Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md
What's New
Added a default file name, based on the current date, for when you select the Log Path button on the Protect tab. Previously the name was empty, and if you wanted to quickly press the button to save the logs you had to type something at random; now a meaningful name is available by default, reducing the need for extra key presses.
Added a new button to the Logs tab called "Clear Logs". It clears the logs on the GUI screen when pressed.
Added the ability to enable Sudo to the optional overrides of the Microsoft Security Baselines. The baselines for 24H2 disable the ability to use Sudo. This override does not enable Sudo; it simply allows the user to enable Sudo from Windows Settings if they want to. When Microsoft Security Baselines disable Sudo, it becomes hidden from Windows Settings too. Enabling Sudo requires Administrator privileges; Standard (unelevated) users cannot enable Sudo.
Windows Networking
Added 2 new policies that set the minimum required version of SMB for clients and servers to be the latest version which currently is 3.1.1. Microsoft Security Baselines for 24H2 configure this policy to 3.0.0 which is too old. 3.1.1 was introduced many years ago with Windows 10 and it is the most secure SMB version.
Added a new policy to block NTLM completely for SMB.
Added a new policy to require encryption for SMB clients.
Moved the policy that enables SMB server encryption, from the Miscellaneous category, to the Windows Networking category, so it can be next to the rest of the relevant policies.
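To check the SMB settings listed above on a machine, the following added example (not code from the Harden Windows Security project) compares the values reported by the built-in `Get-SmbClientConfiguration` and `Get-SmbServerConfiguration` cmdlets against the expected ones. It assumes Windows 11 24H2 or later, an elevated session, and that the dialect property renders as `SMB311`, the name the matching `Set-` cmdlets accept.

```powershell
# Added example: audit the SMB settings named in these release notes.
# Run in an elevated PowerShell session on Windows 11 24H2 or later.

# Expected values. Assumption: Smb2DialectMin stringifies to 'SMB311',
# the same name accepted by Set-SmbClientConfiguration -Smb2DialectMin.
$expected = @(
    @{ Side = 'Client'; Name = 'Smb2DialectMin';    Want = 'SMB311' }
    @{ Side = 'Server'; Name = 'Smb2DialectMin';    Want = 'SMB311' }
    @{ Side = 'Client'; Name = 'BlockNTLM';         Want = 'True' }
    @{ Side = 'Client'; Name = 'RequireEncryption'; Want = 'True' }
    @{ Side = 'Server'; Name = 'EncryptData';       Want = 'True' }
)

# Read the live client and server SMB configuration once.
$config = @{
    Client = Get-SmbClientConfiguration
    Server = Get-SmbServerConfiguration
}

$report = foreach ($item in $expected) {
    # Older builds do not expose every property, so look it up defensively.
    $prop   = $config[$item.Side].PSObject.Properties[$item.Name]
    $actual = if ($null -eq $prop) { '<not present on this build>' }
              else { [string]$prop.Value }

    [pscustomobject]@{
        Side     = $item.Side
        Setting  = $item.Name
        Expected = $item.Want
        Actual   = $actual
        Pass     = ($actual -eq $item.Want)
    }
}

$report | Format-Table -AutoSize

if ($report.Pass -contains $false) {
    Write-Warning 'One or more SMB settings differ from the expected values.'
}
```

These cmdlets report the locally configured SMB parameters; if the output does not match what was applied through policy, confirm the applied policies with `gpresult /h` before concluding that the setting is missing.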
Device Guard
The Device Guard category is available again. It was previously removed and was only available for Compliance checks, because all of its security measures were applied by Microsoft Security Baselines 23H2 and later. In build 24H2, however, there is a new security measure called Machine Identity Isolation Configuration, and this update sets it to Enforcement mode.
The Device Guard category has also been added in full to the Readme page, with improvements. It was previously available as a Wiki page.
The Device Guard category is almost completely self-sufficient and does not depend on whether you applied the Microsoft Security Baselines category first. The one exception is the LSA with UEFI lock policy, which is applied by the Microsoft Security Baselines.
The category has been added to both the PowerShell CLI experience and the GUI (Graphical User Interface) experience when applying protections.