Harden Windows Security | Only with official documented methods | Always up to date

[pxxb1]

You're welcome, please pay attention to this note:

Software Restriction Policies were deprecated beginning with Windows 10 build 1803 and also applies to Windows Server 2019 and above. You should use Windows Defender Application Control (WDAC) or AppLocker to control what software runs.

Software Restriction Policies

Learn about Software Restriction Policies (SRP) in Windows Server 2012 and Windows 8 and find links to technical information about SRP beginning with Windows Server 2003.

learn.microsoft.com

WDAC or Windows Defender Application Control, specially the Signed version, provides unbeatable security. one of the many benefits of it over SRP and AppLocker is that it keeps the device secure at all times, including before/during/after boot process.

Does the function "copy and paste" work in WDAG for Edge?
Last time i tried it it did not so that makes the browser uneasy to handle when it comes to saving passwords and bookmarks.

 

[SpyNetGirl]

You do realize that juat about every single one of your GitHub pages is a wall of text, right? That you have to do all that explaining on Microsoft's behalf is proof positive of poor Microsoft usability.

I already said what I had to say. Microsoft documents are high level technical docs, my wiki tried to make it consumable for broader audience, that's it.

 

[SpyNetGirl]

Does the function "copy and paste" work in WDAG for Edge?
Last time i tried it it did not so that makes the browser uneasy to handle when it comes to saving passwords and bookmarks.

I see you were quoting my WDAC comment, WDAC (Windows Defender Application Control) is completely different than WDAG (Windows Defender Application Guard).

WDAG only applies to Edge and office products. the reason copy and paste function between the isolated WDAG environment and host is disabled by default is to prevent any data leak.

You can turn it on along with other features in Windows Security app. they will however pose a security threat if you intend to visit unsafe and malware containing websites in WDAG.

 

[pxxb1]

I see you were quoting my WDAC comment, WDAC (Windows Defender Application Control) is completely different than WDAG (Windows Defender Application Guard).

WDAG only applies to Edge and office products. the reason copy and paste function between the isolated WDAG environment and host is disabled by default is to prevent any data leak.

You can turn it on along with other features in Windows Security app. they will however pose a security threat if you intend to visit unsafe and malware containing websites in WDAG.

View attachment 273026

Yeah i realized my mistake afterwards, but, you did not answer the question, does it function, nowadays?

 

[SpyNetGirl]

Yeah i realized my mistake afterwards, but, you did not answer the question, does it function, nowadays?

Ah sorry, I had to finish up my work and save before turning it on and restarting my device. Yes, I tried it just now and it works. As far as I remember, every time I turned it on and restarted, it has always worked, on Windows 10 and 11.

 

[pxxb1]

Ah sorry, I had to finish up my work and save before turning it on and restarting my device. Yes, I tried it just now and it works. As far as I remember, every time I turned it on and restarted, it has always worked, on Windows 10 and 11.

Well, if it is true for you, it should be true for me.
When that feature came out it did not work, i gave it time to - about a year afterwards, still not functioning. I gave up. Been using Home since. I will try it out now again.
I hope my thanks to you now, is not pointless. Thanks.

 

[SpyNetGirl]

Created a website based off the content on the GitHub repository

Harden Windows Security

Harden Windows safely, securely using Official Microsoft methods

hotcakex.github.io

 

[simmerskool]

Created a website based off the content on the GitHub repository

Harden Windows Security

Harden Windows safely, securely using Official Microsoft methods

hotcakex.github.io

any help for those of us stuck in win10 for hardware reasons?

 

[SpyNetGirl]

any help for those of us stuck in win10 for hardware reasons?

You can run the script on your Windows 10 and more than half of the security measures will work, the other half will either not enable since they aren't simply available or they show an error in PowerShell console because the cmdlet isn't available which you should be able to safely ignore.

How old is your hardware anyway? until recently I had super old hardware too. from first half of 2017, Intel 7700k which is 7th gen. Intel is releasing 14th gen most likely this year, so realistically, every 6-7 years a new CPU is reasonable...even a 13th gen i5 is so much more powerful than 7th gen i7 and it's cheaper.

even if you have 7th gen Intel CPU, you can join Windows insider and without any tricks, use the insider builds. but anything older is honestly just too old and needs upgrade. any piece of technology that old will struggle with today's requirements.

Lots of security features are just available in new CPUs and hardware, they weren't available few years ago, Intel and AMD CPUs are way different now compared to how they were 6 years ago, many hardware security is built into them and Windows uses them too. attackers and threat actors stepped up their game.

 

[Victor M]

Created a website based off the content on the GitHub repository

Congrats on the new web site.

 

[simmerskool]

How old is your hardware anyway?

circa 2016-17 an intel Xeon ES-3620 v3 (6 cores) Appreciate the links for info.

 

[SpyNetGirl]

Created a Blog, it contains the Wiki posts on the GitHub. It also provides RSS feeds.

Windows Security Blog

Windows Security Blog, new up to date information about security features and hardening methods

spynetgirl.github.io

 

[ThorFinn]

Hi SpyNetGirl many thanks for taking the time to create Harden Windows 11 safely.

I am having an issue and hope that you can help, I have 2 Laptops same model and spec
fresh install of windows 11 ran updates then apply Harden Windows 11 safely; everything went flawless
on the first laptop bitlocker startup pin and everything else work, Now trying the second laptop a couple of weeks later
I am getting the error below.

Bitlocker is Not enabled for the System Drive Drive, activating now...
Enter a Pin for Bitlocker startup (at least 10 characters)
************
Confirm your Bitlocker Startup Pin (at least 10 characters)
************
These errors occured, run Bitlocker category again after meeting the requirements

Write-Error: Value does not fall within the expected range.

I used uppercase lowercase letters, symbols, and numbers, For example 76:gF?ibfHH>

 

[kylprq]

Hi SpyNetGirl many thanks for taking the time to create Harden Windows 11 safely.

I am having an issue and hope that you can help, I have 2 Laptops same model and spec
fresh install of windows 11 ran updates then apply Harden Windows 11 safely; everything went flawless
on the first laptop bitlocker startup pin and everything else work, Now trying the second laptop a couple of weeks later
I am getting the error below.

Bitlocker is Not enabled for the System Drive Drive, activating now...
Enter a Pin for Bitlocker startup (at least 10 characters)
************
Confirm your Bitlocker Startup Pin (at least 10 characters)
************
These errors occured, run Bitlocker category again after meeting the requirements

Write-Error: Value does not fall within the expected range.

I used uppercase lowercase letters, symbols, and numbers, For example 76:gF?ibfHH>

U got that recovery codes after applying script? it must be placed C:\ directory

 

[SpyNetGirl]

Hi SpyNetGirl many thanks for taking the time to create Harden Windows 11 safely.

I am having an issue and hope that you can help, I have 2 Laptops same model and spec
fresh install of windows 11 ran updates then apply Harden Windows 11 safely; everything went flawless
on the first laptop bitlocker startup pin and everything else work, Now trying the second laptop a couple of weeks later
I am getting the error below.

Bitlocker is Not enabled for the System Drive Drive, activating now...
Enter a Pin for Bitlocker startup (at least 10 characters)
************
Confirm your Bitlocker Startup Pin (at least 10 characters)
************
These errors occured, run Bitlocker category again after meeting the requirements

Write-Error: Value does not fall within the expected range.

I used uppercase lowercase letters, symbols, and numbers, For example 76:gF?ibfHH>

I just tried it on a clean installation with the same example PIN you gave me and it worked, on physical hardware and VM.

You haven't used any other tools/scripts/etc. to modify policies or Windows any other way, have you?

 

[ThorFinn]

Thanks for the reply no script clean fresh install.
I run the script get the error, then quit script, restart pc
decrypt drive go into gpo reset all under bitlocker to default
restart run script bitlocker work.

 

[SpyNetGirl]

Thanks for the reply no script clean fresh install.
I run the script get the error, then quit script, restart pc
decrypt drive go into gpo reset all under bitlocker to default
restart run script bitlocker work.

I did some research, looks like the problem happens when you don't have a proper TPM. Another one is about having self-encrypting drives but you said both laptops have the same specs so that shouldn't be relevant here. I've put extra checks in the script now to make sure all the requirements are met before users attempt to run it.
try using the latest version of the script from GitHub:

irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1' | iex

GitHub - HotCakeX/Harden-Windows-Security: Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Ente

Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Pers...

github.com

Do you still get error when you use a simple PIN like "12345678910" ?

just a disclaimer: I can't guarantee people use untampered Windows or what they do to their system, like bypassing Windows 11 requirements during installation etc with rufus. That's beyond the current scope of the script. I can only guarantee that the script works on a normal installation, the way it's supposed to be. I always test the script multiple times in different scenarios before introducing any changes to it and releasing it.

 

[Tume]

I noticed problem with TLS Security part. It breaks Battle.net launcher.

[BUG?] TLS Security - Break Battle.net Launcher · Issue #38 · HotCakeX/Harden-Windows-Security

 

[NormanF]

I tried this and SAC blocked Windows Security. Ouch!

SAC is smart but its not ready for prime time because with Microsoft, its an all or nothing security concept. You want the end user to be able to override an SAC decision through whitelisting. If it makes a mistake, there's currently no way to undo it.

 

[NormanF]

any help for those of us stuck in win10 for hardware reasons?

I'm running Windows 11 on a mobile workstation with an unsupported processor and 1.2 TPM. The TPM is upgradeable but the wise geniuses at Infineon elected not to provide an upgrade installer. Apart from that Windows 11 runs without issues.