##########

# Win10 Initial Setup Script

# Author: Disassembler, Gr1d:, TheRoc

# Edited by Gr1D:

# dasm's script: https://github.com/Disassembler0/Win10-Initial-Setup-Script/

# Gr1D:'s Script: https://gist.github.com/TheRoboKitten/98b5b25345105a5e79f56d61eec4bc65

# TheROC's E.T. Disable script: https://gist.github.com/thoroc/86d354d029dda303598a

# THIS IS VERSION 5.5, error suppression is turned on. PLEASE be patient and PLEASE restart after running the script.

# This script leaves more MS defaults on, including MSE and smart-screen, 

# but blocks a ton of domains and disables remote assistance secures java, sets up ipsec..

# (please set your own key - SEE BELOW A FEW LINES) and disables SSL. Even changes your mac and takes steps to secure Google Chrome,

# Adobe Acrobat and Adobe Reader DC. To disable skynet turn off smartscreen and antivirus.

# NOTE: READ THIS SCRIPT CAREFULLY BEFORE RUNNING IT. ADJUST COMMENTS AS APPROPRIATE.

# This script will reboot your machine when completed.

# Setting up a new machine? See http://ninite.com (for devs, http://chocolatey.org)

##########

# Ask for elevated permissions if required

$ErrorActionPreference= 'silentlycontinue'

If (!([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")) {

    Start-Process powershell.exe "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`"" -Verb RunAs

    Exit

}

#

# PLEASE EDIT THE BELOW LINE TO SET YOUR IPSEC PASSWORD (This may be randomly generated in the future)

$ThePreSharedKey = 'PasswordCHANGEME'

Write-Progress -Activity "Backing up registry. This may take awhile..." -Status "Progress:" -PercentComplete 1

del C:\registry-backup-hklm.reg

del C:\registry-backup-hkcu.reg

del C:\registry-backup-hkcr.reg

reg export HKLM C:\registry-backup-hklm.reg | Out-Null

reg export HKCU C:\registry-backup-hkcu.reg | Out-Null

reg export HKCR C:\registry-backup-hkcr.reg | Out-Null

Write-Progress -Activity "Backing up registry. This may take awhile..." -Status "Progress:" -PercentComplete 100

##########

# Privacy Settings

##########

Write-Progress -Activity "Setting some privacy settings..." -Status "Progress:" -PercentComplete 1

# Disable Telemetry

# Disable Telemetry

Write-Host "Disabling Telemetry..."

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" -Name "AllowTelemetry" -Type DWord -Value 0

Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Name "AllowTelemetry" -Type DWord -Value 0

Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection" -Name "AllowTelemetry" -Type DWord -Value 0

# Enable Telemetry

# Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" -Name "AllowTelemetry" -Type DWord -Value 3

# Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Name "AllowTelemetry" -Type DWord -Value 3

# Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection" -Name "AllowTelemetry" -Type DWord -Value 3

# Disable Wi-Fi Sense

Write-Host "Disabling Wi-Fi Sense..."

If (!(Test-Path "HKLM:\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting")) {

    New-Item -Path "HKLM:\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" -Force | Out-Null

}

Set-ItemProperty -Path "HKLM:\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" -Name "Value" -Type DWord -Value 0

Set-ItemProperty -Path "HKLM:\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" -Name "Value" -Type DWord -Value 0

Write-Progress -Activity "Setting some privacy settings..." -Status "Progress:" -PercentComplete 15

# Enable Wi-Fi Sense

# Set-ItemProperty -Path "HKLM:\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" -Name "Value" -Type DWord -Value 1

# Set-ItemProperty -Path "HKLM:\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" -Name "Value" -Type DWord -Value 1

# Disable SmartScreen Filter

# Write-Host "Disabling SmartScreen Filter..."

# Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer" -Name "SmartScreenEnabled" -Type String -Value "Off"

# Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\AppHost" -Name "EnableWebContentEvaluation" -Type DWord -Value 0

# Enable SmartScreen Filter

Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer" -Name "SmartScreenEnabled" -Type String -Value "RequireAdmin"

Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\AppHost" -Name "EnableWebContentEvaluation"

# Disable Bing Search in Start Menu

Write-Host "Disabling Bing Search in Start Menu..."

Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Search" -Name "BingSearchEnabled" -Type DWord -Value 0

# Enable Bing Search in Start Menu

# Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Search" -Name "BingSearchEnabled"

Write-Progress -Activity "Setting some privacy settings..." -Status "Progress:" -PercentComplete 30

# Disable Start Menu suggestions

# Write-Host "Disabling Start Menu suggestions..."

# Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" -Name "SystemPaneSuggestionsEnabled" -Type DWord -Value 0

# Enable Start Menu suggestions

Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" -Name "SystemPaneSuggestionsEnabled" -Type DWord -Value 1

# Disable Location Tracking

Write-Host "Disabling Location Tracking..."

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" -Name "SensorPermissionState" -Type DWord -Value 0

Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\lfsvc\Service\Configuration" -Name "Status" -Type DWord -Value 0

# Enable Location Tracking

# Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" -Name "SensorPermissionState" -Type DWord -Value 1

# Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\lfsvc\Service\Configuration" -Name "Status" -Type DWord -Value 1

Write-Progress -Activity "Setting some privacy settings..." -Status "Progress:" -PercentComplete 45

# Disable Feedback

Write-Host "Disabling Feedback..."

If (!(Test-Path "HKCU:\Software\Microsoft\Siuf\Rules")) {

    New-Item -Path "HKCU:\Software\Microsoft\Siuf\Rules" -Force | Out-Null

}

Set-ItemProperty -Path "HKCU:\Software\Microsoft\Siuf\Rules" -Name "NumberOfSIUFInPeriod" -Type DWord -Value 0

# Enable Feedback

# Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Siuf\Rules" -Name "NumberOfSIUFInPeriod"

# Disable Advertising ID

Write-Host "Disabling Advertising ID..."

If (!(Test-Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo")) {

    New-Item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" | Out-Null

}

Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" -Name "Enabled" -Type DWord -Value 0

# Enable Advertising ID

# Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" -Name "Enabled"

Write-Progress -Activity "Setting some privacy settings..." -Status "Progress:" -PercentComplete 60

# Disable Cortana

Write-Host "Disabling Cortana..."

If (!(Test-Path "HKCU:\Software\Microsoft\Personalization\Settings")) {

    New-Item -Path "HKCU:\Software\Microsoft\Personalization\Settings" -Force | Out-Null

}

Set-ItemProperty -Path "HKCU:\Software\Microsoft\Personalization\Settings" -Name "AcceptedPrivacyPolicy" -Type DWord -Value 0

If (!(Test-Path "HKCU:\Software\Microsoft\InputPersonalization")) {

    New-Item -Path "HKCU:\Software\Microsoft\InputPersonalization" -Force | Out-Null

}

Set-ItemProperty -Path "HKCU:\Software\Microsoft\InputPersonalization" -Name "RestrictImplicitTextCollection" -Type DWord -Value 1

Set-ItemProperty -Path "HKCU:\Software\Microsoft\InputPersonalization" -Name "RestrictImplicitInkCollection" -Type DWord -Value 1

If (!(Test-Path "HKCU:\Software\Microsoft\InputPersonalization\TrainedDataStore")) {

    New-Item -Path "HKCU:\Software\Microsoft\InputPersonalization\TrainedDataStore" -Force | Out-Null

}

Set-ItemProperty -Path "HKCU:\Software\Microsoft\InputPersonalization\TrainedDataStore" -Name "HarvestContacts" -Type DWord -Value 0

# Enable Cortana

# Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Personalization\Settings" -Name "AcceptedPrivacyPolicy"

# Set-ItemProperty -Path "HKCU:\Software\Microsoft\InputPersonalization" -Name "RestrictImplicitTextCollection" -Type DWord -Value 0

# Set-ItemProperty -Path "HKCU:\Software\Microsoft\InputPersonalization" -Name "RestrictImplicitInkCollection" -Type DWord -Value 0

# Remove-ItemProperty -Path "HKCU:\Software\Microsoft\InputPersonalization\TrainedDataStore" -Name "HarvestContacts"

# Restrict Windows Update P2P only to local network

Write-Host "Restricting Windows Update P2P only to local network..."

Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" -Name "DODownloadMode" -Type DWord -Value 1

If (!(Test-Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization")) {

    New-Item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization" | Out-Null

}

Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization" -Name "SystemSettingsDownloadMode" -Type DWord -Value 3

 Write-Progress -Activity "Setting some privacy settings..." -Status "Progress:" -PercentComplete 75

# Unrestrict Windows Update P2P

# Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" -Name "DODownloadMode"

# Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization" -Name "SystemSettingsDownloadMode"

# Remove AutoLogger file and restrict directory

Write-Host "Removing AutoLogger file and restricting directory..."

$autoLoggerDir = "$env:PROGRAMDATA\Microsoft\Diagnosis\ETLLogs\AutoLogger"

If (Test-Path "$autoLoggerDir\AutoLogger-Diagtrack-Listener.etl") {

    Remove-Item "$autoLoggerDir\AutoLogger-Diagtrack-Listener.etl"

}

icacls $autoLoggerDir /deny SYSTEM:`(OI`)`(CI`)F | Out-Null

# Unrestrict AutoLogger directory

# $autoLoggerDir = "$env:PROGRAMDATA\Microsoft\Diagnosis\ETLLogs\AutoLogger"

# icacls $autoLoggerDir /grant:r SYSTEM:`(OI`)`(CI`)F | Out-Null

# Stop and disable Diagnostics Tracking Service

Write-Host "Stopping and disabling Diagnostics Tracking Service..."

Stop-Service "DiagTrack"

Set-Service "DiagTrack" -StartupType Disabled

# Enable and start Diagnostics Tracking Service

# Set-Service "DiagTrack" -StartupType Automatic

# Start-Service "DiagTrack"

Write-Progress -Activity "Setting some privacy settings..." -Status "Progress:" -PercentComplete 90

# Stop and disable WAP Push Service

Write-Host "Stopping and disabling WAP Push Service..."

Stop-Service "dmwappushservice"

Set-Service "dmwappushservice" -StartupType Disabled

# Enable and start WAP Push Service

# Set-Service "dmwappushservice" -StartupType Automatic

# Start-Service "dmwappushservice"

# Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\dmwappushservice" -Name "DelayedAutoStart" -Type DWord -Value 1

Write-Progress -Activity "Setting some privacy settings..." -Status "Progress:" -PercentComplete 100

##########

# Service Tweaks

##########

Write-Progress -Activity "Setting some service tweaks..." -Status "Progress:" -PercentComplete 1

# Lower UAC level

# Write-Host "Lowering UAC level..."

# Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Type DWord -Value 0

# Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "PromptOnSecureDesktop" -Type DWord -Value 0

# Raise UAC level

Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Type DWord -Value 5

Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "PromptOnSecureDesktop" -Type DWord -Value 1

# Enable sharing mapped drives between users

# Write-Host "Enabling sharing mapped drives between users..."

# Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableLinkedConnections" -Type DWord -Value 1

# Disable sharing mapped drives between users

Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableLinkedConnections"

# Disable Firewall

# Write-Host "Disabling Firewall..."

# Set-NetFirewallProfile -Profile * -Enabled False

# Enable Firewall

Set-NetFirewallProfile -Profile * -Enabled True

# Disable Windows Defender

# Write-Host "Disabling Windows Defender..."

# Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Type DWord -Value 1

#### Configure the two below options when NOT running windows defender. (These sound pretty shady.. SKYNET!)

# Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" -ValueName **del.SpynetReporting -Type String -Data ""

# Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" -ValueName SubmitSamplesConsent -Type DWord -Data 2

# Enable Windows Defender

Remove-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware"

Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Type DWord -Value 0

Write-Progress -Activity "Setting some service tweaks..." -Status "Progress:" -PercentComplete 45

# Disable Windows Update automatic restart

Write-Host "Disabling Windows Update automatic restart..def."

Set-ItemProperty -Path "HKLM:\Software\Microsoft\WindowsUpdate\UX\Settings" -Name "UxOption" -Type DWord -Value 1

# Enable Windows Update automatic restart

# Set-ItemProperty -Path "HKLM:\Software\Microsoft\WindowsUpdate\UX\Settings" -Name "UxOption" -Type DWord -Value 0

# Stop and disable Home Groups services

Write-Host "Stopping and disabling Home Groups services..."

Stop-Service "HomeGroupListener"

Set-Service "HomeGroupListener" -StartupType Disabled

Write-Progress -Activity "Setting some service tweaks..." -Status "Progress:" -PercentComplete 80

Stop-Service "HomeGroupProvider"

Set-Service "HomeGroupProvider" -StartupType Disabled

# Enable and start Home Groups services

# Set-Service "HomeGroupListener" -StartupType Manual

# Set-Service "HomeGroupProvider" -StartupType Manual

# Start-Service "HomeGroupProvider"

# Disable Remote Assistance

Write-Host "Disabling Remote Assistance..."

Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Remote Assistance" -Name "fAllowToGetHelp" -Type DWord -Value 0

Write-Progress -Activity "Setting some service tweaks..." -Status "Progress:" -PercentComplete 80

# Enable Remote Assistance

# Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Remote Assistance" -Name "fAllowToGetHelp" -Type DWord -Value 1

# Enable Remote Desktop w/o Network Level Authentication

# Write-Host "Enabling Remote Desktop w/o Network Level Authentication..."

# Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Type DWord -Value 0

# Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -Type DWord -Value 0

# Disable Remote Desktop

Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Type DWord -Value 1

Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -Type DWord -Value 1

Write-Progress -Activity "Setting some service tweaks..." -Status "Progress:" -PercentComplete 100

##########

# UI Tweaks

##########

Write-Progress -Activity "Setting some UI tweaks..." -Status "Progress:" -PercentComplete 1

# Disable Action Center

Write-Host "Disabling Action Center..."

If (!(Test-Path "HKCU:\Software\Policies\Microsoft\Windows\Explorer")) {

  New-Item -Path "HKCU:\Software\Policies\Microsoft\Windows\Explorer" | Out-Null

}

Set-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\Explorer" -Name "DisableNotificationCenter" -Type DWord -Value 1

Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\PushNotifications" -Name "ToastEnabled" -Type DWord -Value 0

# Enable Action Center

# Remove-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\Explorer" -Name "DisableNotificationCenter"

# Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\PushNotifications" -Name "ToastEnabled"

# Disable Lock screen

# Write-Host "Disabling Lock screen..."

# If (!(Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization")) {

# 	New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization" | Out-Null

# }

# Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization" -Name "NoLockScreen" -Type DWord -Value 1

# Enable Lock screen

Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization" -Name "NoLockScreen"

# Disable Lock screen (Anniversary Update workaround)

#If ([System.Environment]::OSVersion.Version.Build -gt 14392) { # Apply only for Redstone 1 or newer

#	$service = New-Object -com Schedule.Service

#	$service.Connect()

#	$task = $service.NewTask(0)

#	$task.Settings.DisallowStartIfOnBatteries = $false

#	$trigger = $task.Triggers.Create(9)

#	$trigger = $task.Triggers.Create(11)

#	$trigger.StateChange = 8

#	$action = $task.Actions.Create(0)

#	$action.Path = "reg.exe"

#	$action.Arguments = "add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData /t REG_DWORD /v AllowLockScreen /d 0 /f"

#	$service.GetFolder("\").RegisterTaskDefinition("Disable LockScreen", $task, 6, "NT AUTHORITY\SYSTEM", $null, 4) | Out-Null

#}

# Enable Lock screen (Anniversary Update workaround)

#If ([System.Environment]::OSVersion.Version.Build -gt 14392) { # Apply only for Redstone 1 or newer

#	Unregister-ScheduledTask -TaskName "Disable LockScreen" -Confirm:$false -ErrorAction SilentlyContinue

#}

Write-Progress -Activity "Setting some UI tweaks..." -Status "Progress:" -PercentComplete 15

# Disable Autoplay

Write-Host "Disabling Autoplay..."

Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers" -Name "DisableAutoplay" -Type DWord -Value 1

# Enable Autoplay

# Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers" -Name "DisableAutoplay" -Type DWord -Value 0

# Disable Autorun for all drives

Write-Host "Disabling Autorun for all drives..."

If (!(Test-Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer")) {

  New-Item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" | Out-Null

}

Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name "NoDriveTypeAutoRun" -Type DWord -Value 255

# Enable Autorun

# Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name "NoDriveTypeAutoRun"

Write-Progress -Activity "Setting some UI tweaks..." -Status "Progress:" -PercentComplete 30

#Disable Sticky keys prompt

Write-Host "Disabling Sticky keys prompt..." 

Set-ItemProperty -Path "HKCU:\Control Panel\Accessibility\StickyKeys" -Name "Flags" -Type String -Value "506"

# Enable Sticky keys prompt

# Set-ItemProperty -Path "HKCU:\Control Panel\Accessibility\StickyKeys" -Name "Flags" -Type String -Value "510"

# Hide Search button / box I THINK THIS BREAKS OR THE DEVICEACCESS KEYS

# Write-Host "Hiding Search Box / Button..."

# Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Search" -Name "SearchboxTaskbarMode" -Type DWord -Value 0

# Show Search button / box

Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Search" -Name "SearchboxTaskbarMode"

# Hide Task View button

# Write-Host "Hiding Task View button..."

# Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "ShowTaskViewButton" -Type DWord -Value 0

# Show Task View button

# Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "ShowTaskViewButton"

# Show small icons in taskbar

# Write-Host "Showing small icons in taskbar..."

# Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "TaskbarSmallIcons" -Type DWord -Value 1

# Show large icons in taskbar

# Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "TaskbarSmallIcons"

# Show titles in taskbar

# Write-Host "Showing titles in taskbar..."

# Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "TaskbarGlomLevel" -Type DWord -Value 1

# Hide titles in taskbar

# Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "TaskbarGlomLevel"

# Show all tray icons

# write-Host "Showing all tray icons..."

# Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer" -Name "EnableAutoTray" -Type DWord -Value 0

# Hide tray icons as needed

Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer" -Name "EnableAutoTray"

Write-Progress -Activity "Setting some UI tweaks..." -Status "Progress:" -PercentComplete 45

# Show known file extensions

Write-Host "Showing known file extensions..."

Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "HideFileExt" -Type DWord -Value 0

# Hide known file extensions

# Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "HideFileExt" -Type DWord -Value 1

# Show hidden files

Write-Host "Showing hidden files..."

Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "Hidden" -Type DWord -Value 1

# Hide hidden files

# Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "Hidden" -Type DWord -Value 2

# Change default Explorer view to "Computer"

Write-Host "Changing default Explorer view to `"Computer`"..."

Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "LaunchTo" -Type DWord -Value 1

Write-Progress -Activity "Setting some UI tweaks..." -Status "Progress:" -PercentComplete 75

# Change default Explorer view to "Quick Access"

# Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "LaunchTo"

# Show Computer shortcut on desktop

Write-Host "Showing Computer shortcut on desktop..."

If (!(Test-Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu")) {

  New-Item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu" | Out-Null

}

Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu" -Name "{20D04FE0-3AEA-1069-A2D8-08002B30309D}" -Type DWord -Value 0

Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" -Name "{20D04FE0-3AEA-1069-A2D8-08002B30309D}" -Type DWord -Value 0

Write-Progress -Activity "Setting some UI tweaks..." -Status "Progress:" -PercentComplete 100

# Hide Computer shortcut from desktop

# Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu" -Name "{20D04FE0-3AEA-1069-A2D8-08002B30309D}"

# Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" -Name "{20D04FE0-3AEA-1069-A2D8-08002B30309D}"

# Remove Desktop icon from computer namespace

# Write-Host "Removing Desktop icon from computer namespace..."

# Remove-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}" -Recurse -ErrorAction SilentlyContinue

# Add Desktop icon to computer namespace

# New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}"

# Remove Documents icon from computer namespace

# Write-Host "Removing Documents icon from computer namespace..."

# Remove-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{d3162b92-9365-467a-956b-92703aca08af}" -Recurse -ErrorAction SilentlyContinue

# Remove-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}" -Recurse -ErrorAction SilentlyContinue

# Add Documents icon to computer namespace

# New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{d3162b92-9365-467a-956b-92703aca08af}"

# New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}"

# Remove Downloads icon from computer namespace

# Write-Host "Removing Downloads icon from computer namespace..."

# Remove-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{088e3905-0323-4b02-9826-5d99428e115f}" -Recurse -ErrorAction SilentlyContinue

# Remove-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{374DE290-123F-4565-9164-39C4925E467B}" -Recurse -ErrorAction SilentlyContinue

# Add Downloads icon to computer namespace

# New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{088e3905-0323-4b02-9826-5d99428e115f}"

# New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{374DE290-123F-4565-9164-39C4925E467B}"

# Remove Music icon from computer namespace

# Write-Host "Removing Music icon from computer namespace..."

# Remove-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{3dfdf296-dbec-4fb4-81d1-6a3438bcf4de}" -Recurse -ErrorAction SilentlyContinue

# Remove-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{1CF1260C-4DD0-4ebb-811F-33C572699FDE}" -Recurse -ErrorAction SilentlyContinue

# Add Music icon to computer namespace

# New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{3dfdf296-dbec-4fb4-81d1-6a3438bcf4de}"

# New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{1CF1260C-4DD0-4ebb-811F-33C572699FDE}"

# Remove Pictures icon from computer namespace

# Write-Host "Removing Pictures icon from computer namespace..."

# Remove-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{24ad3ad4-a569-4530-98e1-ab02f9417aa8}" -Recurse -ErrorAction SilentlyContinue

# Remove-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{3ADD1653-EB32-4cb0-BBD7-DFA0ABB5ACCA}" -Recurse -ErrorAction SilentlyContinue

# Add Pictures icon to computer namespace

# New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{24ad3ad4-a569-4530-98e1-ab02f9417aa8}"

# New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{3ADD1653-EB32-4cb0-BBD7-DFA0ABB5ACCA}"

# Remove Videos icon from computer namespace

# Write-Host "Removing Videos icon from computer namespace..."

# Remove-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{f86fa3ab-70d2-4fc7-9c99-fcbf05467f3a}" -Recurse -ErrorAction SilentlyContinue

# Remove-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{A0953C92-50DC-43bf-BE83-3742FED03C9C}" -Recurse -ErrorAction SilentlyContinue

# Add Videos icon to computer namespace

# New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{f86fa3ab-70d2-4fc7-9c99-fcbf05467f3a}"

# New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{A0953C92-50DC-43bf-BE83-3742FED03C9C}"

## Add secondary en-US keyboard

#Write-Host "Adding secondary en-US keyboard..."

#$langs = Get-WinUserLanguageList

#$langs.Add("en-US")

#Set-WinUserLanguageList $langs -Force

# Remove secondary en-US keyboard

Set-WinUserLanguageList En-US -Force

##########

# Remove unwanted applications

##########

Write-Progress -Activity "Removing Unwanted Apps" -Status "Progress:" -PercentComplete 1

# Disable OneDrive

Write-Host "Disabling OneDrive..."

If (!(Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive")) {

    New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive" | Out-Null

}

Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive" -Name "DisableFileSyncNGSC" -Type DWord -Value 1

# Enable OneDrive

# Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive" -Name "DisableFileSyncNGSC"

# Uninstall OneDrive

Write-Host "Uninstalling OneDrive... May sometimes hang"

Stop-Process -Name OneDrive -ErrorAction SilentlyContinue

Start-Sleep -s 3

$onedrive = "$env:SYSTEMROOT\SysWOW64\OneDriveSetup.exe"

If (!(Test-Path $onedrive)) {

    $onedrive = "$env:SYSTEMROOT\System32\OneDriveSetup.exe"

}

Start-Process $onedrive "/uninstall" -NoNewWindow -Wait

Start-Sleep -s 3

Stop-Process -Name explorer -ErrorAction SilentlyContinue

Start-Sleep -s 3

Remove-Item "$env:USERPROFILE\OneDrive" -Force -Recurse -ErrorAction SilentlyContinue

Remove-Item "$env:LOCALAPPDATA\Microsoft\OneDrive" -Force -Recurse -ErrorAction SilentlyContinue

Remove-Item "$env:PROGRAMDATA\Microsoft OneDrive" -Force -Recurse -ErrorAction SilentlyContinue

If (Test-Path "$env:SYSTEMDRIVE\OneDriveTemp") {

    Remove-Item "$env:SYSTEMDRIVE\OneDriveTemp" -Force -Recurse -ErrorAction SilentlyContinue

}

If (!(Test-Path "HKCR:")) {

    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null

}

Remove-Item -Path "HKCR:\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" -Recurse -ErrorAction SilentlyContinue

Remove-Item -Path "HKCR:\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" -Recurse -ErrorAction SilentlyContinue

# Install OneDrive

# $onedrive = "$env:SYSTEMROOT\SysWOW64\OneDriveSetup.exe"

# If (!(Test-Path $onedrive)) {

#   $onedrive = "$env:SYSTEMROOT\System32\OneDriveSetup.exe"

# }

# Start-Process $onedrive -NoNewWindow

# Uninstall Almost Everything.

Write-Progress -Activity "Removing Unwanted Apps" -Status "Progress:" -PercentComplete 75

# Install default Microsoft applications..

Write-Progress -Activity "Installing Wanted Apps" -Status "Progress:" -PercentComplete 15

Write-Progress -Activity "Installing Wanted Apps" -Status "Progress:" -PercentComplete 30

# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.WindowsMaps").InstallLocation)\AppXManifest.xml"

# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.ZuneVideo").InstallLocation)\AppXManifest.xml"

# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.Office.Sway").InstallLocation)\AppXManifest.xml"

# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.Messaging").InstallLocation)\AppXManifest.xml"

# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.CommsPhone").InstallLocation)\AppXManifest.xml"

Write-Progress -Activity "Installing Wanted Apps" -Status "Progress:" -PercentComplete 45

# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "9E2F88E3.Twitter").InstallLocation)\AppXManifest.xml"

# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "king.com.CandyCrushSodaSaga").InstallLocation)\AppXManifest.xml"

# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "4DF9E0F8.Netflix").InstallLocation)\AppXManifest.xml"

# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Drawboard.DrawboardPDF").InstallLocation)\AppXManifest.xml"

Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.MicrosoftStickyNotes").InstallLocation)\AppXManifest.xml"

# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.OneConnect").InstallLocation)\AppXManifest.xml"

Write-Progress -Activity "Installing Wanted Apps" -Status "Progress:" -PercentComplete 60

# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "D52A8D61.FarmVille2CountryEscape").InstallLocation)\AppXManifest.xml"

# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "GAMELOFTSA.Asphalt8Airborne").InstallLocation)\AppXManifest.xml"

# Add-AppxPackage -DisableDevelopmentMode -Register "$($(Get-AppXPackage -AllUsers "Microsoft.WindowsFeedbackHub").InstallLocation)\AppXManifest.xml"

# In case you have removed them for good, you can try to restore the files using installation medium as follows

# New-Item C:\Mnt -Type Directory | Out-Null

# dism /Mount-Image /ImageFile:D:\sources\install.wim /index:1 /ReadOnly /MountDir:C:\Mnt

# robocopy /S /SEC /R:0 "C:\Mnt\Program Files\WindowsApps" "C:\Program Files\WindowsApps"

# dism /Unmount-Image /Discard /MountDir:C:\Mnt

# Remove-Item -Path C:\Mnt -Recurse

Write-Progress -Activity "Installing Wanted Apps" -Status "Progress:" -PercentComplete 75

#Install .net

Dism /online /Enable-feature /featurename:NetFx3 /All

Get-AppxPackage -allusers Microsoft.NET.* | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register “$($_.InstallLocation)\AppXManifest.xml”}

# Disable Xbox DVR

# New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\GameDVR" | Out-Null (fix this)

Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\GameDVR" -Name "AllowGameDVR" -Type DWord -Value 0

# Enable Xbox DVR

# New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\GameDVR" | Out-Null

# Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\GameDVR" -Name "AllowGameDVR" -ErrorAction SilentlyContinue

# Uninstall Windows Media Player

# Write-Host "Uninstalling Windows Media Player..."

# dism /online /Disable-Feature /FeatureName:MediaPlayback /Quiet /NoRestart

# Install Windows Media Player

# dism /online /Enable-Feature /FeatureName:MediaPlayback /Quiet /NoRestart

# Uninstall Work Folders Client

Write-Host "Uninstalling Work Folders Client..."

dism /online /Disable-Feature /FeatureName:WorkFolders-Client /Quiet /NoRestart

# Install Work Folders Client

# dism /online /Enable-Feature /FeatureName:WorkFolders-Client /Quiet /NoRestart

Write-Progress -Activity "Installing Wanted Apps" -Status "Progress:" -PercentComplete 100

# Set Photo Viewer as default for bmp, gif, jpg and png

Write-Host "Setting Photo Viewer as default for bmp, gif, jpg, png and tif..."

If (!(Test-Path "HKCR:")) {

    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null

}

ForEach ($type in @("Paint.Picture", "giffile", "jpegfile", "pngfile")) {

    New-Item -Path $("HKCR:\$type\shell\open") -Force | Out-Null

    New-Item -Path $("HKCR:\$type\shell\open\command") | Out-Null

    Set-ItemProperty -Path $("HKCR:\$type\shell\open") -Name "MuiVerb" -Type ExpandString -Value "@%ProgramFiles%\Windows Photo Viewer\photoviewer.dll,-3043"

    Set-ItemProperty -Path $("HKCR:\$type\shell\open\command") -Name "(Default)" -Type ExpandString -Value "%SystemRoot%\System32\rundll32.exe `"%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll`", ImageView_Fullscreen %1"

}

# Remove or reset default open action for bmp, gif, jpg and png

If (!(Test-Path "HKCR:")) {

  New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null

}

Remove-Item -Path "HKCR:\Paint.Picture\shell\open" -Recurse

Remove-ItemProperty -Path "HKCR:\giffile\shell\open" -Name "MuiVerb"

Set-ItemProperty -Path "HKCR:\giffile\shell\open" -Name "CommandId" -Type String -Value "IE.File"

Set-ItemProperty -Path "HKCR:\giffile\shell\open\command" -Name "(Default)" -Type String -Value "`"$env:SystemDrive\Program Files\Internet Explorer\iexplore.exe`" %1"

Set-ItemProperty -Path "HKCR:\giffile\shell\open\command" -Name "DelegateExecute" -Type String -Value "{17FE9752-0B5A-4665-84CD-569794602F5C}"

Remove-Item -Path "HKCR:\jpegfile\shell\open" -Recurse

Remove-Item -Path "HKCR:\pngfile\shell\open" -Recurse

# Show Photo Viewer in "Open with..."

Write-Host "Showing Photo Viewer in `"Open with...`""

If (!(Test-Path "HKCR:")) {

    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null

}

New-Item -Path "HKCR:\Applications\photoviewer.dll\shell\open\command" -Force | Out-Null

New-Item -Path "HKCR:\Applications\photoviewer.dll\shell\open\DropTarget" -Force | Out-Null

Set-ItemProperty -Path "HKCR:\Applications\photoviewer.dll\shell\open" -Name "MuiVerb" -Type String -Value "@photoviewer.dll,-3043"

Set-ItemProperty -Path "HKCR:\Applications\photoviewer.dll\shell\open\command" -Name "(Default)" -Type ExpandString -Value "%SystemRoot%\System32\rundll32.exe `"%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll`", ImageView_Fullscreen %1"

Set-ItemProperty -Path "HKCR:\Applications\photoviewer.dll\shell\open\DropTarget" -Name "Clsid" -Type String -Value "{FFE2A43C-56B9-4bf5-9A79-CC6D4285608A}"

# Remove Photo Viewer from "Open with..."

# If (!(Test-Path "HKCR:")) {

#   New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null

# }

# Remove-Item -Path "HKCR:\Applications\photoviewer.dll\shell\open" -Recurse

# Enable F8 boot menu options

# Write-Host "Enabling F8 boot menu options..."

# bcdedit /set `{current`} bootmenupolicy Legacy | Out-Null

# Disable F8 boot menu options

# bcdedit /set `{current`} bootmenupolicy Standard | Out-Null

# Install Powershell man pages locally (low priority, uses bandwidth)

# Update-Help

Write-Progress -Activity "Editing Hosts File" -Status "Progress:" -PercentComplete 1

# Install Packages to edit Hosts file.

Write-Host "Installing PsHosts CMDlet to edit hosts file. Please be Patient. This may be slow sometimes buggy"

install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force

Write-Progress -Activity "Editing Hosts File" -Status "Progress:" -PercentComplete 10

Write-Host "Seting up Repository"

Set-PSRepository -Name "PSGallery" -InstallationPolicy Trusted

Write-Progress -Activity "Editing Hosts File" -Status "Progress:" -PercentComplete 20

Write-Host "Installing PSHosts Module"

install-module PsHosts

Write-Progress -Activity "Editing Hosts File" -Status "Progress:" -PercentComplete 30

Write-Host "Importing PSHosts Module"

import-module PsHosts

Write-Progress -Activity "Editing Hosts File" -Status "Progress:" -PercentComplete 40

# Hosts to block are below

Write-Host "Editing Hosts File..."

Write-Progress -Activity "Editing Hosts File" -Status "Progress:" -PercentComplete 50

# Clean old Hosts file

Remove-HostEntry *

# Add Hosts Entries

Add-HostEntry vortex.data.microsoft.com 127.0.0.1

Add-HostEntry vortex-win.data.microsoft.com 127.0.0.1

Add-HostEntry telecommand.telemetry.microsoft.com 127.0.0.1

Add-HostEntry telecommand.telemetry.microsoft.com.nsatc.net 127.0.0.1

Add-HostEntry oca.telemetry.microsoft.com 127.0.0.1

Add-HostEntry oca.telemetry.microsoft.com.nsatc.net 127.0.0.1

Add-HostEntry sqm.telemetry.microsoft.com 127.0.0.1

Add-HostEntry sqm.telemetry.microsoft.com.nsatc.net 127.0.0.1

Add-HostEntry watson.telemetry.microsoft.com 127.0.0.1

Add-HostEntry watson.telemetry.microsoft.com.nsatc.net 127.0.0.1

Write-Progress -Activity "Editing Hosts File" -Status "Progress:" -PercentComplete 60

Add-HostEntry redir.metaservices.microsoft.com 127.0.0.1

Add-HostEntry choice.microsoft.com 127.0.0.1

Add-HostEntry choice.microsoft.com.nsatc.net 127.0.0.1

Add-HostEntry df.telemetry.microsoft.com 127.0.0.1

Add-HostEntry reports.wes.df.telemetry.microsoft.com 127.0.0.1

Add-HostEntry wes.df.telemetry.microsoft.com 127.0.0.1

Add-HostEntry services.wes.df.telemetry.microsoft.com 127.0.0.1

Add-HostEntry sqm.df.telemetry.microsoft.com 127.0.0.1

Add-HostEntry telemetry.microsoft.com 127.0.0.1

Add-HostEntry watson.ppe.telemetry.microsoft.com 127.0.0.1

Add-HostEntry telemetry.appex.bing.net 127.0.0.1

Add-HostEntry telemetry.urs.microsoft.com 127.0.0.1

Add-HostEntry telemetry.appex.bing.net:443 127.0.0.1

Write-Progress -Activity "Editing Hosts File" -Status "Progress:" -PercentComplete 70

Add-HostEntry settings-sandbox.data.microsoft.com 127.0.0.1

Add-HostEntry vortex-sandbox.data.microsoft.com 127.0.0.1

Add-HostEntry survey.watson.microsoft.com 127.0.0.1

Add-HostEntry watson.live.com 127.0.0.1

Add-HostEntry watson.microsoft.com 127.0.0.1

Add-HostEntry statsfe2.ws.microsoft.com 127.0.0.1

Add-HostEntry corpext.msitadfs.glbdns2.microsoft.com 127.0.0.1

Add-HostEntry compatexchange.buttapp.net 127.0.0.1

Add-HostEntry cs1.wpc.v0cdn.net 127.0.0.1

Add-HostEntry a-0001.a-msedge.net 127.0.0.1

Add-HostEntry statsfe2.update.microsoft.com.akadns.net 127.0.0.1

Add-HostEntry sls.update.microsoft.com.akadns.net 127.0.0.1

Add-HostEntry fe2.update.microsoft.com.akadns.net 127.0.0.1

Add-HostEntry diagnostics.support.microsoft.com 127.0.0.1

Add-HostEntry corp.sts.microsoft.com 127.0.0.1

Add-HostEntry statsfe1.ws.microsoft.com 127.0.0.1

Write-Progress -Activity "Editing Hosts File" -Status "Progress:" -PercentComplete 75

Add-HostEntry pre.footprintpredict.com 127.0.0.1

Add-HostEntry i1.services.social.microsoft.com 127.0.0.1

Add-HostEntry i1.services.social.microsoft.com.nsatc.net 127.0.0.1

Add-HostEntry feedback.windows.com 127.0.0.1

Add-HostEntry feedback.microsoft-hohm.com 127.0.0.1

Add-HostEntry feedback.search.microsoft.com 127.0.0.1

Add-HostEntry ad.doubleclick.net 127.0.0.1

Add-HostEntry ads.msn.com 127.0.0.1

Add-HostEntry ads1.msads.net 127.0.0.1

Add-HostEntry ads1.msn.com 127.0.0.1

Add-HostEntry a.ads1.msn.com 127.0.0.1

Add-HostEntry a.ads2.msn.com 127.0.0.1

Add-HostEntry adnexus.net 127.0.0.1

Add-HostEntry adnxs.com 127.0.0.1

Add-HostEntry aidps.atdmt.com 127.0.0.1

Add-HostEntry apps.skype.com 127.0.0.1

Add-HostEntry az361816.vo.msecnd.net 127.0.0.1

Add-HostEntry az512334.vo.msecnd.net 127.0.0.1

Add-HostEntry a.rad.msn.com 127.0.0.1

Add-HostEntry a.ads2.msads.net 127.0.0.1

Add-HostEntry ac3.msn.com 127.0.0.1

Write-Progress -Activity "Editing Hosts File" -Status "Progress:" -PercentComplete 80

Add-HostEntry aka-cdn-ns.adtech.de 127.0.0.1

Add-HostEntry b.rad.msn.com 127.0.0.1

Add-HostEntry b.ads2.msads.net 127.0.0.1

Add-HostEntry b.ads1.msn.com 127.0.0.1

Add-HostEntry bs.serving-sys.com 127.0.0.1

Add-HostEntry c.msn.com 127.0.0.1

Add-HostEntry cdn.atdmt.com 127.0.0.1

Add-HostEntry cds26.ams9.msecn.net 127.0.0.1

Add-HostEntry c.atdmt.com 127.0.0.1

Add-HostEntry db3aqu.atdmt.com 127.0.0.1

Add-HostEntry ec.atdmt.com 127.0.0.1

Add-HostEntry flex.msn.com 127.0.0.1

Add-HostEntry g.msn.com 127.0.0.1

Add-HostEntry h2.msn.com 127.0.0.1

Add-HostEntry h1.msn.com 127.0.0.1

Add-HostEntry live.rads.msn.com 127.0.0.1

Write-Progress -Activity "Editing Hosts File" -Status "Progress:" -PercentComplete 85

Add-HostEntry msntest.serving-sys.com 127.0.0.1

Add-HostEntry m.adnxs.com 127.0.0.1

Add-HostEntry m.hotmail.com 127.0.0.1

Add-HostEntry preview.msn.com 127.0.0.1

Add-HostEntry pricelist.skype.com 127.0.0.1

Add-HostEntry rad.msn.com 127.0.0.1

Add-HostEntry rad.live.com 127.0.0.1

Add-HostEntry secure.flashtalking.com 127.0.0.1

Add-HostEntry static.2mdn.net 127.0.0.1

Add-HostEntry s.gateway.messenger.live.com 127.0.0.1

Add-HostEntry secure.adnxs.com 127.0.0.1

Write-Progress -Activity "Editing Hosts File" -Status "Progress:" -PercentComplete 90

Add-HostEntry sO.2mdn.net 127.0.0.1

Add-HostEntry ui.skype.com 127.0.0.1

Add-HostEntry view.atdmt.com 127.0.0.1

# The Below two domains may impact your network connectivity detection.

Add-HostEntry www.msftncsi.com 127.0.0.1

Add-HostEntry msftncsi.com 127.0.0.1

Write-Progress -Activity "Editing Hosts File" -Status "Progress:" -PercentComplete 100

# Edit Group Policy to set Chrome settings that cannot be set through registry.

# Refer to https://www.powershellgallery.com/packages/PolicyFileEditor/2.0.2

Write-Host "Installing PolicyFileEditor Module"

Install-Module -Name PolicyFileEditor

Write-Host "Importing PolicyFileEditor Module"

import-module -Name PolicyFileEditor

If (!([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")) {

    Start-Process powershell.exe "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`"" -Verb RunAs

    Exit

}

Write-Host "Setting Chrome Settings..."

$MachineDir = "$env:systemroot\system32\GroupPolicy\Machine\registry.pol"

$RegPath = 'Software\Policies\Google\Chrome'

$RegName = 'AutoFillEnabled'

$RegData = '0'

$RegType = 'DWord'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'

$RegName = 'HomepageLocation'

$RegData = 'https://www.google.com'

$RegType = 'String'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'

$RegName = 'ProxyServerMode'

$RegData = '0'

$RegType = 'DWord'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'

$RegName = 'SafeBrowsingEnabled'

$RegData = '1'

$RegType = 'DWord'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'

$RegName = 'SavingBrowserHistoryDisabled'

$RegData = '0'

$RegType = 'DWord'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'

$RegName = 'SearchSuggestEnabled'

$RegData = '0'

$RegType = 'DWord'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'

$RegName = 'SyncDisabled'

$RegData = '1'

$RegType = 'DWord'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'

$RegName = 'MetricsReportingEnabled'

$RegData = '0'

$RegType = 'DWord'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

# Use * to disable all plugins in place of DISABLEDPLUGINID

# To add more than one disabled plugin, copy the 5 lines below and mark the regname as 2..3..4..5 and so on after re-pasting.

$RegPath = 'Software\Policies\Google\Chrome\DisabledPlugins'

$RegName = '1'

$RegData = 'DISABLEDPLUGINID'

$RegType = 'String'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

# Use * to disable all extensions in place of DISABLEDEXTENSIONID

# To add more than one disabled extension, copy the 5 lines below and mark the regname as 2..3..4..5 and so on after re-pasting.

$RegPath = 'Software\Policies\Google\Chrome\ExtensionInstallBlacklist'

$RegName = '1'

$RegData = 'DISABLEDEXTENSIONID'

$RegType = 'String'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

# Use * to ENABLE all extensions in place of ENABLEDEXTENSIONID

# To add more than one enabled extension, copy the 5 lines below and mark the regname as 2..3..4..5 and so on after re-pasting.

$RegPath = 'Software\Policies\Google\Chrome\ExtensionInstallWhitelist'

$RegName = '1'

$RegData = 'ENABLEDEXTENSIONID'

$RegType = 'String'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

# Use the below to blacklist URLs in chrome. You could probably use * to blacklist everything.

# To add more than one URL, copy the 5 lines below and append regname with the next number in the list.. 2..3..4..5 and so on.

$RegPath = 'Software\Policies\Google\Chrome\URLBlacklist'

$RegName = '1'

$RegData = 'www.tacos.com'

$RegType = 'String'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

# Use the below to whitelist URLs in chrome.

# To add more than one URL, copy the 5 lines below and append regname with the next number in the list.. 2..3..4..5 and so on.

$RegPath = 'Software\Policies\Google\Chrome\URLWhitelist'

$RegName = '1'

$RegData = '*'

$RegType = 'String'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

# Use the below to make a list of forced installed extensions, This will also delete any values to remove any rogue extensions as a security feature if they are within the

# list of 1-10 in the policy.

# To add more than one force installed extension, copy the 5 lines below and mark the regname as 2..3..4..5 and so on after re-pasting.

$RegPath = 'Software\Policies\Google\Chrome\ExtensionInstallForcelist'

$RegName = '1'

$RegData = 'EXTENSIONID'

$RegType = 'String'

Remove-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName 1

Remove-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName 2

Remove-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName 3

Remove-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName 4

Remove-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName 5

Remove-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName 6

Remove-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName 7

Remove-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName 8

Remove-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName 9

Remove-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName 10

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'

$RegName = 'AllowOutdatedPlugins'

$RegData = '0'

$RegType = 'DWord'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'

$RegName = 'BackgroundModeEnabled'

$RegData = '0'

$RegType = 'DWord'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'

$RegName = 'BookmarkBarEnabled'

$RegData = '1'

$RegType = 'DWord'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'

$RegName = 'DefaultBrowserSettingEnabled'

$RegData = '1'

$RegType = 'DWord'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'

$RegName = 'DeveloperToolsDisabled'

$RegData = '1'

$RegType = 'DWord'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'

$RegName = 'EnableMediaRouter'

$RegData = '1'

$RegType = 'DWord'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'

$RegName = 'ForceGoogleSafeSearch'

$RegData = '1'

$RegType = 'DWord'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'

$RegName = 'FullscreenAllowed'

$RegData = '0'

$RegType = 'DWord'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'

$RegName = 'NetworkPredictionOptions'

$RegData = '2'

$RegType = 'DWord'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'

$RegName = 'SafeBrowsingEnabled'

$RegData = '1'

$RegType = 'DWord'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'

$RegName = 'SafeBrowsingExtendedReportingOptInAllowed'

$RegData = '0'

$RegType = 'DWord'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'

$RegName = 'SearchSuggestEnabled'

$RegData = '0'

$RegType = 'DWord'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'

$RegName = 'SpellCheckServiceEnabled'

$RegData = '0'

$RegType = 'DWord'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'

$RegName = 'SSLVersionMin'

$RegData = 'tls1'

$RegType = 'String'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Google\Chrome'

$RegName = 'WelcomePageOnOSUpgradeEnabled'

$RegData = '0'

$RegType = 'DWord'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

# End Chrome GP Settings

#

# Begin Adobe Acrobat/Reader DC Settings

$RegPath = 'Software\Policies\Adobe\Acrobat Reader\DC\FeatureLockdown'

$RegName = 'bProtectedMode'

$RegData = '1'

$RegType = 'DWord'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Adobe\Acrobat Reader\DC\FeatureLockdown'

$RegName = 'bUsageMeasurement'

$RegData = '1'

$RegType = 'DWord'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Adobe\Acrobat Reader\DC\FeatureLockdown\cIPM'

$RegName = 'bDontShowMsgWhenViewingDoc'

$RegData = '1'

$RegType = 'DWord'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Adobe\Acrobat Reader\DC\FeatureLockdown\cIPM'

$RegName = 'bShowMsgAtLaunch'

$RegData = '0'

$RegType = 'DWord'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Adobe\Adobe Acrobat\2015\FeatureLockdown'

$RegName = 'bUsageMeasurement'

$RegData = '1'

$RegType = 'DWord'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Adobe\Adobe Acrobat\2015\FeatureLockdown'

$RegName = 'iProtectedView'

$RegData = '2'

$RegType = 'DWord'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

$RegPath = 'Software\Policies\Adobe\Adobe Acrobat\2015\FeatureLockdown\cIPM'

$RegName = 'bShowMsgAtLaunch'

$RegData = '0'

$RegType = 'DWord'

Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

# End Adobe Acrobat and Reader DC Settings

#

# Force DEP to always on for every application (available options are: AlwaysOff, AlwaysOn, OptIn, OptOut)

Write-Host "Turning on DEP for all applications."

bcdedit /set nx AlwaysON

# Enable SEHOP (Exception write-protection function of DEP.)

Write-Host "Enable Exception Write-Protection SEHOP"

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel" /v DisableExceptionChainValidation /t REG_DWORD /d 0 /f

# Check Cryptography Protection

Write-Host "Checking Cryptography Protection."

# If the following query shows that MasterKeyLegacyCompliance is set to a non-zero number,

# then it is bad sign that hackers or malware have set this value deliberately to weaken

# the security of DPAPI-protected secrets like cached passwords or private keys.

reg query HKLM\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb /v MasterKeyLegacyCompliance

# Run the following command to delete the MasterKeyLegacyCompliance value, which

# is the default on Windows XP and later, and is best for security.

reg delete HKLM\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb /v MasterKeyLegacyCompliance /f

# Disable NetBios (Forces File Sharing over port 445 DirectSMB/stops various worms.)

Write-Host "Disabling Outdated NetBIOS Protocol..."

sc.exe config netbt start= disabled 

# Reset NerBios Configuration to Default.

# sc.exe config netbt start= system

# Set LAN connection to DHCP and renew.

# netsh.exe int ip set address "Local Area Connection" dhcp

# netsh.exe int ip set dns "Local Area Connection" dhcp

# ipconfig /renew

# Set LAN connection to static and release.

# ipconfig /release

# netsh.exe int ip set dns "Local Area Connection" static 10.4.1.1 

# netsh.exe int ip set address "Local Area Connection" static 10.4.1.1 255.255.0.0 

# Enable IPsec NAT

Write-Host "Enabling IPSec NAT..."

reg add "HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent" /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 00000002 /f

# Use these commands to audit logging policies.

# auditpol.exe /get /category:*

# auditpol.exe /get /subcategory:"MPSSVC rule-level Policy Change,Filtering Platform policy change,IPsec Main Mode,IPsec Quick Mode,IPsec Extended Mode,IPsec Driver,Other System Events,Filtering Platform Packet Drop,Filtering Platform Connection"

# Disable a lot of security logging (See end of command)

# auditpol.exe /set /subcategory:"MPSSVC rule-level Policy Change,Filtering Platform policy change,IPsec Main Mode,IPsec Quick Mode,IPsec Extended Mode,IPsec Driver,Other System Events,Filtering Platform Packet Drop,Filtering Platform Connection" /success:Disable /failure:Disable

# Enable a lot of security logging (See end of command)

auditpol.exe /set /subcategory:"MPSSVC rule-level Policy Change,Filtering Platform policy change,IPsec Main Mode,IPsec Quick Mode,IPsec Extended Mode,IPsec Driver,Other System Events,Filtering Platform Packet Drop,Filtering Platform Connection" /success:Enable /failure:Enable

# Enable oakley IPSec Diagnostics logging.

reg add "HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley" /v EnableLogging /t REG_DWORD /d 00000001 /f

# Enable Local IPSec Connections for ports 3389,135,139,445,21,20,23

Write-Host "Enabling Local Network IPSEC on this machine if supported."

netsh.exe advfirewall consec add rule name=Testing-IPSec-NETSH endpoint1=any port1=any endpoint2=localsubnet port2=3389,135,139,445,21,20,23 protocol=tcp profile=any action=requireinrequestout interfacetype=any auth1=computerpsk auth1psk=$ThePreSharedKey enable=yes

# Disable Local IPSec Connections for ports 3389,135,139,445,21,20,23

# Write-Host "Disabling Local Network IPSEC on this machine if supported."

# netsh.exe advfirewall consec add rule name=Testing-IPSec-NETSH endpoint1=any port1=any endpoint2=localsubnet port2=3389,135,139,445,21,20,23 protocol=tcp profile=any action=requireinrequestout interfacetype=any auth1=computerpsk auth1psk=$ThePreSharedKey enable=no

Write-Progress -Activity "Configuring SSL/TLS" -Status "Progress:" -PercentComplete 1

#

# 

# The Two Lines Below Enable Superfectch and Prefetch

Write-Host "Enabling Superfetch and Prefetch..."

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v EnableSuperfetch /t REG_DWORD /d 00000003 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v EnablePrefetcher /t REG_DWORD /d 00000003 /f

# The Lines Below Disable SSL!!!

Write-Host "Disabling SSL..."

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /v DisabledByDefault /t REG_DWORD /d 00000001 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /v Enabled /t REG_DWORD /d 00000000 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v DisabledByDefault /t REG_DWORD /d 00000001 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 00000000 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /v DisabledByDefault /t REG_DWORD /d 00000001 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /v Enabled /t REG_DWORD /d 00000000 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v DisabledByDefault /t REG_DWORD /d 00000001 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v Enabled /t REG_DWORD /d 00000000 /f

Write-Progress -Activity "Configuring SSL/TLS" -Status "Progress:" -PercentComplete 25

# The Lines Below Force And Enable TLS!!!

Write-Host "Forcing and Enabling TLS!!!"

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v DisabledByDefault /t REG_DWORD /d 00000000 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v Enabled /t REG_DWORD /d 0xffffffff /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v DisabledByDefault /t REG_DWORD /d 00000000 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 0xffffffff /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v DisabledByDefault /t REG_DWORD /d 00000000 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v Enabled /t REG_DWORD /d 0xffffffff /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v DisabledByDefault /t REG_DWORD /d 00000000 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v Enabled /t REG_DWORD /d 0xffffffff /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v DisabledByDefault /t REG_DWORD /d 00000000 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v Enabled /t REG_DWORD /d 0xffffffff /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v DisabledByDefault /t REG_DWORD /d 00000000 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v Enabled /t REG_DWORD /d 0xffffffff /f

Write-Progress -Activity "Configuring SSL/TLS" -Status "Progress:" -PercentComplete 70

# The Registry Parameters Below are for TCP Security, I'm not sure what some of them do.

Write-Host "Upgrading TCP Security..."

reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v IPEnableRouter /t REG_DWORD /d 00000000 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableICMPRedirect /t REG_DWORD /d 00000000 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v SynAttackProtect /t REG_DWORD /d 00000002 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxHalfOpen /t REG_DWORD /d 00000064 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpMaxHalfOpenRetried /t REG_DWORD /d 00000050 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v DisableIPSourceRouting /t REG_DWORD /d 00000002 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v NoNameReleaseOnDemand /t REG_DWORD /d 00000001 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableDeadGWDetect /t REG_DWORD /d 00000000 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v KeepAliveTime /t REG_DWORD /d 0x000493E0 /f

Write-Progress -Activity "Configuring SSL/TLS" -Status "Progress:" -PercentComplete 100

# Disable NTFS Last-Access Timestamp

# Write-Host "Disabling NTFS Last-Access Timestamps..."

# reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v NtfsDisableLastAccessUpdate /t REG_DWORD /d 00000001 /f

# Enable NTFS Last-Access Timestamp

Write-Host "Enabling NTFS Last-Access Timestamps..."

reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v NtfsDisableLastAccessUpdate /t REG_DWORD /d 00000000 /f

# Disable IPV6

Write-Host "Disabling IPV6..."

reg add "HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters" /v DisabledComponents /t REG_DWORD /d 0xffffffff /f

# Enable IPV6

# Write-Host "EnTabling IPV6..."

# reg add "HKLM\SYSEM\CurrentControlSet\services\TCPIP6\Parameters" /v DisabledComponents /t REG_DWORD /d 0 /f

# Force High Level of Remote Desktop Encryption and TLS Authentication.

Write-Host "Requiring Strong Remote Desktop Encryption if enabled... And forcing TLS Authentication"

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t REG_DWORD /d 00000003 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 00000002 /f

# Disabling TCP/IP AutoTuning (see http://technet.microsoft.com/en-us/magazine/2007.01.cableguy.aspx)

Write-Host "Disabling TCP/IP Auto-Tuning..."

netsh.exe interface tcp set global autotuninglevel= disabled

# Enabling TCP/IP AutoTuning

# netsh.exe interface tcp set global autotuninglevel= normal

# Reset Firewall To factory Defaults!!!

# netsh.exe firewall reset

#

# Begin Java Security Setting Script

#

#

Write-host "The next bit of code will either enable or disable java system-wide."

# Construct the strings for the deployment.properties file.

# Be mindful of the below property, setting webjava to false will unisntall java and you will need to manually re-enable in IE.

$propertiesfile = "deployment.webjava.enabled=true "

# Default to locking the security level and browser plug-in state, i.e., they are visible but greyed out in Java Control Panel.

$propertiesfile += "`ndeployment.webjava.enabled.locked `ndeployment.security.level.locked "

# Default to security level being set to VERY_HIGH (see Security tab of Java Control Panel).

$propertiesfile += "`ndeployment.security.level=VERY_HIGH" 

# Possibly delete the configuration files and exit, but leave the folder alone though.

write-host "Deleting system-wide Java configuration files, if they exist..."

remove-item $env:WinDir\Sun\Java\Deployment\deployment.config -Force

remove-item $env:WinDir\Sun\Java\Deployment\deployment.properties -Force

# Create the $env:WinDir\Sun\Java\Deployment folder for the system-wide Java configuration files.

New-Item -Path $env:WinDir\Sun\Java\Deployment -ItemType Directory -Force | Out-Null

# Create the deployment.config file.

"deployment.system.config=$env:WinDir\Sun\Java\Deployment\deployment.properties" | 

    Out-File -FilePath $env:WinDir\Sun\Java\Deployment\deployment.config -Force -Encoding ASCII

if (-not $? -or -not $(Test-Path $env:WinDir\Sun\Java\Deployment\deployment.config))

   { "`nCould not create the deployment.config file, exiting.`n" ; exit -1 } 

# Create the deployment.properties file.

$propertiesfile | Out-File -FilePath $env:WinDir\Sun\Java\Deployment\deployment.properties -Force -Encoding ASCII

if (-not $? -or -not $(Test-Path $env:WinDir\Sun\Java\Deployment\deployment.properties))

   { "`nCould not create the deployment.properties file, exiting.`n" ; exit -1 } 

# Show system-wide deployment.properties file contents FYI.

"`nCurrent contents of the deployment.properties file:`n"

get-content $env:WinDir\Sun\Java\Deployment\deployment.properties ; "`n"

# Run latest ssvagent.exe for both x86 and x64, but not on Java Platform 6 or earlier, and 

# hope future Javas support these switches (man, what a mess, doomed to rewrites...):

if ($propertiesfile -like '*deployment.webjava.enabled=false*')

{

    # Try the x64 version, if any:

    $ssvagent = $null

    if (Test-Path -Path "$env:ProgramFiles\Java\")

    {

        $ssvagent = dir "$env:ProgramFiles\Java\*.exe" -Recurse | 

                where { $_.name -eq 'ssvagent.exe' -and $_.fullname -notmatch '\\jre[1-6]\\'} | 

                sort LastWriteTimeUtc -desc | select -first 1 

    }

    if ($ssvagent -ne $null) 

    { 

        $expression = $ssvagent.FullName.Replace("Program Files","'Program Files'") + " -disablewebjava"

        "Executing: $expression `n"

        invoke-expression -command $expression

    }

    # Now for the x86 version second, because this is the Oracle-preferred:

    $ssvagent = $null

    if (Test-Path -Path "${env:ProgramFiles(x86)}\Java\")

    {

        $ssvagent = dir "${env:ProgramFiles(x86)}\Java\*.exe" -Recurse | 

                where { $_.name -eq 'ssvagent.exe' -and $_.fullname -notmatch '\\jre[1-6]\\'} | 

                sort LastWriteTimeUtc -desc | select -first 1 

    }

    if ($ssvagent -ne $null) 

    { 

        $expression = $ssvagent.FullName.Replace("Program Files (x86)","'Program Files (x86)'") + " -disablewebjava"

        "Executing: $expression `n"

        invoke-expression -command $expression

    }

}

elseif ($propertiesfile -like '*deployment.webjava.enabled=true*')

{

    # Try the x64 version, if any:

    $ssvagent = $null

    $ssvagent = dir "$env:ProgramFiles\Java\*.exe" -Recurse | 

                where { $_.name -eq 'ssvagent.exe' -and $_.fullname -notmatch '\\jre[1-6]\\'} | 

                sort LastWriteTimeUtc -desc | select -first 1 

    if ($ssvagent -ne $null) 

    { 

        $expression = $ssvagent.FullName.Replace("Program Files","'Program Files'") + " -forceinstall -register -new -high"  #Only -high exists?

        "Executing: $expression `n"

        invoke-expression -command $expression

    }

    # Now for the x86 version second, to let it possibly overwrite x64 settings, since x86 is Oracle-preferred:

    $ssvagent = $null

    $ssvagent = dir "${env:ProgramFiles(x86)}\Java\*.exe" -Recurse | 

                where { $_.name -eq 'ssvagent.exe' -and $_.fullname -notmatch '\\jre[1-6]\\'} | 

                sort LastWriteTimeUtc -desc | select -first 1 

    if ($ssvagent -ne $null) 

    { 

        $expression = $ssvagent.FullName.Replace("Program Files (x86)","'Program Files (x86)'") + " -forceinstall -register -new -high"  #Only -high exists?

        "Executing: $expression `n"

        invoke-expression -command $expression

    }

}

# End Java Security Settings Script

#

#

# Disable scheduled tasks

Write-Progress -Activity "Disabling scheduled tasks" -Status "Progress:" -PercentComplete 0

schtasks /Change /TN "Microsoft\Office\Office 15 Subscription Heartbeat" /Disable

schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack" /Disable

schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn" /Disable

schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable

schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable

schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable

schtasks /Change /TN "Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /Disable

schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable

schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /Disable

schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" /Disable

Write-Progress -Activity "Disabling scheduled tasks" -Status "Progress:" -PercentComplete 25

schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable

schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable

schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable

schtasks /Change /TN "Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser" /Disable

schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64 Critical" /Disable

schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64" /Disable

schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Critical" /Disable

schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319" /Disable

schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable

Write-Progress -Activity "Disabling scheduled tasks" -Status "Progress:" -PercentComplete 50

# Network stuff

schtasks /Change /TN "Microsoft\Windows\NetCfg\BindingWorkItemQueueHandler" /Disable

schtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable

schtasks /Change /TN "Microsoft\Windows\Ras\MobilityManager" /Disable

schtasks /Change /TN "Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /Disable

schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyMonitor" /Disable

schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyRefresh" /Disable

schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyUpload" /Disable

schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceAgentTask" /Disable

Write-Progress -Activity "Disabling scheduled tasks" -Status "Progress:" -PercentComplete 75

schtasks /Change /TN "Microsoft\Windows\TextServicesFramework\MsCtfMonitor" /Disable

schtasks /Change /TN "Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange" /Disable

schtasks /Change /TN "Microsoft\Windows\Windows Media Sharing\UpdateLibrary" /Disable

schtasks /Change /TN "Microsoft\Windows\Workplace Join\Automatic-Device-Join" /Disable

# Maintenanace Tasks

# schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable

# schtasks /Change /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /Disable

# schtasks /Change /TN "Microsoft\Windows\DiskCleanup\SilentCleanup" /Disable

# schtasks /Change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /Disable

# schtasks /Change /TN "Microsoft\Windows\FileHistory\File History (maintenance mode)" /Disable

# schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable

schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable

# schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-HASCertRetr" /Disable

# schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-Maintenance" /Disable

# schtasks /Change /TN "Microsoft\Windows\Shell\IndexerAutomaticMaintenance" /Disable

Write-Progress -Activity "Disabling scheduled tasks" -Status "Progress:" -PercentComplete 80

# Smartscreen

# schtasks /Change /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /Disable

# Defender

# schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

# schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

# schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

# schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

# Some random scheduled task that is alittle fishy but halts the script

# Unregister-ScheduledTask -TaskName BackgroundUploadTask -Confirm:$false

Write-Progress -Activity "Disabling scheduled tasks" -Status "Progress:" -PercentComplete 100

Write-Progress -Activity "Disabling services" -Status "Progress:" -PercentComplete 0

cmd /c sc config DiagTrack start= disabled | out-null

cmd /c sc config dmwappushservice start= disabled | out-null

cmd /c sc config diagnosticshub.standardcollector.service start= disabled | out-null

cmd /c sc config TrkWks start= disabled | out-null

cmd /c sc config WMPNetworkSvc start= disabled | out-null # Shouldn't exist but just making sure ...

# Making sure the DiagTrack log is empty (tinfoil)

Set-Content C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl -Value "" -Force

Write-Progress -Activity "Disabling services" -Status "Progress:" -PercentComplete 100

# Tweak settings app

Write-Progress -Activity "Tweaking settings app" -Status "Progress:" -PercentComplete 0

# Privacy -> General -> let websites provide locally relevant content by accessing my language list

Remove-ItemProperty -Path "HKCU:SOFTWARE\Microsoft\Internet Explorer\International" -Name "AcceptLanguage" -Force

Set-ItemProperty -ErrorAction SilentlyContinue -Path "HKCU:Control Panel\International\User Profile" -Name HttpAcceptLanguageOptOut -Value 1 | Out-Null

# Privacy -> General -> turn on smartscreen filter to check web content that windows store apps use

Set-ItemProperty -ErrorAction SilentlyContinue -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost\" -Name EnableWebContentEvaluation -Value 0 -Force | Out-Null

# Privacy -> Camera -> let apps use my camera

Set-ItemProperty -ErrorAction SilentlyContinue -Path "HKCU:SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{E5323777-F976-4f5b-9B55-B94699C46E44}" -Name "Value" -Type String -Value "Deny" | Out-Null

# Privacy -> Microphone -> let apps use my microphone

Set-ItemProperty -ErrorAction SilentlyContinue -Path "HKCU:SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{2EEF81BE-33FA-4800-9670-1CD474972C3F}\" -Name "Value" -Type String -Value "Deny" | Out-Null

# Privacy -> Account info -> let apps access my name, picture and other account info

Set-ItemProperty -ErrorAction SilentlyContinue -Path "HKCU:SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}\" -Name "Value" -Type String -Value "Deny" | Out-Null

# Privacy -> Calendar -> let apps access my calendar

Set-ItemProperty -ErrorAction SilentlyContinue -Path "HKCU:SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{D89823BA-7180-4B81-B50C-7E471E6121A3}\" -Name "Value" -Type String -Value "Deny" | Out-Null

# Privacy -> Messaging -> let apps read or send sms and text messages

Set-ItemProperty -ErrorAction SilentlyContinue -Path "HKCU:SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{992AFA70-6F47-4148-B3E9-3003349C1548}\" -Name "Value" -Type String -Value "Deny" | Out-Null

# Privacy -> Radio -> let apps control radios

Set-ItemProperty -ErrorAction SilentlyContinue -Path "HKCU:SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{A8804298-2D5F-42E3-9531-9C8C39EB29CE}\" -Name "Value" -Type String -Value "Deny" | Out-Null

# Privacy -> Other devices -> sync with devices

Set-ItemProperty -ErrorAction SilentlyContinue -Path "HKCU:SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\LooselyCoupled\" -Name "Value" -Type String -Value "Deny" | Out-Null

# Privacy -> Feedback & Diagnostics -> feedback frequency

New-Item -ErrorAction SilentlyContinue -Path "HKCU:SOFTWARE\Microsoft\Siuf\Rules" -Force | Out-Null

Set-ItemProperty -ErrorAction SilentlyContinue -Path "HKCU:SOFTWARE\Microsoft\Siuf\Rules" -Name NumberOfSIUFInPeriod -Value 0 -Force | Out-Null

Remove-ItemProperty -Path "HKCU:SOFTWARE\Microsoft\Siuf\Rules" -Name PeriodInNanoSeconds

# Ease of Access -> Other options -> Visual options -> play animations

Set-ItemProperty -ErrorAction SilentlyContinue -Path "HKCU:Control Panel\Desktop\WindowMetrics" -Name MinAnimate -Value 0 | Out-Null

# Update & Security -> Windows Update -> Advanced -> Choose how updates are delviered -> Updates from more than one place (this is a GUI bug, registry is set properly even though it may show 'ON')

New-ItemProperty -ErrorAction SilentlyContinue -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" -Name "DownloadMode" -PropertyType DWORD -Value 0 | Out-Null

Set-ItemProperty -ErrorAction SilentlyContinue -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" -Name "DODownloadMode" -Value 0 | Out-Null

Set-ItemProperty -ErrorAction SilentlyContinue -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\" -Name "SystemSettingsDownloadMode" -Value 0 | Out-Null

Write-Progress -Activity "Tweaking settings app" -Status "Progress:" -PercentComplete 100

#

#

# More Group Policy Tweaks

Write-Progress -Activity "Securing local group policy for privacy (this might take a minute or two)" -Status "Progress:" -PercentComplete 1

# The reason I'm waiting 1s after each edit is to let the filesystem make necessary edits in the background, without the delay this will break local policies

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\DataCollection" -ValueName AllowTelemetry -Type DWord -Data 0

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar" -ValueName TurnOffSidebar -Type DWord -Data 1

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Assistance\Client\1.0" -ValueName NoActiveHelp -Type DWord -Data 1

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Biometrics" -ValueName Enabled -Type DWord -Data 1

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Conferencing" -ValueName NoRDS -Type DWord -Data 1

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\InputPersonalization" -ValueName AllowInputPersonalization -Type DWord -Data 0

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Internet Explorer\Geolocation" -ValueName PolicyDisableGeolocation -Type DWord -Data 1

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions" -ValueName NoUpdateCheck -Type DWord -Data 1

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Internet Explorer\Main" -ValueName DoNotTrack -Type DWord -Data 1

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Internet Explorer\Privacy" -ValueName EnableInPrivateBrowsing -Type DWord -Data 0

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Internet Explorer\SQM" -ValueName DisableCustomerImprovementProgram -Type DWord -Data 0

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Messenger\Client" -ValueName CEIP -Type DWord -Data 2

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Messenger\Client" -ValueName PreventAutoRun -Type DWord -Data 1

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main" -ValueName Cookies -Type DWord -Data 2

Start-Sleep 1

Write-Progress -Activity "Securing local group policy for privacy (this might take a minute or two)" -Status "Progress:" -PercentComplete 10

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting" -ValueName DoReport -Type DWord -Data 0

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting" -ValueName ForceQueueMode -Type DWord -Data 0

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting\DW" -ValueName DWFileTreeRoot -Type String -Data ""

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting\DW" -ValueName DWNoExternalURL -Type DWord -Data 1

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting\DW" -ValueName DWNoFileCollection -Type DWord -Data 1

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting\DW" -ValueName DWNoSecondLevelCollection -Type DWord -Data 1

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting\DW" -ValueName DWReporteeName -Type String -Data ""

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\SearchCompanion" -ValueName DisableContentFileUpdates -Type DWord -Data 1

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\SQMClient\Windows" -ValueName CEIPEnable -Type DWord -Data 0

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\010103000F0000F0080000000F0000F0D0B4EB5D3C24F17D10AE531C7DCEF4A94F4A085AD0D4C88B75082573E36F857A" -ValueName Category -Type DWord -Data 1

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\010103000F0000F0080000000F0000F0D0B4EB5D3C24F17D10AE531C7DCEF4A94F4A085AD0D4C88B75082573E36F857A" -ValueName CategoryReadOnly -Type DWord -Data 0

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" -ValueName NoGenTicket -Type DWord -Data 1

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows NT\IIS" -ValueName PreventIISInstall -Type DWord -Data 1

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows NT\Printers" -ValueName PhysicalLocation -Type String -Data anonymous

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" -ValueName DisabledByGroupPolicy -Type DWord -Data 1

Start-Sleep 1

Write-Progress -Activity "Securing local group policy for privacy (this might take a minute or two)" -Status "Progress:" -PercentComplete 20

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\AppCompat" -ValueName AITEnable -Type DWord -Data 0

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\AppCompat" -ValueName DisableInventory -Type DWord -Data 1

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\AppCompat" -ValueName DisableUAR -Type DWord -Data 1

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\Device Metadata" -ValueName PreventDeviceMetadataFromNetwork -Type DWord -Data 1

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Settings" -ValueName DisableSendGenericDriverNotFoundToWER -Type DWord -Data 1

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Settings" -ValueName DisableSendRequestAdditionalSoftwareToWER -Type DWord -Data 1

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\Explorer" -ValueName NoUseStoreOpenWith -Type DWord -Data 1

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\GameUX" -ValueName DownloadGameInfo -Type DWord -Data 0

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\GameUX" -ValueName GameUpdateOptions -Type DWord -Data 0

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\GameUX" -ValueName ListRecentlyPlayed -Type DWord -Data 0

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard" -ValueName ExitOnMSICW -Type DWord -Data 1

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" -ValueName DisableLocation -Type DWord -Data 1

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\OneDrive" -ValueName DisableFileSyncNGSC -Type DWord -Data 1

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\PowerShell" -ValueName EnableScripts -Type DWord -Data 1

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\PowerShell" -ValueName ExecutionPolicy -Type String -Data "RemoteSigned"

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" -ValueName **del.EnableExperimentation -Type String -Data ""

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" -ValueName AllowBuildPreview -Type DWord -Data 0

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" -ValueName EnableConfigFlighting -Type DWord -Data 0

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\System" -ValueName AsyncScriptDelay -Type DWord -Data 1

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\System" -ValueName EnableLogonScriptDelay -Type DWord -Data 1

Start-Sleep 1

Write-Progress -Activity "Securing local group policy for privacy (this might take a minute or two)" -Status "Progress:" -PercentComplete 50

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\WDI\{186f47ef-626c-4670-800a-4a30756babad}" -ValueName ScenarioExecutionEnabled -Type DWord -Data 0

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\WDI\{2698178D-FDAD-40AE-9D3C-1371703ADC5B}" -ValueName **del.EnabledScenarioExecutionLevel -Type String -Data ""

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\WDI\{2698178D-FDAD-40AE-9D3C-1371703ADC5B}" -ValueName ScenarioExecutionEnabled -Type DWord -Data 0

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\WDI\{67144949-5132-4859-8036-a737b43825d8}" -ValueName **del.EnabledScenarioExecutionLevel -Type String -Data ""

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\WDI\{67144949-5132-4859-8036-a737b43825d8}" -ValueName ScenarioExecutionEnabled -Type DWord -Data 0

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}" -ValueName ScenarioExecutionEnabled -Type DWord -Data 0

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}" -ValueName ScenarioExecutionEnabled -Type DWord -Data 0

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\WDI\{a7a5847a-7511-4e4e-90b1-45ad2a002f51}" -ValueName **del.EnabledScenarioExecutionLevel -Type String -Data ""

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\WDI\{a7a5847a-7511-4e4e-90b1-45ad2a002f51}" -ValueName ScenarioExecutionEnabled -Type DWord -Data 0

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\WDI\{C295FBBA-FD47-46ac-8BEE-B1715EC634E5}" -ValueName ScenarioExecutionEnabled -Type DWord -Data 0

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\WDI\{dc42ff48-e40d-4a60-8675-e71f7e64aa9a}" -ValueName EnabledScenarioExecutionLevel -Type DWord -Data 1

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\WDI\{dc42ff48-e40d-4a60-8675-e71f7e64aa9a}" -ValueName ScenarioExecutionEnabled -Type DWord -Data 0

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\WDI\{ecfb03d1-58ee-4cc7-a1b5-9bc6febcb915}" -ValueName ScenarioExecutionEnabled -Type DWord -Data 0

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\WDI\{ffc42108-4920-4acf-a4fc-8abdcc68ada4}" -ValueName **del.EnabledScenarioExecutionLevel -Type String -Data ""

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\WDI\{ffc42108-4920-4acf-a4fc-8abdcc68ada4}" -ValueName ScenarioExecutionEnabled -Type DWord -Data 0

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" -ValueName Disabled -Type DWord -Data 1

Start-Sleep 1

Write-Progress -Activity "Securing local group policy for privacy (this might take a minute or two)" -Status "Progress:" -PercentComplete 60

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" -ValueName DontSendAdditionalData -Type DWord -Data 1

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\Windows Search" -ValueName AllowCortana -Type DWord -Data 0

Start-Sleep 1

Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\Windows Search" -ValueName AllowSearchToUseLocation -Type DWord -Data 0