-# An array to store each Group Policy "<q6:Policy>" element as a separate object
-$PoliciesOutput = @()
-# Use dot notation to access the Group Policy elements
-$GroupPolicyXmlContent.Rsop.ComputerResults.ExtensionData.Extension.Policy | Where-Object { $null -ne $_.name } | ForEach-Object {
- # All the sub-elements of the "<q6:Policy>" that we need to verify
- $PoliciesOutput += [PSCustomObject]@{
- Name = $_.Name
- State = $_.State
- Category = $_.Category
- DropDownListName = $_.DropDownList.Name
- DropDownListState = $_.DropDownList.State
- DropDownListValue = $_.DropDownList.Value.Name
- CheckboxName = $_.Checkbox.Name
- CheckboxState = $_.Checkbox.State
- Numeric = $_.Numeric
- NumericName = $_.Numeric.Name
- NumericState = $_.Numeric.State
- NumericValue = $_.Numeric.Value
- ListBox = $_.ListBox
- ListBoxName = $_.ListBox.Name
- ListBoxState = $_.ListBox.State
- ListBoxExplicitValue = $_.ListBox.ExplicitValue
- ListBoxAdditive = $_.ListBox.Additive
- ListBoxValue = $_.ListBox.Value
- MultiTextName = $_.MultiText.Name
- MultiTextState = $_.MultiText.State
- MultiTextValue = $_.MultiText.Value
- EditTextName = $_.EditText.Name
- EditTextState = $_.EditText.State
- EditTextValue = $_.EditText.Value
- }
-}
-
-
-# Shows the Group Policies policies
-# $PoliciesOutput
-
-# An array to store Group Policy Firewall settings as an object
-$FirewallPoliciesOutput = @()
-# Use dot notation to access the Group Policy elements - sometimes the type is q4 or q3 or q7, so using wildcard for the number
-$FirewallGroupPolicySettings = $GroupPolicyXmlContent.Rsop.ComputerResults.ExtensionData.Extension | Where-Object { $_.type -like 'q*:WindowsFirewallSettings' }
-
-$FirewallPoliciesOutput += [PSCustomObject]@{
- GlobalSettingsPolicyVersion = $FirewallGroupPolicySettings.GlobalSettings.PolicyVersion.Value
-
- DomainDefaultInboundAction = $FirewallGroupPolicySettings.DomainProfile.DefaultInboundAction.value
- DomainDefaultOutboundAction = $FirewallGroupPolicySettings.DomainProfile.DefaultOutboundAction.value
- DomainDisableNotifications = $FirewallGroupPolicySettings.DomainProfile.DisableNotifications.value
- DomainDoNotAllowExceptions = $FirewallGroupPolicySettings.DomainProfile.DoNotAllowExceptions.value
- DomainEnableFirewall = $FirewallGroupPolicySettings.DomainProfile.EnableFirewall.value
- DomainLogFilePath = $FirewallGroupPolicySettings.DomainProfile.LogFilePath.value
- DomainLogFileSize = $FirewallGroupPolicySettings.DomainProfile.LogFileSize.value
- DomainLogDroppedPackets = $FirewallGroupPolicySettings.DomainProfile.LogDroppedPackets.value
- DomainLogSuccessfulConnections = $FirewallGroupPolicySettings.DomainProfile.LogSuccessfulConnections.value
-
- PublicAllowLocalIPsecPolicyMerge = $FirewallGroupPolicySettings.PublicProfile.AllowLocalIPsecPolicyMerge.value
- PublicAllowLocalPolicyMerge = $FirewallGroupPolicySettings.PublicProfile.AllowLocalPolicyMerge.value
- PublicDefaultInboundAction = $FirewallGroupPolicySettings.PublicProfile.DefaultInboundAction.value
- PublicDefaultOutboundAction = $FirewallGroupPolicySettings.PublicProfile.DefaultOutboundAction.value
- PublicDisableNotifications = $FirewallGroupPolicySettings.PublicProfile.DisableNotifications.value
- PublicDoNotAllowExceptions = $FirewallGroupPolicySettings.PublicProfile.DoNotAllowExceptions.value
- PublicEnableFirewall = $FirewallGroupPolicySettings.PublicProfile.EnableFirewall.value
- PublicLogFilePath = $FirewallGroupPolicySettings.PublicProfile.LogFilePath.value
- PublicLogFileSize = $FirewallGroupPolicySettings.PublicProfile.LogFileSize.value
- PublicLogDroppedPackets = $FirewallGroupPolicySettings.PublicProfile.LogDroppedPackets.value
- PublicLogSuccessfulConnections = $FirewallGroupPolicySettings.PublicProfile.LogSuccessfulConnections.value
-
- #PrivateAllowLocalIPsecPolicyMerge = $FirewallGroupPolicySettings.PrivateProfile.AllowLocalIPsecPolicyMerge.value
- # PrivateAllowLocalPolicyMerge = $FirewallGroupPolicySettings.PrivateProfile.AllowLocalPolicyMerge.value
- PrivateDefaultInboundAction = $FirewallGroupPolicySettings.PrivateProfile.DefaultInboundAction.value
- PrivateDefaultOutboundAction = $FirewallGroupPolicySettings.PrivateProfile.DefaultOutboundAction.value
- PrivateDisableNotifications = $FirewallGroupPolicySettings.PrivateProfile.DisableNotifications.value
- # PrivateDoNotAllowExceptions = $FirewallGroupPolicySettings.PrivateProfile.DoNotAllowExceptions.value
- PrivateEnableFirewall = $FirewallGroupPolicySettings.PrivateProfile.EnableFirewall.value
- PrivateLogFilePath = $FirewallGroupPolicySettings.PrivateProfile.LogFilePath.value
- PrivateLogFileSize = $FirewallGroupPolicySettings.PrivateProfile.LogFileSize.value
- PrivateLogDroppedPackets = $FirewallGroupPolicySettings.PrivateProfile.LogDroppedPackets.value
- PrivateLogSuccessfulConnections = $FirewallGroupPolicySettings.PrivateProfile.LogSuccessfulConnections.value
-}
-
-
-# Shows the Group Policies Firewall settings/policies
-$FirewallPoliciesOutput
diff --git a/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Misc/only show Registry count and content.ps1 b/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Misc/only show Registry count and content.ps1
deleted file mode 100644
index 35f7fd94a..000000000
--- a/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Misc/only show Registry count and content.ps1
+++ /dev/null
@@ -1,21 +0,0 @@
-cls
-
-# Load the xml file into a variable
-$xml = [xml](Get-Content -Path ".\GPResult.xml")
-
-# An array to store each Group Policy as a separate object
-$RegistryOutput = @()
-# Use dot notation to access the Policy element
-$xml.Rsop.ComputerResults.ExtensionData.Extension.RegistrySetting | Where-Object { $null -ne $_.Value.Name } | ForEach-Object {
-
- $RegistryOutput += [PSCustomObject]@{
- KeyPath = $_.KeyPath
- Name = $_.Value.Name
- Number = $_.Value.Number
- }
-}
-
-$RegistryOutput
-
-$RegistryOutput.Count
-
diff --git a/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Protect-WindowsSecurity.psm1 b/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Protect-WindowsSecurity.psm1
deleted file mode 100644
index 694e4ea86..000000000
--- a/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/Protect-WindowsSecurity.psm1
+++ /dev/null
@@ -1,29 +0,0 @@
-Function Protect-WindowsSecurity {
-
- Invoke-RestMethod 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1' -OutFile .\Harden-Windows-Security.ps1
- try {
- .\Harden-Windows-Security.ps1
- }
- finally {
- # Will delete the script after it's done when Exit is selected or CTRL + C is pressed
- Remove-Item -Path .\Harden-Windows-Security.ps1 -Force
- }
-
- <#
-.SYNOPSIS
-Downloads and runs the Harden Windows Security PowerShell script from the official repository
-
-.LINK
-https://github.com/HotCakeX/Harden-Windows-Security
-
-.DESCRIPTION
-Downloads and runs the Harden Windows Security PowerShell script from the official repository
-
-.COMPONENT
-PowerShell
-
-.FUNCTIONALITY
-Downloads and runs the Harden Windows Security PowerShell script from the official repository
-
-#>
-}
diff --git a/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/version.txt b/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/version.txt
deleted file mode 100644
index 5c4511c36..000000000
--- a/Harden-Windows-Security Module/Misc/[Old] Using Group Policies parsing - keeping for historical purposes/version.txt
+++ /dev/null
@@ -1 +0,0 @@
-0.0.7
\ No newline at end of file
From 4cbea76199f1c297ef6aaa91017278230832a4b5 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Wed, 13 Dec 2023 02:08:27 -0930
Subject: [PATCH 22/79] typo fixes
---
.../Main files/Harden-Windows-Security.ps1 | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
index 8a080b365..e58e535cb 100644
--- a/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
@@ -1342,7 +1342,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-SmartText -C MintGreen -G Green -I "`nPINs matched, enabling TPM and startup PIN now`n"
}
catch {
- Write-Host -Object 'These errors occured, run Bitlocker category again after meeting the requirements' -ForegroundColor Red
+ Write-Host -Object 'These errors occurred, run Bitlocker category again after meeting the requirements' -ForegroundColor Red
$_
break BitLockerCategoryLabel
}
@@ -1380,7 +1380,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod 'XtsAes256' -Pin $Pin -TpmAndPinProtector -SkipHardwareTest -ErrorAction Stop *> $null
}
catch {
- Write-Host -Object 'These errors occured, run Bitlocker category again after meeting the requirements' -ForegroundColor Red
+ Write-Host -Object 'These errors occurred, run Bitlocker category again after meeting the requirements' -ForegroundColor Red
$_
break BitLockerCategoryLabel
}
@@ -2496,7 +2496,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
#endregion Non-Admin-Commands
}
catch {
- # Throw whatever error that occured
+ # Throw whatever error that occurred
Throw $_
}
finally {
From eafe2ca7850bf7713d1225475ce3b4cb1e95b2e5 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Wed, 13 Dec 2023 02:14:27 -0930
Subject: [PATCH 23/79] Fixed typos
---
.../Main files/Confirm-SystemCompliance.psm1 | 2 +-
Harden-Windows-Security Module/Main files/Functions.ps1 | 2 +-
.../Main files/Resources/Registry resources.csv | 4 ++--
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1 b/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
index 1a0fa3fb9..f934349b3 100644
--- a/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
+++ b/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
@@ -1804,7 +1804,7 @@ function Confirm-SystemCompliance {
# Counting the number of $True Compliant values in the Final Output Object
[System.Int64]$TotalTrueCompliantValuesInOutPut = ($FinalMegaObject.'Microsoft Defender' | Where-Object -FilterScript { $_.Compliant -eq $True }).Count + # 49 - 4x(N/A) = 45
[System.Int64]($FinalMegaObject.ASR | Where-Object -FilterScript { $_.Compliant -eq $True }).Count + # 17
- [System.Int64]($FinalMegaObject.Bitlocker | Where-Object -FilterScript { $_.Compliant -eq $True }).Count + # 22 + Number of Non-OS drives which are dynamicly increased
+ [System.Int64]($FinalMegaObject.Bitlocker | Where-Object -FilterScript { $_.Compliant -eq $True }).Count + # 22 + Number of Non-OS drives which are dynamically increased
[System.Int64]($FinalMegaObject.TLS | Where-Object -FilterScript { $_.Compliant -eq $True }).Count + # 21
[System.Int64]($FinalMegaObject.LockScreen | Where-Object -FilterScript { $_.Compliant -eq $True }).Count + # 14
[System.Int64]($FinalMegaObject.UAC | Where-Object -FilterScript { $_.Compliant -eq $True }).Count + # 4
diff --git a/Harden-Windows-Security Module/Main files/Functions.ps1 b/Harden-Windows-Security Module/Main files/Functions.ps1
index 9fe0c4974..10acde620 100644
--- a/Harden-Windows-Security Module/Main files/Functions.ps1
+++ b/Harden-Windows-Security Module/Main files/Functions.ps1
@@ -52,7 +52,7 @@ function Update-self {
Add-MpPreference -ControlledFolderAccessAllowedApplications $FilePath
}
- # Do this if the module was installed properly using Install-moodule cmdlet
+ # Do this if the module was installed properly using Install-module cmdlet
Uninstall-Module -Name 'Harden-Windows-Security-Module' -AllVersions -Force
Install-Module -Name 'Harden-Windows-Security-Module' -RequiredVersion $LatestVersion -Force
Import-Module -Name 'Harden-Windows-Security-Module' -RequiredVersion $LatestVersion -Force -Global
diff --git a/Harden-Windows-Security Module/Main files/Resources/Registry resources.csv b/Harden-Windows-Security Module/Main files/Resources/Registry resources.csv
index 7d4e2acc0..cba2b1b60 100644
--- a/Harden-Windows-Security Module/Main files/Resources/Registry resources.csv
+++ b/Harden-Windows-Security Module/Main files/Resources/Registry resources.csv
@@ -53,7 +53,7 @@ Origin,Category,Key,Name,FriendlyName,Type,Value
"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,RDVNoBitLockerToGoReader,Do not install BitLocker To Go Reader on FAT formatted removable drives,DWORD,0
"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,MinimumPIN,Configure minimum PIN length for startup,DWORD,10
"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,ACSettingIndex,Disallow standby states (S1-S3) when sleeping (plugged in),DWORD,0
-"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,DCSettingIndex,Disllow standby states (S1-S3) when sleeping (on battery),DWORD,0
+"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,DCSettingIndex,Disallow standby states (S1-S3) when sleeping (on battery),DWORD,0
"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer,ShowHibernateOption,Show Hibernate Option,DWORD,1
"Group Policy","TLS",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002,Functions,Configure the correct TLS Cipher Suites,SZ,"TLS_CHACHA20_POLY1305_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client,DisabledByDefault,Disable TLS 1.0 client,DWORD,1
@@ -113,7 +113,7 @@ Origin,Category,Key,Name,FriendlyName,Type,Value
"Group Policy","Windows Networking",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient,EnableMulticast,Disable Multicast,DWORD,0
"Group Policy","Windows Networking",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers,DisableHTTPPrinting,Disable HTTP Printing,DWORD,1
"Group Policy","Windows Networking",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers,DisableWebPnPDownload,Disable Web PnP Download,DWORD,1
-"Group Policy","Miscellaneous",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions,MitigationOptions_FontBocking,Block untrusted fonts,SZ,1000000000000
+"Group Policy","Miscellaneous",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions,MitigationOptions_FontBlocking,Block untrusted fonts,SZ,1000000000000
"Group Policy","Miscellaneous",HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,Include command line in process creation events,DWORD,1
"Group Policy","Miscellaneous",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LocationAndSensors,DisableLocation,Disable Location,DWORD,1
"Group Policy","Miscellaneous",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LocationAndSensors,DisableLocationScripting,Disable Location Scripting,DWORD,1
From 3ef8a7f76407f5b63724ebae7f5611daaba41f85 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Wed, 13 Dec 2023 02:23:30 -0930
Subject: [PATCH 24/79] Added positional parameter names
And fixed variable name casings
---
.../Main files/Confirm-SystemCompliance.psm1 | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1 b/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
index f934349b3..766e2fa5c 100644
--- a/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
+++ b/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
@@ -693,15 +693,15 @@ function Confirm-SystemCompliance {
# ECC Curves
[System.Object[]]$ECCCurves = Get-TlsEccCurve
- [System.Object[]]$list = ('nistP521', 'curve25519', 'NistP384', 'NistP256')
+ [System.Object[]]$List = ('nistP521', 'curve25519', 'NistP384', 'NistP256')
# Make sure both arrays are completely identical in terms of members and their exact position
# If this variable is empty that means both arrays are completely identical
- $IndividualItemResult = Compare-Object $ECCCurves $list -SyncWindow 0
+ $IndividualItemResult = Compare-Object -ReferenceObject $ECCCurves -DifferenceObject $List -SyncWindow 0
$NestedObjectArray += [PSCustomObject]@{
FriendlyName = 'ECC Curves and their positions'
Compliant = [System.Boolean]($IndividualItemResult ? $false : $True)
- Value = $list
+ Value = $List
Name = 'ECC Curves and their positions'
Category = $CatName
Method = 'Cmdlet'
@@ -1092,7 +1092,7 @@ function Confirm-SystemCompliance {
# Check network location of all connections to see if they are public
$Condition = Get-NetConnectionProfile | ForEach-Object -Process { $_.NetworkCategory -eq 'public' }
- [System.Boolean]$IndividualItemResult = -NOT ($condition -contains $false) ? $True : $false
+ [System.Boolean]$IndividualItemResult = -NOT ($Condition -contains $false) ? $True : $false
# Verify a Security setting using Cmdlet
$NestedObjectArray += [PSCustomObject]@{
From 3057b651f5934a8a1120e5b086e0a020e73aec1f Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Wed, 13 Dec 2023 04:16:55 -0930
Subject: [PATCH 25/79] Added workspace file to Harden-Windows-Security
---
...den-Windows-Security Module.code-workspace | 31 +++++++++++++++++++
.../Main files/Unprotect-WindowsSecurity.psm1 | 12 ++++---
.../Invoke-Harden-Windows-Security.ps1 | 10 ++++++
3 files changed, 48 insertions(+), 5 deletions(-)
create mode 100644 Harden-Windows-Security Module/Harden-Windows-Security Module.code-workspace
create mode 100644 Harden-Windows-Security Module/Utilities/Invoke-Harden-Windows-Security.ps1
diff --git a/Harden-Windows-Security Module/Harden-Windows-Security Module.code-workspace b/Harden-Windows-Security Module/Harden-Windows-Security Module.code-workspace
new file mode 100644
index 000000000..7337c0326
--- /dev/null
+++ b/Harden-Windows-Security Module/Harden-Windows-Security Module.code-workspace
@@ -0,0 +1,31 @@
+{
+ "folders": [
+ {
+ "path": "."
+ }
+ ],
+ "settings": {
+ "powershell.codeFormatting.autoCorrectAliases": true,
+ "powershell.codeFormatting.avoidSemicolonsAsLineTerminators": true,
+ "powershell.codeFormatting.trimWhitespaceAroundPipe": true,
+ "powershell.codeFormatting.useConstantStrings": true,
+ "powershell.codeFormatting.useCorrectCasing": true,
+ "powershell.codeFormatting.whitespaceBetweenParameters": true
+ },
+ "extensions": {
+ "recommendations": [
+ "ms-vscode.powershell"
+ ]
+ },
+ "launch": {
+ "version": "0.2.0",
+ "configurations": [
+ {
+ "name": "Debug",
+ "request": "launch",
+ "type": "PowerShell",
+ "script": "${workspaceFolder}/Utilities/Invoke-Harden-Windows-Security.ps1"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1 b/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
index e1e769bf0..af0cf5661 100644
--- a/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
+++ b/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
@@ -1,10 +1,12 @@
Function Unprotect-WindowsSecurity {
- [CmdletBinding()]
+ [CmdletBinding(
+ SupportsShouldProcess = $true,
+ PositionalBinding = $false,
+ ConfirmImpact = 'High'
+ )]
param (
[Parameter(Mandatory = $false)]
- [switch]$OnlyProcessMitigations,
- [Parameter(Mandatory = $false, DontShow = $True)]
- $DummyParam
+ [System.Management.Automation.SwitchParameter]$OnlyProcessMitigations
)
# Stop the execution when there is an error
$global:ErrorActionPreference = 'Stop'
@@ -242,4 +244,4 @@ Function Unprotect-WindowsSecurity {
}
# Set PSReadline tab completion to complete menu for easier access to available parameters - Only for the current session
-Set-PSReadLineKeyHandler -Key Tab -Function MenuComplete
\ No newline at end of file
+Set-PSReadLineKeyHandler -Key Tab -Function MenuComplete
diff --git a/Harden-Windows-Security Module/Utilities/Invoke-Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Utilities/Invoke-Harden-Windows-Security.ps1
new file mode 100644
index 000000000..a69d91a5a
--- /dev/null
+++ b/Harden-Windows-Security Module/Utilities/Invoke-Harden-Windows-Security.ps1
@@ -0,0 +1,10 @@
+# This file is for launching Harden-Windows-Security module in VS Code so that it can attach its debugger to the process
+
+# Get the current folder of this script file
+[System.String]$ScriptFilePath = ($MyInvocation.MyCommand.path | Split-Path -Parent)
+
+# Import the module into the current scope using the relative path of the module itself
+Import-Module -FullyQualifiedName "$ScriptFilePath\..\Main files\Harden-Windows-Security-Module.psd1" -Force
+
+# Uncomment and replace with any cmdlet of the Harden-Windows-Security module that is going to be debugged
+Unprotect-WindowsSecurity
From 4ef2732c280d3aa106a6f19d3ef813936997b957 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Wed, 13 Dec 2023 11:37:12 -0930
Subject: [PATCH 26/79] Improved Unprotect-WindowsSecurity cmdlet
---
.../Main files/Unprotect-WindowsSecurity.psm1 | 312 +++++++++---------
1 file changed, 160 insertions(+), 152 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1 b/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
index af0cf5661..e28c4aa10 100644
--- a/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
+++ b/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
@@ -8,27 +8,27 @@ Function Unprotect-WindowsSecurity {
[Parameter(Mandatory = $false)]
[System.Management.Automation.SwitchParameter]$OnlyProcessMitigations
)
- # Stop the execution when there is an error
- $global:ErrorActionPreference = 'Stop'
- # Fetching Temp Directory
- [System.String]$global:CurrentUserTempDirectoryPath = [System.IO.Path]::GetTempPath()
+ begin {
+ # Stop the execution when there is an error
+ $ErrorActionPreference = 'Stop'
- # Makes sure this cmdlet is invoked with Admin privileges
- if ().IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
- Throw [System.Security.AccessControl.PrivilegeNotHeldException] 'Administrator'
- }
+ # Import functions
+ . "$psscriptroot\Functions.ps1"
+
+ # Fetching Temp Directory
+ [System.String]$CurrentUserTempDirectoryPath = [System.IO.Path]::GetTempPath()
- # Import functions
- . "$psscriptroot\Functions.ps1"
+ # Makes sure this cmdlet is invoked with Admin privileges
+ if ().IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
+ Throw [System.Security.AccessControl.PrivilegeNotHeldException] 'Administrator'
+ }
- # Custom colors
- [scriptblock]$WriteFuchsia = { Write-Host -Object "$($PSStyle.Foreground.FromRGB(236,68,155))$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteOrange = { Write-Host -Object "$($PSStyle.Foreground.FromRGB(255,165,0))$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteMintGreen = { Write-Host -Object "$($PSStyle.Foreground.FromRGB(152,255,152))$($args[0])$($PSStyle.Reset)" }
+ # Defining custom colors script blocks
+ [System.Management.Automation.ScriptBlock]$WriteFuchsia = { Write-Host -Object "$($PSStyle.Foreground.FromRGB(236,68,155))$($args[0])$($PSStyle.Reset)" }
+ [System.Management.Automation.ScriptBlock]$WriteOrange = { Write-Host -Object "$($PSStyle.Foreground.FromRGB(255,165,0))$($args[0])$($PSStyle.Reset)" }
+ [System.Management.Automation.ScriptBlock]$WriteMintGreen = { Write-Host -Object "$($PSStyle.Foreground.FromRGB(152,255,152))$($args[0])$($PSStyle.Reset)" }
- # Only run this if -OnlyProcessMitigations parameter is passed
- if (!$OnlyProcessMitigations) {
&$WriteOrange "`r`n"
&$WriteOrange "###############################################################################################`r`n"
&$WriteMintGreen "## This Will Remove the Hardening Measures Applied by the Protect-WindowsSecurity Cmdlet ##`r`n"
@@ -36,193 +36,203 @@ Function Unprotect-WindowsSecurity {
# Give user a chance to exit if they accidentally ran this
Pause
+
+ # The total number of the steps for the parent/main progress bar to render
+ [System.Int16]$TotalMainSteps = 7
+ [System.Int16]$CurrentMainStep = 0
}
- # doing a try-finally block on the entire script so that when CTRL + C is pressed to forcefully exit the script,
- # or break is passed, clean up will still happen for secure exit
- try {
+ process {
- Write-Progress -Activity 'Backing up Controlled Folder Access exclusion list' -Status 'Processing' -PercentComplete 10
+ # doing a try-finally block on the entire script so that when CTRL + C is pressed to forcefully exit the script,
+ # or break is passed, clean up will still happen for secure exit
+ try {
- # backup the current allowed apps list in Controlled folder access in order to restore them at the end of the script
- # doing this so that when we Add and then Remove PowerShell executables in Controlled folder access exclusions
- # no user customization will be affected
- [System.String[]]$CFAAllowedAppsBackup = (Get-MpPreference).ControlledFolderAccessAllowedApplications
+ $CurrentMainStep++
+ Write-Progress -Id 0 -Activity 'Backing up Controlled Folder Access exclusion list' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
- # Temporarily allow the currently running PowerShell executables to the Controlled Folder Access allowed apps
- # so that the script can run without interruption. This change is reverted at the end.
- foreach ($FilePath in (Get-ChildItem -Path "$PSHOME\*.exe" -File).FullName) {
- Add-MpPreference -ControlledFolderAccessAllowedApplications $FilePath
- }
+ # backup the current allowed apps list in Controlled folder access in order to restore them at the end of the script
+ # doing this so that when we Add and then Remove PowerShell executables in Controlled folder access exclusions
+ # no user customization will be affected
+ [System.String[]]$CFAAllowedAppsBackup = (Get-MpPreference).ControlledFolderAccessAllowedApplications
- Start-Sleep -Seconds 3
+ # Temporarily allow the currently running PowerShell executables to the Controlled Folder Access allowed apps
+ # so that the script can run without interruption. This change is reverted at the end.
+ foreach ($FilePath in (Get-ChildItem -Path "$PSHOME\*.exe" -File).FullName) {
+ Add-MpPreference -ControlledFolderAccessAllowedApplications $FilePath
+ }
- # create our working directory
- New-Item -ItemType Directory -Path "$global:CurrentUserTempDirectoryPath\HardeningXStuff\" -Force | Out-Null
+ Start-Sleep -Seconds 3
- # working directory assignment
- [System.IO.DirectoryInfo]$WorkingDir = "$global:CurrentUserTempDirectoryPath\HardeningXStuff\"
+ # create our working directory
+ Write-Verbose -Message "Creating a working directory at $CurrentUserTempDirectoryPath\HardeningXStuff\"
+ New-Item -ItemType Directory -Path "$CurrentUserTempDirectoryPath\HardeningXStuff\" -Force | Out-Null
- # change location to the new directory
- Set-Location -Path $WorkingDir
+ # working directory assignment
+ [System.IO.DirectoryInfo]$WorkingDir = "$CurrentUserTempDirectoryPath\HardeningXStuff\"
- # Clean up script block
- [scriptblock]$CleanUp = { Set-Location -Path $HOME; Remove-Item -Recurse "$global:CurrentUserTempDirectoryPath\HardeningXStuff\" -Force; exit }
+ # change location to the new directory
+ Write-Verbose -Message "Changing location to $WorkingDir"
+ Set-Location -Path $WorkingDir
- Write-Progress -Activity 'Downloading the required files' -Status 'Processing' -PercentComplete 30
+ $CurrentMainStep++
+ Write-Progress -Id 0 -Activity 'Downloading the required files' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
- try {
- # Download Registry CSV file from GitHub or Azure DevOps
try {
- Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Payload/Registry.csv' -OutFile '.\Registry.csv' -ProgressAction SilentlyContinue
- }
- catch {
- Write-Host -Object 'Using Azure DevOps...' -ForegroundColor Yellow
- Invoke-WebRequest -Uri 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Payload/Registry.csv' -OutFile '.\Registry.csv' -ProgressAction SilentlyContinue
- }
+ # Download Registry CSV file from GitHub or Azure DevOps
+ try {
+ Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Payload/Registry.csv' -OutFile '.\Registry.csv' -ProgressAction SilentlyContinue
+ }
+ catch {
+ Write-Host -Object 'Using Azure DevOps...' -ForegroundColor Yellow
+ Invoke-WebRequest -Uri 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Payload/Registry.csv' -OutFile '.\Registry.csv' -ProgressAction SilentlyContinue
+ }
- # Download Process Mitigations CSV file from GitHub or Azure DevOps
- try {
- Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Payload/ProcessMitigations.csv' -OutFile '.\ProcessMitigations.csv' -ProgressAction SilentlyContinue
+ # Download Process Mitigations CSV file from GitHub or Azure DevOps
+ try {
+ Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Payload/ProcessMitigations.csv' -OutFile '.\ProcessMitigations.csv' -ProgressAction SilentlyContinue
+ }
+ catch {
+ Write-Host -Object 'Using Azure DevOps...' -ForegroundColor Yellow
+ Invoke-WebRequest -Uri 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Payload/ProcessMitigations.csv' -OutFile '.\ProcessMitigations.csv' -ProgressAction SilentlyContinue
+ }
}
catch {
- Write-Host -Object 'Using Azure DevOps...' -ForegroundColor Yellow
- Invoke-WebRequest -Uri 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Payload/ProcessMitigations.csv' -OutFile '.\ProcessMitigations.csv' -ProgressAction SilentlyContinue
+ Throw 'The required files could not be downloaded, Make sure you have Internet connection.'
}
- }
- catch {
- Write-Error "The required files couldn't be downloaded, Make sure you have Internet connection."
- &$CleanUp
- }
- # Only run this if -OnlyProcessMitigations parameter is NOT passed
- if (!$OnlyProcessMitigations) {
+ # Disable Mandatory ASLR
+ Set-ProcessMitigation -System -Disable ForceRelocateImages
- Write-Progress -Activity 'Deleting all group policies' -Status 'Processing' -PercentComplete 45
+ # Remove Process Mitigations
- if (Test-Path -Path 'C:\Windows\System32\GroupPolicy') {
- Remove-Item -Path 'C:\Windows\System32\GroupPolicy' -Recurse -Force
- }
+ [System.Object[]]$ProcessMitigations = Import-Csv -Path '.\ProcessMitigations.csv' -Delimiter ','
+ # Group the data by ProgramName
+ [System.Object[]]$GroupedMitigations = $ProcessMitigations | Group-Object -Property ProgramName
+ [System.Object[]]$AllAvailableMitigations = (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*')
- Write-Progress -Activity 'Deleting all the registry keys created by the Protect-WindowsSecurity cmdlet' -Status 'Processing' -PercentComplete 60
+ $CurrentMainStep++
+ Write-Progress -Id 0 -Activity 'Removing Process Mitigations for apps' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
- [System.Object[]]$Items = Import-Csv -Path '.\Registry.csv' -Delimiter ','
- foreach ($Item in $Items) {
- if (Test-Path -Path $item.path) {
- Remove-ItemProperty -Path $Item.path -Name $Item.key -Force -ErrorAction SilentlyContinue
+ # Loop through each group
+ foreach ($Group in $GroupedMitigations) {
+ # To separate the filename from full path of the item in the CSV and then check whether it exists in the system registry
+ if ($Group.Name -match '\\([^\\]+)$') {
+ if ($Matches[1] -in $AllAvailableMitigations.pschildname) {
+ Remove-Item -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$($Matches[1])" -Recurse -Force
+ }
+ }
+ elseif ($Group.Name -in $AllAvailableMitigations.pschildname) {
+ Remove-Item -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$($Group.Name)" -Recurse -Force
}
}
- # To completely remove the Edge policy since only its sub-keys are removed by the command above
- Remove-Item -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList' -Force -Recurse -ErrorAction SilentlyContinue
+ # Skip these if the user only wants to remove the Process Mitigations
+ if (!$OnlyProcessMitigations) {
- # Restore Security group policies back to their default states
+ $CurrentMainStep++
+ Write-Progress -Id 0 -Activity 'Deleting all group policies' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
- Write-Progress -Activity 'Restoring the default Security group policies' -Status 'Processing' -PercentComplete 70
+ if (Test-Path -Path 'C:\Windows\System32\GroupPolicy') {
+ Remove-Item -Path 'C:\Windows\System32\GroupPolicy' -Recurse -Force
+ }
- # Download LGPO program from Microsoft servers
- Invoke-WebRequest -Uri 'https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/LGPO.zip' -OutFile '.\LGPO.zip' -ProgressAction SilentlyContinue
+ $CurrentMainStep++
+ Write-Progress -Id 0 -Activity 'Deleting all the registry keys created by the Protect-WindowsSecurity cmdlet' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
- # unzip the LGPO file
- Expand-Archive -Path .\LGPO.zip -DestinationPath .\ -Force
- .\'LGPO_30\LGPO.exe' /q /s "$psscriptroot\Resources\Default Security Policy.inf"
+ [System.Object[]]$Items = Import-Csv -Path '.\Registry.csv' -Delimiter ','
+ foreach ($Item in $Items) {
+ if (Test-Path -Path $item.path) {
+ Remove-ItemProperty -Path $Item.path -Name $Item.key -Force -ErrorAction SilentlyContinue
+ }
+ }
- # Enable LMHOSTS lookup protocol on all network adapters again
- Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' -Name 'EnableLMHOSTS' -Value '1' -Type DWord
+ # To completely remove the Edge policy since only its sub-keys are removed by the command above
+ Remove-Item -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList' -Force -Recurse -ErrorAction SilentlyContinue
- # Disable restart notification for Windows update
- Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings' -Name 'RestartNotificationsAllowed2' -Value '0' -Type DWord
+ # Restore Security group policies back to their default states
- # Re-enables the XblGameSave Standby Task that gets disabled by Microsoft Security Baselines
- SCHTASKS.EXE /Change /TN \Microsoft\XblGameSave\XblGameSaveTask /Enable | Out-Null
+ $CurrentMainStep++
+ Write-Progress -Id 0 -Activity 'Restoring the default Security group policies' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
- Write-Progress -Activity 'Restoring Microsoft Defender configs back to their default states' -Status 'Processing' -PercentComplete 80
+ # Download LGPO program from Microsoft servers
+ Invoke-WebRequest -Uri 'https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/LGPO.zip' -OutFile '.\LGPO.zip' -ProgressAction SilentlyContinue
- # Disable the advanced new security features of the Microsoft Defender
- Set-MpPreference -AllowSwitchToAsyncInspection $False
- Set-MpPreference -OobeEnableRtpAndSigUpdate $False
- Set-MpPreference -IntelTDTEnabled $False
- Set-MpPreference -DisableRestorePoint $True
- Set-MpPreference -PerformanceModeStatus Enabled
- Set-MpPreference -EnableConvertWarnToBlock $False
- # Set Microsoft Defender engine and platform update channels to NotConfigured State
- Set-MpPreference -EngineUpdatesChannel NotConfigured
- Set-MpPreference -PlatformUpdatesChannel NotConfigured
- }
+ # unzip the LGPO file
+ Expand-Archive -Path .\LGPO.zip -DestinationPath .\ -Force
+ .\'LGPO_30\LGPO.exe' /q /s "$psscriptroot\Resources\Default Security Policy.inf"
- # Disable Mandatory ASLR
- Set-ProcessMitigation -System -Disable ForceRelocateImages
+ # Enable LMHOSTS lookup protocol on all network adapters again
+ Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' -Name 'EnableLMHOSTS' -Value '1' -Type DWord
- # Remove Process Mitigations
+ # Disable restart notification for Windows update
+ Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings' -Name 'RestartNotificationsAllowed2' -Value '0' -Type DWord
- [System.Object[]]$ProcessMitigations = Import-Csv -Path '.\ProcessMitigations.csv' -Delimiter ','
- # Group the data by ProgramName
- [System.Object[]]$GroupedMitigations = $ProcessMitigations | Group-Object -Property ProgramName
- [System.Object[]]$AllAvailableMitigations = (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*')
+ # Re-enables the XblGameSave Standby Task that gets disabled by Microsoft Security Baselines
+ SCHTASKS.EXE /Change /TN \Microsoft\XblGameSave\XblGameSaveTask /Enable | Out-Null
- Write-Progress -Activity 'Removing Process Mitigations for apps' -Status 'Processing' -PercentComplete 90
+ $CurrentMainStep++
+ Write-Progress -Id 0 -Activity 'Restoring Microsoft Defender configs back to their default states' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
- # Loop through each group
- foreach ($Group in $GroupedMitigations) {
- # To separate the filename from full path of the item in the CSV and then check whether it exists in the system registry
- if ($Group.Name -match '\\([^\\]+)$') {
- if ($Matches[1] -in $AllAvailableMitigations.pschildname) {
- Remove-Item -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$($Matches[1])" -Recurse -Force
- }
- }
- elseif ($Group.Name -in $AllAvailableMitigations.pschildname) {
- Remove-Item -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$($Group.Name)" -Recurse -Force
- }
- }
+ # Disable the advanced new security features of the Microsoft Defender
+ Set-MpPreference -AllowSwitchToAsyncInspection $False
+ Set-MpPreference -OobeEnableRtpAndSigUpdate $False
+ Set-MpPreference -IntelTDTEnabled $False
+ Set-MpPreference -DisableRestorePoint $True
+ Set-MpPreference -PerformanceModeStatus Enabled
+ Set-MpPreference -EnableConvertWarnToBlock $False
+ # Set Microsoft Defender engine and platform update channels to NotConfigured State
+ Set-MpPreference -EngineUpdatesChannel NotConfigured
+ Set-MpPreference -PlatformUpdatesChannel NotConfigured
- # Only run this if -OnlyProcessMitigations parameter is NOT passed
- if (!$OnlyProcessMitigations) {
+ # Set Data Execution Prevention (DEP) back to its default value
+ Set-BcdElement -Element 'nx' -Type 'Integer' -Value '0'
- # Set Data Execution Prevention (DEP) back to its default value
- Set-BcdElement -Element 'nx' -Type 'Integer' -Value '0'
+ # Remove the scheduled task that keeps the Microsoft recommended driver block rules updated
- # Remove the scheduled task that keeps the Microsoft recommended driver block rules updated
+ # Define the name and path of the task
+ [System.String]$taskName = 'MSFT Driver Block list update'
+ [System.String]$taskPath = '\MSFT Driver Block list update\'
- # Define the name and path of the task
- [System.String]$taskName = 'MSFT Driver Block list update'
- [System.String]$taskPath = '\MSFT Driver Block list update\'
+ Write-Verbose -Message "Removing the scheduled task $taskName"
+ if (Get-ScheduledTask -TaskName $taskName -TaskPath $taskPath -ErrorAction SilentlyContinue) {
+ Unregister-ScheduledTask -TaskName $taskName -TaskPath $taskPath -Confirm:$false | Out-Null
+ }
- if (Get-ScheduledTask -TaskName $taskName -TaskPath $taskPath -ErrorAction SilentlyContinue) {
- Unregister-ScheduledTask -TaskName $taskName -TaskPath $taskPath -Confirm:$false | Out-Null
- }
+ # Enables Multicast DNS (mDNS) UDP-in Firewall Rules for all 3 Firewall profiles
+ Get-NetFirewallRule |
+ Where-Object -FilterScript { $_.RuleGroup -eq '@%SystemRoot%\system32\firewallapi.dll,-37302' -and $_.Direction -eq 'inbound' } |
+ ForEach-Object -Process { Enable-NetFirewallRule -DisplayName $_.DisplayName }
- # Enables Multicast DNS (mDNS) UDP-in Firewall Rules for all 3 Firewall profiles
- Get-NetFirewallRule |
- Where-Object -FilterScript { $_.RuleGroup -eq '@%SystemRoot%\system32\firewallapi.dll,-37302' -and $_.Direction -eq 'inbound' } |
- ForEach-Object -Process { Enable-NetFirewallRule -DisplayName $_.DisplayName }
+ # Remove any custom views added by this script for Event Viewer
+ if (Test-Path -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script') {
+ Remove-Item -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script' -Recurse -Force
+ }
- # Remove any custom views added by this script for Event Viewer
- if (Test-Path -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script') {
- Remove-Item -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script' -Recurse -Force
+ # Set a tattooed Group policy for Svchost.exe process mitigations back to disabled state
+ Set-ItemProperty -Path 'Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SCMConfig' -Name 'EnableSvchostMitigationPolicy' -Value '0' -Force -Type 'DWord' -ErrorAction SilentlyContinue
}
+ &$WriteFuchsia 'Operation Completed, please restart your computer.'
}
+ finally {
+ # End the progress bar and mark it as completed
+ Write-Progress -Id 0 -Activity 'Completed' -Completed
- # Set a tattooed Group policy for Svchost.exe process mitigations back to disabled state
- Set-ItemProperty -Path 'Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SCMConfig' -Name 'EnableSvchostMitigationPolicy' -Value '0' -Force -Type 'DWord' -ErrorAction SilentlyContinue
-
- Write-Progress -Activity 'Complete' -Status 'Complete' -PercentComplete 100
+ # Reverting the PowerShell executables allow listings in Controlled folder access
+ foreach ($FilePath in (Get-ChildItem -Path "$PSHOME\*.exe" -File).FullName) {
+ Remove-MpPreference -ControlledFolderAccessAllowedApplications $FilePath
+ }
- &$WriteFuchsia 'Operation Completed, please restart your computer.'
- }
- finally {
- # Reverting the PowerShell executables allow listings in Controlled folder access
- foreach ($FilePath in (Get-ChildItem -Path "$PSHOME\*.exe" -File).FullName) {
- Remove-MpPreference -ControlledFolderAccessAllowedApplications $FilePath
- }
+ # restoring the original Controlled folder access allow list - if user already had added PowerShell executables to the list
+ # they will be restored as well, so user customization will remain intact
+ if ($null -ne $CFAAllowedAppsBackup) {
+ Set-MpPreference -ControlledFolderAccessAllowedApplications $CFAAllowedAppsBackup
+ }
- # restoring the original Controlled folder access allow list - if user already had added PowerShell executables to the list
- # they will be restored as well, so user customization will remain intact
- if ($null -ne $CFAAllowedAppsBackup) {
- Set-MpPreference -ControlledFolderAccessAllowedApplications $CFAAllowedAppsBackup
+ # Remove the working directory
+ Set-Location -Path $HOME; Remove-Item -Recurse -Path "$CurrentUserTempDirectoryPath\HardeningXStuff\" -Force -ErrorAction SilentlyContinue
}
-
- Set-Location -Path $HOME; Remove-Item -Recurse -Path "$global:CurrentUserTempDirectoryPath\HardeningXStuff\" -Force -ErrorAction SilentlyContinue
}
<#
@@ -238,8 +248,6 @@ Function Unprotect-WindowsSecurity {
Removes the hardening measures applied by Protect-WindowsSecurity cmdlet
.PARAMETER OnlyProcessMitigations
Only removes the Process Mitigations / Exploit Protection settings and doesn't change anything else
-.PARAMETER DummyParam
- To hide PowerShell common parameters that clutter parameter auto completion menu
#>
}
From 2ee3caf516bc82ff92d8d841bd04ccb3f4a500ac Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Wed, 13 Dec 2023 12:08:26 -0930
Subject: [PATCH 27/79] Added native ConfirmImpact check
---
.../Main files/Unprotect-WindowsSecurity.psm1 | 316 +++++++++---------
1 file changed, 157 insertions(+), 159 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1 b/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
index e28c4aa10..747b76d9b 100644
--- a/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
+++ b/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
@@ -1,12 +1,13 @@
Function Unprotect-WindowsSecurity {
[CmdletBinding(
SupportsShouldProcess = $true,
- PositionalBinding = $false,
ConfirmImpact = 'High'
)]
param (
[Parameter(Mandatory = $false)]
- [System.Management.Automation.SwitchParameter]$OnlyProcessMitigations
+ [System.Management.Automation.SwitchParameter]$OnlyProcessMitigations,
+ [Parameter(Mandatory = $false)]
+ [System.Management.Automation.SwitchParameter]$Force
)
begin {
@@ -24,214 +25,211 @@ Function Unprotect-WindowsSecurity {
Throw [System.Security.AccessControl.PrivilegeNotHeldException] 'Administrator'
}
- # Defining custom colors script blocks
- [System.Management.Automation.ScriptBlock]$WriteFuchsia = { Write-Host -Object "$($PSStyle.Foreground.FromRGB(236,68,155))$($args[0])$($PSStyle.Reset)" }
- [System.Management.Automation.ScriptBlock]$WriteOrange = { Write-Host -Object "$($PSStyle.Foreground.FromRGB(255,165,0))$($args[0])$($PSStyle.Reset)" }
- [System.Management.Automation.ScriptBlock]$WriteMintGreen = { Write-Host -Object "$($PSStyle.Foreground.FromRGB(152,255,152))$($args[0])$($PSStyle.Reset)" }
-
- &$WriteOrange "`r`n"
- &$WriteOrange "###############################################################################################`r`n"
- &$WriteMintGreen "## This Will Remove the Hardening Measures Applied by the Protect-WindowsSecurity Cmdlet ##`r`n"
- &$WriteOrange "###############################################################################################`r`n"
-
- # Give user a chance to exit if they accidentally ran this
- Pause
-
# The total number of the steps for the parent/main progress bar to render
[System.Int16]$TotalMainSteps = 7
[System.Int16]$CurrentMainStep = 0
+
+ # do not prompt for confirmation if the -Force switch is used
+ # if both -Force and -Confirm switches are used, the prompt for confirmation will still be correctly shown
+ if ($Force -and -Not $Confirm) {
+ $ConfirmPreference = 'None'
+ }
}
process {
+ # Prompt for confirmation before proceeding
+ if ($PSCmdlet.ShouldProcess('This PC', 'Removing the Hardening Measures Applied by the Protect-WindowsSecurity Cmdlet')) {
- # doing a try-finally block on the entire script so that when CTRL + C is pressed to forcefully exit the script,
- # or break is passed, clean up will still happen for secure exit
- try {
+ # doing a try-finally block on the entire script so that when CTRL + C is pressed to forcefully exit the script,
+ # or break is passed, clean up will still happen for secure exit
+ try {
- $CurrentMainStep++
- Write-Progress -Id 0 -Activity 'Backing up Controlled Folder Access exclusion list' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
+ $CurrentMainStep++
+ Write-Progress -Id 0 -Activity 'Backing up Controlled Folder Access exclusion list' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
- # backup the current allowed apps list in Controlled folder access in order to restore them at the end of the script
- # doing this so that when we Add and then Remove PowerShell executables in Controlled folder access exclusions
- # no user customization will be affected
- [System.String[]]$CFAAllowedAppsBackup = (Get-MpPreference).ControlledFolderAccessAllowedApplications
+ # backup the current allowed apps list in Controlled folder access in order to restore them at the end of the script
+ # doing this so that when we Add and then Remove PowerShell executables in Controlled folder access exclusions
+ # no user customization will be affected
+ [System.String[]]$CFAAllowedAppsBackup = (Get-MpPreference).ControlledFolderAccessAllowedApplications
- # Temporarily allow the currently running PowerShell executables to the Controlled Folder Access allowed apps
- # so that the script can run without interruption. This change is reverted at the end.
- foreach ($FilePath in (Get-ChildItem -Path "$PSHOME\*.exe" -File).FullName) {
- Add-MpPreference -ControlledFolderAccessAllowedApplications $FilePath
- }
+ # Temporarily allow the currently running PowerShell executables to the Controlled Folder Access allowed apps
+ # so that the script can run without interruption. This change is reverted at the end.
+ foreach ($FilePath in (Get-ChildItem -Path "$PSHOME\*.exe" -File).FullName) {
+ Add-MpPreference -ControlledFolderAccessAllowedApplications $FilePath
+ }
- Start-Sleep -Seconds 3
+ Start-Sleep -Seconds 3
- # create our working directory
- Write-Verbose -Message "Creating a working directory at $CurrentUserTempDirectoryPath\HardeningXStuff\"
- New-Item -ItemType Directory -Path "$CurrentUserTempDirectoryPath\HardeningXStuff\" -Force | Out-Null
+ # create our working directory
+ Write-Verbose -Message "Creating a working directory at $CurrentUserTempDirectoryPath\HardeningXStuff\"
+ New-Item -ItemType Directory -Path "$CurrentUserTempDirectoryPath\HardeningXStuff\" -Force | Out-Null
- # working directory assignment
- [System.IO.DirectoryInfo]$WorkingDir = "$CurrentUserTempDirectoryPath\HardeningXStuff\"
+ # working directory assignment
+ [System.IO.DirectoryInfo]$WorkingDir = "$CurrentUserTempDirectoryPath\HardeningXStuff\"
- # change location to the new directory
- Write-Verbose -Message "Changing location to $WorkingDir"
- Set-Location -Path $WorkingDir
+ # change location to the new directory
+ Write-Verbose -Message "Changing location to $WorkingDir"
+ Set-Location -Path $WorkingDir
- $CurrentMainStep++
- Write-Progress -Id 0 -Activity 'Downloading the required files' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
+ $CurrentMainStep++
+ Write-Progress -Id 0 -Activity 'Downloading the required files' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
- try {
- # Download Registry CSV file from GitHub or Azure DevOps
try {
- Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Payload/Registry.csv' -OutFile '.\Registry.csv' -ProgressAction SilentlyContinue
+ # Download Registry CSV file from GitHub or Azure DevOps
+ try {
+ Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Payload/Registry.csv' -OutFile '.\Registry.csv' -ProgressAction SilentlyContinue
+ }
+ catch {
+ Write-Host -Object 'Using Azure DevOps...' -ForegroundColor Yellow
+ Invoke-WebRequest -Uri 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Payload/Registry.csv' -OutFile '.\Registry.csv' -ProgressAction SilentlyContinue
+ }
+
+ # Download Process Mitigations CSV file from GitHub or Azure DevOps
+ try {
+ Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Payload/ProcessMitigations.csv' -OutFile '.\ProcessMitigations.csv' -ProgressAction SilentlyContinue
+ }
+ catch {
+ Write-Host -Object 'Using Azure DevOps...' -ForegroundColor Yellow
+ Invoke-WebRequest -Uri 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Payload/ProcessMitigations.csv' -OutFile '.\ProcessMitigations.csv' -ProgressAction SilentlyContinue
+ }
}
catch {
- Write-Host -Object 'Using Azure DevOps...' -ForegroundColor Yellow
- Invoke-WebRequest -Uri 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Payload/Registry.csv' -OutFile '.\Registry.csv' -ProgressAction SilentlyContinue
+ Throw 'The required files could not be downloaded, Make sure you have Internet connection.'
}
- # Download Process Mitigations CSV file from GitHub or Azure DevOps
- try {
- Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Payload/ProcessMitigations.csv' -OutFile '.\ProcessMitigations.csv' -ProgressAction SilentlyContinue
- }
- catch {
- Write-Host -Object 'Using Azure DevOps...' -ForegroundColor Yellow
- Invoke-WebRequest -Uri 'https://dev.azure.com/SpyNetGirl/011c178a-7b92-462b-bd23-2c014528a67e/_apis/git/repositories/5304fef0-07c0-4821-a613-79c01fb75657/items?path=/Payload/ProcessMitigations.csv' -OutFile '.\ProcessMitigations.csv' -ProgressAction SilentlyContinue
+ # Disable Mandatory ASLR
+ Set-ProcessMitigation -System -Disable ForceRelocateImages
+
+ #region Remove-Process-Mitigations
+ [System.Object[]]$ProcessMitigations = Import-Csv -Path '.\ProcessMitigations.csv' -Delimiter ','
+ # Group the data by ProgramName
+ [System.Object[]]$GroupedMitigations = $ProcessMitigations | Group-Object -Property ProgramName
+ [System.Object[]]$AllAvailableMitigations = (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*')
+
+ $CurrentMainStep++
+ Write-Progress -Id 0 -Activity 'Removing Process Mitigations for apps' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
+
+ # Loop through each group
+ foreach ($Group in $GroupedMitigations) {
+ # To separate the filename from full path of the item in the CSV and then check whether it exists in the system registry
+ if ($Group.Name -match '\\([^\\]+)$') {
+ if ($Matches[1] -in $AllAvailableMitigations.pschildname) {
+ Remove-Item -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$($Matches[1])" -Recurse -Force
+ }
+ }
+ elseif ($Group.Name -in $AllAvailableMitigations.pschildname) {
+ Remove-Item -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$($Group.Name)" -Recurse -Force
+ }
}
- }
- catch {
- Throw 'The required files could not be downloaded, Make sure you have Internet connection.'
- }
+ #endregion Remove-Process-Mitigations
- # Disable Mandatory ASLR
- Set-ProcessMitigation -System -Disable ForceRelocateImages
+ # Skip these if the user only wants to remove the Process Mitigations
+ if (!$OnlyProcessMitigations) {
- # Remove Process Mitigations
+ $CurrentMainStep++
+ Write-Progress -Id 0 -Activity 'Deleting all group policies' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
- [System.Object[]]$ProcessMitigations = Import-Csv -Path '.\ProcessMitigations.csv' -Delimiter ','
- # Group the data by ProgramName
- [System.Object[]]$GroupedMitigations = $ProcessMitigations | Group-Object -Property ProgramName
- [System.Object[]]$AllAvailableMitigations = (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*')
+ if (Test-Path -Path 'C:\Windows\System32\GroupPolicy') {
+ Remove-Item -Path 'C:\Windows\System32\GroupPolicy' -Recurse -Force
+ }
- $CurrentMainStep++
- Write-Progress -Id 0 -Activity 'Removing Process Mitigations for apps' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
+ $CurrentMainStep++
+ Write-Progress -Id 0 -Activity 'Deleting all the registry keys created by the Protect-WindowsSecurity cmdlet' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
- # Loop through each group
- foreach ($Group in $GroupedMitigations) {
- # To separate the filename from full path of the item in the CSV and then check whether it exists in the system registry
- if ($Group.Name -match '\\([^\\]+)$') {
- if ($Matches[1] -in $AllAvailableMitigations.pschildname) {
- Remove-Item -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$($Matches[1])" -Recurse -Force
+ [System.Object[]]$Items = Import-Csv -Path '.\Registry.csv' -Delimiter ','
+ foreach ($Item in $Items) {
+ if (Test-Path -Path $item.path) {
+ Remove-ItemProperty -Path $Item.path -Name $Item.key -Force -ErrorAction SilentlyContinue
+ }
}
- }
- elseif ($Group.Name -in $AllAvailableMitigations.pschildname) {
- Remove-Item -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$($Group.Name)" -Recurse -Force
- }
- }
- # Skip these if the user only wants to remove the Process Mitigations
- if (!$OnlyProcessMitigations) {
+ # To completely remove the Edge policy since only its sub-keys are removed by the command above
+ Remove-Item -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList' -Force -Recurse -ErrorAction SilentlyContinue
- $CurrentMainStep++
- Write-Progress -Id 0 -Activity 'Deleting all group policies' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
+ # Restore Security group policies back to their default states
- if (Test-Path -Path 'C:\Windows\System32\GroupPolicy') {
- Remove-Item -Path 'C:\Windows\System32\GroupPolicy' -Recurse -Force
- }
+ $CurrentMainStep++
+ Write-Progress -Id 0 -Activity 'Restoring the default Security group policies' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
- $CurrentMainStep++
- Write-Progress -Id 0 -Activity 'Deleting all the registry keys created by the Protect-WindowsSecurity cmdlet' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
+ # Download LGPO program from Microsoft servers
+ Invoke-WebRequest -Uri 'https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/LGPO.zip' -OutFile '.\LGPO.zip' -ProgressAction SilentlyContinue
- [System.Object[]]$Items = Import-Csv -Path '.\Registry.csv' -Delimiter ','
- foreach ($Item in $Items) {
- if (Test-Path -Path $item.path) {
- Remove-ItemProperty -Path $Item.path -Name $Item.key -Force -ErrorAction SilentlyContinue
- }
- }
+ # unzip the LGPO file
+ Expand-Archive -Path .\LGPO.zip -DestinationPath .\ -Force
+ .\'LGPO_30\LGPO.exe' /q /s "$psscriptroot\Resources\Default Security Policy.inf"
- # To completely remove the Edge policy since only its sub-keys are removed by the command above
- Remove-Item -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList' -Force -Recurse -ErrorAction SilentlyContinue
+ # Enable LMHOSTS lookup protocol on all network adapters again
+ Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' -Name 'EnableLMHOSTS' -Value '1' -Type DWord
- # Restore Security group policies back to their default states
+ # Disable restart notification for Windows update
+ Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings' -Name 'RestartNotificationsAllowed2' -Value '0' -Type DWord
- $CurrentMainStep++
- Write-Progress -Id 0 -Activity 'Restoring the default Security group policies' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
+ # Re-enables the XblGameSave Standby Task that gets disabled by Microsoft Security Baselines
+ SCHTASKS.EXE /Change /TN \Microsoft\XblGameSave\XblGameSaveTask /Enable | Out-Null
- # Download LGPO program from Microsoft servers
- Invoke-WebRequest -Uri 'https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/LGPO.zip' -OutFile '.\LGPO.zip' -ProgressAction SilentlyContinue
+ $CurrentMainStep++
+ Write-Progress -Id 0 -Activity 'Restoring Microsoft Defender configs back to their default states' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
- # unzip the LGPO file
- Expand-Archive -Path .\LGPO.zip -DestinationPath .\ -Force
- .\'LGPO_30\LGPO.exe' /q /s "$psscriptroot\Resources\Default Security Policy.inf"
+ # Disable the advanced new security features of the Microsoft Defender
+ Set-MpPreference -AllowSwitchToAsyncInspection $False
+ Set-MpPreference -OobeEnableRtpAndSigUpdate $False
+ Set-MpPreference -IntelTDTEnabled $False
+ Set-MpPreference -DisableRestorePoint $True
+ Set-MpPreference -PerformanceModeStatus Enabled
+ Set-MpPreference -EnableConvertWarnToBlock $False
+ # Set Microsoft Defender engine and platform update channels to NotConfigured State
+ Set-MpPreference -EngineUpdatesChannel NotConfigured
+ Set-MpPreference -PlatformUpdatesChannel NotConfigured
- # Enable LMHOSTS lookup protocol on all network adapters again
- Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' -Name 'EnableLMHOSTS' -Value '1' -Type DWord
+ # Set Data Execution Prevention (DEP) back to its default value
+ Set-BcdElement -Element 'nx' -Type 'Integer' -Value '0'
- # Disable restart notification for Windows update
- Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings' -Name 'RestartNotificationsAllowed2' -Value '0' -Type DWord
+ # Remove the scheduled task that keeps the Microsoft recommended driver block rules updated
- # Re-enables the XblGameSave Standby Task that gets disabled by Microsoft Security Baselines
- SCHTASKS.EXE /Change /TN \Microsoft\XblGameSave\XblGameSaveTask /Enable | Out-Null
+ # Define the name and path of the task
+ [System.String]$taskName = 'MSFT Driver Block list update'
+ [System.String]$taskPath = '\MSFT Driver Block list update\'
- $CurrentMainStep++
- Write-Progress -Id 0 -Activity 'Restoring Microsoft Defender configs back to their default states' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
-
- # Disable the advanced new security features of the Microsoft Defender
- Set-MpPreference -AllowSwitchToAsyncInspection $False
- Set-MpPreference -OobeEnableRtpAndSigUpdate $False
- Set-MpPreference -IntelTDTEnabled $False
- Set-MpPreference -DisableRestorePoint $True
- Set-MpPreference -PerformanceModeStatus Enabled
- Set-MpPreference -EnableConvertWarnToBlock $False
- # Set Microsoft Defender engine and platform update channels to NotConfigured State
- Set-MpPreference -EngineUpdatesChannel NotConfigured
- Set-MpPreference -PlatformUpdatesChannel NotConfigured
-
- # Set Data Execution Prevention (DEP) back to its default value
- Set-BcdElement -Element 'nx' -Type 'Integer' -Value '0'
-
- # Remove the scheduled task that keeps the Microsoft recommended driver block rules updated
-
- # Define the name and path of the task
- [System.String]$taskName = 'MSFT Driver Block list update'
- [System.String]$taskPath = '\MSFT Driver Block list update\'
-
- Write-Verbose -Message "Removing the scheduled task $taskName"
- if (Get-ScheduledTask -TaskName $taskName -TaskPath $taskPath -ErrorAction SilentlyContinue) {
- Unregister-ScheduledTask -TaskName $taskName -TaskPath $taskPath -Confirm:$false | Out-Null
- }
+ Write-Verbose -Message "Removing the scheduled task $taskName"
+ if (Get-ScheduledTask -TaskName $taskName -TaskPath $taskPath -ErrorAction SilentlyContinue) {
+ Unregister-ScheduledTask -TaskName $taskName -TaskPath $taskPath -Confirm:$false | Out-Null
+ }
+
+ # Enables Multicast DNS (mDNS) UDP-in Firewall Rules for all 3 Firewall profiles
+ Get-NetFirewallRule |
+ Where-Object -FilterScript { $_.RuleGroup -eq '@%SystemRoot%\system32\firewallapi.dll,-37302' -and $_.Direction -eq 'inbound' } |
+ ForEach-Object -Process { Enable-NetFirewallRule -DisplayName $_.DisplayName }
- # Enables Multicast DNS (mDNS) UDP-in Firewall Rules for all 3 Firewall profiles
- Get-NetFirewallRule |
- Where-Object -FilterScript { $_.RuleGroup -eq '@%SystemRoot%\system32\firewallapi.dll,-37302' -and $_.Direction -eq 'inbound' } |
- ForEach-Object -Process { Enable-NetFirewallRule -DisplayName $_.DisplayName }
+ # Remove any custom views added by this script for Event Viewer
+ if (Test-Path -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script') {
+ Remove-Item -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script' -Recurse -Force
+ }
- # Remove any custom views added by this script for Event Viewer
- if (Test-Path -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script') {
- Remove-Item -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script' -Recurse -Force
+ # Set a tattooed Group policy for Svchost.exe process mitigations back to disabled state
+ Set-ItemProperty -Path 'Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SCMConfig' -Name 'EnableSvchostMitigationPolicy' -Value '0' -Force -Type 'DWord' -ErrorAction SilentlyContinue
}
- # Set a tattooed Group policy for Svchost.exe process mitigations back to disabled state
- Set-ItemProperty -Path 'Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SCMConfig' -Name 'EnableSvchostMitigationPolicy' -Value '0' -Force -Type 'DWord' -ErrorAction SilentlyContinue
+ # Write in Fuchsia
+ Write-Host -Object "$($PSStyle.Foreground.FromRGB(236,68,155))Operation Completed, please restart your computer.$($PSStyle.Reset)"
}
+ finally {
+ # End the progress bar and mark it as completed
+ Write-Progress -Id 0 -Activity 'Completed' -Completed
- &$WriteFuchsia 'Operation Completed, please restart your computer.'
- }
- finally {
- # End the progress bar and mark it as completed
- Write-Progress -Id 0 -Activity 'Completed' -Completed
+ # Reverting the PowerShell executables allow listings in Controlled folder access
+ foreach ($FilePath in (Get-ChildItem -Path "$PSHOME\*.exe" -File).FullName) {
+ Remove-MpPreference -ControlledFolderAccessAllowedApplications $FilePath
+ }
- # Reverting the PowerShell executables allow listings in Controlled folder access
- foreach ($FilePath in (Get-ChildItem -Path "$PSHOME\*.exe" -File).FullName) {
- Remove-MpPreference -ControlledFolderAccessAllowedApplications $FilePath
- }
+ # restoring the original Controlled folder access allow list - if user already had added PowerShell executables to the list
+ # they will be restored as well, so user customization will remain intact
+ if ($null -ne $CFAAllowedAppsBackup) {
+ Set-MpPreference -ControlledFolderAccessAllowedApplications $CFAAllowedAppsBackup
+ }
- # restoring the original Controlled folder access allow list - if user already had added PowerShell executables to the list
- # they will be restored as well, so user customization will remain intact
- if ($null -ne $CFAAllowedAppsBackup) {
- Set-MpPreference -ControlledFolderAccessAllowedApplications $CFAAllowedAppsBackup
+ # Remove the working directory
+ Set-Location -Path $HOME; Remove-Item -Recurse -Path "$CurrentUserTempDirectoryPath\HardeningXStuff\" -Force -ErrorAction SilentlyContinue
}
-
- # Remove the working directory
- Set-Location -Path $HOME; Remove-Item -Recurse -Path "$CurrentUserTempDirectoryPath\HardeningXStuff\" -Force -ErrorAction SilentlyContinue
}
}
From 636fc4f6ac3e9ee97e7c030b9c45675cd049a062 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Wed, 13 Dec 2023 12:30:12 -0930
Subject: [PATCH 28/79] Improved function help and set cmdlet param values
---
.../Main files/Unprotect-WindowsSecurity.psm1 | 26 ++++++++++++++++++-
1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1 b/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
index 747b76d9b..a8b398ec2 100644
--- a/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
+++ b/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
@@ -17,6 +17,12 @@ Function Unprotect-WindowsSecurity {
# Import functions
. "$psscriptroot\Functions.ps1"
+ # Defining default parameters for cmdlets
+ $PSDefaultParameterValues = @{
+ 'Invoke-WebRequest:HttpVersion' = '3.0'
+ 'Invoke-WebRequest:SslProtocol' = 'Tls12,Tls13'
+ }
+
# Fetching Temp Directory
[System.String]$CurrentUserTempDirectoryPath = [System.IO.Path]::GetTempPath()
@@ -209,7 +215,7 @@ Function Unprotect-WindowsSecurity {
Set-ItemProperty -Path 'Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SCMConfig' -Name 'EnableSvchostMitigationPolicy' -Value '0' -Force -Type 'DWord' -ErrorAction SilentlyContinue
}
- # Write in Fuchsia
+ # Write in Fuchsia color
Write-Host -Object "$($PSStyle.Foreground.FromRGB(236,68,155))Operation Completed, please restart your computer.$($PSStyle.Reset)"
}
finally {
@@ -246,6 +252,24 @@ Function Unprotect-WindowsSecurity {
Removes the hardening measures applied by Protect-WindowsSecurity cmdlet
.PARAMETER OnlyProcessMitigations
Only removes the Process Mitigations / Exploit Protection settings and doesn't change anything else
+.PARAMETER Force
+ Suppresses the confirmation prompt
+.EXAMPLE
+ Unprotect-WindowsSecurity
+
+ Removes all of the security features applied by the Protect-WindowsSecurity cmdlet
+.EXAMPLE
+ Unprotect-WindowsSecurity -OnlyProcessMitigations
+
+ Removes only the Process Mitigations / Exploit Protection settings and doesn't change anything else
+.EXAMPLE
+ Unprotect-WindowsSecurity -Force
+
+ Removes all of the security features applied by the Protect-WindowsSecurity cmdlet without prompting for confirmation
+.INPUTS
+ System.Management.Automation.SwitchParameter
+.OUTPUTS
+ System.String
#>
}
From f2c3de47a732ba6ba1b796929f7caa0fa82886a6 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Wed, 13 Dec 2023 12:55:44 -0930
Subject: [PATCH 29/79] Improved function help sections
---
.../Main files/Confirm-SystemCompliance.psm1 | 66 ++++++++++++-------
.../Main files/Functions.ps1 | 2 +
.../Invoke-Harden-Windows-Security.ps1 | 2 +-
3 files changed, 45 insertions(+), 25 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1 b/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
index 766e2fa5c..b3798eb86 100644
--- a/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
+++ b/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
@@ -4,6 +4,8 @@ function ConvertFrom-IniFile {
<#
.SYNOPSIS
A function to parse the ini file from the output of the "Secedit /export /cfg .\security_policy.inf"
+ .PARAMETER IniFile
+ The path to the ini file
.INPUTS
System.String
.OUTPUTS
@@ -50,9 +52,7 @@ function Confirm-SystemCompliance {
[parameter(Mandatory = $false)]
[System.Management.Automation.SwitchParameter]$ShowAsObjectsOnly,
[parameter(Mandatory = $false)]
- [System.Management.Automation.SwitchParameter]$DetailedDisplay,
- [Parameter(Mandatory = $false, DontShow = $True)]
- $DummyParam
+ [System.Management.Automation.SwitchParameter]$DetailedDisplay
)
begin {
# Stop operation as soon as there is an error anywhere, unless explicitly specified otherwise
@@ -110,10 +110,30 @@ function Confirm-SystemCompliance {
# An object to store the FINAL results
$FinalMegaObject = [PSCustomObject]@{}
- # Function for processing each item in $AllRegistryItems for each category
function Invoke-CategoryProcessing {
+ <#
+ .SYNOPSIS
+ A helper function for processing each item in $AllRegistryItems for each category
+ .PARAMETER CatName
+ Name of the hardening category to verify
+ .PARAMETER Method
+ The method used to verify the hardening category, which can be 'Group Policy' or 'Registry Keys'
+ .INPUTS
+ System.String
+ .OUTPUTS
+ System.Object[]
+ #>
param(
- [System.String]$CatName, [System.String]$Method
+ [CmdletBinding()]
+
+ [parameter(Mandatory = $true)]
+ [ValidateNotNullOrEmpty()]
+ [System.String]$CatName,
+
+ [parameter(Mandatory = $true)]
+ [ValidateSet('Group Policy', 'Registry Keys')]
+ [ValidateNotNullOrEmpty()]
+ [System.String]$Method
)
# an array to hold the output
@@ -1271,22 +1291,22 @@ function Confirm-SystemCompliance {
else {
#Region Colors
- [scriptblock]$WritePlum = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(221,160,221))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteOrchid = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(218,112,214))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteFuchsia = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(255,0,255))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteMediumOrchid = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(186,85,211))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteMediumPurple = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(147,112,219))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteBlueViolet = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(138,43,226))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$AndroidGreen = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(176,191,26))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WritePink = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(255,192,203))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteHotPink = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(255,105,180))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteDeepPink = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(255,20,147))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteMintGreen = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(152,255,152))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteOrange = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(255,165,0))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$WriteSkyBlue = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(135,206,235))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [scriptblock]$Daffodil = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(255,255,49))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
-
- [scriptblock]$WriteRainbow1 = {
+ [System.Management.Automation.ScriptBlock]$WritePlum = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(221,160,221))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
+ [System.Management.Automation.ScriptBlock]$WriteOrchid = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(218,112,214))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
+ [System.Management.Automation.ScriptBlock]$WriteFuchsia = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(255,0,255))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
+ [System.Management.Automation.ScriptBlock]$WriteMediumOrchid = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(186,85,211))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
+ [System.Management.Automation.ScriptBlock]$WriteMediumPurple = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(147,112,219))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
+ [System.Management.Automation.ScriptBlock]$WriteBlueViolet = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(138,43,226))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
+ [System.Management.Automation.ScriptBlock]$AndroidGreen = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(176,191,26))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
+ [System.Management.Automation.ScriptBlock]$WritePink = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(255,192,203))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
+ [System.Management.Automation.ScriptBlock]$WriteHotPink = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(255,105,180))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
+ [System.Management.Automation.ScriptBlock]$WriteDeepPink = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(255,20,147))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
+ [System.Management.Automation.ScriptBlock]$WriteMintGreen = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(152,255,152))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
+ [System.Management.Automation.ScriptBlock]$WriteOrange = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(255,165,0))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
+ [System.Management.Automation.ScriptBlock]$WriteSkyBlue = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(135,206,235))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
+ [System.Management.Automation.ScriptBlock]$Daffodil = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(255,255,49))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
+
+ [System.Management.Automation.ScriptBlock]$WriteRainbow1 = {
$text = $args[0]
$colors = @(
[System.Drawing.Color]::Pink,
@@ -1306,7 +1326,7 @@ function Confirm-SystemCompliance {
Write-Output -InputObject $Output
}
- [scriptblock]$WriteRainbow2 = {
+ [System.Management.Automation.ScriptBlock]$WriteRainbow2 = {
$text = $args[0]
[System.Object[]]$colors = @(
[System.Drawing.Color]::Pink,
@@ -2016,8 +2036,6 @@ function Confirm-SystemCompliance {
Returns a nested object instead of writing strings on the PowerShell console, it can be assigned to a variable
.PARAMETER DetailedDisplay
Shows the output on the PowerShell console with more details and in the list format instead of table format
-.PARAMETER DummyParam
- To hide PowerShell common parameters that clutter parameter auto completion menu
.INPUTS
System.Management.Automation.SwitchParameter
.OUTPUTS
diff --git a/Harden-Windows-Security Module/Main files/Functions.ps1 b/Harden-Windows-Security Module/Main files/Functions.ps1
index 10acde620..a0a6ec32f 100644
--- a/Harden-Windows-Security Module/Main files/Functions.ps1
+++ b/Harden-Windows-Security Module/Main files/Functions.ps1
@@ -21,6 +21,8 @@ function Update-self {
Make sure the latest version of the module is installed and if not, automatically update it, clean up any old versions
.INPUTS
None
+ .OUTPUTS
+ System.String
#>
[System.Version]$CurrentVersion = (Test-ModuleManifest -Path "$psscriptroot\Harden-Windows-Security-Module.psd1").Version
diff --git a/Harden-Windows-Security Module/Utilities/Invoke-Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Utilities/Invoke-Harden-Windows-Security.ps1
index a69d91a5a..aa56fe51e 100644
--- a/Harden-Windows-Security Module/Utilities/Invoke-Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security Module/Utilities/Invoke-Harden-Windows-Security.ps1
@@ -7,4 +7,4 @@
Import-Module -FullyQualifiedName "$ScriptFilePath\..\Main files\Harden-Windows-Security-Module.psd1" -Force
# Uncomment and replace with any cmdlet of the Harden-Windows-Security module that is going to be debugged
-Unprotect-WindowsSecurity
+Confirm-SystemCompliance
\ No newline at end of file
From d31cf5231bc51f0bc1807d965c889ed1a0a05f56 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Wed, 13 Dec 2023 12:59:52 -0930
Subject: [PATCH 30/79] improved Secedit path
---
.../Main files/Confirm-SystemCompliance.psm1 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1 b/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
index b3798eb86..79d024016 100644
--- a/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
+++ b/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
@@ -76,7 +76,7 @@ function Confirm-SystemCompliance {
[System.Int64]$global:TotalNumberOfTrueCompliantValues = 231
# Get the security group policies
- Secedit /export /cfg .\security_policy.inf | Out-Null
+ &'C:\Windows\System32\Secedit.exe' /export /cfg .\security_policy.inf | Out-Null
# Get the current configurations and preferences of the Microsoft Defender
New-Variable -Name 'MDAVConfigCurrent' -Value (Get-MpComputerStatus) -Force
From d00a49536e1347ea3fd4b22a371fed8b9d17261a Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Wed, 13 Dec 2023 13:02:49 -0930
Subject: [PATCH 31/79] Update Confirm-SystemCompliance.psm1
---
.../Main files/Confirm-SystemCompliance.psm1 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1 b/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
index 79d024016..fa8ad3302 100644
--- a/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
+++ b/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
@@ -76,7 +76,7 @@ function Confirm-SystemCompliance {
[System.Int64]$global:TotalNumberOfTrueCompliantValues = 231
# Get the security group policies
- &'C:\Windows\System32\Secedit.exe' /export /cfg .\security_policy.inf | Out-Null
+ &"$Env:SystemDrive\Windows\System32\Secedit.exe" /export /cfg .\security_policy.inf | Out-Null
# Get the current configurations and preferences of the Microsoft Defender
New-Variable -Name 'MDAVConfigCurrent' -Value (Get-MpComputerStatus) -Force
From bd88b4f8affd3b4ac7acff578f8190f3e0739148 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Thu, 14 Dec 2023 01:42:47 -0930
Subject: [PATCH 32/79] Improved Confirm-SystemCompliance cmdlet
Improved the progress bar, code locations and removed unnecessary repeated parts
---
.../Main files/Confirm-SystemCompliance.psm1 | 264 ++++++++++--------
1 file changed, 148 insertions(+), 116 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1 b/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
index fa8ad3302..f7321c260 100644
--- a/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
+++ b/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
@@ -1,49 +1,3 @@
-# Set the progress style
-$PSStyle.Progress.Style = "$($PSStyle.Foreground.FromRGB(255,255,49))$($PSStyle.Blink)"
-function ConvertFrom-IniFile {
- <#
- .SYNOPSIS
- A function to parse the ini file from the output of the "Secedit /export /cfg .\security_policy.inf"
- .PARAMETER IniFile
- The path to the ini file
- .INPUTS
- System.String
- .OUTPUTS
- PSCustomObject
- #>
- [CmdletBinding()]
- Param ([System.String]$IniFile)
-
- # Don't prompt to continue if '-Debug' is specified.
- $DebugPreference = 'Continue'
-
- [System.Collections.Hashtable]$IniObject = @{}
- [System.String]$SectionName = ''
-
- switch -regex -file $IniFile {
- '^\[(.+)\]$' {
- # Header of the section
- $SectionName = $matches[1]
- #Write-Debug "Section: $SectionName"
- $IniObject[$SectionName] = @{}
- continue
- }
- '^(.+?)\s*=\s*(.*)$' {
- # Name/value pair
- [System.String]$KeyName, [System.String]$KeyValue = $matches[1..2]
- #Write-Debug "Name: $KeyName"
- # Write-Debug "Value: $KeyValue"
- $IniObject[$SectionName][$KeyName] = $KeyValue
- continue
- }
- default {
- # Ignore blank lines or comments
- continue
- }
- }
- return [PSCustomObject]$IniObject
-}
-
function Confirm-SystemCompliance {
[CmdletBinding()]
param (
@@ -56,60 +10,85 @@ function Confirm-SystemCompliance {
)
begin {
# Stop operation as soon as there is an error anywhere, unless explicitly specified otherwise
- $global:ErrorActionPreference = 'Stop'
+ $ErrorActionPreference = 'Stop'
+
+ # Set the progress bar style to blinking yellow
+ $PSStyle.Progress.Style = "$($PSStyle.Foreground.FromRGB(255,255,49))$($PSStyle.Blink)"
- Write-Progress -Activity 'Starting' -Status 'Processing...' -PercentComplete 5
+ # Dot-sourcing the functions.ps1 file in the current scope
+ . "$psscriptroot\Functions.ps1"
# Makes sure this cmdlet is invoked with Admin privileges
- if ().IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
+ if (-NOT (Test-IsAdmin)) {
Throw [System.Security.AccessControl.PrivilegeNotHeldException] 'Administrator'
}
- Write-Progress -Activity 'Checking for updates' -Status 'Processing...' -PercentComplete 10
-
- # Running the functions.ps1 file in the current scope
- . "$psscriptroot\Functions.ps1"
-
- Write-Progress -Activity 'Gathering Security Policy Information' -Status 'Processing...' -PercentComplete 15
-
+ #Region Defining-Variables
# Total number of Compliant values not equal to N/A
- [System.Int64]$global:TotalNumberOfTrueCompliantValues = 231
-
- # Get the security group policies
- &"$Env:SystemDrive\Windows\System32\Secedit.exe" /export /cfg .\security_policy.inf | Out-Null
+ [System.Int64]$TotalNumberOfTrueCompliantValues = 231
# Get the current configurations and preferences of the Microsoft Defender
New-Variable -Name 'MDAVConfigCurrent' -Value (Get-MpComputerStatus) -Force
New-Variable -Name 'MDAVPreferencesCurrent' -Value (Get-MpPreference) -Force
- # Storing the output of the ini file parsing function
- [PSCustomObject]$SecurityPoliciesIni = ConvertFrom-IniFile -IniFile .\security_policy.inf
-
- Write-Progress -Activity 'Importing Registry CSV File' -Status 'Processing...' -PercentComplete 20
-
- # Import the CSV file
- [System.Object[]]$CSVResource = Import-Csv -Path "$psscriptroot\Resources\Registry resources.csv"
-
# An object to hold all the initial registry items
[System.Object[]]$AllRegistryItems = @()
- # Loop through each row in the CSV file
- foreach ($Row in $CSVResource) {
- $AllRegistryItems += [PSCustomObject]@{
- FriendlyName = $Row.FriendlyName
- category = $Row.Category
- key = $Row.Key
- value = $Row.Value
- name = $Row.Name
- type = $Row.Type
- regPath = "Registry::$($Row.Key)" # Build the registry path
- Method = $Row.Origin
- }
- }
+ # Import the CSV file
+ [System.Object[]]$CSVResource = Import-Csv -Path "$psscriptroot\Resources\Registry resources.csv"
# An object to store the FINAL results
$FinalMegaObject = [PSCustomObject]@{}
+ # The total number of the steps for the parent/main progress bar to render
+ [System.Int16]$TotalMainSteps = 17
+ [System.Int16]$CurrentMainStep = 0
+ #EndRegion Defining-Variables
+
+ #Region defining-Functions
+ function ConvertFrom-IniFile {
+ <#
+ .SYNOPSIS
+ A helper function to parse the ini file from the output of the "Secedit /export /cfg .\security_policy.inf"
+ .PARAMETER IniFile
+ The path to the ini file
+ .INPUTS
+ System.String
+ .OUTPUTS
+ PSCustomObject
+ #>
+ [CmdletBinding()]
+ Param ([System.String]$IniFile)
+
+ # Don't prompt to continue if '-Debug' is specified.
+ $DebugPreference = 'Continue'
+
+ [System.Collections.Hashtable]$IniObject = @{}
+ [System.String]$SectionName = ''
+
+ switch -regex -file $IniFile {
+ '^\[(.+)\]$' {
+ # Header of the section
+ $SectionName = $matches[1]
+ #Write-Debug "Section: $SectionName"
+ $IniObject[$SectionName] = @{}
+ continue
+ }
+ '^(.+?)\s*=\s*(.*)$' {
+ # Name/value pair
+ [System.String]$KeyName, [System.String]$KeyValue = $matches[1..2]
+ #Write-Debug "Name: $KeyName"
+ # Write-Debug "Value: $KeyValue"
+ $IniObject[$SectionName][$KeyName] = $KeyValue
+ continue
+ }
+ default {
+ # Ignore blank lines or comments
+ continue
+ }
+ }
+ return [PSCustomObject]$IniObject
+ }
function Invoke-CategoryProcessing {
<#
.SYNOPSIS
@@ -194,6 +173,7 @@ function Confirm-SystemCompliance {
}
return $Output
}
+ #EndRegion defining-Functions
}
process {
@@ -205,6 +185,10 @@ function Confirm-SystemCompliance {
# backup the current allowed apps list in Controlled folder access in order to restore them at the end of the script
# doing this so that when we Add and then Remove PowerShell executables in Controlled folder access exclusions
# no user customization will be affected
+
+ $CurrentMainStep++
+ Write-Progress -Id 0 -Activity 'Backing up Controlled Folder Access exclusion list' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
+
[System.String[]]$CFAAllowedAppsBackup = (Get-MpPreference).ControlledFolderAccessAllowedApplications
# Temporarily allow the currently running PowerShell executables to the Controlled Folder Access allowed apps
@@ -214,10 +198,37 @@ function Confirm-SystemCompliance {
}
# Give the Defender internals time to process the updated exclusions list
- Start-Sleep -Seconds '3'
+ Start-Sleep -Seconds '5'
+
+ $CurrentMainStep++
+ Write-Progress -Id 0 -Activity 'Gathering Security Policy Information' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
+
+ # Get the security group policies
+ &'C:\Windows\System32\Secedit.exe' /export /cfg .\security_policy.inf | Out-Null
+
+ # Storing the output of the ini file parsing function
+ [PSCustomObject]$SecurityPoliciesIni = ConvertFrom-IniFile -IniFile .\security_policy.inf
+
+ $CurrentMainStep++
+ Write-Progress -Id 0 -Activity 'Processing the registry CSV file' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
+
+ # Loop through each row in the CSV file and add it to the $AllRegistryItems array as a custom object
+ foreach ($Row in $CSVResource) {
+ $AllRegistryItems += [PSCustomObject]@{
+ FriendlyName = $Row.FriendlyName
+ category = $Row.Category
+ key = $Row.Key
+ value = $Row.Value
+ name = $Row.Name
+ type = $Row.Type
+ regPath = "Registry::$($Row.Key)" # Build the registry path
+ Method = $Row.Origin
+ }
+ }
#Region Microsoft-Defender-Category
- Write-Progress -Activity 'Validating Microsoft Defender Category' -Status 'Processing...' -PercentComplete 35
+ $CurrentMainStep++
+ Write-Progress -Id 0 -Activity 'Validating Microsoft Defender Category' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
# An array to store the nested custom objects, inside the main output object
[System.Object[]]$NestedObjectArray = @()
@@ -306,7 +317,6 @@ function Confirm-SystemCompliance {
Method = 'Cmdlet'
}
-
[System.Collections.Hashtable]$DefenderPlatformUpdatesChannels = @{
0 = 'NotConfigured'
2 = 'Beta'
@@ -325,7 +335,6 @@ function Confirm-SystemCompliance {
Method = 'Cmdlet'
}
-
[System.Collections.Hashtable]$DefenderEngineUpdatesChannels = @{
0 = 'NotConfigured'
2 = 'Beta'
@@ -394,7 +403,9 @@ function Confirm-SystemCompliance {
#EndRegion Microsoft-Defender-Category
#Region Attack-Surface-Reduction-Rules-Category
- Write-Progress -Activity 'Validating Attack Surface Reduction Rules Category' -Status 'Processing...' -PercentComplete 40
+ $CurrentMainStep++
+ Write-Progress -Id 0 -Activity 'Validating Attack Surface Reduction Rules Category' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
+
[System.Object[]]$NestedObjectArray = @()
[System.String]$CatName = 'ASR'
@@ -465,7 +476,9 @@ function Confirm-SystemCompliance {
#EndRegion Attack-Surface-Reduction-Rules-Category
#Region Bitlocker-Category
- Write-Progress -Activity 'Validating Bitlocker Category' -Status 'Processing...' -PercentComplete 45
+ $CurrentMainStep++
+ Write-Progress -Id 0 -Activity 'Validating Bitlocker Category' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
+
[System.Object[]]$NestedObjectArray = @()
[System.String]$CatName = 'Bitlocker'
@@ -517,7 +530,7 @@ function Confirm-SystemCompliance {
}
}
'@
- Add-Type -TypeDefinition $BootDMAProtectionCheck
+ Add-Type -TypeDefinition $BootDMAProtectionCheck -Language CSharp
# Returns true or false depending on whether Kernel DMA Protection is on or off
[System.Boolean]$BootDMAProtection = ([SystemInfo.NativeMethods]::BootDmaCheck()) -ne 0
@@ -565,7 +578,7 @@ function Confirm-SystemCompliance {
}
}
else {
- $global:TotalNumberOfTrueCompliantValues--
+ $TotalNumberOfTrueCompliantValues--
}
# OS Drive encryption verifications
@@ -656,7 +669,7 @@ function Confirm-SystemCompliance {
foreach ($MountPoint in $($NonOSBitLockerVolumes | Sort-Object).MountPoint) {
# Increase the number of available compliant values for each non-OS drive that was found
- $global:TotalNumberOfTrueCompliantValues++
+ $TotalNumberOfTrueCompliantValues++
# If status is unknown, that means the non-OS volume is encrypted and locked, if it's on then it's on
if ((Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus -in 'on', 'Unknown') {
@@ -704,7 +717,9 @@ function Confirm-SystemCompliance {
#EndRegion Bitlocker-Category
#Region TLS-Category
- Write-Progress -Activity 'Validating TLS Category' -Status 'Processing...' -PercentComplete 50
+ $CurrentMainStep++
+ Write-Progress -Id 0 -Activity 'Validating TLS Category' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
+
[System.Object[]]$NestedObjectArray = @()
[System.String]$CatName = 'TLS'
@@ -735,7 +750,9 @@ function Confirm-SystemCompliance {
#EndRegion TLS-Category
#Region LockScreen-Category
- Write-Progress -Activity 'Validating Lock Screen Category' -Status 'Processing...' -PercentComplete 55
+ $CurrentMainStep++
+ Write-Progress -Id 0 -Activity 'Validating Lock Screen Category' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
+
[System.Object[]]$NestedObjectArray = @()
[System.String]$CatName = 'LockScreen'
@@ -846,7 +863,9 @@ function Confirm-SystemCompliance {
#EndRegion LockScreen-Category
#Region User-Account-Control-Category
- Write-Progress -Activity 'Validating User Account Control Category' -Status 'Processing...' -PercentComplete 60
+ $CurrentMainStep++
+ Write-Progress -Id 0 -Activity 'Validating User Account Control Category' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
+
[System.Object[]]$NestedObjectArray = @()
[System.String]$CatName = 'UAC'
@@ -909,7 +928,9 @@ function Confirm-SystemCompliance {
#EndRegion User-Account-Control-Category
#Region Device-Guard-Category
- Write-Progress -Activity 'Validating Device Guard Category' -Status 'Processing...' -PercentComplete 65
+ $CurrentMainStep++
+ Write-Progress -Id 0 -Activity 'Validating Device Guard Category' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
+
[System.Object[]]$NestedObjectArray = @()
[System.String]$CatName = 'Device Guard'
@@ -921,7 +942,9 @@ function Confirm-SystemCompliance {
#EndRegion Device-Guard-Category
#Region Windows-Firewall-Category
- Write-Progress -Activity 'Validating Windows Firewall Category' -Status 'Processing...' -PercentComplete 70
+ $CurrentMainStep++
+ Write-Progress -Id 0 -Activity 'Validating Windows Firewall Category' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
+
[System.Object[]]$NestedObjectArray = @()
[System.String]$CatName = 'Windows Firewall'
@@ -933,7 +956,9 @@ function Confirm-SystemCompliance {
#EndRegion Windows-Firewall-Category
#Region Optional-Windows-Features-Category
- Write-Progress -Activity 'Validating Optional Windows Features Category' -Status 'Processing...' -PercentComplete 75
+ $CurrentMainStep++
+ Write-Progress -Id 0 -Activity 'Validating Optional Windows Features Category' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
+
[System.Object[]]$NestedObjectArray = @()
[System.String]$CatName = 'Optional Windows Features'
@@ -1103,7 +1128,9 @@ function Confirm-SystemCompliance {
#EndRegion Optional-Windows-Features-Category
#Region Windows-Networking-Category
- Write-Progress -Activity 'Validating Windows Networking Category' -Status 'Processing...' -PercentComplete 80
+ $CurrentMainStep++
+ Write-Progress -Id 0 -Activity 'Validating Windows Networking Category' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
+
[System.Object[]]$NestedObjectArray = @()
[System.String]$CatName = 'Windows Networking'
@@ -1167,7 +1194,9 @@ function Confirm-SystemCompliance {
#EndRegion Windows-Networking-Category
#Region Miscellaneous-Category
- Write-Progress -Activity 'Validating Miscellaneous Category' -Status 'Processing...' -PercentComplete 85
+ $CurrentMainStep++
+ Write-Progress -Id 0 -Activity 'Validating Miscellaneous Category' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
+
[System.Object[]]$NestedObjectArray = @()
[System.String]$CatName = 'Miscellaneous'
@@ -1187,7 +1216,7 @@ function Confirm-SystemCompliance {
}
}
else {
- $global:TotalNumberOfTrueCompliantValues--
+ $TotalNumberOfTrueCompliantValues--
}
# Checking if all user accounts are part of the Hyper-V security Group
@@ -1224,7 +1253,9 @@ function Confirm-SystemCompliance {
#EndRegion Miscellaneous-Category
#Region Windows-Update-Category
- Write-Progress -Activity 'Validating Windows Update Category' -Status 'Processing...' -PercentComplete 90
+ $CurrentMainStep++
+ Write-Progress -Id 0 -Activity 'Validating Windows Update Category' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
+
[System.Object[]]$NestedObjectArray = @()
[System.String]$CatName = 'Windows Update'
@@ -1252,7 +1283,9 @@ function Confirm-SystemCompliance {
#EndRegion Windows-Update-Category
#Region Edge-Category
- Write-Progress -Activity 'Validating Edge Browser Category' -Status 'Processing...' -PercentComplete 95
+ $CurrentMainStep++
+ Write-Progress -Id 0 -Activity 'Validating Edge Browser Category' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
+
[System.Object[]]$NestedObjectArray = @()
[System.String]$CatName = 'Edge'
@@ -1264,7 +1297,9 @@ function Confirm-SystemCompliance {
#EndRegion Edge-Category
#Region Non-Admin-Category
- Write-Progress -Activity 'Validating Non-Admin Category' -Status 'Processing...' -PercentComplete 100
+ $CurrentMainStep++
+ Write-Progress -Id 0 -Activity 'Validating Non-Admin Category' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
+
[System.Object[]]$NestedObjectArray = @()
[System.String]$CatName = 'Non-Admin'
@@ -1980,18 +2015,20 @@ function Confirm-SystemCompliance {
#Endregion ASCII-Arts
switch ($True) {
- ($TotalTrueCompliantValuesInOutPut -in 1..40) { & $WriteRainbow2 "$WhenValue1To20`nYour compliance score is $TotalTrueCompliantValuesInOutPut out of $global:TotalNumberOfTrueCompliantValues!" }
- ($TotalTrueCompliantValuesInOutPut -in 41..80) { & $WriteRainbow1 "$WhenValue21To40`nYour compliance score is $TotalTrueCompliantValuesInOutPut out of $global:TotalNumberOfTrueCompliantValues!" }
- ($TotalTrueCompliantValuesInOutPut -in 81..120) { & $WriteRainbow1 "$WhenValue41To60`nYour compliance score is $TotalTrueCompliantValuesInOutPut out of $global:TotalNumberOfTrueCompliantValues!" }
- ($TotalTrueCompliantValuesInOutPut -in 121..160) { & $WriteRainbow2 "$WhenValue61To80`nYour compliance score is $TotalTrueCompliantValuesInOutPut out of $global:TotalNumberOfTrueCompliantValues!" }
- ($TotalTrueCompliantValuesInOutPut -in 161..200) { & $WriteRainbow1 "$WhenValue81To88`nYour compliance score is $TotalTrueCompliantValuesInOutPut out of $global:TotalNumberOfTrueCompliantValues!" }
- ($TotalTrueCompliantValuesInOutPut -gt 200) { & $WriteRainbow2 "$WhenValueAbove88`nYour compliance score is $TotalTrueCompliantValuesInOutPut out of $global:TotalNumberOfTrueCompliantValues!" }
+ ($TotalTrueCompliantValuesInOutPut -in 1..40) { & $WriteRainbow2 "$WhenValue1To20`nYour compliance score is $TotalTrueCompliantValuesInOutPut out of $TotalNumberOfTrueCompliantValues!" }
+ ($TotalTrueCompliantValuesInOutPut -in 41..80) { & $WriteRainbow1 "$WhenValue21To40`nYour compliance score is $TotalTrueCompliantValuesInOutPut out of $TotalNumberOfTrueCompliantValues!" }
+ ($TotalTrueCompliantValuesInOutPut -in 81..120) { & $WriteRainbow1 "$WhenValue41To60`nYour compliance score is $TotalTrueCompliantValuesInOutPut out of $TotalNumberOfTrueCompliantValues!" }
+ ($TotalTrueCompliantValuesInOutPut -in 121..160) { & $WriteRainbow2 "$WhenValue61To80`nYour compliance score is $TotalTrueCompliantValuesInOutPut out of $TotalNumberOfTrueCompliantValues!" }
+ ($TotalTrueCompliantValuesInOutPut -in 161..200) { & $WriteRainbow1 "$WhenValue81To88`nYour compliance score is $TotalTrueCompliantValuesInOutPut out of $TotalNumberOfTrueCompliantValues!" }
+ ($TotalTrueCompliantValuesInOutPut -gt 200) { & $WriteRainbow2 "$WhenValueAbove88`nYour compliance score is $TotalTrueCompliantValuesInOutPut out of $TotalNumberOfTrueCompliantValues!" }
}
}
-
}
finally {
+ # End the progress bar and mark it as completed
+ Write-Progress -Id 0 -Activity 'Completed' -Completed
+
# Reverting the PowerShell executables allow listings in Controlled folder access
foreach ($FilePath in (Get-ChildItem -Path "$PSHOME\*.exe" -File).FullName) {
Remove-MpPreference -ControlledFolderAccessAllowedApplications $FilePath
@@ -2002,15 +2039,10 @@ function Confirm-SystemCompliance {
if ($null -ne $CFAAllowedAppsBackup) {
Set-MpPreference -ControlledFolderAccessAllowedApplications $CFAAllowedAppsBackup
}
+ # Clean up
+ Remove-Item -Path '.\security_policy.inf' -Force
}
-
- } # End of Process Block
-
- end {
- # Clean up
- Remove-Item -Path '.\security_policy.inf' -Force
}
-
<#
.SYNOPSIS
Checks the compliance of a system with the Harden Windows Security script guidelines
From 4248f81051c8541d42546c7ed05d28d828b9bc47 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Thu, 14 Dec 2023 01:47:23 -0930
Subject: [PATCH 33/79] module restructuring
---
.../Main files/{ => Core}/Confirm-SystemCompliance.psm1 | 0
.../Main files/{ => Core}/Protect-WindowsSecurity.psm1 | 0
.../Main files/{ => Core}/Unprotect-WindowsSecurity.psm1 | 0
.../Main files/{ => Resources}/Functions.ps1 | 0
.../Main files/{ => Resources}/Harden-Windows-Security.ps1 | 0
5 files changed, 0 insertions(+), 0 deletions(-)
rename Harden-Windows-Security Module/Main files/{ => Core}/Confirm-SystemCompliance.psm1 (100%)
rename Harden-Windows-Security Module/Main files/{ => Core}/Protect-WindowsSecurity.psm1 (100%)
rename Harden-Windows-Security Module/Main files/{ => Core}/Unprotect-WindowsSecurity.psm1 (100%)
rename Harden-Windows-Security Module/Main files/{ => Resources}/Functions.ps1 (100%)
rename Harden-Windows-Security Module/Main files/{ => Resources}/Harden-Windows-Security.ps1 (100%)
diff --git a/Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1 b/Harden-Windows-Security Module/Main files/Core/Confirm-SystemCompliance.psm1
similarity index 100%
rename from Harden-Windows-Security Module/Main files/Confirm-SystemCompliance.psm1
rename to Harden-Windows-Security Module/Main files/Core/Confirm-SystemCompliance.psm1
diff --git a/Harden-Windows-Security Module/Main files/Protect-WindowsSecurity.psm1 b/Harden-Windows-Security Module/Main files/Core/Protect-WindowsSecurity.psm1
similarity index 100%
rename from Harden-Windows-Security Module/Main files/Protect-WindowsSecurity.psm1
rename to Harden-Windows-Security Module/Main files/Core/Protect-WindowsSecurity.psm1
diff --git a/Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1 b/Harden-Windows-Security Module/Main files/Core/Unprotect-WindowsSecurity.psm1
similarity index 100%
rename from Harden-Windows-Security Module/Main files/Unprotect-WindowsSecurity.psm1
rename to Harden-Windows-Security Module/Main files/Core/Unprotect-WindowsSecurity.psm1
diff --git a/Harden-Windows-Security Module/Main files/Functions.ps1 b/Harden-Windows-Security Module/Main files/Resources/Functions.ps1
similarity index 100%
rename from Harden-Windows-Security Module/Main files/Functions.ps1
rename to Harden-Windows-Security Module/Main files/Resources/Functions.ps1
diff --git a/Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
similarity index 100%
rename from Harden-Windows-Security Module/Main files/Harden-Windows-Security.ps1
rename to Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
From 33656a349872d91b098704644774f872c1c60b9f Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Thu, 14 Dec 2023 02:05:55 -0930
Subject: [PATCH 34/79] completed module restructuring
---
.../Core/Confirm-SystemCompliance.psm1 | 10 +----
.../Core/Protect-WindowsSecurity.psm1 | 4 +-
.../Core/Unprotect-WindowsSecurity.psm1 | 12 ++----
.../Harden-Windows-Security-Module.psd1 | 21 +++++-----
.../Harden-Windows-Security-Module.psm1 | 5 +++
.../Main files/Preloader.ps1 | 38 +++++++++++++++++++
.../Main files/Resources/Functions.ps1 | 32 +---------------
7 files changed, 63 insertions(+), 59 deletions(-)
create mode 100644 Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psm1
create mode 100644 Harden-Windows-Security Module/Main files/Preloader.ps1
diff --git a/Harden-Windows-Security Module/Main files/Core/Confirm-SystemCompliance.psm1 b/Harden-Windows-Security Module/Main files/Core/Confirm-SystemCompliance.psm1
index f7321c260..b32f7df44 100644
--- a/Harden-Windows-Security Module/Main files/Core/Confirm-SystemCompliance.psm1
+++ b/Harden-Windows-Security Module/Main files/Core/Confirm-SystemCompliance.psm1
@@ -9,14 +9,11 @@ function Confirm-SystemCompliance {
[System.Management.Automation.SwitchParameter]$DetailedDisplay
)
begin {
- # Stop operation as soon as there is an error anywhere, unless explicitly specified otherwise
- $ErrorActionPreference = 'Stop'
-
# Set the progress bar style to blinking yellow
$PSStyle.Progress.Style = "$($PSStyle.Foreground.FromRGB(255,255,49))$($PSStyle.Blink)"
# Dot-sourcing the functions.ps1 file in the current scope
- . "$psscriptroot\Functions.ps1"
+ . "$HardeningModulePath\Resources\Functions.ps1"
# Makes sure this cmdlet is invoked with Admin privileges
if (-NOT (Test-IsAdmin)) {
@@ -35,7 +32,7 @@ function Confirm-SystemCompliance {
[System.Object[]]$AllRegistryItems = @()
# Import the CSV file
- [System.Object[]]$CSVResource = Import-Csv -Path "$psscriptroot\Resources\Registry resources.csv"
+ [System.Object[]]$CSVResource = Import-Csv -Path "$HardeningModulePath\Resources\Registry resources.csv"
# An object to store the FINAL results
$FinalMegaObject = [PSCustomObject]@{}
@@ -2075,6 +2072,3 @@ function Confirm-SystemCompliance {
System.Object[]
#>
}
-
-# Set PSReadline tab completion to complete menu for easier access to available parameters - Only for the current session
-Set-PSReadLineKeyHandler -Key Tab -Function MenuComplete
diff --git a/Harden-Windows-Security Module/Main files/Core/Protect-WindowsSecurity.psm1 b/Harden-Windows-Security Module/Main files/Core/Protect-WindowsSecurity.psm1
index cf8da6490..d07eb34e7 100644
--- a/Harden-Windows-Security Module/Main files/Core/Protect-WindowsSecurity.psm1
+++ b/Harden-Windows-Security Module/Main files/Core/Protect-WindowsSecurity.psm1
@@ -1,9 +1,9 @@
Function Protect-WindowsSecurity {
# Import functions
- . "$psscriptroot\Functions.ps1"
+ . "$HardeningModulePath\Resources\Functions.ps1"
# Apply the hardening measures from the local file
- & "$psscriptroot\Harden-Windows-Security.ps1"
+ & "$HardeningModulePath\Resources\Harden-Windows-Security.ps1"
<#
.SYNOPSIS
diff --git a/Harden-Windows-Security Module/Main files/Core/Unprotect-WindowsSecurity.psm1 b/Harden-Windows-Security Module/Main files/Core/Unprotect-WindowsSecurity.psm1
index a8b398ec2..ac62f63cc 100644
--- a/Harden-Windows-Security Module/Main files/Core/Unprotect-WindowsSecurity.psm1
+++ b/Harden-Windows-Security Module/Main files/Core/Unprotect-WindowsSecurity.psm1
@@ -11,11 +11,8 @@ Function Unprotect-WindowsSecurity {
)
begin {
- # Stop the execution when there is an error
- $ErrorActionPreference = 'Stop'
-
# Import functions
- . "$psscriptroot\Functions.ps1"
+ . "$HardeningModulePath\Resources\Functions.ps1"
# Defining default parameters for cmdlets
$PSDefaultParameterValues = @{
@@ -27,7 +24,7 @@ Function Unprotect-WindowsSecurity {
[System.String]$CurrentUserTempDirectoryPath = [System.IO.Path]::GetTempPath()
# Makes sure this cmdlet is invoked with Admin privileges
- if ().IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
+ if (-NOT (Test-IsAdmin)) {
Throw [System.Security.AccessControl.PrivilegeNotHeldException] 'Administrator'
}
@@ -162,7 +159,7 @@ Function Unprotect-WindowsSecurity {
# unzip the LGPO file
Expand-Archive -Path .\LGPO.zip -DestinationPath .\ -Force
- .\'LGPO_30\LGPO.exe' /q /s "$psscriptroot\Resources\Default Security Policy.inf"
+ .\'LGPO_30\LGPO.exe' /q /s "$HardeningModulePath\Resources\Default Security Policy.inf"
# Enable LMHOSTS lookup protocol on all network adapters again
Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' -Name 'EnableLMHOSTS' -Value '1' -Type DWord
@@ -272,6 +269,3 @@ Function Unprotect-WindowsSecurity {
System.String
#>
}
-
-# Set PSReadline tab completion to complete menu for easier access to available parameters - Only for the current session
-Set-PSReadLineKeyHandler -Key Tab -Function MenuComplete
diff --git a/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psd1 b/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psd1
index e746a1fc7..46c4297ea 100644
--- a/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psd1
+++ b/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psd1
@@ -1,7 +1,7 @@
@{
# Script module or binary module file associated with this manifest.
- # RootModule = ''
+ RootModule = 'Harden-Windows-Security-Module.psm1'
# Version number of this module.
ModuleVersion = '0.2.7'
@@ -97,7 +97,7 @@ Harden Windows Safely, Securely, only with Official Microsoft methods
# RequiredAssemblies = @()
# Script files (.ps1) that are run in the caller's environment prior to importing this module.
- # ScriptsToProcess = @()
+ ScriptsToProcess = @('Preloader.ps1')
# Type files (.ps1xml) to be loaded when importing this module
# TypesToProcess = @()
@@ -106,7 +106,7 @@ Harden Windows Safely, Securely, only with Official Microsoft methods
# FormatsToProcess = @()
# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
- NestedModules = @('Confirm-SystemCompliance.psm1', 'Protect-WindowsSecurity.psm1', 'Unprotect-WindowsSecurity.psm1')
+ NestedModules = @('Core\Confirm-SystemCompliance.psm1', 'Core\Protect-WindowsSecurity.psm1', 'Core\Unprotect-WindowsSecurity.psm1')
# Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
FunctionsToExport = @('Confirm-SystemCompliance', 'Protect-WindowsSecurity', 'Unprotect-WindowsSecurity')
@@ -127,14 +127,17 @@ Harden Windows Safely, Securely, only with Official Microsoft methods
# ModuleList = @()
# List of all files packaged with this module
- FileList = @('Harden-Windows-Security-Module.psd1',
- 'Confirm-SystemCompliance.psm1',
- 'Protect-WindowsSecurity.psm1',
- 'Unprotect-WindowsSecurity.psm1',
+ FileList = @(
+ 'Harden-Windows-Security-Module.psd1',
+ 'Harden-Windows-Security-Module.psm1',
+ 'Preloader.ps1',
+ 'Core\Confirm-SystemCompliance.psm1',
+ 'Core\Protect-WindowsSecurity.psm1',
+ 'Core\Unprotect-WindowsSecurity.psm1',
'Resources\Default Security Policy.inf',
'Resources\Registry resources.csv',
- 'Harden-Windows-Security.ps1',
- 'Functions.ps1'
+ 'Resources\Harden-Windows-Security.ps1',
+ 'Resources\Functions.ps1'
)
# Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.
diff --git a/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psm1 b/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psm1
new file mode 100644
index 000000000..8b7f651ae
--- /dev/null
+++ b/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psm1
@@ -0,0 +1,5 @@
+# Stopping the module process if any error occurs
+$global:ErrorActionPreference = 'Stop'
+
+# Set PSReadline tab completion to complete menu for easier access to available parameters - Only for the current session
+Set-PSReadLineKeyHandler -Key 'Tab' -Function 'MenuComplete'
diff --git a/Harden-Windows-Security Module/Main files/Preloader.ps1 b/Harden-Windows-Security Module/Main files/Preloader.ps1
new file mode 100644
index 000000000..d9abc5c14
--- /dev/null
+++ b/Harden-Windows-Security Module/Main files/Preloader.ps1
@@ -0,0 +1,38 @@
+if (!$IsWindows) {
+ Throw 'The WDACConfig module only runs on Windows operation systems.'
+}
+
+# Create tamper resistant global variables (if they don't already exist)
+try {
+ if ((Test-Path -Path 'Variable:\Requiredbuild') -eq $false) { New-Variable -Name 'Requiredbuild' -Value '22621.2428' -Option 'Constant' -Scope 'Script' -Description 'Minimum required OS build number' -Force }
+ if ((Test-Path -Path 'Variable:\OSBuild') -eq $false) { New-Variable -Name 'OSBuild' -Value ([System.Environment]::OSVersion.Version.Build) -Option 'Constant' -Scope 'Script' -Description 'Current OS build version' -Force }
+ if ((Test-Path -Path 'Variable:\UBR') -eq $false) { New-Variable -Name 'UBR' -Value (Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name 'UBR') -Option 'Constant' -Scope 'Script' -Description 'Update Build Revision (UBR) number' -Force }
+ if ((Test-Path -Path 'Variable:\FullOSBuild') -eq $false) { New-Variable -Name 'FullOSBuild' -Value "$OSBuild.$UBR" -Option 'Constant' -Scope 'Script' -Description 'Create full OS build number as seen in Windows Settings' -Force }
+}
+catch {
+ Throw 'Could not set the required global variables.'
+}
+
+# A constant variable that is automatically imported in the caller's environment and used to detect the main module's root directory
+# Create it only if it's not already present, helps when user tries to import the module over and over again without closing the PowerShell session
+try {
+ Get-Variable -Name 'HardeningModulePath' -ErrorAction Stop | Out-Null
+}
+catch {
+ try {
+ New-Variable -Name 'HardeningModulePath' -Value ($PSScriptRoot) -Option 'Constant' -Scope 'Global' -Description 'Storing the value of $PSScriptRoot in a global constant variable to allow the internal functions to use it when navigating the module structure' -Force
+ }
+ catch {
+ Throw 'Could not set the HardeningModulePath required global variable.'
+ }
+}
+
+# Make sure the current OS build is equal or greater than the required build number
+if (-NOT ([System.Decimal]$FullOSBuild -ge [System.Decimal]$Requiredbuild)) {
+ Throw [System.PlatformNotSupportedException] "You are not using the latest build of the Windows OS. A minimum build of $Requiredbuild is required but your OS build is $FullOSBuild`nPlease go to Windows Update to install the updates and then try again."
+}
+
+# check if user's OS is Windows Home edition
+if ((Get-CimInstance -ClassName Win32_OperatingSystem).OperatingSystemSKU -eq '101') {
+ Throw 'Windows Home edition detected, exiting...'
+}
diff --git a/Harden-Windows-Security Module/Main files/Resources/Functions.ps1 b/Harden-Windows-Security Module/Main files/Resources/Functions.ps1
index a0a6ec32f..47de77a22 100644
--- a/Harden-Windows-Security Module/Main files/Resources/Functions.ps1
+++ b/Harden-Windows-Security Module/Main files/Resources/Functions.ps1
@@ -1,6 +1,3 @@
-# Stop the execution when there is an error
-$global:ErrorActionPreference = 'Stop'
-
Function Test-IsAdmin {
<#
.SYNOPSIS
@@ -25,7 +22,7 @@ function Update-self {
System.String
#>
- [System.Version]$CurrentVersion = (Test-ModuleManifest -Path "$psscriptroot\Harden-Windows-Security-Module.psd1").Version
+ [System.Version]$CurrentVersion = (Test-ModuleManifest -Path "$HardeningModulePath\Harden-Windows-Security-Module.psd1").Version
try {
[System.Version]$global:LatestVersion = Invoke-RestMethod -Uri 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security%20Module/version.txt' -ProgressAction SilentlyContinue
@@ -91,31 +88,6 @@ function Update-self {
# Self update the module
Update-self
-#Region Requirements-Check
-
-# check if user's OS is Windows Home edition
-if ((Get-CimInstance -ClassName Win32_OperatingSystem).OperatingSystemSKU -eq '101') {
- Throw 'Windows Home edition detected, exiting...'
-}
-
-# Check if user's OS is the latest build
-# Minimum OS build number required for the hardening measures used in this script
-[System.Decimal]$Requiredbuild = '22621.2428'
-
-# Get OS build version
-[System.Decimal]$OSBuild = [System.Environment]::OSVersion.Version.Build
-
-# Get Update Build Revision (UBR) number
-[System.Decimal]$UBR = Get-ItemPropertyValue -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name 'UBR'
-
-# Create full OS build number as seen in Windows Settings
-[System.Decimal]$FullOSBuild = "$OSBuild.$UBR"
-
-# Make sure the current OS build is equal or greater than the required build
-if (-NOT ($FullOSBuild -ge $Requiredbuild)) {
- Throw "You're not using the latest build of the Windows OS. A minimum build of $Requiredbuild is required but your OS build is $FullOSBuild`nPlease go to Windows Update to install the updates and then try again."
-}
-
if (Test-IsAdmin) {
# check to make sure TPM is available and enabled
[System.Object]$TPM = Get-Tpm
@@ -123,5 +95,3 @@ if (Test-IsAdmin) {
Throw 'TPM is not available or enabled, please enable it in UEFI settings and try again.'
}
}
-
-#Endregion Requirements-Check
From 26e37940329e925da0fe248cdb7ce1258ce97887 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Thu, 14 Dec 2023 02:56:46 -0930
Subject: [PATCH 35/79] Update Preloader.ps1
---
Harden-Windows-Security Module/Main files/Preloader.ps1 | 3 +++
1 file changed, 3 insertions(+)
diff --git a/Harden-Windows-Security Module/Main files/Preloader.ps1 b/Harden-Windows-Security Module/Main files/Preloader.ps1
index d9abc5c14..2eb5655f4 100644
--- a/Harden-Windows-Security Module/Main files/Preloader.ps1
+++ b/Harden-Windows-Security Module/Main files/Preloader.ps1
@@ -1,3 +1,6 @@
+# This file is automatically imported in the PowerShell session every time a cmdlet of this module is called, without requiring to manually use the Import-Module cmdlet
+# all the variables in here persist until PowerShell (session) is closed
+
if (!$IsWindows) {
Throw 'The WDACConfig module only runs on Windows operation systems.'
}
From c364ab24b47502455cef164f3f864e4ade09a934 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Thu, 14 Dec 2023 03:04:25 -0930
Subject: [PATCH 36/79] Removed unnecessary lines
---
.../Resources/Harden-Windows-Security.ps1 | 104 ++++++------------
1 file changed, 34 insertions(+), 70 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
index e58e535cb..2d4340a94 100644
--- a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
@@ -96,13 +96,13 @@ Set-ExecutionPolicy -ExecutionPolicy 'Unrestricted' -Scope Process -Force
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = '❤️🔥Harden Windows Security❤️🔥'
-# Defining global script variables
+# Defining script variables
# Current script's version, the same as the version at the top in the script info section
[System.DateTime]$CurrentVersion = '2023.11.23'
# Minimum OS build number required for the hardening measures used in this script
[System.Decimal]$Requiredbuild = '22621.2428'
# Fetching Temp Directory
-[System.String]$global:CurrentUserTempDirectoryPath = [System.IO.Path]::GetTempPath()
+[System.String]$CurrentUserTempDirectoryPath = [System.IO.Path]::GetTempPath()
# The total number of the main categories for the parent/main progress bar to render
[System.Int64]$TotalMainSteps = 18
# Defining a global boolean variable to determine whether optional diagnostic data should be enabled for Smart App Control or not
@@ -711,16 +711,16 @@ try {
#endregion RequirementsCheck
# create our working directory
- New-Item -ItemType Directory -Path "$global:CurrentUserTempDirectoryPath\HardeningXStuff\" -Force | Out-Null
+ New-Item -ItemType Directory -Path "$CurrentUserTempDirectoryPath\HardeningXStuff\" -Force | Out-Null
# working directory assignment
- [System.IO.DirectoryInfo]$WorkingDir = "$global:CurrentUserTempDirectoryPath\HardeningXStuff\"
+ [System.IO.DirectoryInfo]$WorkingDir = "$CurrentUserTempDirectoryPath\HardeningXStuff\"
# change location to the new directory
Set-Location -Path $WorkingDir
# Clean up script block
[System.Management.Automation.ScriptBlock]$CleanUp = {
Set-Location -Path $HOME
- Remove-Item -Recurse -Path "$global:CurrentUserTempDirectoryPath\HardeningXStuff\" -Force
+ Remove-Item -Recurse -Path "$CurrentUserTempDirectoryPath\HardeningXStuff\" -Force
# Disable progress bars
0..6 | ForEach-Object -Process { Write-Progress -Id $_ -Activity 'Done' -Completed }
exit
@@ -842,7 +842,6 @@ try {
[System.String]$Microsoft365SecurityBaselinePath = (Get-ChildItem -Directory -Path '.\Microsoft365SecurityBaseline\*\').FullName
#region Windows-Boot-Manager-revocations-for-Secure-Boot KB5025885
- # ============================May 9 2023 Windows Boot Manager revocations for Secure Boot =================================
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -858,12 +857,10 @@ try {
Write-Warning -Message 'Make sure to restart your device once. After restart, wait for at least 5-10 minutes and perform a 2nd restart to finish applying security measures completely.'
} 'No' { break }
'Exit' { &$CleanUp }
- }
- # ============================End of May 9 2023 Windows Boot Manager revocations for Secure Boot===========================
+ }
#endregion Windows-Boot-Manager-revocations-for-Secure-Boot KB5025885
#region Microsoft-Security-Baseline
- # ================================================Microsoft Security Baseline==============================================
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -906,11 +903,9 @@ try {
'No' { break MicrosoftSecurityBaselinesCategoryLabel }
'Exit' { &$CleanUp }
}
- # ==============================================End of Microsoft Security Baselines============================================
#endregion Microsoft-Security-Baseline
#region Microsoft-365-Apps-Security-Baseline
- # ================================================Microsoft 365 Apps Security Baseline==============================================
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -932,11 +927,9 @@ try {
} 'No' { break Microsoft365AppsSecurityBaselinesCategoryLabel }
'Exit' { &$CleanUp }
}
- # ================================================End of Microsoft 365 Apps Security Baseline==============================================
#endregion Microsoft-365-Apps-Security-Baseline
#region Microsoft-Defender
- # ================================================Microsoft Defender=======================================================
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -1110,11 +1103,9 @@ try {
} 'No' { break }
'Exit' { &$CleanUp }
}
- # ============================================End of Microsoft Defender====================================================
#endregion Microsoft-Defender
- #region Attack-Surface-Reduction-Rules
- # =========================================Attack Surface Reduction Rules==================================================
+ #region Attack-Surface-Reduction-Rules
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -1131,11 +1122,9 @@ try {
} 'No' { break ASRRulesCategoryLabel }
'Exit' { &$CleanUp }
}
- # =========================================End of Attack Surface Reduction Rules===========================================
#endregion Attack-Surface-Reduction-Rules
#region Bitlocker-Settings
- # ==========================================Bitlocker Settings=============================================================
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -1198,7 +1187,7 @@ try {
}
}
'@
- Add-Type -TypeDefinition $BootDMAProtectionCheck
+ Add-Type -TypeDefinition $BootDMAProtectionCheck -Language CSharp
# returns true or false depending on whether Kernel DMA Protection is on or off
[System.Boolean]$BootDMAProtection = ([SystemInfo.NativeMethods]::BootDmaCheck()) -ne 0
@@ -1785,12 +1774,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
} 'No' { break }
'Exit' { &$CleanUp }
- }
- # ==========================================End of Bitlocker Settings======================================================
+ }
#endregion Bitlocker-Settings
- #region TLS-Security
- # ==============================================TLS Security===============================================================
+ #region TLS-Security
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -1829,12 +1816,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
.\LGPO.exe /q /m '..\Security-Baselines-X\TLS Security\registry.pol'
} 'No' { break }
'Exit' { &$CleanUp }
- }
- # ==========================================End of TLS Security============================================================
+ }
#endregion TLS-Security
- #region Lock-Screen
- # ==========================================Lock Screen====================================================================
+ #region Lock-Screen
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -1863,12 +1848,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
} 'No' { break }
'Exit' { &$CleanUp }
- }
- # ==========================================End of Lock Screen=============================================================
+ }
#endregion Lock-Screen
- #region User-Account-Control
- # ==========================================User Account Control===========================================================
+ #region User-Account-Control
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -1920,12 +1903,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
} 'No' { break }
'Exit' { &$CleanUp }
- }
- # ==========================================End of User Account Control====================================================
+ }
#endregion User-Account-Control
- #region Windows-Firewall
- # ====================================================Windows Firewall=====================================================
+ #region Windows-Firewall
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -1945,12 +1926,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
ForEach-Object -Process { Disable-NetFirewallRule -DisplayName $_.DisplayName }
} 'No' { break }
'Exit' { &$CleanUp }
- }
- # =================================================End of Windows Firewall=================================================
+ }
#endregion Windows-Firewall
- #region Optional-Windows-Features
- # =================================================Optional Windows Features===============================================
+ #region Optional-Windows-Features
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -2243,12 +2222,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
} 'No' { break }
'Exit' { &$CleanUp }
- }
- # ==============================================End of Optional Windows Features===========================================
+ }
#endregion Optional-Windows-Features
- #region Windows-Networking
- # ====================================================Windows Networking===================================================
+ #region Windows-Networking
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -2270,12 +2247,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Public
} 'No' { break }
'Exit' { &$CleanUp }
- }
- # =================================================End of Windows Networking===============================================
+ }
#endregion Windows-Networking
- #region Miscellaneous-Configurations
- # ==============================================Miscellaneous Configurations===============================================
+ #region Miscellaneous-Configurations
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -2334,12 +2309,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
} 'No' { break }
'Exit' { &$CleanUp }
- }
- # ============================================End of Miscellaneous Configurations==========================================
+ }
#endregion Miscellaneous-Configurations
- #region Windows-Update-Configurations
- # ====================================================Windows Update Configurations==============================================
+ #region Windows-Update-Configurations
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -2356,12 +2329,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
.\LGPO.exe /q /m '..\Security-Baselines-X\Windows Update Policies\registry.pol'
} 'No' { break }
'Exit' { &$CleanUp }
- }
- # ====================================================End of Windows Update Configurations=======================================
+ }
#endregion Windows-Update-Configurations
- #region Edge-Browser-Configurations
- # ====================================================Edge Browser Configurations====================================================
+ #region Edge-Browser-Configurations
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -2381,12 +2352,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
} 'No' { break }
'Exit' { &$CleanUp }
- }
- # ====================================================End of Edge Browser Configurations==============================================
+ }
#endregion Edge-Browser-Configurations
- #region Certificate-Checking-Commands
- # ====================================================Certificate Checking Commands========================================
+ #region Certificate-Checking-Commands
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -2413,12 +2382,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Remove-Item -Path .\sigcheck64.exe -Force
} 'No' { break }
'Exit' { &$CleanUp }
- }
- # ====================================================End of Certificate Checking Commands=================================
+ }
#endregion Certificate-Checking-Commands
- #region Country-IP-Blocking
- # ====================================================Country IP Blocking==================================================
+ #region Country-IP-Blocking
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -2446,14 +2413,12 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
} 'No' { break }
'Exit' { &$CleanUp }
- }
- # ====================================================End of Country IP Blocking===========================================
+ }
#endregion Country-IP-Blocking
} # End of Admin test function
- #region Non-Admin-Commands
- # ====================================================Non-Admin Commands===================================================
+ #region Non-Admin-Commands
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = 'Non-Admins'
@@ -2491,8 +2456,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
} 'No' { &$CleanUp }
'Exit' { &$CleanUp }
- }
- # ====================================================End of Non-Admin Commands============================================
+ }
#endregion Non-Admin-Commands
}
catch {
@@ -2514,7 +2478,7 @@ finally {
}
}
- Set-Location -Path $HOME; Remove-Item -Recurse -Path "$global:CurrentUserTempDirectoryPath\HardeningXStuff\" -Force -ErrorAction SilentlyContinue
+ Set-Location -Path $HOME; Remove-Item -Recurse -Path "$CurrentUserTempDirectoryPath\HardeningXStuff\" -Force -ErrorAction SilentlyContinue
# Disable progress bars
0..6 | ForEach-Object -Process { Write-Progress -Id $_ -Activity 'Done' -Completed }
From ed17fcd9f916c793f6d16f1e34b52ade74cc4e59 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Thu, 14 Dec 2023 03:11:20 -0930
Subject: [PATCH 37/79] Improved the hardening script
---
.../Resources/Harden-Windows-Security.ps1 | 71 ++++++++++---------
1 file changed, 39 insertions(+), 32 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
index 2d4340a94..5dddecf9b 100644
--- a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
@@ -116,11 +116,14 @@ function Select-Option {
.INPUTS
System.String
System.Management.Automation.SwitchParameter
+ .OUTPUTS
+ System.String
.PARAMETER Message
Contains the main prompt message
.PARAMETER ExtraMessage
Contains any extra notes for sub-categories
#>
+ [CmdletBinding()]
param(
[parameter(Mandatory = $True)][System.String]$Message,
[parameter(Mandatory = $True)][System.String[]]$Options,
@@ -164,7 +167,7 @@ function Select-Option {
Write-Warning -Message 'Invalid input. Please only enter a positive number.'
}
}
- return $Selected
+ return [System.String]$Selected
}
function Edit-Registry {
@@ -176,6 +179,7 @@ function Edit-Registry {
.OUTPUTS
System.Void
#>
+ [CmdletBinding()]
param ([System.String]$Path, [System.String]$Key, [System.String]$Value, [System.String]$Type, [System.String]$Action)
If (-NOT (Test-Path -Path $Path)) {
New-Item -Path $Path -Force | Out-Null
@@ -247,11 +251,14 @@ function Compare-SecureString {
https://stackoverflow.com/questions/48809012/compare-two-credentials-in-powershell
.INPUTS
System.Security.SecureString
+ .OUTPUTS
+ System.Boolean
.PARAMETER SecureString1
First secure string
.PARAMETER SecureString2
Second secure string to compare with the first secure string
#>
+ [CmdletBinding()]
param(
[Security.SecureString]$SecureString1,
[Security.SecureString]$SecureString2
@@ -857,7 +864,7 @@ try {
Write-Warning -Message 'Make sure to restart your device once. After restart, wait for at least 5-10 minutes and perform a 2nd restart to finish applying security measures completely.'
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
#endregion Windows-Boot-Manager-revocations-for-Secure-Boot KB5025885
#region Microsoft-Security-Baseline
@@ -1105,7 +1112,7 @@ try {
}
#endregion Microsoft-Defender
- #region Attack-Surface-Reduction-Rules
+ #region Attack-Surface-Reduction-Rules
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -1315,7 +1322,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
[securestring]$Pin2 = $(Write-SmartText -C PinkBold -G Magenta -I 'Confirm your Bitlocker Startup Pin (between 10 to 20 characters)'; Read-Host -AsSecureString)
# Compare the PINs and make sure they match
- [System.Boolean]$TheyMatch = Compare-SecureString $Pin1 $Pin2
+ [System.Boolean]$TheyMatch = Compare-SecureString -SecureString1 $Pin1 -SecureString2 $Pin2
# If the PINs match and they are at least 10 characters long, max 20 characters
if ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) ) {
[securestring]$Pin = $Pin1
@@ -1355,7 +1362,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
[securestring]$Pin1 = $(Write-SmartText -C PinkBold -G Magenta -I 'Enter a Pin for Bitlocker startup (between 10 to 20 characters)'; Read-Host -AsSecureString)
[securestring]$Pin2 = $(Write-SmartText -C PinkBold -G Magenta -I 'Confirm your Bitlocker Startup Pin (between 10 to 20 characters)'; Read-Host -AsSecureString)
- [System.Boolean]$TheyMatch = Compare-SecureString $Pin1 $Pin2
+ [System.Boolean]$TheyMatch = Compare-SecureString -SecureString1 $Pin1 -SecureString2 $Pin2
if ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) ) {
[securestring]$Pin = $Pin1
@@ -1456,7 +1463,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
[securestring]$Pin2 = $(Write-SmartText -C PinkBold -G Magenta -I 'Confirm your Bitlocker Startup Pin (between 10 to 20 characters)'; Read-Host -AsSecureString)
# Compare the PINs and make sure they match
- [System.Boolean]$TheyMatch = Compare-SecureString $Pin1 $Pin2
+ [System.Boolean]$TheyMatch = Compare-SecureString -SecureString1 $Pin1 -SecureString2 $Pin2
# If the PINs match and they are at least 10 characters long, max 20 characters
if ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) ) {
[securestring]$Pin = $Pin1
@@ -1499,7 +1506,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
[securestring]$Pin2 = $(Write-SmartText -C PinkBold -G Magenta -I 'Confirm your Bitlocker Startup Pin (between 10 to 20 characters)'; Read-Host -AsSecureString)
# Compare the PINs and make sure they match
- [System.Boolean]$TheyMatch = Compare-SecureString $Pin1 $Pin2
+ [System.Boolean]$TheyMatch = Compare-SecureString -SecureString1 $Pin1 -SecureString2 $Pin2
# If the PINs match and they are at least 10 characters long, max 20 characters
if ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) ) {
[securestring]$Pin = $Pin1
@@ -1774,10 +1781,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
#endregion Bitlocker-Settings
- #region TLS-Security
+ #region TLS-Security
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -1816,10 +1823,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
.\LGPO.exe /q /m '..\Security-Baselines-X\TLS Security\registry.pol'
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
#endregion TLS-Security
- #region Lock-Screen
+ #region Lock-Screen
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -1848,10 +1855,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
#endregion Lock-Screen
- #region User-Account-Control
+ #region User-Account-Control
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -1903,10 +1910,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
#endregion User-Account-Control
- #region Windows-Firewall
+ #region Windows-Firewall
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -1926,10 +1933,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
ForEach-Object -Process { Disable-NetFirewallRule -DisplayName $_.DisplayName }
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
#endregion Windows-Firewall
- #region Optional-Windows-Features
+ #region Optional-Windows-Features
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -2222,10 +2229,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
#endregion Optional-Windows-Features
- #region Windows-Networking
+ #region Windows-Networking
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -2247,10 +2254,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Public
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
#endregion Windows-Networking
- #region Miscellaneous-Configurations
+ #region Miscellaneous-Configurations
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -2309,10 +2316,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
#endregion Miscellaneous-Configurations
- #region Windows-Update-Configurations
+ #region Windows-Update-Configurations
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -2329,10 +2336,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
.\LGPO.exe /q /m '..\Security-Baselines-X\Windows Update Policies\registry.pol'
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
#endregion Windows-Update-Configurations
- #region Edge-Browser-Configurations
+ #region Edge-Browser-Configurations
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -2352,10 +2359,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
#endregion Edge-Browser-Configurations
- #region Certificate-Checking-Commands
+ #region Certificate-Checking-Commands
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -2382,10 +2389,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Remove-Item -Path .\sigcheck64.exe -Force
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
#endregion Certificate-Checking-Commands
- #region Country-IP-Blocking
+ #region Country-IP-Blocking
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -2413,12 +2420,12 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
#endregion Country-IP-Blocking
} # End of Admin test function
- #region Non-Admin-Commands
+ #region Non-Admin-Commands
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = 'Non-Admins'
@@ -2456,7 +2463,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
} 'No' { &$CleanUp }
'Exit' { &$CleanUp }
- }
+ }
#endregion Non-Admin-Commands
}
catch {
From dea481688e0551f5417d07435cb9990c4dbcf9dc Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Thu, 14 Dec 2023 03:16:51 -0930
Subject: [PATCH 38/79] Reduced some int64s to int16
---
.../Main files/Resources/Harden-Windows-Security.ps1 | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
index 5dddecf9b..054d42842 100644
--- a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
@@ -757,10 +757,10 @@ try {
)
# Get the total number of files to download
- [System.Int64]$TotalRequiredFiles = $Files.Count
+ [System.Int16]$TotalRequiredFiles = $Files.Count
# Initialize a counter for the progress bar
- [System.Int64]$RequiredFilesCounter = 0
+ [System.Int16]$RequiredFilesCounter = 0
# Start a job for each file download
[System.Object[]]$Jobs = foreach ($File in $Files) {
From 2de5e15f52abfd7bfd4ca22b3c124973f33d1a97 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Thu, 14 Dec 2023 03:25:05 -0930
Subject: [PATCH 39/79] Updated both scripts inside and outside of module dir
---
.../Resources/Harden-Windows-Security.ps1 | 2 +-
Harden-Windows-Security.ps1 | 79 ++++++-------------
2 files changed, 26 insertions(+), 55 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
index 054d42842..8d7e0c80e 100644
--- a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
@@ -1026,7 +1026,7 @@ try {
# Old method
# bcdedit.exe /set '{current}' nx AlwaysOn | Out-Null
# New method using PowerShell cmdlets added in Windows 11
- Set-BcdElement -Element 'nx' -Type 'Integer' -Value '3'
+ Set-BcdElement -Element 'nx' -Type 'Integer' -Value '3' -Force
# Suggest turning on Smart App Control only if it's in Eval mode
if ((Get-MpComputerStatus).SmartAppControlState -eq 'Eval') {
diff --git a/Harden-Windows-Security.ps1 b/Harden-Windows-Security.ps1
index e16bfbcad..f04786adb 100644
--- a/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security.ps1
@@ -96,13 +96,13 @@ Set-ExecutionPolicy -ExecutionPolicy 'Unrestricted' -Scope Process -Force
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = '❤️🔥Harden Windows Security❤️🔥'
-# Defining global script variables
+# Defining script variables
# Current script's version, the same as the version at the top in the script info section
[System.DateTime]$CurrentVersion = '2023.11.23'
# Minimum OS build number required for the hardening measures used in this script
[System.Decimal]$Requiredbuild = '22621.2428'
# Fetching Temp Directory
-[System.String]$global:CurrentUserTempDirectoryPath = [System.IO.Path]::GetTempPath()
+[System.String]$CurrentUserTempDirectoryPath = [System.IO.Path]::GetTempPath()
# The total number of the main categories for the parent/main progress bar to render
[System.Int64]$TotalMainSteps = 18
# Defining a global boolean variable to determine whether optional diagnostic data should be enabled for Smart App Control or not
@@ -116,11 +116,14 @@ function Select-Option {
.INPUTS
System.String
System.Management.Automation.SwitchParameter
+ .OUTPUTS
+ System.String
.PARAMETER Message
Contains the main prompt message
.PARAMETER ExtraMessage
Contains any extra notes for sub-categories
#>
+ [CmdletBinding()]
param(
[parameter(Mandatory = $True)][System.String]$Message,
[parameter(Mandatory = $True)][System.String[]]$Options,
@@ -164,7 +167,7 @@ function Select-Option {
Write-Warning -Message 'Invalid input. Please only enter a positive number.'
}
}
- return $Selected
+ return [System.String]$Selected
}
function Edit-Registry {
@@ -176,6 +179,7 @@ function Edit-Registry {
.OUTPUTS
System.Void
#>
+ [CmdletBinding()]
param ([System.String]$Path, [System.String]$Key, [System.String]$Value, [System.String]$Type, [System.String]$Action)
If (-NOT (Test-Path -Path $Path)) {
New-Item -Path $Path -Force | Out-Null
@@ -247,11 +251,14 @@ function Compare-SecureString {
https://stackoverflow.com/questions/48809012/compare-two-credentials-in-powershell
.INPUTS
System.Security.SecureString
+ .OUTPUTS
+ System.Boolean
.PARAMETER SecureString1
First secure string
.PARAMETER SecureString2
Second secure string to compare with the first secure string
#>
+ [CmdletBinding()]
param(
[Security.SecureString]$SecureString1,
[Security.SecureString]$SecureString2
@@ -711,16 +718,16 @@ try {
#endregion RequirementsCheck
# create our working directory
- New-Item -ItemType Directory -Path "$global:CurrentUserTempDirectoryPath\HardeningXStuff\" -Force | Out-Null
+ New-Item -ItemType Directory -Path "$CurrentUserTempDirectoryPath\HardeningXStuff\" -Force | Out-Null
# working directory assignment
- [System.IO.DirectoryInfo]$WorkingDir = "$global:CurrentUserTempDirectoryPath\HardeningXStuff\"
+ [System.IO.DirectoryInfo]$WorkingDir = "$CurrentUserTempDirectoryPath\HardeningXStuff\"
# change location to the new directory
Set-Location -Path $WorkingDir
# Clean up script block
[System.Management.Automation.ScriptBlock]$CleanUp = {
Set-Location -Path $HOME
- Remove-Item -Recurse -Path "$global:CurrentUserTempDirectoryPath\HardeningXStuff\" -Force
+ Remove-Item -Recurse -Path "$CurrentUserTempDirectoryPath\HardeningXStuff\" -Force
# Disable progress bars
0..6 | ForEach-Object -Process { Write-Progress -Id $_ -Activity 'Done' -Completed }
exit
@@ -750,10 +757,10 @@ try {
)
# Get the total number of files to download
- [System.Int64]$TotalRequiredFiles = $Files.Count
+ [System.Int16]$TotalRequiredFiles = $Files.Count
# Initialize a counter for the progress bar
- [System.Int64]$RequiredFilesCounter = 0
+ [System.Int16]$RequiredFilesCounter = 0
# Start a job for each file download
[System.Object[]]$Jobs = foreach ($File in $Files) {
@@ -842,7 +849,6 @@ try {
[System.String]$Microsoft365SecurityBaselinePath = (Get-ChildItem -Directory -Path '.\Microsoft365SecurityBaseline\*\').FullName
#region Windows-Boot-Manager-revocations-for-Secure-Boot KB5025885
- # ============================May 9 2023 Windows Boot Manager revocations for Secure Boot =================================
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -859,11 +865,9 @@ try {
} 'No' { break }
'Exit' { &$CleanUp }
}
- # ============================End of May 9 2023 Windows Boot Manager revocations for Secure Boot===========================
#endregion Windows-Boot-Manager-revocations-for-Secure-Boot KB5025885
#region Microsoft-Security-Baseline
- # ================================================Microsoft Security Baseline==============================================
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -906,11 +910,9 @@ try {
'No' { break MicrosoftSecurityBaselinesCategoryLabel }
'Exit' { &$CleanUp }
}
- # ==============================================End of Microsoft Security Baselines============================================
#endregion Microsoft-Security-Baseline
#region Microsoft-365-Apps-Security-Baseline
- # ================================================Microsoft 365 Apps Security Baseline==============================================
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -932,11 +934,9 @@ try {
} 'No' { break Microsoft365AppsSecurityBaselinesCategoryLabel }
'Exit' { &$CleanUp }
}
- # ================================================End of Microsoft 365 Apps Security Baseline==============================================
#endregion Microsoft-365-Apps-Security-Baseline
#region Microsoft-Defender
- # ================================================Microsoft Defender=======================================================
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -1026,7 +1026,7 @@ try {
# Old method
# bcdedit.exe /set '{current}' nx AlwaysOn | Out-Null
# New method using PowerShell cmdlets added in Windows 11
- Set-BcdElement -Element 'nx' -Type 'Integer' -Value '3'
+ Set-BcdElement -Element 'nx' -Type 'Integer' -Value '3' -Force
# Suggest turning on Smart App Control only if it's in Eval mode
if ((Get-MpComputerStatus).SmartAppControlState -eq 'Eval') {
@@ -1110,11 +1110,9 @@ try {
} 'No' { break }
'Exit' { &$CleanUp }
}
- # ============================================End of Microsoft Defender====================================================
#endregion Microsoft-Defender
#region Attack-Surface-Reduction-Rules
- # =========================================Attack Surface Reduction Rules==================================================
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -1131,11 +1129,9 @@ try {
} 'No' { break ASRRulesCategoryLabel }
'Exit' { &$CleanUp }
}
- # =========================================End of Attack Surface Reduction Rules===========================================
#endregion Attack-Surface-Reduction-Rules
#region Bitlocker-Settings
- # ==========================================Bitlocker Settings=============================================================
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -1198,7 +1194,7 @@ try {
}
}
'@
- Add-Type -TypeDefinition $BootDMAProtectionCheck
+ Add-Type -TypeDefinition $BootDMAProtectionCheck -Language CSharp
# returns true or false depending on whether Kernel DMA Protection is on or off
[System.Boolean]$BootDMAProtection = ([SystemInfo.NativeMethods]::BootDmaCheck()) -ne 0
@@ -1326,7 +1322,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
[securestring]$Pin2 = $(Write-SmartText -C PinkBold -G Magenta -I 'Confirm your Bitlocker Startup Pin (between 10 to 20 characters)'; Read-Host -AsSecureString)
# Compare the PINs and make sure they match
- [System.Boolean]$TheyMatch = Compare-SecureString $Pin1 $Pin2
+ [System.Boolean]$TheyMatch = Compare-SecureString -SecureString1 $Pin1 -SecureString2 $Pin2
# If the PINs match and they are at least 10 characters long, max 20 characters
if ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) ) {
[securestring]$Pin = $Pin1
@@ -1342,7 +1338,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-SmartText -C MintGreen -G Green -I "`nPINs matched, enabling TPM and startup PIN now`n"
}
catch {
- Write-Host -Object 'These errors occured, run Bitlocker category again after meeting the requirements' -ForegroundColor Red
+ Write-Host -Object 'These errors occurred, run Bitlocker category again after meeting the requirements' -ForegroundColor Red
$_
break BitLockerCategoryLabel
}
@@ -1366,7 +1362,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
[securestring]$Pin1 = $(Write-SmartText -C PinkBold -G Magenta -I 'Enter a Pin for Bitlocker startup (between 10 to 20 characters)'; Read-Host -AsSecureString)
[securestring]$Pin2 = $(Write-SmartText -C PinkBold -G Magenta -I 'Confirm your Bitlocker Startup Pin (between 10 to 20 characters)'; Read-Host -AsSecureString)
- [System.Boolean]$TheyMatch = Compare-SecureString $Pin1 $Pin2
+ [System.Boolean]$TheyMatch = Compare-SecureString -SecureString1 $Pin1 -SecureString2 $Pin2
if ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) ) {
[securestring]$Pin = $Pin1
@@ -1380,7 +1376,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod 'XtsAes256' -Pin $Pin -TpmAndPinProtector -SkipHardwareTest -ErrorAction Stop *> $null
}
catch {
- Write-Host -Object 'These errors occured, run Bitlocker category again after meeting the requirements' -ForegroundColor Red
+ Write-Host -Object 'These errors occurred, run Bitlocker category again after meeting the requirements' -ForegroundColor Red
$_
break BitLockerCategoryLabel
}
@@ -1467,7 +1463,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
[securestring]$Pin2 = $(Write-SmartText -C PinkBold -G Magenta -I 'Confirm your Bitlocker Startup Pin (between 10 to 20 characters)'; Read-Host -AsSecureString)
# Compare the PINs and make sure they match
- [System.Boolean]$TheyMatch = Compare-SecureString $Pin1 $Pin2
+ [System.Boolean]$TheyMatch = Compare-SecureString -SecureString1 $Pin1 -SecureString2 $Pin2
# If the PINs match and they are at least 10 characters long, max 20 characters
if ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) ) {
[securestring]$Pin = $Pin1
@@ -1510,7 +1506,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
[securestring]$Pin2 = $(Write-SmartText -C PinkBold -G Magenta -I 'Confirm your Bitlocker Startup Pin (between 10 to 20 characters)'; Read-Host -AsSecureString)
# Compare the PINs and make sure they match
- [System.Boolean]$TheyMatch = Compare-SecureString $Pin1 $Pin2
+ [System.Boolean]$TheyMatch = Compare-SecureString -SecureString1 $Pin1 -SecureString2 $Pin2
# If the PINs match and they are at least 10 characters long, max 20 characters
if ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) ) {
[securestring]$Pin = $Pin1
@@ -1786,11 +1782,9 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
} 'No' { break }
'Exit' { &$CleanUp }
}
- # ==========================================End of Bitlocker Settings======================================================
#endregion Bitlocker-Settings
#region TLS-Security
- # ==============================================TLS Security===============================================================
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -1830,11 +1824,9 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
} 'No' { break }
'Exit' { &$CleanUp }
}
- # ==========================================End of TLS Security============================================================
#endregion TLS-Security
#region Lock-Screen
- # ==========================================Lock Screen====================================================================
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -1864,11 +1856,9 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
} 'No' { break }
'Exit' { &$CleanUp }
}
- # ==========================================End of Lock Screen=============================================================
#endregion Lock-Screen
#region User-Account-Control
- # ==========================================User Account Control===========================================================
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -1921,11 +1911,9 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
} 'No' { break }
'Exit' { &$CleanUp }
}
- # ==========================================End of User Account Control====================================================
#endregion User-Account-Control
#region Windows-Firewall
- # ====================================================Windows Firewall=====================================================
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -1946,11 +1934,9 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
} 'No' { break }
'Exit' { &$CleanUp }
}
- # =================================================End of Windows Firewall=================================================
#endregion Windows-Firewall
#region Optional-Windows-Features
- # =================================================Optional Windows Features===============================================
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -2244,11 +2230,9 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
} 'No' { break }
'Exit' { &$CleanUp }
}
- # ==============================================End of Optional Windows Features===========================================
#endregion Optional-Windows-Features
#region Windows-Networking
- # ====================================================Windows Networking===================================================
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -2271,11 +2255,9 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
} 'No' { break }
'Exit' { &$CleanUp }
}
- # =================================================End of Windows Networking===============================================
#endregion Windows-Networking
#region Miscellaneous-Configurations
- # ==============================================Miscellaneous Configurations===============================================
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -2335,11 +2317,9 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
} 'No' { break }
'Exit' { &$CleanUp }
}
- # ============================================End of Miscellaneous Configurations==========================================
#endregion Miscellaneous-Configurations
#region Windows-Update-Configurations
- # ====================================================Windows Update Configurations==============================================
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -2357,11 +2337,9 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
} 'No' { break }
'Exit' { &$CleanUp }
}
- # ====================================================End of Windows Update Configurations=======================================
#endregion Windows-Update-Configurations
#region Edge-Browser-Configurations
- # ====================================================Edge Browser Configurations====================================================
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -2382,11 +2360,9 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
} 'No' { break }
'Exit' { &$CleanUp }
}
- # ====================================================End of Edge Browser Configurations==============================================
#endregion Edge-Browser-Configurations
#region Certificate-Checking-Commands
- # ====================================================Certificate Checking Commands========================================
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -2414,11 +2390,9 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
} 'No' { break }
'Exit' { &$CleanUp }
}
- # ====================================================End of Certificate Checking Commands=================================
#endregion Certificate-Checking-Commands
#region Country-IP-Blocking
- # ====================================================Country IP Blocking==================================================
$CurrentMainStep++
# Change the title of the Windows Terminal for PowerShell tab
@@ -2447,13 +2421,11 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
} 'No' { break }
'Exit' { &$CleanUp }
}
- # ====================================================End of Country IP Blocking===========================================
#endregion Country-IP-Blocking
} # End of Admin test function
#region Non-Admin-Commands
- # ====================================================Non-Admin Commands===================================================
# Change the title of the Windows Terminal for PowerShell tab
$Host.UI.RawUI.WindowTitle = 'Non-Admins'
@@ -2492,11 +2464,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
} 'No' { &$CleanUp }
'Exit' { &$CleanUp }
}
- # ====================================================End of Non-Admin Commands============================================
#endregion Non-Admin-Commands
}
catch {
- # Throw whatever error that occured
+ # Throw whatever error that occurred
Throw $_
}
finally {
@@ -2514,7 +2485,7 @@ finally {
}
}
- Set-Location -Path $HOME; Remove-Item -Recurse -Path "$global:CurrentUserTempDirectoryPath\HardeningXStuff\" -Force -ErrorAction SilentlyContinue
+ Set-Location -Path $HOME; Remove-Item -Recurse -Path "$CurrentUserTempDirectoryPath\HardeningXStuff\" -Force -ErrorAction SilentlyContinue
# Disable progress bars
0..6 | ForEach-Object -Process { Write-Progress -Id $_ -Activity 'Done' -Completed }
From 2c6c81061f8d8e8cd5a0ac0bd3944c16a949e323 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Thu, 14 Dec 2023 06:19:21 -0930
Subject: [PATCH 40/79] Improved Windows feature management section
Removed some 174 lines of code by optimizing that part
---
.../Resources/Harden-Windows-Security.ps1 | 352 +++++-------------
Harden-Windows-Security.ps1 | 352 +++++-------------
2 files changed, 178 insertions(+), 526 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
index 8d7e0c80e..f9bb345cd 100644
--- a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
@@ -1948,165 +1948,97 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# since PowerShell Core (only if installed from Microsoft Store) has problem with these commands, making sure the built-in PowerShell handles them
# There are Github issues for it already: https://github.com/PowerShell/PowerShell/issues/13866
-
- powershell.exe -Command {
-
- # Disable PowerShell v2 (part 1)
- Write-Host -Object "`nDisabling PowerShellv2 1st part" -ForegroundColor Yellow
- if ((Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2).state -eq 'enabled') {
- try {
- Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -NoRestart -ErrorAction Stop
- }
- catch {
- # show errors in non-terminating way
- $_
- }
- }
- else {
- Write-Host -Object 'PowerShellv2 1st part is already disabled' -ForegroundColor Green
- }
-
- # Disable PowerShell v2 (part 2)
- Write-Host -Object "`nDisabling PowerShellv2 2nd part" -ForegroundColor Yellow
- if ((Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root).state -eq 'enabled') {
- try {
- Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart -ErrorAction Stop
- # Shows the successful message only if removal process was successful
- Write-Host -Object 'PowerShellv2 2nd part was successfully disabled' -ForegroundColor Green
- }
- catch {
- # show errors in non-terminating way
- $_
- }
- }
- else {
- Write-Host -Object 'PowerShellv2 2nd part is already disabled' -ForegroundColor Green
- }
-
- # Disable Work Folders client
- Write-Host -Object "`nDisabling Work Folders" -ForegroundColor Yellow
- if ((Get-WindowsOptionalFeature -Online -FeatureName WorkFolders-Client).state -eq 'enabled') {
- try {
- Disable-WindowsOptionalFeature -Online -FeatureName WorkFolders-Client -NoRestart -ErrorAction Stop
- # Shows the successful message only if removal process was successful
- Write-Host -Object 'Work Folders was successfully disabled' -ForegroundColor Green
- }
- catch {
- #show error
- $_
- }
- }
- else {
- Write-Host -Object 'Work Folders is already disabled' -ForegroundColor Green
- }
-
- # Disable Internet Printing Client
- Write-Host -Object "`nDisabling Internet Printing Client" -ForegroundColor Yellow
- if ((Get-WindowsOptionalFeature -Online -FeatureName Printing-Foundation-Features).state -eq 'enabled') {
- try {
- Disable-WindowsOptionalFeature -Online -FeatureName Printing-Foundation-Features -NoRestart -ErrorAction Stop
- # Shows the successful message only if removal process was successful
- Write-Host -Object 'Internet Printing Client was successfully disabled' -ForegroundColor Green
- }
- catch {
- # show errors in non-terminating way
- $_
- }
- }
- else {
- Write-Host -Object 'Internet Printing Client is already disabled' -ForegroundColor Green
- }
-
- # Uninstall Windows Media Player (legacy)
- Write-Host -Object "`nUninstalling Windows Media Player (legacy)" -ForegroundColor Yellow
- if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Media.WindowsMediaPlayer*' }).state -ne 'NotPresent') {
- try {
- Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Media.WindowsMediaPlayer*' } | Remove-WindowsCapability -Online -ErrorAction Stop
- # Shows the successful message only if removal process was successful
- Write-Host -Object 'Windows Media Player (legacy) has been uninstalled.' -ForegroundColor Green
- }
- catch {
- # show errors in non-terminating way
- $_
- }
- }
- else {
- Write-Host -Object 'Windows Media Player (legacy) is already uninstalled.' -ForegroundColor Green
- }
-
- # Enable Microsoft Defender Application Guard
- Write-Host -Object "`nEnabling Microsoft Defender Application Guard" -ForegroundColor Yellow
- if ((Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard).state -eq 'disabled') {
- try {
- Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart -ErrorAction Stop
- # Shows the successful message only if enablement process was successful
- Write-Host -Object 'Microsoft Defender Application Guard was successfully enabled' -ForegroundColor Green
- }
- catch {
- # show errors in non-terminating way
- $_
- }
- }
- else {
- Write-Host -Object 'Microsoft Defender Application Guard is already enabled' -ForegroundColor Green
- }
-
- }
-
- # Need to split the commands in 2 scriptblocks so we don't get "program PowerShell.exe failed to run: The filename or extension is too long" error
- powershell.exe -Command {
-
- # Enable Windows Sandbox
- Write-Host -Object "`nEnabling Windows Sandbox" -ForegroundColor Yellow
- if ((Get-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM).state -eq 'disabled') {
- try {
- Enable-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM -All -NoRestart -ErrorAction Stop
- # Shows the successful message only if enablement process was successful
- Write-Host -Object 'Windows Sandbox was successfully enabled' -ForegroundColor Green
- }
- catch {
- # show errors in non-terminating way
- $_
- }
- }
- else {
- Write-Host -Object 'Windows Sandbox is already enabled' -ForegroundColor Green
- }
-
- # Enable Hyper-V
- Write-Host -Object "`nEnabling Hyper-V" -ForegroundColor Yellow
- if ((Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V).state -eq 'disabled') {
- try {
- Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart -ErrorAction Stop
- # Shows the successful message only if enablement process was successful
- Write-Host -Object 'Hyper-V was successfully enabled' -ForegroundColor Green
- }
- catch {
- # show errors in non-terminating way
- $_
- }
- }
- else {
- Write-Host -Object 'Hyper-V is already enabled' -ForegroundColor Green
- }
-
- # Enable Virtual Machine Platform
- Write-Host -Object "`nEnabling Virtual Machine Platform" -ForegroundColor Yellow
- if ((Get-WindowsOptionalFeature -Online -FeatureName VirtualMachinePlatform).state -eq 'disabled') {
- try {
- Enable-WindowsOptionalFeature -Online -FeatureName VirtualMachinePlatform -NoRestart -ErrorAction Stop
- # Shows the successful message only if enablement process was successful
- Write-Host -Object 'Virtual Machine Platform was successfully enabled' -ForegroundColor Green
- }
- catch {
- # show errors in non-terminating way
- $_
+ Powershell.exe -command {
+ function Edit-Addons {
+ <#
+ .SYNOPSIS
+ A function to enable or disable Windows features and capabilities.
+ .INPUTS
+ System.String
+ .OUTPUTS
+ System.String
+ #>
+ param (
+ [CmdletBinding()]
+ [parameter(Mandatory = $true)]
+ [ValidateSet('Capability', 'Feature')]
+ [System.String]$Type,
+ [parameter(Mandatory = $true, ParameterSetName = 'Capability')]
+ [System.String]$CapabilityName,
+ [parameter(Mandatory = $true, ParameterSetName = 'Feature')]
+ [System.String]$FeatureName,
+ [parameter(Mandatory = $true, ParameterSetName = 'Feature')]
+ [ValidateSet('Enabling', 'Disabling')]
+ [System.String]$FeatureAction
+ )
+ switch ($Type) {
+ 'Feature' {
+ if ($FeatureAction -eq 'Enabling') {
+ $ActionCheck = 'disabled'
+ $ActionOutput = 'enabled'
+ }
+ else {
+ $ActionCheck = 'enabled'
+ $ActionOutput = 'disabled'
+ }
+ Write-Host -Object "`n$FeatureAction $FeatureName" -ForegroundColor Yellow
+ if ((Get-WindowsOptionalFeature -Online -FeatureName $FeatureName).state -eq $ActionCheck) {
+ try {
+ if ($FeatureAction -eq 'Enabling') {
+ Enable-WindowsOptionalFeature -Online -FeatureName $FeatureName -All -NoRestart -ErrorAction Stop
+ }
+ else {
+ Disable-WindowsOptionalFeature -Online -FeatureName $FeatureName -NoRestart -ErrorAction Stop
+ }
+ # Shows the successful message only if the process was successful
+ Write-Host -Object "$FeatureName was successfully $ActionOutput" -ForegroundColor Green
+ }
+ catch {
+ # show errors in non-terminating way
+ $_
+ }
+ }
+ else {
+ Write-Host -Object "$FeatureName is already $ActionOutput" -ForegroundColor Green
+ }
+ break
+ }
+ 'Capability' {
+ Write-Host -Object "`nRemoving $CapabilityName" -ForegroundColor Yellow
+ if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like "*$CapabilityName*" }).state -ne 'NotPresent') {
+ try {
+ Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like "*$CapabilityName*" } | Remove-WindowsCapability -Online -ErrorAction Stop
+ # Shows the successful message only if the process was successful
+ Write-Host -Object "$CapabilityName was successfully removed." -ForegroundColor Green
+ }
+ catch {
+ # show errors in non-terminating way
+ $_
+ }
+ }
+ else {
+ Write-Host -Object "$CapabilityName is already removed." -ForegroundColor Green
+ }
+ break
+ }
}
}
- else {
- Write-Host -Object 'Virtual Machine Platform is already enabled' -ForegroundColor Green
- }
-
+ Edit-Addons -Type Feature -FeatureAction Disabling -FeatureName 'MicrosoftWindowsPowerShellV2'
+ Edit-Addons -Type Feature -FeatureAction Disabling -FeatureName 'MicrosoftWindowsPowerShellV2Root'
+ Edit-Addons -Type Feature -FeatureAction Disabling -FeatureName 'WorkFolders-Client'
+ Edit-Addons -Type Feature -FeatureAction Disabling -FeatureName 'Printing-Foundation-Features'
+ Edit-Addons -Type Feature -FeatureAction Enabling -FeatureName 'Windows-Defender-ApplicationGuard'
+ Edit-Addons -Type Feature -FeatureAction Enabling -FeatureName 'Containers-DisposableClientVM'
+ Edit-Addons -Type Feature -FeatureAction Enabling -FeatureName 'Microsoft-Hyper-V'
+ Edit-Addons -Type Feature -FeatureAction Enabling -FeatureName 'VirtualMachinePlatform'
+ Edit-Addons -Type Capability -CapabilityName 'Media.WindowsMediaPlayer'
+ Edit-Addons -Type Capability -CapabilityName 'Browser.InternetExplorer'
+ Edit-Addons -Type Capability -CapabilityName 'wmic'
+ Edit-Addons -Type Capability -CapabilityName 'Microsoft.Windows.Notepad.System'
+ Edit-Addons -Type Capability -CapabilityName 'Microsoft.Windows.WordPad'
+ Edit-Addons -Type Capability -CapabilityName 'Microsoft.Windows.PowerShell.ISE'
+ Edit-Addons -Type Capability -CapabilityName 'App.StepsRecorder'
+
# Uninstall VBScript that is now uninstallable as an optional features since Windows 11 insider Dev build 25309 - Won't do anything in other builds
if (Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*VBSCRIPT*' }) {
try {
@@ -2120,113 +2052,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
$_
}
}
-
- # Uninstall Internet Explorer mode functionality for Edge
- Write-Host -Object "`nUninstalling Internet Explorer mode functionality for Edge" -ForegroundColor Yellow
- if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Browser.InternetExplorer*' }).state -ne 'NotPresent') {
- try {
- Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Browser.InternetExplorer*' } | Remove-WindowsCapability -Online -ErrorAction Stop
- # Shows the successful message only if removal process was successful
- Write-Host -Object 'Internet Explorer mode functionality for Edge has been uninstalled' -ForegroundColor Green
- }
- catch {
- # show errors in non-terminating way
- $_
- }
- }
- else {
- Write-Host -Object 'Internet Explorer mode functionality for Edge is already uninstalled.' -ForegroundColor Green
- }
-
- # Uninstall WMIC
- Write-Host -Object "`nUninstalling WMIC" -ForegroundColor Yellow
- if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*wmic*' }).state -ne 'NotPresent') {
- try {
- Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*wmic*' } | Remove-WindowsCapability -Online -ErrorAction Stop
- # Shows the successful message only if removal process was successful
- Write-Host -Object 'WMIC has been uninstalled' -ForegroundColor Green
- }
- catch {
- # show errors in non-terminating way
- $_
- }
- }
- else {
- Write-Host -Object 'WMIC is already uninstalled.' -ForegroundColor Green
- }
-
- # Uninstall Legacy Notepad
- Write-Host -Object "`nUninstalling Legacy Notepad" -ForegroundColor Yellow
- if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Microsoft.Windows.Notepad.System*' }).state -ne 'NotPresent') {
- try {
- Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Microsoft.Windows.Notepad.System*' } | Remove-WindowsCapability -Online -ErrorAction Stop
- # Shows the successful message only if removal process was successful
- Write-Host -Object 'Legacy Notepad has been uninstalled. The modern multi-tabbed Notepad is unaffected.' -ForegroundColor Green
- }
- catch {
- # show errors in non-terminating way
- $_
- }
- }
- else {
- Write-Host -Object 'Legacy Notepad is already uninstalled.' -ForegroundColor Green
- }
-
- # Uninstall WordPad
- Write-Host -Object "`nUninstalling WordPad" -ForegroundColor Yellow
- if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Microsoft.Windows.WordPad*' }).state -ne 'NotPresent') {
- try {
- Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Microsoft.Windows.WordPad*' } | Remove-WindowsCapability -Online -ErrorAction Stop
- # Shows the successful message only if removal process was successful
- Write-Host -Object 'WordPad has been uninstalled.' -ForegroundColor Green
- }
- catch {
- # show errors in non-terminating way
- $_
- }
- }
- else {
- Write-Host -Object 'WordPad is already uninstalled.' -ForegroundColor Green
- }
-
- # Uninstall PowerShell ISE
- Write-Host -Object "`nUninstalling PowerShell ISE" -ForegroundColor Yellow
- if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Microsoft.Windows.PowerShell.ISE*' }).state -ne 'NotPresent') {
- try {
- Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Microsoft.Windows.PowerShell.ISE*' } | Remove-WindowsCapability -Online -ErrorAction Stop
- # Shows the successful message only if removal process was successful
- Write-Host -Object 'PowerShell ISE has been uninstalled.' -ForegroundColor Green
- }
- catch {
- # show errors in non-terminating way
- $_
- }
- }
- else {
- Write-Host -Object 'PowerShell ISE is already uninstalled.' -ForegroundColor Green
- }
}
-
- powershell.exe -Command {
-
- # Uninstall Steps Recorder
- Write-Host -Object "`nUninstalling Steps Recorder" -ForegroundColor Yellow
- if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*App.StepsRecorder*' }).state -ne 'NotPresent') {
- try {
- Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*App.StepsRecorder*' } | Remove-WindowsCapability -Online -ErrorAction Stop
- # Shows the successful message only if removal process was successful
- Write-Host -Object 'Steps Recorder has been uninstalled.' -ForegroundColor Green
- }
- catch {
- # show errors in non-terminating way
- $_
- }
- }
- else {
- Write-Host -Object 'Steps Recorder is already uninstalled.' -ForegroundColor Green
- }
- }
-
} 'No' { break }
'Exit' { &$CleanUp }
}
diff --git a/Harden-Windows-Security.ps1 b/Harden-Windows-Security.ps1
index f04786adb..560ccc828 100644
--- a/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security.ps1
@@ -1948,165 +1948,97 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# since PowerShell Core (only if installed from Microsoft Store) has problem with these commands, making sure the built-in PowerShell handles them
# There are Github issues for it already: https://github.com/PowerShell/PowerShell/issues/13866
-
- powershell.exe -Command {
-
- # Disable PowerShell v2 (part 1)
- Write-Host -Object "`nDisabling PowerShellv2 1st part" -ForegroundColor Yellow
- if ((Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2).state -eq 'enabled') {
- try {
- Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -NoRestart -ErrorAction Stop
- }
- catch {
- # show errors in non-terminating way
- $_
- }
- }
- else {
- Write-Host -Object 'PowerShellv2 1st part is already disabled' -ForegroundColor Green
- }
-
- # Disable PowerShell v2 (part 2)
- Write-Host -Object "`nDisabling PowerShellv2 2nd part" -ForegroundColor Yellow
- if ((Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root).state -eq 'enabled') {
- try {
- Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart -ErrorAction Stop
- # Shows the successful message only if removal process was successful
- Write-Host -Object 'PowerShellv2 2nd part was successfully disabled' -ForegroundColor Green
- }
- catch {
- # show errors in non-terminating way
- $_
- }
- }
- else {
- Write-Host -Object 'PowerShellv2 2nd part is already disabled' -ForegroundColor Green
- }
-
- # Disable Work Folders client
- Write-Host -Object "`nDisabling Work Folders" -ForegroundColor Yellow
- if ((Get-WindowsOptionalFeature -Online -FeatureName WorkFolders-Client).state -eq 'enabled') {
- try {
- Disable-WindowsOptionalFeature -Online -FeatureName WorkFolders-Client -NoRestart -ErrorAction Stop
- # Shows the successful message only if removal process was successful
- Write-Host -Object 'Work Folders was successfully disabled' -ForegroundColor Green
- }
- catch {
- #show error
- $_
- }
- }
- else {
- Write-Host -Object 'Work Folders is already disabled' -ForegroundColor Green
- }
-
- # Disable Internet Printing Client
- Write-Host -Object "`nDisabling Internet Printing Client" -ForegroundColor Yellow
- if ((Get-WindowsOptionalFeature -Online -FeatureName Printing-Foundation-Features).state -eq 'enabled') {
- try {
- Disable-WindowsOptionalFeature -Online -FeatureName Printing-Foundation-Features -NoRestart -ErrorAction Stop
- # Shows the successful message only if removal process was successful
- Write-Host -Object 'Internet Printing Client was successfully disabled' -ForegroundColor Green
- }
- catch {
- # show errors in non-terminating way
- $_
- }
- }
- else {
- Write-Host -Object 'Internet Printing Client is already disabled' -ForegroundColor Green
- }
-
- # Uninstall Windows Media Player (legacy)
- Write-Host -Object "`nUninstalling Windows Media Player (legacy)" -ForegroundColor Yellow
- if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Media.WindowsMediaPlayer*' }).state -ne 'NotPresent') {
- try {
- Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Media.WindowsMediaPlayer*' } | Remove-WindowsCapability -Online -ErrorAction Stop
- # Shows the successful message only if removal process was successful
- Write-Host -Object 'Windows Media Player (legacy) has been uninstalled.' -ForegroundColor Green
- }
- catch {
- # show errors in non-terminating way
- $_
- }
- }
- else {
- Write-Host -Object 'Windows Media Player (legacy) is already uninstalled.' -ForegroundColor Green
- }
-
- # Enable Microsoft Defender Application Guard
- Write-Host -Object "`nEnabling Microsoft Defender Application Guard" -ForegroundColor Yellow
- if ((Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard).state -eq 'disabled') {
- try {
- Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart -ErrorAction Stop
- # Shows the successful message only if enablement process was successful
- Write-Host -Object 'Microsoft Defender Application Guard was successfully enabled' -ForegroundColor Green
- }
- catch {
- # show errors in non-terminating way
- $_
- }
- }
- else {
- Write-Host -Object 'Microsoft Defender Application Guard is already enabled' -ForegroundColor Green
- }
-
- }
-
- # Need to split the commands in 2 scriptblocks so we don't get "program PowerShell.exe failed to run: The filename or extension is too long" error
- powershell.exe -Command {
-
- # Enable Windows Sandbox
- Write-Host -Object "`nEnabling Windows Sandbox" -ForegroundColor Yellow
- if ((Get-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM).state -eq 'disabled') {
- try {
- Enable-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM -All -NoRestart -ErrorAction Stop
- # Shows the successful message only if enablement process was successful
- Write-Host -Object 'Windows Sandbox was successfully enabled' -ForegroundColor Green
- }
- catch {
- # show errors in non-terminating way
- $_
- }
- }
- else {
- Write-Host -Object 'Windows Sandbox is already enabled' -ForegroundColor Green
- }
-
- # Enable Hyper-V
- Write-Host -Object "`nEnabling Hyper-V" -ForegroundColor Yellow
- if ((Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V).state -eq 'disabled') {
- try {
- Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart -ErrorAction Stop
- # Shows the successful message only if enablement process was successful
- Write-Host -Object 'Hyper-V was successfully enabled' -ForegroundColor Green
- }
- catch {
- # show errors in non-terminating way
- $_
- }
- }
- else {
- Write-Host -Object 'Hyper-V is already enabled' -ForegroundColor Green
- }
-
- # Enable Virtual Machine Platform
- Write-Host -Object "`nEnabling Virtual Machine Platform" -ForegroundColor Yellow
- if ((Get-WindowsOptionalFeature -Online -FeatureName VirtualMachinePlatform).state -eq 'disabled') {
- try {
- Enable-WindowsOptionalFeature -Online -FeatureName VirtualMachinePlatform -NoRestart -ErrorAction Stop
- # Shows the successful message only if enablement process was successful
- Write-Host -Object 'Virtual Machine Platform was successfully enabled' -ForegroundColor Green
- }
- catch {
- # show errors in non-terminating way
- $_
+ Powershell.exe -command {
+ function Edit-Addons {
+ <#
+ .SYNOPSIS
+ A function to enable or disable Windows features and capabilities.
+ .INPUTS
+ System.String
+ .OUTPUTS
+ System.String
+ #>
+ param (
+ [CmdletBinding()]
+ [parameter(Mandatory = $true)]
+ [ValidateSet('Capability', 'Feature')]
+ [System.String]$Type,
+ [parameter(Mandatory = $true, ParameterSetName = 'Capability')]
+ [System.String]$CapabilityName,
+ [parameter(Mandatory = $true, ParameterSetName = 'Feature')]
+ [System.String]$FeatureName,
+ [parameter(Mandatory = $true, ParameterSetName = 'Feature')]
+ [ValidateSet('Enabling', 'Disabling')]
+ [System.String]$FeatureAction
+ )
+ switch ($Type) {
+ 'Feature' {
+ if ($FeatureAction -eq 'Enabling') {
+ $ActionCheck = 'disabled'
+ $ActionOutput = 'enabled'
+ }
+ else {
+ $ActionCheck = 'enabled'
+ $ActionOutput = 'disabled'
+ }
+ Write-Host -Object "`n$FeatureAction $FeatureName" -ForegroundColor Yellow
+ if ((Get-WindowsOptionalFeature -Online -FeatureName $FeatureName).state -eq $ActionCheck) {
+ try {
+ if ($FeatureAction -eq 'Enabling') {
+ Enable-WindowsOptionalFeature -Online -FeatureName $FeatureName -All -NoRestart -ErrorAction Stop
+ }
+ else {
+ Disable-WindowsOptionalFeature -Online -FeatureName $FeatureName -NoRestart -ErrorAction Stop
+ }
+ # Shows the successful message only if the process was successful
+ Write-Host -Object "$FeatureName was successfully $ActionOutput" -ForegroundColor Green
+ }
+ catch {
+ # show errors in non-terminating way
+ $_
+ }
+ }
+ else {
+ Write-Host -Object "$FeatureName is already $ActionOutput" -ForegroundColor Green
+ }
+ break
+ }
+ 'Capability' {
+ Write-Host -Object "`nRemoving $CapabilityName" -ForegroundColor Yellow
+ if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like "*$CapabilityName*" }).state -ne 'NotPresent') {
+ try {
+ Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like "*$CapabilityName*" } | Remove-WindowsCapability -Online -ErrorAction Stop
+ # Shows the successful message only if the process was successful
+ Write-Host -Object "$CapabilityName was successfully removed." -ForegroundColor Green
+ }
+ catch {
+ # show errors in non-terminating way
+ $_
+ }
+ }
+ else {
+ Write-Host -Object "$CapabilityName is already removed." -ForegroundColor Green
+ }
+ break
+ }
}
}
- else {
- Write-Host -Object 'Virtual Machine Platform is already enabled' -ForegroundColor Green
- }
-
+ Edit-Addons -Type Feature -FeatureAction Disabling -FeatureName 'MicrosoftWindowsPowerShellV2'
+ Edit-Addons -Type Feature -FeatureAction Disabling -FeatureName 'MicrosoftWindowsPowerShellV2Root'
+ Edit-Addons -Type Feature -FeatureAction Disabling -FeatureName 'WorkFolders-Client'
+ Edit-Addons -Type Feature -FeatureAction Disabling -FeatureName 'Printing-Foundation-Features'
+ Edit-Addons -Type Feature -FeatureAction Enabling -FeatureName 'Windows-Defender-ApplicationGuard'
+ Edit-Addons -Type Feature -FeatureAction Enabling -FeatureName 'Containers-DisposableClientVM'
+ Edit-Addons -Type Feature -FeatureAction Enabling -FeatureName 'Microsoft-Hyper-V'
+ Edit-Addons -Type Feature -FeatureAction Enabling -FeatureName 'VirtualMachinePlatform'
+ Edit-Addons -Type Capability -CapabilityName 'Media.WindowsMediaPlayer'
+ Edit-Addons -Type Capability -CapabilityName 'Browser.InternetExplorer'
+ Edit-Addons -Type Capability -CapabilityName 'wmic'
+ Edit-Addons -Type Capability -CapabilityName 'Microsoft.Windows.Notepad.System'
+ Edit-Addons -Type Capability -CapabilityName 'Microsoft.Windows.WordPad'
+ Edit-Addons -Type Capability -CapabilityName 'Microsoft.Windows.PowerShell.ISE'
+ Edit-Addons -Type Capability -CapabilityName 'App.StepsRecorder'
+
# Uninstall VBScript that is now uninstallable as an optional features since Windows 11 insider Dev build 25309 - Won't do anything in other builds
if (Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*VBSCRIPT*' }) {
try {
@@ -2120,113 +2052,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
$_
}
}
-
- # Uninstall Internet Explorer mode functionality for Edge
- Write-Host -Object "`nUninstalling Internet Explorer mode functionality for Edge" -ForegroundColor Yellow
- if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Browser.InternetExplorer*' }).state -ne 'NotPresent') {
- try {
- Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Browser.InternetExplorer*' } | Remove-WindowsCapability -Online -ErrorAction Stop
- # Shows the successful message only if removal process was successful
- Write-Host -Object 'Internet Explorer mode functionality for Edge has been uninstalled' -ForegroundColor Green
- }
- catch {
- # show errors in non-terminating way
- $_
- }
- }
- else {
- Write-Host -Object 'Internet Explorer mode functionality for Edge is already uninstalled.' -ForegroundColor Green
- }
-
- # Uninstall WMIC
- Write-Host -Object "`nUninstalling WMIC" -ForegroundColor Yellow
- if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*wmic*' }).state -ne 'NotPresent') {
- try {
- Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*wmic*' } | Remove-WindowsCapability -Online -ErrorAction Stop
- # Shows the successful message only if removal process was successful
- Write-Host -Object 'WMIC has been uninstalled' -ForegroundColor Green
- }
- catch {
- # show errors in non-terminating way
- $_
- }
- }
- else {
- Write-Host -Object 'WMIC is already uninstalled.' -ForegroundColor Green
- }
-
- # Uninstall Legacy Notepad
- Write-Host -Object "`nUninstalling Legacy Notepad" -ForegroundColor Yellow
- if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Microsoft.Windows.Notepad.System*' }).state -ne 'NotPresent') {
- try {
- Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Microsoft.Windows.Notepad.System*' } | Remove-WindowsCapability -Online -ErrorAction Stop
- # Shows the successful message only if removal process was successful
- Write-Host -Object 'Legacy Notepad has been uninstalled. The modern multi-tabbed Notepad is unaffected.' -ForegroundColor Green
- }
- catch {
- # show errors in non-terminating way
- $_
- }
- }
- else {
- Write-Host -Object 'Legacy Notepad is already uninstalled.' -ForegroundColor Green
- }
-
- # Uninstall WordPad
- Write-Host -Object "`nUninstalling WordPad" -ForegroundColor Yellow
- if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Microsoft.Windows.WordPad*' }).state -ne 'NotPresent') {
- try {
- Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Microsoft.Windows.WordPad*' } | Remove-WindowsCapability -Online -ErrorAction Stop
- # Shows the successful message only if removal process was successful
- Write-Host -Object 'WordPad has been uninstalled.' -ForegroundColor Green
- }
- catch {
- # show errors in non-terminating way
- $_
- }
- }
- else {
- Write-Host -Object 'WordPad is already uninstalled.' -ForegroundColor Green
- }
-
- # Uninstall PowerShell ISE
- Write-Host -Object "`nUninstalling PowerShell ISE" -ForegroundColor Yellow
- if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Microsoft.Windows.PowerShell.ISE*' }).state -ne 'NotPresent') {
- try {
- Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*Microsoft.Windows.PowerShell.ISE*' } | Remove-WindowsCapability -Online -ErrorAction Stop
- # Shows the successful message only if removal process was successful
- Write-Host -Object 'PowerShell ISE has been uninstalled.' -ForegroundColor Green
- }
- catch {
- # show errors in non-terminating way
- $_
- }
- }
- else {
- Write-Host -Object 'PowerShell ISE is already uninstalled.' -ForegroundColor Green
- }
}
-
- powershell.exe -Command {
-
- # Uninstall Steps Recorder
- Write-Host -Object "`nUninstalling Steps Recorder" -ForegroundColor Yellow
- if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*App.StepsRecorder*' }).state -ne 'NotPresent') {
- try {
- Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*App.StepsRecorder*' } | Remove-WindowsCapability -Online -ErrorAction Stop
- # Shows the successful message only if removal process was successful
- Write-Host -Object 'Steps Recorder has been uninstalled.' -ForegroundColor Green
- }
- catch {
- # show errors in non-terminating way
- $_
- }
- }
- else {
- Write-Host -Object 'Steps Recorder is already uninstalled.' -ForegroundColor Green
- }
- }
-
} 'No' { break }
'Exit' { &$CleanUp }
}
From 561ef3e73b5a5b780fafa229023783e24fdd71e3 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Thu, 14 Dec 2023 06:20:22 -0930
Subject: [PATCH 41/79] Removed trailing whitespace
---
.../Main files/Resources/Harden-Windows-Security.ps1 | 12 ++++++------
Harden-Windows-Security.ps1 | 12 ++++++------
2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
index f9bb345cd..9355b07dc 100644
--- a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
@@ -1966,11 +1966,11 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
[parameter(Mandatory = $true, ParameterSetName = 'Capability')]
[System.String]$CapabilityName,
[parameter(Mandatory = $true, ParameterSetName = 'Feature')]
- [System.String]$FeatureName,
+ [System.String]$FeatureName,
[parameter(Mandatory = $true, ParameterSetName = 'Feature')]
[ValidateSet('Enabling', 'Disabling')]
[System.String]$FeatureAction
- )
+ )
switch ($Type) {
'Feature' {
if ($FeatureAction -eq 'Enabling') {
@@ -1991,7 +1991,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Disable-WindowsOptionalFeature -Online -FeatureName $FeatureName -NoRestart -ErrorAction Stop
}
# Shows the successful message only if the process was successful
- Write-Host -Object "$FeatureName was successfully $ActionOutput" -ForegroundColor Green
+ Write-Host -Object "$FeatureName was successfully $ActionOutput" -ForegroundColor Green
}
catch {
# show errors in non-terminating way
@@ -2006,7 +2006,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
'Capability' {
Write-Host -Object "`nRemoving $CapabilityName" -ForegroundColor Yellow
if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like "*$CapabilityName*" }).state -ne 'NotPresent') {
- try {
+ try {
Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like "*$CapabilityName*" } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if the process was successful
Write-Host -Object "$CapabilityName was successfully removed." -ForegroundColor Green
@@ -2020,7 +2020,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object "$CapabilityName is already removed." -ForegroundColor Green
}
break
- }
+ }
}
}
Edit-Addons -Type Feature -FeatureAction Disabling -FeatureName 'MicrosoftWindowsPowerShellV2'
@@ -2038,7 +2038,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Edit-Addons -Type Capability -CapabilityName 'Microsoft.Windows.WordPad'
Edit-Addons -Type Capability -CapabilityName 'Microsoft.Windows.PowerShell.ISE'
Edit-Addons -Type Capability -CapabilityName 'App.StepsRecorder'
-
+
# Uninstall VBScript that is now uninstallable as an optional features since Windows 11 insider Dev build 25309 - Won't do anything in other builds
if (Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*VBSCRIPT*' }) {
try {
diff --git a/Harden-Windows-Security.ps1 b/Harden-Windows-Security.ps1
index 560ccc828..4a30530c8 100644
--- a/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security.ps1
@@ -1966,11 +1966,11 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
[parameter(Mandatory = $true, ParameterSetName = 'Capability')]
[System.String]$CapabilityName,
[parameter(Mandatory = $true, ParameterSetName = 'Feature')]
- [System.String]$FeatureName,
+ [System.String]$FeatureName,
[parameter(Mandatory = $true, ParameterSetName = 'Feature')]
[ValidateSet('Enabling', 'Disabling')]
[System.String]$FeatureAction
- )
+ )
switch ($Type) {
'Feature' {
if ($FeatureAction -eq 'Enabling') {
@@ -1991,7 +1991,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Disable-WindowsOptionalFeature -Online -FeatureName $FeatureName -NoRestart -ErrorAction Stop
}
# Shows the successful message only if the process was successful
- Write-Host -Object "$FeatureName was successfully $ActionOutput" -ForegroundColor Green
+ Write-Host -Object "$FeatureName was successfully $ActionOutput" -ForegroundColor Green
}
catch {
# show errors in non-terminating way
@@ -2006,7 +2006,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
'Capability' {
Write-Host -Object "`nRemoving $CapabilityName" -ForegroundColor Yellow
if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like "*$CapabilityName*" }).state -ne 'NotPresent') {
- try {
+ try {
Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like "*$CapabilityName*" } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if the process was successful
Write-Host -Object "$CapabilityName was successfully removed." -ForegroundColor Green
@@ -2020,7 +2020,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object "$CapabilityName is already removed." -ForegroundColor Green
}
break
- }
+ }
}
}
Edit-Addons -Type Feature -FeatureAction Disabling -FeatureName 'MicrosoftWindowsPowerShellV2'
@@ -2038,7 +2038,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Edit-Addons -Type Capability -CapabilityName 'Microsoft.Windows.WordPad'
Edit-Addons -Type Capability -CapabilityName 'Microsoft.Windows.PowerShell.ISE'
Edit-Addons -Type Capability -CapabilityName 'App.StepsRecorder'
-
+
# Uninstall VBScript that is now uninstallable as an optional features since Windows 11 insider Dev build 25309 - Won't do anything in other builds
if (Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*VBSCRIPT*' }) {
try {
From cfcc4e0368b4492f133cae0c5b8917abce9a6284 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Thu, 14 Dec 2023 06:37:27 -0930
Subject: [PATCH 42/79] Improved DISM module usage
---
.../Resources/Harden-Windows-Security.ps1 | 174 +++++++++---------
Harden-Windows-Security.ps1 | 174 +++++++++---------
2 files changed, 172 insertions(+), 176 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
index 9355b07dc..ea2104594 100644
--- a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
@@ -1946,11 +1946,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
'Yes' {
Write-Progress -Id 0 -Activity 'Optional Windows Features' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
- # since PowerShell Core (only if installed from Microsoft Store) has problem with these commands, making sure the built-in PowerShell handles them
- # There are Github issues for it already: https://github.com/PowerShell/PowerShell/issues/13866
- Powershell.exe -command {
- function Edit-Addons {
- <#
+ # PowerShell Core (only if installed from Microsoft Store) has problem with these commands: https://github.com/PowerShell/PowerShell/issues/13866#issuecomment-1519066710
+ Import-Module -Name 'DISM' -UseWindowsPowerShell -Force -WarningAction SilentlyContinue
+ function Edit-Addons {
+ <#
.SYNOPSIS
A function to enable or disable Windows features and capabilities.
.INPUTS
@@ -1958,99 +1957,98 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
.OUTPUTS
System.String
#>
- param (
- [CmdletBinding()]
- [parameter(Mandatory = $true)]
- [ValidateSet('Capability', 'Feature')]
- [System.String]$Type,
- [parameter(Mandatory = $true, ParameterSetName = 'Capability')]
- [System.String]$CapabilityName,
- [parameter(Mandatory = $true, ParameterSetName = 'Feature')]
- [System.String]$FeatureName,
- [parameter(Mandatory = $true, ParameterSetName = 'Feature')]
- [ValidateSet('Enabling', 'Disabling')]
- [System.String]$FeatureAction
- )
- switch ($Type) {
- 'Feature' {
- if ($FeatureAction -eq 'Enabling') {
- $ActionCheck = 'disabled'
- $ActionOutput = 'enabled'
- }
- else {
- $ActionCheck = 'enabled'
- $ActionOutput = 'disabled'
- }
- Write-Host -Object "`n$FeatureAction $FeatureName" -ForegroundColor Yellow
- if ((Get-WindowsOptionalFeature -Online -FeatureName $FeatureName).state -eq $ActionCheck) {
- try {
- if ($FeatureAction -eq 'Enabling') {
- Enable-WindowsOptionalFeature -Online -FeatureName $FeatureName -All -NoRestart -ErrorAction Stop
- }
- else {
- Disable-WindowsOptionalFeature -Online -FeatureName $FeatureName -NoRestart -ErrorAction Stop
- }
- # Shows the successful message only if the process was successful
- Write-Host -Object "$FeatureName was successfully $ActionOutput" -ForegroundColor Green
+ param (
+ [CmdletBinding()]
+ [parameter(Mandatory = $true)]
+ [ValidateSet('Capability', 'Feature')]
+ [System.String]$Type,
+ [parameter(Mandatory = $true, ParameterSetName = 'Capability')]
+ [System.String]$CapabilityName,
+ [parameter(Mandatory = $true, ParameterSetName = 'Feature')]
+ [System.String]$FeatureName,
+ [parameter(Mandatory = $true, ParameterSetName = 'Feature')]
+ [ValidateSet('Enabling', 'Disabling')]
+ [System.String]$FeatureAction
+ )
+ switch ($Type) {
+ 'Feature' {
+ if ($FeatureAction -eq 'Enabling') {
+ $ActionCheck = 'disabled'
+ $ActionOutput = 'enabled'
+ }
+ else {
+ $ActionCheck = 'enabled'
+ $ActionOutput = 'disabled'
+ }
+ Write-Host -Object "`n$FeatureAction $FeatureName" -ForegroundColor Yellow
+ if ((Get-WindowsOptionalFeature -Online -FeatureName $FeatureName).state -eq $ActionCheck) {
+ try {
+ if ($FeatureAction -eq 'Enabling') {
+ Enable-WindowsOptionalFeature -Online -FeatureName $FeatureName -All -NoRestart -ErrorAction Stop
}
- catch {
- # show errors in non-terminating way
- $_
+ else {
+ Disable-WindowsOptionalFeature -Online -FeatureName $FeatureName -NoRestart -ErrorAction Stop
}
+ # Shows the successful message only if the process was successful
+ Write-Host -Object "$FeatureName was successfully $ActionOutput" -ForegroundColor Green
}
- else {
- Write-Host -Object "$FeatureName is already $ActionOutput" -ForegroundColor Green
+ catch {
+ # show errors in non-terminating way
+ $_
}
- break
}
- 'Capability' {
- Write-Host -Object "`nRemoving $CapabilityName" -ForegroundColor Yellow
- if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like "*$CapabilityName*" }).state -ne 'NotPresent') {
- try {
- Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like "*$CapabilityName*" } | Remove-WindowsCapability -Online -ErrorAction Stop
- # Shows the successful message only if the process was successful
- Write-Host -Object "$CapabilityName was successfully removed." -ForegroundColor Green
- }
- catch {
- # show errors in non-terminating way
- $_
- }
+ else {
+ Write-Host -Object "$FeatureName is already $ActionOutput" -ForegroundColor Green
+ }
+ break
+ }
+ 'Capability' {
+ Write-Host -Object "`nRemoving $CapabilityName" -ForegroundColor Yellow
+ if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like "*$CapabilityName*" }).state -ne 'NotPresent') {
+ try {
+ Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like "*$CapabilityName*" } | Remove-WindowsCapability -Online -ErrorAction Stop
+ # Shows the successful message only if the process was successful
+ Write-Host -Object "$CapabilityName was successfully removed." -ForegroundColor Green
}
- else {
- Write-Host -Object "$CapabilityName is already removed." -ForegroundColor Green
+ catch {
+ # show errors in non-terminating way
+ $_
}
- break
}
+ else {
+ Write-Host -Object "$CapabilityName is already removed." -ForegroundColor Green
+ }
+ break
}
}
- Edit-Addons -Type Feature -FeatureAction Disabling -FeatureName 'MicrosoftWindowsPowerShellV2'
- Edit-Addons -Type Feature -FeatureAction Disabling -FeatureName 'MicrosoftWindowsPowerShellV2Root'
- Edit-Addons -Type Feature -FeatureAction Disabling -FeatureName 'WorkFolders-Client'
- Edit-Addons -Type Feature -FeatureAction Disabling -FeatureName 'Printing-Foundation-Features'
- Edit-Addons -Type Feature -FeatureAction Enabling -FeatureName 'Windows-Defender-ApplicationGuard'
- Edit-Addons -Type Feature -FeatureAction Enabling -FeatureName 'Containers-DisposableClientVM'
- Edit-Addons -Type Feature -FeatureAction Enabling -FeatureName 'Microsoft-Hyper-V'
- Edit-Addons -Type Feature -FeatureAction Enabling -FeatureName 'VirtualMachinePlatform'
- Edit-Addons -Type Capability -CapabilityName 'Media.WindowsMediaPlayer'
- Edit-Addons -Type Capability -CapabilityName 'Browser.InternetExplorer'
- Edit-Addons -Type Capability -CapabilityName 'wmic'
- Edit-Addons -Type Capability -CapabilityName 'Microsoft.Windows.Notepad.System'
- Edit-Addons -Type Capability -CapabilityName 'Microsoft.Windows.WordPad'
- Edit-Addons -Type Capability -CapabilityName 'Microsoft.Windows.PowerShell.ISE'
- Edit-Addons -Type Capability -CapabilityName 'App.StepsRecorder'
-
- # Uninstall VBScript that is now uninstallable as an optional features since Windows 11 insider Dev build 25309 - Won't do anything in other builds
- if (Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*VBSCRIPT*' }) {
- try {
- Write-Host -Object "`nUninstalling VBSCRIPT" -ForegroundColor Yellow
- Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*VBSCRIPT*' } | Remove-WindowsCapability -Online -ErrorAction Stop
- # Shows the successful message only if removal process was successful
- Write-Host -Object 'VBSCRIPT has been uninstalled' -ForegroundColor Green
- }
- catch {
- # show errors in non-terminating way
- $_
- }
+ }
+ Edit-Addons -Type Feature -FeatureAction Disabling -FeatureName 'MicrosoftWindowsPowerShellV2'
+ Edit-Addons -Type Feature -FeatureAction Disabling -FeatureName 'MicrosoftWindowsPowerShellV2Root'
+ Edit-Addons -Type Feature -FeatureAction Disabling -FeatureName 'WorkFolders-Client'
+ Edit-Addons -Type Feature -FeatureAction Disabling -FeatureName 'Printing-Foundation-Features'
+ Edit-Addons -Type Feature -FeatureAction Enabling -FeatureName 'Windows-Defender-ApplicationGuard'
+ Edit-Addons -Type Feature -FeatureAction Enabling -FeatureName 'Containers-DisposableClientVM'
+ Edit-Addons -Type Feature -FeatureAction Enabling -FeatureName 'Microsoft-Hyper-V'
+ Edit-Addons -Type Feature -FeatureAction Enabling -FeatureName 'VirtualMachinePlatform'
+ Edit-Addons -Type Capability -CapabilityName 'Media.WindowsMediaPlayer'
+ Edit-Addons -Type Capability -CapabilityName 'Browser.InternetExplorer'
+ Edit-Addons -Type Capability -CapabilityName 'wmic'
+ Edit-Addons -Type Capability -CapabilityName 'Microsoft.Windows.Notepad.System'
+ Edit-Addons -Type Capability -CapabilityName 'Microsoft.Windows.WordPad'
+ Edit-Addons -Type Capability -CapabilityName 'Microsoft.Windows.PowerShell.ISE'
+ Edit-Addons -Type Capability -CapabilityName 'App.StepsRecorder'
+
+ # Uninstall VBScript that is now uninstallable as an optional features since Windows 11 insider Dev build 25309 - Won't do anything in other builds
+ if (Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*VBSCRIPT*' }) {
+ try {
+ Write-Host -Object "`nUninstalling VBSCRIPT" -ForegroundColor Yellow
+ Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*VBSCRIPT*' } | Remove-WindowsCapability -Online -ErrorAction Stop
+ # Shows the successful message only if removal process was successful
+ Write-Host -Object 'VBSCRIPT has been uninstalled' -ForegroundColor Green
+ }
+ catch {
+ # show errors in non-terminating way
+ $_
}
}
} 'No' { break }
diff --git a/Harden-Windows-Security.ps1 b/Harden-Windows-Security.ps1
index 4a30530c8..cfada8ce2 100644
--- a/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security.ps1
@@ -1946,11 +1946,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
'Yes' {
Write-Progress -Id 0 -Activity 'Optional Windows Features' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
- # since PowerShell Core (only if installed from Microsoft Store) has problem with these commands, making sure the built-in PowerShell handles them
- # There are Github issues for it already: https://github.com/PowerShell/PowerShell/issues/13866
- Powershell.exe -command {
- function Edit-Addons {
- <#
+ # PowerShell Core (only if installed from Microsoft Store) has problem with these commands: https://github.com/PowerShell/PowerShell/issues/13866#issuecomment-1519066710
+ Import-Module -Name 'DISM' -UseWindowsPowerShell -Force -WarningAction SilentlyContinue
+ function Edit-Addons {
+ <#
.SYNOPSIS
A function to enable or disable Windows features and capabilities.
.INPUTS
@@ -1958,99 +1957,98 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
.OUTPUTS
System.String
#>
- param (
- [CmdletBinding()]
- [parameter(Mandatory = $true)]
- [ValidateSet('Capability', 'Feature')]
- [System.String]$Type,
- [parameter(Mandatory = $true, ParameterSetName = 'Capability')]
- [System.String]$CapabilityName,
- [parameter(Mandatory = $true, ParameterSetName = 'Feature')]
- [System.String]$FeatureName,
- [parameter(Mandatory = $true, ParameterSetName = 'Feature')]
- [ValidateSet('Enabling', 'Disabling')]
- [System.String]$FeatureAction
- )
- switch ($Type) {
- 'Feature' {
- if ($FeatureAction -eq 'Enabling') {
- $ActionCheck = 'disabled'
- $ActionOutput = 'enabled'
- }
- else {
- $ActionCheck = 'enabled'
- $ActionOutput = 'disabled'
- }
- Write-Host -Object "`n$FeatureAction $FeatureName" -ForegroundColor Yellow
- if ((Get-WindowsOptionalFeature -Online -FeatureName $FeatureName).state -eq $ActionCheck) {
- try {
- if ($FeatureAction -eq 'Enabling') {
- Enable-WindowsOptionalFeature -Online -FeatureName $FeatureName -All -NoRestart -ErrorAction Stop
- }
- else {
- Disable-WindowsOptionalFeature -Online -FeatureName $FeatureName -NoRestart -ErrorAction Stop
- }
- # Shows the successful message only if the process was successful
- Write-Host -Object "$FeatureName was successfully $ActionOutput" -ForegroundColor Green
+ param (
+ [CmdletBinding()]
+ [parameter(Mandatory = $true)]
+ [ValidateSet('Capability', 'Feature')]
+ [System.String]$Type,
+ [parameter(Mandatory = $true, ParameterSetName = 'Capability')]
+ [System.String]$CapabilityName,
+ [parameter(Mandatory = $true, ParameterSetName = 'Feature')]
+ [System.String]$FeatureName,
+ [parameter(Mandatory = $true, ParameterSetName = 'Feature')]
+ [ValidateSet('Enabling', 'Disabling')]
+ [System.String]$FeatureAction
+ )
+ switch ($Type) {
+ 'Feature' {
+ if ($FeatureAction -eq 'Enabling') {
+ $ActionCheck = 'disabled'
+ $ActionOutput = 'enabled'
+ }
+ else {
+ $ActionCheck = 'enabled'
+ $ActionOutput = 'disabled'
+ }
+ Write-Host -Object "`n$FeatureAction $FeatureName" -ForegroundColor Yellow
+ if ((Get-WindowsOptionalFeature -Online -FeatureName $FeatureName).state -eq $ActionCheck) {
+ try {
+ if ($FeatureAction -eq 'Enabling') {
+ Enable-WindowsOptionalFeature -Online -FeatureName $FeatureName -All -NoRestart -ErrorAction Stop
}
- catch {
- # show errors in non-terminating way
- $_
+ else {
+ Disable-WindowsOptionalFeature -Online -FeatureName $FeatureName -NoRestart -ErrorAction Stop
}
+ # Shows the successful message only if the process was successful
+ Write-Host -Object "$FeatureName was successfully $ActionOutput" -ForegroundColor Green
}
- else {
- Write-Host -Object "$FeatureName is already $ActionOutput" -ForegroundColor Green
+ catch {
+ # show errors in non-terminating way
+ $_
}
- break
}
- 'Capability' {
- Write-Host -Object "`nRemoving $CapabilityName" -ForegroundColor Yellow
- if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like "*$CapabilityName*" }).state -ne 'NotPresent') {
- try {
- Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like "*$CapabilityName*" } | Remove-WindowsCapability -Online -ErrorAction Stop
- # Shows the successful message only if the process was successful
- Write-Host -Object "$CapabilityName was successfully removed." -ForegroundColor Green
- }
- catch {
- # show errors in non-terminating way
- $_
- }
+ else {
+ Write-Host -Object "$FeatureName is already $ActionOutput" -ForegroundColor Green
+ }
+ break
+ }
+ 'Capability' {
+ Write-Host -Object "`nRemoving $CapabilityName" -ForegroundColor Yellow
+ if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like "*$CapabilityName*" }).state -ne 'NotPresent') {
+ try {
+ Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like "*$CapabilityName*" } | Remove-WindowsCapability -Online -ErrorAction Stop
+ # Shows the successful message only if the process was successful
+ Write-Host -Object "$CapabilityName was successfully removed." -ForegroundColor Green
}
- else {
- Write-Host -Object "$CapabilityName is already removed." -ForegroundColor Green
+ catch {
+ # show errors in non-terminating way
+ $_
}
- break
}
+ else {
+ Write-Host -Object "$CapabilityName is already removed." -ForegroundColor Green
+ }
+ break
}
}
- Edit-Addons -Type Feature -FeatureAction Disabling -FeatureName 'MicrosoftWindowsPowerShellV2'
- Edit-Addons -Type Feature -FeatureAction Disabling -FeatureName 'MicrosoftWindowsPowerShellV2Root'
- Edit-Addons -Type Feature -FeatureAction Disabling -FeatureName 'WorkFolders-Client'
- Edit-Addons -Type Feature -FeatureAction Disabling -FeatureName 'Printing-Foundation-Features'
- Edit-Addons -Type Feature -FeatureAction Enabling -FeatureName 'Windows-Defender-ApplicationGuard'
- Edit-Addons -Type Feature -FeatureAction Enabling -FeatureName 'Containers-DisposableClientVM'
- Edit-Addons -Type Feature -FeatureAction Enabling -FeatureName 'Microsoft-Hyper-V'
- Edit-Addons -Type Feature -FeatureAction Enabling -FeatureName 'VirtualMachinePlatform'
- Edit-Addons -Type Capability -CapabilityName 'Media.WindowsMediaPlayer'
- Edit-Addons -Type Capability -CapabilityName 'Browser.InternetExplorer'
- Edit-Addons -Type Capability -CapabilityName 'wmic'
- Edit-Addons -Type Capability -CapabilityName 'Microsoft.Windows.Notepad.System'
- Edit-Addons -Type Capability -CapabilityName 'Microsoft.Windows.WordPad'
- Edit-Addons -Type Capability -CapabilityName 'Microsoft.Windows.PowerShell.ISE'
- Edit-Addons -Type Capability -CapabilityName 'App.StepsRecorder'
-
- # Uninstall VBScript that is now uninstallable as an optional features since Windows 11 insider Dev build 25309 - Won't do anything in other builds
- if (Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*VBSCRIPT*' }) {
- try {
- Write-Host -Object "`nUninstalling VBSCRIPT" -ForegroundColor Yellow
- Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*VBSCRIPT*' } | Remove-WindowsCapability -Online -ErrorAction Stop
- # Shows the successful message only if removal process was successful
- Write-Host -Object 'VBSCRIPT has been uninstalled' -ForegroundColor Green
- }
- catch {
- # show errors in non-terminating way
- $_
- }
+ }
+ Edit-Addons -Type Feature -FeatureAction Disabling -FeatureName 'MicrosoftWindowsPowerShellV2'
+ Edit-Addons -Type Feature -FeatureAction Disabling -FeatureName 'MicrosoftWindowsPowerShellV2Root'
+ Edit-Addons -Type Feature -FeatureAction Disabling -FeatureName 'WorkFolders-Client'
+ Edit-Addons -Type Feature -FeatureAction Disabling -FeatureName 'Printing-Foundation-Features'
+ Edit-Addons -Type Feature -FeatureAction Enabling -FeatureName 'Windows-Defender-ApplicationGuard'
+ Edit-Addons -Type Feature -FeatureAction Enabling -FeatureName 'Containers-DisposableClientVM'
+ Edit-Addons -Type Feature -FeatureAction Enabling -FeatureName 'Microsoft-Hyper-V'
+ Edit-Addons -Type Feature -FeatureAction Enabling -FeatureName 'VirtualMachinePlatform'
+ Edit-Addons -Type Capability -CapabilityName 'Media.WindowsMediaPlayer'
+ Edit-Addons -Type Capability -CapabilityName 'Browser.InternetExplorer'
+ Edit-Addons -Type Capability -CapabilityName 'wmic'
+ Edit-Addons -Type Capability -CapabilityName 'Microsoft.Windows.Notepad.System'
+ Edit-Addons -Type Capability -CapabilityName 'Microsoft.Windows.WordPad'
+ Edit-Addons -Type Capability -CapabilityName 'Microsoft.Windows.PowerShell.ISE'
+ Edit-Addons -Type Capability -CapabilityName 'App.StepsRecorder'
+
+ # Uninstall VBScript that is now uninstallable as an optional features since Windows 11 insider Dev build 25309 - Won't do anything in other builds
+ if (Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*VBSCRIPT*' }) {
+ try {
+ Write-Host -Object "`nUninstalling VBSCRIPT" -ForegroundColor Yellow
+ Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*VBSCRIPT*' } | Remove-WindowsCapability -Online -ErrorAction Stop
+ # Shows the successful message only if removal process was successful
+ Write-Host -Object 'VBSCRIPT has been uninstalled' -ForegroundColor Green
+ }
+ catch {
+ # show errors in non-terminating way
+ $_
}
}
} 'No' { break }
From ca1a44554121f4a67620ccf309f3f491ba57f7aa Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Thu, 14 Dec 2023 06:42:13 -0930
Subject: [PATCH 43/79] Removed an unnecessary comment
---
.../Main files/Resources/Harden-Windows-Security.ps1 | 2 +-
Harden-Windows-Security.ps1 | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
index ea2104594..a2b94ec7a 100644
--- a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
@@ -2247,7 +2247,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
#endregion Country-IP-Blocking
- } # End of Admin test function
+ }
#region Non-Admin-Commands
# Change the title of the Windows Terminal for PowerShell tab
diff --git a/Harden-Windows-Security.ps1 b/Harden-Windows-Security.ps1
index cfada8ce2..7f17aae4d 100644
--- a/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security.ps1
@@ -2247,7 +2247,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
#endregion Country-IP-Blocking
- } # End of Admin test function
+ }
#region Non-Admin-Commands
# Change the title of the Windows Terminal for PowerShell tab
From b9c50bc08d8252dca32fcbfcb60d905493d289c3 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Thu, 14 Dec 2023 09:24:58 -0930
Subject: [PATCH 44/79] Assigned custom colors to optional features part
---
.../Resources/Harden-Windows-Security.ps1 | 19 ++++++++++---------
Harden-Windows-Security.ps1 | 19 ++++++++++---------
2 files changed, 20 insertions(+), 18 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
index a2b94ec7a..f8945adfe 100644
--- a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
@@ -314,7 +314,7 @@ Function Write-SmartText {
param (
[Parameter(Mandatory = $True)]
[Alias('C')]
- [ValidateSet('Fuchsia', 'Orange', 'NeonGreen', 'MintGreen', 'PinkBoldBlink', 'PinkBold', 'Rainbow' , 'Gold', 'TeaGreenNoNewLine', 'LavenderNoNewLine', 'PinkNoNewLine', 'VioletNoNewLine', 'Violet', 'Pink')]
+ [ValidateSet('Fuchsia', 'Orange', 'NeonGreen', 'MintGreen', 'PinkBoldBlink', 'PinkBold', 'Rainbow' , 'Gold', 'TeaGreenNoNewLine', 'LavenderNoNewLine', 'PinkNoNewLine', 'VioletNoNewLine', 'Violet', 'Pink', 'Lavender')]
[System.String]$CustomColor,
[Parameter(Mandatory = $True)]
@@ -347,6 +347,7 @@ Function Write-SmartText {
'Violet' { Write-Host -Object "$($PSStyle.Foreground.FromRGB(153,0,255))$InputText$($PSStyle.Reset)"; break }
'Pink' { Write-Host -Object "$($PSStyle.Foreground.FromRGB(255,0,230))$InputText$($PSStyle.Reset)"; break }
'LavenderNoNewLine' { Write-Host -Object "$($PSStyle.Foreground.FromRgb(255,179,255))$InputText$($PSStyle.Reset)" -NoNewline; break }
+ 'Lavender' { Write-Host -Object "$($PSStyle.Foreground.FromRgb(255,179,255))$InputText$($PSStyle.Reset)"; break }
'TeaGreenNoNewLine' { Write-Host -Object "$($PSStyle.Foreground.FromRgb(133, 222, 119))$InputText$($PSStyle.Reset)" -NoNewline; break }
'Rainbow' {
[System.Object[]]$Colors = @(
@@ -1980,7 +1981,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
$ActionCheck = 'enabled'
$ActionOutput = 'disabled'
}
- Write-Host -Object "`n$FeatureAction $FeatureName" -ForegroundColor Yellow
+ Write-SmartText -CustomColor Lavender -GenericColor Yellow -InputText "`n$FeatureAction $FeatureName"
if ((Get-WindowsOptionalFeature -Online -FeatureName $FeatureName).state -eq $ActionCheck) {
try {
if ($FeatureAction -eq 'Enabling') {
@@ -1990,7 +1991,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Disable-WindowsOptionalFeature -Online -FeatureName $FeatureName -NoRestart -ErrorAction Stop
}
# Shows the successful message only if the process was successful
- Write-Host -Object "$FeatureName was successfully $ActionOutput" -ForegroundColor Green
+ Write-SmartText -GenericColor Green -CustomColor NeonGreen -InputText "$FeatureName was successfully $ActionOutput"
}
catch {
# show errors in non-terminating way
@@ -1998,17 +1999,17 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host -Object "$FeatureName is already $ActionOutput" -ForegroundColor Green
+ Write-SmartText -GenericColor Green -CustomColor NeonGreen -InputText "$FeatureName is already $ActionOutput"
}
break
}
'Capability' {
- Write-Host -Object "`nRemoving $CapabilityName" -ForegroundColor Yellow
+ Write-SmartText -CustomColor Lavender -GenericColor Yellow -InputText "`nRemoving $CapabilityName"
if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like "*$CapabilityName*" }).state -ne 'NotPresent') {
try {
Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like "*$CapabilityName*" } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if the process was successful
- Write-Host -Object "$CapabilityName was successfully removed." -ForegroundColor Green
+ Write-SmartText -GenericColor Green -CustomColor NeonGreen -InputText "$CapabilityName was successfully removed."
}
catch {
# show errors in non-terminating way
@@ -2016,7 +2017,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host -Object "$CapabilityName is already removed." -ForegroundColor Green
+ Write-SmartText -GenericColor Green -CustomColor NeonGreen -InputText "$CapabilityName is already removed."
}
break
}
@@ -2041,10 +2042,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Uninstall VBScript that is now uninstallable as an optional features since Windows 11 insider Dev build 25309 - Won't do anything in other builds
if (Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*VBSCRIPT*' }) {
try {
- Write-Host -Object "`nUninstalling VBSCRIPT" -ForegroundColor Yellow
+ Write-SmartText -CustomColor Lavender -GenericColor Yellow -InputText "`nUninstalling VBSCRIPT"
Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*VBSCRIPT*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
- Write-Host -Object 'VBSCRIPT has been uninstalled' -ForegroundColor Green
+ Write-SmartText -GenericColor Green -CustomColor NeonGreen -InputText 'VBSCRIPT has been uninstalled'
}
catch {
# show errors in non-terminating way
diff --git a/Harden-Windows-Security.ps1 b/Harden-Windows-Security.ps1
index 7f17aae4d..6372c54ab 100644
--- a/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security.ps1
@@ -314,7 +314,7 @@ Function Write-SmartText {
param (
[Parameter(Mandatory = $True)]
[Alias('C')]
- [ValidateSet('Fuchsia', 'Orange', 'NeonGreen', 'MintGreen', 'PinkBoldBlink', 'PinkBold', 'Rainbow' , 'Gold', 'TeaGreenNoNewLine', 'LavenderNoNewLine', 'PinkNoNewLine', 'VioletNoNewLine', 'Violet', 'Pink')]
+ [ValidateSet('Fuchsia', 'Orange', 'NeonGreen', 'MintGreen', 'PinkBoldBlink', 'PinkBold', 'Rainbow' , 'Gold', 'TeaGreenNoNewLine', 'LavenderNoNewLine', 'PinkNoNewLine', 'VioletNoNewLine', 'Violet', 'Pink', 'Lavender')]
[System.String]$CustomColor,
[Parameter(Mandatory = $True)]
@@ -347,6 +347,7 @@ Function Write-SmartText {
'Violet' { Write-Host -Object "$($PSStyle.Foreground.FromRGB(153,0,255))$InputText$($PSStyle.Reset)"; break }
'Pink' { Write-Host -Object "$($PSStyle.Foreground.FromRGB(255,0,230))$InputText$($PSStyle.Reset)"; break }
'LavenderNoNewLine' { Write-Host -Object "$($PSStyle.Foreground.FromRgb(255,179,255))$InputText$($PSStyle.Reset)" -NoNewline; break }
+ 'Lavender' { Write-Host -Object "$($PSStyle.Foreground.FromRgb(255,179,255))$InputText$($PSStyle.Reset)"; break }
'TeaGreenNoNewLine' { Write-Host -Object "$($PSStyle.Foreground.FromRgb(133, 222, 119))$InputText$($PSStyle.Reset)" -NoNewline; break }
'Rainbow' {
[System.Object[]]$Colors = @(
@@ -1980,7 +1981,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
$ActionCheck = 'enabled'
$ActionOutput = 'disabled'
}
- Write-Host -Object "`n$FeatureAction $FeatureName" -ForegroundColor Yellow
+ Write-SmartText -CustomColor Lavender -GenericColor Yellow -InputText "`n$FeatureAction $FeatureName"
if ((Get-WindowsOptionalFeature -Online -FeatureName $FeatureName).state -eq $ActionCheck) {
try {
if ($FeatureAction -eq 'Enabling') {
@@ -1990,7 +1991,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Disable-WindowsOptionalFeature -Online -FeatureName $FeatureName -NoRestart -ErrorAction Stop
}
# Shows the successful message only if the process was successful
- Write-Host -Object "$FeatureName was successfully $ActionOutput" -ForegroundColor Green
+ Write-SmartText -GenericColor Green -CustomColor NeonGreen -InputText "$FeatureName was successfully $ActionOutput"
}
catch {
# show errors in non-terminating way
@@ -1998,17 +1999,17 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host -Object "$FeatureName is already $ActionOutput" -ForegroundColor Green
+ Write-SmartText -GenericColor Green -CustomColor NeonGreen -InputText "$FeatureName is already $ActionOutput"
}
break
}
'Capability' {
- Write-Host -Object "`nRemoving $CapabilityName" -ForegroundColor Yellow
+ Write-SmartText -CustomColor Lavender -GenericColor Yellow -InputText "`nRemoving $CapabilityName"
if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like "*$CapabilityName*" }).state -ne 'NotPresent') {
try {
Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like "*$CapabilityName*" } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if the process was successful
- Write-Host -Object "$CapabilityName was successfully removed." -ForegroundColor Green
+ Write-SmartText -GenericColor Green -CustomColor NeonGreen -InputText "$CapabilityName was successfully removed."
}
catch {
# show errors in non-terminating way
@@ -2016,7 +2017,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
}
else {
- Write-Host -Object "$CapabilityName is already removed." -ForegroundColor Green
+ Write-SmartText -GenericColor Green -CustomColor NeonGreen -InputText "$CapabilityName is already removed."
}
break
}
@@ -2041,10 +2042,10 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Uninstall VBScript that is now uninstallable as an optional features since Windows 11 insider Dev build 25309 - Won't do anything in other builds
if (Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*VBSCRIPT*' }) {
try {
- Write-Host -Object "`nUninstalling VBSCRIPT" -ForegroundColor Yellow
+ Write-SmartText -CustomColor Lavender -GenericColor Yellow -InputText "`nUninstalling VBSCRIPT"
Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like '*VBSCRIPT*' } | Remove-WindowsCapability -Online -ErrorAction Stop
# Shows the successful message only if removal process was successful
- Write-Host -Object 'VBSCRIPT has been uninstalled' -ForegroundColor Green
+ Write-SmartText -GenericColor Green -CustomColor NeonGreen -InputText 'VBSCRIPT has been uninstalled'
}
catch {
# show errors in non-terminating way
From 1775ad28c1fd20013baf891b8355594bb527c904 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Thu, 14 Dec 2023 10:11:16 -0930
Subject: [PATCH 45/79] function help improvement
---
.../Main files/Resources/Harden-Windows-Security.ps1 | 2 ++
Harden-Windows-Security.ps1 | 2 ++
2 files changed, 4 insertions(+)
diff --git a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
index f8945adfe..3dbadf741 100644
--- a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
@@ -391,6 +391,8 @@ function Get-AvailableRemovableDrives {
Function to get a removable drive to be used by BitLocker category
.INPUTS
None. You cannot pipe objects to this function
+ .OUTPUTS
+ System.String
#>
# An empty array of objects that holds the final removable drives list
diff --git a/Harden-Windows-Security.ps1 b/Harden-Windows-Security.ps1
index 6372c54ab..3354dcfbc 100644
--- a/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security.ps1
@@ -391,6 +391,8 @@ function Get-AvailableRemovableDrives {
Function to get a removable drive to be used by BitLocker category
.INPUTS
None. You cannot pipe objects to this function
+ .OUTPUTS
+ System.String
#>
# An empty array of objects that holds the final removable drives list
From 7aa02e85319711970f36725a191ef45c6326999d Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Thu, 14 Dec 2023 11:49:16 -0930
Subject: [PATCH 46/79] Improved scheduled task PS code
---
.../Main files/Resources/Harden-Windows-Security.ps1 | 2 +-
Harden-Windows-Security.ps1 | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
index 3dbadf741..37692397e 100644
--- a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
@@ -1076,7 +1076,7 @@ try {
# Create a scheduled task action, this defines how to download and install the latest Microsoft Recommended Driver Block Rules
[Microsoft.Management.Infrastructure.CimInstance]$Action = New-ScheduledTaskAction -Execute 'Powershell.exe' `
- -Argument '-NoProfile -WindowStyle Hidden -command "& {try {Invoke-WebRequest -Uri "https://aka.ms/VulnerableDriverBlockList" -OutFile VulnerableDriverBlockList.zip -ErrorAction Stop}catch{exit};Expand-Archive .\VulnerableDriverBlockList.zip -DestinationPath "VulnerableDriverBlockList" -Force;Rename-Item .\VulnerableDriverBlockList\SiPolicy_Enforced.p7b -NewName "SiPolicy.p7b" -Force;Copy-Item .\VulnerableDriverBlockList\SiPolicy.p7b -Destination "C:\Windows\System32\CodeIntegrity";citool --refresh -json;Remove-Item .\VulnerableDriverBlockList -Recurse -Force;Remove-Item .\VulnerableDriverBlockList.zip -Force;}"'
+ -Argument '-NoProfile -WindowStyle Hidden -command "& {try {Invoke-WebRequest -Uri "https://aka.ms/VulnerableDriverBlockList" -OutFile VulnerableDriverBlockList.zip -ErrorAction Stop}catch{exit 1};Expand-Archive -Path .\VulnerableDriverBlockList.zip -DestinationPath "VulnerableDriverBlockList" -Force;Rename-Item -Path .\VulnerableDriverBlockList\SiPolicy_Enforced.p7b -NewName "SiPolicy.p7b" -Force;Copy-Item -Path .\VulnerableDriverBlockList\SiPolicy.p7b -Destination "C:\Windows\System32\CodeIntegrity";citool --refresh -json;Remove-Item -Path .\VulnerableDriverBlockList -Recurse -Force;Remove-Item -Path .\VulnerableDriverBlockList.zip -Force; exit 0;}"'
# Create a scheduled task principal and assign the SYSTEM account's SID to it so that the task will run under its context
[Microsoft.Management.Infrastructure.CimInstance]$TaskPrincipal = New-ScheduledTaskPrincipal -LogonType S4U -UserId $($SYSTEMSID.Value) -RunLevel Highest
diff --git a/Harden-Windows-Security.ps1 b/Harden-Windows-Security.ps1
index 3354dcfbc..3d2303fdc 100644
--- a/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security.ps1
@@ -1076,7 +1076,7 @@ try {
# Create a scheduled task action, this defines how to download and install the latest Microsoft Recommended Driver Block Rules
[Microsoft.Management.Infrastructure.CimInstance]$Action = New-ScheduledTaskAction -Execute 'Powershell.exe' `
- -Argument '-NoProfile -WindowStyle Hidden -command "& {try {Invoke-WebRequest -Uri "https://aka.ms/VulnerableDriverBlockList" -OutFile VulnerableDriverBlockList.zip -ErrorAction Stop}catch{exit};Expand-Archive .\VulnerableDriverBlockList.zip -DestinationPath "VulnerableDriverBlockList" -Force;Rename-Item .\VulnerableDriverBlockList\SiPolicy_Enforced.p7b -NewName "SiPolicy.p7b" -Force;Copy-Item .\VulnerableDriverBlockList\SiPolicy.p7b -Destination "C:\Windows\System32\CodeIntegrity";citool --refresh -json;Remove-Item .\VulnerableDriverBlockList -Recurse -Force;Remove-Item .\VulnerableDriverBlockList.zip -Force;}"'
+ -Argument '-NoProfile -WindowStyle Hidden -command "& {try {Invoke-WebRequest -Uri "https://aka.ms/VulnerableDriverBlockList" -OutFile VulnerableDriverBlockList.zip -ErrorAction Stop}catch{exit 1};Expand-Archive -Path .\VulnerableDriverBlockList.zip -DestinationPath "VulnerableDriverBlockList" -Force;Rename-Item -Path .\VulnerableDriverBlockList\SiPolicy_Enforced.p7b -NewName "SiPolicy.p7b" -Force;Copy-Item -Path .\VulnerableDriverBlockList\SiPolicy.p7b -Destination "C:\Windows\System32\CodeIntegrity";citool --refresh -json;Remove-Item -Path .\VulnerableDriverBlockList -Recurse -Force;Remove-Item -Path .\VulnerableDriverBlockList.zip -Force; exit 0;}"'
# Create a scheduled task principal and assign the SYSTEM account's SID to it so that the task will run under its context
[Microsoft.Management.Infrastructure.CimInstance]$TaskPrincipal = New-ScheduledTaskPrincipal -LogonType S4U -UserId $($SYSTEMSID.Value) -RunLevel Highest
From 793afa74710ca476117d44eb4e1c60015fb9df97 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Thu, 14 Dec 2023 22:36:14 -0930
Subject: [PATCH 47/79] Changed a policy in Confirm-SystemCompliance
---
.../Core/Confirm-SystemCompliance.psm1 | 26 +++----------------
1 file changed, 4 insertions(+), 22 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Core/Confirm-SystemCompliance.psm1 b/Harden-Windows-Security Module/Main files/Core/Confirm-SystemCompliance.psm1
index b32f7df44..06a084989 100644
--- a/Harden-Windows-Security Module/Main files/Core/Confirm-SystemCompliance.psm1
+++ b/Harden-Windows-Security Module/Main files/Core/Confirm-SystemCompliance.psm1
@@ -880,31 +880,13 @@ function Confirm-SystemCompliance {
Method = 'Security Group Policy'
}
-
- # This particular policy can have 2 values and they are both acceptable depending on whichever user selects
- [System.String]$ConsentPromptBehaviorUserValue = $SecurityPoliciesIni.'Registry Values'['MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser']
- # This option is automatically applied when UAC category is run
- if ($ConsentPromptBehaviorUserValue -eq '4,1') {
- $ConsentPromptBehaviorUserCompliance = $true
- $IndividualItemResult = 'Prompt for credentials on the secure desktop'
- }
- # This option prompts for additional confirmation before it's applied
- elseif ($ConsentPromptBehaviorUserValue -eq '4,0') {
- $ConsentPromptBehaviorUserCompliance = $true
- $IndividualItemResult = 'Automatically deny elevation requests'
- }
- # If none of them is applied then return false for compliance and N/A for value
- else {
- $ConsentPromptBehaviorUserCompliance = $false
- $IndividualItemResult = 'N/A'
- }
-
# Verify a Security Group Policy setting
+ $IndividualItemResult = [System.Boolean]$($SecurityPoliciesIni.'Registry Values'['MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser'] -eq '4,0') ? $True : $False
$NestedObjectArray += [PSCustomObject]@{
- FriendlyName = 'UAC: Behavior of the elevation prompt for standard users'
- Compliant = $ConsentPromptBehaviorUserCompliance
+ FriendlyName = 'UAC: Automatically deny elevation requests on Standard accounts'
+ Compliant = $IndividualItemResult
Value = $IndividualItemResult
- Name = 'UAC: Behavior of the elevation prompt for standard users'
+ Name = 'UAC: Automatically deny elevation requests on Standard accounts'
Category = $CatName
Method = 'Security Group Policy'
}
From aef83228ebf82181e3884acb82770f9b02ccf9b3 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Thu, 14 Dec 2023 22:40:21 -0930
Subject: [PATCH 48/79] Removed ConsentPromptBehaviorUser policy
Because it's already applied by Microsoft Security baselines
---
Payload/Security-Baselines-X.zip | Bin 12851 -> 12096 bytes
1 file changed, 0 insertions(+), 0 deletions(-)
diff --git a/Payload/Security-Baselines-X.zip b/Payload/Security-Baselines-X.zip
index b09c201d40c40e0a134fdba4b70ce37e69fed6a5..b66fc4c2ca406cd72a49e5dee31a88024a80bf95 100644
GIT binary patch
delta 600
zcmdm-av*L4D=YKDEq$9gShZQe3^UFw2xBqtZ)T9l<b{I4V43fNiHu-IwD3e$0S<;;
zTl&IHMZ6QPGcYhzFit)rWn3RSVQ=0c2Z5ITQkw4@)=bG1y0}Xr%teDqOk>FbO@U{}
zg>Jmylm7YC`PsF+NzdMurIn?9e`lX<r>S`(XyWF_v)S4HZ<rCb+&t~9)BEO#^P=i$
zC%Smmvo4qXmGAMaNI%tMZZxgvmUsQ+OP<p`1^>(~xL+(8f5=NU>{8{`PMf(eQ@uZG
z-}S3d+$S>omEBD5#FL6kx2`Okv)1}W&HcGi*JgI#TYso;))GVg<&njPiq>gIg!TU}
zs~6sV)~PgL>qP(D%|~5qzTH;)G|M1dcBa*z(B%57l}Bu(|8WO+GqZ>Qy~)4;3ai)B
z(17rl4deia$YRx0NYHSrt3nvY8fjq0<T;wjU?ogi;t&}bZAB&}^w48q&;=V0A{2o5
ziNxd!Qu>qq^thD3c7}r_U?332U=RSZ*rX;&s!W!XF`TTWufbFb<>^n}Bf~TKoH{oB
zktq7Jq(S<-49q868E7#*gz|Ej^kgUhFbHB2ke{rmBsY0A8#mB3Jd+y@<(PC8CNDG$
dVG>cC%%Q9{S=NYyPmV#3L6(Psfma!1Gyp6y&_4hG
delta 1208
zcmX>Qw>f14D=RZ^dd_AJR&5qA!;CWv!dT4vn;9fBd7)r1SmwK6A|sd)Ej*D`n1KN(
z7tVkLq9!X!sRlcimgMIqmSiR;=Hyf=q@?CmDgapup^nZ91x5L}1trA_`FRS#C5d?{
ziA5<2iOI?NrFkXA`T^d|EFwVDI2e|1U=Oe5kKTP1$SY!GU`Pd-TTiaJ?gb?wxdl0T
znR#ik6E^xCb`Wrh?>%C#&^?K1$ril>P7|1f8VkB+D0%fHpR{u?@0?gKXSBVH`Rv`d
zXWpE7_xInLp9carFHNp@KdC-F=Fj0Ewz&sqnC4f7Co#M4nW0@|W-`ae_}l&h|6|6*
zag|FR#QMcws`q}mRC`IszqpDSJDR2%EI;D6Yk}3|<>q^Z=fD1TDEp(|o1pS!y{)Rp
zryN|SmATgX)uAhUx2&1ge2@Row^>Wf_1EV%S1v!Z<6+sY&-wRugs;&GmELJOCuh@?
zme-lreWL9*2F#sd^)Dpf-n44TokBK5$W7Yo9OgT#_2qqF$XPKlFzA9pZt`k2?)s|}
z_vSG<^0e%i(tO__kSe8gOZ$Ncqbq|TBkOdgkJUml8R8ukl?m6j^X_3hTlH4*{Ebh4
z&60f_&owc7hyD5J_;l&Cf~&82XBu9rSH4nwh;yY;;<>)fg{S_>M=dFNdGYz|o_Ni*
zNB@go?wsB!_+{=ZyClirt6Y|HM?Rkl&a`@5FMde9%kOJUg<{Ey9mZ4d%xOM-by?KL
z?e7kJ-dLRxSKaq(d+6<~N!^*2XLpGR?Gc_;^XY4wbx-fpM{K<ntJC*?GE=;*G28oT
z&ScdqD~`to=iW_RuqW+J!Q1ZG-B&yoePf1&0cNTU1cpWEW>qPFNZKuz4&(qQ;?v5h
z5D{ZlRcNwSO9L||A5l*RC;am|(vw{^{(zOcXeu%(VVWKVG#vs2fYcL-$rGhiQpioJ
z0p5&EA`Cb(0n8o-1t2R%5@eA%nHEhxt1BUokycPF*fRN{HZbLAiz}e#a!`0e0LaJp
zq=60zo@}b4#pEk9IZ-DY7H~{XvLGi;7SK&(+6iNtPd=w>%ETr=*-KVqa=tRpWJ^6c
y#ut;<>d6DG5}n+mr@+LjG<ls~2-6#-$p(sQVgcT)Y#_@NfY5@Mf#InNhz9`6F0T;)
From 00b199c3430a7c8ba6d47f3253f48437df864b6f Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Thu, 14 Dec 2023 22:41:08 -0930
Subject: [PATCH 49/79] removed prompt for ConsentPromptBehaviorUser
---
.../Main files/Resources/Harden-Windows-Security.ps1 | 12 ------------
1 file changed, 12 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
index 37692397e..899b16dca 100644
--- a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
@@ -1875,18 +1875,6 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Set-Location -Path "$WorkingDir\LGPO_30"
.\LGPO.exe /q /s '..\Security-Baselines-X\User Account Control UAC Policies\GptTmpl.inf'
- # Apply the Automatically deny all UAC prompts on Standard accounts policy
- switch (Select-Option -SubCategory -Options 'Yes', 'No', 'Exit' -Message "`nAutomatically deny all UAC prompts on Standard accounts ?") {
- 'Yes' {
- Write-Progress -Id 3 -ParentId 0 -Activity 'User Account Control' -Status 'Automatically deny all UAC prompts on Standard accounts policy' -PercentComplete 50
-
- .\LGPO.exe /q /s '..\Security-Baselines-X\User Account Control UAC Policies\Automatically deny all UAC prompts on Standard accounts\GptTmpl.inf'
-
- Write-Progress -Id 3 -Activity 'Automatically deny all UAC prompts on Standard accounts policy' -Completed
- } 'No' { break }
- 'Exit' { &$CleanUp }
- }
-
# Apply the Hide the entry points for Fast User Switching policy
switch (Select-Option -SubCategory -Options 'Yes', 'No', 'Exit' -Message "`nHide the entry points for Fast User Switching ?" -ExtraMessage 'Read the GitHub Readme!') {
'Yes' {
From 00c080698dcd412ea5883e33b2ccbc93f2380531 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Thu, 14 Dec 2023 22:46:48 -0930
Subject: [PATCH 50/79] Readme update
---
README.md | 4 ----
1 file changed, 4 deletions(-)
diff --git a/README.md b/README.md
index 7882e12c8..3688c481c 100644
--- a/README.md
+++ b/README.md
@@ -648,10 +648,6 @@ NistP384
- <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif" width="25" alt="Blue Check mark denoting Group Policy"> <img src="https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/200iq.gif" width="35" alt="Requires Additional Confirmation"> Only elevate executables that are signed and validated [by enforcing cryptographic signatures on any interactive application](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated) that requests elevation of privilege. One of the [Potential impacts](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated#potential-impact) of it is that it can prevent certain poorly designed programs from prompting for UAC. <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif" width="15" alt="Rotating green checkmark denoting CSP"> [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#useraccountcontrol_onlyelevateexecutablefilesthataresignedandvalidated)
-- <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif" width="25" alt="Blue Check mark denoting Group Policy"> Changes the [behavior of the elevation prompt for standard users](https://learn.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-behavior-of-the-elevation-prompt-for-standard-users) from "prompt for credentials" to "prompt for credentials on the secure desktop". <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif" width="15" alt="Rotating green checkmark denoting CSP"> [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#useraccountcontrol_behavioroftheelevationpromptforstandardusers)
-
- - <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif" width="25" alt="Blue Check mark denoting Group Policy"> <img src="https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/200iq.gif" width="35" alt="Requires Additional Confirmation"> Optional behavior: Automatically deny all UAC prompts on Standard accounts. **Highly recommended to be used on sensitive critical machines.** Only use Standard account for regular everyday tasks, and if you want to perform administrative tasks such as installing a program system-wide or changing system settings, completely log out of the Standard account and log into an Administrator account, perform the tasks, then completely log out and log back into the Standard account to continue your work. No [fast user switching](https://learn.microsoft.com/en-us/windows/win32/shell/fast-user-switching) and **absolutely no UAC on Standard accounts.** <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif" width="15" alt="Rotating green checkmark denoting CSP"> [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#useraccountcontrol_behavioroftheelevationpromptforstandardusers)
-
- <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif" width="25" alt="Blue Check mark denoting Group Policy"> <img src="https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/200iq.gif" width="35" alt="Requires Additional Confirmation"> Hides the entry points for [Fast User Switching](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowslogon). <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif" width="15" alt="Rotating green checkmark denoting CSP"> [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowslogon#hidefastuserswitching)
- This policy will prevent you from using "Forgot my PIN" feature in lock screen or logon screen. If you forget your PIN, you won't be able to recover it.
From c7f1547e5c21bcc0cf2e11e89cfe5f04a1b79c46 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Thu, 14 Dec 2023 22:47:25 -0930
Subject: [PATCH 51/79] Removed untrusted font blocking prompt
it's no longer necessary
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/dropping-the-quot-untrusted-font-blocking-quot-setting/ba-p/701068
---
.../Main files/Resources/Harden-Windows-Security.ps1 | 8 --------
1 file changed, 8 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
index 899b16dca..156e6115c 100644
--- a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
@@ -2095,14 +2095,6 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
.\LGPO.exe /q /m '..\Security-Baselines-X\Miscellaneous Policies\registry.pol'
.\LGPO.exe /q /s '..\Security-Baselines-X\Miscellaneous Policies\GptTmpl.inf'
- # Apply the Blocking Untrusted Fonts policy
- switch (Select-Option -SubCategory -Options 'Yes', 'No', 'Exit' -Message "`nBlock Untrusted Fonts ?") {
- 'Yes' {
- .\LGPO.exe /q /m '..\Security-Baselines-X\Miscellaneous Policies\Blocking Untrusted Fonts\registry.pol'
- } 'No' { break }
- 'Exit' { &$CleanUp }
- }
-
# Allow all Windows users to use Hyper-V and Windows Sandbox by adding all Windows users to the "Hyper-V Administrators" security group using its SID
Get-LocalUser | Where-Object -FilterScript { $_.enabled -eq 'True' } | ForEach-Object -Process { Add-LocalGroupMember -SID 'S-1-5-32-578' -Member "$($_.SID)" -ErrorAction SilentlyContinue }
From 93439dec16a3562cbe741c253fb8944460a68df8 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Thu, 14 Dec 2023 22:48:30 -0930
Subject: [PATCH 52/79] Removed untrusted font blocking from policies
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/dropping-the-quot-untrusted-font-blocking-quot-setting/ba-p/701068
---
Payload/Security-Baselines-X.zip | Bin 12096 -> 11604 bytes
1 file changed, 0 insertions(+), 0 deletions(-)
diff --git a/Payload/Security-Baselines-X.zip b/Payload/Security-Baselines-X.zip
index b66fc4c2ca406cd72a49e5dee31a88024a80bf95..f36173b91d2f3940d42b4c0a2f6853fa1d6b88a6 100644
GIT binary patch
delta 420
zcmX>QcO_~AD=X8dt()0dbyz^ODQ70j=0kjUn1Gzg3j{+zV&4Rl7(sND@HRFOEhGiu
zmq`b4fcU4B)4=jZsw#|=<<u3Jrtwa8Q1@ec$2WO`x}n0St$pDPNWcQl767se1SUUJ
zcLN$T`J9dn(=ma`iJB3U=WFOP*$RT0YMRm*CPbi^pd|!U*ut~`L`6-u65*NbtEI)%
zBMdZGXYx`lQ>G~*Am$`7p2@m;Jd+i)<(LY^CT|p%26NMa+ymm1CrYVIUac*TVO1cC
zRgWZq3WFz`>S!?qN={DH$%eX{(QWcWZPm#Fx`~W?p)B*s=X6b(xMU`K$!bi_SLT^)
zsVB$uMt1T#JvpF7qLX{{6qq>Wf!q+L5Au@@6xGB6yjj^mw#fitC^rMcOGOY50Ga!B
AIRF3v
delta 808
zcmcZ-bs%m7D=X8&Et}a{byz^ODQ6~&FayKFEq&n(NWft7MqVisr=0xc?99A$h0wf`
zqSE4$)D#7`{JfH4{Qz%f77?Iw4hETx?BRjSE^*cXdC!2@2Bfhbr^cex^vvRtqDsAj
z{G8stvs_I90<HG<7rXW+ybj~qYJ8MMTud=-x`)vo@tRtH;Vs-r7N0*CzMHFg>Yl5^
z;fZr>MNK(Xt^GuLc<#JhBBwv;rb%b@OE-blN9V<uo?n#B_v`Uvo=J<hs#%?y{Q1|n
zIP2~8JM?zFyvrJNwXZ$5_?y+HJ)8C@{u3-nV+8qNvYx8c<}JL(n1BH>xkexa6dsoZ
zk{Cg>nb0;i5dBU9!Vi)P;sEiNDW!qs`BYRGWwC@CJPZXU`>V>~4u}A6MkWyk9AOAI
zL;=Wp!pp$mn^~Nknv;{5mzrN%tPqf&lbM{ETC7hnm?yu`5twYED#x^oZ*qvLACr*4
zWG;TyNh&<@=n-xKw^IPfnlkyJn)PITH6EasC)=vYFuno`#7y3%rp1&fG<k!F&SXAy
zcLj7aB2dim6NV@h)R}x%U5Duif*Y)1!L&gHEW1;~lxc_P<PRE2OjE@t_likR&ezmp
zdLl7NTV;|2_vE+QTr8kKo_s@7hLLUZe=XI?Qd*IWrBIgs<O7mCli%n-6#*T}lqEe$
zyOrr7kc^)ENZXW2Pj<4TP7tHO<byi$le=|HnRFE<=jzB!exPH<B%(N(M?r0}oh}ET
Q9D^K#EDr+%uQJFF09J_k&j0`b
From 1e621cb0ecca1c6357a3f9b690859cbf84e8cc6a Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Thu, 14 Dec 2023 22:50:16 -0930
Subject: [PATCH 53/79] Removed compliance check for untrusted font block
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/dropping-the-quot-untrusted-font-blocking-quot-setting/ba-p/701068
---
.../Main files/Core/Confirm-SystemCompliance.psm1 | 4 ++--
.../Main files/Resources/Registry resources.csv | 1 -
2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Core/Confirm-SystemCompliance.psm1 b/Harden-Windows-Security Module/Main files/Core/Confirm-SystemCompliance.psm1
index 06a084989..2cc1abfbc 100644
--- a/Harden-Windows-Security Module/Main files/Core/Confirm-SystemCompliance.psm1
+++ b/Harden-Windows-Security Module/Main files/Core/Confirm-SystemCompliance.psm1
@@ -22,7 +22,7 @@ function Confirm-SystemCompliance {
#Region Defining-Variables
# Total number of Compliant values not equal to N/A
- [System.Int64]$TotalNumberOfTrueCompliantValues = 231
+ [System.Int64]$TotalNumberOfTrueCompliantValues = 230
# Get the current configurations and preferences of the Microsoft Defender
New-Variable -Name 'MDAVConfigCurrent' -Value (Get-MpComputerStatus) -Force
@@ -1846,7 +1846,7 @@ function Confirm-SystemCompliance {
[System.Int64]($FinalMegaObject.'Windows Firewall' | Where-Object -FilterScript { $_.Compliant -eq $True }).Count + # 19
[System.Int64]($FinalMegaObject.'Optional Windows Features' | Where-Object -FilterScript { $_.Compliant -eq $True }).Count + # 14
[System.Int64]($FinalMegaObject.'Windows Networking' | Where-Object -FilterScript { $_.Compliant -eq $True }).Count + # 9
- [System.Int64]($FinalMegaObject.Miscellaneous | Where-Object -FilterScript { $_.Compliant -eq $True }).Count + # 18
+ [System.Int64]($FinalMegaObject.Miscellaneous | Where-Object -FilterScript { $_.Compliant -eq $True }).Count + # 17
[System.Int64]($FinalMegaObject.'Windows Update' | Where-Object -FilterScript { $_.Compliant -eq $True }).Count + # 14
[System.Int64]($FinalMegaObject.Edge | Where-Object -FilterScript { $_.Compliant -eq $True }).Count + # 15
[System.Int64]($FinalMegaObject.'Non-Admin' | Where-Object -FilterScript { $_.Compliant -eq $True }).Count # 11
diff --git a/Harden-Windows-Security Module/Main files/Resources/Registry resources.csv b/Harden-Windows-Security Module/Main files/Resources/Registry resources.csv
index cba2b1b60..49c9c9ac9 100644
--- a/Harden-Windows-Security Module/Main files/Resources/Registry resources.csv
+++ b/Harden-Windows-Security Module/Main files/Resources/Registry resources.csv
@@ -113,7 +113,6 @@ Origin,Category,Key,Name,FriendlyName,Type,Value
"Group Policy","Windows Networking",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient,EnableMulticast,Disable Multicast,DWORD,0
"Group Policy","Windows Networking",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers,DisableHTTPPrinting,Disable HTTP Printing,DWORD,1
"Group Policy","Windows Networking",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers,DisableWebPnPDownload,Disable Web PnP Download,DWORD,1
-"Group Policy","Miscellaneous",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions,MitigationOptions_FontBlocking,Block untrusted fonts,SZ,1000000000000
"Group Policy","Miscellaneous",HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,Include command line in process creation events,DWORD,1
"Group Policy","Miscellaneous",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LocationAndSensors,DisableLocation,Disable Location,DWORD,1
"Group Policy","Miscellaneous",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LocationAndSensors,DisableLocationScripting,Disable Location Scripting,DWORD,1
From 001539d5ea364af444af671535fd5998dc7702f3 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Thu, 14 Dec 2023 22:51:58 -0930
Subject: [PATCH 54/79] Update Confirm-SystemCompliance.psm1
---
.../Main files/Core/Confirm-SystemCompliance.psm1 | 1 -
1 file changed, 1 deletion(-)
diff --git a/Harden-Windows-Security Module/Main files/Core/Confirm-SystemCompliance.psm1 b/Harden-Windows-Security Module/Main files/Core/Confirm-SystemCompliance.psm1
index 2cc1abfbc..fcd020e3f 100644
--- a/Harden-Windows-Security Module/Main files/Core/Confirm-SystemCompliance.psm1
+++ b/Harden-Windows-Security Module/Main files/Core/Confirm-SystemCompliance.psm1
@@ -1851,7 +1851,6 @@ function Confirm-SystemCompliance {
[System.Int64]($FinalMegaObject.Edge | Where-Object -FilterScript { $_.Compliant -eq $True }).Count + # 15
[System.Int64]($FinalMegaObject.'Non-Admin' | Where-Object -FilterScript { $_.Compliant -eq $True }).Count # 11
-
#Region ASCII-Arts
[System.String]$WhenValue1To20 = @'
OH
From 6b6f73574e5539a14a3d47acabe591e32a0a73b0 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Thu, 14 Dec 2023 23:19:41 -0930
Subject: [PATCH 55/79] Separated CTRL + ALT + DEL requirement policy
in lock screen category
---
.../Resources/Harden-Windows-Security.ps1 | 16 ++++++++++++----
Payload/Security-Baselines-X.zip | Bin 11604 -> 12139 bytes
2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
index 156e6115c..55a43be6c 100644
--- a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
@@ -1845,17 +1845,25 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
.\LGPO.exe /q /s '..\Security-Baselines-X\Lock Screen Policies\GptTmpl.inf'
# Apply the Don't display last signed-in policy
+ Write-Progress -Id 2 -ParentId 0 -Activity 'Lock Screen' -Status "Applying the Don't display last signed-in policy" -PercentComplete 35
+
switch (Select-Option -SubCategory -Options 'Yes', 'No', 'Exit' -Message "`nDon't display last signed-in on logon screen ?" -ExtraMessage 'Read the GitHub Readme!') {
'Yes' {
- Write-Progress -Id 2 -ParentId 0 -Activity 'Lock Screen' -Status "Applying the Don't display last signed-in policy" -PercentComplete 50
-
.\LGPO.exe /q /s "..\Security-Baselines-X\Lock Screen Policies\Don't display last signed-in\GptTmpl.inf"
-
- Write-Progress -Id 2 -Activity "Applying the Don't display last signed-in policy" -Completed
} 'No' { break }
'Exit' { &$CleanUp }
}
+ # Enable CTRL + ALT + DEL
+ Write-Progress -Id 2 -ParentId 0 -Activity 'Lock Screen' -Status "Applying the Don't display last signed-in policy" -PercentComplete 70
+
+ switch (Select-Option -SubCategory -Options 'Yes', 'No', 'Exit' -Message "`nEnable requiring CTRL + ALT + DEL on lock screen ?") {
+ 'Yes' {
+ .\LGPO.exe /q /s '..\Security-Baselines-X\Lock Screen Policies\Enable CTRL + ALT + DEL\GptTmpl.inf'
+ } 'No' { break }
+ 'Exit' { &$CleanUp }
+ }
+ Write-Progress -Id 2 -Activity "Applying the Don't display last signed-in policy" -Completed
} 'No' { break }
'Exit' { &$CleanUp }
}
diff --git a/Payload/Security-Baselines-X.zip b/Payload/Security-Baselines-X.zip
index f36173b91d2f3940d42b4c0a2f6853fa1d6b88a6..d09900beec9031b4b15ba313c02a80109f0bef1c 100644
GIT binary patch
delta 1292
zcmcZ-^*U|?D=U-U&duzsm5d?`47EG^!Woc&F2m%0WpNYNyu_rOR0ZddARh&71xKF{
zAnD@jqaWbS%mUQKz`-yHs4>su-uA;lUIZfpg9TV)JuZ#z1tlT51vz?|d1<i|toa!o
zMOybqJ+kl65LLOQ%i{P@u<4MNSoUU4?U`RY?E8(&w=bMI^Ye`2cW0jOO?7oU)u`>B
zR2H)GPa&iJ+MSxwVpi%w#d#K*rq^8N?3}%Phy6nDe!=8rJRJ3rS}#@p2m7hVYqXy)
zfAl$s`)0@KD-~1q#ouXOo@qaM-?eu~mR~YnS^PHL+jH&B?R#=o&FBuepVo8Zw5axK
zZM6l?lf!;ax_>08s9$KIhh_O|z7>}>;vWaMooRXf>|6cE4fB+g7v%mCM}$KQFdSYy
zYf*^?hCvF;<Oyu*^^?!~9SRU=J%8&+c}9n~cviwmrtbPq1;L}NrH)>zE*U3tS!*l5
z?!G*Y<qIRn!tKVz=gwHZ{qnqeP5RPV+F{F93hjLr;a<IS+rAyo!X&djrmR-j9I}9K
z#f?>!NB6dizMlJ<eTBF03&E%<LhL2nSB#!4{wTC*_ng`<J7@hl_wVJs`lqjE1S~LX
z{wQw0P1E>Q+-B$M1%f@SXHr)0Z0`@)zAHFByz9e^m%M-2mN1JqemH-4;`!B4OT>#b
z-x(EH7G`AG+{>0PwEDDklLzy;*3y}`pJY7ubUWiWQ*8Eh)BjDcgr85UdRcZNmS=JA
z?%<fX5IKIw+WyG-d-{)T`Q0lq;bV04#>SU3ihXUCyC14$k2@Jtc&#sr{qeGFi~aF+
z`C$p_S6<)!%r`H$SXOKK)L+jUSFacS-ucJxYII1Q>Tcsx>kqjb-#&HdONF1a`qcdb
z%gw74@^bb++v=-Ry=C>i&2k)~jG*Le%IV4uq$k%1gn+o01d_nQW<uN8K>T+S5PpzU
z5C=%vGNt3P*b+M|<qJ&iQkHSXm3RZZ8JR>FaHV^g845tg;mLi<65=?_nfy>&LIE|s
zFff30L4X2~y2B34em+d4oS<Ad*;Gf2g@FO+d_EN!rh2Z){VL{@lU1~sE`gZ2OnbS3
zl-y()RWqhHe3L^|{g_+?CUfztPEz5K*F($K7EntV7zBW<W0N1MSx?qi;{k<@t(pvz
zjL_r_B07`#1Pv$eP}5+V4CSi3E1(+`fnrdDFjSw;<g@BJOy3aPU=0hVM<QU^of@W0
zuS6$*&`4rBE<U+eOnP#@rWTW!<RopCNfO+X-)eI~e0f7thS6g3e=XI?Qd*IW%b_g&
z$p<8PCcn{vDgwE7j`Sq$RwiMYN!rnqA8DI1CCE;e)CppAntV`4esZ^tDO0?{<Xj!O
h$q#hQnA{X6^C+lIw$tU{lVgx$5aVHBuvZ580RZY+&FBCC
delta 898
zcmaDIcO_~AD=X8dt()0dD;b437%m1gg`e8`en}=H0|N&u1B1fk37is>`8jy%r=0aW
z6d=%g{??K5j1F({tb~(H2lu;7=y=ey>p&2vVAQ3s3)92*TkoCFVCUexWBN=><KlBq
z`0Vc|^G?lJ=dp5G*VjeKva&yB{d#mp*XSC9c6ej@N(bG5iLS--tNp{4l%L}dm_93D
zac)?XY=CaS;R*fI#2?>1Z|O3B^||M7=D(_!J=ep>niFjF@6qvVscv@)&pnXKa5>g=
zrsDX{?!Ik#rOW576Io<<Rr&|-37!~^LuZu_&;K2<BE5$5RZxLt+3gz^dmh_8I`?7v
z8K<v1#luqb<{sYb+4jZnh1kq#ruUm(2!Eecv9j#I`i>s8SAKz&4^6`wYmckhT-07M
zBTCms^?d!Sf;X353&(9ddwuUMJGt*g<|%1kb{?BIyGgT#d;ZQx_x$z-N}9?Z7OnfF
zy+QcV?Y{+FZQEicb(YVo-TUax_MYm9cX#vSt9G9JZF}l$>9sRv%MI-GmM;@te}3;_
zY1@SBW&bU*Uq@Wa_;qW4fHyOX2m>(u8GMbH!~1>f&Yxyrn0#NAbMj=)Z=ks9=5l2R
z(vvR<hJd&lLP?Aux<_~$8;Ew1g78;J2XTOu{ZT$HizQ}(Hb8*F<OeD;z&Pff+^^0v
z`HHF>lRU@diJZ!lAE@&veA?O<4pRuCP2n5?AWM^T@;ff`$yI7vOf?{;^W=BRT$7J-
zi}65|DFCT-E}(?mWNtOF$)4&8Ow)KLCkRMRzNRfYc_xtijt|IH1z81h>N|BArUHS<
z>xHcN0=yZSL>NHfz`y{M`KcqrbPOaDJ^8GL7L%<YkeNO?K@+SkPg90bYjUAR<m4xs
zI*bdztSl`H#-7Q7TDp@jXqhri5do^#nQW|W##AUaIa}M6>45lTeHj&?JH$a2zt@&w
zdL#iB*`T98IYCE@F>vxmZPm#eblgGmAnV<vfb!9ki*&V^_JWvclh^9;Ocv0SW8#vT
yY@ip!^hS1aoV+GD6n6qeIpu*|h{t*L6_`HAPuADh<C9^KVF=}BV0ftr@)-b!@?Q}E
From bde83c784946338008cf54c685b264ef9a3f3236 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Thu, 14 Dec 2023 23:33:50 -0930
Subject: [PATCH 56/79] Fixed progress bars
---
.../Resources/Harden-Windows-Security.ps1 | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
index 55a43be6c..228da4f9c 100644
--- a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
@@ -1845,25 +1845,28 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
.\LGPO.exe /q /s '..\Security-Baselines-X\Lock Screen Policies\GptTmpl.inf'
# Apply the Don't display last signed-in policy
- Write-Progress -Id 2 -ParentId 0 -Activity 'Lock Screen' -Status "Applying the Don't display last signed-in policy" -PercentComplete 35
-
switch (Select-Option -SubCategory -Options 'Yes', 'No', 'Exit' -Message "`nDon't display last signed-in on logon screen ?" -ExtraMessage 'Read the GitHub Readme!') {
'Yes' {
+ Write-Progress -Id 2 -ParentId 0 -Activity 'Lock Screen' -Status "Applying the Don't display last signed-in policy" -PercentComplete 50
+
.\LGPO.exe /q /s "..\Security-Baselines-X\Lock Screen Policies\Don't display last signed-in\GptTmpl.inf"
+
+ Write-Progress -Id 2 -Activity "Applying the Don't display last signed-in policy" -Completed
} 'No' { break }
'Exit' { &$CleanUp }
}
# Enable CTRL + ALT + DEL
- Write-Progress -Id 2 -ParentId 0 -Activity 'Lock Screen' -Status "Applying the Don't display last signed-in policy" -PercentComplete 70
-
switch (Select-Option -SubCategory -Options 'Yes', 'No', 'Exit' -Message "`nEnable requiring CTRL + ALT + DEL on lock screen ?") {
'Yes' {
+ Write-Progress -Id 3 -ParentId 0 -Activity 'Lock Screen' -Status "Applying the Don't display last signed-in policy" -PercentComplete 50
+
.\LGPO.exe /q /s '..\Security-Baselines-X\Lock Screen Policies\Enable CTRL + ALT + DEL\GptTmpl.inf'
+
+ Write-Progress -Id 3 -Activity "Applying the Don't display last signed-in policy" -Completed
} 'No' { break }
'Exit' { &$CleanUp }
- }
- Write-Progress -Id 2 -Activity "Applying the Don't display last signed-in policy" -Completed
+ }
} 'No' { break }
'Exit' { &$CleanUp }
}
From dfd7d734a4da70c2488d74344f8a138affc312e4 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Fri, 15 Dec 2023 00:03:20 -0930
Subject: [PATCH 57/79] Added support for OS drives with label other than C
---
.../Core/Confirm-SystemCompliance.psm1 | 2 +-
.../Core/Unprotect-WindowsSecurity.psm1 | 8 ++++----
.../Resources/Harden-Windows-Security.ps1 | 20 +++++++++----------
3 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Core/Confirm-SystemCompliance.psm1 b/Harden-Windows-Security Module/Main files/Core/Confirm-SystemCompliance.psm1
index fcd020e3f..43a9a1577 100644
--- a/Harden-Windows-Security Module/Main files/Core/Confirm-SystemCompliance.psm1
+++ b/Harden-Windows-Security Module/Main files/Core/Confirm-SystemCompliance.psm1
@@ -201,7 +201,7 @@ function Confirm-SystemCompliance {
Write-Progress -Id 0 -Activity 'Gathering Security Policy Information' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
# Get the security group policies
- &'C:\Windows\System32\Secedit.exe' /export /cfg .\security_policy.inf | Out-Null
+ &"$env:SystemDrive\Windows\System32\Secedit.exe" /export /cfg .\security_policy.inf | Out-Null
# Storing the output of the ini file parsing function
[PSCustomObject]$SecurityPoliciesIni = ConvertFrom-IniFile -IniFile .\security_policy.inf
diff --git a/Harden-Windows-Security Module/Main files/Core/Unprotect-WindowsSecurity.psm1 b/Harden-Windows-Security Module/Main files/Core/Unprotect-WindowsSecurity.psm1
index ac62f63cc..4893e6be4 100644
--- a/Harden-Windows-Security Module/Main files/Core/Unprotect-WindowsSecurity.psm1
+++ b/Harden-Windows-Security Module/Main files/Core/Unprotect-WindowsSecurity.psm1
@@ -132,8 +132,8 @@ Function Unprotect-WindowsSecurity {
$CurrentMainStep++
Write-Progress -Id 0 -Activity 'Deleting all group policies' -Status "Step $CurrentMainStep/$TotalMainSteps" -PercentComplete ($CurrentMainStep / $TotalMainSteps * 100)
- if (Test-Path -Path 'C:\Windows\System32\GroupPolicy') {
- Remove-Item -Path 'C:\Windows\System32\GroupPolicy' -Recurse -Force
+ if (Test-Path -Path "$env:SystemDrive\Windows\System32\GroupPolicy") {
+ Remove-Item -Path "$env:SystemDrive\Windows\System32\GroupPolicy" -Recurse -Force
}
$CurrentMainStep++
@@ -204,8 +204,8 @@ Function Unprotect-WindowsSecurity {
ForEach-Object -Process { Enable-NetFirewallRule -DisplayName $_.DisplayName }
# Remove any custom views added by this script for Event Viewer
- if (Test-Path -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script') {
- Remove-Item -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script' -Recurse -Force
+ if (Test-Path -Path "$env:SystemDrive\ProgramData\Microsoft\Event Viewer\Views\Hardening Script") {
+ Remove-Item -Path "$env:SystemDrive\ProgramData\Microsoft\Event Viewer\Views\Hardening Script" -Recurse -Force
}
# Set a tattooed Group policy for Svchost.exe process mitigations back to disabled state
diff --git a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
index 228da4f9c..bd856f879 100644
--- a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
@@ -633,7 +633,7 @@ if (Test-IsAdmin) {
# Temporarily allow the currently running PowerShell executables to the Controlled Folder Access allowed apps
# so that the script can run without interruption. This change is reverted at the end.
# Adding powercfg.exe so Controlled Folder Access won't complain about it in BitLocker category when setting hibernate file size to full
- foreach ($FilePath in (((Get-ChildItem -Path "$PSHOME\*.exe" -File).FullName) + 'C:\Windows\System32\powercfg.exe')) {
+ foreach ($FilePath in (((Get-ChildItem -Path "$PSHOME\*.exe" -File).FullName) + "$env:SystemDrive\Windows\System32\powercfg.exe")) {
Add-MpPreference -ControlledFolderAccessAllowedApplications $FilePath
}
@@ -972,7 +972,7 @@ try {
Set-MpPreference -EnableConvertWarnToBlock $True
# Add OneDrive folders of all user accounts (personal and work accounts) to the Controlled Folder Access for Ransomware Protection
- Get-ChildItem 'C:\Users\*\OneDrive*\' -Directory | ForEach-Object -Process { Add-MpPreference -ControlledFolderAccessProtectedFolders $_ }
+ Get-ChildItem "$env:SystemDrive\Users\*\OneDrive*\" -Directory | ForEach-Object -Process { Add-MpPreference -ControlledFolderAccessProtectedFolders $_ }
# Enable Mandatory ASLR Exploit Protection system-wide
Set-ProcessMitigation -System -Enable ForceRelocateImages
@@ -1566,7 +1566,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Progress -Id 6 -ParentId 0 -Activity 'Hibernate' -Status 'Setting Hibernate file size to full' -PercentComplete 50
# Set Hibernate mode to full
- &'C:\Windows\System32\powercfg.exe' /h /type full | Out-Null
+ &"$env:SystemDrive\Windows\System32\powercfg.exe" /h /type full | Out-Null
Write-Progress -Id 6 -Activity 'Setting Hibernate file size to full' -Completed
}
@@ -2120,17 +2120,17 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Get the list of subcategories and their associated GUIDs
# auditpol /list /subcategory:* /r
- # Event Viewer custom views are saved in "C:\ProgramData\Microsoft\Event Viewer\Views". files in there can be backed up and restored on new Windows installations.
- New-Item -ItemType Directory -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script\' -Force | Out-Null
+ # Event Viewer custom views are saved in "$env:SystemDrive\ProgramData\Microsoft\Event Viewer\Views". files in there can be backed up and restored on new Windows installations.
+ New-Item -ItemType Directory -Path "$env:SystemDrive\ProgramData\Microsoft\Event Viewer\Views\Hardening Script\" -Force | Out-Null
# Due to change in event viewer custom log files, making sure no old file names exist
- if (Test-Path -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script') {
- Remove-Item -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script' -Recurse -Force
+ if (Test-Path -Path "$env:SystemDrive\ProgramData\Microsoft\Event Viewer\Views\Hardening Script") {
+ Remove-Item -Path "$env:SystemDrive\ProgramData\Microsoft\Event Viewer\Views\Hardening Script" -Recurse -Force
}
# Creating new sub-folder to store the custom views
- New-Item -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script' -ItemType Directory -Force | Out-Null
+ New-Item -Path "$env:SystemDrive\ProgramData\Microsoft\Event Viewer\Views\Hardening Script" -ItemType Directory -Force | Out-Null
- Expand-Archive -Path "$WorkingDir\EventViewerCustomViews.zip" -DestinationPath 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script' -Force -ErrorAction Stop
+ Expand-Archive -Path "$WorkingDir\EventViewerCustomViews.zip" -DestinationPath "$env:SystemDrive\ProgramData\Microsoft\Event Viewer\Views\Hardening Script" -Force -ErrorAction Stop
} 'No' { break }
'Exit' { &$CleanUp }
@@ -2292,7 +2292,7 @@ finally {
if (Test-IsAdmin) {
# Reverting the PowerShell executables and powercfg.exe allow listings in Controlled folder access
- foreach ($FilePath in (((Get-ChildItem -Path "$PSHOME\*.exe" -File).FullName) + 'C:\Windows\System32\powercfg.exe')) {
+ foreach ($FilePath in (((Get-ChildItem -Path "$PSHOME\*.exe" -File).FullName) + "$env:SystemDrive\Windows\System32\powercfg.exe")) {
Remove-MpPreference -ControlledFolderAccessAllowedApplications $FilePath
}
From 21f82bc30bf710f4746d18c566832fdccfedbb2d Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Fri, 15 Dec 2023 00:04:59 -0930
Subject: [PATCH 58/79] Added changes from module to the main script
---
Harden-Windows-Security.ps1 | 53 +++++++++++++++----------------------
1 file changed, 22 insertions(+), 31 deletions(-)
diff --git a/Harden-Windows-Security.ps1 b/Harden-Windows-Security.ps1
index 3d2303fdc..0a43d08c0 100644
--- a/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security.ps1
@@ -633,7 +633,7 @@ if (Test-IsAdmin) {
# Temporarily allow the currently running PowerShell executables to the Controlled Folder Access allowed apps
# so that the script can run without interruption. This change is reverted at the end.
# Adding powercfg.exe so Controlled Folder Access won't complain about it in BitLocker category when setting hibernate file size to full
- foreach ($FilePath in (((Get-ChildItem -Path "$PSHOME\*.exe" -File).FullName) + 'C:\Windows\System32\powercfg.exe')) {
+ foreach ($FilePath in (((Get-ChildItem -Path "$PSHOME\*.exe" -File).FullName) + "$env:SystemDrive\Windows\System32\powercfg.exe")) {
Add-MpPreference -ControlledFolderAccessAllowedApplications $FilePath
}
@@ -972,7 +972,7 @@ try {
Set-MpPreference -EnableConvertWarnToBlock $True
# Add OneDrive folders of all user accounts (personal and work accounts) to the Controlled Folder Access for Ransomware Protection
- Get-ChildItem 'C:\Users\*\OneDrive*\' -Directory | ForEach-Object -Process { Add-MpPreference -ControlledFolderAccessProtectedFolders $_ }
+ Get-ChildItem "$env:SystemDrive\Users\*\OneDrive*\" -Directory | ForEach-Object -Process { Add-MpPreference -ControlledFolderAccessProtectedFolders $_ }
# Enable Mandatory ASLR Exploit Protection system-wide
Set-ProcessMitigation -System -Enable ForceRelocateImages
@@ -1566,7 +1566,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Progress -Id 6 -ParentId 0 -Activity 'Hibernate' -Status 'Setting Hibernate file size to full' -PercentComplete 50
# Set Hibernate mode to full
- &'C:\Windows\System32\powercfg.exe' /h /type full | Out-Null
+ &"$env:SystemDrive\Windows\System32\powercfg.exe" /h /type full | Out-Null
Write-Progress -Id 6 -Activity 'Setting Hibernate file size to full' -Completed
}
@@ -1850,12 +1850,23 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Progress -Id 2 -ParentId 0 -Activity 'Lock Screen' -Status "Applying the Don't display last signed-in policy" -PercentComplete 50
.\LGPO.exe /q /s "..\Security-Baselines-X\Lock Screen Policies\Don't display last signed-in\GptTmpl.inf"
-
+
Write-Progress -Id 2 -Activity "Applying the Don't display last signed-in policy" -Completed
} 'No' { break }
'Exit' { &$CleanUp }
}
+ # Enable CTRL + ALT + DEL
+ switch (Select-Option -SubCategory -Options 'Yes', 'No', 'Exit' -Message "`nEnable requiring CTRL + ALT + DEL on lock screen ?") {
+ 'Yes' {
+ Write-Progress -Id 3 -ParentId 0 -Activity 'Lock Screen' -Status "Applying the Don't display last signed-in policy" -PercentComplete 50
+
+ .\LGPO.exe /q /s '..\Security-Baselines-X\Lock Screen Policies\Enable CTRL + ALT + DEL\GptTmpl.inf'
+
+ Write-Progress -Id 3 -Activity "Applying the Don't display last signed-in policy" -Completed
+ } 'No' { break }
+ 'Exit' { &$CleanUp }
+ }
} 'No' { break }
'Exit' { &$CleanUp }
}
@@ -1875,18 +1886,6 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Set-Location -Path "$WorkingDir\LGPO_30"
.\LGPO.exe /q /s '..\Security-Baselines-X\User Account Control UAC Policies\GptTmpl.inf'
- # Apply the Automatically deny all UAC prompts on Standard accounts policy
- switch (Select-Option -SubCategory -Options 'Yes', 'No', 'Exit' -Message "`nAutomatically deny all UAC prompts on Standard accounts ?") {
- 'Yes' {
- Write-Progress -Id 3 -ParentId 0 -Activity 'User Account Control' -Status 'Automatically deny all UAC prompts on Standard accounts policy' -PercentComplete 50
-
- .\LGPO.exe /q /s '..\Security-Baselines-X\User Account Control UAC Policies\Automatically deny all UAC prompts on Standard accounts\GptTmpl.inf'
-
- Write-Progress -Id 3 -Activity 'Automatically deny all UAC prompts on Standard accounts policy' -Completed
- } 'No' { break }
- 'Exit' { &$CleanUp }
- }
-
# Apply the Hide the entry points for Fast User Switching policy
switch (Select-Option -SubCategory -Options 'Yes', 'No', 'Exit' -Message "`nHide the entry points for Fast User Switching ?" -ExtraMessage 'Read the GitHub Readme!') {
'Yes' {
@@ -2107,14 +2106,6 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
.\LGPO.exe /q /m '..\Security-Baselines-X\Miscellaneous Policies\registry.pol'
.\LGPO.exe /q /s '..\Security-Baselines-X\Miscellaneous Policies\GptTmpl.inf'
- # Apply the Blocking Untrusted Fonts policy
- switch (Select-Option -SubCategory -Options 'Yes', 'No', 'Exit' -Message "`nBlock Untrusted Fonts ?") {
- 'Yes' {
- .\LGPO.exe /q /m '..\Security-Baselines-X\Miscellaneous Policies\Blocking Untrusted Fonts\registry.pol'
- } 'No' { break }
- 'Exit' { &$CleanUp }
- }
-
# Allow all Windows users to use Hyper-V and Windows Sandbox by adding all Windows users to the "Hyper-V Administrators" security group using its SID
Get-LocalUser | Where-Object -FilterScript { $_.enabled -eq 'True' } | ForEach-Object -Process { Add-LocalGroupMember -SID 'S-1-5-32-578' -Member "$($_.SID)" -ErrorAction SilentlyContinue }
@@ -2129,17 +2120,17 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# Get the list of subcategories and their associated GUIDs
# auditpol /list /subcategory:* /r
- # Event Viewer custom views are saved in "C:\ProgramData\Microsoft\Event Viewer\Views". files in there can be backed up and restored on new Windows installations.
- New-Item -ItemType Directory -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script\' -Force | Out-Null
+ # Event Viewer custom views are saved in "$env:SystemDrive\ProgramData\Microsoft\Event Viewer\Views". files in there can be backed up and restored on new Windows installations.
+ New-Item -ItemType Directory -Path "$env:SystemDrive\ProgramData\Microsoft\Event Viewer\Views\Hardening Script\" -Force | Out-Null
# Due to change in event viewer custom log files, making sure no old file names exist
- if (Test-Path -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script') {
- Remove-Item -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script' -Recurse -Force
+ if (Test-Path -Path "$env:SystemDrive\ProgramData\Microsoft\Event Viewer\Views\Hardening Script") {
+ Remove-Item -Path "$env:SystemDrive\ProgramData\Microsoft\Event Viewer\Views\Hardening Script" -Recurse -Force
}
# Creating new sub-folder to store the custom views
- New-Item -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script' -ItemType Directory -Force | Out-Null
+ New-Item -Path "$env:SystemDrive\ProgramData\Microsoft\Event Viewer\Views\Hardening Script" -ItemType Directory -Force | Out-Null
- Expand-Archive -Path "$WorkingDir\EventViewerCustomViews.zip" -DestinationPath 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script' -Force -ErrorAction Stop
+ Expand-Archive -Path "$WorkingDir\EventViewerCustomViews.zip" -DestinationPath "$env:SystemDrive\ProgramData\Microsoft\Event Viewer\Views\Hardening Script" -Force -ErrorAction Stop
} 'No' { break }
'Exit' { &$CleanUp }
@@ -2301,7 +2292,7 @@ finally {
if (Test-IsAdmin) {
# Reverting the PowerShell executables and powercfg.exe allow listings in Controlled folder access
- foreach ($FilePath in (((Get-ChildItem -Path "$PSHOME\*.exe" -File).FullName) + 'C:\Windows\System32\powercfg.exe')) {
+ foreach ($FilePath in (((Get-ChildItem -Path "$PSHOME\*.exe" -File).FullName) + "$env:SystemDrive\Windows\System32\powercfg.exe")) {
Remove-MpPreference -ControlledFolderAccessAllowedApplications $FilePath
}
From 024353f8fb214589ff07faf8571080caa5703b32 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Fri, 15 Dec 2023 00:10:51 -0930
Subject: [PATCH 59/79] Removed hardcoded OS label from scheduled task
---
.../Main files/Resources/Harden-Windows-Security.ps1 | 2 +-
Harden-Windows-Security.ps1 | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
index bd856f879..752493d53 100644
--- a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
@@ -1076,7 +1076,7 @@ try {
# Create a scheduled task action, this defines how to download and install the latest Microsoft Recommended Driver Block Rules
[Microsoft.Management.Infrastructure.CimInstance]$Action = New-ScheduledTaskAction -Execute 'Powershell.exe' `
- -Argument '-NoProfile -WindowStyle Hidden -command "& {try {Invoke-WebRequest -Uri "https://aka.ms/VulnerableDriverBlockList" -OutFile VulnerableDriverBlockList.zip -ErrorAction Stop}catch{exit 1};Expand-Archive -Path .\VulnerableDriverBlockList.zip -DestinationPath "VulnerableDriverBlockList" -Force;Rename-Item -Path .\VulnerableDriverBlockList\SiPolicy_Enforced.p7b -NewName "SiPolicy.p7b" -Force;Copy-Item -Path .\VulnerableDriverBlockList\SiPolicy.p7b -Destination "C:\Windows\System32\CodeIntegrity";citool --refresh -json;Remove-Item -Path .\VulnerableDriverBlockList -Recurse -Force;Remove-Item -Path .\VulnerableDriverBlockList.zip -Force; exit 0;}"'
+ -Argument '-NoProfile -WindowStyle Hidden -command "& {try {Invoke-WebRequest -Uri "https://aka.ms/VulnerableDriverBlockList" -OutFile VulnerableDriverBlockList.zip -ErrorAction Stop}catch{exit 1};Expand-Archive -Path .\VulnerableDriverBlockList.zip -DestinationPath "VulnerableDriverBlockList" -Force;Rename-Item -Path .\VulnerableDriverBlockList\SiPolicy_Enforced.p7b -NewName "SiPolicy.p7b" -Force;Copy-Item -Path .\VulnerableDriverBlockList\SiPolicy.p7b -Destination "$env:SystemDrive\Windows\System32\CodeIntegrity";citool --refresh -json;Remove-Item -Path .\VulnerableDriverBlockList -Recurse -Force;Remove-Item -Path .\VulnerableDriverBlockList.zip -Force; exit 0;}"'
# Create a scheduled task principal and assign the SYSTEM account's SID to it so that the task will run under its context
[Microsoft.Management.Infrastructure.CimInstance]$TaskPrincipal = New-ScheduledTaskPrincipal -LogonType S4U -UserId $($SYSTEMSID.Value) -RunLevel Highest
diff --git a/Harden-Windows-Security.ps1 b/Harden-Windows-Security.ps1
index 0a43d08c0..1ef42e8f8 100644
--- a/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security.ps1
@@ -1076,7 +1076,7 @@ try {
# Create a scheduled task action, this defines how to download and install the latest Microsoft Recommended Driver Block Rules
[Microsoft.Management.Infrastructure.CimInstance]$Action = New-ScheduledTaskAction -Execute 'Powershell.exe' `
- -Argument '-NoProfile -WindowStyle Hidden -command "& {try {Invoke-WebRequest -Uri "https://aka.ms/VulnerableDriverBlockList" -OutFile VulnerableDriverBlockList.zip -ErrorAction Stop}catch{exit 1};Expand-Archive -Path .\VulnerableDriverBlockList.zip -DestinationPath "VulnerableDriverBlockList" -Force;Rename-Item -Path .\VulnerableDriverBlockList\SiPolicy_Enforced.p7b -NewName "SiPolicy.p7b" -Force;Copy-Item -Path .\VulnerableDriverBlockList\SiPolicy.p7b -Destination "C:\Windows\System32\CodeIntegrity";citool --refresh -json;Remove-Item -Path .\VulnerableDriverBlockList -Recurse -Force;Remove-Item -Path .\VulnerableDriverBlockList.zip -Force; exit 0;}"'
+ -Argument '-NoProfile -WindowStyle Hidden -command "& {try {Invoke-WebRequest -Uri "https://aka.ms/VulnerableDriverBlockList" -OutFile VulnerableDriverBlockList.zip -ErrorAction Stop}catch{exit 1};Expand-Archive -Path .\VulnerableDriverBlockList.zip -DestinationPath "VulnerableDriverBlockList" -Force;Rename-Item -Path .\VulnerableDriverBlockList\SiPolicy_Enforced.p7b -NewName "SiPolicy.p7b" -Force;Copy-Item -Path .\VulnerableDriverBlockList\SiPolicy.p7b -Destination "$env:SystemDrive\Windows\System32\CodeIntegrity";citool --refresh -json;Remove-Item -Path .\VulnerableDriverBlockList -Recurse -Force;Remove-Item -Path .\VulnerableDriverBlockList.zip -Force; exit 0;}"'
# Create a scheduled task principal and assign the SYSTEM account's SID to it so that the task will run under its context
[Microsoft.Management.Infrastructure.CimInstance]$TaskPrincipal = New-ScheduledTaskPrincipal -LogonType S4U -UserId $($SYSTEMSID.Value) -RunLevel Highest
From ed78fc04cf4b3bd3b234df4472e0934dedcd0ecb Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Fri, 15 Dec 2023 00:31:32 -0930
Subject: [PATCH 60/79] function relocation and version increase
---
.../Resources/Harden-Windows-Security.ps1 | 159 +++++++++---------
Harden-Windows-Security.ps1 | 159 +++++++++---------
Version.txt | 2 +-
3 files changed, 161 insertions(+), 159 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
index 752493d53..796db5a09 100644
--- a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
@@ -1,6 +1,6 @@
<#PSScriptInfo
-.VERSION 2023.11.23
+.VERSION 2023.12.15
.GUID d435a293-c9ee-4217-8dc1-4ad2318a5770
@@ -98,7 +98,7 @@ $Host.UI.RawUI.WindowTitle = '❤️🔥Harden Windows Security❤️🔥'
# Defining script variables
# Current script's version, the same as the version at the top in the script info section
-[System.DateTime]$CurrentVersion = '2023.11.23'
+[System.DateTime]$CurrentVersion = '2023.12.15'
# Minimum OS build number required for the hardening measures used in this script
[System.Decimal]$Requiredbuild = '22621.2428'
# Fetching Temp Directory
@@ -617,6 +617,80 @@ function Block-CountryIP {
New-NetFirewallRule -DisplayName "$ListName IP range blocking" -Direction Inbound -Action Block -LocalAddress Any -RemoteAddress $IPList -Description "$ListName IP range blocking" -EdgeTraversalPolicy Block -PolicyStore localhost
New-NetFirewallRule -DisplayName "$ListName IP range blocking" -Direction Outbound -Action Block -LocalAddress Any -RemoteAddress $IPList -Description "$ListName IP range blocking" -EdgeTraversalPolicy Block -PolicyStore localhost
}
+function Edit-Addons {
+ <#
+ .SYNOPSIS
+ A function to enable or disable Windows features and capabilities.
+ .INPUTS
+ System.String
+ .OUTPUTS
+ System.String
+ #>
+ param (
+ [CmdletBinding()]
+ [parameter(Mandatory = $true)]
+ [ValidateSet('Capability', 'Feature')]
+ [System.String]$Type,
+ [parameter(Mandatory = $true, ParameterSetName = 'Capability')]
+ [System.String]$CapabilityName,
+ [parameter(Mandatory = $true, ParameterSetName = 'Feature')]
+ [System.String]$FeatureName,
+ [parameter(Mandatory = $true, ParameterSetName = 'Feature')]
+ [ValidateSet('Enabling', 'Disabling')]
+ [System.String]$FeatureAction
+ )
+ switch ($Type) {
+ 'Feature' {
+ if ($FeatureAction -eq 'Enabling') {
+ $ActionCheck = 'disabled'
+ $ActionOutput = 'enabled'
+ }
+ else {
+ $ActionCheck = 'enabled'
+ $ActionOutput = 'disabled'
+ }
+ Write-SmartText -CustomColor Lavender -GenericColor Yellow -InputText "`n$FeatureAction $FeatureName"
+ if ((Get-WindowsOptionalFeature -Online -FeatureName $FeatureName).state -eq $ActionCheck) {
+ try {
+ if ($FeatureAction -eq 'Enabling') {
+ Enable-WindowsOptionalFeature -Online -FeatureName $FeatureName -All -NoRestart -ErrorAction Stop
+ }
+ else {
+ Disable-WindowsOptionalFeature -Online -FeatureName $FeatureName -NoRestart -ErrorAction Stop
+ }
+ # Shows the successful message only if the process was successful
+ Write-SmartText -GenericColor Green -CustomColor NeonGreen -InputText "$FeatureName was successfully $ActionOutput"
+ }
+ catch {
+ # show errors in non-terminating way
+ $_
+ }
+ }
+ else {
+ Write-SmartText -GenericColor Green -CustomColor NeonGreen -InputText "$FeatureName is already $ActionOutput"
+ }
+ break
+ }
+ 'Capability' {
+ Write-SmartText -CustomColor Lavender -GenericColor Yellow -InputText "`nRemoving $CapabilityName"
+ if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like "*$CapabilityName*" }).state -ne 'NotPresent') {
+ try {
+ Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like "*$CapabilityName*" } | Remove-WindowsCapability -Online -ErrorAction Stop
+ # Shows the successful message only if the process was successful
+ Write-SmartText -GenericColor Green -CustomColor NeonGreen -InputText "$CapabilityName was successfully removed."
+ }
+ catch {
+ # show errors in non-terminating way
+ $_
+ }
+ }
+ else {
+ Write-SmartText -GenericColor Green -CustomColor NeonGreen -InputText "$CapabilityName is already removed."
+ }
+ break
+ }
+ }
+}
#endregion functions
if (Test-IsAdmin) {
@@ -1850,7 +1924,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Progress -Id 2 -ParentId 0 -Activity 'Lock Screen' -Status "Applying the Don't display last signed-in policy" -PercentComplete 50
.\LGPO.exe /q /s "..\Security-Baselines-X\Lock Screen Policies\Don't display last signed-in\GptTmpl.inf"
-
+
Write-Progress -Id 2 -Activity "Applying the Don't display last signed-in policy" -Completed
} 'No' { break }
'Exit' { &$CleanUp }
@@ -1862,11 +1936,11 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Progress -Id 3 -ParentId 0 -Activity 'Lock Screen' -Status "Applying the Don't display last signed-in policy" -PercentComplete 50
.\LGPO.exe /q /s '..\Security-Baselines-X\Lock Screen Policies\Enable CTRL + ALT + DEL\GptTmpl.inf'
-
+
Write-Progress -Id 3 -Activity "Applying the Don't display last signed-in policy" -Completed
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
} 'No' { break }
'Exit' { &$CleanUp }
}
@@ -1950,80 +2024,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# PowerShell Core (only if installed from Microsoft Store) has problem with these commands: https://github.com/PowerShell/PowerShell/issues/13866#issuecomment-1519066710
Import-Module -Name 'DISM' -UseWindowsPowerShell -Force -WarningAction SilentlyContinue
- function Edit-Addons {
- <#
- .SYNOPSIS
- A function to enable or disable Windows features and capabilities.
- .INPUTS
- System.String
- .OUTPUTS
- System.String
- #>
- param (
- [CmdletBinding()]
- [parameter(Mandatory = $true)]
- [ValidateSet('Capability', 'Feature')]
- [System.String]$Type,
- [parameter(Mandatory = $true, ParameterSetName = 'Capability')]
- [System.String]$CapabilityName,
- [parameter(Mandatory = $true, ParameterSetName = 'Feature')]
- [System.String]$FeatureName,
- [parameter(Mandatory = $true, ParameterSetName = 'Feature')]
- [ValidateSet('Enabling', 'Disabling')]
- [System.String]$FeatureAction
- )
- switch ($Type) {
- 'Feature' {
- if ($FeatureAction -eq 'Enabling') {
- $ActionCheck = 'disabled'
- $ActionOutput = 'enabled'
- }
- else {
- $ActionCheck = 'enabled'
- $ActionOutput = 'disabled'
- }
- Write-SmartText -CustomColor Lavender -GenericColor Yellow -InputText "`n$FeatureAction $FeatureName"
- if ((Get-WindowsOptionalFeature -Online -FeatureName $FeatureName).state -eq $ActionCheck) {
- try {
- if ($FeatureAction -eq 'Enabling') {
- Enable-WindowsOptionalFeature -Online -FeatureName $FeatureName -All -NoRestart -ErrorAction Stop
- }
- else {
- Disable-WindowsOptionalFeature -Online -FeatureName $FeatureName -NoRestart -ErrorAction Stop
- }
- # Shows the successful message only if the process was successful
- Write-SmartText -GenericColor Green -CustomColor NeonGreen -InputText "$FeatureName was successfully $ActionOutput"
- }
- catch {
- # show errors in non-terminating way
- $_
- }
- }
- else {
- Write-SmartText -GenericColor Green -CustomColor NeonGreen -InputText "$FeatureName is already $ActionOutput"
- }
- break
- }
- 'Capability' {
- Write-SmartText -CustomColor Lavender -GenericColor Yellow -InputText "`nRemoving $CapabilityName"
- if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like "*$CapabilityName*" }).state -ne 'NotPresent') {
- try {
- Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like "*$CapabilityName*" } | Remove-WindowsCapability -Online -ErrorAction Stop
- # Shows the successful message only if the process was successful
- Write-SmartText -GenericColor Green -CustomColor NeonGreen -InputText "$CapabilityName was successfully removed."
- }
- catch {
- # show errors in non-terminating way
- $_
- }
- }
- else {
- Write-SmartText -GenericColor Green -CustomColor NeonGreen -InputText "$CapabilityName is already removed."
- }
- break
- }
- }
- }
+
Edit-Addons -Type Feature -FeatureAction Disabling -FeatureName 'MicrosoftWindowsPowerShellV2'
Edit-Addons -Type Feature -FeatureAction Disabling -FeatureName 'MicrosoftWindowsPowerShellV2Root'
Edit-Addons -Type Feature -FeatureAction Disabling -FeatureName 'WorkFolders-Client'
diff --git a/Harden-Windows-Security.ps1 b/Harden-Windows-Security.ps1
index 1ef42e8f8..db35f3e1f 100644
--- a/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security.ps1
@@ -1,6 +1,6 @@
<#PSScriptInfo
-.VERSION 2023.11.23
+.VERSION 2023.12.15
.GUID d435a293-c9ee-4217-8dc1-4ad2318a5770
@@ -98,7 +98,7 @@ $Host.UI.RawUI.WindowTitle = '❤️🔥Harden Windows Security❤️🔥'
# Defining script variables
# Current script's version, the same as the version at the top in the script info section
-[System.DateTime]$CurrentVersion = '2023.11.23'
+[System.DateTime]$CurrentVersion = '2023.12.15'
# Minimum OS build number required for the hardening measures used in this script
[System.Decimal]$Requiredbuild = '22621.2428'
# Fetching Temp Directory
@@ -617,6 +617,80 @@ function Block-CountryIP {
New-NetFirewallRule -DisplayName "$ListName IP range blocking" -Direction Inbound -Action Block -LocalAddress Any -RemoteAddress $IPList -Description "$ListName IP range blocking" -EdgeTraversalPolicy Block -PolicyStore localhost
New-NetFirewallRule -DisplayName "$ListName IP range blocking" -Direction Outbound -Action Block -LocalAddress Any -RemoteAddress $IPList -Description "$ListName IP range blocking" -EdgeTraversalPolicy Block -PolicyStore localhost
}
+function Edit-Addons {
+ <#
+ .SYNOPSIS
+ A function to enable or disable Windows features and capabilities.
+ .INPUTS
+ System.String
+ .OUTPUTS
+ System.String
+ #>
+ param (
+ [CmdletBinding()]
+ [parameter(Mandatory = $true)]
+ [ValidateSet('Capability', 'Feature')]
+ [System.String]$Type,
+ [parameter(Mandatory = $true, ParameterSetName = 'Capability')]
+ [System.String]$CapabilityName,
+ [parameter(Mandatory = $true, ParameterSetName = 'Feature')]
+ [System.String]$FeatureName,
+ [parameter(Mandatory = $true, ParameterSetName = 'Feature')]
+ [ValidateSet('Enabling', 'Disabling')]
+ [System.String]$FeatureAction
+ )
+ switch ($Type) {
+ 'Feature' {
+ if ($FeatureAction -eq 'Enabling') {
+ $ActionCheck = 'disabled'
+ $ActionOutput = 'enabled'
+ }
+ else {
+ $ActionCheck = 'enabled'
+ $ActionOutput = 'disabled'
+ }
+ Write-SmartText -CustomColor Lavender -GenericColor Yellow -InputText "`n$FeatureAction $FeatureName"
+ if ((Get-WindowsOptionalFeature -Online -FeatureName $FeatureName).state -eq $ActionCheck) {
+ try {
+ if ($FeatureAction -eq 'Enabling') {
+ Enable-WindowsOptionalFeature -Online -FeatureName $FeatureName -All -NoRestart -ErrorAction Stop
+ }
+ else {
+ Disable-WindowsOptionalFeature -Online -FeatureName $FeatureName -NoRestart -ErrorAction Stop
+ }
+ # Shows the successful message only if the process was successful
+ Write-SmartText -GenericColor Green -CustomColor NeonGreen -InputText "$FeatureName was successfully $ActionOutput"
+ }
+ catch {
+ # show errors in non-terminating way
+ $_
+ }
+ }
+ else {
+ Write-SmartText -GenericColor Green -CustomColor NeonGreen -InputText "$FeatureName is already $ActionOutput"
+ }
+ break
+ }
+ 'Capability' {
+ Write-SmartText -CustomColor Lavender -GenericColor Yellow -InputText "`nRemoving $CapabilityName"
+ if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like "*$CapabilityName*" }).state -ne 'NotPresent') {
+ try {
+ Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like "*$CapabilityName*" } | Remove-WindowsCapability -Online -ErrorAction Stop
+ # Shows the successful message only if the process was successful
+ Write-SmartText -GenericColor Green -CustomColor NeonGreen -InputText "$CapabilityName was successfully removed."
+ }
+ catch {
+ # show errors in non-terminating way
+ $_
+ }
+ }
+ else {
+ Write-SmartText -GenericColor Green -CustomColor NeonGreen -InputText "$CapabilityName is already removed."
+ }
+ break
+ }
+ }
+}
#endregion functions
if (Test-IsAdmin) {
@@ -1850,7 +1924,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Progress -Id 2 -ParentId 0 -Activity 'Lock Screen' -Status "Applying the Don't display last signed-in policy" -PercentComplete 50
.\LGPO.exe /q /s "..\Security-Baselines-X\Lock Screen Policies\Don't display last signed-in\GptTmpl.inf"
-
+
Write-Progress -Id 2 -Activity "Applying the Don't display last signed-in policy" -Completed
} 'No' { break }
'Exit' { &$CleanUp }
@@ -1862,11 +1936,11 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Progress -Id 3 -ParentId 0 -Activity 'Lock Screen' -Status "Applying the Don't display last signed-in policy" -PercentComplete 50
.\LGPO.exe /q /s '..\Security-Baselines-X\Lock Screen Policies\Enable CTRL + ALT + DEL\GptTmpl.inf'
-
+
Write-Progress -Id 3 -Activity "Applying the Don't display last signed-in policy" -Completed
} 'No' { break }
'Exit' { &$CleanUp }
- }
+ }
} 'No' { break }
'Exit' { &$CleanUp }
}
@@ -1950,80 +2024,7 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
# PowerShell Core (only if installed from Microsoft Store) has problem with these commands: https://github.com/PowerShell/PowerShell/issues/13866#issuecomment-1519066710
Import-Module -Name 'DISM' -UseWindowsPowerShell -Force -WarningAction SilentlyContinue
- function Edit-Addons {
- <#
- .SYNOPSIS
- A function to enable or disable Windows features and capabilities.
- .INPUTS
- System.String
- .OUTPUTS
- System.String
- #>
- param (
- [CmdletBinding()]
- [parameter(Mandatory = $true)]
- [ValidateSet('Capability', 'Feature')]
- [System.String]$Type,
- [parameter(Mandatory = $true, ParameterSetName = 'Capability')]
- [System.String]$CapabilityName,
- [parameter(Mandatory = $true, ParameterSetName = 'Feature')]
- [System.String]$FeatureName,
- [parameter(Mandatory = $true, ParameterSetName = 'Feature')]
- [ValidateSet('Enabling', 'Disabling')]
- [System.String]$FeatureAction
- )
- switch ($Type) {
- 'Feature' {
- if ($FeatureAction -eq 'Enabling') {
- $ActionCheck = 'disabled'
- $ActionOutput = 'enabled'
- }
- else {
- $ActionCheck = 'enabled'
- $ActionOutput = 'disabled'
- }
- Write-SmartText -CustomColor Lavender -GenericColor Yellow -InputText "`n$FeatureAction $FeatureName"
- if ((Get-WindowsOptionalFeature -Online -FeatureName $FeatureName).state -eq $ActionCheck) {
- try {
- if ($FeatureAction -eq 'Enabling') {
- Enable-WindowsOptionalFeature -Online -FeatureName $FeatureName -All -NoRestart -ErrorAction Stop
- }
- else {
- Disable-WindowsOptionalFeature -Online -FeatureName $FeatureName -NoRestart -ErrorAction Stop
- }
- # Shows the successful message only if the process was successful
- Write-SmartText -GenericColor Green -CustomColor NeonGreen -InputText "$FeatureName was successfully $ActionOutput"
- }
- catch {
- # show errors in non-terminating way
- $_
- }
- }
- else {
- Write-SmartText -GenericColor Green -CustomColor NeonGreen -InputText "$FeatureName is already $ActionOutput"
- }
- break
- }
- 'Capability' {
- Write-SmartText -CustomColor Lavender -GenericColor Yellow -InputText "`nRemoving $CapabilityName"
- if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like "*$CapabilityName*" }).state -ne 'NotPresent') {
- try {
- Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like "*$CapabilityName*" } | Remove-WindowsCapability -Online -ErrorAction Stop
- # Shows the successful message only if the process was successful
- Write-SmartText -GenericColor Green -CustomColor NeonGreen -InputText "$CapabilityName was successfully removed."
- }
- catch {
- # show errors in non-terminating way
- $_
- }
- }
- else {
- Write-SmartText -GenericColor Green -CustomColor NeonGreen -InputText "$CapabilityName is already removed."
- }
- break
- }
- }
- }
+
Edit-Addons -Type Feature -FeatureAction Disabling -FeatureName 'MicrosoftWindowsPowerShellV2'
Edit-Addons -Type Feature -FeatureAction Disabling -FeatureName 'MicrosoftWindowsPowerShellV2Root'
Edit-Addons -Type Feature -FeatureAction Disabling -FeatureName 'WorkFolders-Client'
diff --git a/Version.txt b/Version.txt
index 4dbc9faf8..897f1599f 100644
--- a/Version.txt
+++ b/Version.txt
@@ -1 +1 @@
-2023.11.23
\ No newline at end of file
+2023.12.15
\ No newline at end of file
From 3475fcd003c5bac3f85d91ba21f345b167288454 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Fri, 15 Dec 2023 00:32:10 -0930
Subject: [PATCH 61/79] Removed unnecessary trailing whitespaces
---
.github/ISSUE_TEMPLATE/Bug_Report.yaml | 8 ++++----
.github/ISSUE_TEMPLATE/Security_Measure_Suggestion.yaml | 6 +++---
.github/workflows/VirusTotal.yml | 2 +-
Payload/ProcessMitigations.csv | 2 +-
Payload/Registry.csv | 2 +-
Rationale.md | 2 +-
6 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/.github/ISSUE_TEMPLATE/Bug_Report.yaml b/.github/ISSUE_TEMPLATE/Bug_Report.yaml
index dac5ec249..1552d3f02 100644
--- a/.github/ISSUE_TEMPLATE/Bug_Report.yaml
+++ b/.github/ISSUE_TEMPLATE/Bug_Report.yaml
@@ -8,18 +8,18 @@ body:
- type: markdown
attributes:
value: |
- Thanks for taking the time to fill out this bug report!
+ Thanks for taking the time to fill out this bug report!
- type: dropdown
id: version
attributes:
label: Tools category
description: Which category/tool does this bug belong to?
- options:
+ options:
- Harden Windows Security Module
- WDACConfig Module
- Harden Windows Security Script
validations:
- required: true
+ required: true
- type: checkboxes
id: Requirements
attributes:
@@ -43,4 +43,4 @@ body:
description: Please explain the bug and be as detailed as possible. 🙏
placeholder: "There is a problem with..."
validations:
- required: true
+ required: true
diff --git a/.github/ISSUE_TEMPLATE/Security_Measure_Suggestion.yaml b/.github/ISSUE_TEMPLATE/Security_Measure_Suggestion.yaml
index 0972b9c85..5337216f7 100644
--- a/.github/ISSUE_TEMPLATE/Security_Measure_Suggestion.yaml
+++ b/.github/ISSUE_TEMPLATE/Security_Measure_Suggestion.yaml
@@ -9,7 +9,7 @@ body:
- type: markdown
attributes:
value: |
- Thanks for taking the time to suggest a new Security measure!
+ Thanks for taking the time to suggest a new Security measure!
- type: checkboxes
id: Not-Duplicate
attributes:
@@ -25,5 +25,5 @@ body:
description: Please explain your new Security measure suggestion and be as detailed as possible. 🙏
placeholder: "I want to suggest..."
validations:
- required: true
-
+ required: true
+
diff --git a/.github/workflows/VirusTotal.yml b/.github/workflows/VirusTotal.yml
index 20d7d4b15..1663a2948 100644
--- a/.github/workflows/VirusTotal.yml
+++ b/.github/workflows/VirusTotal.yml
@@ -19,5 +19,5 @@ jobs:
VTAPIsecret: ${{ secrets.VTAPI }}
shell: pwsh
run: |
-
+
./.github/Workflowstuff/VirusTotal
diff --git a/Payload/ProcessMitigations.csv b/Payload/ProcessMitigations.csv
index a170060fc..dc17ec7bd 100644
--- a/Payload/ProcessMitigations.csv
+++ b/Payload/ProcessMitigations.csv
@@ -36,7 +36,7 @@ QuickAssist.exe,EnableRopCallerCheck,Enable,Quick Assist - a mitigation for retu
QuickAssist.exe,UserShadowStack,Enable,Quick Assist - user-mode Hardware-enforced Stack Protection is enabled for the process in compatibility mode. This means that the CPU verifies function return addresses at runtime by employing a shadow stack mechanism if supported by the hardware. In compatibility mode only shadow stack violations occurring in modules that are considered compatible with shadow stacks (CETCOMPAT) are fatal. For a module to be considered CETCOMPAT it needs to be either compiled with CETCOMPAT for binaries or marked using SetProcessDynamicEnforcedCetCompatibleRanges for dynamic code.
QuickAssist.exe,UserShadowStackStrictMode,Enable,Quick Assist - All shadow stack violations are fatal - No compatibility mode - See https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-process_mitigation_user_shadow_stack_policy
Acrobat.exe,ForceRelocateImages,Enable,Adobe Acrobat - Enabled by default system-wide
-Acrobat.exe,RequireInfo,Enable,Adobe Acrobat - This option blocks the loading of images that have had relocation information stripped. Some older applications strip out this information in production builds and therefore these binaries can't be rebased.
+Acrobat.exe,RequireInfo,Enable,Adobe Acrobat - This option blocks the loading of images that have had relocation information stripped. Some older applications strip out this information in production builds and therefore these binaries can't be rebased.
Acrobat.exe,StrictHandle,Enable,Adobe Acrobat - A mitigation that helps protect against an attacker using an existing handle to access a protected object.
Acrobat.exe,EnforceModuleDependencySigning,Enable,Adobe Acrobat - helps protect against attacks that attempt to substitute code for dlls that are statically linked by Windows binaries.
Acrobat.exe,DisableNonSystemFonts,Enable,Adobe Acrobat - Only fonts that are installed into the windows\fonts directory will be loaded for processing by GDI.
diff --git a/Payload/Registry.csv b/Payload/Registry.csv
index 3a0d8282d..b0f9b4f0a 100644
--- a/Payload/Registry.csv
+++ b/Payload/Registry.csv
@@ -58,4 +58,4 @@ NonAdmin,HKCU:\Software\Microsoft\Clipboard,EnableCloudClipboard,1,DWORD,AddOrMo
NonAdmin,HKCU:\Software\Microsoft\Input\Settings,EnableHwkbTextPrediction,1,DWORD,AddOrModify,turn on Show text suggestions when typing on the physical keyboard for the current user toggles the option in Windows settings
NonAdmin,HKCU:\Software\Microsoft\Input\Settings,MultilingualEnabled,1,DWORD,AddOrModify,turn on Multilingual text suggestions for the current user toggles the option in Windows settings
NonAdmin,HKCU:\Control Panel\Accessibility\StickyKeys,Flags,506,String,AddOrModify,turn off sticky key shortcut of pressing shift key 5 time fast
-NonAdmin,HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings,NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK,0,DWORD,AddOrModify,Disables show reminders and incoming VoIP calls on the lock screen in Settings > System > Notifications
\ No newline at end of file
+NonAdmin,HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings,NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK,0,DWORD,AddOrModify,Disables show reminders and incoming VoIP calls on the lock screen in Settings > System > Notifications
\ No newline at end of file
diff --git a/Rationale.md b/Rationale.md
index 8d9992358..20209cdba 100644
--- a/Rationale.md
+++ b/Rationale.md
@@ -154,7 +154,7 @@ Make sure to use Surface products that support [Device Firmware Configuration In
* Use [Strict Kernel-mode WDAC policy for complete BYOVD protection](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-policy-for-BYOVD-Kernel-mode-only-protection)
-<br>
+<br>
<p align="center">
<b>YOUTUBE VIDEO: How to easily protect against BYOVD attack scenarios with WDAC policy in Windows</b><br><br>
From dec7620d9c4c8600f3e7afd339e679d2fa994089 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Fri, 15 Dec 2023 00:34:08 -0930
Subject: [PATCH 62/79] typo fix
---
Rationale.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Rationale.md b/Rationale.md
index 20209cdba..ab346295a 100644
--- a/Rationale.md
+++ b/Rationale.md
@@ -1,4 +1,4 @@
-# <img width="40" src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/PNGs/585563111520600091.png" alt="Emoji of a Windows eatting moomoo"> Rationale
+# <img width="40" src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/PNGs/585563111520600091.png" alt="Emoji of a Windows eating moomoo"> Rationale
This document provides the justification and objective of this GitHub repository and its contents. It outlines how it addresses various threats and how to adjust your expectations for different scenarios and environments. It also supplies additional resources.
@@ -200,7 +200,7 @@ How to properly perform a pentest and benchmark a system hardened by this reposi
> [!IMPORTANT]\
> **Always Pay attention to the [Microsoft Security Servicing Criteria for Windows](https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria), specially the Security boundaries.** There is no security boundary between Administrator to Kernel.
>
-> Some penetration testers overlook this fact, assuming it is a vulnerability that they can perform administrative tasks such as disabling security features as Administrator. This is an expected behaviour. Administrators have the power to control the security of a device and can disable security features at their discretion. This is why you need to use a Standard user account when performing a realistic penetration test.
+> Some penetration testers overlook this fact, assuming it is a vulnerability that they can perform administrative tasks such as disabling security features as Administrator. This is an expected behavior. Administrators have the power to control the security of a device and can disable security features at their discretion. This is why you need to use a Standard user account when performing a realistic penetration test.
>
> Another aspect to consider is the ambiguity in the word "Admin". There are at least two distinct types of Admins: Local Admin and Cloud Admin. For instance, when you are penetration testing a system that leverages enterprise cloud security solution such as Microsoft Defender for Endpoint (MDE), Admin access should be regarded as Cloud Admin since those devices use Microsoft Entra ID and lack Local Admin. In this situation, Cloud Admin can effortlessly disable security features as expected, rendering a pentest using Local Admin access utterly pointless. Conversely, when pentesting a system that only relies on personal security features such as Microsoft Defender, then Admin should be treated as Local Admin. In this case, the Admin can also disable any security feature for the same reasons stated above.
>
From 12f4522b9f50905530bf76617b08c7af526b7d2b Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Fri, 15 Dec 2023 00:44:05 -0930
Subject: [PATCH 63/79] Removed untrusted font blocking from the readme
---
README.md | 2 --
1 file changed, 2 deletions(-)
diff --git a/README.md b/README.md
index 3688c481c..96ba822c4 100644
--- a/README.md
+++ b/README.md
@@ -822,8 +822,6 @@ NistP384
- <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/magenta-verification.gif" width="25" alt="Rotating pink checkmark denoting registry or cmdlet"> Enables **WinVerifyTrust Signature Validation**, [a security feature related to WinVerifyTrust function that handles Windows Authenticode signature verification for portable executable (PE) files.](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900)
-- <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif" width="25" alt="Blue Check mark denoting Group Policy"> <img src="https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/200iq.gif" width="35" alt="Requires Additional Confirmation"> [Blocking Untrusted Fonts](https://learn.microsoft.com/en-us/windows/security/threat-protection/block-untrusted-fonts-in-enterprise) <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif" width="15" alt="Rotating green checkmark denoting CSP"> [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-grouppolicy#fontmitigation)
-
- <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif" width="25" alt="Blue Check mark denoting Group Policy"> Enables [Command line process auditing](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing) <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif" width="15" alt="Rotating green checkmark denoting CSP"> [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-auditsettings#includecmdline)
- <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif" width="25" alt="Blue Check mark denoting Group Policy"> Enables the RPC Endpoint Mapper Client Authentication policy <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif" width="15" alt="Rotating green checkmark denoting CSP"> [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-remoteprocedurecall#rpcendpointmapperclientauthentication)
From 4a44b8ecae1d80c9c721ec14e1ae6f427941c9db Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Fri, 15 Dec 2023 01:24:32 -0930
Subject: [PATCH 64/79] Updated readme regarding CTRL + ALT + DEL policy
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 96ba822c4..1d8218195 100644
--- a/README.md
+++ b/README.md
@@ -590,7 +590,7 @@ NistP384
- <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif" width="25" alt="Blue Check mark denoting Group Policy"> [Automatically locks device after X seconds of inactivity](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit) (just like mobile phones), which is set to 120 seconds (2 minutes) in this module, you can change that to any value you like. <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif" width="15" alt="Rotating green checkmark denoting CSP"> [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#interactivelogon_machineinactivitylimit)
-- <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif" width="25" alt="Blue Check mark denoting Group Policy"> [Requires **CTRL+ALT+DEL** on the lock screen](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del), kernel protected set of key strokes. The reason and logic behind it is: <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif" width="15" alt="Rotating green checkmark denoting CSP"> [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#interactivelogon_donotrequirectrlaltdel)
+- <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif" width="25" alt="Blue Check mark denoting Group Policy"> <img src="https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/200iq.gif" width="35" alt="Requires Additional Confirmation"> [Requires **CTRL+ALT+DEL** on the lock screen](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del), kernel protected set of key strokes. The reason and logic behind it is: <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif" width="15" alt="Rotating green checkmark denoting CSP"> [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#interactivelogon_donotrequirectrlaltdel)
- A malicious user might install malware that looks like the standard sign-in dialog box for the Windows operating system and capture a user's password. The attacker can then sign into the compromised account with whatever level of user rights that user has.
From e70b56b6e00a409a32b4e5778c636ecb3875f00c Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Fri, 15 Dec 2023 01:41:58 -0930
Subject: [PATCH 65/79] Changed SecreString alias to its full type name
---
.../Resources/Harden-Windows-Security.ps1 | 28 +++++++++----------
Harden-Windows-Security.ps1 | 28 +++++++++----------
2 files changed, 28 insertions(+), 28 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
index 796db5a09..45a5b83b0 100644
--- a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
@@ -260,8 +260,8 @@ function Compare-SecureString {
#>
[CmdletBinding()]
param(
- [Security.SecureString]$SecureString1,
- [Security.SecureString]$SecureString2
+ [System.Security.SecureString]$SecureString1,
+ [System.Security.SecureString]$SecureString2
)
try {
$Bstr1 = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureString1)
@@ -1395,14 +1395,14 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object "`nTPM and Start up PIN are missing, adding them now..." -ForegroundColor Cyan
do {
- [securestring]$Pin1 = $(Write-SmartText -C PinkBold -G Magenta -I "`nEnter a Pin for Bitlocker startup (between 10 to 20 characters)"; Read-Host -AsSecureString)
- [securestring]$Pin2 = $(Write-SmartText -C PinkBold -G Magenta -I 'Confirm your Bitlocker Startup Pin (between 10 to 20 characters)'; Read-Host -AsSecureString)
+ [System.Security.SecureString]$Pin1 = $(Write-SmartText -C PinkBold -G Magenta -I "`nEnter a Pin for Bitlocker startup (between 10 to 20 characters)"; Read-Host -AsSecureString)
+ [System.Security.SecureString]$Pin2 = $(Write-SmartText -C PinkBold -G Magenta -I 'Confirm your Bitlocker Startup Pin (between 10 to 20 characters)'; Read-Host -AsSecureString)
# Compare the PINs and make sure they match
[System.Boolean]$TheyMatch = Compare-SecureString -SecureString1 $Pin1 -SecureString2 $Pin2
# If the PINs match and they are at least 10 characters long, max 20 characters
if ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) ) {
- [securestring]$Pin = $Pin1
+ [System.Security.SecureString]$Pin = $Pin1
}
else { Write-Host -Object 'Please ensure that the PINs you entered match, and that they are between 10 to 20 characters.' -ForegroundColor red }
}
@@ -1436,13 +1436,13 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
else {
Write-Host -Object "`nBitlocker is not enabled for the OS Drive, activating it now..." -ForegroundColor Yellow
do {
- [securestring]$Pin1 = $(Write-SmartText -C PinkBold -G Magenta -I 'Enter a Pin for Bitlocker startup (between 10 to 20 characters)'; Read-Host -AsSecureString)
- [securestring]$Pin2 = $(Write-SmartText -C PinkBold -G Magenta -I 'Confirm your Bitlocker Startup Pin (between 10 to 20 characters)'; Read-Host -AsSecureString)
+ [System.Security.SecureString]$Pin1 = $(Write-SmartText -C PinkBold -G Magenta -I 'Enter a Pin for Bitlocker startup (between 10 to 20 characters)'; Read-Host -AsSecureString)
+ [System.Security.SecureString]$Pin2 = $(Write-SmartText -C PinkBold -G Magenta -I 'Confirm your Bitlocker Startup Pin (between 10 to 20 characters)'; Read-Host -AsSecureString)
[System.Boolean]$TheyMatch = Compare-SecureString -SecureString1 $Pin1 -SecureString2 $Pin2
if ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) ) {
- [securestring]$Pin = $Pin1
+ [System.Security.SecureString]$Pin = $Pin1
}
else { Write-Host -Object 'Please ensure that the PINs you entered match, and that they are between 10 to 20 characters.' -ForegroundColor red }
}
@@ -1536,14 +1536,14 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
do {
- [securestring]$Pin1 = $(Write-SmartText -C PinkBold -G Magenta -I "`nEnter a Pin for Bitlocker startup (between 10 to 20 characters)"; Read-Host -AsSecureString)
- [securestring]$Pin2 = $(Write-SmartText -C PinkBold -G Magenta -I 'Confirm your Bitlocker Startup Pin (between 10 to 20 characters)'; Read-Host -AsSecureString)
+ [System.Security.SecureString]$Pin1 = $(Write-SmartText -C PinkBold -G Magenta -I "`nEnter a Pin for Bitlocker startup (between 10 to 20 characters)"; Read-Host -AsSecureString)
+ [System.Security.SecureString]$Pin2 = $(Write-SmartText -C PinkBold -G Magenta -I 'Confirm your Bitlocker Startup Pin (between 10 to 20 characters)'; Read-Host -AsSecureString)
# Compare the PINs and make sure they match
[System.Boolean]$TheyMatch = Compare-SecureString -SecureString1 $Pin1 -SecureString2 $Pin2
# If the PINs match and they are at least 10 characters long, max 20 characters
if ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) ) {
- [securestring]$Pin = $Pin1
+ [System.Security.SecureString]$Pin = $Pin1
}
else { Write-Host -Object 'Please ensure that the PINs you entered match, and that they are between 10 to 20 characters.' -ForegroundColor red }
}
@@ -1579,14 +1579,14 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object "`nBitlocker is not enabled for the OS Drive, activating it now..." -ForegroundColor Yellow
do {
- [securestring]$Pin1 = $(Write-SmartText -C PinkBold -G Magenta -I "`nEnter a Pin for Bitlocker startup (between 10 to 20 characters)"; Read-Host -AsSecureString)
- [securestring]$Pin2 = $(Write-SmartText -C PinkBold -G Magenta -I 'Confirm your Bitlocker Startup Pin (between 10 to 20 characters)'; Read-Host -AsSecureString)
+ [System.Security.SecureString]$Pin1 = $(Write-SmartText -C PinkBold -G Magenta -I "`nEnter a Pin for Bitlocker startup (between 10 to 20 characters)"; Read-Host -AsSecureString)
+ [System.Security.SecureString]$Pin2 = $(Write-SmartText -C PinkBold -G Magenta -I 'Confirm your Bitlocker Startup Pin (between 10 to 20 characters)'; Read-Host -AsSecureString)
# Compare the PINs and make sure they match
[System.Boolean]$TheyMatch = Compare-SecureString -SecureString1 $Pin1 -SecureString2 $Pin2
# If the PINs match and they are at least 10 characters long, max 20 characters
if ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) ) {
- [securestring]$Pin = $Pin1
+ [System.Security.SecureString]$Pin = $Pin1
}
else { Write-Host -Object 'Please ensure that the PINs you entered match, and that they are between 10 to 20 characters.' -ForegroundColor red }
}
diff --git a/Harden-Windows-Security.ps1 b/Harden-Windows-Security.ps1
index db35f3e1f..3b820ebf9 100644
--- a/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security.ps1
@@ -260,8 +260,8 @@ function Compare-SecureString {
#>
[CmdletBinding()]
param(
- [Security.SecureString]$SecureString1,
- [Security.SecureString]$SecureString2
+ [System.Security.SecureString]$SecureString1,
+ [System.Security.SecureString]$SecureString2
)
try {
$Bstr1 = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureString1)
@@ -1395,14 +1395,14 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object "`nTPM and Start up PIN are missing, adding them now..." -ForegroundColor Cyan
do {
- [securestring]$Pin1 = $(Write-SmartText -C PinkBold -G Magenta -I "`nEnter a Pin for Bitlocker startup (between 10 to 20 characters)"; Read-Host -AsSecureString)
- [securestring]$Pin2 = $(Write-SmartText -C PinkBold -G Magenta -I 'Confirm your Bitlocker Startup Pin (between 10 to 20 characters)'; Read-Host -AsSecureString)
+ [System.Security.SecureString]$Pin1 = $(Write-SmartText -C PinkBold -G Magenta -I "`nEnter a Pin for Bitlocker startup (between 10 to 20 characters)"; Read-Host -AsSecureString)
+ [System.Security.SecureString]$Pin2 = $(Write-SmartText -C PinkBold -G Magenta -I 'Confirm your Bitlocker Startup Pin (between 10 to 20 characters)'; Read-Host -AsSecureString)
# Compare the PINs and make sure they match
[System.Boolean]$TheyMatch = Compare-SecureString -SecureString1 $Pin1 -SecureString2 $Pin2
# If the PINs match and they are at least 10 characters long, max 20 characters
if ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) ) {
- [securestring]$Pin = $Pin1
+ [System.Security.SecureString]$Pin = $Pin1
}
else { Write-Host -Object 'Please ensure that the PINs you entered match, and that they are between 10 to 20 characters.' -ForegroundColor red }
}
@@ -1436,13 +1436,13 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
else {
Write-Host -Object "`nBitlocker is not enabled for the OS Drive, activating it now..." -ForegroundColor Yellow
do {
- [securestring]$Pin1 = $(Write-SmartText -C PinkBold -G Magenta -I 'Enter a Pin for Bitlocker startup (between 10 to 20 characters)'; Read-Host -AsSecureString)
- [securestring]$Pin2 = $(Write-SmartText -C PinkBold -G Magenta -I 'Confirm your Bitlocker Startup Pin (between 10 to 20 characters)'; Read-Host -AsSecureString)
+ [System.Security.SecureString]$Pin1 = $(Write-SmartText -C PinkBold -G Magenta -I 'Enter a Pin for Bitlocker startup (between 10 to 20 characters)'; Read-Host -AsSecureString)
+ [System.Security.SecureString]$Pin2 = $(Write-SmartText -C PinkBold -G Magenta -I 'Confirm your Bitlocker Startup Pin (between 10 to 20 characters)'; Read-Host -AsSecureString)
[System.Boolean]$TheyMatch = Compare-SecureString -SecureString1 $Pin1 -SecureString2 $Pin2
if ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) ) {
- [securestring]$Pin = $Pin1
+ [System.Security.SecureString]$Pin = $Pin1
}
else { Write-Host -Object 'Please ensure that the PINs you entered match, and that they are between 10 to 20 characters.' -ForegroundColor red }
}
@@ -1536,14 +1536,14 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
}
do {
- [securestring]$Pin1 = $(Write-SmartText -C PinkBold -G Magenta -I "`nEnter a Pin for Bitlocker startup (between 10 to 20 characters)"; Read-Host -AsSecureString)
- [securestring]$Pin2 = $(Write-SmartText -C PinkBold -G Magenta -I 'Confirm your Bitlocker Startup Pin (between 10 to 20 characters)'; Read-Host -AsSecureString)
+ [System.Security.SecureString]$Pin1 = $(Write-SmartText -C PinkBold -G Magenta -I "`nEnter a Pin for Bitlocker startup (between 10 to 20 characters)"; Read-Host -AsSecureString)
+ [System.Security.SecureString]$Pin2 = $(Write-SmartText -C PinkBold -G Magenta -I 'Confirm your Bitlocker Startup Pin (between 10 to 20 characters)'; Read-Host -AsSecureString)
# Compare the PINs and make sure they match
[System.Boolean]$TheyMatch = Compare-SecureString -SecureString1 $Pin1 -SecureString2 $Pin2
# If the PINs match and they are at least 10 characters long, max 20 characters
if ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) ) {
- [securestring]$Pin = $Pin1
+ [System.Security.SecureString]$Pin = $Pin1
}
else { Write-Host -Object 'Please ensure that the PINs you entered match, and that they are between 10 to 20 characters.' -ForegroundColor red }
}
@@ -1579,14 +1579,14 @@ IMPORTANT: Make sure to keep it in a safe place, e.g., in OneDrive's Personal Va
Write-Host -Object "`nBitlocker is not enabled for the OS Drive, activating it now..." -ForegroundColor Yellow
do {
- [securestring]$Pin1 = $(Write-SmartText -C PinkBold -G Magenta -I "`nEnter a Pin for Bitlocker startup (between 10 to 20 characters)"; Read-Host -AsSecureString)
- [securestring]$Pin2 = $(Write-SmartText -C PinkBold -G Magenta -I 'Confirm your Bitlocker Startup Pin (between 10 to 20 characters)'; Read-Host -AsSecureString)
+ [System.Security.SecureString]$Pin1 = $(Write-SmartText -C PinkBold -G Magenta -I "`nEnter a Pin for Bitlocker startup (between 10 to 20 characters)"; Read-Host -AsSecureString)
+ [System.Security.SecureString]$Pin2 = $(Write-SmartText -C PinkBold -G Magenta -I 'Confirm your Bitlocker Startup Pin (between 10 to 20 characters)'; Read-Host -AsSecureString)
# Compare the PINs and make sure they match
[System.Boolean]$TheyMatch = Compare-SecureString -SecureString1 $Pin1 -SecureString2 $Pin2
# If the PINs match and they are at least 10 characters long, max 20 characters
if ( $TheyMatch -and ($Pin1.Length -in 10..20) -and ($Pin2.Length -in 10..20) ) {
- [securestring]$Pin = $Pin1
+ [System.Security.SecureString]$Pin = $Pin1
}
else { Write-Host -Object 'Please ensure that the PINs you entered match, and that they are between 10 to 20 characters.' -ForegroundColor red }
}
From 3664a19481ff7e3242f16b4259bf342e331fe8a4 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Fri, 15 Dec 2023 02:41:27 -0930
Subject: [PATCH 66/79] Added CSP link to Enhanced mode search policy
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 1d8218195..52ef3f5b6 100644
--- a/README.md
+++ b/README.md
@@ -777,7 +777,7 @@ NistP384
- Requires Business Windows licenses. e.g., [Windows 11 pro for Workstations](https://www.microsoft.com/en-us/windows/business/windows-11-pro-workstations), [Enterprise](https://www.microsoft.com/en-us/microsoft-365/windows/windows-11-enterprise) or [Education](https://www.microsoft.com/en-us/education/products/windows).
-- <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/magenta-verification.gif" width="25" alt="Rotating pink checkmark denoting registry or cmdlet"> Turns on Enhanced mode search for Windows indexer. the default is classic mode.
+- <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/magenta-verification.gif" width="25" alt="Rotating pink checkmark denoting registry or cmdlet"> Turns on Enhanced mode search for Windows indexer. The default is classic mode. <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif" width="15" alt="Rotating green checkmark denoting CSP"> [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#allowfindmyfiles)
- This causes some UI elements in the search settings in Windows settings to become unavailable for Standard user accounts to view, because it will be a managed feature by an Administrator.
- <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif" width="25" alt="Blue Check mark denoting Group Policy"> [Enforce the Administrator role for adding printer drivers](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers) <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif" width="15" alt="Rotating green checkmark denoting CSP"> [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#devices_preventusersfrominstallingprinterdriverswhenconnectingtosharedprinters)
From 417388db11736a5de947ddb744f4d296ca0ad4f9 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Fri, 15 Dec 2023 02:44:50 -0930
Subject: [PATCH 67/79] Added CSP link for Windows time sync interval policy
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 52ef3f5b6..673ae1d96 100644
--- a/README.md
+++ b/README.md
@@ -790,7 +790,7 @@ NistP384
- <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/magenta-verification.gif" width="25" alt="Rotating pink checkmark denoting registry or cmdlet"> [Enables all Windows users to use Hyper-V and Windows Sandbox](https://learn.microsoft.com/en-us/archive/blogs/virtual_pc_guy/why-do-you-have-to-elevate-powershell-to-use-hyper-v-cmdlets) by adding all Windows users to the "Hyper-V Administrators" security group using its [SID](https://learn.microsoft.com/en-us/windows/win32/secauthz/well-known-sids). By default, only Administrators can use Hyper-V or Windows Sandbox.
-- <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/magenta-verification.gif" width="25" alt="Rotating pink checkmark denoting registry or cmdlet"> Changes Windows time sync interval from the default every 7 days to every 4 days (= every 345600 seconds)
+- <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/magenta-verification.gif" width="25" alt="Rotating pink checkmark denoting registry or cmdlet"> Changes Windows time sync interval from the default every 7 days to every 4 days (= every 345600 seconds) <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/green-verification.gif" width="15" alt="Rotating green checkmark denoting CSP"> [CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-w32time#w32time_policy_configure_ntpclient)
- <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/magenta-verification.gif" width="25" alt="Rotating pink checkmark denoting registry or cmdlet"> Creates custom views for [Windows Event Viewer](https://learn.microsoft.com/en-us/shows/inside/event-viewer) to help keep tabs on important security events:
From 0c84084f3b1f3dbcabb4487c6621bd6912974351 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Fri, 15 Dec 2023 03:52:46 -0930
Subject: [PATCH 68/79] Added CSP links for the policies in the CSV file
---
.../Resources/Registry resources.csv | 338 +++++++++---------
1 file changed, 169 insertions(+), 169 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Resources/Registry resources.csv b/Harden-Windows-Security Module/Main files/Resources/Registry resources.csv
index 49c9c9ac9..8e4abe787 100644
--- a/Harden-Windows-Security Module/Main files/Resources/Registry resources.csv
+++ b/Harden-Windows-Security Module/Main files/Resources/Registry resources.csv
@@ -1,169 +1,169 @@
-Origin,Category,Key,Name,FriendlyName,Type,Value
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WTDS\Components,ServiceEnabled,Enhanced Phishing Protection,DWORD,1
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WTDS\Components,NotifyUnsafeApp,Enhanced Phishing Protection: Notify Unsafe App,DWORD,1
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WTDS\Components,NotifyPasswordReuse,Enhanced Phishing Protection: Notify Password Reuse,DWORD,1
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WTDS\Components,NotifyMalicious,Enhanced Phishing Protection: Notify Malicious,DWORD,1
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WTDS\Components,CaptureThreatWindow,Enhanced Phishing Protection: Capture Threat Window,DWORD,1
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender,PUAProtection,Detection for potentially unwanted applications,DWORD,1
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine,MpBafsExtendedTimeout,Extended cloud check (Seconds),DWORD,50
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine,MpCloudBlockLevel,Cloud Block Level,DWORD,6
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine,EnableFileHashComputation,File Hash Computation,DWORD,1
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Quarantine,PurgeItemsAfterDelay,Purge Items After Delay,DWORD,1
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection,IOAVMaxSize,Maximum size of downloaded files and attachments to be scanned,DWORD,10000000
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Scan,CheckForSignaturesBeforeRunningScan,Check For Signatures Before Running Scan,DWORD,1
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Scan,DisableScanningMappedNetworkDrivesForFullScan,Scanning Mapped Network Drives For Full Scan,DWORD,0
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Scan,DisableScanningNetworkFiles,Scanning Network Files,DWORD,0
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Scan,DisableRemovableDriveScanning,Removable Drive Scanning,DWORD,0
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Scan,DisableCatchupQuickScan,Catchup Quick Scan,DWORD,0
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Scan,DisableEmailScanning,Email Scanning,DWORD,0
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Scan,DisableReparsePointScanning,Reparse Point Scanning,DWORD,0
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Scan,ArchiveMaxDepth,Maximum depth to scan archive files,DWORD,4294967295
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Signature Updates,SignatureUpdateInterval,interval to check for security intelligence updates,DWORD,3
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Signature Updates,UpdateOnStartUp,Check for the latest virus and spyware security intelligence on startup,DWORD,1
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Signature Updates,MeteredConnectionUpdates,Allows Microsoft Defender Antivirus to update over a metered connection,DWORD,1
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Signature Updates,AVSignatureDue,Define the number of days before virus security intelligence is considered out of date,DWORD,2
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Signature Updates,ASSignatureDue,Define the number of days before spyware security intelligence is considered out of date,DWORD,2
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet,DisableBlockAtFirstSeen,Block At First Sight,DWORD,0
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet,SubmitSamplesConsent,Send file samples when further analysis is required,DWORD,3
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet,SpynetReporting,Join Microsoft MAPS (aka SpyNet),DWORD,2
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats,Threats_ThreatSeverityDefaultAction,Specify threat alert levels,DWORD,1
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction,5,Severe Threat level default action = Remove,SZ,3
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction,4,High Threat level default action = Remove,SZ,3
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction,2,Medium Threat level default action = Quarantine,SZ,2
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction,1,Low Threat level default action = Quarantine,SZ,2
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access,EnableControlledFolderAccess,Enable Controlled Folder Access,DWORD,1
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection,EnableNetworkProtection,Enable Network Protection,DWORD,1
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,Allow Diagnostic Data (Required for Smart App Control),DWORD,3
-"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection,DisableTelemetryOptInSettingsUx,Configure diagnostic data opt-in settings user interface,DWORD,1
-"Group Policy","ASR",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR,ExploitGuard_ASR_Rules,Configure Attack Surface Reduction rules,DWORD,1
-"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,DisallowStandardUserPINReset,Disallow Standard User PIN Reset,DWORD,1
-"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,UseAdvancedStartup,Require additional authentication at startup,DWORD,1
-"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,EnableBDEWithNoTPM,Don't allow Bitlocker without TPM,DWORD,0
-"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,UseTPM,Use TPM,DWORD,2
-"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,UseTPMPIN,Use TPM + PIN,DWORD,2
-"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,UseTPMKey,Use TPM + key,DWORD,2
-"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,UseTPMKeyPIN,Use TPM startup key + PIN,DWORD,2
-"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,EncryptionMethodWithXtsOs,Correct Encryption method for OS drive,DWORD,7
-"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,EncryptionMethodWithXtsFdv,Correct Encryption method for fixed data drives,DWORD,7
-"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,EncryptionMethodWithXtsRdv,Correct Encryption method for removable drives,DWORD,7
-"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,UseEnhancedPin,Use Enhanced PIN,DWORD,1
-"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,OSEncryptionType,Full disk encryption for OS drive,DWORD,1
-"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,RDVEncryptionType,Full disk encryption for removable drives,DWORD,1
-"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,RDVDiscoveryVolumeType,Prevent access to BitLocker-protected removable data drives from earlier versions of Windows,SZ,<none>
-"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,RDVNoBitLockerToGoReader,Do not install BitLocker To Go Reader on FAT formatted removable drives,DWORD,0
-"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,MinimumPIN,Configure minimum PIN length for startup,DWORD,10
-"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,ACSettingIndex,Disallow standby states (S1-S3) when sleeping (plugged in),DWORD,0
-"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,DCSettingIndex,Disallow standby states (S1-S3) when sleeping (on battery),DWORD,0
-"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer,ShowHibernateOption,Show Hibernate Option,DWORD,1
-"Group Policy","TLS",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002,Functions,Configure the correct TLS Cipher Suites,SZ,"TLS_CHACHA20_POLY1305_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
-"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client,DisabledByDefault,Disable TLS 1.0 client,DWORD,1
-"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client,Enabled,Disable TLS 1.0 client,DWORD,0
-"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server,DisabledByDefault,Disable TLS 1.0 server,DWORD,1
-"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server,Enabled,Disable TLS 1.0 server,DWORD,0
-"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client,DisabledByDefault,Disable TLS 1.1 client,DWORD,1
-"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client,Enabled,Disable TLS 1.1 client,DWORD,0
-"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server,DisabledByDefault,Disable TLS 1.1 server,DWORD,1
-"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server,Enabled,Disable TLS 1.1 server,DWORD,0
-"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL\,Enabled,Disable NULL Cipher Suite,DWORD,0
-"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56,Enabled,Disable 56/56 Cipher Suite,DWORD,0
-"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128,Enabled,Disable 40/128 Cipher Suite,DWORD,0
-"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128,Enabled,Disable RC2 56/128 Cipher Suite,DWORD,0
-"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128,Enabled,Disable RC2 128/128 Cipher Suite,DWORD,0
-"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128,Enabled,Disable RC4 40/128 Cipher Suite,DWORD,0
-"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128,Enabled,Disable RC4 56/128 Cipher Suite,DWORD,0
-"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128,Enabled,Disable RC4 64/128 Cipher Suite,DWORD,0
-"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128,Enabled,Disable RC4 128/128 Cipher Suite,DWORD,0
-"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168,Enabled,Disable Triple DES 168 Cipher Suite,DWORD,0
-"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5,Enabled,Disable MD5 Hashing Algorithm,DWORD,0
-"Group Policy","LockScreen",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PassportForWork\PINComplexity,Digits,Require digits in Windows Hello PIN,DWORD,1
-"Group Policy","LockScreen",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PassportForWork\PINComplexity,LowercaseLetters,Require lower case letters in Windows Hello PIN,DWORD,1
-"Group Policy","LockScreen",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PassportForWork\PINComplexity,Expiration,Set Expiration for Windows Hello PIN,DWORD,180
-"Group Policy","LockScreen",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PassportForWork\PINComplexity,History,Save history of Windows Hello PIN,DWORD,3
-"Group Policy","LockScreen",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System,DontDisplayNetworkSelectionUI,Don't Display Network Selection UI on lock screen,DWORD,1
-"Group Policy","UAC",HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System,HideFastUserSwitching,Hide Fast User Switching entry points,DWORD,1
-"Group Policy","Device Guard",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,Enable Virtualization Based Security,DWORD,1
-"Group Policy","Device Guard",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,Require Platform Security Features,DWORD,1
-"Group Policy","Device Guard",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,Hypervisor Enforced Code Integrity,DWORD,1
-"Group Policy","Device Guard",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HVCIMATRequired,Require HVCI MAT (Memory Attribute Table),DWORD,1
-"Group Policy","Device Guard",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,Credential Guard Configuration,DWORD,1
-"Group Policy","Device Guard",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,ConfigureSystemGuardLaunch,Configure System Guard Launch,DWORD,1
-"Group Policy","Device Guard",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,ConfigureKernelShadowStacksLaunch,Configure Kernel Shadow Stacks Launch,DWORD,1
-"Group Policy","Device Guard",HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa,RunAsPPL,Enable Local Security Authority (LSA) process Protection with UEFI Lock,DWORD,1
-"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall,PolicyVersion,Enable Windows Firewall,DWORD,544
-"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,EnableFirewall,Enable Windows Firewall for Domain profile,DWORD,1
-"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultOutboundAction,Set Default Outbound Action for Domain profile,DWORD,1
-"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultInboundAction,Set Default Inbound Action for Domain profile,DWORD,1
-"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DoNotAllowExceptions,Block all Domain profile connections,DWORD,1
-"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogFilePath,Configure Log file path for domain profile,SZ,%systemroot%\system32\logfiles\firewall\domainfirewall.log
-"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogFileSize,Configure Log file size for domain profile,DWORD,32767
-"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogDroppedPackets,Log blocked connections for domain profile,DWORD,1
-"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogSuccessfulConnections,Log successful connections for domain profile,DWORD,1
-"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,EnableFirewall,Enable Windows Firewall for Private profile,DWORD,1
-"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DisableNotifications,Display notifications for Private profile,DWORD,0
-"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogFileSize,Configure Log file size for Private profile,DWORD,32767
-"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogDroppedPackets,Log blocked connections for Private profile,DWORD,1
-"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogFilePath,Configure Log file path for Private profile,SZ,%systemroot%\system32\logfiles\firewall\privatefirewall.log
-"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,EnableFirewall,Enable Windows Firewall for Public profile,DWORD,1
-"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DisableNotifications,Display notifications for Public profile,DWORD,0
-"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogFileSize,Configure Log file size for Public profile,DWORD,32767
-"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogDroppedPackets,Log blocked connections for Public profile,DWORD,1
-"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogFilePath,Configure Log file path for Public profile,SZ,%systemroot%\system32\logfiles\firewall\publicfirewall.log
-"Group Policy","Windows Networking",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient,EnableNetbios,Disable Netbios,DWORD,0
-"Group Policy","Windows Networking",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient,DisableSmartNameResolution,Disable Smart Name Resolution,DWORD,1
-"Group Policy","Windows Networking",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient,EnableMulticast,Disable Multicast,DWORD,0
-"Group Policy","Windows Networking",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers,DisableHTTPPrinting,Disable HTTP Printing,DWORD,1
-"Group Policy","Windows Networking",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers,DisableWebPnPDownload,Disable Web PnP Download,DWORD,1
-"Group Policy","Miscellaneous",HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,Include command line in process creation events,DWORD,1
-"Group Policy","Miscellaneous",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LocationAndSensors,DisableLocation,Disable Location,DWORD,1
-"Group Policy","Miscellaneous",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LocationAndSensors,DisableLocationScripting,Disable Location Scripting,DWORD,1
-"Group Policy","Miscellaneous",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LocationAndSensors,DisableWindowsLocationProvider,Disable Windows Location Provider,DWORD,1
-"Group Policy","Miscellaneous",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc,EnableAuthEpResolution,Enable RPC Endpoint Mapper Client Authentication,DWORD,1
-"Group Policy","Miscellaneous",HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SCMConfig,EnableSvchostMitigationPolicy,Enable Svchost Mitigation,DWORD,1
-"Group Policy","Miscellaneous",HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\EarlyLaunch,DriverLoadPolicy,Boot-Start Driver Initialization Policy set to Good only,DWORD,8
-"Registry Keys",Miscellaneous,HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search,EnableFindMyFiles,Enable enhanced search in Window,DWORD,1
-"Registry Keys",Miscellaneous,HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062},allowautoupdatesmetered,Set Microsoft Edge (Stable) to update over Metered connections,DWORD,1
-"Registry Keys",Miscellaneous,HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{2CD8A007-E189-409D-A2C8-9AF4EF3C72AA},allowautoupdatesmetered,Set Microsoft Edge (Beta) to update over Metered connections,DWORD,1
-"Registry Keys",Miscellaneous,HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{0D50BFEC-CD6A-4F9A-964C-C7416E3ACB10},allowautoupdatesmetered,Set Microsoft Edge (Dev) to update over Metered connections,DWORD,1
-"Registry Keys",Miscellaneous,HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\NtpClient,SpecialPollInterval,Change Windows time sync interval from every 7 days to every 4 days (= every 345600 seconds),DWORD,345600
-"Registry Keys",Miscellaneous,HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config,EnableCertPaddingCheck,WinVerifyTrust Signature Validation part 1,String,1
-"Registry Keys",Miscellaneous,HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config,EnableCertPaddingCheck,WinVerifyTrust Signature Validation part 2,String,1
-"Registry Keys",Miscellaneous,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,EncryptData,Enable SMB Encryption,DWORD,1
-"Group Policy","Windows Update",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate,AllowAutoWindowsUpdateDownloadOverMeteredNetwork,Allow updates to be downloaded automatically over metered connections,DWORD,1
-"Group Policy","Windows Update",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate,AllowTemporaryEnterpriseFeatureControl,Enable features introduced via servicing that are off by default,DWORD,1
-"Group Policy","Windows Update",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate,SetComplianceDeadline,Specify deadlines for automatic updates and restarts,DWORD,1
-"Group Policy","Windows Update",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate,ConfigureDeadlineForQualityUpdates,Number of days before quality updates are installed on devices automatically,DWORD,0
-"Group Policy","Windows Update",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate,ConfigureDeadlineGracePeriod,Number of grace period days before quality updates are installed on devices automatically,DWORD,1
-"Group Policy","Windows Update",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate,ConfigureDeadlineForFeatureUpdates,Number of days before feature updates are installed on devices automatically,DWORD,0
-"Group Policy","Windows Update",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate,ConfigureDeadlineGracePeriodForFeatureUpdates,Number of grace period days before feature updates are installed on devices automatically,DWORD,1
-"Group Policy","Windows Update",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU,NoAutoUpdate,Set the computer to receive security updates and other important downloads through Windows update,DWORD,0
-"Group Policy","Windows Update",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU,AUOptions,Automatically download updates and install them on maintenance day,DWORD,4
-"Group Policy","Windows Update",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU,AutomaticMaintenanceEnabled,Install updates during automatic maintenance,DWORD,1
-"Group Policy","Windows Update",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU,ScheduledInstallDay,Set scheduled install day to every day,DWORD,0
-"Group Policy","Windows Update",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU,ScheduledInstallTime,Set scheduled install time to any time,DWORD,24
-"Group Policy","Windows Update",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU,AllowMUUpdateService,Install updates for other Microsoft products,DWORD,1
-"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\Recommended,BlockThirdPartyCookies,Block 3rd party cookies,DWORD,1
-"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge,DnsOverHttpsMode,Set Dns Over Https Mode to use system DoH settings,String,automatic
-"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge,AutomaticHttpsDefault,Automatically upgrade HTTP connections to HTTPS,DWORD,2
-"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge,EncryptedClientHelloEnabled,Enable Encrypted Client Hello,DWORD,1
-"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge,BasicAuthOverHttpEnabled,Block Basic authentication for HTTP,DWORD,0
-"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge,RendererAppContainerEnabled,Launches Renderer processes into an App Container for additional security benefits,DWORD,1
-"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge,ExperimentationAndConfigurationServiceControl,Allow Edge to receive new features even after using policies,DWORD,2
-"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge,AudioSandboxEnabled,Enforces the audio process to run sandboxed,DWORD,1
-"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\Recommended,DefaultShareAdditionalOSRegionSetting,Recommends that the share additional operating system region setting to be set to never,DWORD,2
-"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,1,Disable TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - (CBC - SHA1),String,0xc013
-"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,2,Disable TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - (CBC - SHA1),String,0xc014
-"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,3,Disable TLS_RSA_WITH_AES_256_CBC_SHA - (NO PFS - CBC - SHA1),String,0x0035
-"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,4,Disable TLS_RSA_WITH_AES_128_CBC_SHA - (NO PFS - CBC - SHA1),String,0x002f
-"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,5,Disable TLS_RSA_WITH_AES_128_GCM_SHA256 - (NO PFS),String,0x009c
-"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,6,Disable TLS_RSA_WITH_AES_256_GCM_SHA384 - (NO PFS),String,0x009d
-"Registry Keys",Non-Admin,HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,HideFileExt,Show File extensions,DWORD,0
-"Registry Keys",Non-Admin,HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,Hidden,Show hidden files,DWORD,1
-"Registry Keys",Non-Admin,HKEY_CURRENT_USER\Control Panel\International\User Profile,HttpAcceptLanguageOptOut,Disable websites accessing local language list,DWORD,1
-"Registry Keys",Non-Admin,HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings,SafeSearchMode,Turn off safe search in Windows search,DWORD,0
-"Registry Keys",Non-Admin,HKEY_CURRENT_USER\Software\Microsoft\Clipboard,EnableClipboardHistory,Enable Clipboard History,DWORD,1
-"Registry Keys",Non-Admin,HKEY_CURRENT_USER\Software\Microsoft\Clipboard,CloudClipboardAutomaticUpload,Enable sync of Clipboard history in Windows between devices,DWORD,1
-"Registry Keys",Non-Admin,HKEY_CURRENT_USER\Software\Microsoft\Clipboard,EnableCloudClipboard,Enable Clipboard sync,DWORD,1
-"Registry Keys",Non-Admin,HKEY_CURRENT_USER\Software\Microsoft\Input\Settings,EnableHwkbTextPrediction,Turn on Show text suggestions when typing on the physical keyboard,DWORD,1
-"Registry Keys",Non-Admin,HKEY_CURRENT_USER\Software\Microsoft\Input\Settings,MultilingualEnabled,Turn on Multilingual text suggestions,DWORD,1
-"Registry Keys",Non-Admin,HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys,Flags,Turn off sticky key shortcut of pressing shift key 5 time fast,String,506
-"Registry Keys",Non-Admin,HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings,NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK,Disables show reminders and incoming VoIP calls on the lock screen,DWORD,0
\ No newline at end of file
+Origin,Category,Key,Name,FriendlyName,Type,Value,CSPLink
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WTDS\Components,ServiceEnabled,Enhanced Phishing Protection,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-webthreatdefense#serviceenabled
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WTDS\Components,NotifyUnsafeApp,Enhanced Phishing Protection: Notify Unsafe App,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-webthreatdefense#notifyunsafeapp
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WTDS\Components,NotifyPasswordReuse,Enhanced Phishing Protection: Notify Password Reuse,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-webthreatdefense#notifypasswordreuse
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WTDS\Components,NotifyMalicious,Enhanced Phishing Protection: Notify Malicious,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-webthreatdefense#notifymalicious
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WTDS\Components,CaptureThreatWindow,Enhanced Phishing Protection: Capture Threat Window,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-webthreatdefense#automaticdatacollection
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender,PUAProtection,Detection for potentially unwanted applications,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#puaprotection
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine,MpBafsExtendedTimeout,Extended cloud check (Seconds),DWORD,50,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#cloudextendedtimeout
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine,MpCloudBlockLevel,Cloud Block Level,DWORD,6,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#cloudblocklevel
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine,EnableFileHashComputation,File Hash Computation,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#mpengine_enablefilehashcomputation
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Quarantine,PurgeItemsAfterDelay,Purge Items After Delay,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#quarantine_purgeitemsafterdelay
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection,IOAVMaxSize,Maximum size of downloaded files and attachments to be scanned,DWORD,10000000,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#realtimeprotection_ioavmaxsize
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Scan,CheckForSignaturesBeforeRunningScan,Check For Signatures Before Running Scan,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#checkforsignaturesbeforerunningscan
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Scan,DisableScanningMappedNetworkDrivesForFullScan,Scanning Mapped Network Drives For Full Scan,DWORD,0,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#allowfullscanonmappednetworkdrives
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Scan,DisableScanningNetworkFiles,Scanning Network Files,DWORD,0,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#allowscanningnetworkfiles
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Scan,DisableRemovableDriveScanning,Removable Drive Scanning,DWORD,0,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#allowfullscanremovabledrivescanning
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Scan,DisableCatchupQuickScan,Catchup Quick Scan,DWORD,0,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#disablecatchupquickscan
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Scan,DisableEmailScanning,Email Scanning,DWORD,0,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#allowemailscanning
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Scan,DisableReparsePointScanning,Reparse Point Scanning,DWORD,0,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#scan_disablereparsepointscanning
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Scan,ArchiveMaxDepth,Maximum depth to scan archive files,DWORD,4294967295,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#scan_archivemaxdepth
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Signature Updates,SignatureUpdateInterval,interval to check for security intelligence updates,DWORD,3,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#signatureupdateinterval
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Signature Updates,UpdateOnStartUp,Check for the latest virus and spyware security intelligence on startup,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#signatureupdate_updateonstartup
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Signature Updates,MeteredConnectionUpdates,Allows Microsoft Defender Antivirus to update over a metered connection,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configurationmeteredconnectionupdates
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Signature Updates,AVSignatureDue,Define the number of days before virus security intelligence is considered out of date,DWORD,2,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#signatureupdate_avsignaturedue
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Signature Updates,ASSignatureDue,Define the number of days before spyware security intelligence is considered out of date,DWORD,2,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#signatureupdate_assignaturedue
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet,DisableBlockAtFirstSeen,Block At First Sight,DWORD,0,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#disableblockatfirstseen
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet,SubmitSamplesConsent,Send file samples when further analysis is required,DWORD,3,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#submitsamplesconsent
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet,SpynetReporting,Join Microsoft MAPS (aka SpyNet),DWORD,2,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#allowcloudprotection
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats,Threats_ThreatSeverityDefaultAction,Specify threat alert levels,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#threatseveritydefaultaction
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction,5,Severe Threat level default action = Remove,SZ,3,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#threatseveritydefaultaction
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction,4,High Threat level default action = Remove,SZ,3,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#threatseveritydefaultaction
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction,2,Medium Threat level default action = Quarantine,SZ,2,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#threatseveritydefaultaction
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction,1,Low Threat level default action = Quarantine,SZ,2,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#threatseveritydefaultaction
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access,EnableControlledFolderAccess,Enable Controlled Folder Access,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#enablecontrolledfolderaccess
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection,EnableNetworkProtection,Enable Network Protection,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#enablenetworkprotection
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,Allow Diagnostic Data (Required for Smart App Control),DWORD,3,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#allowtelemetry
+"Group Policy","Microsoft Defender",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection,DisableTelemetryOptInSettingsUx,Configure diagnostic data opt-in settings user interface,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#configuretelemetryoptinsettingsux
+"Group Policy","ASR",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR,ExploitGuard_ASR_Rules,Configure Attack Surface Reduction rules,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#attacksurfacereductionrules
+"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,DisallowStandardUserPINReset,Disallow Standard User PIN Reset,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesdisallowstandarduserscanchangepin
+"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,UseAdvancedStartup,Require additional authentication at startup,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesrequirestartupauthentication
+"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,EnableBDEWithNoTPM,Don't allow Bitlocker without TPM,DWORD,0,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesrequirestartupauthentication
+"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,UseTPM,Use TPM,DWORD,2,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesrequirestartupauthentication
+"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,UseTPMPIN,Use TPM + PIN,DWORD,2,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesrequirestartupauthentication
+"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,UseTPMKey,Use TPM + key,DWORD,2,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesrequirestartupauthentication
+"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,UseTPMKeyPIN,Use TPM startup key + PIN,DWORD,2,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesrequirestartupauthentication
+"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,EncryptionMethodWithXtsOs,Correct Encryption method for OS drive,DWORD,7,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#encryptionmethodbydrivetype
+"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,EncryptionMethodWithXtsFdv,Correct Encryption method for fixed data drives,DWORD,7,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#encryptionmethodbydrivetype
+"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,EncryptionMethodWithXtsRdv,Correct Encryption method for removable drives,DWORD,7,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#encryptionmethodbydrivetype
+"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,UseEnhancedPin,Use Enhanced PIN,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesenhancedpin
+"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,OSEncryptionType,Full disk encryption for OS drive,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesencryptiontype
+"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,RDVEncryptionType,Full disk encryption for removable drives,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#removabledrivesencryptiontype
+"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,RDVDiscoveryVolumeType,Prevent access to BitLocker-protected removable data drives from earlier versions of Windows,SZ,<none>,
+"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,RDVNoBitLockerToGoReader,Do not install BitLocker To Go Reader on FAT formatted removable drives,DWORD,0,
+"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE,MinimumPIN,Configure minimum PIN length for startup,DWORD,10,https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesminimumpinlength
+"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,ACSettingIndex,Disallow standby states (S1-S3) when sleeping (plugged in),DWORD,0,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-power#allowstandbywhensleepingpluggedin
+"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,DCSettingIndex,Disallow standby states (S1-S3) when sleeping (on battery),DWORD,0,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-power#allowstandbystateswhensleepingonbattery
+"Group Policy","Bitlocker",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer,ShowHibernateOption,Show Hibernate Option,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-windowsexplorer#showhibernateoption
+"Group Policy","TLS",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002,Functions,Configure the correct TLS Cipher Suites,SZ,"TLS_CHACHA20_POLY1305_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#tlsciphersuites
+"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client,DisabledByDefault,Disable TLS 1.0 client,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionclient
+"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client,Enabled,Disable TLS 1.0 client,DWORD,0,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionclient
+"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server,DisabledByDefault,Disable TLS 1.0 server,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionserver
+"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server,Enabled,Disable TLS 1.0 server,DWORD,0,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionserver
+"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client,DisabledByDefault,Disable TLS 1.1 client,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionclient
+"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client,Enabled,Disable TLS 1.1 client,DWORD,0,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionclient
+"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server,DisabledByDefault,Disable TLS 1.1 server,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionserver
+"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server,Enabled,Disable TLS 1.1 server,DWORD,0,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography#overrideminimumenabledtlsversionserver
+"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL\,Enabled,Disable NULL Cipher Suite,DWORD,0,
+"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56,Enabled,Disable 56/56 Cipher Suite,DWORD,0,
+"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128,Enabled,Disable 40/128 Cipher Suite,DWORD,0,
+"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128,Enabled,Disable RC2 56/128 Cipher Suite,DWORD,0,
+"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128,Enabled,Disable RC2 128/128 Cipher Suite,DWORD,0,
+"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128,Enabled,Disable RC4 40/128 Cipher Suite,DWORD,0,
+"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128,Enabled,Disable RC4 56/128 Cipher Suite,DWORD,0,
+"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128,Enabled,Disable RC4 64/128 Cipher Suite,DWORD,0,
+"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128,Enabled,Disable RC4 128/128 Cipher Suite,DWORD,0,
+"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168,Enabled,Disable Triple DES 168 Cipher Suite,DWORD,0,
+"Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5,Enabled,Disable MD5 Hashing Algorithm,DWORD,0,
+"Group Policy","LockScreen",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PassportForWork\PINComplexity,Digits,Require digits in Windows Hello PIN,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexitydigits
+"Group Policy","LockScreen",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PassportForWork\PINComplexity,LowercaseLetters,Require lower case letters in Windows Hello PIN,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexitylowercaseletters
+"Group Policy","LockScreen",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PassportForWork\PINComplexity,Expiration,Set Expiration for Windows Hello PIN,DWORD,180,https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexityexpiration
+"Group Policy","LockScreen",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PassportForWork\PINComplexity,History,Save history of Windows Hello PIN,DWORD,3,https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexityhistory
+"Group Policy","LockScreen",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System,DontDisplayNetworkSelectionUI,Don't Display Network Selection UI on lock screen,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowslogon#dontdisplaynetworkselectionui
+"Group Policy","UAC",HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System,HideFastUserSwitching,Hide Fast User Switching entry points,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowslogon#hidefastuserswitching
+"Group Policy","Device Guard",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,Enable Virtualization Based Security,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard?WT.mc_id=Portal-fx#enablevirtualizationbasedsecurity
+"Group Policy","Device Guard",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,Require Platform Security Features,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard?WT.mc_id=Portal-fx#requireplatformsecurityfeatures
+"Group Policy","Device Guard",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,Hypervisor Enforced Code Integrity,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-VirtualizationBasedTechnology?WT.mc_id=Portal-fx#hypervisorenforcedcodeintegrity
+"Group Policy","Device Guard",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HVCIMATRequired,Require HVCI MAT (Memory Attribute Table),DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-VirtualizationBasedTechnology?WT.mc_id=Portal-fx#requireuefimemoryattributestable
+"Group Policy","Device Guard",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,Credential Guard Configuration,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard?WT.mc_id=Portal-fx#lsacfgflags
+"Group Policy","Device Guard",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,ConfigureSystemGuardLaunch,Configure System Guard Launch,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard?WT.mc_id=Portal-fx#configuresystemguardlaunch
+"Group Policy","Device Guard",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,ConfigureKernelShadowStacksLaunch,Configure Kernel Shadow Stacks Launch,DWORD,1,
+"Group Policy","Device Guard",HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa,RunAsPPL,Enable Local Security Authority (LSA) process Protection with UEFI Lock,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-lsa#configurelsaprotectedprocess
+"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall,PolicyVersion,Enable Windows Firewall,DWORD,544,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoreglobalpolicyversion
+"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,EnableFirewall,Enable Windows Firewall for Domain profile,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofileenablefirewall
+"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultOutboundAction,Set Default Outbound Action for Domain profile,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofiledefaultoutboundaction
+"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultInboundAction,Set Default Inbound Action for Domain profile,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofiledefaultinboundaction
+"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DoNotAllowExceptions,Block all Domain profile connections,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofileshielded
+"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogFilePath,Configure Log file path for domain profile,SZ,%systemroot%\system32\logfiles\firewall\domainfirewall.log,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofilelogfilepath
+"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogFileSize,Configure Log file size for domain profile,DWORD,32767,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofilelogmaxfilesize
+"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogDroppedPackets,Log blocked connections for domain profile,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofileenablelogdroppedpackets
+"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogSuccessfulConnections,Log successful connections for domain profile,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofileenablelogsuccessconnections
+"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,EnableFirewall,Enable Windows Firewall for Private profile,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoreprivateprofileenablefirewall
+"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DisableNotifications,Display notifications for Private profile,DWORD,0,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoreprivateprofiledisableinboundnotifications
+"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogFileSize,Configure Log file size for Private profile,DWORD,32767,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoreprivateprofilelogmaxfilesize
+"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogDroppedPackets,Log blocked connections for Private profile,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoreprivateprofileenablelogdroppedpackets
+"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogFilePath,Configure Log file path for Private profile,SZ,%systemroot%\system32\logfiles\firewall\privatefirewall.log,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoreprivateprofilelogfilepath
+"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,EnableFirewall,Enable Windows Firewall for Public profile,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstorepublicprofileenablefirewall
+"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DisableNotifications,Display notifications for Public profile,DWORD,0,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstorepublicprofiledisableinboundnotifications
+"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogFileSize,Configure Log file size for Public profile,DWORD,32767,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstorepublicprofilelogmaxfilesize
+"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogDroppedPackets,Log blocked connections for Public profile,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstorepublicprofileenablelogdroppedpackets
+"Group Policy","Windows Firewall",HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogFilePath,Configure Log file path for Public profile,SZ,%systemroot%\system32\logfiles\firewall\publicfirewall.log,https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstorepublicprofilelogfilepath
+"Group Policy","Windows Networking",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient,EnableNetbios,Disable Netbios,DWORD,0,
+"Group Policy","Windows Networking",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient,DisableSmartNameResolution,Disable Smart Name Resolution,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-dnsclient#dns_smartmultihomednameresolution
+"Group Policy","Windows Networking",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient,EnableMulticast,Disable Multicast,DWORD,0,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-dnsclient#turn_off_multicast
+"Group Policy","Windows Networking",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers,DisableHTTPPrinting,Disable HTTP Printing,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-connectivity?WT.mc_id=Portal-fx#diableprintingoverhttp
+"Group Policy","Windows Networking",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers,DisableWebPnPDownload,Disable Web PnP Download,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-icm#disablewebpnpdownload_1
+"Group Policy","Miscellaneous",HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,Include command line in process creation events,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-auditsettings#includecmdline
+"Group Policy","Miscellaneous",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LocationAndSensors,DisableLocation,Disable Location,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-System?WT.mc_id=Portal-fx#allowlocation
+"Group Policy","Miscellaneous",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LocationAndSensors,DisableLocationScripting,Disable Location Scripting,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-sensors#disablelocationscripting_2
+"Group Policy","Miscellaneous",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LocationAndSensors,DisableWindowsLocationProvider,Disable Windows Location Provider,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-locationprovideradm#disablewindowslocationprovider_1
+"Group Policy","Miscellaneous",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc,EnableAuthEpResolution,Enable RPC Endpoint Mapper Client Authentication,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-remoteprocedurecall#rpcendpointmapperclientauthentication
+"Group Policy","Miscellaneous",HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SCMConfig,EnableSvchostMitigationPolicy,Enable Svchost Mitigation,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-servicecontrolmanager#svchostprocessmitigation
+"Group Policy","Miscellaneous",HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\EarlyLaunch,DriverLoadPolicy,Boot-Start Driver Initialization Policy set to Good only,DWORD,8,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#bootstartdriverinitialization
+"Registry Keys",Miscellaneous,HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search,EnableFindMyFiles,Enable enhanced search in Window,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#allowfindmyfiles
+"Registry Keys",Miscellaneous,HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062},allowautoupdatesmetered,Set Microsoft Edge (Stable) to update over Metered connections,DWORD,1,
+"Registry Keys",Miscellaneous,HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{2CD8A007-E189-409D-A2C8-9AF4EF3C72AA},allowautoupdatesmetered,Set Microsoft Edge (Beta) to update over Metered connections,DWORD,1,
+"Registry Keys",Miscellaneous,HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{0D50BFEC-CD6A-4F9A-964C-C7416E3ACB10},allowautoupdatesmetered,Set Microsoft Edge (Dev) to update over Metered connections,DWORD,1,
+"Registry Keys",Miscellaneous,HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\NtpClient,SpecialPollInterval,Change Windows time sync interval from every 7 days to every 4 days (= every 345600 seconds),DWORD,345600,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-w32time#w32time_policy_configure_ntpclient
+"Registry Keys",Miscellaneous,HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config,EnableCertPaddingCheck,WinVerifyTrust Signature Validation part 1,String,1,
+"Registry Keys",Miscellaneous,HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config,EnableCertPaddingCheck,WinVerifyTrust Signature Validation part 2,String,1,
+"Registry Keys",Miscellaneous,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,EncryptData,Enable SMB Encryption,DWORD,1,
+"Group Policy","Windows Update",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate,AllowAutoWindowsUpdateDownloadOverMeteredNetwork,Allow updates to be downloaded automatically over metered connections,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#allowautowindowsupdatedownloadovermeterednetwork
+"Group Policy","Windows Update",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate,AllowTemporaryEnterpriseFeatureControl,Enable features introduced via servicing that are off by default,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#allowtemporaryenterprisefeaturecontrol
+"Group Policy","Windows Update",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate,SetComplianceDeadline,Specify deadlines for automatic updates and restarts,DWORD,1,
+"Group Policy","Windows Update",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate,ConfigureDeadlineForQualityUpdates,Number of days before quality updates are installed on devices automatically,DWORD,0,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#configuredeadlineforqualityupdates
+"Group Policy","Windows Update",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate,ConfigureDeadlineGracePeriod,Number of grace period days before quality updates are installed on devices automatically,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiod
+"Group Policy","Windows Update",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate,ConfigureDeadlineForFeatureUpdates,Number of days before feature updates are installed on devices automatically,DWORD,0,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#configuredeadlineforfeatureupdates
+"Group Policy","Windows Update",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate,ConfigureDeadlineGracePeriodForFeatureUpdates,Number of grace period days before feature updates are installed on devices automatically,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiodforfeatureupdates
+"Group Policy","Windows Update",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU,NoAutoUpdate,Set the computer to receive security updates and other important downloads through Windows update,DWORD,0,
+"Group Policy","Windows Update",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU,AUOptions,Automatically download updates and install them on maintenance day,DWORD,4,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#allowautoupdate
+"Group Policy","Windows Update",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU,AutomaticMaintenanceEnabled,Install updates during automatic maintenance,DWORD,1,
+"Group Policy","Windows Update",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU,ScheduledInstallDay,Set scheduled install day to every day,DWORD,0,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#scheduledinstallday
+"Group Policy","Windows Update",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU,ScheduledInstallTime,Set scheduled install time to any time,DWORD,24,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#scheduledinstalltime
+"Group Policy","Windows Update",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU,AllowMUUpdateService,Install updates for other Microsoft products,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#allowmuupdateservice
+"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\Recommended,BlockThirdPartyCookies,Block 3rd party cookies,DWORD,1,
+"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge,DnsOverHttpsMode,Set Dns Over Https Mode to use system DoH settings,String,automatic,
+"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge,AutomaticHttpsDefault,Automatically upgrade HTTP connections to HTTPS,DWORD,2,
+"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge,EncryptedClientHelloEnabled,Enable Encrypted Client Hello,DWORD,1,
+"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge,BasicAuthOverHttpEnabled,Block Basic authentication for HTTP,DWORD,0,
+"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge,RendererAppContainerEnabled,Launches Renderer processes into an App Container for additional security benefits,DWORD,1,
+"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge,ExperimentationAndConfigurationServiceControl,Allow Edge to receive new features even after using policies,DWORD,2,
+"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge,AudioSandboxEnabled,Enforces the audio process to run sandboxed,DWORD,1,
+"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\Recommended,DefaultShareAdditionalOSRegionSetting,Recommends that the share additional operating system region setting to be set to never,DWORD,2,
+"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,1,Disable TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - (CBC - SHA1),String,0xc013,
+"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,2,Disable TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - (CBC - SHA1),String,0xc014,
+"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,3,Disable TLS_RSA_WITH_AES_256_CBC_SHA - (NO PFS - CBC - SHA1),String,0x0035,
+"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,4,Disable TLS_RSA_WITH_AES_128_CBC_SHA - (NO PFS - CBC - SHA1),String,0x002f,
+"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,5,Disable TLS_RSA_WITH_AES_128_GCM_SHA256 - (NO PFS),String,0x009c,
+"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,6,Disable TLS_RSA_WITH_AES_256_GCM_SHA384 - (NO PFS),String,0x009d,
+"Registry Keys",Non-Admin,HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,HideFileExt,Show File extensions,DWORD,0,
+"Registry Keys",Non-Admin,HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,Hidden,Show hidden files,DWORD,1,
+"Registry Keys",Non-Admin,HKEY_CURRENT_USER\Control Panel\International\User Profile,HttpAcceptLanguageOptOut,Disable websites accessing local language list,DWORD,1,
+"Registry Keys",Non-Admin,HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings,SafeSearchMode,Turn off safe search in Windows search,DWORD,0,
+"Registry Keys",Non-Admin,HKEY_CURRENT_USER\Software\Microsoft\Clipboard,EnableClipboardHistory,Enable Clipboard History,DWORD,1,
+"Registry Keys",Non-Admin,HKEY_CURRENT_USER\Software\Microsoft\Clipboard,CloudClipboardAutomaticUpload,Enable sync of Clipboard history in Windows between devices,DWORD,1,
+"Registry Keys",Non-Admin,HKEY_CURRENT_USER\Software\Microsoft\Clipboard,EnableCloudClipboard,Enable Clipboard sync,DWORD,1,
+"Registry Keys",Non-Admin,HKEY_CURRENT_USER\Software\Microsoft\Input\Settings,EnableHwkbTextPrediction,Turn on Show text suggestions when typing on the physical keyboard,DWORD,1,
+"Registry Keys",Non-Admin,HKEY_CURRENT_USER\Software\Microsoft\Input\Settings,MultilingualEnabled,Turn on Multilingual text suggestions,DWORD,1,
+"Registry Keys",Non-Admin,HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys,Flags,Turn off sticky key shortcut of pressing shift key 5 time fast,String,506,
+"Registry Keys",Non-Admin,HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings,NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK,Disables show reminders and incoming VoIP calls on the lock screen,DWORD,0,
\ No newline at end of file
From 04a03cdca2655e7959a54365518099e9bad7552f Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Fri, 15 Dec 2023 04:03:40 -0930
Subject: [PATCH 69/79] Added CSP links for how to configure Edge CSPs
---
.../Resources/Registry resources.csv | 30 +++++++++----------
1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Resources/Registry resources.csv b/Harden-Windows-Security Module/Main files/Resources/Registry resources.csv
index 8e4abe787..9ff7be560 100644
--- a/Harden-Windows-Security Module/Main files/Resources/Registry resources.csv
+++ b/Harden-Windows-Security Module/Main files/Resources/Registry resources.csv
@@ -141,21 +141,21 @@ Origin,Category,Key,Name,FriendlyName,Type,Value,CSPLink
"Group Policy","Windows Update",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU,ScheduledInstallDay,Set scheduled install day to every day,DWORD,0,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#scheduledinstallday
"Group Policy","Windows Update",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU,ScheduledInstallTime,Set scheduled install time to any time,DWORD,24,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#scheduledinstalltime
"Group Policy","Windows Update",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU,AllowMUUpdateService,Install updates for other Microsoft products,DWORD,1,https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#allowmuupdateservice
-"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\Recommended,BlockThirdPartyCookies,Block 3rd party cookies,DWORD,1,
-"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge,DnsOverHttpsMode,Set Dns Over Https Mode to use system DoH settings,String,automatic,
-"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge,AutomaticHttpsDefault,Automatically upgrade HTTP connections to HTTPS,DWORD,2,
-"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge,EncryptedClientHelloEnabled,Enable Encrypted Client Hello,DWORD,1,
-"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge,BasicAuthOverHttpEnabled,Block Basic authentication for HTTP,DWORD,0,
-"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge,RendererAppContainerEnabled,Launches Renderer processes into an App Container for additional security benefits,DWORD,1,
-"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge,ExperimentationAndConfigurationServiceControl,Allow Edge to receive new features even after using policies,DWORD,2,
-"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge,AudioSandboxEnabled,Enforces the audio process to run sandboxed,DWORD,1,
-"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\Recommended,DefaultShareAdditionalOSRegionSetting,Recommends that the share additional operating system region setting to be set to never,DWORD,2,
-"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,1,Disable TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - (CBC - SHA1),String,0xc013,
-"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,2,Disable TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - (CBC - SHA1),String,0xc014,
-"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,3,Disable TLS_RSA_WITH_AES_256_CBC_SHA - (NO PFS - CBC - SHA1),String,0x0035,
-"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,4,Disable TLS_RSA_WITH_AES_128_CBC_SHA - (NO PFS - CBC - SHA1),String,0x002f,
-"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,5,Disable TLS_RSA_WITH_AES_128_GCM_SHA256 - (NO PFS),String,0x009c,
-"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,6,Disable TLS_RSA_WITH_AES_256_GCM_SHA384 - (NO PFS),String,0x009d,
+"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\Recommended,BlockThirdPartyCookies,Block 3rd party cookies,DWORD,1,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
+"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge,DnsOverHttpsMode,Set Dns Over Https Mode to use system DoH settings,String,automatic,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
+"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge,AutomaticHttpsDefault,Automatically upgrade HTTP connections to HTTPS,DWORD,2,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
+"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge,EncryptedClientHelloEnabled,Enable Encrypted Client Hello,DWORD,1,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
+"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge,BasicAuthOverHttpEnabled,Block Basic authentication for HTTP,DWORD,0,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
+"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge,RendererAppContainerEnabled,Launches Renderer processes into an App Container for additional security benefits,DWORD,1,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
+"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge,ExperimentationAndConfigurationServiceControl,Allow Edge to receive new features even after using policies,DWORD,2,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
+"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge,AudioSandboxEnabled,Enforces the audio process to run sandboxed,DWORD,1,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
+"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\Recommended,DefaultShareAdditionalOSRegionSetting,Recommends that the share additional operating system region setting to be set to never,DWORD,2,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
+"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,1,Disable TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - (CBC - SHA1),String,0xc013,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
+"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,2,Disable TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - (CBC - SHA1),String,0xc014,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
+"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,3,Disable TLS_RSA_WITH_AES_256_CBC_SHA - (NO PFS - CBC - SHA1),String,0x0035,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
+"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,4,Disable TLS_RSA_WITH_AES_128_CBC_SHA - (NO PFS - CBC - SHA1),String,0x002f,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
+"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,5,Disable TLS_RSA_WITH_AES_128_GCM_SHA256 - (NO PFS),String,0x009c,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
+"Registry Keys",Edge,HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList,6,Disable TLS_RSA_WITH_AES_256_GCM_SHA384 - (NO PFS),String,0x009d,https://learn.microsoft.com/en-us/deployedge/configure-edge-with-mdm
"Registry Keys",Non-Admin,HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,HideFileExt,Show File extensions,DWORD,0,
"Registry Keys",Non-Admin,HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,Hidden,Show hidden files,DWORD,1,
"Registry Keys",Non-Admin,HKEY_CURRENT_USER\Control Panel\International\User Profile,HttpAcceptLanguageOptOut,Disable websites accessing local language list,DWORD,1,
From 494f024f826f1cff85a47aeccd5f815277ad156e Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Fri, 15 Dec 2023 04:06:13 -0930
Subject: [PATCH 70/79] Updated recommended extension in workspace file
---
.../Harden-Windows-Security Module.code-workspace | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Harden-Windows-Security Module/Harden-Windows-Security Module.code-workspace b/Harden-Windows-Security Module/Harden-Windows-Security Module.code-workspace
index 7337c0326..651a1399e 100644
--- a/Harden-Windows-Security Module/Harden-Windows-Security Module.code-workspace
+++ b/Harden-Windows-Security Module/Harden-Windows-Security Module.code-workspace
@@ -14,7 +14,8 @@
},
"extensions": {
"recommendations": [
- "ms-vscode.powershell"
+ "ms-vscode.powershell",
+ "mechatroner.rainbow-csv"
]
},
"launch": {
From f36dbad9a5a0e293c3733a3d7ecd0d36738b9fb9 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Fri, 15 Dec 2023 04:29:19 -0930
Subject: [PATCH 71/79] Hide the output of optional feature removals
---
.../Main files/Resources/Harden-Windows-Security.ps1 | 6 +++---
Harden-Windows-Security.ps1 | 6 +++---
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
index 45a5b83b0..407a8febe 100644
--- a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
@@ -653,10 +653,10 @@ function Edit-Addons {
if ((Get-WindowsOptionalFeature -Online -FeatureName $FeatureName).state -eq $ActionCheck) {
try {
if ($FeatureAction -eq 'Enabling') {
- Enable-WindowsOptionalFeature -Online -FeatureName $FeatureName -All -NoRestart -ErrorAction Stop
+ Enable-WindowsOptionalFeature -Online -FeatureName $FeatureName -All -NoRestart -ErrorAction Stop | Out-Null
}
else {
- Disable-WindowsOptionalFeature -Online -FeatureName $FeatureName -NoRestart -ErrorAction Stop
+ Disable-WindowsOptionalFeature -Online -FeatureName $FeatureName -NoRestart -ErrorAction Stop | Out-Null
}
# Shows the successful message only if the process was successful
Write-SmartText -GenericColor Green -CustomColor NeonGreen -InputText "$FeatureName was successfully $ActionOutput"
@@ -675,7 +675,7 @@ function Edit-Addons {
Write-SmartText -CustomColor Lavender -GenericColor Yellow -InputText "`nRemoving $CapabilityName"
if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like "*$CapabilityName*" }).state -ne 'NotPresent') {
try {
- Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like "*$CapabilityName*" } | Remove-WindowsCapability -Online -ErrorAction Stop
+ Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like "*$CapabilityName*" } | Remove-WindowsCapability -Online -ErrorAction Stop | Out-Null
# Shows the successful message only if the process was successful
Write-SmartText -GenericColor Green -CustomColor NeonGreen -InputText "$CapabilityName was successfully removed."
}
diff --git a/Harden-Windows-Security.ps1 b/Harden-Windows-Security.ps1
index 3b820ebf9..24650acd0 100644
--- a/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security.ps1
@@ -653,10 +653,10 @@ function Edit-Addons {
if ((Get-WindowsOptionalFeature -Online -FeatureName $FeatureName).state -eq $ActionCheck) {
try {
if ($FeatureAction -eq 'Enabling') {
- Enable-WindowsOptionalFeature -Online -FeatureName $FeatureName -All -NoRestart -ErrorAction Stop
+ Enable-WindowsOptionalFeature -Online -FeatureName $FeatureName -All -NoRestart -ErrorAction Stop | Out-Null
}
else {
- Disable-WindowsOptionalFeature -Online -FeatureName $FeatureName -NoRestart -ErrorAction Stop
+ Disable-WindowsOptionalFeature -Online -FeatureName $FeatureName -NoRestart -ErrorAction Stop | Out-Null
}
# Shows the successful message only if the process was successful
Write-SmartText -GenericColor Green -CustomColor NeonGreen -InputText "$FeatureName was successfully $ActionOutput"
@@ -675,7 +675,7 @@ function Edit-Addons {
Write-SmartText -CustomColor Lavender -GenericColor Yellow -InputText "`nRemoving $CapabilityName"
if ((Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like "*$CapabilityName*" }).state -ne 'NotPresent') {
try {
- Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like "*$CapabilityName*" } | Remove-WindowsCapability -Online -ErrorAction Stop
+ Get-WindowsCapability -Online | Where-Object -FilterScript { $_.Name -like "*$CapabilityName*" } | Remove-WindowsCapability -Online -ErrorAction Stop | Out-Null
# Shows the successful message only if the process was successful
Write-SmartText -GenericColor Green -CustomColor NeonGreen -InputText "$CapabilityName was successfully removed."
}
From 08880cb115541da4d07b89fc538700da4f4683c7 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Fri, 15 Dec 2023 04:45:19 -0930
Subject: [PATCH 72/79] Updated a link for consistency
---
.../Main files/Resources/Harden-Windows-Security.ps1 | 2 +-
Harden-Windows-Security.ps1 | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
index 407a8febe..4a7d4f7dd 100644
--- a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
@@ -830,7 +830,7 @@ try {
@{url = 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Payload/Security-Baselines-X.zip'; path = "$WorkingDir\Security-Baselines-X.zip"; tag = 'Security-Baselines-X' }
@{url = 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Payload/Registry.csv'; path = "$WorkingDir\Registry.csv"; tag = 'Registry' }
@{url = 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Payload/ProcessMitigations.csv'; path = "$WorkingDir\ProcessMitigations.csv"; tag = 'ProcessMitigations' }
- @{url = 'https://github.com/HotCakeX/Harden-Windows-Security/raw/main/Payload/EventViewerCustomViews.zip'; path = "$WorkingDir\EventViewerCustomViews.zip"; tag = 'EventViewerCustomViews' }
+ @{url = 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Payload/EventViewerCustomViews.zip'; path = "$WorkingDir\EventViewerCustomViews.zip"; tag = 'EventViewerCustomViews' }
)
# Get the total number of files to download
diff --git a/Harden-Windows-Security.ps1 b/Harden-Windows-Security.ps1
index 24650acd0..07320384f 100644
--- a/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security.ps1
@@ -830,7 +830,7 @@ try {
@{url = 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Payload/Security-Baselines-X.zip'; path = "$WorkingDir\Security-Baselines-X.zip"; tag = 'Security-Baselines-X' }
@{url = 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Payload/Registry.csv'; path = "$WorkingDir\Registry.csv"; tag = 'Registry' }
@{url = 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Payload/ProcessMitigations.csv'; path = "$WorkingDir\ProcessMitigations.csv"; tag = 'ProcessMitigations' }
- @{url = 'https://github.com/HotCakeX/Harden-Windows-Security/raw/main/Payload/EventViewerCustomViews.zip'; path = "$WorkingDir\EventViewerCustomViews.zip"; tag = 'EventViewerCustomViews' }
+ @{url = 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Payload/EventViewerCustomViews.zip'; path = "$WorkingDir\EventViewerCustomViews.zip"; tag = 'EventViewerCustomViews' }
)
# Get the total number of files to download
From 122f306e37ad026e70896034c4b3b66e692feed9 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Fri, 15 Dec 2023 05:39:39 -0930
Subject: [PATCH 73/79] Updated workspace file with recommended extension
---
.../Harden-Windows-Security Module.code-workspace | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Harden-Windows-Security Module/Harden-Windows-Security Module.code-workspace b/Harden-Windows-Security Module/Harden-Windows-Security Module.code-workspace
index 651a1399e..6d61b615c 100644
--- a/Harden-Windows-Security Module/Harden-Windows-Security Module.code-workspace
+++ b/Harden-Windows-Security Module/Harden-Windows-Security Module.code-workspace
@@ -15,7 +15,8 @@
"extensions": {
"recommendations": [
"ms-vscode.powershell",
- "mechatroner.rainbow-csv"
+ "mechatroner.rainbow-csv",
+ "streetsidesoftware.code-spell-checker"
]
},
"launch": {
From 90217d571c7703254392886fd8937a75b928820a Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Fri, 15 Dec 2023 05:49:10 -0930
Subject: [PATCH 74/79] Updated workspace file with spellchecker
---
...den-Windows-Security Module.code-workspace | 185 +++++++++++++++++-
1 file changed, 184 insertions(+), 1 deletion(-)
diff --git a/Harden-Windows-Security Module/Harden-Windows-Security Module.code-workspace b/Harden-Windows-Security Module/Harden-Windows-Security Module.code-workspace
index 6d61b615c..c9ae1f0d4 100644
--- a/Harden-Windows-Security Module/Harden-Windows-Security Module.code-workspace
+++ b/Harden-Windows-Security Module/Harden-Windows-Security Module.code-workspace
@@ -10,7 +10,190 @@
"powershell.codeFormatting.trimWhitespaceAroundPipe": true,
"powershell.codeFormatting.useConstantStrings": true,
"powershell.codeFormatting.useCorrectCasing": true,
- "powershell.codeFormatting.whitespaceBetweenParameters": true
+ "powershell.codeFormatting.whitespaceBetweenParameters": true,
+ "json.schemas": [],
+ "cSpell.userWords": [
+ "accepteula",
+ "accordignly",
+ "ADMX",
+ "Alloc",
+ "allowautoupdatesmetered",
+ "AMSI",
+ "antimalware",
+ "Antispyware",
+ "antiviruses",
+ "APNG",
+ "ASLR",
+ "authenticode",
+ "backdoors",
+ "Bafs",
+ "bcdboot",
+ "bcdedit",
+ "Betternet",
+ "Bitlocker",
+ "blocklist",
+ "blocklists",
+ "Bootable",
+ "Bstr",
+ "BYOVD",
+ "catname",
+ "CHACHA",
+ "Cipolicy",
+ "Citool",
+ "CMOS",
+ "COMPANYNAME",
+ "computername",
+ "CRSP",
+ "cyberattack",
+ "Datacenter",
+ "DFCI",
+ "DISM",
+ "DNSSEC",
+ "domainfirewall",
+ "Dont",
+ "driversipolicy",
+ "DWORD",
+ "Entra",
+ "Eventlog",
+ "experimentations",
+ "EXTERNALMODULEDEPENDENCIES",
+ "EXTERNALSCRIPTDEPENDENCIES",
+ "firewallapi",
+ "firmwares",
+ "Friendlyname",
+ "gpgsign",
+ "gpresult",
+ "Harddisk",
+ "Hashtable",
+ "hashtables",
+ "Hiber",
+ "HIPPA",
+ "HITRUST",
+ "HKEY",
+ "HKLM",
+ "hotcakex",
+ "hotspot",
+ "HVCI",
+ "HVCIMAT",
+ "Hwkb",
+ "icontains",
+ "ICONURI",
+ "Intune",
+ "IOAV",
+ "IOMMUs",
+ "IRGC",
+ "keyprotectors",
+ "keyprotectortype",
+ "Kleopatra",
+ "laggy",
+ "Lanman",
+ "LGPO",
+ "LICENSEURI",
+ "LLMNR",
+ "LMHOSTS",
+ "logfiles",
+ "lsass",
+ "Mastadon",
+ "MDAG",
+ "MDAV",
+ "mechatroner",
+ "Miracast",
+ "Mitigations",
+ "mountpoint",
+ "mountvol",
+ "msinfo",
+ "MSIX",
+ "multicloud",
+ "Multifactor",
+ "multiplatform",
+ "Netbios",
+ "nobanner",
+ "notcontains",
+ "ntdll",
+ "NTFS",
+ "OFAC",
+ "operatingsystem",
+ "OPSEC",
+ "Optane",
+ "Orcid",
+ "orpa",
+ "passwordless",
+ "pentest",
+ "pentesting",
+ "pentests",
+ "Perflib",
+ "photoshop",
+ "PKCS",
+ "Podāns's",
+ "privatefirewall",
+ "privs",
+ "PROJECTURI",
+ "pschildname",
+ "PSHOME",
+ "psscriptroot",
+ "publicfirewall",
+ "pwsh",
+ "Readline",
+ "rebootlessly",
+ "RELEASENOTES",
+ "reparse",
+ "Requiredbuild",
+ "REQUIREDSCRIPTS",
+ "Rockstar",
+ "sandboxed",
+ "Schannel",
+ "SCHTASKS",
+ "scriptblock",
+ "scriptblocks",
+ "Secureboot",
+ "securestring",
+ "Shellv",
+ "SIEM",
+ "sigcheck",
+ "Signingkey",
+ "signtool",
+ "Spynet",
+ "ssllabs",
+ "SSTP",
+ "Stackexchange",
+ "Stonks",
+ "subfolders",
+ "subpaths",
+ "svchost",
+ "Sysmon",
+ "systemroot",
+ "taskkill",
+ "tolower",
+ "tpmenabled",
+ "Tpmpin",
+ "tpmpresent",
+ "UEFI",
+ "uksouth",
+ "UMCI",
+ "Unprotect",
+ "Uplay",
+ "USERPROFILE",
+ "Vadims",
+ "VBSCRIPT",
+ "VHDX",
+ "vnet",
+ "Wayback",
+ "WDAC",
+ "webmail",
+ "webserver",
+ "WHQL",
+ "Winget",
+ "Winreg",
+ "Wireshark",
+ "Wireshark's",
+ "WTDS",
+ "XDRs",
+ "Zune"
+ ],
+ "cSpell.enableFiletypes": [
+ "*"
+ ],
+ "cSpell.maxNumberOfProblems": 200
},
"extensions": {
"recommendations": [
From 41a1bd67da236e8e9f9b3ada3a1139bd4563e714 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Fri, 15 Dec 2023 05:54:59 -0930
Subject: [PATCH 75/79] Fixed a typo
---
.../Harden-Windows-Security Module.code-workspace | 1 -
.../Azure/How to Securely Connect to Azure VMs and Use RDP.md | 2 +-
2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/Harden-Windows-Security Module/Harden-Windows-Security Module.code-workspace b/Harden-Windows-Security Module/Harden-Windows-Security Module.code-workspace
index c9ae1f0d4..70cebbf1d 100644
--- a/Harden-Windows-Security Module/Harden-Windows-Security Module.code-workspace
+++ b/Harden-Windows-Security Module/Harden-Windows-Security Module.code-workspace
@@ -14,7 +14,6 @@
"json.schemas": [],
"cSpell.userWords": [
"accepteula",
- "accordignly",
"ADMX",
"Alloc",
"allowautoupdatesmetered",
diff --git a/Wiki posts/Azure/How to Securely Connect to Azure VMs and Use RDP.md b/Wiki posts/Azure/How to Securely Connect to Azure VMs and Use RDP.md
index e58a93ce2..1cc5be000 100644
--- a/Wiki posts/Azure/How to Securely Connect to Azure VMs and Use RDP.md
+++ b/Wiki posts/Azure/How to Securely Connect to Azure VMs and Use RDP.md
@@ -165,7 +165,7 @@ Screenshots <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pi
Create a VM in Azure and do not allow any open ports from Internet. Do not assign any public IP to the VM.
-In the Virtual Network section, choose the `VirtualNetwork1` for the VM and set its `Default` Subnet accordignly.
+In the Virtual Network section, choose the `VirtualNetwork1` for the VM and set its `Default` Subnet accordingly.
<br>
From 81ac49c9c5a8e1ecbfe7bfef4ef3a35f08872f7d Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Fri, 15 Dec 2023 06:08:55 -0930
Subject: [PATCH 76/79] Using stricter type for colors collection
Co-Authored-By: Elliot Huffman <ehuffman@elliot-labs.com>
---
.../Main files/Core/Confirm-SystemCompliance.psm1 | 2 +-
.../Main files/Resources/Harden-Windows-Security.ps1 | 2 +-
Harden-Windows-Security.ps1 | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Core/Confirm-SystemCompliance.psm1 b/Harden-Windows-Security Module/Main files/Core/Confirm-SystemCompliance.psm1
index 43a9a1577..f7bb75bd2 100644
--- a/Harden-Windows-Security Module/Main files/Core/Confirm-SystemCompliance.psm1
+++ b/Harden-Windows-Security Module/Main files/Core/Confirm-SystemCompliance.psm1
@@ -1342,7 +1342,7 @@ function Confirm-SystemCompliance {
[System.Management.Automation.ScriptBlock]$WriteRainbow2 = {
$text = $args[0]
- [System.Object[]]$colors = @(
+ [System.Drawing.Color[]]$colors = @(
[System.Drawing.Color]::Pink,
[System.Drawing.Color]::HotPink,
[System.Drawing.Color]::SkyBlue,
diff --git a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1 b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
index 4a7d4f7dd..049732823 100644
--- a/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security Module/Main files/Resources/Harden-Windows-Security.ps1
@@ -350,7 +350,7 @@ Function Write-SmartText {
'Lavender' { Write-Host -Object "$($PSStyle.Foreground.FromRgb(255,179,255))$InputText$($PSStyle.Reset)"; break }
'TeaGreenNoNewLine' { Write-Host -Object "$($PSStyle.Foreground.FromRgb(133, 222, 119))$InputText$($PSStyle.Reset)" -NoNewline; break }
'Rainbow' {
- [System.Object[]]$Colors = @(
+ [System.Drawing.Color[]]$Colors = @(
[System.Drawing.Color]::Pink,
[System.Drawing.Color]::HotPink,
[System.Drawing.Color]::SkyBlue,
diff --git a/Harden-Windows-Security.ps1 b/Harden-Windows-Security.ps1
index 07320384f..c5147cefc 100644
--- a/Harden-Windows-Security.ps1
+++ b/Harden-Windows-Security.ps1
@@ -350,7 +350,7 @@ Function Write-SmartText {
'Lavender' { Write-Host -Object "$($PSStyle.Foreground.FromRgb(255,179,255))$InputText$($PSStyle.Reset)"; break }
'TeaGreenNoNewLine' { Write-Host -Object "$($PSStyle.Foreground.FromRgb(133, 222, 119))$InputText$($PSStyle.Reset)" -NoNewline; break }
'Rainbow' {
- [System.Object[]]$Colors = @(
+ [System.Drawing.Color[]]$Colors = @(
[System.Drawing.Color]::Pink,
[System.Drawing.Color]::HotPink,
[System.Drawing.Color]::SkyBlue,
From 20986ececced3428068fcc055efdc1c540090b7e Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Fri, 15 Dec 2023 06:53:16 -0930
Subject: [PATCH 77/79] Improved variable casings and types
---
.../Core/Confirm-SystemCompliance.psm1 | 272 +++++++++---------
1 file changed, 136 insertions(+), 136 deletions(-)
diff --git a/Harden-Windows-Security Module/Main files/Core/Confirm-SystemCompliance.psm1 b/Harden-Windows-Security Module/Main files/Core/Confirm-SystemCompliance.psm1
index f7bb75bd2..50b7b441e 100644
--- a/Harden-Windows-Security Module/Main files/Core/Confirm-SystemCompliance.psm1
+++ b/Harden-Windows-Security Module/Main files/Core/Confirm-SystemCompliance.psm1
@@ -1305,24 +1305,24 @@ function Confirm-SystemCompliance {
else {
#Region Colors
- [System.Management.Automation.ScriptBlock]$WritePlum = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(221,160,221))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [System.Management.Automation.ScriptBlock]$WriteOrchid = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(218,112,214))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [System.Management.Automation.ScriptBlock]$WriteFuchsia = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(255,0,255))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [System.Management.Automation.ScriptBlock]$WriteMediumOrchid = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(186,85,211))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [System.Management.Automation.ScriptBlock]$WriteMediumPurple = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(147,112,219))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [System.Management.Automation.ScriptBlock]$WriteBlueViolet = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(138,43,226))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [System.Management.Automation.ScriptBlock]$AndroidGreen = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(176,191,26))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [System.Management.Automation.ScriptBlock]$WritePink = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(255,192,203))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [System.Management.Automation.ScriptBlock]$WriteHotPink = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(255,105,180))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [System.Management.Automation.ScriptBlock]$WriteDeepPink = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(255,20,147))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [System.Management.Automation.ScriptBlock]$WriteMintGreen = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(152,255,152))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [System.Management.Automation.ScriptBlock]$WriteOrange = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(255,165,0))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [System.Management.Automation.ScriptBlock]$WriteSkyBlue = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(135,206,235))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
- [System.Management.Automation.ScriptBlock]$Daffodil = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(255,255,49))$($PSStyle.Reverse)$($args[0])$($PSStyle.Reset)" }
+ [System.Management.Automation.ScriptBlock]$WritePlum = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(221,160,221))$($PSStyle.Reverse)$($Args[0])$($PSStyle.Reset)" }
+ [System.Management.Automation.ScriptBlock]$WriteOrchid = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(218,112,214))$($PSStyle.Reverse)$($Args[0])$($PSStyle.Reset)" }
+ [System.Management.Automation.ScriptBlock]$WriteFuchsia = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(255,0,255))$($PSStyle.Reverse)$($Args[0])$($PSStyle.Reset)" }
+ [System.Management.Automation.ScriptBlock]$WriteMediumOrchid = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(186,85,211))$($PSStyle.Reverse)$($Args[0])$($PSStyle.Reset)" }
+ [System.Management.Automation.ScriptBlock]$WriteMediumPurple = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(147,112,219))$($PSStyle.Reverse)$($Args[0])$($PSStyle.Reset)" }
+ [System.Management.Automation.ScriptBlock]$WriteBlueViolet = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(138,43,226))$($PSStyle.Reverse)$($Args[0])$($PSStyle.Reset)" }
+ [System.Management.Automation.ScriptBlock]$AndroidGreen = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(176,191,26))$($PSStyle.Reverse)$($Args[0])$($PSStyle.Reset)" }
+ [System.Management.Automation.ScriptBlock]$WritePink = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(255,192,203))$($PSStyle.Reverse)$($Args[0])$($PSStyle.Reset)" }
+ [System.Management.Automation.ScriptBlock]$WriteHotPink = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(255,105,180))$($PSStyle.Reverse)$($Args[0])$($PSStyle.Reset)" }
+ [System.Management.Automation.ScriptBlock]$WriteDeepPink = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(255,20,147))$($PSStyle.Reverse)$($Args[0])$($PSStyle.Reset)" }
+ [System.Management.Automation.ScriptBlock]$WriteMintGreen = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(152,255,152))$($PSStyle.Reverse)$($Args[0])$($PSStyle.Reset)" }
+ [System.Management.Automation.ScriptBlock]$WriteOrange = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(255,165,0))$($PSStyle.Reverse)$($Args[0])$($PSStyle.Reset)" }
+ [System.Management.Automation.ScriptBlock]$WriteSkyBlue = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(135,206,235))$($PSStyle.Reverse)$($Args[0])$($PSStyle.Reset)" }
+ [System.Management.Automation.ScriptBlock]$Daffodil = { Write-Output -InputObject "$($PSStyle.Foreground.FromRGB(255,255,49))$($PSStyle.Reverse)$($Args[0])$($PSStyle.Reset)" }
[System.Management.Automation.ScriptBlock]$WriteRainbow1 = {
- $text = $args[0]
- $colors = @(
+ $Text = $Args[0]
+ [System.Drawing.Color[]]$Colors = @(
[System.Drawing.Color]::Pink,
[System.Drawing.Color]::HotPink,
[System.Drawing.Color]::SkyBlue,
@@ -1333,16 +1333,16 @@ function Confirm-SystemCompliance {
)
$Output = ''
- for ($i = 0; $i -lt $text.Length; $i++) {
- $color = $colors[$i % $colors.Length]
- $Output += "$($PSStyle.Foreground.FromRGB($color.R, $color.G, $color.B))$($text[$i])$($PSStyle.Reset)"
+ for ($i = 0; $i -lt $Text.Length; $i++) {
+ $Color = $Colors[$i % $Colors.Length]
+ $Output += "$($PSStyle.Foreground.FromRGB($Color.R, $Color.G, $Color.B))$($Text[$i])$($PSStyle.Reset)"
}
Write-Output -InputObject $Output
}
[System.Management.Automation.ScriptBlock]$WriteRainbow2 = {
- $text = $args[0]
- [System.Drawing.Color[]]$colors = @(
+ $Text = $Args[0]
+ [System.Drawing.Color[]]$Colors = @(
[System.Drawing.Color]::Pink,
[System.Drawing.Color]::HotPink,
[System.Drawing.Color]::SkyBlue,
@@ -1357,9 +1357,9 @@ function Confirm-SystemCompliance {
)
[System.String]$Output = ''
- for ($i = 0; $i -lt $text.Length; $i++) {
- $color = $colors[$i % $colors.Length]
- $Output += "$($PSStyle.Foreground.FromRGB($color.R, $color.G, $color.B))$($text[$i])$($PSStyle.Reset)"
+ for ($i = 0; $i -lt $Text.Length; $i++) {
+ $Color = $Colors[$i % $Colors.Length]
+ $Output += "$($PSStyle.Foreground.FromRGB($Color.R, $Color.G, $Color.B))$($Text[$i])$($PSStyle.Reset)"
}
Write-Output -InputObject $Output
}
@@ -1375,11 +1375,11 @@ function Confirm-SystemCompliance {
Label = 'Compliant'
Expression =
{ switch ($_.Compliant) {
- { $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(221,160,221))"; break } # Use PSStyle to set the color
- { $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
- { $_ -eq 'N/A' } { $color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
+ { $_ -eq $true } { $Color = "$($PSStyle.Foreground.FromRGB(221,160,221))"; break } # Use PSStyle to set the color
+ { $_ -eq $false } { $Color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
+ { $_ -eq 'N/A' } { $Color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
}
- "$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
+ "$Color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
}, Value, Name, Category, Method
@@ -1391,11 +1391,11 @@ function Confirm-SystemCompliance {
Label = 'Compliant'
Expression =
{ switch ($_.Compliant) {
- { $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(218,112,214))"; break } # Use PSStyle to set the color
- { $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
- { $_ -eq 'N/A' } { $color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
+ { $_ -eq $true } { $Color = "$($PSStyle.Foreground.FromRGB(218,112,214))"; break } # Use PSStyle to set the color
+ { $_ -eq $false } { $Color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
+ { $_ -eq 'N/A' } { $Color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
}
- "$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
+ "$Color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
}, Value, Name, Category, Method
@@ -1407,11 +1407,11 @@ function Confirm-SystemCompliance {
Label = 'Compliant'
Expression =
{ switch ($_.Compliant) {
- { $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(255,0,255))"; break } # Use PSStyle to set the color
- { $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
- { $_ -eq 'N/A' } { $color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
+ { $_ -eq $true } { $Color = "$($PSStyle.Foreground.FromRGB(255,0,255))"; break } # Use PSStyle to set the color
+ { $_ -eq $false } { $Color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
+ { $_ -eq 'N/A' } { $Color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
}
- "$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
+ "$Color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
}, Value, Name, Category, Method
@@ -1423,11 +1423,11 @@ function Confirm-SystemCompliance {
Label = 'Compliant'
Expression =
{ switch ($_.Compliant) {
- { $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(186,85,211))"; break } # Use PSStyle to set the color
- { $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
- { $_ -eq 'N/A' } { $color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
+ { $_ -eq $true } { $Color = "$($PSStyle.Foreground.FromRGB(186,85,211))"; break } # Use PSStyle to set the color
+ { $_ -eq $false } { $Color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
+ { $_ -eq 'N/A' } { $Color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
}
- "$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
+ "$Color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
}, Value, Name, Category, Method
@@ -1439,11 +1439,11 @@ function Confirm-SystemCompliance {
Label = 'Compliant'
Expression =
{ switch ($_.Compliant) {
- { $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(147,112,219))"; break } # Use PSStyle to set the color
- { $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
- { $_ -eq 'N/A' } { $color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
+ { $_ -eq $true } { $Color = "$($PSStyle.Foreground.FromRGB(147,112,219))"; break } # Use PSStyle to set the color
+ { $_ -eq $false } { $Color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
+ { $_ -eq 'N/A' } { $Color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
}
- "$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
+ "$Color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
}, Value, Name, Category, Method
@@ -1455,11 +1455,11 @@ function Confirm-SystemCompliance {
Label = 'Compliant'
Expression =
{ switch ($_.Compliant) {
- { $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(138,43,226))"; break } # Use PSStyle to set the color
- { $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
- { $_ -eq 'N/A' } { $color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
+ { $_ -eq $true } { $Color = "$($PSStyle.Foreground.FromRGB(138,43,226))"; break } # Use PSStyle to set the color
+ { $_ -eq $false } { $Color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
+ { $_ -eq 'N/A' } { $Color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
}
- "$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
+ "$Color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
}, Value, Name, Category, Method
@@ -1471,11 +1471,11 @@ function Confirm-SystemCompliance {
Label = 'Compliant'
Expression =
{ switch ($_.Compliant) {
- { $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(176,191,26))"; break } # Use PSStyle to set the color
- { $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
- { $_ -eq 'N/A' } { $color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
+ { $_ -eq $true } { $Color = "$($PSStyle.Foreground.FromRGB(176,191,26))"; break } # Use PSStyle to set the color
+ { $_ -eq $false } { $Color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
+ { $_ -eq 'N/A' } { $Color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
}
- "$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
+ "$Color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
}, Value, Name, Category, Method
@@ -1487,11 +1487,11 @@ function Confirm-SystemCompliance {
Label = 'Compliant'
Expression =
{ switch ($_.Compliant) {
- { $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(255,192,203))"; break } # Use PSStyle to set the color
- { $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
- { $_ -eq 'N/A' } { $color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
+ { $_ -eq $true } { $Color = "$($PSStyle.Foreground.FromRGB(255,192,203))"; break } # Use PSStyle to set the color
+ { $_ -eq $false } { $Color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
+ { $_ -eq 'N/A' } { $Color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
}
- "$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
+ "$Color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
}, Value, Name, Category, Method
@@ -1503,11 +1503,11 @@ function Confirm-SystemCompliance {
Label = 'Compliant'
Expression =
{ switch ($_.Compliant) {
- { $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(135,206,235))"; break } # Use PSStyle to set the color
- { $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
- { $_ -eq 'N/A' } { $color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
+ { $_ -eq $true } { $Color = "$($PSStyle.Foreground.FromRGB(135,206,235))"; break } # Use PSStyle to set the color
+ { $_ -eq $false } { $Color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
+ { $_ -eq 'N/A' } { $Color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
}
- "$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
+ "$Color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
}, Value, Name, Category, Method
@@ -1519,11 +1519,11 @@ function Confirm-SystemCompliance {
Label = 'Compliant'
Expression =
{ switch ($_.Compliant) {
- { $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(255,105,180))"; break } # Use PSStyle to set the color
- { $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
- { $_ -eq 'N/A' } { $color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
+ { $_ -eq $true } { $Color = "$($PSStyle.Foreground.FromRGB(255,105,180))"; break } # Use PSStyle to set the color
+ { $_ -eq $false } { $Color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
+ { $_ -eq 'N/A' } { $Color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
}
- "$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
+ "$Color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
}, Value, Name, Category, Method
@@ -1535,11 +1535,11 @@ function Confirm-SystemCompliance {
Label = 'Compliant'
Expression =
{ switch ($_.Compliant) {
- { $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(255,20,147))"; break } # Use PSStyle to set the color
- { $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
- { $_ -eq 'N/A' } { $color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
+ { $_ -eq $true } { $Color = "$($PSStyle.Foreground.FromRGB(255,20,147))"; break } # Use PSStyle to set the color
+ { $_ -eq $false } { $Color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
+ { $_ -eq 'N/A' } { $Color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
}
- "$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
+ "$Color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
}, Value, Name, Category, Method
@@ -1551,11 +1551,11 @@ function Confirm-SystemCompliance {
Label = 'Compliant'
Expression =
{ switch ($_.Compliant) {
- { $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(152,255,152))"; break } # Use PSStyle to set the color
- { $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
- { $_ -eq 'N/A' } { $color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
+ { $_ -eq $true } { $Color = "$($PSStyle.Foreground.FromRGB(152,255,152))"; break } # Use PSStyle to set the color
+ { $_ -eq $false } { $Color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
+ { $_ -eq 'N/A' } { $Color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
}
- "$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
+ "$Color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
}, Value, Name, Category, Method
@@ -1567,11 +1567,11 @@ function Confirm-SystemCompliance {
Label = 'Compliant'
Expression =
{ switch ($_.Compliant) {
- { $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(255,165,0))"; break } # Use PSStyle to set the color
- { $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
- { $_ -eq 'N/A' } { $color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
+ { $_ -eq $true } { $Color = "$($PSStyle.Foreground.FromRGB(255,165,0))"; break } # Use PSStyle to set the color
+ { $_ -eq $false } { $Color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
+ { $_ -eq 'N/A' } { $Color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
}
- "$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
+ "$Color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
}, Value, Name, Category, Method
@@ -1583,11 +1583,11 @@ function Confirm-SystemCompliance {
Label = 'Compliant'
Expression =
{ switch ($_.Compliant) {
- { $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(255,255,49))"; break } # Use PSStyle to set the color
- { $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
- { $_ -eq 'N/A' } { $color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
+ { $_ -eq $true } { $Color = "$($PSStyle.Foreground.FromRGB(255,255,49))"; break } # Use PSStyle to set the color
+ { $_ -eq $false } { $Color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
+ { $_ -eq 'N/A' } { $Color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
}
- "$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
+ "$Color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
}, Value, Name, Category, Method
@@ -1604,11 +1604,11 @@ function Confirm-SystemCompliance {
Label = 'Compliant'
Expression =
{ switch ($_.Compliant) {
- { $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(221,160,221))"; break } # Use PSStyle to set the color
- { $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
- { $_ -eq 'N/A' } { $color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
+ { $_ -eq $true } { $Color = "$($PSStyle.Foreground.FromRGB(221,160,221))"; break } # Use PSStyle to set the color
+ { $_ -eq $false } { $Color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
+ { $_ -eq 'N/A' } { $Color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
}
- "$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
+ "$Color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
} , Value -AutoSize
@@ -1621,11 +1621,11 @@ function Confirm-SystemCompliance {
Label = 'Compliant'
Expression =
{ switch ($_.Compliant) {
- { $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(218,112,214))"; break } # Use PSStyle to set the color
- { $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
- { $_ -eq 'N/A' } { $color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
+ { $_ -eq $true } { $Color = "$($PSStyle.Foreground.FromRGB(218,112,214))"; break } # Use PSStyle to set the color
+ { $_ -eq $false } { $Color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
+ { $_ -eq 'N/A' } { $Color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
}
- "$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
+ "$Color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
} , Value -AutoSize
@@ -1638,11 +1638,11 @@ function Confirm-SystemCompliance {
Label = 'Compliant'
Expression =
{ switch ($_.Compliant) {
- { $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(255,0,255))"; break } # Use PSStyle to set the color
- { $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
- { $_ -eq 'N/A' } { $color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
+ { $_ -eq $true } { $Color = "$($PSStyle.Foreground.FromRGB(255,0,255))"; break } # Use PSStyle to set the color
+ { $_ -eq $false } { $Color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
+ { $_ -eq 'N/A' } { $Color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
}
- "$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
+ "$Color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
} , Value -AutoSize
@@ -1655,11 +1655,11 @@ function Confirm-SystemCompliance {
Label = 'Compliant'
Expression =
{ switch ($_.Compliant) {
- { $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(186,85,211))"; break } # Use PSStyle to set the color
- { $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
- { $_ -eq 'N/A' } { $color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
+ { $_ -eq $true } { $Color = "$($PSStyle.Foreground.FromRGB(186,85,211))"; break } # Use PSStyle to set the color
+ { $_ -eq $false } { $Color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
+ { $_ -eq 'N/A' } { $Color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
}
- "$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
+ "$Color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
} , Value -AutoSize
@@ -1672,11 +1672,11 @@ function Confirm-SystemCompliance {
Label = 'Compliant'
Expression =
{ switch ($_.Compliant) {
- { $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(147,112,219))"; break } # Use PSStyle to set the color
- { $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
- { $_ -eq 'N/A' } { $color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
+ { $_ -eq $true } { $Color = "$($PSStyle.Foreground.FromRGB(147,112,219))"; break } # Use PSStyle to set the color
+ { $_ -eq $false } { $Color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
+ { $_ -eq 'N/A' } { $Color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
}
- "$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
+ "$Color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
} , Value -AutoSize
@@ -1689,11 +1689,11 @@ function Confirm-SystemCompliance {
Label = 'Compliant'
Expression =
{ switch ($_.Compliant) {
- { $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(138,43,226))"; break } # Use PSStyle to set the color
- { $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
- { $_ -eq 'N/A' } { $color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
+ { $_ -eq $true } { $Color = "$($PSStyle.Foreground.FromRGB(138,43,226))"; break } # Use PSStyle to set the color
+ { $_ -eq $false } { $Color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
+ { $_ -eq 'N/A' } { $Color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
}
- "$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
+ "$Color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
} , Value -AutoSize
@@ -1706,11 +1706,11 @@ function Confirm-SystemCompliance {
Label = 'Compliant'
Expression =
{ switch ($_.Compliant) {
- { $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(176,191,26))"; break } # Use PSStyle to set the color
- { $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
- { $_ -eq 'N/A' } { $color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
+ { $_ -eq $true } { $Color = "$($PSStyle.Foreground.FromRGB(176,191,26))"; break } # Use PSStyle to set the color
+ { $_ -eq $false } { $Color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
+ { $_ -eq 'N/A' } { $Color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
}
- "$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
+ "$Color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
} , Value -AutoSize
@@ -1723,11 +1723,11 @@ function Confirm-SystemCompliance {
Label = 'Compliant'
Expression =
{ switch ($_.Compliant) {
- { $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(255,192,203))"; break } # Use PSStyle to set the color
- { $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
- { $_ -eq 'N/A' } { $color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
+ { $_ -eq $true } { $Color = "$($PSStyle.Foreground.FromRGB(255,192,203))"; break } # Use PSStyle to set the color
+ { $_ -eq $false } { $Color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
+ { $_ -eq 'N/A' } { $Color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
}
- "$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
+ "$Color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
} , Value -AutoSize
@@ -1740,11 +1740,11 @@ function Confirm-SystemCompliance {
Label = 'Compliant'
Expression =
{ switch ($_.Compliant) {
- { $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(135,206,235))"; break } # Use PSStyle to set the color
- { $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
- { $_ -eq 'N/A' } { $color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
+ { $_ -eq $true } { $Color = "$($PSStyle.Foreground.FromRGB(135,206,235))"; break } # Use PSStyle to set the color
+ { $_ -eq $false } { $Color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
+ { $_ -eq 'N/A' } { $Color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
}
- "$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
+ "$Color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
} , Value -AutoSize
@@ -1757,11 +1757,11 @@ function Confirm-SystemCompliance {
Label = 'Compliant'
Expression =
{ switch ($_.Compliant) {
- { $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(255,105,180))"; break } # Use PSStyle to set the color
- { $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
- { $_ -eq 'N/A' } { $color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
+ { $_ -eq $true } { $Color = "$($PSStyle.Foreground.FromRGB(255,105,180))"; break } # Use PSStyle to set the color
+ { $_ -eq $false } { $Color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
+ { $_ -eq 'N/A' } { $Color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
}
- "$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
+ "$Color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
} , Value -AutoSize
@@ -1774,11 +1774,11 @@ function Confirm-SystemCompliance {
Label = 'Compliant'
Expression =
{ switch ($_.Compliant) {
- { $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(255,20,147))"; break } # Use PSStyle to set the color
- { $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
- { $_ -eq 'N/A' } { $color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
+ { $_ -eq $true } { $Color = "$($PSStyle.Foreground.FromRGB(255,20,147))"; break } # Use PSStyle to set the color
+ { $_ -eq $false } { $Color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
+ { $_ -eq 'N/A' } { $Color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
}
- "$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
+ "$Color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
} , Value -AutoSize
@@ -1791,11 +1791,11 @@ function Confirm-SystemCompliance {
Label = 'Compliant'
Expression =
{ switch ($_.Compliant) {
- { $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(152,255,152))"; break } # Use PSStyle to set the color
- { $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
- { $_ -eq 'N/A' } { $color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
+ { $_ -eq $true } { $Color = "$($PSStyle.Foreground.FromRGB(152,255,152))"; break } # Use PSStyle to set the color
+ { $_ -eq $false } { $Color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
+ { $_ -eq 'N/A' } { $Color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
}
- "$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
+ "$Color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
} , Value -AutoSize
@@ -1808,11 +1808,11 @@ function Confirm-SystemCompliance {
Label = 'Compliant'
Expression =
{ switch ($_.Compliant) {
- { $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(255,165,0))"; break } # Use PSStyle to set the color
- { $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
- { $_ -eq 'N/A' } { $color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
+ { $_ -eq $true } { $Color = "$($PSStyle.Foreground.FromRGB(255,165,0))"; break } # Use PSStyle to set the color
+ { $_ -eq $false } { $Color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
+ { $_ -eq 'N/A' } { $Color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
}
- "$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
+ "$Color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
} , Value -AutoSize
@@ -1825,11 +1825,11 @@ function Confirm-SystemCompliance {
Label = 'Compliant'
Expression =
{ switch ($_.Compliant) {
- { $_ -eq $true } { $color = "$($PSStyle.Foreground.FromRGB(255,255,49))"; break } # Use PSStyle to set the color
- { $_ -eq $false } { $color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
- { $_ -eq 'N/A' } { $color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
+ { $_ -eq $true } { $Color = "$($PSStyle.Foreground.FromRGB(255,255,49))"; break } # Use PSStyle to set the color
+ { $_ -eq $false } { $Color = "$($PSStyle.Foreground.FromRGB(229,43,80))$($PSStyle.Blink)"; break } # Use PSStyle to set the color
+ { $_ -eq 'N/A' } { $Color = "$($PSStyle.Foreground.FromRGB(238,255,204))"; break } # Use PSStyle to set the color
}
- "$color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
+ "$Color$($_.Compliant)$($PSStyle.Reset)" # Use PSStyle to reset the color
}
} , Value -AutoSize
From c19bfdbd58dfc27d157e36f920a44a8466b2a2f4 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Fri, 15 Dec 2023 07:10:54 -0930
Subject: [PATCH 78/79] Improved workspace file for spell checking
---
...den-Windows-Security Module.code-workspace | 20 ++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/Harden-Windows-Security Module/Harden-Windows-Security Module.code-workspace b/Harden-Windows-Security Module/Harden-Windows-Security Module.code-workspace
index 70cebbf1d..45eed8c1c 100644
--- a/Harden-Windows-Security Module/Harden-Windows-Security Module.code-workspace
+++ b/Harden-Windows-Security Module/Harden-Windows-Security Module.code-workspace
@@ -11,8 +11,14 @@
"powershell.codeFormatting.useConstantStrings": true,
"powershell.codeFormatting.useCorrectCasing": true,
"powershell.codeFormatting.whitespaceBetweenParameters": true,
- "json.schemas": [],
- "cSpell.userWords": [
+ "json.schemas": [
+
+ ],
+ "cSpell.enableFiletypes": [
+ "*"
+ ],
+ "cSpell.maxNumberOfProblems": 200,
+ "cSpell.words": [
"accepteula",
"ADMX",
"Alloc",
@@ -36,6 +42,7 @@
"Bstr",
"BYOVD",
"catname",
+ "CDROM",
"CHACHA",
"Cipolicy",
"Citool",
@@ -90,6 +97,7 @@
"LICENSEURI",
"LLMNR",
"LMHOSTS",
+ "lockstatus",
"logfiles",
"lsass",
"Mastadon",
@@ -151,6 +159,7 @@
"sigcheck",
"Signingkey",
"signtool",
+ "Sponsorsof",
"Spynet",
"ssllabs",
"SSTP",
@@ -162,6 +171,7 @@
"Sysmon",
"systemroot",
"taskkill",
+ "Tmpl",
"tolower",
"tpmenabled",
"Tpmpin",
@@ -188,11 +198,7 @@
"WTDS",
"XDRs",
"Zune"
- ],
- "cSpell.enableFiletypes": [
- "*"
- ],
- "cSpell.maxNumberOfProblems": 200
+ ]
},
"extensions": {
"recommendations": [
From 9ce985a8ceb4d1b83d5df14f19b4ee209ff885e0 Mon Sep 17 00:00:00 2001
From: Violet <spynetgirl@outlook.com>
Date: Fri, 15 Dec 2023 07:11:33 -0930
Subject: [PATCH 79/79] Update Harden-Windows-Security Module.code-workspace
---
.../Harden-Windows-Security Module.code-workspace | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/Harden-Windows-Security Module/Harden-Windows-Security Module.code-workspace b/Harden-Windows-Security Module/Harden-Windows-Security Module.code-workspace
index 45eed8c1c..36f6570eb 100644
--- a/Harden-Windows-Security Module/Harden-Windows-Security Module.code-workspace
+++ b/Harden-Windows-Security Module/Harden-Windows-Security Module.code-workspace
@@ -11,9 +11,7 @@
"powershell.codeFormatting.useConstantStrings": true,
"powershell.codeFormatting.useCorrectCasing": true,
"powershell.codeFormatting.whitespaceBetweenParameters": true,
- "json.schemas": [
-
- ],
+ "json.schemas": [],
"cSpell.enableFiletypes": [
"*"
],