Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md
Added Intune policies to the repository for enterprise folks who want to quickly and easily add the same policies described in the Readme page to their environment. They are clear-text JSON files supported natively in the Intune portal. In the future this can be automated by the Harden Windows Security module.
Added device compliance policy to the repository which can be used via Microsoft Graph API to import it to your Intune portal for secure device compliance policy for Windows OS devices.
Blog/Wiki post coming soon.
Added preliminary code for compliance checking with the `Confirm-SystemCompliance` cmdlet on enterprise systems that have Intune policies applied to them. So far only the Attack Surface Reduction category is fully supported; in the very near future, all of the applicable categories will be supported.
Fixed a bug where, if you used `cd` to change the directory in PowerShell after loading the module, the `Confirm-SystemCompliance` cmdlet would fail due to relative path usage. -> https://github.com/HotCakeX/Harden-Windows-Security/issues/298
Fixed a typo: Synching -> Syncing
The TLS category items in the `Confirm-SystemCompliance` results have more descriptive names.
Updated the BitLocker group policy to disallow TPM-only encryption for the OS drive. TPM-only encryption is insecure and needs to be coupled with a startup PIN, a startup key, or both; the Harden Windows Security module offers these options.
Before:
After:
> [!IMPORTANT]
> "Do not allow TPM" means "do not allow TPM-only encryption".
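As an added example (not the module's own code), a PowerShell check in the spirit of `Confirm-SystemCompliance` that reports whether the OS drive is protected by a TPM-only key protector and reads the policy value behind the setting shown above. The `FVE` registry path and the `UseTPM` value mapping are assumed from the BitLocker ADMX templates, and `Get-BitLockerVolume` needs an elevated session.

```powershell
# Added example, not part of the Harden Windows Security module.
# A TPM-only configuration shows up as a 'Tpm' key protector with no
# 'TpmPin', 'TpmStartupKey' or 'TpmPinStartupKey' protector beside it.
function Test-OsDriveTpmOnly {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $types  = @($volume.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    $hasTpmOnly  = $types -contains 'Tpm'
    $hasTpmPlus  = ($types -contains 'TpmPin') -or
                   ($types -contains 'TpmStartupKey') -or
                   ($types -contains 'TpmPinStartupKey')

    [pscustomobject]@{
        MountPoint        = $volume.MountPoint
        ProtectionStatus  = $volume.ProtectionStatus
        KeyProtectorTypes = ($types -join ', ')
        TpmOnly           = ($hasTpmOnly -and -not $hasTpmPlus)
        # Compliant means: protection is on and the TPM is coupled with a PIN and/or startup key.
        Compliant         = (($volume.ProtectionStatus -eq 'On') -and $hasTpmPlus)
    }
}

# Reads the "Require additional authentication at startup" policy value.
# Assumed mapping from the ADMX: UseTPM 0 = Do not allow, 1 = Require, 2 = Allow.
function Get-TpmStartupPolicy {
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $value = (Get-ItemProperty -Path $key -Name 'UseTPM' -ErrorAction SilentlyContinue).UseTPM
    switch ($value) {
        0       { 'Do not allow TPM (TPM-only encryption is blocked)' }
        1       { 'Require TPM' }
        2       { 'Allow TPM' }
        default { 'Not configured' }
    }
}

Test-OsDriveTpmOnly
Get-TpmStartupPolicy
```

A drive that reports `TpmOnly = True` is exactly the case the updated group policy prevents for new encryptions; existing volumes keep their protectors until a PIN or startup key protector is added.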