Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md
Added Multifactor Authentication to the BitLocker category. When you run the BitLocker category, you are presented with a choice between the Normal and Enhanced security levels. The Normal security level is the previous method, where the OS drive (your device) needed TPM + Startup PIN to be unlocked. The Enhanced security level adds one more factor, requiring an external flash drive containing a startup key to be inserted into the device before pre-boot authentication.
So, with the Enhanced security level of BitLocker, you have to enter a Startup PIN and have a flash drive containing the startup key in order to unlock your device. The TPM also only releases its part of the volume key when the measured boot state matches what it was sealed against. These three factors (something you know, something you have, and a secret bound to this device's TPM) make up real multifactor authentication and make it very hard for an unauthorized person with physical access to boot or read the device. The Readme has also been updated with information regarding this additional feature.
Fixed a problem with OneDrive's Personal Vault: it would not initialize while a certain BitLocker policy was active. The policy was "Full disk encryption for fixed data drives", and it is removed in this update. It enforces encryption of the full disk instead of only the used space, and because Personal Vault is itself a BitLocker-protected volume, the fixed-data-drive policy applied to it too. The Microsoft Security Baselines don't enable this policy. After careful consideration, the conclusion was that it should be removed to fix the Personal Vault initialization problem; it is also not necessary, because the Harden Windows Security module and script already encrypt drives in full (used space + free space) to ensure maximum protection and confidentiality of data at rest.
The Enable-BitLocker PowerShell cmdlet encrypts the entire disk by default unless the optional [-UsedSpaceOnly] parameter is used, which is not the case in the module/script.
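The following is an added example, not the module's own code, that enables the Enhanced level described above on the OS drive and then checks both points from the two notes: that the three-factor protector is present and that the drive is fully encrypted rather than used-space-only. It assumes a TPM-equipped machine, the OS on C:, a removable drive mounted at E:\ to receive the startup key, and that the "Require additional authentication at startup" policy already permits TPM + PIN + startup key (the module's BitLocker category is responsible for that; here it is an assumption).

```powershell
# Added example, not the module's code. Assumptions: TPM present, OS drive is C:,
# a removable drive at E:\ will hold the .BEK startup key, and policy allows TPM+PIN+key.
#Requires -RunAsAdministrator

[System.String]$OSDrive        = 'C:'
[System.String]$StartupKeyPath = 'E:\'   # assumption: removable drive for the startup key

# Read the startup PIN without echoing it; Enable-BitLocker requires a SecureString.
[System.Security.SecureString]$Pin = Read-Host -Prompt 'Enter the BitLocker startup PIN' -AsSecureString

# Enhanced level: TPM + PIN + startup key. No -UsedSpaceOnly, so used and free space
# are both encrypted (Enable-BitLocker's default behaviour).
Enable-BitLocker -MountPoint $OSDrive `
    -TpmAndPinAndStartupKeyProtector `
    -Pin $Pin `
    -StartupKeyPath $StartupKeyPath `
    -EncryptionMethod XtsAes256 `
    -SkipHardwareTest

# Always add a recovery password too, so a changed boot measurement or a lost
# flash drive does not lock you out permanently.
$null = Add-BitLockerKeyProtector -MountPoint $OSDrive -RecoveryPasswordProtector

# Check 1: the protector list must contain the three-factor protector and a recovery password.
$Volume = Get-BitLockerVolume -MountPoint $OSDrive
[System.String[]]$ProtectorTypes = $Volume.KeyProtector.KeyProtectorType
if ($ProtectorTypes -notcontains 'TpmPinAndStartupKey') { throw 'Enhanced (TPM+PIN+startup key) protector is missing' }
if ($ProtectorTypes -notcontains 'RecoveryPassword')    { throw 'Recovery password protector is missing' }

# Check 2: Get-BitLockerVolume does not report whether only used space was encrypted,
# but manage-bde's "Conversion Status" line does, so parse that.
[System.String]$Status = (& manage-bde.exe -status $OSDrive) -join "`n"
if ($Status -match 'Used Space Only Encrypted') { throw "$OSDrive is used-space-only encrypted, not full-disk" }

$Volume | Select-Object MountPoint, VolumeStatus, EncryptionMethod, EncryptionPercentage
```

Encryption of free space continues in the background after the cmdlet returns; EncryptionPercentage shows progress, and the "Used Space Only" check is meaningful regardless of that percentage because it reflects the conversion mode, not how far conversion has got.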
The latest Microsoft Security Baselines (23H2) state that support for the WinVerifyTrust Signature Validation policy (a.k.a. certificate padding check) was added, but the implementation is not correct. More info in the comments section of this Microsoft Tech Community article. That is why this update applies the certificate padding check through registry keys until the problem is officially resolved.
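As an added example (not the module's code), this applies the certificate padding check through the registry values Microsoft documented for KB2915720 / MS13-098 and then verifies the value type and content, which is the check a practitioner wants when a policy template is suspected of writing the setting incorrectly. The key paths and the REG_SZ value "1" are from that KB; nothing here claims what the 23H2 baseline does wrong.

```powershell
# Added example, not the module's code. Values per KB2915720: EnableCertPaddingCheck = "1" (REG_SZ)
# under both the native and the WOW6432Node Wintrust\Config keys.
#Requires -RunAsAdministrator

[System.String[]]$ConfigKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
)

foreach ($Key in $ConfigKeys) {
    if (-not (Test-Path -LiteralPath $Key)) { $null = New-Item -Path $Key -Force }
    # The documented type is REG_SZ. A DWORD with the same numeric value is a different
    # registry type, so -Type String is stated explicitly rather than left to inference.
    Set-ItemProperty -LiteralPath $Key -Name 'EnableCertPaddingCheck' -Value '1' -Type String
}

# Verify: the value must exist, be a String, and equal "1" under both keys.
foreach ($Key in $ConfigKeys) {
    $Item  = Get-Item -LiteralPath $Key
    $Value = $Item.GetValue('EnableCertPaddingCheck')
    $Kind  = $Item.GetValueKind('EnableCertPaddingCheck')
    if ($Kind -ne [Microsoft.Win32.RegistryValueKind]::String -or $Value -ne '1') {
        throw "Certificate padding check is not set correctly under $Key (kind=$Kind, value=$Value)"
    }
    "OK: $Key -> EnableCertPaddingCheck = '$Value' ($Kind)"
}
```

Run the verification loop on its own against a machine that only has the baseline applied to see whether the value the baseline wrote passes the same type-and-content check.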
When using the Unprotect-WindowsSecurity cmdlet, during the restoration of security group policies the cmdlet now only restores settings that were changed by the Protect-WindowsSecurity cmdlet, excluding the ones applied by the Microsoft Security Baselines. This allows for a more surgical and careful restoration and prevents accidental changes to settings the Baselines own.
The BitLocker category now saves the recovery password in the same format as Windows does when using the GUI to encrypt a drive.
The BitLocker category now has a much better UX and logic.
Fixed hibernate file size detection logic.
The scheduled task for updating the Microsoft recommended driver block rules now only runs if there is a network connection, since it needs to download the latest block list from the official MSFT servers and apply it to the system. If it fails, it retries every 6 hours, up to 4 times.
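Here is an added example, not the module's own task definition, of registering a task with exactly those two properties: it does not start unless a network is available, and on failure the Task Scheduler retries every 6 hours up to 4 times. The task name, the updater script path and the weekly trigger are placeholders; the verification at the end reads the settings back from the registered task rather than trusting the cmdlet call.

```powershell
# Added example, not the module's code. Placeholders: task name, script path, trigger time.
#Requires -RunAsAdministrator

[System.String]$TaskName   = 'Example-DriverBlockRulesUpdate'                      # placeholder
[System.String]$ScriptPath = 'C:\ProgramData\Example\Update-DriverBlockRules.ps1'  # placeholder

$Action = New-ScheduledTaskAction -Execute 'pwsh.exe' `
    -Argument "-NoProfile -File `"$ScriptPath`""

# Weekly trigger (placeholder schedule).
$Trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 9am

# Run as SYSTEM: applying a code-integrity policy needs elevated rights.
$Principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# The two settings from the release note: network required, and 4 retries 6 hours apart.
# -StartWhenAvailable runs a missed schedule once the machine is back up.
$Settings = New-ScheduledTaskSettingsSet `
    -RunOnlyIfNetworkAvailable `
    -RestartCount 4 `
    -RestartInterval (New-TimeSpan -Hours 6) `
    -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Hours 1)

$null = Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Principal $Principal -Settings $Settings -Force

# Verify against what the scheduler actually stored (RestartInterval is an ISO 8601 duration).
$Stored = (Get-ScheduledTask -TaskName $TaskName).Settings
if (-not $Stored.RunOnlyIfNetworkAvailable) { throw 'RunOnlyIfNetworkAvailable is not set' }
if ($Stored.RestartCount -ne 4)             { throw "RestartCount is $($Stored.RestartCount), expected 4" }
if ($Stored.RestartInterval -ne 'PT6H')     { throw "RestartInterval is $($Stored.RestartInterval), expected PT6H" }
"OK: $TaskName runs only with network; retries $($Stored.RestartCount) times every $($Stored.RestartInterval)"
```

Note that RestartCount/RestartInterval only apply when the action process exits with a failure code, so the updater script itself must exit non-zero on a failed download (for example by letting Invoke-WebRequest's error terminate it) for the retry to kick in.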
Improved variable types to be more explicit and safe. Using full variable type names instead of their aliases.
Using 'Unrestricted' instead of 'Bypass' when setting the execution policy for the current process. Unrestricted is more secure than Bypass because if a script is code-signed and then tampered with, you will see an error, whereas in Bypass mode no code-signature tamper detection happens at all. The execution policy is also saved before the script runs and restored at the end.
Improved Hyper-V group member detection by using SIDs instead of account names. This makes it more robust, and the comparison logic has also been improved. The change works in situations where usernames contain non-Latin characters or multiple spaces, or where the username is the same as the computer name, which broke name-based comparison.
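An added example (not the module's code) of the SID-based check: it resolves the Hyper-V Administrators group by its well-known SID S-1-5-32-578 instead of by name, and compares the caller's SID against the members' SIDs, so neither the group's localized name nor the display form of the user name matters.

```powershell
# Added example, not the module's code: group membership by SID rather than by name.

function Test-HyperVAdminMembership {
    [OutputType([System.Boolean])]
    param(
        # SID of the account to test; defaults to the current user.
        [System.Security.Principal.SecurityIdentifier]$AccountSid =
            [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    )
    # Well-known SID of BUILTIN\Hyper-V Administrators; identical on every Windows install.
    [System.Security.Principal.SecurityIdentifier]$HyperVAdminsSid = 'S-1-5-32-578'

    # Resolve the group by SID and get members with their SIDs, so the comparison is between
    # SecurityIdentifier objects, not "COMPUTER\name" strings that break with non-Latin
    # characters, repeated spaces, or a user whose name equals the computer name.
    [System.Object[]]$Members = @(Get-LocalGroupMember -SID $HyperVAdminsSid -ErrorAction Stop)

    foreach ($Member in $Members) {
        if ($Member.SID -eq $AccountSid) { return $true }
    }
    return $false
}

$Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"User: $($Identity.Name)   SID: $($Identity.User.Value)"
"Member of Hyper-V Administrators (by SID): $(Test-HyperVAdminMembership)"
```

-ErrorAction Stop is deliberate: if Get-LocalGroupMember cannot enumerate the group (for instance because it contains an unresolvable member), the function throws instead of quietly returning $false and being read as "not a member".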
The required PowerShell version is now the latest, 7.4.0. It has many new features, one of which is the -ProgressAction common parameter. Using this new common parameter and setting it to SilentlyContinue for the Invoke-WebRequest and Invoke-RestMethod cmdlets allows the custom Invoke-WithoutProgress function to be removed, since it is no longer necessary.
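The script preamble below is an added example, not the module's own code, that puts the two preceding notes together: it requires PowerShell 7.4, saves the process-scope execution policy, raises it to Unrestricted instead of Bypass, restores it in a finally block whether or not the body throws, and silences the download progress bar per call with -ProgressAction rather than through a wrapper that flips $ProgressPreference. The download URL is assumed to be Microsoft's published vulnerable-driver block list location; the output path is a placeholder.

```powershell
# Added example, not the module's code. Assumes the aka.ms URL below serves the block list zip.
#Requires -Version 7.4

# Save the current process-scope policy so it can be put back exactly as it was.
[Microsoft.PowerShell.ExecutionPolicy]$PreviousPolicy = Get-ExecutionPolicy -Scope Process

try {
    # Unrestricted (not Bypass): per the release note, a signed-then-tampered script still
    # fails its signature check here, while Bypass performs no check at all.
    Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force

    # Before 7.4 the progress bar could only be suppressed by setting $ProgressPreference in a
    # helper around the call; the common parameter now does it for this one invocation only.
    [System.String]$Uri     = 'https://aka.ms/VulnerableDriverBlockList'   # assumption
    [System.String]$OutFile = Join-Path -Path $env:TEMP -ChildPath 'VulnerableDriverBlockList.zip'  # placeholder

    $Response = Invoke-WebRequest -Uri $Uri -OutFile $OutFile -PassThru -ProgressAction SilentlyContinue
    "Downloaded $((Get-Item -LiteralPath $OutFile).Length) bytes (HTTP $($Response.StatusCode)) to $OutFile"
}
finally {
    # Runs even if the download throws, so the process never keeps the elevated policy.
    Set-ExecutionPolicy -ExecutionPolicy $PreviousPolicy -Scope Process -Force
}
```

Because Get-ExecutionPolicy -Scope Process returns Undefined when nothing was set for the process, restoring that value is exactly right: it hands control back to the user, machine or Group Policy scope that applied before the script ran.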
Added Steps Recorder removal to the Optional Windows Features category, as it is deprecated.