|
|
|
# Description:
|
|
|
|
# This script will try to fix many of the privacy settings for the user. This
|
|
|
|
# is work in progress!
|
|
|
|
|
|
|
|
Import-Module -DisableNameChecking $PSScriptRoot\..\lib\force-mkdir.psm1
|
|
|
|
Import-Module -DisableNameChecking $PSScriptRoot\..\lib\take-own.psm1
|
|
|
|
|
|
|
|
echo "Elevating priviledges for this process"
|
|
|
|
do {} until (Elevate-Privileges SeTakeOwnershipPrivilege)
|
|
|
|
|
|
|
|
echo "Defuse Windows search settings"
|
|
|
|
Set-WindowsSearchSetting -EnableWebResultsSetting $false
|
|
|
|
|
|
|
|
echo "Set general privacy options"
|
|
|
|
sp "HKCU:\Control Panel\International\User Profile" "HttpAcceptLanguageOptOut" 1
|
|
|
|
force-mkdir "HKCU:\Printers\Defaults"
|
|
|
|
sp "HKCU:\Printers\Defaults" "NetID" "{00000000-0000-0000-0000-000000000000}"
|
|
|
|
force-mkdir "HKCU:\SOFTWARE\Microsoft\Input\TIPC"
|
|
|
|
sp "HKCU:\SOFTWARE\Microsoft\Input\TIPC" "Enabled" 0
|
|
|
|
force-mkdir "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo"
|
|
|
|
sp "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" "Enabled" 0
|
|
|
|
sp "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" "EnableWebContentEvaluation" 0
|
|
|
|
|
|
|
|
echo "Disable synchronisation of settings"
|
|
|
|
sp "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync" "BackupPolicy" 0x3c
|
|
|
|
sp "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync" "DeviceMetadataUploaded" 0
|
|
|
|
sp "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync" "PriorLogons" 1
|
|
|
|
$groups = @(
|
|
|
|
"Accessibility"
|
|
|
|
"AppSync"
|
|
|
|
"BrowserSettings"
|
|
|
|
"Credentials"
|
|
|
|
"DesktopTheme"
|
|
|
|
"Language"
|
|
|
|
"PackageState"
|
|
|
|
"Personalization"
|
|
|
|
"StartLayout"
|
|
|
|
"Windows"
|
|
|
|
)
|
|
|
|
foreach ($group in $groups) {
|
|
|
|
force-mkdir "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\$group"
|
|
|
|
sp "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\$group" "Enabled" 0
|
|
|
|
}
|
|
|
|
|
|
|
|
echo "Set privacy policy accepted state to 0"
|
|
|
|
force-mkdir "HKCU:\SOFTWARE\Microsoft\Personalization\Settings"
|
|
|
|
sp "HKCU:\SOFTWARE\Microsoft\Personalization\Settings" "AcceptedPrivacyPolicy" 0
|
|
|
|
|
|
|
|
echo "Do not scan contact informations"
|
|
|
|
force-mkdir "HKCU:\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore"
|
|
|
|
sp "HKCU:\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" "HarvestContacts" 0
|
|
|
|
|
|
|
|
echo "Inking and typing settings"
|
|
|
|
force-mkdir "HKCU:\SOFTWARE\Microsoft\InputPersonalization"
|
|
|
|
sp "HKCU:\SOFTWARE\Microsoft\InputPersonalization" "RestrictImplicitInkCollection" 1
|
|
|
|
sp "HKCU:\SOFTWARE\Microsoft\InputPersonalization" "RestrictImplicitTextCollection" 1
|
|
|
|
|
|
|
|
echo "Microsoft Edge settings"
|
|
|
|
force-mkdir "HKCU:\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main"
|
|
|
|
sp "HKCU:\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main" "DoNotTrack" 1
|
|
|
|
force-mkdir "HKCU:\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\User\Default\SearchScopes"
|
|
|
|
sp "HKCU:\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\User\Default\SearchScopes" "ShowSearchSuggestionsGlobal" 0
|
|
|
|
force-mkdir "HKCU:\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead"
|
|
|
|
sp "HKCU:\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead" "FPEnabled" 0
|
|
|
|
force-mkdir "HKCU:\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter"
|
|
|
|
sp "HKCU:\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" "EnabledV9" 0
|
|
|
|
|
|
|
|
echo "Disable background access of default apps"
|
|
|
|
foreach ($key in (ls "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications")) {
|
|
|
|
sp ("HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\" + $key.PSChildName) "Disabled" 1
|
|
|
|
}
|
|
|
|
|
|
|
|
echo "Denying device access"
|
|
|
|
sp "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\LooselyCoupled" "Type" "LooselyCoupled"
|
|
|
|
sp "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\LooselyCoupled" "Value" "Deny"
|
|
|
|
sp "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\LooselyCoupled" "InitialAppValue" "Unspecified"
|
|
|
|
foreach ($key in (ls "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global")) {
|
|
|
|
if ($key.PSChildName -EQ "LooselyCoupled") {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
sp ("HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\" + $key.PSChildName) "Type" "InterfaceClass"
|
|
|
|
sp ("HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\" + $key.PSChildName) "Value" "Deny"
|
|
|
|
sp ("HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\" + $key.PSChildName) "InitialAppValue" "Unspecified"
|
|
|
|
}
|
|
|
|
|
|
|
|
echo "Disable location sensor"
|
|
|
|
force-mkdir "HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Permissions\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}"
|
|
|
|
sp "HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Permissions\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" "SensorPermissionState" 0
|
|
|
|
|
|
|
|
echo "Disable submission of Windows Defender findings (w/ elevated privileges)"
|
|
|
|
Takeown-Registry("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet")
|
|
|
|
sp "HKLM:\SOFTWARE\Microsoft\Windows Defender\Spynet" "SpyNetReporting" 0 # write-protected even after takeown ?!
|
|
|
|
sp "HKLM:\SOFTWARE\Microsoft\Windows Defender\Spynet" "SubmitSamplesConsent" 0
|
|
|
|
|
|
|
|
echo "Do not share wifi networks"
|
|
|
|
$user = New-Object System.Security.Principal.NTAccount($env:UserName)
|
|
|
|
$sid = $user.Translate([System.Security.Principal.SecurityIdentifier]).value
|
|
|
|
force-mkdir ("HKLM:\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\features\" + $sid)
|
|
|
|
sp ("HKLM:\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\features\" + $sid) "FeatureStates" 0x33c
|
|
|
|
sp "HKLM:\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\features" "WiFiSenseCredShared" 0
|
|
|
|
sp "HKLM:\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\features" "WiFiSenseOpen" 0
|