Privacy and security baseline for personal Windows 10 and Windows 11
This will apply basic privacy and security settings for Windows 10 and Windows 11
powershell.exe -ExecutionPolicy Unrestricted -File .\Install.ps1 -Level Basic
This is a handpicked collection of privacy and security settings for standalone Windows 10 and Windows 11 systems that tries to strike a good balance between privacy, security and usability. It uses group policy and is mainly based on Microsoft's Windows security baselines and Windows Restricted Traffic Limited Functionality Baseline.
It comes with two security levels, based on your threat profile:
Contains privacy and security settings that limit sharing of your personal information and improve the security configuration without extensively reducing performance or usability.
Includes extra security settings for individuals with a higher threat profile. This includes enterprise-grade security settings and protections against physical attacks. This might reduce usability and performance, compared to the basic level.
Install the Basic security and privacy baseline:
Run Backup.ps1 from the Utils folder. E.g. .\Backup.ps1 -OutputDir C:\tmp\
Run Install.ps1 with PowerShell with administrative privileges: .\Install.ps1 -Level Basic
Use another value for -Level to select another baseline:
-Level Basic [default] Basic security and privacy
-Level HighSecurity High security settings (assumes basic security settings are in place)
Advanced use and more granular control:
-Level BasicSecurity Basic security, with no privacy settings added
-Level BasicPrivacy Basic privacy, with no security settings added
-Level HighSecurityBitlocker A subset of high security settings: Disk encryption settings
-Level HighSecurityCredGuard A subset of high security settings: Virtualization-based security
-Level HighSecurityComputer A subset of high security settings: Computer settings
-Level HighSecurityDomain A subset of high security settings: Domain computer settings
-Level ExtremePrivacy [experimental] Privacy settings that degrade security and usability
The Install script will detect your version and apply supported settings. The current versions are supported:
In both cases, the Enterprise or Education editions of Windows are recommended. Pro will partially work, but some settings, such as telemetry, cannot be set to the desired level.
Windows Home edition is not supported.
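A pre-flight wrapper for the backup and install steps above, as an added example that is not part of the baseline project: it stops when the session is not elevated or the edition is Home, warns on Pro, and installs only after Backup.ps1 has written files. The file name Preflight.ps1, the timestamped backup subfolder and the EditionID registry check are assumptions of this example.

```powershell
# Added example (hypothetical Preflight.ps1), not part of the baseline project.
# Assumption: saved next to Install.ps1, with Backup.ps1 in the Utils subfolder.
param(
    [ValidateSet('Basic', 'HighSecurity', 'BasicSecurity', 'BasicPrivacy',
                 'HighSecurityBitlocker', 'HighSecurityCredGuard',
                 'HighSecurityComputer', 'HighSecurityDomain', 'ExtremePrivacy')]
    [string]$Level = 'Basic',
    [string]$BackupDir = 'C:\tmp\'   # sample path from the README
)

# 1. Group policy can only be changed from an elevated session.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Start PowerShell with administrative privileges and run again.'
}

# 2. Edition check. EditionID starts with "Core" on Home editions.
$edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
if ($edition -like 'Core*') {
    throw "Windows Home edition ($edition) is not supported."
}
if ($edition -like 'Professional*') {
    Write-Warning "Edition '$edition': some settings, such as telemetry, cannot be set to the desired level."
}

# 3. Both scripts must exist before anything is changed.
foreach ($file in 'Install.ps1', 'Utils\Backup.ps1') {
    if (-not (Test-Path (Join-Path $PSScriptRoot $file))) {
        throw "Missing $file under $PSScriptRoot"
    }
}

# 4. Back up the current policy into a fresh, timestamped folder.
#    The trailing backslash mirrors the README's example path.
#    Assumption: Backup.ps1 writes its files below -OutputDir.
$out = (Join-Path $BackupDir (Get-Date -Format 'yyyyMMdd-HHmmss')) + '\'
New-Item -ItemType Directory -Path $out -Force -ErrorAction Stop | Out-Null
Push-Location (Join-Path $PSScriptRoot 'Utils')
try { .\Backup.ps1 -OutputDir $out } finally { Pop-Location }
if (-not (Get-ChildItem $out -Recurse -File)) {
    throw "Backup left no files in $out; baseline not installed."
}

# 5. Apply the selected baseline level.
Push-Location $PSScriptRoot
try { .\Install.ps1 -Level $Level } finally { Pop-Location }
Write-Host "Level '$Level' applied. Previous policy saved in $out"
```

The ValidateSet values are the -Level names listed above, so a mistyped level is rejected before any backup or policy change takes place.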
Although both CIS' and Microsoft's security baselines are great, they are geared towards organizations using domain-joined computers. This baseline is made for personal/standalone computers, and includes additional settings for increased privacy.
Both are important. This baseline tries both, but there are conflicts between them. In the following cases, privacy wins over security:
Security and usability win in some cases too, detailed below:
No. Traffic to Microsoft is limited, but for usability and security reasons, the following services still send information to Microsoft:
Functionality related to Microsoft accounts, Cortana, OneDrive, Store, cloud, feedback and customer experience improvement is disabled or reduced.
Everything is customizable through group policy:
To get an overview of your current settings, run gpresult.exe /h GPreport.html with administrative privileges. Then open the report in a browser and click "Show all". Identify the setting(s) you want to change and note their path.
To change a setting, run gpedit.msc with administrative privileges, and change the setting(s) identified in the step above. The paths in the GPreport correspond to those in the gpedit tool. To reset a setting to its default state, set it to "Not configured".
The High level has the following security improvements compared to the Basic level:
The privacy settings are equal in both levels.
Download Microsoft's Policy Analyzer tool from Security Compliance Toolkit, then import GPOs to view which settings they change.
No. Only the Windows operating system and built-in Windows components are covered. There are no improvements to Microsoft Edge and Internet Explorer included here.
Don't be afraid to contribute! For now, create an issue if you see room for improvement, and we'll take it from there.
The main components of this baseline are
I learned a lot from mxk's Windows 10 and Server 2019 Secure Baseline GPO and included some adjustments based on that baseline.