HotCakeX / Harden-Windows-Security

Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md
https://hotcakex.github.io
MIT License

Harden Windows Security Module v0.2.7 #161

Closed HotCakeX closed 8 months ago

HotCakeX commented 9 months ago

What's Changed

  1. Improved best practices in the code.

  2. Added a progress bar to the Unprotect-WindowsSecurity cmdlet; now all the cmdlets of the module have progress bars!

  3. The Unprotect-WindowsSecurity cmdlet now prompts for confirmation using native PowerShell methods. This prompt can be bypassed if you use the familiar -Force parameter, useful when not running this module interactively.

  4. Removed untrusted font blocking which was an optional additional policy in the Miscellaneous category. The reason for its removal is mentioned here and its removal was suggested a while ago in this repo as well. The reason why it's finally being removed is that it can cause some blocked fonts logs to be generated for 1st party inbox apps such as OneDrive.

  5. Removed the UAC: Behavior of the elevation prompt for standard users policy from the User Account Control (UAC) category because it's already being applied by Microsoft Security Baselines. The security baselines correctly prevent any elevation request on Standard user accounts.

    • The compliance checking and verification for this policy continues to exist in the Confirm-SystemCompliance cmdlet.

    • For highly secure scenarios, use a Standard account for regular everyday tasks, and if you want to perform administrative tasks such as installing a program system-wide or changing system settings, completely log out of the Standard account and log into an Administrator account, perform the tasks, then completely log out and log back into the Standard account to continue your work. No fast user switching.

  6. The module now supports environments where C is not the OS drive's label.

  7. Made the policy that requires CTRL + ALT + DEL at lock screen optional for accessibility reasons. It's in the lock screen category.

  8. Added CSP links for the policies included in the compliance checking CSV file.
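
The confirmation prompt and -Force bypass described in item 3, together with the progress bar from item 2, sketched as an added example; this is not the module's own code. The function name `Invoke-HypotheticalRevert` and the step names are hypothetical, and the pattern shown is the standard PowerShell `SupportsShouldProcess` idiom, assumed here to be what "native PowerShell methods" refers to.

```powershell
function Invoke-HypotheticalRevert {
    # ConfirmImpact 'High' makes PowerShell prompt by default, because the
    # default $ConfirmPreference is also 'High'.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param (
        # Lets non-interactive callers (scheduled tasks, remoting) skip the prompt.
        [Parameter(Mandatory = $false)]
        [switch]$Force
    )

    # -Force suppresses the prompt, but an explicit -Confirm from the caller still wins.
    if ($Force -and -not $PSBoundParameters.ContainsKey('Confirm')) {
        $ConfirmPreference = 'None'
    }

    # One prompt for the whole operation; -WhatIf also short-circuits here.
    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Remove applied hardening measures')) {
        return
    }

    # Constructed placeholder steps standing in for the real revert work.
    $Steps = 'Hypothetical step A', 'Hypothetical step B', 'Hypothetical step C'
    $Completed = [System.Collections.Generic.List[string]]::new()

    for ($i = 0; $i -lt $Steps.Count; $i++) {
        $Percent = [int](($i / $Steps.Count) * 100)
        Write-Progress -Activity 'Reverting' -Status $Steps[$i] -PercentComplete $Percent
        $Completed.Add($Steps[$i])
    }

    Write-Progress -Activity 'Reverting' -Completed
    return $Completed
}

# Interactive use prompts once; automation passes -Force; -WhatIf only reports.
Invoke-HypotheticalRevert -Force
Invoke-HypotheticalRevert -WhatIf
```

With this idiom, an unattended run that omits -Force stops at the prompt instead of silently removing protections, which is the safe failure direction for a cmdlet that undoes hardening.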