l4dead/W10-Optimize-and-Harden

Optimize, Harden, and Debloat Windows 10 Deployments to Windows Best Practices and DoD STIG/SRG Requirements. The ultimate Windows 10 security and privacy script!

Optimize, Harden, and Debloat Windows 10 Deployments

Download all the required files from the GitHub Repository

We are seeking help with the following .Net issue

Introduction:

Windows 10 is an invasive and insecure operating system out of the box. Organizations like PrivacyTools.io, Microsoft, Cyber.mil, the Department of Defense, and the National Security Agency have recommended configuration changes to lockdown, harden, and secure the operating system. These changes cover a wide range of mitigations including blocking telemetry, macros, removing bloatware, and preventing many physical attacks on a system.

Notes:

This script is designed for operation in both Commercial and Personal Use environments. With that in mind, certain settings are not implemented. This script is not designed to bring a system to 100% compliance. Rather it should be used as a stepping stone to complete most, if not all, the configuration changes that can be scripted while skipping past issues like branding and banners where those should not be implemented even in a hardened personal use environment.

This script is designed in such a way that the optimizations, unlike some other scripts, will not break core windows functionality.

• Features like Windows Update, Windows Defender, the Windows Store, and Cortona have been restricted, but are not in a disfunctional state like most other Windows 10 Privacy scripts.

If you seek a minimized script targeted only to commercial environments, please see this GitHub Repository

Requirements:

• Windows 10 Enterprise (Preferred) or Windows 10 Professional
  • Windows 10 Home does not allow for GPO configurations.
  • Windows 10 "N" Editions are not tested.
• Standards for a highly secure Windows 10 device
• System is fully up to date
  • Currently Windows 10 v1909 or v2004.
  • Run the Windows 10 Upgrade Assistant to be update and verify latest major release.
• Hardware Requirements
  • Hardware Requirements for Memory Integrity
  • Hardware Requirements for Windows Defender Application Guard
  • Hardware Requirements for Windows Defender Credential Guard

Recommended reading material:

• System Guard Secure Launch
• System Guard Root of Trust
• Hardware-based Isolation
• Memory integrity
• Windows Defender Application Guard
• Windows Defender Credential Guard

A list of scripts and tools this collection utilizes:

• Microsoft Security Compliance Toolkit 1.0

• Cyber.mil - Group Policy Objects

• Sycnex - Windows10Debloater

• TheVDIGuys - Windows 10 VDI Optimize

• Mirinsoft - SharpApp

• Mirinsoft - debotnet

• NSACyber - Bitlocker Guidance

• W4H4WK - Debloat Windows 10

Additional configurations were considered from:

• NSACyber - Hardware-and-Firmware-Security-Guidance

• NSACyber - Application Whitelisting Using Microsoft AppLocker

• Whonix - Disable TCP Timestamps

• CERT - IE Scripting Engine Memory Corruption

• Dirteam - SSL Hardening

• Microsoft - Specture and Meltdown Mitigations

• Microsoft - Windows 10 Privacy

• Microsoft - Managing Windows 10 Telemetry and Callbacks

• Microsoft - Windows 10 VDI Recomendations

STIGS/SRGs Applied:

• Windows 10 V1R23

• Windows Defender Antivirus V1R9

• Windows Firewall V1R7

• Internet Explorer 11 V1R19

• Adobe Reader Pro DC Continous V1R2

• Adobe Reader Pro DC Classic V1R3

• Microsoft Office 2019/Office 365 Pro Plus V1R2

• Microsoft Office 2016 V1R2

• Microsoft Office 2013 V1R5

• Google Chrome V1R19

• Firefox V4R29

• Microsoft .Net Framework 4 V1R9 - Work in Progress

• Oracle JRE 8 V1R5

How to run the script

The script may be launched from the extracted GitHub download like this:

.\W10-Optimize-and-Harden-master\optimize-standalone.ps1

The script we will be using must be launched from the directory containing all the other files from the GitHub Repository