HotCakeX / Harden-Windows-Security

Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md
https://hotcakex.github.io
MIT License

Harden Windows Security Module v.0.2.3 #150

Closed HotCakeX closed 1 year ago

HotCakeX commented 1 year ago

What's Changed

  1. Fixed a bug that could happen in rare cases where a user's PC name and username are the same, for example your PC name is admin and your username is admin as well. This would throw an error when creating the scheduled task to automatically update the Microsoft recommended driver block rules in the Microsoft Defender category. I also made improvements to this process. The scheduled task now registers (using SID) and runs under the SYSTEM account, and is no longer bound to the current Administrator account or its name. This gives the task resiliency so if you delete your current Admin account or change it, the scheduled task will remain intact and continue to function properly. While fixing this bug, I also found an issue and submitted feedback for it in Feedback Hub.
  2. Improved the overall verbosity of the module by reducing items shown on the PowerShell console. Any errors or unexpected behaviors are clearly shown to the user.
  3. Increased the required build number to 22621.2428, in preparation for 23H2 features infusion. That build was released almost a month ago so users have had ample time to keep their OS up to date.
  4. Fixed the following issues: https://github.com/HotCakeX/Harden-Windows-Security/issues/151 and https://github.com/HotCakeX/Harden-Windows-Security/issues/152 by adding a new override here.
  5. Certificate Padding Check or WinVerifyTrust that used to be applied using the registry (in the Miscellaneous category) is now applied by group policy. Microsoft Security Baselines 23H2 added templates for this.
  6. Removed the optional policy from Lock Screen Category that would offer to set Windows Hello PIN as the default credential provider and would also disable Password and WLID (Windows Live ID) credential providers. The reason for this removal is that it's no longer necessary to apply it.
    • Windows 11 23H2 can now automatically hide the password option when using Windows Hello for Business, more technical details here
    • If your personal device has a fingerprint scanner and/or camera used with Windows Hello and you're using the Don't display last signed-in from the Lock screen category, you will be able to easily use your face or fingerprint to sign into Windows, even though the lock screen doesn't reveal which user accounts exist on the computer and asks you to supply both username + password.
    • The removal of password credential provider would prevent you from using RDP to connect to Azure VMs.
    • This optional policy was not reliable enough because it set PIN as the credential provider whereas maybe the user preferred to use face or fingerprint as the default authentication method.
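
The approach described in item 1, registering a scheduled task under SYSTEM by its SID rather than by an account name, can be sketched as follows. This is an added example, not the module's own code; the task name, task path, schedule and action are placeholders, and `S-1-5-18` is the well-known SID of the LocalSystem account.

```powershell
#Requires -RunAsAdministrator
# Added example: task name, path, schedule and action are placeholders,
# not the values used by the Harden Windows Security module.
$TaskName  = 'Example SYSTEM Task'   # hypothetical
$TaskPath  = '\ExampleTasks\'        # hypothetical
$SystemSid = 'S-1-5-18'              # well-known SID of LocalSystem

# Resolve the SID to a display name for logging only. The name can be
# localized; the SID is the same on every Windows installation.
$SidObject  = [System.Security.Principal.SecurityIdentifier]::new($SystemSid)
$SystemName = $SidObject.Translate([System.Security.Principal.NTAccount]).Value
Write-Host "Registering '$TaskName' for $SystemName ($SystemSid)"

# Placeholder action that does nothing; a real task would run its update logic.
$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -Command "exit 0"'
$Trigger = New-ScheduledTaskTrigger -Daily -At '03:00'   # constructed schedule

# The principal is given as a SID, so no account-name lookup is involved and
# the task does not depend on any administrator account continuing to exist.
$Principal = New-ScheduledTaskPrincipal -UserId $SystemSid `
    -LogonType ServiceAccount -RunLevel Highest
$Settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 10)

# -Force replaces an existing task of the same name, so re-running is safe.
Register-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath `
    -Action $Action -Trigger $Trigger -Principal $Principal `
    -Settings $Settings -Force | Out-Null

# Verify: read the task back and confirm its principal maps to the SYSTEM SID.
$Registered = Get-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath
$Account    = [System.Security.Principal.NTAccount]::new($Registered.Principal.UserId)
$ActualSid  = $Account.Translate([System.Security.Principal.SecurityIdentifier]).Value
if ($ActualSid -ne $SystemSid) {
    throw "Task principal resolved to $ActualSid, expected $SystemSid"
}
Write-Host "Verified: task runs as $($Registered.Principal.UserId) ($ActualSid)"

# Clean up the example task:
# Unregister-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath -Confirm:$false
```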