Harden-Windows-Security

Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md


Harden-Windows-Security - WDACConfig module update v0.2.3

Published by HotCakeX about 1 year ago

What's Changed

  1. Added 2 new optional parameters to New-WDACConfig -MakeDefaultWindowsWithBlockRules; they are for Scenario/variant 4.
  2. When using Get-CommonWDACConfig, if the user configuration file is empty, a different message is now shown.

Related PR: https://github.com/HotCakeX/Harden-Windows-Security/pull/119

Thanks to @dennyamarojr for the issue https://github.com/HotCakeX/Harden-Windows-Security/issues/117


Harden-Windows-Security - Harden-Windows-Security-Module v0.1.4 Update

Published by HotCakeX about 1 year ago

What's Changed

  1. Added process mitigations for WebView2 and Runtime Broker after thorough testing to make sure they are fully compatible.
  2. Added a proper description for every executable in the process mitigations CSV file.
  3. Removed unnecessary process mitigations for Edge and Acrobat Reader because the system enables them by default. These changes are applied automatically when you run the Microsoft Defender category using the Harden Windows Security Module.
  4. Removed the direct path from the process mitigations and now rely only on file names. This provides better security: if, in a hypothetical scenario, an attacker changes the location of the files or tries to run a file with the same name from a different location, the mitigation still applies to it and kills it.
  5. Updated the descriptions in the PowerShell Gallery.
  6. Removed the DisableExtensionPoints process mitigation for PrintDialog.exe and BlockDynamicCode for Regsvr32.exe; they could prevent an edge case where a user prints something from an RDP session, using the redirected printing feature, back to the host OS. It's rare, but the goal is to never break any functionality. These changes are applied automatically when you run the Microsoft Defender category using the Harden Windows Security Module.

PR: https://github.com/HotCakeX/Harden-Windows-Security/pull/112

Harden-Windows-Security - Harden-Windows-Security-Module v0.1.3 Update

Published by HotCakeX about 1 year ago

What's Changed

  1. After performing a threat assessment, decided to ship all of the important parts of the Harden Windows Security Module in one package, so when you install it from the PowerShell Gallery it no longer downloads or runs code from GitHub; everything is available locally on your computer. This should provide more confidence and trust in the workflow of the code. Only resources such as simple plain-text CSV files are downloaded from the repository, and those are explicitly and safely imported into a variable with a defined type.

  2. Improved a requirement check in the hardening measures after reporting a documentation issue and having it fixed:
    https://github.com/MicrosoftDocs/microsoft-365-docs/issues/12747

  3. Substantially improved the displayed output of the Confirm-SystemCompliance cmdlet. The values of the Compliant column, which are either True, False or N/A, are now color coded, and False values blink. This makes it easier to quickly identify each value by simply scrolling through the result.

  4. Added BitLocker check for the OS drive to make sure it's properly encrypted.

  5. Removed the following items from the default security policy INF file, because when they are used on Azure VMs with the Unprotect-WindowsSecurity cmdlet they cause a problem: Azure VMs use the built-in administrator account, and that account is renamed when you create the VM, to the username you choose during VM creation.

    EnableAdminAccount = 0
    EnableGuestAccount = 0
    NewAdministratorName = "Administrator"
    NewGuestName = "Guest"

  6. The module and all of its features are completely and extensively tested on physical machines and virtual machines. The Harden Windows Security Module is fully compatible with Azure VM deployment and usage.

Documentation and How to use

You can find the module's documentation in here

PR: https://github.com/HotCakeX/Harden-Windows-Security/pull/104

Harden-Windows-Security - Hardening script update v2023.9.06

Published by HotCakeX about 1 year ago

What's Changed

  1. Added lots of new process mitigations after validating and testing them for more than a week on physical and virtual machines (Azure VMs and local Hyper-V VMs); you can find the full list of them in here.
  2. Improved the Optional Windows Features category.
  3. Updated the requirement checks to convey their messages better. The hardening module is fully compatible with systems that use Microsoft Defender for Endpoint (MDE) as well.
  4. Added input validation to the prompts to make sure the user only enters positive integers.

PR: https://github.com/HotCakeX/Harden-Windows-Security/pull/102

Harden-Windows-Security - WDACConfig module update v0.2.2

Published by HotCakeX about 1 year ago

What's Changed

  1. Significantly improved the Invoke-WDACSimulation cmdlet's performance. It's faster, better and outputs a CSV file with the result of the simulation.
  2. Added a new parameter for the Deploy-SignedWDAC cmdlet, called -Deploy. When used, it deploys the signed policy on the current system; otherwise it only creates the signed policy. This is especially useful when you want to deploy the policy somewhere else using the built-in Citool.exe tool.
  3. Changed all the -Deployit parameter names to -Deploy.
  4. Added the -Deploy parameter for New-WDACConfig -PrepMSFTOnlyAudit and New-WDACConfig -PrepDefaultWindowsAudit. This allows you to deploy those audit policies remotely to collect audit logs.
  5. Added error handling for the Get-CommonWDACConfig cmdlet when the user configuration JSON file does not exist.
  6. Added a file picker UI for the -CertPath parameter of all the cmdlets that use it.
  7. Removed the -DeployLatestDriverBlockRules parameter from the New-WDACConfig cmdlet; the optional -Deploy parameter added to New-WDACConfig -GetDriverBlockRules does the same task.
  8. Removed the -DeployLatestBlockRules parameter from the New-WDACConfig cmdlet; the optional -Deploy parameter added to New-WDACConfig -GetBlockRules does the same task.
  9. Confirm-WDACConfig now runs all 3 checks if you use it without passing any parameters.
  10. Improved the UX by implementing a file picker UI for when you need to browse for SignTool.exe in Edit-SignedWDACConfig, Remove-WDACConfig and Deploy-SignedWDACConfig.
  11. Improved the self-updating mechanism and its messages.
  12. Fixed a bug in an edge case where the Remove-WDACConfig cmdlet wouldn't auto-complete policy names if one of the policies didn't have a friendly name.
  13. The Remove-WDACConfig cmdlet now shows -PolicyNames first, above -PolicyIDs, for more convenience.

PR: https://github.com/HotCakeX/Harden-Windows-Security/pull/101

Harden-Windows-Security - Hardening script update v2023.8.30

Published by HotCakeX about 1 year ago

What's changed

  1. Completely rewrote the optional Windows features section to be faster, and the code is much more readable.
  2. Optional Diagnostic data moved from the Miscellaneous category to the Microsoft Defender category. It is no longer turned on automatically: it is turned on only when the user chooses to turn on Smart App Control or Smart App Control is already on; otherwise you are offered the option to turn it on, provided Smart App Control has not already been turned off. Doing so is highly recommended, because in evaluation mode Smart App Control needs it to determine whether your system is a good candidate for this AI-based security, and it requires it once turned on as well. https://github.com/HotCakeX/Harden-Windows-Security/issues/94
  3. Improved the logic of optional prompts that require additional confirmation to run. The prompt that asks to implement a scheduled task for fast weekly Microsoft recommended driver block rules is no longer shown if the task is already present and its state is either enabled or running.

Pull request: https://github.com/HotCakeX/Harden-Windows-Security/pull/98

Harden-Windows-Security - Hardening script update v2023.8.28

Published by HotCakeX about 1 year ago

What's changed

  1. Added Exploit Protections / Process Mitigations for Microsoft 365 apps including OneDrive - https://github.com/HotCakeX/Harden-Windows-Security/issues/49

    • Tested the Microsoft 365 apps (Stable and insider builds) that were added to the list with their new process mitigations, on physical hardware and VMs, multiple times, used different features of each app, used OneDrive personal and business, everything works normally as expected.
  2. The script now finds and adds OneDrive for business folders in addition to personal OneDrive folders to the Controlled Folder Access protections.

  3. Improved OS version check.

  4. Improved displayed messages.

  5. Added checks to make sure Microsoft Defender is not running in Passive mode before running the hardening measures; basically, checking that all the requirements are met.

Related PR: https://github.com/HotCakeX/Harden-Windows-Security/pull/91

Update v2023.8.29

  1. Lowered the minimum build requirement: https://github.com/HotCakeX/Harden-Windows-Security/issues/92

PR: https://github.com/HotCakeX/Harden-Windows-Security/pull/93

Harden-Windows-Security - Harden-Windows-Security-Module v0.1.2 Update

Published by HotCakeX about 1 year ago

What's changed

  1. Added error handling to a few cmdlets to take care of some edge cases

https://github.com/HotCakeX/Harden-Windows-Security/commit/0954b404c612da05736ba700c8e3563aa2053706

Harden-Windows-Security - Harden-Windows-Security-Module v0.1.1 Update

Published by HotCakeX about 1 year ago

What's Changed

  1. Updated Confirm-SystemCompliance and Unprotect-WindowsSecurity cmdlets to support changes in the latest Hardening script version: https://github.com/HotCakeX/Harden-Windows-Security/releases/tag/v2023.08.20

  2. Some minor code improvements and visual upgrades, you can see them in here: https://www.youtube.com/watch?v=nY_DXkZOiwc

  3. Adjusted the Credential providers section checks in lock screen category

https://github.com/HotCakeX/Harden-Windows-Security/commit/46df4d00195fe12dea926247f81c7f61e84d7017

Harden-Windows-Security - Hardening script update v2023.8.20

Published by HotCakeX about 1 year ago

What's changed

  1. Added Restore point scanning to the Microsoft Defender category

  2. Script now disables performance mode of Microsoft Defender that applies only to the Dev drive.

  3. Added a new feature that blocks malicious connections using network protection instead of only showing warnings

  4. The Microsoft Security baselines category now shows an additional option for applying it with the Optional Overrides. Previously they had their own category and the options are still the same. Now you just have better management over them and you can either choose to apply Microsoft Security Baseline only or Microsoft Security Baseline + Optional Overrides.

    • If you're using this script on Azure VMs, you definitely want to choose the option that applies both Microsoft Security Baseline AND Optional Overrides, otherwise you will lose your RDP connection due to the hardening measures. Thanks to @QueenSquishy for helping.
  5. Fixed this issue with using the script on non-English system localizations

  6. Minor code improvements and visual upgrades. If you want to see them make sure you use PowerShell core.

https://github.com/HotCakeX/Harden-Windows-Security/commit/78a4f34993a70dd21367ce21fec9fedf712981bc

Harden-Windows-Security - Harden-Windows-Security-Module v0.1.0 Update

Published by HotCakeX about 1 year ago

What's changed

  1. Added a TPM check, a Secure Boot check and a latest Windows version check to the cmdlets of this module
  2. Windows optional features now use Windows PowerShell instead of PowerShell Core because: https://github.com/PowerShell/PowerShell/issues/13866
  3. Added hiding of the progress bar for Invoke-WebRequest and Invoke-RestMethod to prevent a lingering progress bar on the console

Harden-Windows-Security - Harden-Windows-Security-Module v0.0.9 Update

Published by HotCakeX about 1 year ago

What's changed

  1. Added Unprotect-WindowsSecurity cmdlet as requested, it can undo the Hardening measures applied by Protect-WindowsSecurity cmdlet.
  2. Improved the code

Module's documentation here

Harden-Windows-Security - WDACConfig module update v0.2.1

Published by HotCakeX about 1 year ago

What's changed

  1. Added -AllowFileNameFallbacks parameter by default when creating policies. It's a great parameter that helps include files that do not have an OriginalFileName.

  2. Fixed the Microsoft recommended Block lists URLs in the code because they were changed and had to be updated - Thanks @mind777

  3. Improved code quality (Security, readability, typos in the comments etc.)

Harden-Windows-Security - Hardening script update v2023.8.11

Published by HotCakeX about 1 year ago

What's changed

  1. Removed the Windows Kernel Information Disclosure CVE-2023-32019 category and the security measures described in the KB5028407 document page, KB5027231, because it's now enabled by default in Windows and is no longer necessary.

    The resolution described in this article has been released enabled by default. To apply the enabled by default resolution, install the Windows update that is dated on or after August 8, 2023. No further user action is required.

  2. Enhanced the clarity and security of the script’s code by employing single quotation marks instead of double quotation marks wherever feasible and rigorously/explicitly specifying the types of the variables.

  3. Changed the security measure related to Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932. The majority of this security measure is now implemented by default in Windows, leaving only a minor portion outstanding. This final segment is also provisional and will soon be fully activated by default, as the document indicates. Once this occurs, it will become superfluous and this script will cease to incorporate it.

    As always, the paramount thing you have to do is to ensure your operating system (OS) is always up to date and on the latest version.

  4. In the Miscellaneous category, when adding all user accounts to the Hyper-V security group, the group is now detected using its SID rather than its name. This makes it work on systems with non-English locales.

  5. The "Restrict Unauthenticated RPC Clients" policy, when set to "Authenticated without exceptions", prevents Windows Sandbox from working. So that policy, which was added 3 days ago, is now removed.

    • Microsoft Security Baseline sets it to the correct secure value, which is "Authenticated", but "Authenticated without exceptions" is more restrictive and causes that problem.

    • All you have to do to revert it is to run the script again, especially the Microsoft Security Baseline category, so that it changes to the correct value and you will be able to use Windows Sandbox again.

Harden-Windows-Security - Harden-Windows-Security-Module v0.0.8 Update

Published by HotCakeX about 1 year ago

What's changed

  1. The compliance checking module now uses the registry instead of Group Policy. This was done because group policies are translated into different languages and locales, so the old method couldn't be used by users with non-English system locales.

  2. This also saves about 1000 lines of code, makes the compliance checking faster and generates more detailed output.

  3. Overall it's a positive change.

P.S. When you invoke the Confirm-SystemCompliance cmdlet, the module automatically checks for updates and updates itself if a new version is available.

Harden-Windows-Security - Harden-Windows-Security-Module v0.0.7 Update

Published by HotCakeX about 1 year ago

What's changed

  1. Changed the Hyper-V Administrators security group members detection from using name to SID to make it compatible with non-English system locales.

  2. Improved the code security and readability by adding explicit types to many variables and using single quotes instead of double quotes wherever possible.

P.S. The module auto-updates when you run it, so no manual action is needed.

Harden-Windows-Security - Harden-Windows-Security-Module v0.0.4-6 Update

Published by HotCakeX about 1 year ago

What's changed

In version 0.0.4

In version 0.0.5

  • Very small update to improve the auto-updating mechanism

In version 0.0.6

  • Fixed the URL for Group-Policies.json

Harden-Windows-Security - Hardening script update v2023.8.8

Published by HotCakeX about 1 year ago

What's changed

  1. Removed Edge browser policies that are not applicable when you sign in using a personal Microsoft account instead of Microsoft Entra ID. This is a new security change by Microsoft that comes into effect starting with Edge version 116, a few days from now. The Edge Group Policies documentation clearly mentions which policies are like that. There is nothing to be worried about; you can configure these settings from the Edge browser settings page. In Edge browser versions 116 and above, the status of these policies in edge://policy/ is "Ignored" when signed in with a personal Microsoft account. You don't have to take any additional actions; the script automatically takes care of removing them if they exist. Policies with "Ignored" status do not cause any problem, but to keep things clean, the following Edge browser policies are removed from the Windows Hardening script:

    1. WebRtcLocalhostIpHandling
    2. SSLErrorOverrideAllowed
    3. PrimaryPasswordSetting
    4. PDFSecureMode
    5. NewPDFReaderEnabled
  2. Removed the Top Security category and instead placed each hardening measure that was in there into its correct category. This way users have more granular control and can enable individual hardening measures instead of using all of them at once. Some of them cause more inconvenience than others while providing security; please check out the description of each of them in the Readme.

    1. Added "Don't display last signed-in" to the Lock Screen category.
    2. Added "Blocking Untrusted Fonts" to the Miscellaneous category.
    3. Added "Automatically deny all UAC prompts on Standard accounts" to the User Account Control category.
    4. Added "Hides the entry points for Fast User Switching" to the User Account Control category.
    5. Added "Only elevate executables that are signed and validated" to the User Account Control category.
  3. In the Readme, made it clear that individual hardening measures that prompt for additional confirmation before running, like the ones mentioned above, are marked with an icon.

  4. In the Readme, added a note to "Hides the entry points for Fast User Switching" in User Account Control Category and "Don't display last signed-in" in Lock screen category policies that require additional confirmation before running. If any of those 2 policies is used, you won't be able to use "Forgot my PIN" feature in lock screen or logon screen. If you forget your PIN, you won't be able to recover it.

    • As mentioned earlier, they were previously in the Top Security category, now they are part of their correct categories, and just like before they are not applied by default unless you manually confirm them to be applied.
  5. When running the Harden Windows Security script with PowerShell Core, you will now see the new, better styling.

  6. Added a new hardening measure in the Lock screen category. It sets Windows Hello PIN as the default Credential Provider and excludes the Credential Providers listed below. We do this because if the "Don't display last signed-in" policy is used, the logon screen defaults to Password. Smart cards are old and insecure compared to Windows Hello or WHfB, and if Microsoft account password sign-in is available it defeats the purpose of having a local PIN that's tied to a device. It goes without saying that you shouldn't use this policy if a local password or a Smart card is the only way you log in. If that's the case, first connect your Windows account to a Microsoft account and then use this policy. List of the Credential Providers that are blocked by this policy:

    • Smartcard Reader Selection Provider - {1b283861-754f-4022-ad47-a5eaaa618894}
    • Smartcard WinRT Provider - {1ee7337f-85ac-45e2-a23c-37c753209769}
    • Smartcard Credential Provider - {8FD7E19C-3BF7-489B-A72C-846AB3678C96}
    • WLIDCredentialProvider (Microsoft Account Password sign-in on logon screen, not applicable if your Microsoft account is password-less) - {F8A0B131-5F68-486c-8040-7E8FC3C85BB6}
    • PasswordProvider - {60b78e88-ead8-445c-9cfd-0b87f74ea6cd}
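
As an added example (not the module's own code): a PowerShell check, in the spirit of Confirm-SystemCompliance, that lists the credential providers registered on the machine and marks which of the five CLSIDs above are currently excluded by policy, and which one is set as default. It assumes the "Exclude credential providers" and "Assign a default credential provider" policies store their values as ExcludedCredentialProviders and DefaultCredentialProvider under the Policies\System key named in the code.

```powershell
# Added example, not the project's own code: report which credential providers
# the "Exclude credential providers" policy currently blocks, using the five
# CLSIDs from the v2023.8.8 release notes as the expected set. Assumption: the
# policy values ExcludedCredentialProviders and DefaultCredentialProvider are
# stored under the Policies\System key below.
$PolicyKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ProvidersKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

# CLSIDs as listed in the release notes; compared case-insensitively below.
$ExpectedExcluded = @(
    '{1b283861-754f-4022-ad47-a5eaaa618894}'   # Smartcard Reader Selection Provider
    '{1ee7337f-85ac-45e2-a23c-37c753209769}'   # Smartcard WinRT Provider
    '{8FD7E19C-3BF7-489B-A72C-846AB3678C96}'   # Smartcard Credential Provider
    '{F8A0B131-5F68-486c-8040-7E8FC3C85BB6}'   # WLIDCredentialProvider
    '{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}'   # PasswordProvider
) | ForEach-Object { $_.ToLowerInvariant() }

function Get-ExcludedCredentialProviders {
    # The policy stores a comma-separated list of CLSIDs in one REG_SZ value.
    $item = Get-ItemProperty -Path $PolicyKey -Name ExcludedCredentialProviders -ErrorAction SilentlyContinue
    if (-not $item -or [string]::IsNullOrWhiteSpace($item.ExcludedCredentialProviders)) { return @() }
    return @($item.ExcludedCredentialProviders -split ',' |
        ForEach-Object { $_.Trim().ToLowerInvariant() } |
        Where-Object { $_ })
}

function Get-RegisteredCredentialProviders {
    # Each registered provider is a CLSID subkey whose default value is its name.
    Get-ChildItem -Path $ProvidersKey | ForEach-Object {
        [pscustomobject]@{
            Clsid = $_.PSChildName.ToLowerInvariant()
            Name  = (Get-ItemProperty -Path $_.PSPath).'(default)'
        }
    }
}

function Test-CredentialProviderPolicy {
    $excluded = Get-ExcludedCredentialProviders
    $default  = (Get-ItemProperty -Path $PolicyKey -Name DefaultCredentialProvider -ErrorAction SilentlyContinue).DefaultCredentialProvider
    foreach ($p in Get-RegisteredCredentialProviders) {
        [pscustomobject]@{
            Name          = $p.Name
            Clsid         = $p.Clsid
            ShouldExclude = $ExpectedExcluded -contains $p.Clsid
            Excluded      = $excluded -contains $p.Clsid
            IsDefault     = [bool]$default -and ($default.ToLowerInvariant() -eq $p.Clsid)
        }
    }
}

# Rows with ShouldExclude = True and Excluded = False show where this hardening
# measure has not taken effect (or the policy has not been applied at all).
Test-CredentialProviderPolicy | Sort-Object ShouldExclude -Descending | Format-Table -AutoSize
```

Run it before applying the measure to confirm a Windows Hello PIN provider is registered and will remain available, since excluding PasswordProvider with no other usable provider locks you out.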

Harden-Windows-Security - Harden-Windows-Security-Module v0.0.3 Update

Published by HotCakeX about 1 year ago

What's changed

  1. Updated the Compliance checks to include changes in the following Harden Windows Security script update:
    https://github.com/HotCakeX/Harden-Windows-Security/releases/tag/v2023.08.04

No action necessary, module auto-updates

If you've already installed the Harden Windows Security Module, you don't have to update it manually. When you run it, it detects new versions and auto-updates itself. 🫰

Harden-Windows-Security - Hardening script update v2023.8.4

Published by HotCakeX about 1 year ago

What's changed

  1. In the BitLocker category, hibernation is only enabled on physical machines, because virtual machines such as Hyper-V VMs have other features, such as saving the VM's state, checkpoints, pause etc., do not support hibernation, and throw an error.

  2. Added a new group policy to the Windows Networking category to clear all the entries for Remotely accessible registry paths

  3. Added a new group policy to the Windows Networking category to clear all the entries for Remotely accessible registry paths and subpaths

  4. In the Miscellaneous category, added a new policy for Command line process auditing

  5. In the Lock Screen category, changed the anti-hammering feature for lock screen by lowering the number of subsequent failed sign-in attempts from 6 to 5.

  6. In the Lock screen category, added a new policy for Account lockout threshold and set it to 5.

  7. In the Lock screen category, added a new policy for Reset account lockout counter and set it to 1440 minutes, or 1 day. In combination with the other policies in this category, this means that after every 5 failed sign-in attempts a full day has to pass before 5 more attempts can be made; otherwise BitLocker engages, the system restarts and the 48-digit BitLocker recovery key is asked for. This policy greatly hinders brute force attempts.

  8. In the Lock screen category, added a new policy for Account lockout duration and set it to 1440 minutes, or 1 day. In combination with the other policies in this category, this means that after every 5 failed sign-in attempts a full day has to pass before 5 more attempts can be made; otherwise BitLocker engages, the system restarts and the 48-digit BitLocker recovery key is asked for. This policy greatly hinders brute force attempts.

  9. In the Miscellaneous category, added a new policy for enabling the RPC Endpoint Mapper Client Authentication policy

  10. In the Miscellaneous category, added a new policy to set the Restrict Unauthenticated RPC Clients policy to "Authenticated without exceptions"

  11. In the Lock Screen category, added the following PIN Complexity rules for Windows Hello

    1. Must include digits
    2. Expires every 180 days (default behavior is to never expire)
    3. History of the 3 most recent selected PINs is preserved to prevent the user from reusing them
    4. Must include lower-case letters
  12. In the non-admin category, removed the registry keys related to security measures for disabling toast/push notifications on lock screen, because Microsoft security baselines already apply them.

  13. In the non-admin category, added a new security measure for disabling "Show reminders and incoming VoIP calls on the lock screen" in Settings > System > Notifications
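
As an added example (not the module's own code), the following PowerShell script exports the local security policy with secedit and parses its [System Access] section. It serves two passages on this page: it compares the lockout values with the ones set by this v2023.8.4 release (threshold 5, lockout duration and reset counter 1440 minutes), and it shows the four built-in account entries (EnableAdminAccount, EnableGuestAccount, NewAdministratorName, NewGuestName) that the v0.1.3 module stopped shipping because of Azure VMs. It assumes an elevated session, since secedit /export needs administrator rights.

```powershell
# Added example, not the module's own code: export the local security policy
# with secedit and compare [System Access] values with the v2023.8.4 release
# (lockout threshold 5, lockout duration and reset counter 1440 minutes), then
# show the four built-in account entries the v0.1.3 module stopped shipping.
# Run from an elevated PowerShell session; secedit /export requires admin.

function Get-SystemAccessPolicy {
    # Export only the security policy area to a temporary INF and parse it.
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
        if (-not (Test-Path -Path $inf)) { throw 'secedit export failed; run this from an elevated session.' }

        $values = @{}
        $inSection = $false
        # secedit writes the INF as UTF-16; entries look like "LockoutBadCount = 5".
        foreach ($line in Get-Content -Path $inf -Encoding Unicode) {
            if ($line -match '^\[(.+)\]\s*$') {
                $inSection = ($Matches[1] -eq 'System Access')
                continue
            }
            if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') {
                # Strip the quotes secedit puts around string values such as "Administrator".
                $values[$Matches[1]] = $Matches[2].Trim('"')
            }
        }
        return $values
    }
    finally {
        Remove-Item -Path $inf -Force -ErrorAction SilentlyContinue
    }
}

function Test-LockoutPolicy {
    param([hashtable]$Policy = (Get-SystemAccessPolicy))
    # Expected values taken from the v2023.8.4 release notes.
    $expected = [ordered]@{
        LockoutBadCount   = 5      # Account lockout threshold
        LockoutDuration   = 1440   # Account lockout duration (minutes)
        ResetLockoutCount = 1440   # Reset account lockout counter after (minutes)
    }
    foreach ($name in $expected.Keys) {
        # LockoutDuration and ResetLockoutCount are absent from the export when the threshold is 0.
        $actual = $Policy[$name]
        [pscustomobject]@{
            Setting   = $name
            Expected  = $expected[$name]
            Actual    = $actual
            Compliant = ($null -ne $actual) -and ([int]$actual -eq $expected[$name])
        }
    }
}

function Get-BuiltinAccountPolicy {
    param([hashtable]$Policy = (Get-SystemAccessPolicy))
    # On Azure VMs the built-in Administrator is renamed to the username chosen at
    # VM creation, which is why the module no longer ships these four entries.
    foreach ($name in 'EnableAdminAccount', 'EnableGuestAccount', 'NewAdministratorName', 'NewGuestName') {
        [pscustomobject]@{ Setting = $name; Value = $Policy[$name] }
    }
}

$policy = Get-SystemAccessPolicy
Test-LockoutPolicy -Policy $policy | Format-Table -AutoSize
Get-BuiltinAccountPolicy -Policy $policy | Format-Table -AutoSize
```

On an Azure VM the NewAdministratorName row shows the username chosen at VM creation rather than "Administrator", which is the mismatch that made the removed INF entries a problem.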
