Windows 10 Security/Hardening Powershell Script 4.0

##########
# Win10 Initial Setup Script
# Author: Disassembler <[email protected]>
# Edited by Gr1D:
# dasm's script: https://github.com/Disassembler0/Win10-Initial-Setup-Script/

# THIS IS VERSION 4.0, error suppression is turned on. Debugging needs to be completed in add-appxpackage and Onedrive uninstall sections.
# This script leaves more MS defaults on, including MSE and smart-screen,
# but blocks a ton of domains and disables remote assistance secures java, sets up ipsec..
# (please set your own key - SEE BELOW A FEW LINES) and disables SSL. Even changes your mac. To disable skynet turn off smartscreen and antivirus.

# NOTE: READ THIS SCRIPT CAREFULLY BEFORE RUNNING IT. ADJUST COMMENTS AS APPROPRIATE.
# This script will reboot your machine when completed.
# Setting up a new machine? See http://ninite.com (for devs, http://chocolatey.org)
##########

# Ask for elevated permissions if required

$ErrorActionPreference= 'silentlycontinue'

If (!([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")) {
    Start-Process powershell.exe "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`"" -Verb RunAs
    Exit
}


#
# PLEASE EDIT THE BELOW LINE TO SET YOUR IPSEC PASSWORD (This may be randomly generated in the future)
$ThePreSharedKey = 'PasswordCHANGEME'

##########
# Privacy Settings
##########

# Disable Telemetry
# Disable Telemetry
Write-Host "Disabling Telemetry..."
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" -Name "AllowTelemetry" -Type DWord -Value 0
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Name "AllowTelemetry" -Type DWord -Value 0
Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection" -Name "AllowTelemetry" -Type DWord -Value 0

# Enable Telemetry
# Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" -Name "AllowTelemetry" -Type DWord -Value 3
# Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Name "AllowTelemetry" -Type DWord -Value 3
# Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection" -Name "AllowTelemetry" -Type DWord -Value 3

# Disable Wi-Fi Sense
Write-Host "Disabling Wi-Fi Sense..."
If (!(Test-Path "HKLM:\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting")) {
    New-Item -Path "HKLM:\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" -Force | Out-Null
}
Set-ItemProperty -Path "HKLM:\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" -Name "Value" -Type DWord -Value 0
Set-ItemProperty -Path "HKLM:\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" -Name "Value" -Type DWord -Value 0

# Enable Wi-Fi Sense
# Set-ItemProperty -Path "HKLM:\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" -Name "Value" -Type DWord -Value 1
# Set-ItemProperty -Path "HKLM:\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" -Name "Value" -Type DWord -Value 1

# Disable SmartScreen Filter
# Write-Host "Disabling SmartScreen Filter..."
# Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer" -Name "SmartScreenEnabled" -Type String -Value "Off"
# Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\AppHost" -Name "EnableWebContentEvaluation" -Type DWord -Value 0

# Enable SmartScreen Filter
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer" -Name "SmartScreenEnabled" -Type String -Value "RequireAdmin"
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\AppHost" -Name "EnableWebContentEvaluation"

# Disable Bing Search in Start Menu
Write-Host "Disabling Bing Search in Start Menu..."
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Search" -Name "BingSearchEnabled" -Type DWord -Value 0

# Enable Bing Search in Start Menu
# Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Search" -Name "BingSearchEnabled"

# Disable Start Menu suggestions
Write-Host "Disabling Start Menu suggestions..."
Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" -Name "SystemPaneSuggestionsEnabled" -Type DWord -Value 0

# Enable Start Menu suggestions
# Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" -Name "SystemPaneSuggestionsEnabled" -Type DWord -Value 1

# Disable Location Tracking
Write-Host "Disabling Location Tracking..."
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" -Name "SensorPermissionState" -Type DWord -Value 0
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\lfsvc\Service\Configuration" -Name "Status" -Type DWord -Value 0

# Enable Location Tracking
# Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" -Name "SensorPermissionState" -Type DWord -Value 1
# Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\lfsvc\Service\Configuration" -Name "Status" -Type DWord -Value 1

# Disable Feedback
Write-Host "Disabling Feedback..."
If (!(Test-Path "HKCU:\Software\Microsoft\Siuf\Rules")) {
    New-Item -Path "HKCU:\Software\Microsoft\Siuf\Rules" -Force | Out-Null
}
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Siuf\Rules" -Name "NumberOfSIUFInPeriod" -Type DWord -Value 0

# Enable Feedback
# Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Siuf\Rules" -Name "NumberOfSIUFInPeriod"

# Disable Advertising ID
Write-Host "Disabling Advertising ID..."
If (!(Test-Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo")) {
    New-Item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" | Out-Null
}
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" -Name "Enabled" -Type DWord -Value 0

# Enable Advertising ID
# Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" -Name "Enabled"

# Disable Cortana
Write-Host "Disabling Cortana..."
If (!(Test-Path "HKCU:\Software\Microsoft\Personalization\Settings")) {
    New-Item -Path "HKCU:\Software\Microsoft\Personalization\Settings" -Force | Out-Null
}
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Personalization\Settings" -Name "AcceptedPrivacyPolicy" -Type DWord -Value 0
If (!(Test-Path "HKCU:\Software\Microsoft\InputPersonalization")) {
    New-Item -Path "HKCU:\Software\Microsoft\InputPersonalization" -Force | Out-Null
}
Set-ItemProperty -Path "HKCU:\Software\Microsoft\InputPersonalization" -Name "RestrictImplicitTextCollection" -Type DWord -Value 1
Set-ItemProperty -Path "HKCU:\Software\Microsoft\InputPersonalization" -Name "RestrictImplicitInkCollection" -Type DWord -Value 1
If (!(Test-Path "HKCU:\Software\Microsoft\InputPersonalization\TrainedDataStore")) {
    New-Item -Path "HKCU:\Software\Microsoft\InputPersonalization\TrainedDataStore" -Force | Out-Null
}
Set-ItemProperty -Path "HKCU:\Software\Microsoft\InputPersonalization\TrainedDataStore" -Name "HarvestContacts" -Type DWord -Value 0

# Enable Cortana
# Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Personalization\Settings" -Name "AcceptedPrivacyPolicy"
# Set-ItemProperty -Path "HKCU:\Software\Microsoft\InputPersonalization" -Name "RestrictImplicitTextCollection" -Type DWord -Value 0
# Set-ItemProperty -Path "HKCU:\Software\Microsoft\InputPersonalization" -Name "RestrictImplicitInkCollection" -Type DWord -Value 0
# Remove-ItemProperty -Path "HKCU:\Software\Microsoft\InputPersonalization\TrainedDataStore" -Name "HarvestContacts"

# Restrict Windows Update P2P only to local network
Write-Host "Restricting Windows Update P2P only to local network..."
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" -Name "DODownloadMode" -Type DWord -Value 1
If (!(Test-Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization")) {
    New-Item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization" | Out-Null
}
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization" -Name "SystemSettingsDownloadMode" -Type DWord -Value 3

# Unrestrict Windows Update P2P
# Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" -Name "DODownloadMode"
# Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization" -Name "SystemSettingsDownloadMode"

# Remove AutoLogger file and restrict directory
Write-Host "Removing AutoLogger file and restricting directory..."
$autoLoggerDir = "$env:PROGRAMDATA\Microsoft\Diagnosis\ETLLogs\AutoLogger"
If (Test-Path "$autoLoggerDir\AutoLogger-Diagtrack-Listener.etl") {
    Remove-Item "$autoLoggerDir\AutoLogger-Diagtrack-Listener.etl"
}
icacls $autoLoggerDir /deny SYSTEM:`(OI`)`(CI`)F | Out-Null

# Unrestrict AutoLogger directory
# $autoLoggerDir = "$env:PROGRAMDATA\Microsoft\Diagnosis\ETLLogs\AutoLogger"
# icacls $autoLoggerDir /grant:r SYSTEM:`(OI`)`(CI`)F | Out-Null

# Stop and disable Diagnostics Tracking Service
Write-Host "Stopping and disabling Diagnostics Tracking Service..."
Stop-Service "DiagTrack"
Set-Service "DiagTrack" -StartupType Disabled

# Enable and start Diagnostics Tracking Service
# Set-Service "DiagTrack" -StartupType Automatic
# Start-Service "DiagTrack"

# Stop and disable WAP Push Service
Write-Host "Stopping and disabling WAP Push Service..."
Stop-Service "dmwappushservice"
Set-Service "dmwappushservice" -StartupType Disabled

# Enable and start WAP Push Service
# Set-Service "dmwappushservice" -StartupType Automatic
# Start-Service "dmwappushservice"
# Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\dmwappushservice" -Name "DelayedAutoStart" -Type DWord -Value 1


##########
# Service Tweaks
##########

# Lower UAC level
# Write-Host "Lowering UAC level..."
# Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Type DWord -Value 0
# Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "PromptOnSecureDesktop" -Type DWord -Value 0

# Raise UAC level
# Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Type DWord -Value 5
# Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "PromptOnSecureDesktop" -Type DWord -Value 1

# Enable sharing mapped drives between users
# Write-Host "Enabling sharing mapped drives between users..."
# Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableLinkedConnections" -Type DWord -Value 1

# Disable sharing mapped drives between users
Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableLinkedConnections"

# Disable Firewall
# Write-Host "Disabling Firewall..."
# Set-NetFirewallProfile -Profile * -Enabled False

# Enable Firewall
Set-NetFirewallProfile -Profile * -Enabled True

# Disable Windows Defender
# Write-Host "Disabling Windows Defender..."
# Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Type DWord -Value 1

# Enable Windows Defender
Remove-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware"

# Disable Windows Update automatic restart
Write-Host "Disabling Windows Update automatic restart..."
Set-ItemProperty -Path "HKLM:\Software\Microsoft\WindowsUpdate\UX\Settings" -Name "UxOption" -Type DWord -Value 1

# Enable Windows Update automatic restart
# Set-ItemProperty -Path "HKLM:\Software\Microsoft\WindowsUpdate\UX\Settings" -Name "UxOption" -Type DWord -Value 0

# Stop and disable Home Groups services
Write-Host "Stopping and disabling Home Groups services..."
Stop-Service "HomeGroupListener"
Set-Service "HomeGroupListener" -StartupType Disabled
Stop-Service "HomeGroupProvider"
Set-Service "HomeGroupProvider" -StartupType Disabled

# Enable and start Home Groups services
# Set-Service "HomeGroupListener" -StartupType Manual
# Set-Service "HomeGroupProvider" -StartupType Manual
# Start-Service "HomeGroupProvider"

# Disable Remote Assistance
Write-Host "Disabling Remote Assistance..."
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Remote Assistance" -Name "fAllowToGetHelp" -Type DWord -Value 0

# Enable Remote Assistance
# Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Remote Assistance" -Name "fAllowToGetHelp" -Type DWord -Value 1

# Enable Remote Desktop w/o Network Level Authentication
# Write-Host "Enabling Remote Desktop w/o Network Level Authentication..."
# Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Type DWord -Value 0
# Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -Type DWord -Value 0

# Disable Remote Desktop
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Type DWord -Value 1
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -Type DWord -Value 1


##########
# UI Tweaks
##########

# Disable Action Center
Write-Host "Disabling Action Center..."
If (!(Test-Path "HKCU:\Software\Policies\Microsoft\Windows\Explorer")) {
  New-Item -Path "HKCU:\Software\Policies\Microsoft\Windows\Explorer" | Out-Null
}
Set-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\Explorer" -Name "DisableNotificationCenter" -Type DWord -Value 1
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\PushNotifications" -Name "ToastEnabled" -Type DWord -Value 0

# Enable Action Center
# Remove-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\Explorer" -Name "DisableNotificationCenter"
# Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\PushNotifications" -Name "ToastEnabled"

# Disable Lock screen
# Write-Host "Disabling Lock screen..."
# If (!(Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization")) {
#   New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization" | Out-Null
# }
# Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization" -Name "NoLockScreen" -Type DWord -Value 1

# Enable Lock screen
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization" -Name "NoLockScreen"

# Disable Lock screen (Anniversary Update workaround)
#If ([System.Environment]::OSVersion.Version.Build -gt 14392) { # Apply only for Redstone 1 or newer
#   $service = New-Object -com Schedule.Service
#   $service.Connect()
#   $task = $service.NewTask(0)
#   $task.Settings.DisallowStartIfOnBatteries = $false
#   $trigger = $task.Triggers.Create(9)
#   $trigger = $task.Triggers.Create(11)
#   $trigger.StateChange = 8
#   $action = $task.Actions.Create(0)
#   $action.Path = "reg.exe"
#   $action.Arguments = "add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData /t REG_DWORD /v AllowLockScreen /d 0 /f"
#   $service.GetFolder("\").RegisterTaskDefinition("Disable LockScreen", $task, 6, "NT AUTHORITY\SYSTEM", $null, 4) | Out-Null
#}

# Enable Lock screen (Anniversary Update workaround)
#If ([System.Environment]::OSVersion.Version.Build -gt 14392) { # Apply only for Redstone 1 or newer
#   Unregister-ScheduledTask -TaskName "Disable LockScreen" -Confirm:$false -ErrorAction SilentlyContinue
#}

# Disable Autoplay
Write-Host "Disabling Autoplay..."
Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers" -Name "DisableAutoplay" -Type DWord -Value 1

# Enable Autoplay
# Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers" -Name "DisableAutoplay" -Type DWord -Value 0

# Disable Autorun for all drives
Write-Host "Disabling Autorun for all drives..."
If (!(Test-Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer")) {
  New-Item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" | Out-Null
}
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name "NoDriveTypeAutoRun" -Type DWord -Value 255

# Enable Autorun
# Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name "NoDriveTypeAutoRun"

#Disable Sticky keys prompt
Write-Host "Disabling Sticky keys prompt..."
Set-ItemProperty -Path "HKCU:\Control Panel\Accessibility\StickyKeys" -Name "Flags" -Type String -Value "506"

# Enable Sticky keys prompt
# Set-ItemProperty -Path "HKCU:\Control Panel\Accessibility\StickyKeys" -Name "Flags" -Type String -Value "510"

# Hide Search button / box
Write-Host "Hiding Search Box / Button..."
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Search" -Name "SearchboxTaskbarMode" -Type DWord -Value 0

# Show Search button / box
# Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Search" -Name "SearchboxTaskbarMode"

# Hide Task View button
# Write-Host "Hiding Task View button..."
# Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "ShowTaskViewButton" -Type DWord -Value 0

# Show Task View button
# Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "ShowTaskViewButton"

# Show small icons in taskbar
# Write-Host "Showing small icons in taskbar..."
# Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "TaskbarSmallIcons" -Type DWord -Value 1

# Show large icons in taskbar
# Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "TaskbarSmallIcons"

# Show titles in taskbar
# Write-Host "Showing titles in taskbar..."
# Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "TaskbarGlomLevel" -Type DWord -Value 1

# Hide titles in taskbar
# Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "TaskbarGlomLevel"

# Show all tray icons
# write-Host "Showing all tray icons..."
# Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer" -Name "EnableAutoTray" -Type DWord -Value 0

# Hide tray icons as needed
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer" -Name "EnableAutoTray"

# Show known file extensions
Write-Host "Showing known file extensions..."
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "HideFileExt" -Type DWord -Value 0

# Hide known file extensions
# Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "HideFileExt" -Type DWord -Value 1

# Show hidden files
Write-Host "Showing hidden files..."
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "Hidden" -Type DWord -Value 1

# Hide hidden files
# Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "Hidden" -Type DWord -Value 2

# Change default Explorer view to "Computer"
Write-Host "Changing default Explorer view to `"Computer`"..."
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "LaunchTo" -Type DWord -Value 1

# Change default Explorer view to "Quick Access"
# Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "LaunchTo"

# Show Computer shortcut on desktop
Write-Host "Showing Computer shortcut on desktop..."
If (!(Test-Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu")) {
  New-Item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu" | Out-Null
}
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu" -Name "{20D04FE0-3AEA-1069-A2D8-08002B30309D}" -Type DWord -Value 0
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" -Name "{20D04FE0-3AEA-1069-A2D8-08002B30309D}" -Type DWord -Value 0

# Hide Computer shortcut from desktop
# Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu" -Name "{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
# Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" -Name "{20D04FE0-3AEA-1069-A2D8-08002B30309D}"

# Remove Desktop icon from computer namespace
# Write-Host "Removing Desktop icon from computer namespace..."
# Remove-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}" -Recurse -ErrorAction SilentlyContinue

# Add Desktop icon to computer namespace
# New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}"

# Remove Documents icon from computer namespace
# Write-Host "Removing Documents icon from computer namespace..."
# Remove-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{d3162b92-9365-467a-956b-92703aca08af}" -Recurse -ErrorAction SilentlyContinue
# Remove-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}" -Recurse -ErrorAction SilentlyContinue

# Add Documents icon to computer namespace
# New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{d3162b92-9365-467a-956b-92703aca08af}"
# New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}"

# Remove Downloads icon from computer namespace
# Write-Host "Removing Downloads icon from computer namespace..."
# Remove-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{088e3905-0323-4b02-9826-5d99428e115f}" -Recurse -ErrorAction SilentlyContinue
# Remove-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{374DE290-123F-4565-9164-39C4925E467B}" -Recurse -ErrorAction SilentlyContinue

# Add Downloads icon to computer namespace
# New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{088e3905-0323-4b02-9826-5d99428e115f}"
# New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{374DE290-123F-4565-9164-39C4925E467B}"

# Remove Music icon from computer namespace
# Write-Host "Removing Music icon from computer namespace..."
# Remove-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{3dfdf296-dbec-4fb4-81d1-6a3438bcf4de}" -Recurse -ErrorAction SilentlyContinue
# Remove-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{1CF1260C-4DD0-4ebb-811F-33C572699FDE}" -Recurse -ErrorAction SilentlyContinue

# Add Music icon to computer namespace
# New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{3dfdf296-dbec-4fb4-81d1-6a3438bcf4de}"
# New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{1CF1260C-4DD0-4ebb-811F-33C572699FDE}"

# Remove Pictures icon from computer namespace
# Write-Host "Removing Pictures icon from computer namespace..."
# Remove-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{24ad3ad4-a569-4530-98e1-ab02f9417aa8}" -Recurse -ErrorAction SilentlyContinue
# Remove-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{3ADD1653-EB32-4cb0-BBD7-DFA0ABB5ACCA}" -Recurse -ErrorAction SilentlyContinue

# Add Pictures icon to computer namespace
# New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{24ad3ad4-a569-4530-98e1-ab02f9417aa8}"
# New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{3ADD1653-EB32-4cb0-BBD7-DFA0ABB5ACCA}"

# Remove Videos icon from computer namespace
# Write-Host "Removing Videos icon from computer namespace..."
# Remove-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{f86fa3ab-70d2-4fc7-9c99-fcbf05467f3a}" -Recurse -ErrorAction SilentlyContinue
# Remove-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{A0953C92-50DC-43bf-BE83-3742FED03C9C}" -Recurse -ErrorAction SilentlyContinue

# Add Videos icon to computer namespace
# New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{f86fa3ab-70d2-4fc7-9c99-fcbf05467f3a}"
# New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{A0953C92-50DC-43bf-BE83-3742FED03C9C}"

## Add secondary en-US keyboard
#Write-Host "Adding secondary en-US keyboard..."
#$langs = Get-WinUserLanguageList
#$langs.Add("en-US")
#Set-WinUserLanguageList $langs -Force

# Remove secondary en-US keyboard
Set-WinUserLanguageList En-US -Force


##########
# Remove unwanted applications
##########

# Disable OneDrive
Write-Host "Disabling OneDrive..."
If (!(Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive")) {
    New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive" | Out-Null
}
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive" -Name "DisableFileSyncNGSC" -Type DWord -Value 1

# Enable OneDrive
# Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive" -Name "DisableFileSyncNGSC"

# Uninstall OneDrive
Write-Host "Uninstalling OneDrive... May sometimes hang"
Stop-Process -Name OneDrive -ErrorAction SilentlyContinue
Start-Sleep -s 3
$onedrive = "$env:SYSTEMROOT\SysWOW64\OneDriveSetup.exe"
If (!(Test-Path $onedrive)) {
    $onedrive = "$env:SYSTEMROOT\System32\OneDriveSetup.exe"
}
Start-Process $onedrive "/uninstall" -NoNewWindow -Wait
Start-Sleep -s 3
Stop-Process -Name explorer -ErrorAction SilentlyContinue
Start-Sleep -s 3
Remove-Item "$env:USERPROFILE\OneDrive" -Force -Recurse -ErrorAction SilentlyContinue
Remove-Item "$env:LOCALAPPDATA\Microsoft\OneDrive" -Force -Recurse -ErrorAction SilentlyContinue
Remove-Item "$env:PROGRAMDATA\Microsoft OneDrive" -Force -Recurse -ErrorAction SilentlyContinue
If (Test-Path "$env:SYSTEMDRIVE\OneDriveTemp") {
    Remove-Item "$env:SYSTEMDRIVE\OneDriveTemp" -Force -Recurse -ErrorAction SilentlyContinue
}
If (!(Test-Path "HKCR:")) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}
Remove-Item -Path "HKCR:\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" -Recurse -ErrorAction SilentlyContinue
Remove-Item -Path "HKCR:\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" -Recurse -ErrorAction SilentlyContinue

# Install OneDrive
# $onedrive = "$env:SYSTEMROOT\SysWOW64\OneDriveSetup.exe"
# If (!(Test-Path $onedrive)) {
#   $onedrive = "$env:SYSTEMROOT\System32\OneDriveSetup.exe"
# }
# Start-Process $onedrive -NoNewWindow

# Uninstall default bloatware... Needs to be checked
Write-Host "Uninstalling default bloatware..."
Get-AppxPackage "Microsoft.3DBuilder" | Remove-AppxPackage
Get-AppxPackage "Microsoft.Advertising.Xaml" | Remove-AppxPackage
# Get-AppxPackage "Microsoft.Windows.Cortana" | Remove-AppxPackage (Remove through features)
# Get-AppxPackage "Microsoft.MicrosoftEdge" | Remove-AppxPackage (Remove through features)
Get-AppxPackage "Microsoft.Services.Store.Engagement" | Remove-AppxPackage
Get-AppxPackage "51518DarkProjekt.DarkNote" | Remove-AppxPackage
Get-AppxPackage "AFF540DC.CurrencyConverter" | Remove-AppxPackage
# Get-AppxPackage "Microsoft.XboxIdentityProvider" | Remove-AppxPackag (Cant be removed for some reason now?)
Get-AppxPackage "Microsoft.StorePurchaseApp" | Remove-AppxPackage
# Get-AppxPackage "Microsoft.WindowsStore" | Remove-AppxPackage
# Get-AppxPackage "Windows.MiracastView" | Remove-AppxPackage (Remove through features)
# Get-AppxPackage "Windows.ContactSupport" | Remove-AppxPackage (Remove through features)
# Get-AppxPackage "Microsoft.XboxGameCallableUI" | Remove-AppxPackage (Remove through features)
# Get-AppxPackage "Microsoft.Windows.SecondaryTileExperience" | Remove-AppxPackage
# Get-AppxPackage "Microsoft.Windows.ParentalControls" | Remove-AppxPackage (Remove through features)
Get-AppxPackage "Microsoft.BingFinance" | Remove-AppxPackage
# Get-AppxPackage "Microsoft.BingNews" | Remove-AppxPackage
Get-AppxPackage "Microsoft.BingSports" | Remove-AppxPackage
Get-AppxPackage "Microsoft.BingWeather" | Remove-AppxPackage
Get-AppxPackage "Microsoft.Getstarted" | Remove-AppxPackage
Get-AppxPackage "Microsoft.MicrosoftOfficeHub" | Remove-AppxPackage
Get-AppxPackage "Microsoft.MicrosoftSolitaireCollection" | Remove-AppxPackage
Get-AppxPackage "Microsoft.Office.OneNote" | Remove-AppxPackage
Get-AppxPackage "Microsoft.People" | Remove-AppxPackage
Get-AppxPackage "Microsoft.SkypeApp" | Remove-AppxPackage
# Get-AppxPackage "Microsoft.Windows.Photos" | Remove-AppxPackage
Get-AppxPackage "Microsoft.WindowsAlarms" | Remove-AppxPackage
Get-AppxPackage "Microsoft.WindowsCamera" | Remove-AppxPackage
# Get-AppxPackage "microsoft.windowscommunicationsapps" | Remove-AppxPackage (This is windows Mail)
Get-AppxPackage "Microsoft.WindowsMaps" | Remove-AppxPackage
Get-AppxPackage "Microsoft.WindowsPhone" | Remove-AppxPackage
Get-AppxPackage "Microsoft.WindowsSoundRecorder" | Remove-AppxPackage
Get-AppxPackage "Microsoft.XboxApp" | Remove-AppxPackage
Get-AppxPackage "Microsoft.ZuneMusic" | Remove-AppxPackage
Get-AppxPackage "Microsoft.ZuneVideo" | Remove-AppxPackage
Get-AppxPackage "Microsoft.AppConnector" | Remove-AppxPackage
Get-AppxPackage "Microsoft.ConnectivityStore" | Remove-AppxPackage
Get-AppxPackage "Microsoft.Office.Sway" | Remove-AppxPackage
Get-AppxPackage "Microsoft.Messaging" | Remove-AppxPackage
Get-AppxPackage "Microsoft.CommsPhone" | Remove-AppxPackage
Get-AppxPackage "9E2F88E3.Twitter" | Remove-AppxPackage
Get-AppxPackage "king.com.CandyCrushSodaSaga" | Remove-AppxPackage
Get-AppxPackage "4DF9E0F8.Netflix" | Remove-AppxPackage
Get-AppxPackage "Drawboard.DrawboardPDF" | Remove-AppxPackage
# Get-AppxPackage "Microsoft.MicrosoftStickyNotes" | Remove-AppxPackage
Get-AppxPackage "Microsoft.OneConnect" | Remove-AppxPackage
Get-AppxPackage "D52A8D61.FarmVille2CountryEscape" | Remove-AppxPackage
Get-AppxPackage "GAMELOFTSA.Asphalt8Airborne" | Remove-AppxPackage
Get-AppxPackage "Microsoft.WindowsFeedbackHub" | Remove-AppxPackage

# Install default Microsoft applications..
Write-Host "Needs to be checked... Installing packages"
# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.3DBuilder").InstallLocation)\AppXManifest.xml"
# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.BingFinance").InstallLocation)\AppXManifest.xml"
Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.BingNews").InstallLocation)\AppXManifest.xml"
# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.BingSports").InstallLocation)\AppXManifest.xml"
# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.BingWeather").InstallLocation)\AppXManifest.xml"
# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.Getstarted").InstallLocation)\AppXManifest.xml"
# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.MicrosoftOfficeHub").InstallLocation)\AppXManifest.xml"
# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.MicrosoftSolitaireCollection").InstallLocation)\AppXManifest.xml"
# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.Office.OneNote").InstallLocation)\AppXManifest.xml"
# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.People").InstallLocation)\AppXManifest.xml"
# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.SkypeApp").InstallLocation)\AppXManifest.xml"
# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.Windows.Photos").InstallLocation)\AppXManifest.xml"
# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.WindowsAlarms").InstallLocation)\AppXManifest.xml"
# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.WindowsCamera").InstallLocation)\AppXManifest.xml"
Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.windowscommunicationsapps").InstallLocation)\AppXManifest.xml"
# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.WindowsMaps").InstallLocation)\AppXManifest.xml"
# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.WindowsPhone").InstallLocation)\AppXManifest.xml"
# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.WindowsSoundRecorder").InstallLocation)\AppXManifest.xml"
# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.XboxApp").InstallLocation)\AppXManifest.xml"
# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.ZuneMusic").InstallLocation)\AppXManifest.xml"
# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.ZuneVideo").InstallLocation)\AppXManifest.xml"
# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.AppConnector").InstallLocation)\AppXManifest.xml"
# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.ConnectivityStore").InstallLocation)\AppXManifest.xml"
# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.Office.Sway").InstallLocation)\AppXManifest.xml"
# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.Messaging").InstallLocation)\AppXManifest.xml"
# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.CommsPhone").InstallLocation)\AppXManifest.xml"
# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "9E2F88E3.Twitter").InstallLocation)\AppXManifest.xml"
# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "king.com.CandyCrushSodaSaga").InstallLocation)\AppXManifest.xml"
# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "4DF9E0F8.Netflix").InstallLocation)\AppXManifest.xml"
# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Drawboard.DrawboardPDF").InstallLocation)\AppXManifest.xml"
Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.MicrosoftStickyNotes").InstallLocation)\AppXManifest.xml"
# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.OneConnect").InstallLocation)\AppXManifest.xml"
# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "D52A8D61.FarmVille2CountryEscape").InstallLocation)\AppXManifest.xml"
# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "GAMELOFTSA.Asphalt8Airborne").InstallLocation)\AppXManifest.xml"
# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.WindowsFeedbackHub").InstallLocation)\AppXManifest.xml"
# In case you have removed them for good, you can try to restore the files using installation medium as follows
# New-Item C:\Mnt -Type Directory | Out-Null
# dism /Mount-Image /ImageFile:D:\sources\install.wim /index:1 /ReadOnly /MountDir:C:\Mnt
# robocopy /S /SEC /R:0 "C:\Mnt\Program Files\WindowsApps" "C:\Program Files\WindowsApps"
# dism /Unmount-Image /Discard /MountDir:C:\Mnt
# Remove-Item -Path C:\Mnt -Recurse

# Disable Xbox DVR
# New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\GameDVR" | Out-Null (fix this)
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\GameDVR" -Name "AllowGameDVR" -Type DWord -Value 0

# Enable Xbox DVR
# New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\GameDVR" | Out-Null
# Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\GameDVR" -Name "AllowGameDVR" -ErrorAction SilentlyContinue

# Uninstall Windows Media Player
# Write-Host "Uninstalling Windows Media Player..."
# dism /online /Disable-Feature /FeatureName:MediaPlayback /Quiet /NoRestart

# Install Windows Media Player
# dism /online /Enable-Feature /FeatureName:MediaPlayback /Quiet /NoRestart

# Uninstall Work Folders Client
Write-Host "Uninstalling Work Folders Client..."
dism /online /Disable-Feature /FeatureName:WorkFolders-Client /Quiet /NoRestart

# Install Work Folders Client
# dism /online /Enable-Feature /FeatureName:WorkFolders-Client /Quiet /NoRestart

# Set Photo Viewer as default for bmp, gif, jpg and png
Write-Host "Setting Photo Viewer as default for bmp, gif, jpg, png and tif..."
If (!(Test-Path "HKCR:")) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}
ForEach ($type in @("Paint.Picture", "giffile", "jpegfile", "pngfile")) {
    New-Item -Path $("HKCR:\$type\shell\open") -Force | Out-Null
    New-Item -Path $("HKCR:\$type\shell\open\command") | Out-Null
    Set-ItemProperty -Path $("HKCR:\$type\shell\open") -Name "MuiVerb" -Type ExpandString -Value "@%ProgramFiles%\Windows Photo Viewer\photoviewer.dll,-3043"
    Set-ItemProperty -Path $("HKCR:\$type\shell\open\command") -Name "(Default)" -Type ExpandString -Value "%SystemRoot%\System32\rundll32.exe `"%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll`", ImageView_Fullscreen %1"
}

# Remove or reset default open action for bmp, gif, jpg and png
If (!(Test-Path "HKCR:")) {
  New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}
Remove-Item -Path "HKCR:\Paint.Picture\shell\open" -Recurse
Remove-ItemProperty -Path "HKCR:\giffile\shell\open" -Name "MuiVerb"
Set-ItemProperty -Path "HKCR:\giffile\shell\open" -Name "CommandId" -Type String -Value "IE.File"
Set-ItemProperty -Path "HKCR:\giffile\shell\open\command" -Name "(Default)" -Type String -Value "`"$env:SystemDrive\Program Files\Internet Explorer\iexplore.exe`" %1"
Set-ItemProperty -Path "HKCR:\giffile\shell\open\command" -Name "DelegateExecute" -Type String -Value "{17FE9752-0B5A-4665-84CD-569794602F5C}"
Remove-Item -Path "HKCR:\jpegfile\shell\open" -Recurse
Remove-Item -Path "HKCR:\pngfile\shell\open" -Recurse

# Show Photo Viewer in "Open with..."
Write-Host "Showing Photo Viewer in `"Open with...`""
If (!(Test-Path "HKCR:")) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}
New-Item -Path "HKCR:\Applications\photoviewer.dll\shell\open\command" -Force | Out-Null
New-Item -Path "HKCR:\Applications\photoviewer.dll\shell\open\DropTarget" -Force | Out-Null
Set-ItemProperty -Path "HKCR:\Applications\photoviewer.dll\shell\open" -Name "MuiVerb" -Type String -Value "@photoviewer.dll,-3043"
Set-ItemProperty -Path "HKCR:\Applications\photoviewer.dll\shell\open\command" -Name "(Default)" -Type ExpandString -Value "%SystemRoot%\System32\rundll32.exe `"%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll`", ImageView_Fullscreen %1"
Set-ItemProperty -Path "HKCR:\Applications\photoviewer.dll\shell\open\DropTarget" -Name "Clsid" -Type String -Value "{FFE2A43C-56B9-4bf5-9A79-CC6D4285608A}"

# Remove Photo Viewer from "Open with..."
# If (!(Test-Path "HKCR:")) {
#   New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
# }
# Remove-Item -Path "HKCR:\Applications\photoviewer.dll\shell\open" -Recurse

# Enable F8 boot menu options
# Write-Host "Enabling F8 boot menu options..."
# bcdedit /set `{current`} bootmenupolicy Legacy | Out-Null

# Disable F8 boot menu options
# bcdedit /set `{current`} bootmenupolicy Standard | Out-Null

# Install Powershell man pages locally (low priority, uses bandwidth)
# Update-Help

# Install Packages to edit Hosts file.
Write-Host "Installing PsHosts CMDlet to edit hosts file. Please be Patient. This may be slow sometimes buggy"
install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force

Write-Host "Seting up Repository"
Set-PSRepository -Name "PSGallery" -InstallationPolicy Trusted

Write-Host "Installing PSHosts Module"
install-module PsHosts

Write-Host "Importing PSHosts Module"
import-module PsHosts

# Hosts to block are below
Write-Host "Editing Hosts File..."

# Clean old Hosts file
Remove-HostEntry *

# Add Hosts Entries
Add-HostEntry vortex.data.microsoft.com 127.0.0.1
Add-HostEntry vortex-win.data.microsoft.com 127.0.0.1
Add-HostEntry telecommand.telemetry.microsoft.com 127.0.0.1
Add-HostEntry telecommand.telemetry.microsoft.com.nsatc.net 127.0.0.1
Add-HostEntry oca.telemetry.microsoft.com 127.0.0.1
Add-HostEntry oca.telemetry.microsoft.com.nsatc.net 127.0.0.1
Add-HostEntry sqm.telemetry.microsoft.com 127.0.0.1
Add-HostEntry sqm.telemetry.microsoft.com.nsatc.net 127.0.0.1
Add-HostEntry watson.telemetry.microsoft.com 127.0.0.1
Add-HostEntry watson.telemetry.microsoft.com.nsatc.net 127.0.0.1
Add-HostEntry redir.metaservices.microsoft.com 127.0.0.1
Add-HostEntry choice.microsoft.com 127.0.0.1
Add-HostEntry choice.microsoft.com.nsatc.net 127.0.0.1
Add-HostEntry df.telemetry.microsoft.com 127.0.0.1
Add-HostEntry reports.wes.df.telemetry.microsoft.com 127.0.0.1
Add-HostEntry wes.df.telemetry.microsoft.com 127.0.0.1
Add-HostEntry services.wes.df.telemetry.microsoft.com 127.0.0.1
Add-HostEntry sqm.df.telemetry.microsoft.com 127.0.0.1
Add-HostEntry telemetry.microsoft.com 127.0.0.1
Add-HostEntry watson.ppe.telemetry.microsoft.com 127.0.0.1
Add-HostEntry telemetry.appex.bing.net 127.0.0.1
Add-HostEntry telemetry.urs.microsoft.com 127.0.0.1
Add-HostEntry telemetry.appex.bing.net:443 127.0.0.1
Add-HostEntry settings-sandbox.data.microsoft.com 127.0.0.1
Add-HostEntry vortex-sandbox.data.microsoft.com 127.0.0.1
Add-HostEntry survey.watson.microsoft.com 127.0.0.1
Add-HostEntry watson.live.com 127.0.0.1
Add-HostEntry watson.microsoft.com 127.0.0.1
Add-HostEntry statsfe2.ws.microsoft.com 127.0.0.1
Add-HostEntry corpext.msitadfs.glbdns2.microsoft.com 127.0.0.1
Add-HostEntry compatexchange.buttapp.net 127.0.0.1
Add-HostEntry cs1.wpc.v0cdn.net 127.0.0.1
Add-HostEntry a-0001.a-msedge.net 127.0.0.1
Add-HostEntry statsfe2.update.microsoft.com.akadns.net 127.0.0.1
Add-HostEntry sls.update.microsoft.com.akadns.net 127.0.0.1
Add-HostEntry fe2.update.microsoft.com.akadns.net 127.0.0.1
Add-HostEntry diagnostics.support.microsoft.com 127.0.0.1
Add-HostEntry corp.sts.microsoft.com 127.0.0.1
Add-HostEntry statsfe1.ws.microsoft.com 127.0.0.1
Add-HostEntry pre.footprintpredict.com 127.0.0.1
Add-HostEntry i1.services.social.microsoft.com 127.0.0.1
Add-HostEntry i1.services.social.microsoft.com.nsatc.net 127.0.0.1
Add-HostEntry feedback.windows.com 127.0.0.1
Add-HostEntry feedback.microsoft-hohm.com 127.0.0.1
Add-HostEntry feedback.search.microsoft.com 127.0.0.1
Add-HostEntry ad.doubleclick.net 127.0.0.1
Add-HostEntry ads.msn.com 127.0.0.1
Add-HostEntry ads1.msads.net 127.0.0.1
Add-HostEntry ads1.msn.com 127.0.0.1
Add-HostEntry a.ads1.msn.com 127.0.0.1
Add-HostEntry a.ads2.msn.com 127.0.0.1
Add-HostEntry adnexus.net 127.0.0.1
Add-HostEntry adnxs.com 127.0.0.1
Add-HostEntry aidps.atdmt.com 127.0.0.1
Add-HostEntry apps.skype.com 127.0.0.1
Add-HostEntry az361816.vo.msecnd.net 127.0.0.1
Add-HostEntry az512334.vo.msecnd.net 127.0.0.1
Add-HostEntry a.rad.msn.com 127.0.0.1
Add-HostEntry a.ads2.msads.net 127.0.0.1
Add-HostEntry ac3.msn.com 127.0.0.1
Add-HostEntry aka-cdn-ns.adtech.de 127.0.0.1
Add-HostEntry b.rad.msn.com 127.0.0.1
Add-HostEntry b.ads2.msads.net 127.0.0.1
Add-HostEntry b.ads1.msn.com 127.0.0.1
Add-HostEntry bs.serving-sys.com 127.0.0.1
Add-HostEntry c.msn.com 127.0.0.1
Add-HostEntry cdn.atdmt.com 127.0.0.1
Add-HostEntry cds26.ams9.msecn.net 127.0.0.1
Add-HostEntry c.atdmt.com 127.0.0.1
Add-HostEntry db3aqu.atdmt.com 127.0.0.1
Add-HostEntry ec.atdmt.com 127.0.0.1
Add-HostEntry flex.msn.com 127.0.0.1
Add-HostEntry g.msn.com 127.0.0.1
Add-HostEntry h2.msn.com 127.0.0.1
Add-HostEntry h1.msn.com 127.0.0.1
Add-HostEntry live.rads.msn.com 127.0.0.1
Add-HostEntry msntest.serving-sys.com 127.0.0.1
Add-HostEntry m.adnxs.com 127.0.0.1
Add-HostEntry m.hotmail.com 127.0.0.1
Add-HostEntry preview.msn.com 127.0.0.1
Add-HostEntry pricelist.skype.com 127.0.0.1
Add-HostEntry rad.msn.com 127.0.0.1
Add-HostEntry rad.live.com 127.0.0.1
Add-HostEntry secure.flashtalking.com 127.0.0.1
Add-HostEntry static.2mdn.net 127.0.0.1
Add-HostEntry s.gateway.messenger.live.com 127.0.0.1
Add-HostEntry secure.adnxs.com 127.0.0.1
Add-HostEntry sO.2mdn.net 127.0.0.1
Add-HostEntry ui.skype.com 127.0.0.1
Add-HostEntry view.atdmt.com 127.0.0.1
# The Below two domains may impact your network connectivity detection.
Add-HostEntry www.msftncsi.com 127.0.0.1
Add-HostEntry msftncsi.com 127.0.0.1


# Edit Group Policy to set Chrome settings that cannot be set through registry.
# Refer to https://www.powershellgallery.com/packages/PolicyFileEditor/2.0.2
Write-Host "Installing PolicyFileEditor Module"
Install-Module -Name PolicyFileEditor

Write-Host "Importing PolicyFileEditor Module"
import-module -Name PolicyFileEditor

Write-Host "Setting Chrome Settings.. The Below is experimental still."

$MachineDir = "$env:windir\system32\GroupPolicy\Machine\registry.pol"
$RegPath = 'Software\Policies\Google\Chrome'
$RegName = 'AutoFillEnabled'
$RegData = '0'
$RegType = 'DWord'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'
$RegName = 'HomepageLocation'
$RegData = 'https://www.google.com'
$RegType = 'String'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'
$RegName = 'ProxyServerMode'
$RegData = '0'
$RegType = 'DWord'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'
$RegName = 'SafeBrowsingEnabled'
$RegData = '1'
$RegType = 'DWord'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'
$RegName = 'SavingBrowserHistoryDisabled'
$RegData = '0'
$RegType = 'DWord'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'
$RegName = 'SearchSuggestEnabled'
$RegData = '0'
$RegType = 'DWord'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'
$RegName = 'SyncDisabled'
$RegData = '1'
$RegType = 'DWord'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'
$RegName = 'MetricsReportingEnabled'
$RegData = '0'
$RegType = 'DWord'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

# Use * to disable all plugins in place of DISABLEDPLUGINID
# To add more than one disabled plugin, copy the 5 lines below and mark the regname as 2..3..4..5 and so on after re-pasting.
$RegPath = 'Software\Policies\Google\Chrome\DisabledPlugins'
$RegName = '1'
$RegData = 'DISABLEDPLUGINID'
$RegType = 'String'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

# Use * to disable all extensions in place of DISABLEDEXTENSIONID
# To add more than one disabled extension, copy the 5 lines below and mark the regname as 2..3..4..5 and so on after re-pasting.
$RegPath = 'Software\Policies\Google\Chrome\ExtensionInstallBlacklist'
$RegName = '1'
$RegData = 'DISABLEDEXTENSIONID'
$RegType = 'String'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

# Use * to ENABLE all extensions in place of ENABLEDEXTENSIONID
# To add more than one enabled extension, copy the 5 lines below and mark the regname as 2..3..4..5 and so on after re-pasting.
$RegPath = 'Software\Policies\Google\Chrome\ExtensionInstallWhitelist'
$RegName = '1'
$RegData = 'ENABLEDEXTENSIONID'
$RegType = 'String'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

# Use the below to blacklist URLs in chrome. You could probably use * to blacklist everything.
# To add more than one URL, copy the 5 lines below and append regname with the next number in the list.. 2..3..4..5 and so on.
$RegPath = 'Software\Policies\Google\Chrome\URLBlacklist'
$RegName = '1'
$RegData = 'www.tacos.com'
$RegType = 'String'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

# Use the below to whitelist URLs in chrome.
# To add more than one URL, copy the 5 lines below and append regname with the next number in the list.. 2..3..4..5 and so on.
$RegPath = 'Software\Policies\Google\Chrome\URLWhitelist'
$RegName = '1'
$RegData = '*'
$RegType = 'String'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

# Use the below to make a list of forced installed extensions, This will also delete any values to remove any rogue extensions as a security feature if they are within the
# list of 1-10 in the policy.
# To add more than one force installed extension, copy the 5 lines below and mark the regname as 2..3..4..5 and so on after re-pasting.
$RegPath = 'Software\Policies\Google\Chrome\ExtensionInstallForcelist'
$RegName = '1'
$RegData = 'EXTENSIONID'
$RegType = 'String'
Remove-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName 1
Remove-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName 2
Remove-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName 3
Remove-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName 4
Remove-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName 5
Remove-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName 6
Remove-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName 7
Remove-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName 8
Remove-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName 9
Remove-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName 10
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType


$RegPath = 'Software\Policies\Google\Chrome'
$RegName = '0'
$RegData = 'AllowOutdatedPlugins'
$RegType = 'DWord'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'
$RegName = '0'
$RegData = 'BackgroundModeEnabled'
$RegType = 'DWord'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'
$RegName = '1'
$RegData = 'BookmarkBarEnabled'
$RegType = 'DWord'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'
$RegName = '1'
$RegData = 'DefaultBrowserSettingEnabled'
$RegType = 'DWord'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'
$RegName = '1'
$RegData = 'DeveloperToolsDisabled'
$RegType = 'DWord'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'
$RegName = '1'
$RegData = 'EnableMediaRouter'
$RegType = 'DWord'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'
$RegName = '1'
$RegData = 'ForceGoogleSafeSearch'
$RegType = 'DWord'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'
$RegName = '0'
$RegData = 'FullscreenAllowed'
$RegType = 'DWord'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'
$RegName = '2'
$RegData = 'NetworkPredictionOptions'
$RegType = 'DWord'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'
$RegName = '1'
$RegData = 'SafeBrowsingEnabled'
$RegType = 'DWord'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'
$RegName = '0'
$RegData = 'SafeBrowsingExtendedReportingOptInAllowed'
$RegType = 'DWord'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'
$RegName = '0'
$RegData = 'SearchSuggestEnabled'
$RegType = 'DWord'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'
$RegName = '0'
$RegData = 'SpellCheckServiceEnabled'
$RegType = 'DWord'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'
$RegName = 'tls1'
$RegData = 'SSLVersionMin'
$RegType = 'String'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'
$RegName = '0'
$RegData = 'WelcomePageOnOSUpgradeEnabled'
$RegType = 'DWord'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

# End Chrome GP Settings
#
# Begin Adobe Acrobat/Reader DC Settings

$RegPath = 'Software\Policies\Adobe\Acrobat Reader\DC\FeatureLockdown'
$RegName = '1'
$RegData = 'bProtectedMode'
$RegType = 'DWord'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Adobe\Acrobat Reader\DC\FeatureLockdown'
$RegName = '1'
$RegData = 'bUsageMeasurement'
$RegType = 'DWord'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Adobe\Acrobat Reader\DC\FeatureLockdown\cIPM'
$RegName = '1'
$RegData = 'bDontShowMsgWhenViewingDoc'
$RegType = 'DWord'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Adobe\Acrobat Reader\DC\FeatureLockdown\cIPM'
$RegName = '0'
$RegData = 'bShowMsgAtLaunch'
$RegType = 'DWord'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Adobe\Adobe Acrobat\2015\FeatureLockdown'
$RegName = '1'
$RegData = 'bUsageMeasurement'
$RegType = 'DWord'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Adobe\Adobe Acrobat\2015\FeatureLockdown'
$RegName = '2'
$RegData = 'iProtectedView'
$RegType = 'DWord'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Adobe\Adobe Acrobat\2015\FeatureLockdown\cIPM'
$RegName = '0'
$RegData = 'bShowMsgAtLaunch'
$RegType = 'DWord'
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

# End Adobe Acrobat and Reader DC Settings
#

# Force DEP to always on for every application (available options are: AlwaysOff, AlwaysOn, OptIn, OptOut)
Write-Host "Turning on DEP for all applications."
bcdedit /set nx AlwaysON

# Enable SEHOP (Exception write-protection function of DEP.)
Write-Host "Enable Exception Write-Protection SEHOP"
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel" /v DisableExceptionChainValidation /t REG_DWORD /d 0 /f

# Check Cryptography Protection
Write-Host "Checking Cryptography Protection."

# If the following query shows that MasterKeyLegacyCompliance is set to a non-zero number,
# then it is bad sign that hackers or malware have set this value deliberately to weaken
# the security of DPAPI-protected secrets like cached passwords or private keys.
reg query HKLM\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb /v MasterKeyLegacyCompliance

# Run the following command to delete the MasterKeyLegacyCompliance value, which
# is the default on Windows XP and later, and is best for security.
reg delete HKLM\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb /v MasterKeyLegacyCompliance /f

# Disable NetBios (Forces File Sharing over port 445 DirectSMB/stops various worms.)
Write-Host "Disabling Outdated NetBIOS Protocol..."
sc.exe config netbt start= disabled

# Reset NerBios Configuration to Default.
# sc.exe config netbt start= system

# Set LAN connection to DHCP and renew.
# netsh.exe int ip set address "Local Area Connection" dhcp
# netsh.exe int ip set dns "Local Area Connection" dhcp
# ipconfig /renew

# Set LAN connection to static and release.
# ipconfig /release
# netsh.exe int ip set dns "Local Area Connection" static 10.4.1.1
# netsh.exe int ip set address "Local Area Connection" static 10.4.1.1 255.255.0.0

# Enable IPsec NAT
Write-Host "Enabling IPSec NAT..."
reg add "HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent" /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 00000002 /f

# Use these commands to audit logging policies.
# auditpol.exe /get /category:*
# auditpol.exe /get /subcategory:"MPSSVC rule-level Policy Change,Filtering Platform policy change,IPsec Main Mode,IPsec Quick Mode,IPsec Extended Mode,IPsec Driver,Other System Events,Filtering Platform Packet Drop,Filtering Platform Connection"

# Disable a lot of security logging (See end of command)
# auditpol.exe /set /subcategory:"MPSSVC rule-level Policy Change,Filtering Platform policy change,IPsec Main Mode,IPsec Quick Mode,IPsec Extended Mode,IPsec Driver,Other System Events,Filtering Platform Packet Drop,Filtering Platform Connection" /success:Disable /failure:Disable

# Enable a lot of security logging (See end of command)
auditpol.exe /set /subcategory:"MPSSVC rule-level Policy Change,Filtering Platform policy change,IPsec Main Mode,IPsec Quick Mode,IPsec Extended Mode,IPsec Driver,Other System Events,Filtering Platform Packet Drop,Filtering Platform Connection" /success:Enable /failure:Enable

# Enable oakley IPSec Diagnostics logging.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley" /v EnableLogging /t REG_DWORD /d 00000001 /f

# Enable Local IPSec Connections for ports 3389,135,139,445,21,20,23
Write-Host "Enabling Local Network IPSEC on this machine if supported."
netsh.exe advfirewall consec add rule name=Testing-IPSec-NETSH endpoint1=any port1=any endpoint2=localsubnet port2=3389,135,139,445,21,20,23 protocol=tcp profile=any action=requireinrequestout interfacetype=any auth1=computerpsk auth1psk=$ThePreSharedKey enable=yes

# Disable Local IPSec Connections for ports 3389,135,139,445,21,20,23
# Write-Host "Disabling Local Network IPSEC on this machine if supported."
# netsh.exe advfirewall consec add rule name=Testing-IPSec-NETSH endpoint1=any port1=any endpoint2=localsubnet port2=3389,135,139,445,21,20,23 protocol=tcp profile=any action=requireinrequestout interfacetype=any auth1=computerpsk auth1psk=$ThePreSharedKey enable=no

#
#
# The Two Lines Below Enable Superfectch and Prefetch
Write-Host "Enabling Superfetch and Prefetch..."
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v EnableSuperfetch /t REG_DWORD /d 00000003 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v EnablePrefetcher /t REG_DWORD /d 00000003 /f

# The Lines Below Disable SSL!!!
Write-Host "Disabling SSL..."
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /v DisabledByDefault /t REG_DWORD /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /v Enabled /t REG_DWORD /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v DisabledByDefault /t REG_DWORD /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /v DisabledByDefault /t REG_DWORD /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /v Enabled /t REG_DWORD /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v DisabledByDefault /t REG_DWORD /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v Enabled /t REG_DWORD /d 00000000 /f

# The Lines Below Force And Enable TLS!!!
Write-Host "Forcing and Enabling TLS!!!"
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v DisabledByDefault /t REG_DWORD /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v Enabled /t REG_DWORD /d 0xffffffff /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v DisabledByDefault /t REG_DWORD /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 0xffffffff /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v DisabledByDefault /t REG_DWORD /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v Enabled /t REG_DWORD /d 0xffffffff /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v DisabledByDefault /t REG_DWORD /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v Enabled /t REG_DWORD /d 0xffffffff /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v DisabledByDefault /t REG_DWORD /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v Enabled /t REG_DWORD /d 0xffffffff /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v DisabledByDefault /t REG_DWORD /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v Enabled /t REG_DWORD /d 0xffffffff /f

# The Registry Parameters Below are for TCP Security, I'm not sure what some of them do.
Write-Host "Upgrading TCP Security..."
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v IPEnableRouter /t REG_DWORD /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableICMPRedirect /t REG_DWORD /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v SynAttackProtect /t REG_DWORD /d 00000002 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxHalfOpen /t REG_DWORD /d 00000064 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxHalfOpenRetried /t REG_DWORD /d 00000050 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v DisableIPSourceRouting /t REG_DWORD /d 00000002 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v NoNameReleaseOnDemand /t REG_DWORD /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableDeadGWDetect /t REG_DWORD /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v KeepAliveTime /t REG_DWORD /d 0x000493E0 /f

# Disable NTFS Last-Access Timestamp
# Write-Host "Disabling NTFS Last-Access Timestamps..."
# reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v NtfsDisableLastAccessUpdate /t REG_DWORD /d 00000001 /f

# Enable NTFS Last-Access Timestamp
Write-Host "Enabling NTFS Last-Access Timestamps..."
reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v NtfsDisableLastAccessUpdate /t REG_DWORD /d 00000000 /f

# Disable IPV6
Write-Host "Disabling IPV6..."
reg add "HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters" /v DisabledComponents /t REG_DWORD /d 0xffffffff /f

# Enable IPV6
# Write-Host "EnTabling IPV6..."
# reg add "HKLM\SYSEM\CurrentControlSet\services\TCPIP6\Parameters" /v DisabledComponents /t REG_DWORD /d 0 /f

# Force High Level of Remote Desktop Encryption and TLS Authentication.
Write-Host "Requiring Strong Remote Desktop Encryption if enabled... And forcing TLS Authentication"
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t REG_DWORD /d 00000003 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 00000002 /f

# Disabling TCP/IP AutoTuning (see http://technet.microsoft.com/en-us/magazine/2007.01.cableguy.aspx)
Write-Host "Disabling TCP/IP Auto-Tuning..."
netsh.exe interface tcp set global autotuninglevel= disabled

# Enabling TCP/IP AutoTuning
# netsh.exe interface tcp set global autotuninglevel= normal

# Reset Firewall To factory Defaults!!!
# netsh.exe firewall reset
#


# Begin Java Security Setting Script
#
#

Write-host "The next bit of code will either enable or disable java system-wide."

# Construct the strings for the deployment.properties file.
# Be mindful of the below property, setting webjava to false will unisntall java and you will need to manually re-enable in IE.

$propertiesfile = "deployment.webjava.enabled=true "

# Default to locking the security level and browser plug-in state, i.e., they are visible but greyed out in Java Control Panel.
$propertiesfile += "`ndeployment.webjava.enabled.locked `ndeployment.security.level.locked "

# Default to security level being set to VERY_HIGH (see Security tab of Java Control Panel).
$propertiesfile += "`ndeployment.security.level=VERY_HIGH"


# Possibly delete the configuration files and exit, but leave the folder alone though.
write-host "Deleting system-wide Java configuration files, if they exist..."
remove-item $env:WinDir\Sun\Java\Deployment\deployment.config -Force
remove-item $env:WinDir\Sun\Java\Deployment\deployment.properties -Force


# Create the $env:WinDir\Sun\Java\Deployment folder for the system-wide Java configuration files.
New-Item -Path $env:WinDir\Sun\Java\Deployment -ItemType Directory -Force | Out-Null

# Create the deployment.config file.
"deployment.system.config=$env:WinDir\Sun\Java\Deployment\deployment.properties" |
    Out-File -FilePath $env:WinDir\Sun\Java\Deployment\deployment.config -Force -Encoding ASCII
if (-not $? -or -not $(Test-Path $env:WinDir\Sun\Java\Deployment\deployment.config))
   { "`nCould not create the deployment.config file, exiting.`n" ; exit -1 }


# Create the deployment.properties file.
$propertiesfile | Out-File -FilePath $env:WinDir\Sun\Java\Deployment\deployment.properties -Force -Encoding ASCII
if (-not $? -or -not $(Test-Path $env:WinDir\Sun\Java\Deployment\deployment.properties))
   { "`nCould not create the deployment.properties file, exiting.`n" ; exit -1 }


# Show system-wide deployment.properties file contents FYI.
"`nCurrent contents of the deployment.properties file:`n"
get-content $env:WinDir\Sun\Java\Deployment\deployment.properties ; "`n"


# Run latest ssvagent.exe for both x86 and x64, but not on Java Platform 6 or earlier, and
# hope future Javas support these switches (man, what a mess, doomed to rewrites...):
if ($propertiesfile -like '*deployment.webjava.enabled=false*')
{
    # Try the x64 version, if any:
    $ssvagent = $null
    if (Test-Path -Path "$env:ProgramFiles\Java\")
    {
        $ssvagent = dir "$env:ProgramFiles\Java\*.exe" -Recurse |
                where { $_.name -eq 'ssvagent.exe' -and $_.fullname -notmatch '\\jre[1-6]\\'} |
                sort LastWriteTimeUtc -desc | select -first 1
    }

    if ($ssvagent -ne $null)
    {
        $expression = $ssvagent.FullName.Replace("Program Files","'Program Files'") + " -disablewebjava"
        "Executing: $expression `n"
        invoke-expression -command $expression
    }


    # Now for the x86 version second, because this is the Oracle-preferred:
    $ssvagent = $null
    if (Test-Path -Path "${env:ProgramFiles(x86)}\Java\")
    {
        $ssvagent = dir "${env:ProgramFiles(x86)}\Java\*.exe" -Recurse |
                where { $_.name -eq 'ssvagent.exe' -and $_.fullname -notmatch '\\jre[1-6]\\'} |
                sort LastWriteTimeUtc -desc | select -first 1
    }

    if ($ssvagent -ne $null)
    {
        $expression = $ssvagent.FullName.Replace("Program Files (x86)","'Program Files (x86)'") + " -disablewebjava"
        "Executing: $expression `n"
        invoke-expression -command $expression
    }
}
elseif ($propertiesfile -like '*deployment.webjava.enabled=true*')
{
    # Try the x64 version, if any:
    $ssvagent = $null
    $ssvagent = dir "$env:ProgramFiles\Java\*.exe" -Recurse |
                where { $_.name -eq 'ssvagent.exe' -and $_.fullname -notmatch '\\jre[1-6]\\'} |
                sort LastWriteTimeUtc -desc | select -first 1
    if ($ssvagent -ne $null)
    {
        $expression = $ssvagent.FullName.Replace("Program Files","'Program Files'") + " -forceinstall -register -new -high"  #Only -high exists?
        "Executing: $expression `n"
        invoke-expression -command $expression
    }

    # Now for the x86 version second, to let it possibly overwrite x64 settings, since x86 is Oracle-preferred:
    $ssvagent = $null
    $ssvagent = dir "${env:ProgramFiles(x86)}\Java\*.exe" -Recurse |
                where { $_.name -eq 'ssvagent.exe' -and $_.fullname -notmatch '\\jre[1-6]\\'} |
                sort LastWriteTimeUtc -desc | select -first 1
    if ($ssvagent -ne $null)
    {
        $expression = $ssvagent.FullName.Replace("Program Files (x86)","'Program Files (x86)'") + " -forceinstall -register -new -high"  #Only -high exists?
        "Executing: $expression `n"
        invoke-expression -command $expression
    }
}

# End Java Security Settings Script
#
#


#
#
# Change Mac Menu

$Title = "Welcome"
$Info = "To Change Or Not Change Your Mac (May not support Hyper-V)"

$options = [System.Management.Automation.Host.ChoiceDescription[]] @("&Yes", "&No", "&Quit")
[int]$defaultchoice = 1
$opt =  $host.UI.PromptForChoice($Title , $Info , $Options,$defaultchoice)
switch($opt)
{
0 {
#
#
# The Below Script Enable a random mac on wifi. This may not work on all computers!!! (Especially HYPER-V)

Write-Host "Enabling Random MAC address on WIFI!!! Please be patient... This may not work on all computers!!! (Especially HYPER-V)"
function random-mac ($ManufacturerName, $ManufacturerID, $Delimiter, [Switch] $TotallyRandom, [Switch] $LocallyAdministered, [Switch] $Multicast)
{
    # $mac will be padded with random hex later, but add a random vendor ID by default.
    if ($TotallyRandom) { $mac = "" }
    else
    {
        # First three bytes will come from the manufacturer ID number.
        # Some input checking of the manufacturer selection...
        if ($ManufacturerName -and $ManufacturerName.StartsWith("3")) { $ManufacturerName = "ThreeCom" }
        if ($ManufacturerName -and $ManufacturerName.ToUpper().StartsWith("D-")) { $ManufacturerName = "DLink" }
        if ($ManufacturerID -and $ManufacturerID.ToString().length -gt 12) { $ManufacturerID = $ManufacturerID.ToString().SubString(0,12) }

        # Manufacturer identifiers last updated on 5.Feb.2011:
        $vendor = @{
            "Netgear" = "0024B2 0026F2 30469A A021B7 C03F0E C43DC7 E0469A E091F5 000FB5 00146C 00184D 001B2F 001E2A 001F33 00223F 00095B" ;
            "DLink" = "00055D 000D88 000F3D 001195 001346 0015E9 00179A 00195B 001B11 001CF0 001E58 002191 0022B0 002401 00265A 0050BA 0080C8 14D64D 1CAFF7 1CBDB9 340804 5CD998 F07D68" ;
            "ThreeCom" = "000102 000103 00029C 00040B 00051A 00068C 000A04 000A5E 000BAC 000D54 000E6A 000FCB 00104B 00105A 0012A9 00147C 0016E0 00186E 001AC1 001CC5 001EC1 0020AF 002257 002473 002654 00301E 005004 005099 0050DA 006008 00608C 006097 009004 00A024 00D096 00D0D8 02608C 02C08C 08004E 20FDF1 4001C6" ;
            "Intel" = "0002B3 000347 000423 0007E9 000CF1 000E0C 000E35 001111 0012F0 001302 001320 0013CE 0013E8 001500 001517 00166F 001676 0016EA 0016EB 0018DE 0019D1 0019D2 001B21 001B77 001CBF 001CC0 001DE0 001DE1 001E64 001E65 001E67 001F3B 001F3C 00207B 00215C 00215D 00216A 00216B 0022FA 0022FB 002314 002315 0024D6 0024D7 0026C6 0026C7 00270E 002710 0050F1 009027 00A0C9 00AA00 00AA01 00AA02 00D0B7 081196 0CD292 100BA9 183DA2 247703 4025C2 448500 4C8093 502DA2 58946B 648099 64D4DA 685D43 74E50B 78929C 809B20 88532E 8CA982 A088B4 AC7289 BC7737 DCA971" ;
            "HP" = "0001E6 0001E7 0002A5 0004EA 000802 000883 0008C7 000A57 000BCD 000D9D 000E7F 000EB3 000F20 000F61 001083 0010E3 00110A 001185 001279 001321 001438 0014C2 001560 001635 001708 0017A4 001871 0018FE 0019BB 001A4B 001B78 001CC4 001E0B 001F29 00215A 002264 00237D 002481 0025B3 002655 00306E 0030C1 00508B 0060B0 00805F 0080A0 080009 18A905 1CC1DE 2C27D7 3C4A92 643150 68B599 78ACC0 78E3B5 78E7D1 984BE1 B499BA B8AF67 D48564 D8D385 F4CE46" ;
            "Apple" = "000393 000502 000A27 000A95 000D93 0010FA 001124 001451 0016CB 0017F2 0019E3 001B63 001CB3 001D4F 001E52 001EC2 001F5B 001FF3 0021E9 002241 002312 002332 00236C 0023DF 002436 002500 00254B 0025BC 002608 00264A 0026B0 0026BB 003065 0050E4 00A040 041E64 080007 1093E9 109ADD 18E7F4 24AB81 28E7CF 34159E 3C0754 40A6D9 40D32D 442A60 581FAA 5855CA 58B035 5C5948 60334B 60FB42 64B9E8 70CD60 78CA39 7C6D62 7CC537 7CF05F 88C663 8C5877 8C7B9D 9027E4 90840D 9803D8 A46706 A4B197 B8FF61 C42C03 C82A14 C8BCC8 CC08E0 D49A20 D83062 D89E3F D8A25E DC2B61 E0F847 E4CE8F E80688 F0B479 F81EDF" ;
            "AlliedTelesis" = "0000CD 0000F4 000941 000A79 000DDA 001130 001577 001AEB 002687 009099 00A0D2 ECCD6D" ;
            "QLogic" = "000E1E 001B32 0024FF 00C0DD 00E08B"
        }

        # Check that $ManufacturerName actually matches one of the valid $vendors here.
        if ($ManufacturerName -and ($vendor.keys -notcontains $ManufacturerName))
        { throw "`nYou must choose a vendor from this list:`n" + $vendor.keys }

        # Generate the first three bytes of the MAC or use the $ManufacturerID instead.
        if ($ManufacturerID) { $mac = $ManufacturerID.ToString().ToUpper() -replace '[^A-F0-9]',"" }
        elseif ($ManufacturerName) { $mac = get-random -input @($vendor.$ManufacturerName -split " ") }
        else { $mac = get-random -input @($vendor.$(get-random -input @($vendor.keys)) -split " ") }
    }

    # Now padright with random hex characters until we have twelve chars.
    while ($mac.length -lt 12)
    {
        $mac += "{0:X}" -f $(get-random -min 0 -max 16)
    }

    # Now set the unicast/multicast flag bit.
    # First low-order bit (right-most bit): 0 = unicast, 1 = multicast
    # For the bit flags, see http://en.wikipedia.org/wiki/MAC_address
    [Byte] $firstbyte = "0x" + $mac.substring(0,2)      # Convert first two hex chars to a byte.

    if ($multicast)
    {
        $firstbyte = [Byte] $firstbyte -bor [Byte] 1     # Set low-order bit to 1: multicast
        $mac = ("{0:X}" -f $firstbyte).padleft(2,"0") + $mac.substring(2)
    }
    else
    {
        $firstbyte = [Byte] $firstbyte -band [Byte] 254  # Set low-order bit to 0: unicast
        $mac = ("{0:X}" -f $firstbyte).padleft(2,"0") + $mac.substring(2)
    }


    # Now set the vendor-unique/locally-administered flag.
    # Next-to-low-order bit (second from right): 0 = unique vendor, 1 = locally administered
    if ($locallyadministered)
    {
        $firstbyte = [Byte] $firstbyte -bor [Byte] 2     # Set second low-order bit to 1: locally
        $mac = ("{0:X}" -f $firstbyte).padleft(2,"0") + $mac.substring(2)
    }
    else
    {
        $firstbyte = [Byte] $firstbyte -band [Byte] 253  # Set second low-order bit to 0: vendor unique
        $mac = ("{0:X}" -f $firstbyte).padleft(2,"0") + $mac.substring(2)
    }


    # Add delimiter, if any, and return the $mac.
    if ($Delimiter)
    {
        for ($i = 0 ; $i -le 10 ; $i += 2)
        { $newmac += $mac.substring($i,2) + $Delimiter }
        $newmac.substring(0,$($newmac.length - $Delimiter.length))
    }
    else
    { $mac }
}


# Get the NICs which are not tunnels, not for virtual machines, and not for bluetooth.
$nics = @(Get-WmiObject -Query "select * from win32_networkadapter where adaptertype != 'Tunnel' and adaptertype is not null" | `
where { $_.description -notmatch 'VMware|Virtual|WAN Miniport|ISATAP|RAS Async|Teredo|Windows Mobile Remote|6to4|Bluetooth' } )

# If more than one physical NIC, prompt the user to select one, if the index number was not given.
if ($nics.count -eq 0) { "`nCannot identify a valid network interface device, quitting...`n" ; exit }
elseif ($nics.count -eq 1 -and -not $InterfaceIndexNumber) { $index = $nics[0].index }
else
{
    if ($InterfaceIndexNumber) { $index = $InterfaceIndexNumber }
    else
    {
        # Print a list of interfaces and prompt user to choose one.
        "`n"; $nics | format-table index,macaddress,netconnectionid,description -autosize
        $index = read-host -prompt "`nEnter the index number of the desired interface"
    }
}

# Check that a valid index number was actually entered.
$good = $false; switch ($nics | foreach {$_.index}) { $index { $good = $true } }
if (-not $good) { "`n$index is not a valid index number, quitting...`n" ; exit }

# Confirm that you can get the NIC by the index number, so that it can be disabled/enabled later too.
$thenic = Get-WmiObject -Query "select * from win32_networkadapter where deviceid = $index"
if (-not $?) { "`nThere was a problem getting the interface, quitting...`n" ; exit }

# The registry key for the nic always has four digits, so padleft, then get the key.
$index = $index.tostring().padleft(4,"0")
$regkey = get-item "hklm:\system\CurrentControlSet\control\class\{4D36E972-E325-11CE-BFC1-08002BE10318}\$index"
if (-not $?) { "`nThere was a problem getting the registry key, quitting...`n" ; exit }

# Show how WMI sees the current MAC address.
("`nWMI reports the current MAC address for interface $index as " + $thenic.macaddress + ".").replace(":","")

# Show current registry value for MAC address, if any.
$macaddress = $regkey.getvalue("NetworkAddress")
if ($macaddress -eq $null) {"Custom MAC address registry value does not exist for interface index $index."}
else {"Current registry MAC value for interface $index is $macaddress."}

# If requested, delete the registry value for a custom MAC, which resets to the default burnt-in
# MAC; otherwise, set the registry value for a custom MAC address.
if ($resetdefault)
{
    if ($macaddress -ne $null)
    {
        "Deleting registry value for a custom MAC, which resets to the default MAC address."
        $regpath = "hklm:\system\CurrentControlSet\control\class\{4D36E972-E325-11CE-BFC1-08002BE10318}\$index"
        remove-itemproperty -path $regpath -name "NetworkAddress"
        if (-not $?) { "`nFAILED to delete the registry value for the MAC address!`n" ; exit }
    }
}
else
{
    # Set new value for MAC address.
    $regpath = "hklm:\system\CurrentControlSet\control\class\{4D36E972-E325-11CE-BFC1-08002BE10318}\$index"
    if ($wireless)
    {
        set-itemproperty -path $regpath -name "NetworkAddress" -value $(random-mac -locallyadministered)
    }
    else
    {
        set-itemproperty -path $regpath -name "NetworkAddress" -value $(random-mac)
    }
    if (-not $?) { "`nFAILED to set the registry value for the MAC address!`n" ; exit }

    # Show new registry value for MAC address.
    $macaddress = $regkey.getvalue("NetworkAddress")
    if ($macaddress -eq $null) { "`nFAILED to change the registry value for a custom MAC address`n" ; exit }
    else {"The new registry MAC value for interface $index is $macaddress."}
}

# Release DHCP leases, disable the interface, re-enable, renew DHCP.
if ($DoNotResetInterface)
{   "Changes will not take effect until after the interface has been disabled and enabled.`n" }
else
{
    "Refreshing the interface, this may take a few seconds..."
    ipconfig.exe /release """$($thenic.netconnectionid)"""   | out-null
    ipconfig.exe /release6 """$($thenic.netconnectionid)"""  | out-null
    $thenic.disable() | out-null
    if (-not $?) { "FAILED to disable the interface!" }
    $thenic.enable() | out-null
    if (-not $?) { "FAILED to enable the interface!" }
    ipconfig.exe /renew """$($thenic.netconnectionid)"""  | out-null
    ipconfig.exe /renew6 """$($thenic.netconnectionid)""" | out-null
    "...done refreshing the interface."

    # Confirm through WMI again that the change actually took effect.
    $thenic = Get-WmiObject -Query "select * from win32_networkadapter where deviceid = $index"
    ("WMI reports the current MAC address for interface $index as " + $thenic.macaddress + ".`n").replace(":","")
}

# END-MAC-SCRIPT

##########
# Restart
##########
Write-Host
Write-Host "Press any key to restart your system..." -ForegroundColor Black -BackgroundColor White
$key = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
Write-Host "Restarting..."
Restart-Computer
}

1 {
Write-Host
Write-Host "Press any key to restart your system..." -ForegroundColor Black -BackgroundColor White
$key = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
Write-Host "Restarting..."
Restart-Computer
}
}