Optimize, Harden, and Debloat Windows 10 and Windows 11 Deployments

Introduction:

Windows 10 and Windows 11 are invasive and insecure operating systems out of the box. Organizations like PrivacyTools.io, Microsoft, Cyber.mil, the Department of Defense, and the National Security Agency have recommended configuration changes to lock down, harden, and secure the operating system. These changes cover a wide range of mitigations, including blocking telemetry and macros, removing bloatware, and preventing many digital and physical attacks on a system. This script aims to automate the configurations recommended by those organizations.

Notes, Warnings, and Considerations:

WARNING:

This script should work for most, if not all, systems without issue. While @SimeonOnSecurity creates, reviews, and tests each repo intensively, we cannot test every possible configuration, nor does @SimeonOnSecurity take any responsibility for breaking your system. If something goes wrong, be prepared to submit an issue.

Do not run this script if you don't understand what it does. It is your responsibility to review and test the script before running it.

FOR EXAMPLE, THE FOLLOWING WILL BREAK IF YOU RUN THIS WITHOUT TAKING PREVENTATIVE STEPS:

Requirements:

Recommended reading material:

Additions, notable changes, and bugfixes:

This script adds, removes, and changes settings on your system. Please review the script before running it.

Browsers:

Powershell Modules:

Using a Laptop with Sleep

Fixing Microsoft Account, Store, or Xbox Services:

This is because we block signing into Microsoft accounts. Microsoft's telemetry and identity association is frowned upon. However, if you still wish to use these services, see the following issue tickets for the resolution:

If you use Thunderbolt Devices:

You may run into issues. There are multiple vulnerabilities associated with using Thunderbolt and advanced USB-C type devices. Because of this, we have disabled it by default. If you'd like to ignore this, please read:

SSL Issues With Chocolatey:

Chocolatey's servers have issues supporting the latest, and most secure, TLS 1.3 ciphers. These are fixed using some of the Windows category changes. However, if you opt out of those, you may run into issues. Keep in mind that this is primarily a Chocolatey issue; all fixes for this are just workarounds.

Enabling Remote Desktop (RDP) Again:

This script is meant for standalone systems; STIGs and hardening best practices dictate disabling RDP. See the following issue for steps to enable it again: https://github.com/simeononsecurity/Windows-Optimize-Harden-Debloat/discussions/81

Editing policies in Local Group Policy after the fact:

If you need to modify or change a setting, they are most likely configurable via GPO:

A list of scripts and tools this collection utilizes:

First Party:

.NET-STIG-Script
Automate-Sysmon
FireFox-STIG-Script
JAVA-STIG-Script
Standalone-Windows-STIG-Script
Windows-Defender-STIG-Script
Windows-Optimize-Debloat

Third Party:

Cyber.mil - Group Policy Objects
Microsoft Security Compliance Toolkit 1.0
Microsoft Sysinternals - Sysmon

STIGs/SRGs Applied:

Adobe Acrobat Pro DC Continuous V2R1
Adobe Acrobat Reader DC Continuous V2R1
Firefox V5R2
Google Chrome V2R4
Internet Explorer 11 V1R19
Microsoft Edge V1R2
Microsoft .Net Framework 4 V1R9
Microsoft Office 2013 V2R1
Microsoft Office 2016 V2R1
Microsoft Office 2019/Office 365 Pro Plus V2R3
Microsoft OneDrive STIG V2R1
Oracle JRE 8 V1R5
Windows 10 V2R2
Windows Defender Antivirus V2R2
Windows Firewall V1R7

Additional Considerations:

BuiltByBel - PrivateZilla
MelodysTweaks - Basic Tweaks
Dirteam - SSL Hardening
Microsoft - Managing Windows 10 Telemetry and Callbacks
Microsoft - Reduce attack surfaces with attack surface reduction rules
Microsoft - Recommended block rules
Microsoft - Recommended driver block rules
Microsoft - Spectre and Meltdown Mitigations
Microsoft - Windows 10 Privacy
Microsoft - Windows 10 VDI Recommendations
Microsoft - Windows Defender Application Control
Mirinsoft - SharpApp
Mirinsoft - debotnet
NSACyber - Application Whitelisting Using Microsoft AppLocker
NSACyber - Bitlocker Guidance
NSACyber - Hardware-and-Firmware-Security-Guidance
NSACyber - Windows Secure Host Baseline
UnderGroundWires - Privacy.S**Y
Sycnex - Windows10Debloater
The-Virtual-Desktop-Team - Virtual-Desktop-Optimization-Tool
TheVDIGuys - Windows 10 VDI Optimize
VectorBCO - windows-path-enumerate
W4H4WK - Debloat Windows 10
Whonix - Disable TCP Timestamps

Learn more about Optimizing and Hardening Windows 10 and Windows 11

How to run the script:

GUI - Guided Install:

Download the latest release here, choose the options you want and hit execute.

<img src="https://raw.githubusercontent.com/simeononsecurity/Windows-Optimize-Harden-Debloat/master/.github/images/WOHD-GUI.gif" alt="Example of Windows-Optimize-Harden-Debloat GUI Based Guided install">

Automated Install:

Use this one-liner to automatically download, unzip all supporting files, and run the latest version of the script.

iwr -useb 'https://simeononsecurity.ch/scripts/windowsoptimizeandharden.ps1'|iex

<img src="https://raw.githubusercontent.com/simeononsecurity/Windows-Optimize-Harden-Debloat/master/.github/images/w10automatic.gif" alt="Example of Windows-Optimize-Harden-Debloat automatic install">

Manual Install:

If manually downloaded, the script must be launched from an administrative PowerShell session in the directory containing all the files from the GitHub repository.

The script "sos-optimize-windows.ps1" includes several parameters that allow for customization of the optimization process. Each parameter is a boolean value that defaults to true if not specified.

An example of how to launch the script with specific parameters would be:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
Get-ChildItem -Recurse *.ps1 | Unblock-File
powershell.exe -ExecutionPolicy ByPass -File .\sos-optimize-windows.ps1 -cleargpos:$false -installupdates:$false
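A review-before-run wrapper for the manual install above, added here as an example and not part of the project's own code. It assumes the release was unzipped to a placeholder path and reuses the two switches from the example; unlike the automated one-liner, it keeps the files on disk so they can be hashed and linted before anything executes.

```powershell
# Added example (not the project's code): review, snapshot, then launch the manual install.
# Assumptions: $RepoDir is a placeholder for where the release was unzipped; the two
# switches passed at the end are the ones shown in this README's manual-install example.
#Requires -RunAsAdministrator

$RepoDir = 'C:\src\Windows-Optimize-Harden-Debloat'   # placeholder path
$Main    = Join-Path $RepoDir 'sos-optimize-windows.ps1'
if (-not (Test-Path $Main)) { throw "Main script not found at $Main" }

# 1. Inventory: hash every script so the exact reviewed bytes are on record.
$Scripts = Get-ChildItem -Path $RepoDir -Recurse -Include *.ps1, *.psm1
$Scripts | Get-FileHash -Algorithm SHA256 |
    Select-Object @{n='File'; e={ $_.Path.Substring($RepoDir.Length) }}, Hash |
    Export-Csv -Path (Join-Path $RepoDir 'reviewed-hashes.csv') -NoTypeInformation

# 2. Static review: surface remote-code and privilege-sensitive patterns, then lint
#    with PSScriptAnalyzer (the same linter the repo's CI badge refers to) if installed.
$Patterns = 'Invoke-Expression', '\biex\b', 'DownloadString', 'Set-MpPreference', 'reg(\.exe)? add'
$Scripts | Select-String -Pattern $Patterns |
    ForEach-Object { '{0}:{1}: {2}' -f $_.Filename, $_.LineNumber, $_.Line.Trim() }
if (Get-Module -ListAvailable -Name PSScriptAnalyzer) {
    Invoke-ScriptAnalyzer -Path $RepoDir -Recurse -Severity Error, Warning | Format-Table -AutoSize
} else {
    Write-Warning 'PSScriptAnalyzer not installed (Install-Module PSScriptAnalyzer); lint skipped.'
}

# 3. Rollback point before any setting changes. Requires System Protection on the
#    system drive; Windows also rate-limits restore points to one per 24 hours by default.
Checkpoint-Computer -Description 'Before Windows-Optimize-Harden-Debloat' -RestorePointType MODIFY_SETTINGS

# 4. Launch only after the review output has actually been read.
if ((Read-Host 'Reviewed the output above? Type RUN to continue') -ceq 'RUN') {
    $Scripts | Unblock-File                  # clear Mark-of-the-Web on the downloaded files
    Push-Location $RepoDir                   # the script expects to run from the repo root
    try {
        powershell.exe -ExecutionPolicy Bypass -File $Main -cleargpos:$false -installupdates:$false
    } finally { Pop-Location }
}
```

Keep reviewed-hashes.csv with the change record; if a later release differs, the hashes show exactly which files need a fresh review.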

Links: