Conversation

@oppressor1761

including security and privacy overview.

Signed-off-by: oppressor1761 <163018825+oppressor1761@users.noreply.github.com>
@netlify

netlify bot commented Oct 26, 2024

Deploy Preview for privsec-dev ready!

Built without sensitive environment variables

Name Link
🔨 Latest commit b675715
🔍 Latest deploy log https://app.netlify.com/sites/privsec-dev/deploys/6747e13ebd5b64000878b2bc
😎 Deploy Preview https://deploy-preview-287--privsec-dev.netlify.app

@oppressor1761
Author

This needs to be updated to show 24H2 improvements.

@wj25czxj47bu6q wj25czxj47bu6q marked this pull request as draft October 28, 2024 19:16
@wj25czxj47bu6q wj25czxj47bu6q changed the title add Windows overview Windows Overview Oct 28, 2024
@wj25czxj47bu6q wj25czxj47bu6q added [c] new content Pull requests that add an entirely new article [z] wait to merge For internal use by team members labels Oct 28, 2024
@wj25czxj47bu6q

Contributor

@wj25czxj47bu6q wj25czxj47bu6q left a comment

Some of this is good, but some of it is questionable or insufficiently explained.

For example, why should optional diagnostic data be allowed?

Also, we are not going to accept any commands or instructions regarding activation. It is fine to recommend specific editions of Windows, but that's about it.

@wj25czxj47bu6q wj25czxj47bu6q removed the [z] wait to merge For internal use by team members label Oct 30, 2024
@nihil-admirari

In-depth analysis of Windows architecture and telemetry: https://www.bsi.bund.de/EN/Service-Navi/Publikationen/Studien/SiSyPHuS_Win10/SiSyPHuS_node.html. Some worthy mentions:

They recommend making a hard link for svchost.exe, changing DiagTrack to use that hardlink, and then blocking the hardlink's access to the internet using the built-in firewall.

A more hardcore version would be to change Windows Update service to use the hardlink and block all outbound completely, with the exception of Windows Update.
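The hardlink-plus-firewall approach described in the comment above, as an added PowerShell example; this is not code from the PR, the BSI study or privsec-dev. It assumes a link name of `svchost-diagtrack.exe`, a firewall rule name of my choosing, an elevated PowerShell 5.1+ session with the NetSecurity module, and that the account can create the hard link (recent Windows builds require write access to the target file for hard-link creation, so taking ownership of svchost.exe may be needed first; the page does not cover that step). The final object is there because the approach has a known failure mode: a feature update re-links `System32\svchost.exe` to a new binary and leaves the extra link pointing at the old one.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the PR, the BSI study or privsec-dev): make DiagTrack
# run from a second path to the same svchost.exe, then block only that path.
# Assumed names: svchost-diagtrack.exe and the firewall rule display name.

$svchost  = Join-Path $env:SystemRoot 'System32\svchost.exe'
$link     = Join-Path $env:SystemRoot 'System32\svchost-diagtrack.exe'   # assumed name
$service  = 'DiagTrack'
$ruleName = 'Block DiagTrack outbound (hardlinked svchost)'               # assumed name

# 1. A hard link is the same file under a second path. Windows Firewall matches
#    program rules on the image path, so this path can be blocked while every
#    other svchost-hosted service keeps using System32\svchost.exe.
if (-not (Test-Path -LiteralPath $link)) {
    New-Item -ItemType HardLink -Path $link -Target $svchost -ErrorAction Stop | Out-Null
}

# 2. Re-point DiagTrack at the link. The service's existing arguments
#    (normally "-k utcsvc -p") are read from the live service, not hardcoded.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$service'"
if (-not $svc) { throw "Service $service not found" }
if ($svc.PathName -notlike "*$(Split-Path -Path $link -Leaf)*") {
    $newPath = $svc.PathName -replace [regex]::Escape($svchost), $link
    # sc.exe syntax: "binPath=" must be followed by a space, then the full command line.
    sc.exe config $service binPath= "$newPath" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }
    Restart-Service -Name $service -ErrorAction SilentlyContinue
}

# 3. Outbound block keyed on the link path only, on every network profile.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
        -Program $link -Profile Any -Enabled True | Out-Null
}

# 4. Verify, and detect staleness after servicing: if System32\svchost.exe was
#    replaced, the two paths no longer refer to one file, so size or timestamp differ.
$a = Get-Item -LiteralPath $link
$b = Get-Item -LiteralPath $svchost
[pscustomobject]@{
    ServicePath    = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$service'").PathName
    LinkIsHardLink = ($a.LinkType -eq 'HardLink')
    LinkStale      = ($a.Length -ne $b.Length -or $a.LastWriteTimeUtc -ne $b.LastWriteTimeUtc)
    FirewallRuleOn = ((Get-NetFirewallRule -DisplayName $ruleName).Enabled -eq 'True')
}
```

Re-run the script after each feature update; if `LinkStale` reports `True`, delete the link and let step 1 recreate it so DiagTrack is not left running an outdated binary that Windows servicing no longer patches.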

@nihil-admirari

Back in 2012, Windows used non-validating DNSSEC aware local resolver. Have things improved since then? Should I run Unbound locally or in a Linux VM (like with chrony) to do DNSSEC validation?

@oppressor1761
Author

I think it's better to harden Windows using lgpo, .ppkg and answer files rather than altering group policies one by one manually. It's not easy to remember every custom policy you ever applied without an lgpo.
I have audited most of the Windows group policies and have already built my own lgpo.txt guide. However, I'm not sure how to explain every item in it because it contains hundreds of items.

@nihil-admirari

LGPO text files support comments, e.g.:

; \Control Panel\Personalization
; Prevent enabling lock screen camera
; Enabled
Computer
Software\Policies\Microsoft\Windows\Personalization
NoLockScreenCamera
DWORD:1
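An added PowerShell example (mine, not part of the PR or the privsec-dev project) that parses this record format and then audits a whole LGPO text file against the live registry, which is the check a practitioner wants after `LGPO.exe /t` and `gpupdate /force`: it reports every record whose key or value is missing, whose data differs, or whose `DELETE` record still has a value present. Function names are my own; it assumes four-line records (scope, key path, value name, `TYPE:data` or `DELETE`) separated by blank lines, `;` comment lines, and decimal `DWORD` data as in the files on this page.

```powershell
# Added example, not code from the PR or privsec-dev. Function names are mine.

function ConvertFrom-LgpoText {
    # Turns LGPO text lines into objects with Scope, KeyPath, ValueName, Type, Data.
    param([string[]]$Lines)

    $buffer = @()
    foreach ($raw in @($Lines) + '') {            # trailing '' flushes the last record
        $line = "$raw".Trim()
        if ($line.StartsWith(';')) { continue }      # comment line, e.g. "; Prevent enabling lock screen camera"
        if ($line -ne '') { $buffer += $line; continue }
        if ($buffer.Count -eq 4) {
            # "DWORD:1" -> DWORD / 1 ; "MULTISZ:" -> MULTISZ / "" ; "DELETE" -> DELETE / $null
            $type, $data = $buffer[3] -split ':', 2
            [pscustomobject]@{
                Scope = $buffer[0]; KeyPath = $buffer[1]; ValueName = $buffer[2]
                Type  = $type;      Data    = $data
            }
        } elseif ($buffer.Count -gt 0) {
            Write-Warning "Malformed record skipped: $($buffer -join ' | ')"
        }
        $buffer = @()
    }
}

function Test-LgpoApplied {
    # Compares each record with the registry: Computer records land in HKLM,
    # User records in the hive of the user running this (HKCU).
    param([Parameter(Mandatory)][string]$Path)

    foreach ($r in ConvertFrom-LgpoText -Lines (Get-Content -LiteralPath $Path)) {
        $hive   = if ($r.Scope -eq 'User') { 'HKCU:' } else { 'HKLM:' }
        $key    = "$hive\$($r.KeyPath)"
        $regKey = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
        # DoNotExpandEnvironmentNames keeps EXSZ data comparable to the file text.
        $actual = if ($regKey) { $regKey.GetValue($r.ValueName, $null, 'DoNotExpandEnvironmentNames') } else { $null }

        $ok = switch ($r.Type) {
            'DELETE' { $null -eq $actual }                                   # must be absent
            'DWORD'  { ($null -ne $actual) -and ([int64]$actual -eq [int64]$r.Data) }
            'SZ'     { "$actual" -eq $r.Data }
            'EXSZ'   { "$actual" -eq $r.Data }
            default  { $null -ne $actual }                                   # MULTISZ/QWORD/BINARY: presence only
        }
        [pscustomobject]@{
            Key = $key; ValueName = $r.ValueName; Type = $r.Type
            Expected = $r.Data; Actual = $actual; Applied = $ok
        }
    }
}

# Usage: list only the records that did not take effect.
# Test-LgpoApplied -Path .\lgpo.txt | Where-Object { -not $_.Applied } | Format-Table -AutoSize
```

Two design points: `DELETE` records are asserted as absence rather than skipped, because a stale value surviving under `HKLM\Software\Policies` is exactly the kind of drift an audit should surface, and `User` records are only meaningful for the account that ran `gpupdate`, so run the audit once per user profile you care about.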

@oppressor1761
Author

This lgpo can be applied without caution.

; LGPO-text file, used with LGPO.exe.

; Smart App Control
Computer
SYSTEM\CurrentControlSet\Control\CI\Policy
VerifiedAndReputablePolicyState
DWORD:1

; Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)
Computer
SOFTWARE\Policies\Microsoft\FVE
EncryptionMethodWithXtsOs
DWORD:7

; Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)
Computer
SOFTWARE\Policies\Microsoft\FVE
EncryptionMethodWithXtsFdv
DWORD:7

; Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)
Computer
SOFTWARE\Policies\Microsoft\FVE
EncryptionMethodWithXtsRdv
DWORD:4

; Require additional authentication at startup
Computer
SOFTWARE\Policies\Microsoft\FVE
UseAdvancedStartup
DWORD:1

; Require additional authentication at startup
Computer
SOFTWARE\Policies\Microsoft\FVE
EnableBDEWithNoTPM
DWORD:0

; Require additional authentication at startup
Computer
SOFTWARE\Policies\Microsoft\FVE
UseTPMKey
DWORD:2

; Require additional authentication at startup
Computer
SOFTWARE\Policies\Microsoft\FVE
UseTPMPIN
DWORD:2

; Require additional authentication at startup
Computer
SOFTWARE\Policies\Microsoft\FVE
UseTPMKeyPIN
DWORD:2

; Require additional authentication at startup
Computer
SOFTWARE\Policies\Microsoft\FVE
UseTPM
DWORD:2

; Disallow standard users from changing the PIN or password
Computer
SOFTWARE\Policies\Microsoft\FVE
DisallowStandardUserPINReset
DWORD:1

; Interactive logon: Don't display last signed-in
Computer
Software\Microsoft\Windows\CurrentVersion\Policies\System
DontDisplayLastUserName
DWORD:1

; Interactive logon: Don’t display username at sign-in
Computer
Software\Microsoft\Windows\CurrentVersion\Policies\System
DontDisplayUserName
DWORD:1

; Interactive logon: Machine account lockout threshold
Computer
Software\Microsoft\Windows\CurrentVersion\Policies\System
MaxDevicePasswordFailedAttempts
DWORD:10

; Interactive logon: Do not require CTRL+ALT+DEL
Computer
Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCAD
DWORD:0

; Do not display network selection UI
Computer
Software\Policies\Microsoft\Windows\System
DontDisplayNetworkSelectionUI
DWORD:1

; Network access: Remotely accessible registry paths
Computer
System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths
Machine
MULTISZ:

; Network access: Remotely accessible registry paths and sub-paths
Computer
System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths
Machine
MULTISZ:

; Enable Certificate Padding
Computer
Software\Microsoft\Cryptography\Wintrust\Config
EnableCertPaddingCheck
DWORD:1

; Enable Certificate Padding
Computer
Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config
EnableCertPaddingCheck
DWORD:1

; Configure Attack Surface Reduction rules
Computer
Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
56a863a9-875e-4185-98a7-b882c64b5ce5
SZ:6

; Configure Attack Surface Reduction rules
Computer
Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
SZ:6

; Configure Attack Surface Reduction rules
Computer
Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
d4f940ab-401b-4efc-aadc-ad5f3c50688a
SZ:6

; Configure Attack Surface Reduction rules
Computer
Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
SZ:6

; Configure Attack Surface Reduction rules
Computer
Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
be9ba2d9-53ea-4cdc-84e5-9b1eeee46550
SZ:6

; Configure Attack Surface Reduction rules
Computer
Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
01443614-cd74-433a-b99e-2ecdc07bfc25
SZ:6

; Configure Attack Surface Reduction rules
Computer
Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
5beb7efe-fd9a-4556-801d-275e5ffc04cc
SZ:6

; Configure Attack Surface Reduction rules
Computer
Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
d3e037e1-3eb8-44c8-a917-57927947596d
SZ:6

; Configure Attack Surface Reduction rules
Computer
Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
3b576869-a4ec-4529-8536-b80a7769e899
SZ:6

; Configure Attack Surface Reduction rules
Computer
Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84
SZ:6

; Configure Attack Surface Reduction rules
Computer
Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
26190899-1602-49e8-8b27-eb1d0a1ce869
SZ:6

; Configure Attack Surface Reduction rules
Computer
Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
e6db77e5-3df2-4cf1-b95a-636979351e5b
SZ:6

; Configure Attack Surface Reduction rules
Computer
Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
d1e49aac-8f56-4280-b9ba-993a6d77406c
SZ:6

; Configure Attack Surface Reduction rules
Computer
Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
33ddedf1-c6e0-47cb-833e-de6133960387
SZ:6

; Configure Attack Surface Reduction rules
Computer
Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
SZ:6

; Configure Attack Surface Reduction rules
Computer
Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb
SZ:6

; Configure Attack Surface Reduction rules
Computer
Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
a8f5898e-1dc8-49a9-9878-85004b8a61e6
SZ:6

; Configure Attack Surface Reduction rules
Computer
Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b
SZ:6

; Configure Attack Surface Reduction rules
Computer
Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
c1db55ab-c21a-4637-bb3f-a12568109d35
SZ:6

; KB5032314
Computer
SOFTWARE\Microsoft\Ole\AppCompat\OLELinkConversionFromOLESTREAMToIStorage
Disabled
DWORD:1

; Allow Diagnostic Data
Computer
Software\Policies\Microsoft\Windows\DataCollection
AllowTelemetry
DWORD:0

; Accounts: Block Microsoft accounts
Computer
Software\Microsoft\Windows\CurrentVersion\Policies\System
NoConnectedUser
DWORD:1

; Allow Cortana
Computer
SOFTWARE\Policies\Microsoft\Windows\Windows Search
AllowCortana
DWORD:0

; Allow Cloud Search
Computer
SOFTWARE\Policies\Microsoft\Windows\Windows Search
AllowCloudSearch
DWORD:0

; Allow search and Cortana to use location
Computer
SOFTWARE\Policies\Microsoft\Windows\Windows Search
AllowSearchToUseLocation
DWORD:0

; Do not allow web search
Computer
SOFTWARE\Policies\Microsoft\Windows\Windows Search
DisableWebSearch
DWORD:1

; Don't search the web or display web results in Search
Computer
SOFTWARE\Policies\Microsoft\Windows\Windows Search
ConnectedSearchUseWeb
DWORD:0

; Do not show Windows tips
Computer
Software\Policies\Microsoft\Windows\CloudContent
DisableSoftLanding
DWORD:1

; Turn off cloud consumer account state content
Computer
Software\Policies\Microsoft\Windows\CloudContent
DisableConsumerAccountStateContent
DWORD:1

; Turn off cloud optimized content
Computer
Software\Policies\Microsoft\Windows\CloudContent
DisableCloudOptimizedContent
DWORD:1

; Do not use diagnostic data for tailored experiences
User
Software\Policies\Microsoft\Windows\CloudContent
DisableTailoredExperiencesWithDiagnosticData
DWORD:1

; Turn off the Windows Welcome Experience
User
Software\Policies\Microsoft\Windows\CloudContent
DisableWindowsSpotlightWindowsWelcomeExperience
DWORD:1

; Turn off all Windows spotlight features
User
Software\Policies\Microsoft\Windows\CloudContent
DisableWindowsSpotlightFeatures
DWORD:1

; Turn off account-based insights recent favorite and recommended files in File Explorer
Computer
Software\Policies\Microsoft\Windows\Explorer
DisableGraphRecentItems
DWORD:1

; Turn off display of recent search entries in the File Explorer search box
User
Software\Policies\Microsoft\Windows\Explorer
DisableSearchBoxSuggestions
DWORD:1

; Do not display the Welcome Center at user logon
User
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
RestrictWelcomeCenter
DWORD:1

; Hide the dropdown list of recent files
User
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
NoFileMru
DWORD:1

; Allow Online Tips
Computer
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
AllowOnlineTips
DWORD:0

; Remove Personalized Website Recommendations from the Recommended section in the Start Menu
Computer
Software\Policies\Microsoft\Windows\Explorer
HideRecommendedPersonalizedSites
DWORD:1

; Remove "Recently added" list from Start Menu
Computer
Software\Policies\Microsoft\Windows\Explorer
HideRecentlyAddedApps
DWORD:1

; Do not keep history of recently opened documents
Computer
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRecentDocsHistory
DWORD:1

; Show or hide "Most used" list from Start menu
Computer
Software\Policies\Microsoft\Windows\Explorer
ShowOrHideMostUsedApps
DWORD:2

; Remove Recommended section from Start Menu
Computer
Software\Policies\Microsoft\Windows\Explorer
HideRecommendedSection
DWORD:1

; Turn off KMS Client Online AVS Validation
Computer
Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform
NoGenTicket
DWORD:1

; Continue experiences on this device
Computer
Software\Policies\Microsoft\Windows\System
EnableCdp
DWORD:0

; Allow Message Service Cloud Sync
Computer
Software\Policies\Microsoft\Windows\Messaging
AllowMessageSync
DWORD:0

; CloudServiceSyncEnabled
User
SOFTWARE\Microsoft\Messaging
CloudServiceSyncEnabled
DWORD:0

; DontReportInfectionInformation
Computer
Software\Policies\Microsoft\MRT
DontReportInfectionInformation
DWORD:1

; Configure Watson events
Computer
Software\Policies\Microsoft\Windows Defender\Reporting
DisableGenericRePorts
DWORD:1

; Download Mode
Computer
SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization
DODownloadMode
DWORD:99

; EnableFeeds
Computer
SOFTWARE\Policies\Microsoft\Windows\Windows Feeds
EnableFeeds
DWORD:0

; Turn off Windows Copilot
User
SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot
TurnOffWindowsCopilot
DWORD:1

; Prevent OneDrive from generating network traffic until the user signs in to OneDrive
Computer
SOFTWARE\Microsoft\OneDrive
PreventNetworkTrafficPreUserSignIn
DWORD:1

; Configure browser process code integrity guard setting
Computer
Software\Policies\Microsoft\Edge
BrowserCodeIntegritySetting
DWORD:2

; Dynamic Code Settings
Computer
Software\Policies\Microsoft\Edge
DynamicCodeSettings
DWORD:1

; Enable online OCSP/CRL checks
Computer
Software\Policies\Microsoft\Edge
EnableOnlineRevocationChecks
DWORD:1

; Enable the network service sandbox
Computer
Software\Policies\Microsoft\Edge
NetworkServiceSandboxEnabled
DWORD:1

; Enable built-in PDF reader powered by Adobe Acrobat for WebView2
Computer
Software\Policies\Microsoft\Edge\WebView2\NewPDFReaderWebView2List
*
SZ:true

; Restrict exposure of local IP address by WebRTC
Computer
Software\Policies\Microsoft\Edge
WebRtcLocalhostIpHandling
SZ:disable_non_proxied_udp

; Control Manifest v2 extension availability
Computer
Software\Policies\Microsoft\Edge
ExtensionManifestV2Availability
DWORD:1

; Microsoft Edge built-in PDF reader powered by Adobe Acrobat enabled
Computer
Software\Policies\Microsoft\Edge
NewPDFReaderEnabled
DWORD:1

; Shows button on native PDF viewer in Microsoft Edge that allows users to sign up for Adobe Acrobat subscription
Computer
Software\Policies\Microsoft\Edge
ShowAcrobatSubscriptionButton
DWORD:0

; Send required and optional diagnostic data about browser usage
Computer
Software\Policies\Microsoft\Edge
DiagnosticData
DWORD:0

; Browser sign-in settings
Computer
Software\Policies\Microsoft\Edge
BrowserSignin
DWORD:0

; Configure whether a user always has a default profile automatically signed in with their work or school account
Computer
Software\Policies\Microsoft\Edge
NonRemovableProfileEnabled
DWORD:0

; Edge 3P SERP Telemetry Enabled
Computer
Software\Policies\Microsoft\Edge
Edge3PSerpTelemetryEnabled
DWORD:0

; Hide App Launcher on Microsoft Edge new tab page
Computer
Software\Policies\Microsoft\Edge
NewTabPageAppLauncherEnabled
DWORD:0

; Disable Bing chat entry-points on Microsoft Edge Enterprise new tab page
Computer
Software\Policies\Microsoft\Edge
NewTabPageBingChatEnabled
DWORD:0

; Allow Microsoft content on the new tab page
Computer
Software\Policies\Microsoft\Edge
NewTabPageContentEnabled
DWORD:0

; Enable network prediction
Computer
Software\Policies\Microsoft\Edge
NetworkPredictionOptions
DWORD:2

; Enable Google Cast
Computer
Software\Policies\Microsoft\Edge
EnableMediaRouter
DWORD:0

; Secure mode and Certificate-based Digital Signature validation in native PDF reader
Computer
Software\Policies\Microsoft\Edge
PDFSecureMode
DWORD:1

; Choose whether users can receive customized background images and text suggestions notifications and tips for Microsoft services
Computer
Software\Policies\Microsoft\Edge
SpotlightExperiencesAndRecommendationsEnabled
DWORD:0

; Microsoft Edge management enabled
Computer
Software\Policies\Microsoft\Edge
EdgeManagementEnabled
DWORD:0

; Configure InPrivate mode availability
Computer
Software\Policies\Microsoft\Edge
InPrivateModeAvailability
DWORD:2

; Configure App Install Control
Computer
Software\Policies\Microsoft\Windows Defender\SmartScreen
ConfigureAppInstallControlEnabled
DWORD:1

; Configure App Install Control
Computer
Software\Policies\Microsoft\Windows Defender\SmartScreen
ConfigureAppInstallControl
SZ:PreferStore

; Configure the level of client software diagnostic data sent by Office to Microsoft
User
software\policies\microsoft\office\common\clienttelemetry
sendtelemetry
DWORD:3

; Block signing into Office
User
software\policies\microsoft\office\16.0\common\signin
signinoptions
DWORD:3

; Allow the use of connected experiences in Office
User
software\policies\microsoft\office\16.0\common\privacy
disconnectedstate
DWORD:2

; Configure Controlled folder access
Computer
Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access
EnableControlledFolderAccess
DWORD:1

; Show Hubs Sidebar
Computer
Software\Policies\Microsoft\Edge
HubsSidebarEnabled
DWORD:0

; Configure Microsoft Defender SmartScreen
Computer
Software\Policies\Microsoft\Edge
SmartScreenEnabled
DWORD:1

; Configure Microsoft Defender SmartScreen to block potentially unwanted apps
Computer
Software\Policies\Microsoft\Edge
SmartScreenPuaEnabled
DWORD:1

; Turn on telemetry for Defender core service
Computer
Software\Policies\Microsoft\Windows Defender\Features
DisableCoreService1DSTelemetry
DWORD:1

; Show hibernate in the power options menu
Computer
Software\Policies\Microsoft\Windows\Explorer
ShowHibernateOption
DWORD:1

; Shutdown: Clear virtual memory pagefile
Computer
System\CurrentControlSet\Control\Session Manager\Memory Management
ClearPageFileAtShutdown
DWORD:1

; Enable optional updates
Computer
Software\Policies\Microsoft\Windows\WindowsUpdate
SetAllowOptionalContent
DWORD:1

; Enable optional updates
Computer
Software\Policies\Microsoft\Windows\WindowsUpdate
AllowOptionalContent
DWORD:1

; Automatic Data Collection
Computer
Software\Policies\Microsoft\Windows\WTDS\Components
CaptureThreatWindow
DWORD:0

; Turn on asynchronous inspection
Computer
Software\Policies\Microsoft\Windows Defender\NIS
AllowSwitchToAsyncInspection
DWORD:1

; Configure Remote Encryption Protection Mode
Computer
Software\Policies\Microsoft\Windows Defender\Remediation\Behavioral Network Blocks\Brute Force Protection
BruteForceProtectionConfiguredState
DWORD:1

; Configure Remote Encryption Protection Mode
Computer
Software\Policies\Microsoft\Windows Defender\Remediation\Behavioral Network Blocks\Remote Encryption Protection
RemoteEncryptionProtectionConfiguredState
DWORD:1

; Allow antimalware service to remain running always
Computer
Software\Policies\Microsoft\Windows Defender
ServiceKeepAlive
DWORD:1

; KB5058189
Computer
SYSTEM\CurrentControlSet\Policies
EnforceDirectoryChangeNotificationPermissionCheck
DWORD:1

; Do not display the password reveal button
Computer
Software\Policies\Microsoft\Windows\CredUI
DisablePasswordReveal
DWORD:1

; Turn off Help and Support Center "Did you know?" content
Computer
Software\Policies\Microsoft\PCHealth\HelpSvc
Headlines
DWORD:0

; Turn off the "Order Prints" picture task
Computer
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoOnlinePrintsWizard
DWORD:1

; Turn off the "Publish to Web" task for files and folders
Computer
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoPublishingWizard
DWORD:1

; Turn off Help and Support Center Microsoft Knowledge Base search
Computer
Software\Policies\Microsoft\PCHealth\HelpSvc
MicrosoftKBSearch
DWORD:0

; Turn off Windows Customer Experience Improvement Program
Computer
Software\Policies\Microsoft\SQMClient\Windows
CEIPEnable
DWORD:0

; Turn off Help Experience Improvement Program
User
Software\Policies\Microsoft\Assistance\Client\1.0
NoImplicitFeedback
DWORD:1

; Turn off Help Ratings
User
Software\Policies\Microsoft\Assistance\Client\1.0
NoExplicitFeedback
DWORD:1

; Turn off Windows Online
User
Software\Policies\Microsoft\Assistance\Client\1.0
NoOnlineAssist
DWORD:1

; Turn off Windows Error Reporting
Computer
Software\Policies\Microsoft\PCHealth\ErrorReporting
DoReport
DWORD:0

; Turn off Windows Error Reporting
Computer
Software\Policies\Microsoft\Windows\Windows Error Reporting
Disabled
DWORD:1

; Turn off the Windows Messenger Customer Experience Improvement Program
Computer
Software\Policies\Microsoft\Messenger\Client
CEIP
DWORD:2

; Turn off smart multi-homed name resolution
Computer
Software\Policies\Microsoft\Windows NT\DNSClient
DisableSmartNameResolution
DWORD:1

; Configure NetBIOS settings
Computer
Software\Policies\Microsoft\Windows NT\DNSClient
EnableNetbios
DWORD:0

; Configure Edge Scareware Blocker Protection
Computer
Software\Policies\Microsoft\Edge
ScarewareBlockerProtectionEnabled
DWORD:1

; Enable AutoFill for addresses
Computer
Software\Policies\Microsoft\Edge
AutofillAddressEnabled
DWORD:0

; Enable AutoFill for payment instruments
Computer
Software\Policies\Microsoft\Edge
AutofillCreditCardEnabled
DWORD:0

; Enable saving passwords to the password manager
Computer
Software\Policies\Microsoft\Edge
PasswordManagerEnabled
DWORD:0

; Save and fill memberships
Computer
Software\Policies\Microsoft\Edge
AutofillMembershipsEnabled
DWORD:0

; Configure the list of domains for which the password manager UI (Save and Fill) will be disabled
Computer
Software\Policies\Microsoft\Edge\PasswordManagerBlocklist
1
SZ:*

; Machine learning powered autofill suggestions
Computer
Software\Policies\Microsoft\Edge
EdgeAutofillMlEnabled
DWORD:0

; Enable Windows to search local Microsoft Edge browsing data
Computer
Software\Policies\Microsoft\Edge
LocalBrowserDataShareEnabled
DWORD:0

; Web To Browser Sign-in Enabled
Computer
Software\Policies\Microsoft\Edge
WebToBrowserSignInEnabled
DWORD:0

; Enable proactive authentication
Computer
Software\Policies\Microsoft\Edge
ProactiveAuthWorkflowEnabled
DWORD:0

; Allow single sign-on for Microsoft personal sites using this profile
Computer
Software\Policies\Microsoft\Edge
MSAWebSiteSSOUsingThisProfileAllowed
DWORD:0

; Single sign-on for work or school sites using this profile enabled
Computer
Software\Policies\Microsoft\Edge
AADWebSiteSSOUsingThisProfileEnabled
DWORD:0

; Configure Windows protected print
Computer
Software\Policies\Microsoft\Windows NT\Printers\WPP
WindowsProtectedPrintGroupPolicyState
DWORD:1

; Turn off Windows AI User Data Analysis
User
SOFTWARE\Policies\Microsoft\Windows\WindowsAI
DisableAIDataAnalysis
DWORD:1

; Enable the Designer for Image Editor feature
Computer
Software\Policies\Microsoft\Edge
ImageEditorServiceEnabled
DWORD:0

; Allow Recall to be enabled
User
SOFTWARE\Policies\Microsoft\Windows\WindowsAI
AllowRecallEnablement
DWORD:0

; Configure cookies
Computer
Software\Policies\Microsoft\Edge
DefaultCookiesSetting
DWORD:4

; Configure users ability to override feature flags
Computer
Software\Policies\Microsoft\Edge
FeatureFlagOverridesControl
DWORD:0

; Enable Gamer Mode
Computer
Software\Policies\Microsoft\Edge
GamerModeEnabled
DWORD:0

; Enable preload of the new tab page for faster rendering
Computer
Software\Policies\Microsoft\Edge
NewTabPagePrerenderEnabled
DWORD:0

; Show Home button on toolbar
Computer
Software\Policies\Microsoft\Edge
ShowHomeButton
DWORD:0

; Enables DALL-E themes generation
Computer
Software\Policies\Microsoft\Edge
AIGenThemesEnabled
DWORD:0

; Let screen reader users get image descriptions from Microsoft
Computer
Software\Policies\Microsoft\Edge
AccessibilityImageLabelsEnabled
DWORD:0

; Enable additional search box in browser
Computer
Software\Policies\Microsoft\Edge
AdditionalSearchBoxEnabled
DWORD:0

; Enable Microsoft Bing trending suggestions in the address bar
Computer
Software\Policies\Microsoft\Edge
AddressBarTrendingSuggestEnabled
DWORD:0

; Enable Work Search suggestions in the address bar
Computer
Software\Policies\Microsoft\Edge
AddressBarWorkSearchResultsEnabled
DWORD:0

; Allow the audio sandbox to run
Computer
Software\Policies\Microsoft\Edge
AudioSandboxEnabled
DWORD:1

; Disable synchronization of data using Microsoft sync services
Computer
Software\Policies\Microsoft\Edge
SyncDisabled
DWORD:1

; Enable automatic HTTPS upgrades
Computer
Software\Policies\Microsoft\Edge
HttpsUpgradesEnabled
DWORD:1

; Continue running background apps after Microsoft Edge closes
Computer
Software\Policies\Microsoft\Edge
BackgroundModeEnabled
DWORD:0

; Block all ads on Bing search results
Computer
Software\Policies\Microsoft\Edge
BingAdsSuppression
DWORD:1

; Block third party cookies
Computer
Software\Policies\Microsoft\Edge
BlockThirdPartyCookies
DWORD:1

; Clear browsing data when Microsoft Edge closes
Computer
Software\Policies\Microsoft\Edge
ClearBrowsingDataOnExit
DWORD:1

; DNS interception checks enabled
Computer
Software\Policies\Microsoft\Edge
DNSInterceptionChecksEnabled
DWORD:0

; Enables default browser settings campaigns
Computer
Software\Policies\Microsoft\Edge
DefaultBrowserSettingsCampaignEnabled
DWORD:0

; Set the default "share additional operating system region" setting
Computer
Software\Policies\Microsoft\Edge
DefaultShareAdditionalOSRegionSetting
DWORD:2

; Enable Drop feature in Microsoft Edge
Computer
Software\Policies\Microsoft\Edge
EdgeEDropEnabled
DWORD:0

; Shopping in Microsoft Edge Enabled
Computer
Software\Policies\Microsoft\Edge
EdgeShoppingAssistantEnabled
DWORD:0

; Enable Wallet Checkout feature
Computer
Software\Policies\Microsoft\Edge
EdgeWalletCheckoutEnabled
DWORD:0

; Edge Wallet E-Tree Enabled
Computer
Software\Policies\Microsoft\Edge
EdgeWalletEtreeEnabled
DWORD:0

; Enhance the security state in Microsoft Edge
Computer
Software\Policies\Microsoft\Edge
EnhanceSecurityMode
DWORD:2

; Enable favorites bar
Computer
Software\Policies\Microsoft\Edge
FavoritesBarEnabled
DWORD:0

; Allow suggestions from local providers
Computer
Software\Policies\Microsoft\Edge
LocalProvidersEnabled
DWORD:0

; Microsoft Edge Insider Promotion Enabled
Computer
Software\Policies\Microsoft\Edge
MicrosoftEdgeInsiderPromotionEnabled
DWORD:0

; Allow personalization of ads, Microsoft Edge, search, news and other Microsoft services by sending browsing history, favorites and collections, usage and other browsing data to Microsoft
Computer
Software\Policies\Microsoft\Edge
PersonalizationReportingEnabled
DWORD:0

; Enable post-quantum key agreement for TLS
Computer
Software\Policies\Microsoft\Edge
PostQuantumKeyAgreementEnabled
DWORD:1

; Enable search suggestions
Computer
Software\Policies\Microsoft\Edge
SearchSuggestEnabled
DWORD:0

; Enable the Search bar
Computer
Software\Policies\Microsoft\Edge
SearchbarAllowed
DWORD:0

; Show links shared from Microsoft 365 apps in History
Computer
Software\Policies\Microsoft\Edge
SharedLinksEnabled
DWORD:0

; Show Microsoft Rewards experiences
Computer
Software\Policies\Microsoft\Edge
ShowMicrosoftRewards
DWORD:0

; Allow feature recommendations and browser assistance notifications from Microsoft Edge
Computer
Software\Policies\Microsoft\Edge
ShowRecommendationsEnabled
DWORD:0

; Text prediction enabled by default
Computer
Software\Policies\Microsoft\Edge
TextPredictionEnabled
DWORD:0

; Block tracking of users' web-browsing activity
Computer
Software\Policies\Microsoft\Edge
TrackingPrevention
DWORD:3

; Allow user feedback
Computer
Software\Policies\Microsoft\Edge
UserFeedbackAllowed
DWORD:0

; Wallet Donation Enabled
Computer
Software\Policies\Microsoft\Edge
WalletDonationEnabled
DWORD:0

; Personalize my top sites in Customize Sidebar enabled by default
Computer
Software\Policies\Microsoft\Edge
PersonalizeTopSitesInCustomizeSidebarEnabled
DWORD:0

; Spell checking provided by Microsoft Editor
Computer
Software\Policies\Microsoft\Edge
MicrosoftEditorProofingEnabled
DWORD:0

; Synonyms are provided when using Microsoft Editor spell checker
Computer
Software\Policies\Microsoft\Edge
MicrosoftEditorSynonymsEnabled
DWORD:0

; Turn off Windows Startup sound
Computer
Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableStartupSound
DWORD:1

; Exclude credential providers
Computer
Software\Microsoft\Windows\CurrentVersion\Policies\System
ExcludedCredentialProviders
SZ:{F8A0B131-5F68-486c-8040-7E8FC3C85BB6}

; Allow users to connect remotely by using Remote Desktop Services
Computer
SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
fDenyTSConnections
DWORD:1

; Remove Recent Items menu from Start Menu
User
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRecentDocsMenu
DWORD:1

; Clear history of recently opened documents on exit
User
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
ClearRecentDocsOnExit
DWORD:1

; Add Search Internet link to Start Menu
User
Software\Policies\Microsoft\Windows\Explorer
AddSearchInternetLinkInStartMenu
DWORD:0

; Clear the recent programs list for new users
User
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
ClearRecentProgForNewUserInStartMenu
DWORD:1

; Remove the People Bar from the taskbar
User
Software\Policies\Microsoft\Windows\Explorer
HidePeopleBar
DWORD:1

; Turn off user tracking
User
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoInstrumentation
DWORD:1

; Remove frequent programs list from the Start Menu
Computer
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoStartMenuMFUprogramsList
DWORD:1

; Do not display or track items in Jump Lists from remote locations
User
Software\Policies\Microsoft\Windows\Explorer
NoRemoteDestinations
DWORD:1

; Allow Clipboard synchronization across devices
Computer
Software\Policies\Microsoft\Windows\System
AllowCrossDeviceClipboard
DWORD:0

; Allow users to get a strong password suggestion whenever they are creating an account online
Computer
Software\Policies\Microsoft\Edge
PasswordGeneratorEnabled
DWORD:0

; Allow users to proceed from the HTTPS warning page
Computer
Software\Policies\Microsoft\Edge
SSLErrorOverrideAllowed
DELETE

; Control which extensions cannot be installed
Computer
Software\Policies\Microsoft\Edge
ExtensionInstallBlocklist
DELETE

; Prevent bypassing Microsoft Defender SmartScreen prompts for sites
Computer
Software\Policies\Microsoft\Edge
PreventSmartScreenPromptOverride
DELETE

; Deny write access to removable drives not protected by BitLocker
Computer
System\CurrentControlSet\Policies\Microsoft\FVE
RDVDenyWriteAccess
DELETE

; Deny write access to removable drives not protected by BitLocker
Computer
System\CurrentControlSet\Policies\Microsoft\FVE
RDVDenyCrossOrg
DELETE

; Prevent bypassing SmartScreen Filter warnings
Computer
Software\Policies\Microsoft\Internet Explorer\PhishingFilter
PreventOverride
DELETE

; Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet
Computer
Software\Policies\Microsoft\Internet Explorer\PhishingFilter
PreventOverrideAppRepUnknown
DELETE

; Control whether exclusions are visible to local users
Computer
Software\Policies\Microsoft\Windows Defender
HideExclusionsFromLocalUsers
DELETE

; Control whether or not exclusions are visible to Local Admins
Computer
Software\Policies\Microsoft\Windows Defender
HideExclusionsFromLocalAdmins
DELETE

; Configure Windows Defender SmartScreen
Computer
Software\Policies\Microsoft\Windows\System
ShellSmartScreenLevel
SZ:Warn

; Allow Clipboard History
Computer
Software\Policies\Microsoft\Windows\System
AllowClipboardHistory
DWORD:0

; Allow publishing of User Activities
Computer
Software\Policies\Microsoft\Windows\System
PublishUserActivities
DWORD:0

; Allow upload of User Activities
Computer
Software\Policies\Microsoft\Windows\System
UploadUserActivities
DWORD:0

; Enables Activity Feed
Computer
Software\Policies\Microsoft\Windows\System
EnableActivityFeed
DWORD:0

; Prevent the usage of OneDrive for file storage
Computer
Software\Policies\Microsoft\Windows\OneDrive
DisableFileSyncNGSC
DWORD:1

; Save documents to OneDrive by default
Computer
Software\Policies\Microsoft\Windows\OneDrive
DisableLibrariesDefaultSaveToOneDrive
DWORD:0

; DisableSettingSync
Computer
Software\Policies\Microsoft\Windows\SettingSync
DisableSettingSync
DWORD:2

; Do not sync
Computer
Software\Policies\Microsoft\Windows\SettingSync
DisableSettingSyncUserOverride
DWORD:1

; Improve inking and typing recognition
Computer
Software\Microsoft\Windows\CurrentVersion\Policies\TextInput
AllowLinguisticDataCollection
DWORD:0

; Set what information is shared in Search
Computer
SOFTWARE\Policies\Microsoft\Windows\Windows Search
ConnectedSearchPrivacy
DWORD:3

; fullPathAddress
User
Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState
FullPathAddress
DWORD:1

; hidden
User
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
DWORD:0

; HideFileExt
User
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
DWORD:0

; ShowSuperHidden
User
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
DWORD:1

; UserSetting_DisableStartupSound
Computer
SOFTWARE\Microsoft\Windows\CurrentVersion\EditionOverrides
UserSetting_DisableStartupSound
DWORD:1

; Enable features introduced via servicing that are off by default
Computer
Software\Policies\Microsoft\Windows\WindowsUpdate
AllowTemporaryEnterpriseFeatureControl
DWORD:1

; Disable Click to Do
Computer
SOFTWARE\Policies\Microsoft\Windows\WindowsAI
DisableClickToDo
DWORD:1

; Enable support for Windows OS routing table rules when making peer to peer connections via WebRTC
Computer
Software\Policies\Microsoft\Edge
WebRtcRespectOsRoutingTableEnabled
DWORD:1

; Disable MDM Enrollment
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\MDM
DisableRegistration
DWORD:1

; Allow companion device for secondary authentication
Computer
SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor
AllowSecondaryAuthenticationDevice
DWORD:0

; Disable remote Desktop Sharing
Computer
Software\Policies\Microsoft\Conferencing
NoRDS
DWORD:1

; Do not allow Windows Messenger to be run
Computer
Software\Policies\Microsoft\Messenger\Client
PreventRun
DWORD:1

; Turn off Windows Mobility Center
Computer
Software\Microsoft\Windows\CurrentVersion\Policies\MobilityCenter
NoMobilityCenter
DWORD:1

; Allow Remote Shell Access
Computer
Software\Policies\Microsoft\Windows\WinRM\Service\WinRS
AllowRemoteShellAccess
DWORD:0

; Turn On/Off Find My Device
Computer
SOFTWARE\Policies\Microsoft\FindMyDevice
AllowFindMyDevice
DWORD:0

; Prevent the computer from joining a homegroup
Computer
Software\Policies\Microsoft\Windows\HomeGroup
DisableHomeGroup
DWORD:1

; Require pin for pairing
Computer
Software\Policies\Microsoft\Windows\Connect
RequirePinForPairing
DWORD:2

; Configures the Chat icon on the taskbar
Computer
Software\Policies\Microsoft\Windows\Windows Chat
ChatIcon
DWORD:3

; Register domain joined computers as devices
Computer
Software\Policies\Microsoft\Windows\WorkplaceJoin
autoWorkplaceJoin
DWORD:0

; Do not show feedback notifications
Computer
Software\Policies\Microsoft\Windows\DataCollection
DoNotShowFeedbackNotifications
DWORD:1

; Turn off Active Help
Computer
Software\Policies\Microsoft\Assistance\Client\1.0
NoActiveHelp
DWORD:1

; Turn off Push To Install service
Computer
Software\Policies\Microsoft\PushToInstall
DisablePushToInstall
DWORD:1

; Turn off API Sampling
Computer
Software\Policies\Microsoft\Windows\AppCompat
DisableAPISamping
DWORD:1

; Turn off Application Footprint
Computer
Software\Policies\Microsoft\Windows\AppCompat
DisableApplicationFootprint
DWORD:1

; Turn off compatibility scan for backed up applications
Computer
Software\Policies\Microsoft\Windows\AppCompat
DisableWin32AppBackup
DWORD:1

; Turn off Install Tracing
Computer
Software\Policies\Microsoft\Windows\AppCompat
DisableInstallTracing
DWORD:1

; Turn off Automatic Download and Install of updates
Computer
Software\Policies\Microsoft\WindowsStore
AutoDownload
DWORD:4

; Turn off automatic learning
Computer
SOFTWARE\Policies\Microsoft\InputPersonalization
RestrictImplicitTextCollection
DWORD:1

; Turn off automatic learning
Computer
SOFTWARE\Policies\Microsoft\InputPersonalization
RestrictImplicitInkCollection
DWORD:1

; Enable Hotspot Authentication
Computer
Software\Policies\Microsoft\Windows\HotspotAuthentication
Enabled
DWORD:0

; Require PIN pairing
Computer
SOFTWARE\Policies\Microsoft\WirelessDisplay
EnforcePinBasedPairing
DWORD:1

; Turn off app notifications on the lock screen
Computer
Software\Policies\Microsoft\Windows\System
DisableLockScreenAppNotifications
DWORD:1

; Turn on security key sign-in
Computer
Software\Policies\Microsoft\FIDO
EnableFIDODeviceLogon
DWORD:1

; Block user from showing account details on sign-in
Computer
Software\Policies\Microsoft\Windows\System
BlockUserFromShowingAccountDetailsOnSignin
DWORD:1

; Enable Device Health Attestation Monitoring and Reporting
Computer
Software\Policies\Microsoft\DeviceHealthAttestationService
EnableDeviceHealthAttestationService
DWORD:0

; Phone-PC linking on this device
Computer
Software\Policies\Microsoft\Windows\System
EnableMmx
DWORD:0

; Turn off tracking of app usage
User
Software\Policies\Microsoft\Windows\EdgeUI
DisableMFUTracking
DWORD:1

; Turn off custom dictionary
User
software\policies\microsoft\ime\shared
UserDict
DWORD:0

; Turn off Internet search integration
User
software\policies\microsoft\ime\shared
SearchPlugin
DWORD:0

; Turn on cloud candidate
User
Software\Policies\Microsoft\InputMethod\Settings\Shared
Enable Cloud Candidate
DWORD:0

; Turn on cloud candidate for CHS
User
Software\Policies\Microsoft\InputMethod\Settings\CHS
Enable Cloud Candidate
DWORD:0

; Turn off storage and display of search history
User
SOFTWARE\Policies\Microsoft\Windows\Explorer
DisableSearchHistory
DWORD:1

; Prevent users from sharing files within their profile.
User
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoInplaceSharing
DWORD:1

; Turn off account notifications in Start
User
SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AccountNotifications
DisableAccountNotifications
DWORD:1

; Turn off Aero Shake window minimizing mouse gesture
User
Software\Policies\Microsoft\Windows\Explorer
NoWindowMinimizingShortcuts
DWORD:1

; Allow a Windows app to share application data between users
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager
AllowSharedLocalAppData
DWORD:0

; Do not search Internet
User
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoSearchInternetInStartMenu
DWORD:1

; Turn off feature advertisement balloon notifications
User
Software\Policies\Microsoft\Windows\Explorer
NoBalloonFeatureAdvertisements
DWORD:1

; No Computers Near Me in Network Locations
User
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoComputersNearMe
DWORD:1

; No Entire Network in Network Locations
User
Software\Microsoft\Windows\CurrentVersion\Policies\Network
NoEntireNetwork
DWORD:1

; Disable local training of all features for the computer.
Computer
software\policies\microsoft\office\16.0\common\ai\training\general
disabletraining
DWORD:1

; Disable local content safety in general for the computer.
Computer
software\policies\microsoft\office\16.0\common\ai\contentsafety\general
disablecontentsafety
DWORD:1

; Management of Microsoft 365 Apps for enterprise
Computer
software\policies\microsoft\office\16.0\common\officeupdate
officemgmtcom
DWORD:0

; Don’t install a background service for Microsoft Search in Bing
Computer
software\policies\microsoft\office\16.0\common\officeupdate
preventbinginstall
DWORD:1

; Disable Roaming Office User Settings
User
software\policies\microsoft\office\16.0\common\roaming
roamingsettingsdisabled
DWORD:1

; Online Content Options
User
software\policies\microsoft\office\16.0\common\internet
useonlinecontent
DWORD:0

; Conversion Service Options
User
software\policies\microsoft\office\16.0\common\internet
useconversionservices
DWORD:0

; Stop reporting error messages
User
software\policies\microsoft\office\16.0\common\alerts
noalertreporting
DWORD:1

; Turn on telemetry data collection
User
software\policies\microsoft\office\16.0\osm
enablelogging
DWORD:0

; Allow users to receive and respond to in-product surveys from Microsoft
User
software\policies\microsoft\office\16.0\common\feedback
surveyenabled
DWORD:0

; Allow users to submit feedback to Microsoft
User
software\policies\microsoft\office\16.0\common\feedback
enabled
DWORD:0

; Enable Customer Experience Improvement Program
User
software\policies\microsoft\office\16.0\common
qmenable
DWORD:0

; Send personal information
User
software\policies\microsoft\office\16.0\common
sendcustomerdata
DWORD:0

; Show in-product notifications for the Microsoft Workplace Discount Program
User
software\policies\microsoft\office\16.0\common\personalization
homeuseprogram
DWORD:0

; Show OneDrive Sign In
User
software\policies\microsoft\office\16.0\common\general
skydrivesigninoption
DWORD:0

; Show the option for Microsoft 365 Insider
User
software\policies\microsoft\office\16.0\common
insiderslabbehavior
DWORD:2

; Hide Microsoft cloud-based file locations in the Backstage view
User
software\policies\microsoft\office\16.0\common\internet
onlinestorage
DWORD:4294967295

; Hide the Learn more about SharePoint Hyperlink
User
software\policies\microsoft\office\16.0\common\sharepointintegration
hidelearnmorelink
DWORD:1

; Show LinkedIn features in Office applications
User
software\policies\microsoft\office\16.0\common
linkedin
DWORD:0

; Show recommended files on the File tab or start page
User
software\policies\microsoft\office\16.0\common\general
recommendeddocumentsenabled
DWORD:0

; PreventDeviceEncryption
Computer
SYSTEM\CurrentControlSet\Control\BitLocker
PreventDeviceEncryption
DWORD:1

; Allow users to manage installed CA certificates
Computer
Software\Policies\Microsoft\Edge
CACertificateManagementAllowed
DWORD:2

; Use user-added TLS certificates from platform trust stores for server authentication
Computer
Software\Policies\Microsoft\Edge
CAPlatformIntegrationEnabled
DWORD:0

; Control where developer tools can be used
Computer
Software\Policies\Microsoft\Edge
DeveloperToolsAvailability
DWORD:2

; Settings for GenAI local foundational model
Computer
Software\Policies\Microsoft\Edge
GenAILocalFoundationalModelSettings
DWORD:1

; Mobile App Management Enabled
Computer
Software\Policies\Microsoft\Edge
MAMEnabled
DWORD:0

; Hide the default top sites from the new tab page
Computer
Software\Policies\Microsoft\Edge
NewTabPageHideDefaultTopSites
DWORD:1

; Allow quick links on the new tab page
Computer
Software\Policies\Microsoft\Edge
NewTabPageQuickLinksEnabled
DWORD:0

; Configure the new tab page search box experience
Computer
Software\Policies\Microsoft\Edge
NewTabPageSearchBox
SZ:redirect

; Enable startup boost
Computer
Software\Policies\Microsoft\Edge
StartupBoostEnabled
DWORD:0

; Allow pages with Cache-Control: no-store header to enter back/forward cache
Computer
Software\Policies\Microsoft\Edge
AllowBackForwardCacheForCacheControlNoStorePageEnabled
DWORD:0

; Suggest similar pages when a webpage can't be found
Computer
Software\Policies\Microsoft\Edge
AlternateErrorPagesEnabled
DWORD:0

; Compose is enabled for writing on the web
Computer
Software\Policies\Microsoft\Edge
ComposeInlineEnabled
DWORD:0

; Configure Online Text To Speech
Computer
Software\Policies\Microsoft\Edge
ConfigureOnlineTextToSpeech
DWORD:0

; Configure Speech Recognition
Computer
Software\Policies\Microsoft\Edge
SpeechRecognitionEnabled
DWORD:0

; Configure Do Not Track
Computer
Software\Policies\Microsoft\Edge
ConfigureDoNotTrack
DWORD:1

; Allow users to configure Family safety and Kids Mode
Computer
Software\Policies\Microsoft\Edge
FamilySafetySettingsEnabled
DWORD:0

; Allow websites to query for available payment methods
Computer
Software\Policies\Microsoft\Edge
PaymentMethodQueryEnabled
DWORD:0

; Enables Microsoft Edge mini menu
Computer
Software\Policies\Microsoft\Edge
QuickSearchShowMiniMenu
DWORD:0

; Allow remote debugging
Computer
Software\Policies\Microsoft\Edge
RemoteDebuggingAllowed
DWORD:0

; Enable resolution of navigation errors using a web service
Computer
Software\Policies\Microsoft\Edge
ResolveNavigationErrorsUseWebService
DWORD:0

; Super Drag Drop Enabled
Computer
Software\Policies\Microsoft\Edge
SuperDragDropEnabled
DWORD:0

; Enable using roaming copies for Microsoft Edge profile data
Computer
Software\Policies\Microsoft\Edge
RoamingProfileSupportEnabled
DWORD:0

; Enable tab organization suggestions
Computer
Software\Policies\Microsoft\Edge
TabServicesEnabled
DWORD:0

; TLS Encrypted ClientHello Enabled
Computer
Software\Policies\Microsoft\Edge
EncryptedClientHelloEnabled
DWORD:1

; Enable upload files from mobile in Microsoft Edge desktop
Computer
Software\Policies\Microsoft\Edge
UploadFromPhoneEnabled
DWORD:0

; Visual search enabled
Computer
Software\Policies\Microsoft\Edge
VisualSearchEnabled
DWORD:0

; Configure the default paste format of URLs copied from Microsoft Edge, and determine if additional formats will be available to users
Computer
Software\Policies\Microsoft\Edge
ConfigureFriendlyURLFormat
DWORD:1

; Allow pages to use the built-in AI APIs.
Computer
Software\Policies\Microsoft\Edge
BuiltInAIAPIsEnabled
DWORD:0

; Control access to AI-enhanced search in History
Computer
Software\Policies\Microsoft\Edge
EdgeHistoryAISearchEnabled
DWORD:0

; Specifies whether to block requests from public websites to devices on a user's local network
Computer
Software\Policies\Microsoft\Edge
LocalNetworkAccessRestrictionsEnabled
DWORD:1

; Blocklist for extension install types
Computer
Software\Policies\Microsoft\Edge\ExtensionInstallTypeBlocklist
1
SZ:command_line

; DisableWpbtExecution
Computer
SYSTEM\CurrentControlSet\Control\Session Manager
DisableWpbtExecution
DWORD:1

; DisableAIFeatures
Computer
SOFTWARE\Policies\WindowsNotepad
DisableAIFeatures
DWORD:1

; MP_FORCE_USE_SANDBOX
Computer
SYSTEM\CurrentControlSet\Control\Session Manager\Environment
MP_FORCE_USE_SANDBOX
SZ:1

; DOTNET_CLI_TELEMETRY_OPTOUT
Computer
SYSTEM\CurrentControlSet\Control\Session Manager\Environment
DOTNET_CLI_TELEMETRY_OPTOUT
SZ:1

; POWERSHELL_TELEMETRY_OPTOUT
Computer
SYSTEM\CurrentControlSet\Control\Session Manager\Environment
POWERSHELL_TELEMETRY_OPTOUT
SZ:1

; MSEDGEDRIVER_TELEMETRY_OPTOUT
Computer
SYSTEM\CurrentControlSet\Control\Session Manager\Environment
MSEDGEDRIVER_TELEMETRY_OPTOUT
SZ:1
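
The file above is applied with `LGPO.exe /t`, and a few of its records (the `FeatureSettingsOverride` variants for Intel, AMD and ARM) target the same registry value with different data, so only one of them can end up in the resulting policy. The following linter is an added example and is not part of this pull request or of LGPO.exe: it parses the 4-line LGPO text records, expands DWORD data written in decimal or `0x` hex, flags conflicting records, rejects a malformed record such as a bare `64` with no `DWORD:` prefix, and emits PowerShell read-back commands for the hive each scope maps to (Computer to `HKLM:`, User to `HKCU:`). The `SAMPLE` text is constructed for the example, mirroring a handful of the records posted above.

```python
"""Lint an LGPO.exe text file before applying it with `LGPO.exe /t`.

Added example, not code from the pull request. Reads the 4-line records
(scope, key, value name, type:data), normalizes DWORD data, finds records
that disagree about the same registry value, and prints PowerShell lines
to verify the values on the target machine after policy has been applied.
"""
from dataclasses import dataclass

# Constructed sample shaped like the posted file, including two
# FeatureSettingsOverride records that cannot both take effect.
SAMPLE = r"""
; LGPO-text file, used with LGPO.exe.

; Allow Clipboard History
Computer
Software\Policies\Microsoft\Windows\System
AllowClipboardHistory
DWORD:0

; KB4073119 Intel SMT
Computer
SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
FeatureSettingsOverride
DWORD:0x00800048

; KB4073119 AMD
Computer
SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
FeatureSettingsOverride
DWORD:0x05000048

; Prevent bypassing Microsoft Defender SmartScreen prompts for sites
Computer
Software\Policies\Microsoft\Edge
PreventSmartScreenPromptOverride
DELETE

; Turn off tracking of app usage
User
Software\Policies\Microsoft\Windows\EdgeUI
DisableMFUTracking
DWORD:1
"""

HIVES = {"Computer": "HKLM:", "User": "HKCU:"}   # assumed scope -> hive mapping
NO_DATA_ACTIONS = {"DELETE", "DELETEALLVALUES", "CREATEKEY"}


@dataclass(frozen=True)
class LgpoEntry:
    scope: str        # "Computer" or "User"
    key: str          # registry key path below the hive root
    value_name: str
    action: str       # DWORD, SZ, EXSZ, DELETE, ...
    data: object      # int for DWORD, str for SZ/EXSZ, None otherwise


def parse_lgpo_text(text: str) -> list[LgpoEntry]:
    """Return the records of an LGPO text file; ';' comments and blank lines are skipped."""
    body = [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith(";")]
    if len(body) % 4:
        raise ValueError(f"{len(body)} non-comment lines: records must come in groups of 4")
    entries = []
    for i in range(0, len(body), 4):
        scope, key, name, spec = body[i:i + 4]
        if scope not in HIVES:
            raise ValueError(f"record {i // 4 + 1}: scope must be Computer or User, got {scope!r}")
        action, sep, raw = spec.partition(":")
        action = action.upper()
        if action == "DWORD" and sep:
            data = int(raw, 0)            # accepts 3, 64, 4294967295 or 0x00800048
        elif action in ("SZ", "EXSZ") and sep:
            data = raw
        elif action in NO_DATA_ACTIONS and not sep:
            data = None
        else:                             # e.g. a bare "64" with no DWORD: prefix
            raise ValueError(f"{name}: unknown or malformed type/data {spec!r}")
        entries.append(LgpoEntry(scope, key, name, action, data))
    return entries


def find_conflicts(entries: list[LgpoEntry]) -> dict[tuple, list[LgpoEntry]]:
    """Group records by (scope, key, value name) and keep groups whose data disagree."""
    groups: dict[tuple, list[LgpoEntry]] = {}
    for e in entries:
        groups.setdefault((e.scope, e.key.lower(), e.value_name.lower()), []).append(e)
    return {t: g for t, g in groups.items() if len({(e.action, e.data) for e in g}) > 1}


def to_powershell_check(e: LgpoEntry) -> str:
    """PowerShell line that reads back the value the record should have produced."""
    path = f"{HIVES[e.scope]}\\{e.key}"
    if e.action in NO_DATA_ACTIONS:
        return (f"Get-ItemProperty -Path '{path}' -Name '{e.value_name}' "
                f"-ErrorAction SilentlyContinue  # expect absent")
    return f"Get-ItemPropertyValue -Path '{path}' -Name '{e.value_name}'  # expect {e.data!r}"


if __name__ == "__main__":
    parsed = parse_lgpo_text(SAMPLE)
    for target, group in find_conflicts(parsed).items():
        print("CONFLICT", target[2], [e.data for e in group])
    for e in parsed:
        print(to_powershell_check(e))
```

Run it against the real file before `LGPO.exe /t`; every conflict it reports should be resolved by keeping only the record for the hardware actually being configured. The read-back lines assume the policy has already been processed (LGPO writes Registry.pol, and the values appear under the mapped hive after the next policy refresh), so run them after `gpupdate /force`.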

@oppressor1761
Author

This LGPO must be applied with caution.

; LGPO-text file, used with LGPO.exe.

; Disable new DMA devices when this computer is locked. Enabled in the Baseline; needs to be removed when Kernel DMA Protection is on.
Computer
Software\Policies\Microsoft\FVE
DisableExternalDMAUnderLock
DELETE

; Secured-core PC
Computer
SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios
SecureBiometrics
DWORD:1

; Secured-core PC
Computer
SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios
SecureFingerprint
DWORD:1

; KB4073119
Computer
SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
FeatureSettingsOverrideMask
DWORD:3

; KB4073119
Computer
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization
MinVmVersionForCpuBasedMitigations
SZ:1.0

; KB4073119
Computer
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization
RetsPredictedFromRsbOnly
DWORD:1

; KB4073119 Intel SMT
Computer
SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
FeatureSettingsOverride
DWORD:0x00800048

; KB4073119 Intel w/o SMT
Computer
SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
FeatureSettingsOverride
DWORD:0x00802048

; KB4073119 AMD
Computer
SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
FeatureSettingsOverride
DWORD:0x05000048

; KB4073119 ARM
Computer
SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
FeatureSettingsOverride
DWORD:64

; Require UEFI Memory Attributes Table
Computer
SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
HVCIMATRequired
DWORD:0

; Machine Identity Isolation
Computer
SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
MachineIdentityIsolation
DWORD:2

; VBS (and memory integrity) in mandatory mode
Computer
SYSTEM\CurrentControlSet\Control\DeviceGuard
Mandatory
DWORD:1

; VBS with UEFI lock
Computer
SYSTEM\CurrentControlSet\Control\DeviceGuard
Locked
DWORD:1

; ActivePolicyCode
Computer
SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess
ActivePolicyCode
SZ:zh

; Intel TDT Integration Level
Computer
Software\Policies\Microsoft\Windows Defender\Features
TDTFeatureEnabled
DWORD:1

; Add workstations to domain
; delete all

@oppressor1761
Author

oppressor1761 commented Jul 25, 2025

This is the answer file for arm64 devices.

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="specialize">
        <component name="Microsoft-Windows-DeviceAccess" processorArchitecture="arm64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <SetRegionSpecificPrivacyAccessPolicy>zh</SetRegionSpecificPrivacyAccessPolicy>
        </component>
        <component name="Microsoft-Windows-ErrorReportingCore" processorArchitecture="arm64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <DisableWER>1</DisableWER>
        </component>
    </settings>
    <settings pass="oobeSystem">
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="arm64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <OOBE>
                <HideOnlineAccountScreens>true</HideOnlineAccountScreens>
            </OOBE>
        </component>
    </settings>
</unattend>

@oppressor1761
Author

This is the provisioning package.

<?xml version="1.0" encoding="utf-8"?>
<WindowsCustomizations>
  <PackageConfig xmlns="urn:schemas-Microsoft-com:Windows-ICD-Package-Config.v1.0">
    <ID>{c4a4a019-4fc1-4872-9ecd-83c966856d86}</ID>
    <Name>profile</Name>
    <Version>1.2</Version>
    <OwnerType>ITAdmin</OwnerType>
    <Rank>0</Rank>
    <Notes></Notes>
  </PackageConfig>
  <Settings xmlns="urn:schemas-microsoft-com:windows-provisioning">
    <Customizations>
      <Common>
        <CountryAndRegion>
          <CountryCodeForExtendedCapabilityPrompts>China</CountryCodeForExtendedCapabilityPrompts>
        </CountryAndRegion>
        <DeviceManagement>
          <MemoryDump>
            <AllowCrashDump>Not allowed</AllowCrashDump>
            <AllowLiveDump>Not allowed</AllowLiveDump>
          </MemoryDump>
        </DeviceManagement>
        <FederatedAuthentication>
          <EnableWebSignInForPrimaryUser>Disabled</EnableWebSignInForPrimaryUser>
        </FederatedAuthentication>
        <Licensing>
          <DisallowKMSClientOnlineAVSValidation>True</DisallowKMSClientOnlineAVSValidation>
        </Licensing>
        <OOBE>
          <Desktop>
            <EnableCortanaVoice>False</EnableCortanaVoice>
          </Desktop>
        </OOBE>
        <Policies>
          <AboveLock>
            <AllowToasts>No</AllowToasts>
          </AboveLock>
          <Bluetooth>
            <AllowAdvertising>No</AllowAdvertising>
            <AllowPrepairing>No</AllowPrepairing>
            <AllowPromptedProximalConnections>No</AllowPromptedProximalConnections>
          </Bluetooth>
          <DeviceManagement>
            <DisableMDMEnrollment>Yes</DisableMDMEnrollment>
          </DeviceManagement>
          <Experience>
            <AllowCortana>No</AllowCortana>
            <AllowFindMyDevice>No</AllowFindMyDevice>
            <AllowSyncMySettings>No</AllowSyncMySettings>
            <AllowTailoredExperiencesWithDiagnosticData>No</AllowTailoredExperiencesWithDiagnosticData>
            <DoNotShowFeedbackNotifications>Do not show</DoNotShowFeedbackNotifications>
          </Experience>
          <Games>
            <AllowAdvancedGamingServices>No</AllowAdvancedGamingServices>
          </Games>
          <MemoryDump>
            <AllowCrashDump>Not allowed</AllowCrashDump>
            <AllowLiveDump>Not allowed</AllowLiveDump>
          </MemoryDump>
          <Privacy>
            <AllowInputPersonalization>No</AllowInputPersonalization>
            <DisableAdvertisingId>Yes</DisableAdvertisingId>
          </Privacy>
          <Search>
            <AllowSearchHighlights>Disable</AllowSearchHighlights>
            <AllowSearchToUseLocation>No</AllowSearchToUseLocation>
            <DoNotUseWebResults>Prevent web search</DoNotUseWebResults>
            <PreventRemoteQueries>Yes</PreventRemoteQueries>
          </Search>
          <Start>
            <AllowPinnedFolderMusic>Enforced off</AllowPinnedFolderMusic>
            <AllowPinnedFolderPictures>Enforced off</AllowPinnedFolderPictures>
            <AllowPinnedFolderVideos>Enforced off</AllowPinnedFolderVideos>
            <HideFrequentlyUsedApps>Yes</HideFrequentlyUsedApps>
            <HideRecentJumplists>Yes</HideRecentJumplists>
            <HideRecentlyAddedApps>Yes</HideRecentlyAddedApps>
            <HideRecommendedSection>Yes</HideRecommendedSection>
            <ShowOrHideMostUsedApps>Hide</ShowOrHideMostUsedApps>
          </Start>
          <System>
            <AllowBuildPreview>Not allowed</AllowBuildPreview>
            <DisableOneDriveFileSync>Yes</DisableOneDriveFileSync>
            <LimitDiagnosticLogCollection>Enable Policy</LimitDiagnosticLogCollection>
            <LimitDumpCollection>Enable Policy</LimitDumpCollection>
            <LimitEnhancedDiagnosticDataWindowsAnalytics>Disable Windows Analytics collection</LimitEnhancedDiagnosticDataWindowsAnalytics>
            <TurnOffFileHistory>Turn off</TurnOffFileHistory>
          </System>
          <TextInput>
            <AllowIMELogging>No</AllowIMELogging>
            <AllowIMENetworkAccess>No</AllowIMENetworkAccess>
            <AllowKeyboardTextSuggestions>No</AllowKeyboardTextSuggestions>
            <AllowLinguisticDataCollection>No</AllowLinguisticDataCollection>
          </TextInput>
          <WiFi>
            <AllowAutoConnectToWiFiSenseHotspots>No</AllowAutoConnectToWiFiSenseHotspots>
          </WiFi>
          <WindowsAI>
            <DisableAIDataAnalysis>Disabled Data Analysis for Windows AI.</DisableAIDataAnalysis>
            <TurnOffWindowsCopilot>Disabled Windows Copilot</TurnOffWindowsCopilot>
          </WindowsAI>
          <WindowsInkWorkspace>
            <AllowSuggestedAppsInWindowsInkWorkspace>No</AllowSuggestedAppsInWindowsInkWorkspace>
          </WindowsInkWorkspace>
          <WindowsLogon>
            <DisableLockScreenAppNotifications>Enable this policy</DisableLockScreenAppNotifications>
            <EnableFirstLogonAnimation>No</EnableFirstLogonAnimation>
          </WindowsLogon>
        </Policies>
        <Privacy>
          <LetAppsActivateWithVoice>Force Deny</LetAppsActivateWithVoice>
          <LetAppsActivateWithVoiceAboveLock>Force Deny</LetAppsActivateWithVoiceAboveLock>
        </Privacy>
      </Common>
    </Customizations>
  </Settings>
</WindowsCustomizations>

@nihil-admirari

unattend.xml settings are for ARM only and contain local paths to install.wim:

<cpi:offlineImage cpi:source="wim:c:/users/gerbil1183/desktop/install.wim#Windows 11 Pro" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
