Harden Windows Security | Only with official documented methods | Always up to date

pxxb1

Level 9
Verified
Well-known
Jan 17, 2018
436
You're welcome, please pay attention to this note:

Software Restriction Policies were deprecated beginning with Windows 10 build 1803 and also applies to Windows Server 2019 and above. You should use Windows Defender Application Control (WDAC) or AppLocker to control what software runs.


WDAC or Windows Defender Application Control, especially the Signed version, provides unbeatable security. One of the many benefits of it over SRP and AppLocker is that it keeps the device secure at all times, including before/during/after the boot process.

Does the function "copy and paste" work in WDAG for Edge?
Last time I tried it, it did not, so that makes the browser uneasy to handle when it comes to saving passwords and bookmarks.
 

SpyNetGirl

Level 3
Thread author
Jan 30, 2023
96
You do realize that just about every single one of your GitHub pages is a wall of text, right? That you have to do all that explaining on Microsoft's behalf is proof positive of poor Microsoft usability.

I already said what I had to say. Microsoft documents are high level technical docs, my wiki tried to make it consumable for broader audience, that's it.
 

SpyNetGirl

Level 3
Thread author
Jan 30, 2023
96
Does the function "copy and paste" work in WDAG for Edge?
Last time I tried it, it did not, so that makes the browser uneasy to handle when it comes to saving passwords and bookmarks.

I see you were quoting my WDAC comment. WDAC (Windows Defender Application Control) is completely different from WDAG (Windows Defender Application Guard).

WDAG only applies to Edge and Office products. The reason the copy and paste function between the isolated WDAG environment and the host is disabled by default is to prevent any data leak.

You can turn it on along with other features in the Windows Security app. They will, however, pose a security threat if you intend to visit unsafe and malware-containing websites in WDAG.
 

pxxb1

Level 9
Verified
Well-known
Jan 17, 2018
436
I see you were quoting my WDAC comment. WDAC (Windows Defender Application Control) is completely different from WDAG (Windows Defender Application Guard).

WDAG only applies to Edge and Office products. The reason the copy and paste function between the isolated WDAG environment and the host is disabled by default is to prevent any data leak.

You can turn it on along with other features in the Windows Security app. They will, however, pose a security threat if you intend to visit unsafe and malware-containing websites in WDAG.

Yeah, I realized my mistake afterwards, but you did not answer the question: does it function nowadays?
 

pxxb1

Level 9
Verified
Well-known
Jan 17, 2018
436
Ah sorry, I had to finish up my work and save before turning it on and restarting my device. Yes, I tried it just now and it works. As far as I remember, every time I turned it on and restarted, it has always worked, on Windows 10 and 11.

Well, if it is true for you, it should be true for me.
When that feature came out it did not work; I gave it time, and about a year afterwards it was still not functioning. I gave up. I've been using Home since. I will try it out now again.
I hope my thanks to you now is not pointless. Thanks.
 

SpyNetGirl

Level 3
Thread author
Jan 30, 2023
96
any help for those of us stuck in win10 for hardware reasons?

You can run the script on your Windows 10 and more than half of the security measures will work. The other half will either not enable, since they simply aren't available, or they will show an error in the PowerShell console because the cmdlet isn't available, which you should be able to safely ignore.

How old is your hardware anyway? Until recently I had super old hardware too, from the first half of 2017: an Intel 7700K, which is 7th gen. Intel is releasing 14th gen most likely this year, so realistically, a new CPU every 6-7 years is reasonable... Even a 13th gen i5 is so much more powerful than a 7th gen i7, and it's cheaper.

Even if you have a 7th gen Intel CPU, you can join Windows Insider and, without any tricks, use the Insider builds. But anything older is honestly just too old and needs an upgrade. Any piece of technology that old will struggle with today's requirements.

Lots of security features are only available in new CPUs and hardware; they weren't available a few years ago. Intel and AMD CPUs are way different now compared to how they were 6 years ago: much hardware security is built into them and Windows uses it too. Attackers and threat actors stepped up their game.
 

ThorFinn

New Member
Feb 16, 2023
3
Hi SpyNetGirl many thanks for taking the time to create Harden Windows 11 safely.

I am having an issue and hope that you can help. I have 2 laptops, same model and spec.
Fresh install of Windows 11, ran updates, then applied Harden Windows 11 safely; everything went flawlessly.
On the first laptop the BitLocker startup PIN and everything else work. Now, trying the second laptop a couple of weeks later,
I am getting the error below.

Bitlocker is Not enabled for the System Drive Drive, activating now...
Enter a Pin for Bitlocker startup (at least 10 characters)
************
Confirm your Bitlocker Startup Pin (at least 10 characters)
************
These errors occured, run Bitlocker category again after meeting the requirements

Write-Error: Value does not fall within the expected range.

I used uppercase and lowercase letters, symbols, and numbers. For example: 76:gF?ibfHH>
 

kylprq

Level 4
Verified
Jul 26, 2018
146
Hi SpyNetGirl many thanks for taking the time to create Harden Windows 11 safely.

I am having an issue and hope that you can help. I have 2 laptops, same model and spec.
Fresh install of Windows 11, ran updates, then applied Harden Windows 11 safely; everything went flawlessly.
On the first laptop the BitLocker startup PIN and everything else work. Now, trying the second laptop a couple of weeks later,
I am getting the error below.

Bitlocker is Not enabled for the System Drive Drive, activating now...
Enter a Pin for Bitlocker startup (at least 10 characters)
************
Confirm your Bitlocker Startup Pin (at least 10 characters)
************
These errors occured, run Bitlocker category again after meeting the requirements

Write-Error: Value does not fall within the expected range.

I used uppercase and lowercase letters, symbols, and numbers. For example: 76:gF?ibfHH>

Did you get the recovery codes after applying the script? They must be placed in the C:\ directory.
 

SpyNetGirl

Level 3
Thread author
Jan 30, 2023
96
Hi SpyNetGirl many thanks for taking the time to create Harden Windows 11 safely.

I am having an issue and hope that you can help. I have 2 laptops, same model and spec.
Fresh install of Windows 11, ran updates, then applied Harden Windows 11 safely; everything went flawlessly.
On the first laptop the BitLocker startup PIN and everything else work. Now, trying the second laptop a couple of weeks later,
I am getting the error below.

Bitlocker is Not enabled for the System Drive Drive, activating now...
Enter a Pin for Bitlocker startup (at least 10 characters)
************
Confirm your Bitlocker Startup Pin (at least 10 characters)
************
These errors occured, run Bitlocker category again after meeting the requirements

Write-Error: Value does not fall within the expected range.

I used uppercase and lowercase letters, symbols, and numbers. For example: 76:gF?ibfHH>

I just tried it on a clean installation with the same example PIN you gave me and it worked, on physical hardware and VM.

You haven't used any other tools/scripts/etc. to modify policies or Windows any other way, have you?
 

ThorFinn

New Member
Feb 16, 2023
3
Thanks for the reply. No script, clean fresh install.
I ran the script and got the error, then quit the script, restarted the PC,
decrypted the drive, went into GPO and reset everything under BitLocker to default,
restarted, ran the script, and BitLocker works.
 

SpyNetGirl

Level 3
Thread author
Jan 30, 2023
96
Thanks for the reply. No script, clean fresh install.
I ran the script and got the error, then quit the script, restarted the PC,
decrypted the drive, went into GPO and reset everything under BitLocker to default,
restarted, ran the script, and BitLocker works.

I did some research; it looks like the problem happens when you don't have a proper TPM. Another cause is having self-encrypting drives, but you said both laptops have the same specs, so that shouldn't be relevant here. I've put extra checks in the script now to make sure all the requirements are met before users attempt to run it.
Try using the latest version of the script from GitHub:

irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1' | iex


Do you still get the error when you use a simple PIN like "12345678910"?

Just a disclaimer: I can't guarantee people use untampered Windows or what they do to their system, like bypassing Windows 11 requirements during installation etc. with Rufus. That's beyond the current scope of the script. I can only guarantee that the script works on a normal installation, the way it's supposed to be. I always test the script multiple times in different scenarios before introducing any changes to it and releasing it.
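The kind of prerequisite check described in this reply, as an added example that is not code from the Harden-Windows-Security script: it confirms the cmdlets exist on this build, that a TPM is present and ready, that the drive is not already protected, and that the chosen PIN satisfies both the script's 10-character minimum and the BitLocker policy values under HKLM\SOFTWARE\Policies\Microsoft\FVE (UseEnhancedPin, MinimumPIN). The function name and the elevated-session assumption are mine.

```powershell
# Added example, not part of the Harden-Windows-Security script.
# Assumes an elevated PowerShell session on Windows 10/11 with the BitLocker
# and TrustedPlatformModule modules available.
function Test-BitLockerPinPrerequisites {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][securestring]$Pin,
        [string]$MountPoint = $env:SystemDrive,   # usually "C:"
        [int]$MinimumPinLength = 10               # the script's own requirement
    )
    $problems = [System.Collections.Generic.List[string]]::new()

    # On older builds a cmdlet may simply be missing; report it instead of throwing.
    foreach ($cmd in 'Get-Tpm', 'Get-BitLockerVolume') {
        if (-not (Get-Command $cmd -ErrorAction SilentlyContinue)) {
            $problems.Add("cmdlet $cmd is not available on this build")
        }
    }
    if ($problems.Count) { return $problems }

    # A TPM+PIN protector needs a TPM that is both present and ready.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent)   { $problems.Add('no TPM detected') }
    elseif (-not $tpm.TpmReady) { $problems.Add('TPM is present but not ready') }

    # The system drive must not already have protection turned on.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') { $problems.Add("$MountPoint already has BitLocker protection on") }

    # Policy: enhanced PINs (letters/symbols) are only accepted when UseEnhancedPin is set;
    # MinimumPIN overrides the OS default minimum of 6, and the maximum is 20.
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $enhanced = [bool]$pol.UseEnhancedPin
    $required = [Math]::Max($MinimumPinLength, $(if ($pol.MinimumPIN) { [int]$pol.MinimumPIN } else { 6 }))

    # Materialise the PIN text only long enough to validate it, then drop the plain copy.
    $plain = [System.Net.NetworkCredential]::new('', $Pin).Password
    if ($plain.Length -lt $required) { $problems.Add("PIN is shorter than the required $required characters") }
    if ($plain.Length -gt 20)        { $problems.Add('PIN is longer than the 20-character maximum') }
    if (-not $enhanced -and $plain -notmatch '^\d+$') {
        $problems.Add('PIN contains letters or symbols but the UseEnhancedPin policy is not set')
    }
    $plain = $null
    return $problems
}

# Usage: an empty result means the TPM+PIN protector can be added.
$issues = Test-BitLockerPinPrerequisites -Pin (Read-Host -AsSecureString 'Startup PIN')
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { Write-Host 'BitLocker PIN prerequisites met' }
```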
 

NormanF

Level 7
Verified
Jan 11, 2018
343
any help for those of us stuck in win10 for hardware reasons?

I'm running Windows 11 on a mobile workstation with an unsupported processor and 1.2 TPM. The TPM is upgradeable but the wise geniuses at Infineon elected not to provide an upgrade installer. Apart from that Windows 11 runs without issues.
 
