WindowsConfig.ps1

1. # Windows 10 Inital Setup configuration script
2. ##
3.  
4. # DISCLAMER: This script is provided "as-is" and must be modified to fit your envrionment
5. # The original developer cannot be held accountable for your failure to read the fine print
6. ##
7.  
8. Write-Host
9. Write-Host "WARNING!!! Serious system instability can ocour if this script is interrupted" -ForegroundColor Black -BackgroundColor White
10. Write-Host "Please take this time to create a restore image of your system, so that if this script fails, you can restore to a fresh install" -ForegroundColor Black -BackgroundColor White
11. Write-Host
12. Write-Host "DISCLAMER: This script is provided 'as-is' and must be modified to fit your envrionment" -ForegroundColor Black -BackgroundColor White
13. Write-Host "The original developer cannot be held accountable for your failure to read the fine print" -ForegroundColor Black -BackgroundColor White
14. Write-Host "By pressing 'Enter' you accept these terms, If you do not agree, end this program" -ForegroundColor Black -BackgroundColor White
15. $key = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
16.  
17. # Ask for elevated permission
18. ##
19. If (!([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")) {
20.     Start-Process powershell.exe "-noProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`"" -Verb RunAs
21.     Exit
22. }
23.  
24. ##
25. # Privicy Settings
26. ##
27.  
28. Write-Host
29. Write-Host "##"
30. Write-Host "# Modifing Privicy Settings #"
31. Write-Host "##"
32. Write-Host
33.  
34. # Disable Telemetry
35. ##
36. Write-Host "Disabling Telemetry"
37.  
38. Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" -Name "AllowTelemetry" -Type DWord -Value 0
39. Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Name "AllowTelemetry" -Type DWord -Value 0
40. Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection" -Name "AllowTelemetry" -Type DWord -Value 0
41.  
42. # Disable Wi-Fi Sense
43. ##
44. Write-Host "Disabling WiFi Sense"
45.  
46. If (!(Test-Path "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting")) {
47.     New-Item -Path "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" -Force | Out-Null
48. }
49. Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" -Name "Value" -Type DWord -Value 0
50. Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" -Name "Value" -Type DWord -Value 0
51.  
52. # Enable Windows SmartScreen Filter
53. ##
54. Write-Host "Enabling Windows SmartScreen Filter"
55.  
56. Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer" -Name "SmartScreenEnabled" -Type String -Value "RequireAdmin"
57. Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\AppHost" -Name "EnableWebContentEvaluation"
58.  
59. # Raise UAC Level
60. ##
61. Write-host "Rasing UAC Level"
62.  
63. Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConcentPromptBehaviorAdmin" -Type DWord -Value 1
64. Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConcentPromptBehaviorUser" -Type DWord -Value 3
65. Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "PromptOnSecureDesktop" -Type DWord -Value 1
66.  
67. # Disable Bing Search in Start Menu
68. ##
69. Write-Host "Disabling Bing Search in Start Menu"
70.  
71. Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" -Name "BingSearchEnabled" -Type Dword -Value 0
72.  
73. # Disable Start Menu Suggestions
74. ##
75. Write-Host "Disabling Start Menu Suggestions"
76.  
77. Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" -Name "SystemPaneSuggestionsEnabled" -Type DWord -Value 0
78.  
79. # Disable Location Tracking
80. ##
81. Write-Host "Disabling Location Tracking"
82.  
83. Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" -Name "SensorPermissionState" -Type DWord -Value 0
84. Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" -Name "Status" -Type DWord -Value 0
85.  
86. # Disable Feedback
87. ##
88. Write-Host "Disabling Feedback"
89.  
90. If (!(Test-Path "HKCU:\SOFTWARE\Microsoft\Siuf\Rules")) {
91.     New-Item -Path "HKCU:\SOFTWARE\Microsoft\Siuf\Rules" -Force | Out-Null
92. }
93. Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Siuf\Rules" -Name "NumberOfSIUFInPeriod" -Type DWord -Value 0
94.  
95. # Disable Advertising ID
96. ##
97. Write-Host "Disabling Advertising ID"
98.  
99. If (!(Test-Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo")) {
100.     New-Item -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" | Out-Null
101. }
102. Set-ItemProperty "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" -Name "Enabled" -Type DWord -Value 0
103.  
104. # Disable Cortana
105. ##
106. Write-Host "Disabling Cortana"
107.  
108. If (!(Test-Path "HKCU:\SOFTWARE\Microsoft\Personalization\Settings")) {
109.     New-Item -Path "HKCU:\SOFTWARE\Microsoft\Personalization\Settings" -Force | Out-Null
110. }
111. Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Personalization\Settings" -Name "AcceptedPrivicyPolicy" -Type DWord -Value 0
112. If (!(Test-Path "HKCU:\SOFTWARE\Microsoft\InputPersonalization")) {
113.     New-Item -Path "HKCU:\SOFTWARE\Microsoft\InputPersonalization" -Force | Out-Null
114. }
115. Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\InputPersonalization" -Name "RestrictImplicitTextCollection" -Type DWord -Value 1
116. Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\InputPersonalization" -Name "RestrictImplicitInkCollection" -Type DWord -Value 1
117. If (!(Test-Path "HKCU:\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore")) {
118.     New-Item -Path "HKCU:\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" -Force | Out-Null
119. }
120. Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" -Name "HarvestContacts" -Type DWord -Value 0
121. If (!(Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search")) {
122.     New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search" -Force | Out-Null
123. }
124. New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search" -Name "AllowCortana" -PropertyType DWord -Value 0 -Force | Out-Null
125.  
126. # Restrict Windows Update to Internet Download only
127. ##
128. Write-Host "Restricting Windows Update to Internet Download only"
129.  
130. Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" -Name "DODownloadMode" -Type DWord -Value 0
131. If (!(Test-Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization")) {
132.     New-Item -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization" | Out-Null
133. }
134. Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization" -Name "SystemSettingsDownloadMode" -Type DWord -Value 0
135.  
136. # Remove AutoLogger and restrict directory
137. ##
138. Write-Host "Removing AutoLogger and restrict directoy"
139.  
140. $autoLoggerDir = "$env:PROGRAMDATA\Microsoft\Diagnosis\ETLLogs\AutoLogger"
141. If (Test-Path "$autoLoggerDir\AutoLogger-Diagtrack-Listener.etl") {
142.     Remove-Item "$autoLoggerDir\AutoLogger-Diagtrack-Listener.etl"
143. }
144. icacls $autoLoggerDir /deny SYSTEM:`(OI`)`(CI`)F | Out-Null
145.  
146. # Stop and disable Diagnostics Tracking
147. ##
148. Write-Host "Disabling Diagnostics Tracking"
149.  
150. Stop-Service "DiagTrack"
151. Set-Service "DiagTrack" -StartupType Disabled
152.  
153. # Stop and disable WAP Push Service
154. ##
155. Write-Host "Disabling WAP Push Service"
156.  
157. Stop-Service "dmwappushservice"
158. Set-Service "dmwappushservice" -StartupType Disabled
159.  
160. # Disable Microsoft Suggested Apps
161. ##
162. Write-Host "Disabling Microsoft Suggested Apps"
163.  
164. Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" -Name "SystemPaneSuggestionsEnabled" -Type DWord -Value 0
165.  
166. # Disable Windows Tips and Feedback
167. ##
168. Write-Host "Disabling Windows Tips and feedback"
169.  
170. Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" -Name "SoftLandingEnabled" -Type DWord -Value 0
171.  
172. # Disable Windows Lockscreen Spotlight
173. ##
174. #Write-host "Disabling Windows Lockscreen Spotlight"
175.  
176. #Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" -Name "RotatingLockScreenEnabled" -Type DWord -Value 0
177.  
178. # Enable Windows Powershell remoting without domain
179. ##
180. Write-Host "Enabling Windows Powershell remoting without domain"
181.  
182. Set-item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force
183.  
184. ##
185. # Service Tasks
186. ##
187.  
188. Write-Host
189. Write-Host "##"
190. Write-Host "# Modifing Service Tasks #"
191. Write-Host "##"
192. Write-Host
193.  
194. # Enable Firewall
195. ##
196. Write-Host "Enabling Windows Firewall"
197.  
198. Set-NetFirewallProfile -Profile * -Enabled True
199.  
200. # Configure Windows Defender
201. ##
202.  
203. Write-Host "Configuring Windows Defender"
204.  
205. Set-MpPreference -CheckForSignaturesBeforeRunningScan $True
206. Set-MpPreference -DisableArchiveScanning $False
207. Set-MpPreference -DisableBehaviorMonitoring $False
208. Set-MpPreference -DisableBlockAtFirstSeen $False
209. Set-MpPreference -DisableEmailScanning $False
210. Set-MpPreference -DisableIOAVProtection $False
211. Set-MpPreference -DisableIntrusionPreventionSystem $False
212. Set-MpPreference -DisableRealtimeMonitoring $False
213. Set-MpPreference -DisableRemovableDriveScanning $False
214. Set-MpPreference -DisableScriptScanning $False
215. Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan $True
216. Set-MpPreference -DisableScanningNetworkFiles $True
217. Set-MpPreference -HighThreatDefaultAction Quarantine
218. Set-MpPreference -LowThreatDefaultAction Quarantine
219. Set-MpPreference -MAPSReporting Advanced
220. Set-MpPreference -ModerateThreatDefaultAction Quarantine
221. Set-MpPreference -PUAProtection Enabled
222. Set-MpPreference -RealTimeScanDirection Both
223. Set-MpPreference -ScanParameters QuickScan
224. Set-MpPreference -ScanScheduleDay Everyday
225. Set-MpPreference -SevereThreatDefaultAction Quarantine
226. Set-MpPreference -SignatureScheduleDay Everyday
227. Set-MpPreference -SignatureScheduleTime 60
228. Set-MpPreference -SubmitSamplesConsent Always
229. Set-MpPreference -UnknownThreatDefaultAction Quarantine
230.  
231. Get-MpPreference >> C:\WindowsDefenderSettings.txt
232.  
233. # Disable Windows Update Automatic restart
234. ##
235. Write-Host "Disabling Window Update Automatic restart"
236.  
237. Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" -Name "UxOption" -Type DWord -Value 1
238.  
239. # Stop and disable Home Group services
240. ##
241. Write-Host "Disabling Home Group services"
242.  
243. Stop-Service "HomeGroupListener"
244. Set-Service "HomeGroupListener" -StartupType Disabled
245. Stop-Service "HomeGroupProvider"
246. Set-Service "HomeGroupProvider" -StartupType Disabled
247.  
248. # Disable Lock Screen (Anniversary Update workaround)
249. ##
250. Write-Host "Disabling Lock Screen (Anniversary Update workaround)"
251.  
252. If ([System.Environment]::OSVersion.Build -gt 14392) {
253.        $service = New-Object -com Schedule.Service
254.        $service.Connect()
255.        $task = $service.NewTask(0)
256.        $task.Settings.DisallowStartIfOnBatteries = $False
257.        $trigger = $task.Triggers.Create(9)
258.        $trigger = $task.Triggers.Create(11)
259.        $trigger.StateChange = 8
260.        $action = $task.Actions.Create(0)
261.        $action.Path = "reg.exe"
262.        $action.Arguments = "add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData /t REG_DWORD /v AllowLockScreen /d 0 /f"
263.        $service.GetFolder("\").RegisterTaskDevinition("Disable LockScreen", $task, 6, "NT AUTHORITY\SYSTEM", $null, 4) | Out-Null
264. }
265.  
266. ##
267. # Remove Unwanted Applications
268. ##
269.  
270. Write-Host
271. Write-Host "##"
272. Write-Host "# Removing Unwanted Applications #"
273. Write-Host "##"
274. Write-Host
275.  
276. # Remove OneDrive
277. ##
278. Write-Host "Removing OneDrive"
279.  
280. Stop-Process -Name OneDrive -ErrorAction SilentlyContinue
281. Start-Sleep -s 3
282. $oneDrive = "$env:SYSTEMROOT\SysWOW64\OneDriveSetup.exe"
283. If (!(Test-Path $oneDrive)) {
284.     $oneDrive = "$env:SYSTEMROOT\System32\OneDriveSetup.exe"
285. }
286. Start-Process $oneDrive "/uninstall" -NoNewWindow -Wait
287. Start-Sleep -s 3
288. Stop-Process -Name Explorer -ErrorAction SilentlyContinue
289. Start-Sleep -s 3
290. Remove-Item "$env:USERPROFILE\OneDrive" -Force -Recurse -ErrorAction SilentlyContinue
291. Remove-Item "$env:LOCAPAPPDATA\Microsoft\OneDrive" -Force -Recurse -ErrorAction SilentlyContinue
292. Remove-Item "$env:PROGRAMDATA\Microsoft\Microsoft Onedrive" -Force -Recurse -ErrorAction SilentlyContinue
293. If (Test-Path "$env:SYSTEMDRIVE\OneDriveTemp") {
294.     Remove-item "$env:SYSTEMDRIVE\OneDriveTemp" -Force -Recurse -ErrorAction SilentlyContinue
295. }
296. If (!(Test-Path "HKCR:")) {
297.     New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
298. }
299. Remove-Item -Path "HKCR:\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" -Recurse -ErrorAction SilentlyContinue
300. Remove-Item -Path "HKCR:\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" -Recurse -ErrorAction SilentlyContinue
301.  
302. # Remove OneDrive ads being displayed in Explorer (Creators Update)
303. ##
304. Write-Host "Removing OneDrive ads being displayed in Explorer (Creators Update)"
305.  
306. New-ItemProperty -Path HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ -name ShowSyncProviderNotifications -Value 0
307.  
308. # Remove Default bloatware
309. ##
310. Write-Host "Removing default bloatware"
311.  
312. Write-Host "Removing BingWeather"
313. Get-AppxPackage *BingWeather* | Remove-AppxPackage
314.  
315. Write-Host "Removing WindowsMaps"
316. Get-AppxPackage *WindowsMaps* | Remove-AppxPackage
317.  
318. Write-Host "Removing OneConnect"
319. Get-AppxPackage *OneConnect* | Remove-AppxPackage
320.  
321. Write-Host "Removing Messaging"
322. Get-AppxPackage *Messaging* | Remove-AppxPackage
323.  
324. Write-Host "Removing 3DBuilder"
325. Get-AppxPackage *3DBuilder* | Remove-AppxPackage
326.  
327. Write-Host "Removing MiracastView"
328. Get-AppxPackage *MiracastView* | Remove-AppxPackage
329.  
330. Write-Host "Removing ContactSupport"
331. Get-AppxPackage *ContactSupport* | Remove-AppxPackage
332.  
333. Write-Host "Removing WindowsFeedbackHub"
334. Get-AppxPackage *WindowsFeedbackHub* | Remove-AppxPackage
335.  
336. Write-Host "Removing WindowsCamera"
337. Get-AppxPackage *WindowsCamera* | Remove-AppxPackage
338.  
339. Write-Host "Removing GetStarted"
340. Get-AppxPackage *GetStarted* | Remove-AppxPackage
341.  
342. Write-Host "Removing ZuneVideo"
343. Get-AppxPackage *ZuneVideo* | Remove-AppxPackage
344.  
345. Write-Host "Removing Twitter"
346. Get-AppxPackage *Twitter* | Remove-AppxPackage
347.  
348. Write-Host "Removing Netflix"
349. Get-AppxPackage *Netflix* | Remove-AppxPackage
350.  
351. Write-Host "Removing People"
352. Get-AppxPackage *People* | Remove-AppxPackage
353.  
354. Write-Host "Removing ZuneMusic"
355. Get-AppxPackage *ZuneMusic* | Remove-AppxPackage
356.  
357. Write-Host "Removing SkypeApp"
358. Get-AppxPackage *SkypeApp* | Remove-AppxPackage
359.  
360. Write-Host "Removing WindowsSoundRecorder"
361. Get-AppxPackage *WindowsSoundRecorder* | Remove-AppxPackage
362.  
363. Write-Host "Removing MicrosoftStickyNotes"
364. Get-AppxPackage *MicrosoftStickyNotes* | Remove-AppxPackage
365.  
366. Write-Host "Removing WindowsAlarms"
367. Get-AppxPackage *WindowsAlarms* | Remove-AppxPackage
368.  
369. Write-Host "Removing OneNote"
370. Get-AppxPackage *OneNote* | Remove-AppxPackage
371.  
372. Write-Host "Removing MicrosoftOfficeHub"
373. Get-AppxPackage *MicrosoftOfficeHub* | Remove-AppxPackage
374.  
375. Write-Host "Removing OneNote"
376. Get-AppxPackage *Office.OneNote* | Remove-AppxPackage
377.  
378. Write-Host "Removing MicrosoftSolitaireCollection"
379. Get-AppxPackage *MicrosoftSolitaireCollection* | Remove-AppxPackage
380.  
381. Write-host "Removing Facebook"
382. Get-AppxPackage *Facebook* | Remove-AppxPackage
383.  
384. Write-host "Removing Minecraft"
385. Get-AppxPackage *Minecraft* | Remove-AppxPackage
386.  
387. Write-Host "Removing CandyCrush"
388. Get-AppxPackage *CandyCrush* | Remove-AppxPackage
389.  
390. ##
391. # Windows End-of-script tasks
392. ##
393.  
394. Write-Host
395. Write-Host "##"
396. Write-Host "# End-of-script tasks #"
397. Write-Host "##"
398. Write-Host
399.  
400. # Enable boot menu
401. ##
402. Write-Host "Enabling boot menu"
403.  
404. bcdedit --% /set {bootmgr} displaybootmenu true
405. bcdedit --% /set {bootmgr} timeout 7
406.  
407. # Restart
408. ##
409. Write-Host
410. Write-Host "Press any key to restart your system..." -ForegroundColor Black -BackgroundColor White
411. $key = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
412. Write-Host "Restarting..."
413. Restart-Computer