Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md
MIT License
Bot releases are hidden (Show)
Published by HotCakeX 9 months ago
Revamped the architecture of the Harden Windows Security script. The new versatile design enables a single file to function as an independent script and as a component of the Harden Windows Security module, at the same time.
The Harden Windows Security module now supports headless or silent mode of operation. This mode enables you to run the module without any interaction on the PowerShell console. You simply choose the categories you wish to apply automatically, and the module will perform them for you. If a selected category requires Administrator privileges and the module is running with Standard privileges, that category is skipped.
This modification, in conjunction with other improvements in this version, prepare the Harden Windows Security module for deployments at a large scale.
Protect-WindowsSecurity [[-Categories] <String[]>] [<CommonParameters>]
The following parameters are only for the headless/silent mode of operation.
-Categories
: Optional; Specify the hardening categories that you want to apply. This will tell the module to operate in non-interactive or headless/silent mode which won't ask for confirmation before running each selected categories. You can specify multiple categories by separating them with a comma. If you don't specify any category, the cmdlet will run in interactive mode. Use this parameter for deployments at a large scale. If a selected category requires Administrator privileges and the module is running with Standard privileges, that category is skipped.
Tab
key to see the available categories.-Verbose
: Optional; Shows verbose messages on the console about what the cmdlet is doing.
[!NOTE]
You can further control the sub-categories of each category by using the following switch parameters. Pay attention to the naming convention of them. They are named after the category they belong to. For example, the switch parameter-MSFTDefender_SAC
belongs to theMicrosoftDefender
category. The switch parameters are dynamic and will only appear if you specify the corresponding category in the-Categories
parameter. For example, if you don't specify theMicrosoftDefender
category in the-Categories
parameter, the switch parameters related to it won't appear. The following table shows the available switch parameters and their corresponding categories.
Parameter Name | Description | Required Category |
---|---|---|
-SecBaselines_NoOverrides | Applies the Microsoft Security Baselines without the optional overrides | MicrosoftSecurityBaselines |
-MSFTDefender_SAC | Enables Smart App Control | MicrosoftDefender |
-MSFTDefender_NoDiagData | Will not enable optional diagnostics data required for Smart App Control (Does not have any effect if Smart App Control is already turned on) | MicrosoftDefender |
-MSFTDefender_NoScheduledTask | Will not create scheduled task for fast MSFT driver block rules | MicrosoftDefender |
-MSFTDefender_BetaChannels | Set Defender Engine and Intelligence update channels to beta | MicrosoftDefender |
-LockScreen_CtrlAltDel | Require CTRL + ALT + Delete at lock screen | LockScreen |
-LockScreen_NoLastSignedIn | Will not display the last signed in user at the lock screen | LockScreen |
-UAC_NoFastSwitching | Hide entry points for fast user switching | UserAccountControl |
-UAC_OnlyElevateSigned | Only elevate signed and validated executables | UserAccountControl |
-CountryIPBlocking_OFAC | Include the IP ranges of OFAC Sanctioned Countries in the firewall block rules | CountryIPBlocking |
If you do not specify any sub-categories using the switch parameters above, the following sub-category configuration will be applied when the corresponding category exists in the -Categories
parameter.
Indicator | Sub-Category Status |
---|---|
Is Applied | |
Is Not Applied |
[!IMPORTANT]
It is highly recommended to always include the Microsoft Security Baselines category and place it first as it forms the foundation of all subsequent categories.
If you run the module like this without specifying any categories, the module will run in interactive mode and the usual beautiful prompts will be displayed to the user.
Protect-WindowsSecurity
If you run the module like this, the 2 categories will be executed automatically without requiring any user input. The results will be displayed on the console.
Protect-WindowsSecurity -Categories MicrosoftDefender, AttackSurfaceReductionRules
This example will apply the Microsoft Defender category with the Smart App Control sub-category, without the need for user interaction, and will show verbose messages.
Protect-WindowsSecurity -Categories MicrosoftDefender -MSFTDefender_SAC -Verbose
This example will apply the Microsoft Security Baselines, BitLocker, User Account Control, Lock Screen and Downloads Defense Measures categories. It will also apply the "Only Elevate Signed and Validated Executables" sub-category of the User Account Control category, and the "Require CTRL + ALT + DEL on Lock Screen" sub-category of the Lock Screen category.
Protect-WindowsSecurity -Categories MicrosoftSecurityBaselines,BitLockerSettings,UserAccountControl,LockScreen,DownloadsDefenseMeasures -UAC_OnlyElevateSigned -LockScreen_CtrlAltDel
The previous design necessitated downloading the essential files from the GitHub repository regardless of the execution mode, either as a script or as a module's cmdlets. The current design optimizes this process by only fetching the vital payload files when the script is invoked from GitHub as follows:
irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1' | iex
By installing and utilizing the Harden Windows Security module via the Protect-WindowsSecurity
command, the essential files are pre-included in the module and thus eliminate the need for downloading them separately. This enhances the security level and offers more peace of mind to the users.
The new code excludes support for the old Windows PowerShell version 5.1, the default version installed with Windows. It was impeding the advancement and innovation in the code due to lack of compatibility with new features. Consequently, the new code base is more concise than before (despite offering more functionalities), more intelligent and more legible.
It is extremely easy to install the new modern PowerShell. The safest, fastest and best way to do so is through ποΈ Microsoft Store.
By default, Windows Store packages run in an application sandbox that virtualizes access to some filesystem and registry locations. Changes to virtualized file and registry locations don't persist outside of the application sandbox.
This sandbox blocks all changes to the application's root folder. Any system-level configuration settings stored in $PSHOME can't be modified.
Winget install Microsoft.PowerShell
PowerShell is modern and leverages the most recent .NET version and features. It is widely adopted in business and enterprise environments, and it eliminates the need and the rationale for relying on the archaic and old Windows PowerShell.
To combat the threat of more sophisticated malware, a preemptive measure is taken by creating and deploying a WDAC policy on the system. This policy blocks the execution of executables and other potentially harmful file types in the Downloads folder, using the WDACConfig module.
This policy defends the system from malware that can launch itself automatically after being downloaded from the Internet. The user must ensure the file's safety and explicitly transfer it to a different folder before running it.
The WDAC policy employs a wildcard pattern to prevent any file from running in the Downloads folder. Additionally, it verifies that the system downloads folder in the user directory matches the downloads folder in the Edge browser's settings. If there is a discrepancy, a warning message is displayed on the console.
The policy can be removed by the Unprotect-WindowsSecurity or Remove-WDACConfig cmdlets.
It is an ongoing process so expect more WDAC integrations like this in the Harden Windows Security module.
Whenever you execute any of the cmdlets, the Harden Windows Security module will verify if there is a newer version available and update itself automatically if needed. You no longer have to repeat your command after the update, as it will resume seamlessly.
[!NOTE]
When auto updating from version 0.2.7 to 0.2.8, you will see the message "Update successful, please run the cmdlet again.", instead of doing that, please close and reopen your PowerShell tab/window, otherwise you may encounter an error. It is totally harmless though and you won't see it anymore. This is due to a bug in version 0.2.7 that prevents it from properly disposing the secure constant variables. This bug is resolved in version 0.2.8.
-Verbose
parameter with each cmdlet.Confirm-SystemCompliance
.Protect-WindowsSecurity
cmdletFeel free to open pull requests if you want to contribute by implementing any of the mentioned features.
PR: https://github.com/HotCakeX/Harden-Windows-Security/pull/177
Published by HotCakeX 10 months ago
Build-WDACCertificate
to automate the entire process in just few seconds. The certificate's private π will be securely stored on the system using Virtualization based Security π.New-DenyWDACConfig -PathWildCards
. This unveils many new opportunities. One of them is deploying a deny policy that blocks anything from executing in the Downloads directory, so if you inadvertently download a malware that is programmed to autorun after downloading then it will fail because nothing will be executed in the Downloads directory. You will have to manually transfer a trustworthy file to another location and then execute it. Of course, you can diversify and use this special policy with other kinds of policies on the system. You can also use this kind of policy with guidelines from my other repository that is for Privacy, Anonymity and Compartmentalization, by creating wildcard block rules for directory paths that contain files that are only intended to run in their assigned Windows Sandboxes and shouldn't be permitted to run on the host.PRs:
Published by HotCakeX 10 months ago
Deploy-SignedWDACConfig
before deploying the signed policy on the system.New-DenyWDACConfig
before deploying the deny base policy for Appx based apps. Shows the details of the select appx package based on the user input and allows for confirming or denying it before proceeding.New-SupplementalWDACConfig
before deploying the supplemental policy for Appx based apps. Shows the details of the select appx package based on the user input and allows for confirming or denying it before proceeding.Remove-WDACConfig -SignedBase
before deploying the signed policy in unsigned mode.-Force
parameter. This allows the WDACConfig module to be used non-interactively for remote administration.New-WDACConfig
cmdlet.Edit-WDACConfig
cmdlet.Edit-SignedWDACConfig
cmdlet.Remove-WDACConfig -UnsignedOrSupplemental
cmdlet and parameter.Set-CommonWDACConfig
cmdlet.New-SupplementalWDACConfig
cmdlet.New-DenyWDACConfig
cmdlet.Deploy-SignedWDACConfig
cmdlet.Edit-SignedWDACConfig
and Edit-WDACConfig
cmdlets, changed the name of the -PolicyPaths
parameter to -PolicyPath
because those cmdlets only work on one base policy at a time and realistically there is no need for more than 1 base policy to allow files. The documentation also has been updated.
New-KernelModeWDACConfig
cmdlet.Assert-WDACConfigIntegrity
, used to verify the integrity of the WDACConfig module with the most secure available hashing algo: SHA2 512. Will switch to SHA3 hashes that are available in .NET 8 and later once they are available in stable builds Windows. They are currently available in insider channels. The documentation of this new cmdlet can be found here.
[!NOTE]
When the module automatically updates to version0.2.8
there might be a one-time error because of a bug (that is fixed in this version but present in version0.2.7
). You can safely ignore it by closing the PowerShell tab and reopening it again to continue using the new version of the module. Alternatively you can manually update the WDACConfig module by running the following command:
Update-Module -Name WDACConfig -Force
The bug π is related to constant variables being used and the inability of the v0.2.7 to empty them when the module updates to a new version.
.ps1
and .psm1
files that bear the cryptographic signature of my local certificate authority's (CA) certificate. The module incorporates mechanisms to automatically ascertain the integrity of the module files and prevent any unauthorized modifications. The module manifest, .psd1
file, on the other hand, lacks a signature due to the installation error that arises from the PowerShell gallery when it is signed with a self-signed certificate.PR: https://github.com/HotCakeX/Harden-Windows-Security/pull/165
Published by HotCakeX 10 months ago
Improved best practices in the code.
Added progress bar to the Unprotect-WindowsSecurity
cmdlet, now all the cmdlets of the module have progress bars!
The Unprotect-WindowsSecurity
cmdlet now prompts for confirmation using native PowerShell methods. This prompt can be bypassed if you use the familiar -Force
parameter, useful when not running this module interactively.
Removed untrusted font blocking which was an optional additional policy in the Miscellaneous category. The reason for its removal is mentioned here and its removal was suggested a while ago in this repo as well. The reason why it's finally being removed is that it can cause some blocked fonts logs to be generated for 1st party inbox apps such as OneDrive.
Removed the UAC: Behavior of the elevation prompt for standard users
policy from the User Account Control (UAC) category because it's already being applied by Microsoft Security Baselines. The security baselines correctly prevent any elevation of request on Standard user accounts.
The compliance checking and verification for this policy continues to exist in Confirm-SystemCompliance
cmdlet.
For highly secure scenarios, use Standard account for regular everyday tasks, and if you want to perform administrative tasks such as installing a program system-wide or changing system settings, completely log out of the Standard account and log into an Administrator account, perform the tasks, then completely log out and log back into the Standard account to continue your work. No fast user switching.
The module now supports environments where C
is not the OS drive's label.
Made the policy that requires CTRL + ALT + DEL at lock screen optional for accessibility reasons. It's in lock screen category.
Added CSP links for the policies included in the compliance checking CSV file.
PR: https://github.com/HotCakeX/Harden-Windows-Security/pull/161
Published by HotCakeX 10 months ago
Invoke-WDACSimulation
is now a lot faster and supports more file rules.Invoke-WDACSimulation
. More cmdlets will have it in the future.-Verbose
with each cmdlet to get extra messages about what's happening under the hood.-Debug
parameter to be displayed when -Verbose
is used.7.4.0
due to the new features implemented.SignTool.exe
to 10.0.22621.2428
which is available in the latest SDK
PR: https://github.com/HotCakeX/Harden-Windows-Security/pull/160
Published by HotCakeX 11 months ago
Bcdedit
, using the new PowerShell cmdlets. This allows the NX bit value detection to work with any locale and system language. Previously this detection only worked with EN-US locales.Confirm-SystemCompliance
cmdlet. The new method of BCD NX value verification and detection causes Controlled Folder Access to show notification about pwsh.exe getting blocked so the new change prevents this from happening by dynamically adding pwsh.exe exe to the exclusion list before running the function and then restoring the exclusion list back to exactly how it was at the end of the operation. This is safely done to ensure that even if user pressed ctrl + c
to prematurely exit the operation or if there is an error, the exclusion list restoration will still happen.Svchost.exe
security mitigation removal to the Unprotect-WindowsSecurity
cmdlet. It's a tattooed policy so simply setting it to not configured won't revert it.XTSAES256
which is currently the most secure type, a warning will be displayed. The module/script doesn't do anything else, but if you like to fix that, you will need to manually decrypt each drive, wait for it to be fully decrypted, and then run the BitLocker category again to encrypt them with the most secure algorithm. Your OS or non-OS drive that is BitLocker encrypted might be using a less secure encryption method if you didn't encrypt it properly. Another potential cause is if your SSD is SED (Self Encrypting Drive) and uses Opal 2, in this case it might automatically pick a different algorithm such as XTSAES128
. The Harden Windows Security module always uses XTSAES256
until a more secure encryption method becomes available.I'm going to explain 2 known issues in Windows that are not related to the Harden Windows Security module or script, nevertheless, I want to make you aware of them because they can cause complications. You might not be affected by them at all. I've found these issues through long debugging sessions.
In the Miscellaneous category, there is a policy called svchost.exe mitigations., it applies process mitigations for Svchost.exe
process, you can read more about what it does in the linked page but the most important thing is that it requires all binaries loaded in Svchost.exe
process to be signed by Microsoft.
So far so good, right? so where is the problem?
There is a file located at:
C:\Windows\System32\gameplatformservices.dll
It's part of the Windows OS but it hasn't been digitally signed for about 2 months now. It was signed before but since about 2 months ago it was released as an unsigned dll.
When you use the Miscellaneous category and you have at least Windows 11 pro for workstation edition, that security policy prevents gameplatformservices.dll
from loading and as a result of that, Code Integrity Operational logs begin to generate in an unprecedented rate, sometimes up to 500 logs every 10 seconds. They essentially pollute that important event category and also cause high CPU usage. Microsoft Store is one of the triggers of this problem. When it checks for app updates or if you manually check for app updates, the problem starts happening, CPU usage goes up and Microsoft Store gets stuck at checking for updates forever. Using Xbox apps and services can potentially help this problem manifest itself better or faster.
Smart App Control also detects this file as unsigned and blocks it. I've reported this in Feedback hub multiple times (1 - 2 - 3) but so far no changes have been made.
As a workaround, you can manually turn off this policy if you are affected by this issue. It's a tattooed policy, meaning it's not enough to simply set it to "Not Configured" state, you need to change or delete the registry key related to that policy too.
Based on my findings, there is a potential issue when you try to use BitLocker, OneDrive Personal Vault and ReFS volume at the same time.
If your OS volume is BitLocker encrypted and you have at least one ReFS volume that is also BitLocker encrypted then OneDrive's Personal Vault fails when you try to unlock or initialize it.
It fails by getting stuck at step 12 and when that happens, some normal operations of the OS get stuck and stop functioning.
This only happens if the ReFS volume is unlocked. If the ReFS volume is BitLocker encrypted but locked when you try to unlock OneDrive's personal vault, then this problem won't happen.
It doesn't matter how many other BitLocker encrypted ReFS, NTFS or non-BitLocker encrypted volumes are available on the system.
The ReFS volume can have recovery password, auto unlock or password key protector, either way this problem is reproducible.
PRs: https://github.com/HotCakeX/Harden-Windows-Security/pull/158 - https://github.com/HotCakeX/Harden-Windows-Security/pull/155 - https://github.com/HotCakeX/Harden-Windows-Security/pull/156
Published by HotCakeX 11 months ago
Added Multifactor Authentication to the BitLocker category. When you run the BitLocker category, you will be presented with the option to choose between Normal and Enhanced security levels. The Normal security level is the previous method where the OS drive (your device) needed TPM + Startup PIN to be unlocked. The Enhanced security level adds one more factor to the authentication, requiring an external flash drive containing a special encryption key to be inserted into your device prior to the authentication.
Fixed a problem with OneDrive's Personal Vault, it wouldn't be initialized if a certain policy related to BitLocker was active. The policy was "Full disk encryption for fixed data drives" and it's now removed in this update. The policy is used to enforce encryption of the full space of the disk rather than only the used space. The Microsoft Security Baselines don't enable this policy. After careful consideration, came to the conclusion that it should be removed to fix the OneDrive Personal Vault initialization problem, and also it's not necessary to be enabled because the Harden Windows Security Module and script already encrypt the drives with full disk space (Used space + free space) to ensure maximum protection and confidentiality of the data at rest.
Enable-BitLocker
PowerShell cmdlet encrypts the entire disk by default unless the [-UsedSpaceOnly]
optional parameter is used, which is not the case in the module/script.The latest Microsoft Security Baselines 23H2 mentions to have added support for WinVerifyTrust Signature Validation policy (aka certificate padding) but they haven't implemented it properly. More info in the comments section of this Microsoft Tech Community article. This is why this update uses registry keys to apply the Certificate padding check until that problem is officially resolved.
When using Unprotect-WindowsSecurity
cmdlet, during the restoration of security group policies, the cmdlet now only restores settings that were changed by the Protect-WindowsSecurity
cmdlet, excluding the ones applied by the Microsoft Security Baselines. This allows for a more surgical and careful restoration of the settings and will prevent any accidental changes to the settings.
The BitLocker category now saves the recovery password in the same format as Windows does when using the GUI to encrypt a drive.
The BitLocker category now has a much better UX and logic.
Fixed hibernate file size detection logic.
The Scheduled task for updating Microsoft recommended driver block rules now only runs if there is a network connection, which makes sense because it needs to download the latest block list from the official MSFT servers and apply them on the system. It also restarts itself if it fails, every 6 hours, up to 4 tries.
Improved variable types to be more explicit and safe. Using full variable type names instead of their aliases.
Using 'Unrestricted' instead of 'Bypass' when setting the execution policy for the current process. Unrestricted is more secure than Bypass because if a script is code signed then tampered, you will see an error, but in bypass mode, no code sign tamper detection happens. The execution policy is also saved prior to running the script and is restored at the end.
Improved Hyper-V group member detection by using SIDs instead of account names. This makes it more robust and the comparison logic has also been improved. This change makes everything more inclusive by working in situations where the usernames contain non-English alphabets, lots of spaces and such. Or when the username is the same as the computer name.
The required PowerShell Core version is now the latest version which is 7.4.0. It has many new features, one of which is having -ProgressAction
common parameter. Using this new common parameter and setting it to SilentlyContinue
for Invoke-WebRequest
and Invoke-restMethod
cmdlets allows for the removal of the customInvoke-WithoutProgress
function since it renders it unnecessary.
PR: https://github.com/HotCakeX/Harden-Windows-Security/pull/154
Published by HotCakeX 12 months ago
Confirm-SystemCompliance
cmdlet now verifies and shows the encryption status of the non-OS drives as well to ensure they are properly encrypted with BitLocker.Confirm-SystemCompliance
cmdlet by reducing the number of times Get-MpComputerStatus
and Get-MpPreference
cmdlets were called.PrintDialog.exe
that was a placeholder for the script and module to remove its process mitigations. It was a graceful removal. Reminder that you can run the "Unprotect-WindowsSecurity -OnlyProcessMitigations" to remove only the process mitigations.7.3.8
PR: https://github.com/HotCakeX/Harden-Windows-Security/pull/153
Published by HotCakeX 12 months ago
22621.2428
, in preparation for 23H2 features infusion. That build was released almost a month ago so users have had ample time to keep their OS up to date.PR: https://github.com/HotCakeX/Harden-Windows-Security/pull/150
Published by HotCakeX 12 months ago
LGPO.exe
on the PowerShell console; It no longer displays the same message over and over again when applying policies because using Quiet mode now. This doesn't suppress errors or anything else.PR: https://github.com/HotCakeX/Harden-Windows-Security/pull/148
Published by HotCakeX 12 months ago
Confirm-SystemCompliance
cmdlet.Added thorough explanations to each process mitigation in the CSV file, that will explain why they are used.
This approach logically considers each use case of the mitigations and only implements them if there is enough information about that process that guarantees it will work 100% with the mitigation and also it makes sense to apply that mitigation in terms of security while also considering usability.
You can always find more info about them in here: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exploit-protection-reference
Removed ForceRelocateImages
and RequireInfo
from all 1st party executables in the process mitigations list.
RequireInfo
still exist for 3rd party programs such as Adobe Acrobat but for 1st party programs released by Microsoft it's removed, because 1st party programs do not need it and even if hypothetically some 1st party program was missing RequireInfo
, it still would do more harm than good by crashing that 1st party program.Removed EnableExportAddressFilter
and EnableExportAddressFilterPlus
from some processes that might not be compatible with it.
This mitigation is primarily an issue for applications such as debuggers, sandboxed applications, applications using DRM, or applications that implement anti-debugging technology.
Those processes that used them are likely to fall in the categories mentioned above, so to prevent any possible issues or crashes in the future, removed them from the process mitigations as a pre-emptive measure.
Import Address Filtering should ideally be used in conjunction with Export Address filtering in order for it to be effective. If an attacker knows you are using Import Address Filtering without Export Address Filtering, they "could" use the export method to get the address(s) for their shellcode, and vice versa.
Removed DisableNonSystemFonts
from Edge browser process mitigations because it uses DirectWrite instead of GDI and this mitigation is not required for it.
Removed EnableRopSimExec
as it only applies to 32-bit applications. Quick Assist and Adobe Acrobat that were using it are 64-bit.
Added Hardware Enforced Shadow Stack Protection Strict mode to Edge browser and Quick Assist.
PR: https://github.com/HotCakeX/Harden-Windows-Security/pull/146
Published by HotCakeX almost 1 year ago
PR: https://github.com/HotCakeX/Harden-Windows-Security/pull/143
Published by HotCakeX about 1 year ago
-OnlyProcessMitigations
optional parameter to the Unprotect-WindowsSecurity
cmdlet. When used, it will only remove process mitigations applied by the Protect-WindowsSecurity
cmdlet. You can read more about it in the module document.PR: https://github.com/HotCakeX/Harden-Windows-Security/pull/140
Published by HotCakeX about 1 year ago
PR: https://github.com/HotCakeX/Harden-Windows-Security/pull/135
Published by HotCakeX about 1 year ago
Significantly improved the Invoke-WDACSimulation
cmdlet. The WDAC policy simulation is now out of the beta phase and is working very well. I've run it on more than 100k unique files belonging to multiple programs, the results have all been correct.
Invoke-WDACSimulation
cmdletHave a WDAC policy and you want to test whether all of the files of a program will be allowed by the policy without running the program first? Use this WDAC simulation to find out.
Employ this simulation method to discover files that are not explicitly specified in the WDAC policy but are still authorized to run by it. When you scan a folder to create a Supplemental policy for the files inside it, some files might not require to be mentioned in the xml policy file because they are already sanctioned using their certificate details by other files, so it would not be possible to check their availability merely by examining the XML file. Using this simulation, you will be able to confirm their eligibility and whether or not they are permitted by the WDAC policy, using robust automated methods of verification.
Identify files that have hash mismatch and will not be permitted by WDAC engine using signature. These files are typically found in questionable software because they are tampered with. They are still incorporated into the WDAC policy based on their certificate signature but when you execute them you will receive a blocked message. Use this WDAC simulation feature to detect them without running them first.
And more.
Continue reading about this cmdlet in this document
Related PR: https://github.com/HotCakeX/Harden-Windows-Security/pull/134
Published by HotCakeX about 1 year ago
Remove-CommonWDACConfig
, used for removing individual items from the user configurations Json file. You can read more about this new cmdlet here.Confirm-WDACConfig
cmdlet by incorporating dynamic parameters.Deploy-SignedWDACConfig
cmdlet. It's smarter now when dealing with signing and deploying the strict kernel mode policies.Get-commonWDACConfig
, Set-CommonWDACConfig
and Remove-CommonWDACConfig
do not perform module update checks.New-KernelModeWDACConfig
cmdlet, specially for when you just want to create a Strict kernel mode policy and then use the Deploy-SignedWDACConfig
cmdlet to sign and deploy it. Lots of automation and abstractions have been added to make the process as automated and smooth as possible.Remove-WDACConfig
cmdlet to be only shown if -Debug
parameter is used.-DeleteUserConfig
parameter from Set-CommonWDACConfig
cmdlet, because all deletion/removal operations related to User Config file is now handled by Remove-CommonWDACConfig
cmdlet.Related PR: https://github.com/HotCakeX/Harden-Windows-Security/pull/133
Published by HotCakeX about 1 year ago
An Edge browser policy named WebRtcRespectOsRoutingTableEnabled
is being removed. Its value in the registry changes to Delete, so that when you run the Edge category next time, it will be removed from your Edge policies.
It causes problem when using Discord voice chat (WebRTC) in Edge browser while using a VPN such as Mullvad that has tight kill switch and anti-leak functionality.
You can read more about that policy here: https://learn.microsoft.com/en-us/deployedge/microsoft-edge-vpn-split-tunneling
The problem is mainly caused by 3rd party VPN software and their features. As you can see in the official article linked above, the policy is used to allow split tunneling using corporate VPNs, the ones built in Windows such as SSTP or IKEv2.
You can use Protect-WindowsSecurity
cmdlet and run the Edge browser category to apply the change if you are using a VPN + Discord in Edge browser + Voice chat and getting "no route" error.
If you aren't experiencing that issue then there is nothing you need to do.
This change doesn't decrease security whatsoever.
PR: https://github.com/HotCakeX/Harden-Windows-Security/pull/132
Published by HotCakeX about 1 year ago
PR: https://github.com/HotCakeX/Harden-Windows-Security/pull/128
Published by HotCakeX about 1 year ago
This update improves the overall experience of the WDACConfig module, makes it easier to work with and implements various new checks to ensure user error is minimal. The goal is to minimize accidental user errors as much as possible by implementing useful and intelligent checks in multiple parts of the module.
Deploy-SignedWDACConfig
to sign and deploy a WDAC policy, you will only see the prompt asking to add the signed policy to the user configurations, if the policy you are signing and deploying is a base policy.New-SupplementalWDACConfig
cmdlet, changed the parameter name -FilePathWildCards
to PathWildCards
to better reflect its purpose.New-SupplementalWDACConfig
cmdlet, changed the parameter name -WildCardPath
to FolderPath
to better reflect its purpose.New-SupplementalWDACConfig -PathWildCards -Path
, it automatically adds a *
wildcard at the end of the path and you can add extra wildcards to anywhere in the selected folder path too.-Deploy
parameter with New-SupplementalWDACConfig
cmdlet, if the selected base policy is a Signed policy, you will see an error stating that you should use Deploy-SignedWDACConfig
cmdlet to deploy Signed policies.UserConfigurations.json
file since Defender already scans all of the files on access.Set-CommonWDACConfig
cmdlet to be easier to work with.New-WDACConfig
cmdlet.Published by HotCakeX about 1 year ago
Protect-WindowsSecurity
cmdlet to apply them, Fixing this issue: https://github.com/HotCakeX/Harden-Windows-Security/issues/121 - Thanks @mbcomptech