diff --git a/src/application/collections/windows.yaml b/src/application/collections/windows.yaml index f090128d..169ca1d2 100644 --- a/src/application/collections/windows.yaml +++ b/src/application/collections/windows.yaml 
@@ -860,20 +860,34 @@ actions: name: Clear offline Visual Studio usage telemetry data recommend: standard docs: |- - This script clears offline telemetry data in Visual Studio. These telemetry data, known as SQM (*Service Quality Monitoring* - or *Software Quality Metrics* [2]) files, contain details about application usage, errors, and performance [1]. + This script removes offline telemetry data in Visual Studio to enhance privacy and potentially + improve system performance. + These telemetry files, known as SQM (*Service Quality Monitoring* or *Software Quality Metrics* [2]), + contain details about application usage, errors, and performance [1]. SQM files are created and used by Microsoft to gather data for the Microsoft Customer Experience Improvement Program [2]. - When Visual Studio is offline, it stores these SQM files locally in `%LOCALAPPDATA%\Microsoft\VSCommon\\SQM` [3]. + When offline, Visual Studio stores these files in the user's local application data folder [3]. + + Removing these files helps protect user privacy by deleting usage data. + Removing this data may improve Visual Studio's performance, as the accumulation of these files can potentially slow + down the application [3]. + + ### Technical Details - Accumulation of these files can significantly slow down Visual Studio. - Removing these files can speed up the Visual Studio, as reported by the user community [3]. + Visual Studio stores these SQM files locally in the `%LOCALAPPDATA%\Microsoft\VSCommon\\SQM` folder [3]. + This script removes data for Visual Studio versions 2015 through 2022 [4]: - By clearing these files, this script helps mitigate potential privacy concerns and maintain application efficiency. 
+ | Version | Product | + |:-------:|--------------------| + | 14.0 | Visual Studio 2015 | + | 15.0 | Visual Studio 2017 | + | 16.0 | Visual Studio 2019 | + | 17.0 | Visual Studio 2022 | [1]: https://web.archive.org/web/20231206212243/https://file.org/extension/sqm "SQM File: How to open SQM file (and what it is) | file.org" [2]: https://web.archive.org/web/20231206212102/https://devblogs.microsoft.com/oldnewthing/20100406-00/?p=14393 "Microspeak: SQMmed - The Old New Thing | devblogs.microsoft.com" [3]: https://web.archive.org/web/20240314062704/https://stackoverflow.com/questions/17643535/slow-visual-studio-related-to-sqmclient/38862596#38862596 "Process monitor - Slow Visual Studio, related to SQMClient? | Stack Overflow | stackoverflow.com" + [4]: https://web.archive.org/web/20240808200605/https://en.wikipedia.org/wiki/Visual_Studio#History "Visual Studio - Wikipedia | en.wikipedia.org" call: - function: ClearDirectoryContents 
@@ -1018,7 +1032,7 @@ actions: [1]: https://web.archive.org/web/20240731003406/https://learn.microsoft.com/en-us/visualstudio/get-started/visual-studio-ide?view=vs-2022 "What is the Visual Studio IDE? | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20231124133613/https://stackoverflow.com/questions/12465361/how-to-change-visual-studio-2012-2013-or-2015-license-key "How to change Visual Studio 2012,2013 or 2015 License Key? | Stack Overflow" [3]: https://web.archive.org/web/20231124133613/https://stackoverflow.com/questions/12465361/how-to-change-visual-studio-2012-2013-or-2015-license-key/14810695#14810695 "How to change Visual Studio 2012,2013 or 2015 License Key? | Stack Overflow | stackoverflow.com" - [4]: https://github.com/privacysexy-forks/VSCELicense/blob/master/VSCELicense.psm1 "VSCELicense/VSCELicense.psm1 at master · privacysexy-forks/VSCELicense | github.com" + [4]: https://web.archive.org/web/20240809125330/https://github.com/privacysexy-forks/VSCELicense/blob/master/VSCELicense.psm1 "VSCELicense/VSCELicense.psm1 at master · privacysexy-forks/VSCELicense | github.com" [5]: https://web.archive.org/web/20240731111715/https://github.com/privacysexy-forks/VSKeyExtractor "privacysexy-forks/VSKeyExtractor: A small tool to extract the license key that was used to activate your local installation of Visual Studio | github.com" children: - 
@@ -1045,7 +1059,7 @@ actions: [1]: https://web.archive.org/web/20240731092747/https://www.microsoft.com/en-ie/download/details.aspx?id=10142 "Download Visual Studio 2010 Professional Whitepaper from Official Microsoft Download Center | www.microsoft.com" [2]: https://web.archive.org/web/20240731092804/https://learn.microsoft.com/en-us/lifecycle/products/visual-studio-2010 "Visual Studio 2010 - Microsoft Lifecycle | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20231124133613/https://stackoverflow.com/questions/12465361/how-to-change-visual-studio-2012-2013-or-2015-license-key/14810695#14810695 "How to change Visual Studio 2012,2013 or 2015 License Key? | Stack Overflow | stackoverflow.com" - [4]: https://github.com/privacysexy-forks/VSKeyExtractor/blob/main/Program.cs "VSKeyExtractor/Program.cs at main · privacysexy-forks/VSKeyExtractor | github.com" + [4]: https://web.archive.org/web/20240809125530/https://github.com/privacysexy-forks/VSKeyExtractor/blob/main/Program.cs "VSKeyExtractor/Program.cs at main · privacysexy-forks/VSKeyExtractor | github.com" call: function: DeleteVisualStudioLicense 
@@ -1076,9 +1090,9 @@ actions: [1]: https://web.archive.org/web/20150111085353/http://channel9.msdn.com/Events/Visual-Studio/Launch-2013/VS101 "What's New in Visual Studio 2013 Integrated Developer Environment (IDE) | Visual Studio 2013 Launch | Channel 9 | channel9.msdn.com" [2]: https://web.archive.org/web/20240731095411/https://learn.microsoft.com/en-us/visualstudio/releasenotes/vs2013-rtm-vs "Visual Studio 2013 Release Notes | Microsoft Learn | learn.microsoft.com" - [3]: https://github.com/privacysexy-forks/VSCELicense/blob/master/VSCELicense.psm1 "VSCELicense/VSCELicense.psm1 at master · privacysexy-forks/VSCELicense | github.com" + [3]: https://web.archive.org/web/20240809125330/https://github.com/privacysexy-forks/VSCELicense/blob/master/VSCELicense.psm1 "VSCELicense/VSCELicense.psm1 at master · privacysexy-forks/VSCELicense | github.com" [4]: https://web.archive.org/web/20240731002659/https://stackoverflow.com/questions/12465361/how-to-change-visual-studio-2012-2013-or-2015-license-key/22258088#22258088 "How to change Visual Studio 2012,2013 or 2015 License Key? | Stack Overflow | stackoverflow.com" - [5]: https://github.com/privacysexy-forks/VSKeyExtractor/blob/main/Program.cs "VSKeyExtractor/Program.cs at main · privacysexy-forks/VSKeyExtractor | github.com" + [5]: https://web.archive.org/web/20240809125530/https://github.com/privacysexy-forks/VSKeyExtractor/blob/main/Program.cs "VSKeyExtractor/Program.cs at main · privacysexy-forks/VSKeyExtractor | github.com" call: function: DeleteVisualStudioLicense parameters: 
@@ -1115,8 +1129,8 @@ actions: [2]: https://web.archive.org/web/20240731100217/https://learn.microsoft.com/en-us/visualstudio/releasenotes/vs2015-rtm-vs "Visual Studio 2015 Release Notes | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240731100226/https://learn.microsoft.com/en-us/lifecycle/products/visual-studio-2015 "Visual Studio 2015 - Microsoft Lifecycle | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20231124133749/https://stackoverflow.com/questions/12465361/how-to-change-visual-studio-2012-2013-or-2015-license-key/32482322#32482322 "How to change Visual Studio 2012,2013 or 2015 License Key? | Stack Overflow | stackoverflow.com" - [5]: https://github.com/privacysexy-forks/VSKeyExtractor/blob/main/Program.cs "VSKeyExtractor/Program.cs at main · privacysexy-forks/VSKeyExtractor | github.com" - [6]: https://github.com/privacysexy-forks/VSCELicense/blob/master/VSCELicense.psm1 "VSCELicense/VSCELicense.psm1 at master · privacysexy-forks/VSCELicense | github.com" + [5]: https://web.archive.org/web/20240809125530/https://github.com/privacysexy-forks/VSKeyExtractor/blob/main/Program.cs "VSKeyExtractor/Program.cs at main · privacysexy-forks/VSKeyExtractor | github.com" + [6]: https://web.archive.org/web/20240809125330/https://github.com/privacysexy-forks/VSCELicense/blob/master/VSCELicense.psm1 "VSCELicense/VSCELicense.psm1 at master · privacysexy-forks/VSCELicense | github.com" call: function: DeleteVisualStudioLicense parameters: 
@@ -1148,9 +1162,9 @@ actions: [1]: https://web.archive.org/web/20240731102312/https://devblogs.microsoft.com/visualstudio/announcing-visual-studio-2017-general-availability-and-more/ "Announcing Visual Studio 2017 General Availability... and more - Visual Studio Blog | devblogs.microsoft.com" [2]: https://web.archive.org/web/20240731102317/https://learn.microsoft.com/en-us/visualstudio/releasenotes/vs2017-relnotes-history "Visual Studio 2017 Release History | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20240731102322/https://learn.microsoft.com/en-us/lifecycle/products/visual-studio-2017 "Visual Studio 2017 - Microsoft Lifecycle | Microsoft Learn | learn.microsoft.com" - [4]: https://github.com/privacysexy-forks/VSCELicense/blob/master/VSCELicense.psm1 "VSCELicense/VSCELicense.psm1 at master · privacysexy-forks/VSCELicense | github.com" + [4]: https://web.archive.org/web/20240809125330/https://github.com/privacysexy-forks/VSCELicense/blob/master/VSCELicense.psm1 "VSCELicense/VSCELicense.psm1 at master · privacysexy-forks/VSCELicense | github.com" [5]: https://web.archive.org/web/20231124134032/https://stackoverflow.com/questions/43390466/is-visual-studio-community-a-30-day-trial/51570570#51570570 "Is Visual Studio Community a 30 day trial? | Stack Overflow | stackoverflow.com" - [6]: https://github.com/privacysexy-forks/VSKeyExtractor/blob/main/Program.cs "VSKeyExtractor/Program.cs at main · privacysexy-forks/VSKeyExtractor | github.com" + [6]: https://web.archive.org/web/20240809125530/https://github.com/privacysexy-forks/VSKeyExtractor/blob/main/Program.cs "VSKeyExtractor/Program.cs at main · privacysexy-forks/VSKeyExtractor | github.com" call: function: DeleteVisualStudioLicense parameters: 
@@ -1183,8 +1197,8 @@ actions: [1]: https://web.archive.org/web/20240731103501/https://learn.microsoft.com/en-us/visualstudio/ide/whats-new-visual-studio-2019?view=vs-2019 "What's new in Visual Studio 2019 | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240731103505/https://learn.microsoft.com/en-us/lifecycle/products/visual-studio-2019 "Visual Studio 2019 - Microsoft Lifecycle | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20231124134207/https://stackoverflow.com/questions/46731291/how-to-change-visual-studio-2017-license-key/46974337#46974337 "How to change Visual Studio 2017 License Key? | Stack Overflow | stackoverflow.com" - [4]: https://github.com/privacysexy-forks/VSKeyExtractor/blob/main/Program.cs "VSKeyExtractor/Program.cs at main · privacysexy-forks/VSKeyExtractor | github.com" - [5]: https://github.com/privacysexy-forks/VSCELicense/blob/master/VSCELicense.psm1 "VSCELicense/VSCELicense.psm1 at master · privacysexy-forks/VSCELicense | github.com" + [4]: https://web.archive.org/web/20240809125530/https://github.com/privacysexy-forks/VSKeyExtractor/blob/main/Program.cs "VSKeyExtractor/Program.cs at main · privacysexy-forks/VSKeyExtractor | github.com" + [5]: https://web.archive.org/web/20240809125330/https://github.com/privacysexy-forks/VSCELicense/blob/master/VSCELicense.psm1 "VSCELicense/VSCELicense.psm1 at master · privacysexy-forks/VSCELicense | github.com" call: function: DeleteVisualStudioLicense parameters: 
@@ -1227,7 +1241,7 @@ actions: [3]: https://web.archive.org/web/20231124134314/https://github.com/beatcracker/VSCELicense/issues/14 "VS 2022 Key Discussion | beatcracker/VSCELicense | GitHub | github.com" [4]: https://web.archive.org/web/20231124134431/https://learn.microsoft.com/en-us/answers/questions/673243/how-do-i-remove-a-license-from-visual-studio-2022 "MSFT Answer | Microsoft Learn | learn.microsoft.com" [5]: https://web.archive.org/web/20231124134322/https://stackoverflow.com/questions/46731291/how-to-change-visual-studio-2017-license-key/71624750#71624750 "How to change Visual Studio 2017 License Key? | Stack Overflow | stackoverflow.com" - [6]: https://github.com/privacysexy-forks/VSKeyExtractor/blob/main/Program.cs "VSKeyExtractor/Program.cs at main · privacysexy-forks/VSKeyExtractor | github.com" + [6]: https://web.archive.org/web/20240809125530/https://github.com/privacysexy-forks/VSKeyExtractor/blob/main/Program.cs "VSKeyExtractor/Program.cs at main · privacysexy-forks/VSKeyExtractor | github.com" call: - function: DeleteVisualStudioLicense 
@@ -2261,11 +2275,13 @@ actions: [2]: https://web.archive.org/web/20230806160827/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/clean-up-the-winsxs-folder?view=windows-11 "Clean Up the WinSxS Folder | Microsoft Learn" [3]: https://web.archive.org/web/20230710000943/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/manage-the-component-store?view=windows-11 "Manage the Component Store | Microsoft Learn" call: - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\SideBySide\Configuration" /v "DisableResetbase" /t "REG_DWORD" /d "0" /f - revertCode: |- # Windows 10 21H1, 22H1: Key exists with value "1" | Windows 11 21H1: Key does not exist | Windows 11 22H2, 23H2: Key exists with value "1" - reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\SideBySide\Configuration" /v "DisableResetbase" /t "REG_DWORD" /d "1" /f + keyPath: HKLM\Software\Microsoft\Windows\CurrentVersion\SideBySide\Configuration + valueName: DisableResetbase + dataType: REG_DWORD + data: '0' + dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 21H1) | Missing on Windows 11 Pro 21H1 | `1` on Windows 11 Pro (≥ 22H2) - name: Remove Windows product key from registry # Helps to protect it from being stolen and used for identity theft or identifying you. 
@@ -2459,15 +2475,13 @@ actions: parameters: appCapability: location - - function: RunInlineCode + function: SetRegistryValue parameters: - code: |- - :: Disable "Location Services" - reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /d "0" /t REG_DWORD /f - # The default value is `1` by default since Windows 10 22H2 and Windows 11 23H2. - revertCode: |- - :: Restore "Location Services" - reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /d "1" /t REG_DWORD /f + keyPath: HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration # Location Services + valueName: Status + dataType: REG_DWORD + data: '0' + dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) - function: BlockUWPLegacyDeviceAccess parameters: @@ -3540,11 +3554,13 @@ actions: data: '0' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H1) and Windows 11 Pro (≥ 22H2) - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\Software\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "0" /f - # `0` by default since Windows 10 Pro (≥ 21H1) and Windows 11 Pro (≥ 22H2) - revertCode: reg add "HKLM\Software\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "0" /f + keyPath: HKLM\Software\Microsoft\SQMClient\Windows + valueName: CEIPEnable + dataType: REG_DWORD + data: '0' + dataOnRevert: '0' # Default value: `0` on Windows 10 Pro (≥ 21H1) | `1` on Windows 11 Pro (≥ 22H2) - name: Disable Customer Experience Improvement Program data uploads recommend: standard 
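Review bot: In the `CEIPEnable` hunk (@@ -3540), `dataOnRevert: '0'` is the same as `data: '0'`, yet the new comment gives the Windows 11 Pro (≥ 22H2) default as `1`, where the removed comment said `0` on both systems. If the new comment is correct, a revert leaves CEIP opted out on Windows 11 instead of restoring the default; if the old one was correct, the comment changed by accident during the conversion. The `GameDVR_Enabled` hunk (@@ -6777) has the same shape: `dataOnRevert: '0'` against a stated default of `1` on Windows 10 Pro, and its version labels also differ from the removed comment. Where one revert value cannot match both systems, the comment should say so, for example `# Revert keeps '0'; default differs per OS`. The enclosing `call:` list begins outside the hunk.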
@@ -5224,11 +5240,13 @@ actions: [4]: https://web.archive.org/web/20230731225544/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/overview "Desktop Analytics - Configuration Manager | Microsoft Learn" call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t "REG_DWORD" /d "0" /f - revertCode: |- # Key exists with value "1" since Windows 10 22H2, Windows 11 22H3 - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t "REG_DWORD" /d "1" /f + keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection + valueName: AllowTelemetry + dataType: REG_DWORD + data: '0' + dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 22H3) - function: SetRegistryValue # Using Group policy object (GPO) parameters: @@ -5382,11 +5400,13 @@ actions: codeComment: Disable Windows Error Reporting (WER) consent revertCodeComment: Revert Windows Error Reporting (WER) consent - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultConsent" /t "REG_DWORD" /d "1" /f - revertCode: >- # Key exists with value "4" (All data) since Windows 10 22H2, Windows 11 22H3 - reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultConsent" /t "REG_DWORD" /d "4" /f + keyPath: HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent + valueName: DefaultConsent + dataType: REG_DWORD + data: '1' + dataOnRevert: '4' # Default value: `4` on Windows 10 Pro (≥ 22H2) | `4` on Windows 11 Pro (≥ 22H3) - function: SetRegistryValue parameters: 
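Review bot: The rewritten default-value comments in this hunk (`AllowTelemetry`) and in @@ -5382, @@ -5452 and @@ -5482 still cite `Windows 11 Pro (≥ 22H3)`, a label copied from the removed lines that does not appear to match any released Windows 11 version. The `AdvertisingInfo` hunk (@@ -6579) rewrites the same `22H3` to `23H2`, so the conversion is inconsistent across hunks. Because `dataOnRevert` is justified only by these comments, the tested build should be confirmed and the label changed to `23H2` (or whichever release was actually tested) in all four places.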
@@ -5452,11 +5472,13 @@ actions: - https://web.archive.org/web/20240314125819/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceinstallation#preventdevicemetadatafromnetwork call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 1 /f - revertCode: >- # Key exists as `0` since Windows 10 22H2, Windows 11 22H3 - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 0 /f + keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata + valueName: PreventDeviceMetadataFromNetwork + dataType: REG_DWORD + data: '1' + dataOnRevert: '0' # Default value: `0` on Windows 10 Pro (≥ 22H2) | `0` on Windows 11 Pro (≥ 22H3) - function: SetRegistryValue parameters: @@ -5482,12 +5504,13 @@ actions: docs: https://www.stigviewer.com/stig/windows_7/2018-02-12/finding/V-21965 recommend: strict call: - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t "REG_DWORD" /d "1" /f - revertCode: |- - :: Key exists with value "4" (All data) since Windows 10 22H2, Windows 11 22H3 - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t "REG_DWORD" /d "1" /f + keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching + valueName: SearchOrderConfig + dataType: REG_DWORD + data: '1' + dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 22H3) - category: Disable obtaining updates from other PCs on the Internet (delivery optimization) docs: |- 
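Review bot: In the `SearchOrderConfig` hunk (@@ -5482), `data: '1'` and `dataOnRevert: '1'` are identical and the comment states the default is also `1`, so on a default system this action changes nothing in either direction. The removed `reg add` lines already wrote `1` both ways, so this is inherited, but the structured form is a good place to settle it. The action links a STIG finding and is marked `recommend: strict`, so the hardened value presumably differs from the default. Confirm the intended `data` against that finding, or add a comment explaining why both values are `1`.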
@@ -5612,20 +5635,24 @@ actions: name: Disable active probing to Microsoft NCSI server recommend: strict call: - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t "REG_DWORD" /d "0" /f - revertCode: >- # Key exists with value "1" since Windows 10 21H2, Windows 11 22H2 - reg add "HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t "REG_DWORD" /d "1" /f + keyPath: HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet + valueName: EnableActiveProbing + dataType: REG_DWORD + data: '0' + dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 21H2) | `1` on Windows 11 Pro (≥ 22H2) - name: Opt out of Windows privacy consent recommend: standard call: - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t "REG_DWORD" /d "0" /f - revertCode: >- # Key exists with value "1" since Windows 10 21H2, Windows 11 22H2 - reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t "REG_DWORD" /d "1" /f + keyPath: HKCU\SOFTWARE\Microsoft\Personalization\Settings + valueName: AcceptedPrivacyPolicy + dataType: REG_DWORD + data: '0' + dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 21H2) | `1` on Windows 11 Pro (≥ 22H2) - name: Disable Windows feedback collection recommend: standard 
@@ -5710,11 +5737,13 @@ actions: data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 23H2) - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d 0 /f - revertCode: |- # Default value: `1` since Windows 10 21H2, Windows 11 23H2 - reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d 1 /f + keyPath: HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore + valueName: HarvestContacts + dataType: REG_DWORD + data: '0' + dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 21H2) | `1` on Windows 11 Pro (≥ 23H2) - category: Disable location access children: @@ -5760,11 +5789,13 @@ actions: data: "Deny" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /d "0" /t REG_DWORD /f - revertCode: >- # Default value is `1` since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /d "1" /t REG_DWORD /f + keyPath: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44} + valueName: SensorPermissionState + dataType: REG_DWORD + data: '0' + dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) - name: Disable device sensors recommend: standard 
@@ -5846,9 +5877,14 @@ actions: - name: Disable Cortana experience recommend: standard - code: reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Experience\AllowCortana" /v "value" /t REG_DWORD /d 0 /f - # This key has value `1` (tested since Windows 10 22H2, and Windows 11 23H3) - revertCode: reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Experience\AllowCortana" /v "value" /t REG_DWORD /d 1 /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\PolicyManager\default\Experience\AllowCortana + valueName: value + dataType: REG_DWORD + data: '0' + dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) - name: Disable Cortana's access to cloud services such as OneDrive and SharePoint recommend: standard @@ -6579,11 +6615,13 @@ actions: docs: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#181-general call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f - # `1` by default since Windows 10 22H2, and Windows 11 22H3 - revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "1" /f + keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo + valueName: Enabled + dataType: REG_DWORD + data: '0' + dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: 
@@ -6599,8 +6637,14 @@ actions: name: Disable Windows Tips recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.CloudContent::DisableSoftLanding - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableSoftLanding" /t REG_DWORD /d "1" /f - revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableSoftLanding" /t REG_DWORD /d "0" /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent + valueName: DisableSoftLanding + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable Windows Spotlight (shows random wallpapers on lock screen) recommend: strict 
@@ -6636,22 +6680,45 @@ actions: - https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-71771 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.CloudContent::DisableWindowsConsumerFeatures - https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1816-feedback--diagnostics - code: reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t "REG_DWORD" /d "1" /f - revertCode: reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t "REG_DWORD" /d "0" /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows\CloudContent + valueName: DisableWindowsConsumerFeatures + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable suggested content in Settings app recommend: standard docs: - https://web.archive.org/web/20230929130219/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004 - https://www.blogsdna.com/28017/how-to-disable-turn-off-suggested-content-on-windows-10-setting-app.htm - code: |- - reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /d "0" /t REG_DWORD /f - reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /d "0" /t REG_DWORD /f - reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /d "0" /t REG_DWORD /f - revertCode: |- - reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /d "1" /t REG_DWORD /f - reg add 
"HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /d "1" /t REG_DWORD /f - reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /d "1" /t REG_DWORD /f + call: + - + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager + valueName: SubscribedContent-338393Enabled + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager + valueName: SubscribedContent-353694Enabled + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager + valueName: SubscribedContent-353696Enabled + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable biometrics (breaks fingerprinting/facial login) children: 
@@ -6712,11 +6779,13 @@ actions: data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 22H2) - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "value" /t REG_DWORD /d 0 /f - # Default value: `1` since Windows 10 21H2, Windows 11 22H2 - revertCode: reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "value" /t REG_DWORD /d 1 /f + keyPath: HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots + valueName: Enabled + dataType: REG_DWORD + data: '0' + dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 21H2) | `1` on Windows 11 Pro (≥ 22H2) - function: SetRegistryValue parameters: @@ -6777,11 +6846,13 @@ actions: recommend: standard call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d 0 /f - revertCode: >- # `0` since Windows 11 23H2 and `1` since Windows 10 22H2 - reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d 0 /f + keyPath: HKCU\System\GameConfigStore + valueName: GameDVR_Enabled + dataType: REG_DWORD + data: '0' + dataOnRevert: '0' # Default value: `1` on Windows 10 Pro (≥ 21H2) | `0` on Windows 11 Pro (≥ 22H2) - function: SetRegistryValue parameters: 
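Review bot: In the `AllowAutoConnectToWiFiSenseHotspots` hunk (@@ -6712), the converted call sets `valueName: Enabled`, whereas the removed `reg add` line wrote `/v "value"`. The other `PolicyManager\default\...` conversions in this diff (`AllowCortana`, `AllowExperimentation`) keep `valueName: value`, so this looks like a copy-paste slip. It would create an `Enabled` value the policy presumably does not read, so the setting would stay at its default while the script appears to succeed. Change the line to `valueName: value`. The surrounding `call:` list starts and ends outside the hunk.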
@@ -6807,17 +6878,21 @@ actions: recommend: standard call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f - # `1` since Windows 11 23H2 and `1` since Windows 10 22H2 - revertCode: reg add "HKLM\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 1 /f + keyPath: HKLM\SOFTWARE\Microsoft\Input\TIPC + valueName: Enabled + dataType: REG_DWORD + data: '0' + dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f - # `1` since Windows 11 23H2 and `1` since Windows 10 22H2 - revertCode: reg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 1 /f + keyPath: HKCU\SOFTWARE\Microsoft\Input\TIPC + valueName: Enabled + dataType: REG_DWORD + data: '0' + dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) - name: Disable Activity Feed feature recommend: standard 
@@ -6874,11 +6949,13 @@ actions: data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t "REG_DWORD" /d 0 / - # Default value is `1` since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - revertCode: reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t "REG_DWORD" /d 1 /f + keyPath: HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation + valueName: value + dataType: REG_DWORD + data: '0' + dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) - name: Disable receipt of Windows preview builds docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AllowBuildPreview::AllowBuildPreview 
@@ -7137,66 +7214,113 @@ actions: name: Disable participation in Visual Studio Customer Experience Improvement Program (VSCEIP) recommend: standard docs: |- - `VSCEIP` collects information about errors, computer hardware, and how people use Visual Studio [1]. - The information is sent to Microsoft servers for further analysis. + This script disables participation in the Visual Studio Customer Experience Improvement Program (VSCEIP), + enhancing your privacy and system performance. + + Previously, VSCEIP was known as `PerfWatson` in Visual Studio [1]. + It collects information about errors, hardware specifications, and usage patterns in Visual Studio [1] [2]. + This data includes crashes, memory dumps, errors, stack traces, CPU and memory usage, interaction telemetry, + and other diagnostic data [2]. + The collected information is sent to Microsoft servers for analysis [1] [2]. - This was previously known as Customer Experience Improvement Program (`PerfWatson`) for Visual Studio - that primarily collected your personal usage and related performance data [2]. + By default, VSCEIP data collection is enabled when Visual Studio is installed. + This means unless you actively opt out, Microsoft will collect and analyze your usage data. - For more information about the information collected, processed, or transmitted by the `VSCEIP`, see the - [Microsoft Privacy Statement](https://web.archive.org/web/20231006103250/https://privacy.microsoft.com/en-US/privacystatement). + By disabling VSCEIP, this script enhances your privacy by preventing Visual Studio from sending your usage + data to Microsoft. + It also improves system performance by reducing background data collection and transmission. 
- Visual Studio uses different keys based on CPU architecture of the host operating system (32bit or 64bit) [1]: + ## Technical Details - - 32bit: `HKLM\SOFTWARE\Microsoft\VSCommon` - - 64bit: `HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon` + The script modifies registry keys for Visual Studio versions from 2015 to 2022 [3]: - Key `OptIn` can have two different values [1]: + | Version | Product | + |:-------:|--------------------| + | 14.0 | Visual Studio 2015 | + | 15.0 | Visual Studio 2017 | + | 16.0 | Visual Studio 2019 | + | 17.0 | Visual Studio 2022 | - - `0` is opted out (turn off) - - `1` is opted in (turn on) + It sets the `OptIn` value to `0` in the following registry paths: - The default installation sets the key as `1` (opt-in by default) since Visual Studio 2022. + - `HKLM\SOFTWARE[\Wow6432Node]\Microsoft\VSCommon\\SQM` [2] + - `HKLM\Software\Policies\Microsoft\VisualStudio\SQM` (for Group Policy enabled users) [2] - [1]: https://web.archive.org/web/20240314092010/https://learn.microsoft.com/en-us/visualstudio/ide/visual-studio-experience-improvement-program?view=vs-2022 "Customer Experience Improvement Program - Visual Studio (Windows) | Microsoft Learn | learn.microsoft.com" - [2]: https://devblogs.microsoft.com/visualstudio/how-we-use-your-perfwatson-data-to-identify-unresponsive-areas/ "How we use your PerfWatson data to identify Unresponsive areas | Visual Studio Blog" + The script modifies both 32-bit and 64-bit paths, except for Visual Studio 2022, which is 64-bit only [4]. + + By default, Visual Studio 2022 (last tested on version 17.10.5 on Windows 11 23H2) sets the `OptIn` value to `1`, + meaning the user is opted in to the program. + This script changes that value to `0`, opting the user out [2]. 
+ + [1]: https://web.archive.org/web/20240808194752/https://devblogs.microsoft.com/visualstudio/how-we-use-your-perfwatson-data-to-identify-unresponsive-areas/ "How we use your PerfWatson data to identify Unresponsive areas | Visual Studio Blog" + [2]: https://web.archive.org/web/20240314092010/https://learn.microsoft.com/en-us/visualstudio/ide/visual-studio-experience-improvement-program?view=vs-2022 "Customer Experience Improvement Program - Visual Studio (Windows) | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240808200605/https://en.wikipedia.org/wiki/Visual_Studio#History "Visual Studio - Wikipedia | en.wikipedia.org" + [4]: https://web.archive.org/web/20240808195819/https://devblogs.microsoft.com/visualstudio/visual-studio-2022/ "Visual Studio 2022 - Visual Studio Blog | devblogs.microsoft.com" call: - - # Using OS keys - function: RunInlineCode + function: SetRegistryValue parameters: - code: |- - if %PROCESSOR_ARCHITECTURE%==x86 ( REM is 32 bit? - reg add "HKLM\SOFTWARE\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f - ) else ( - reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f - ) - revertCode: |- - if %PROCESSOR_ARCHITECTURE%==x86 ( REM is 32 bit? 
- reg add "HKLM\SOFTWARE\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f - ) else ( - reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f - ) + keyPath: HKLM\Software\Policies\Microsoft\VisualStudio\SQM # Group Policy + valueName: OptIn + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default on Windows 11 Pro 23H2 running Visual Studio 22 17.10.5 - function: SetRegistryValue parameters: - keyPath: HKLM\Software\Policies\Microsoft\VisualStudio\SQM + keyPath: HKLM\SOFTWARE\Microsoft\VSCommon\14.0\SQM # Visual Studio 2015 on x86 (32-bit) Windows valueName: OptIn dataType: REG_DWORD - data: "0" - deleteOnRevert: 'true' # This key is not set by the default installation since Visual Studio 2022 + data: '0' + dataOnRevert: '1' + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\14.0\SQM # Visual Studio 2015 on x64 (64-bit) Windows + valueName: OptIn + dataType: REG_DWORD + data: '0' + dataOnRevert: '1' + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\VSCommon\15.0\SQM # Visual Studio 2017 on x86 (32-bit) Windows + valueName: OptIn + dataType: REG_DWORD + data: '0' + dataOnRevert: '1' + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\15.0\SQM # Visual Studio 2017 on x64 (64-bit) Windows + valueName: OptIn + dataType: 
REG_DWORD + data: '0' + dataOnRevert: '1' + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\VSCommon\16.0\SQM # Visual Studio 2019 on x86 (32-bit) Windows + valueName: OptIn + dataType: REG_DWORD + data: '0' + dataOnRevert: '1' + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\16.0\SQM # Visual Studio 2019 on x64 (64-bit) Windows + valueName: OptIn + dataType: REG_DWORD + data: '0' + dataOnRevert: '1' + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\17.0\SQM # Visual Studio 2022 on x64 (64-bit) Windows + valueName: OptIn + dataType: REG_DWORD + data: '0' + dataOnRevert: '1' # Last tested on Windows 11 Pro 23H2 running Visual Studio 22 17.10.5 - name: Disable Visual Studio telemetry docs: |- 
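Review bot: Revert writes `OptIn = 1` into all seven `VSCommon\<version>\SQM` keys, but the only default the comments state as tested is Visual Studio 2022 17.10.5, so `dataOnRevert: '1'` for 14.0, 15.0 and 16.0 is an assumption. Both the native and `Wow6432Node` paths are now written unconditionally, where the removed batch code picked one by `%PROCESSOR_ARCHITECTURE%`, so applying and then reverting leaves an opted-in value under keys for versions and registry views that may never have had one. If those defaults cannot be verified, say so on each entry, e.g. `dataOnRevert: '1' # Assumed default; only verified for Visual Studio 2022 17.10.5`, or use `deleteOnRevert: 'true'` where the value is absent on a clean install. The trailing comments also read `Visual Studio 22`, which should be `Visual Studio 2022`.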
@@ -7652,88 +7776,326 @@ actions: powerShellValue: $false - category: Disable Microsoft Office telemetry - docs: https://web.archive.org/web/20240314130549/https://learn.microsoft.com/en-us/deployoffice/compat/manage-the-privacy-of-data-monitored-by-telemetry-in-office + docs: |- + This category includes scripts that disable various telemetry and data collection features in Microsoft Office applications. + + Microsoft Office collects telemetry data to improve user experience and product functionality [1]. + However, this data collection raises privacy concerns. + + The scripts in this category aim to enhance user privacy by limiting or disabling the transmission of usage data, + diagnostic information, and other potentially sensitive details to Microsoft. + + Disabling Office telemetry will: + + - Enhance privacy by preventing the collection and transmission of user data. + - Potentially improve system performance by reducing background processes related to data collection. + - Reduce network usage associated with sending telemetry data. + + Disabling telemetry may impact Microsoft's ability to provide personalized experiences, troubleshoot issues, or deliver certain updates. + However, for users prioritizing privacy, the benefits often outweigh these potential drawbacks. 
+ + [1]: https://web.archive.org/web/20240314130549/https://learn.microsoft.com/en-us/deployoffice/compat/manage-the-privacy-of-data-monitored-by-telemetry-in-office "Manage the privacy of data monitored by Office Telemetry Dashboard - Deploy Office | Microsoft Learn" children: - name: Disable Microsoft Office logging recommend: standard - code: |- - reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f - reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f - reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f - reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f - reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f - reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f - reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f - reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f - reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f - reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f - revertCode: |- - reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 1 /f - reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 1 /f - reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 1 /f - reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 1 /f - reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 1 /f - reg add 
"HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 1 /f - reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableLogging" /t REG_DWORD /d 1 /f - reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableLogging" /t REG_DWORD /d 1 /f - reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableUpload" /t REG_DWORD /d 1 /f - reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d 1 /f + docs: |- + This script disables logging and data collection features in Microsoft Office applications. + + It improves your privacy by preventing Office from recording and potentially sharing + information about your usage patterns and document activities. + This data may include details about the files you open, edit, or create. + + The script may also improve system performance by reducing background processes + related to logging and data collection. + + ### Technical Details + + This script affects Office versions from 2013 to 2021 [1]: + + | Version Number | Product Name | + | -------------- | ------------ | + | 15.0 | Office 2013 | + | 16.0 | Office 2016 | + | 16.0 | Office 2019 | + | 16.0 | Office 2021 | + + The script modifies registry settings to disable: + + - Mail logging in Outlook: `HKCU\SOFTWARE\Microsoft\Office\\Outlook\Options\Mail!EnableLogging` + - Calendar logging in Outlook: `HKCU\SOFTWARE\Microsoft\Office\\Outlook\Options\Calendar!EnableCalendarLogging` + - Logging in Word: `HKCU\SOFTWARE\Microsoft\Office\\Word\Options!EnableLogging` + - Office Software Management (OSM) logging: `HKCU\SOFTWARE\Policies\Microsoft\Office\\OSM!EnableLogging` + - Office Software Management (OSM) data upload: `HKCU\SOFTWARE\Policies\Microsoft\Office\\OSM!EnableUpload` + + Tests on Office versions 2013, 2016, 2019, and 2021 confirm that these registry values are not present in a default installation. 
+ + [1]: https://web.archive.org/web/20240809090857/https://en.wikipedia.org/wiki/History_of_Microsoft_Office#Summary "History of Microsoft Office - Wikipedia | en.wikipedia.org" + call: + - + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Mail + valueName: EnableLogging + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Mail + valueName: EnableLogging + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (tested on Windows 11 Pro 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Calendar + valueName: EnableCalendarLogging + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Calendar + valueName: EnableCalendarLogging + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Options + valueName: EnableLogging + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Options + valueName: EnableLogging + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2) + - + function: SetRegistryValue + parameters: + keyPath: 
HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM + valueName: EnableLogging + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM + valueName: EnableLogging + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM + valueName: EnableUpload + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM + valueName: EnableUpload + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2) - name: Disable Microsoft Office client telemetry recommend: standard - code: |- - reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f - reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f - reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f - reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f - revertCode: |- - reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 0 /f - reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 0 /f - reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 1 /f - reg add 
"HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 1 /f + docs: |- + This script disables telemetry data collection in Microsoft Office applications. + + It improves your privacy by preventing Office from sending usage data and diagnostic + information to Microsoft. + This data may include details about your Office usage patterns, document content, + and system information. + + The script may also improve system performance by reducing background processes + related to data collection and transmission. + + ### Technical Details + + The script modifies registry settings for multiple Office versions (Common, 15.0, and 16.0). + It includes (but not limited to) following products [1]: + + | Version Number | Product Name | + | -------------- | ------------ | + | 15.0 | Office 2013 | + | 16.0 | Office 2016 | + | 16.0 | Office 2019 | + | 16.0 | Office 2021 | + + The script modifies registry settings to disable: + + - Telemetry: `HKCU\SOFTWARE\Microsoft\Office[\]\Common\ClientTelemetry!DisableTelemetry` + - Verbose logging: `HKCU\SOFTWARE\Microsoft\Office[\]\Common\ClientTelemetry!VerboseLogging` + + Tests on Office versions 2013, 2016, 2019, and 2021 confirm that these registry values are not present in a default installation. 
+ + [1]: https://web.archive.org/web/20240809090857/https://en.wikipedia.org/wiki/History_of_Microsoft_Office#Summary "History of Microsoft Office - Wikipedia | en.wikipedia.org" + call: + - + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry + valueName: DisableTelemetry + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Microsoft\Office\15.0\Common\ClientTelemetry + valueName: DisableTelemetry + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry + valueName: DisableTelemetry + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry + valueName: VerboseLogging + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Microsoft\Office\15.0\Common\ClientTelemetry + valueName: VerboseLogging + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry + valueName: VerboseLogging + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2) - name: Disable user participation in Office Customer Experience 
Improvement Program (CEIP) recommend: standard docs: |- This script disables user participation in the Microsoft Office Customer Experience Improvement Program (CEIP) [1]. - The CEIP allows Microsoft Office users to send usage information to Microsoft [1]. When users join this program, Office applications - transmit data to Microsoft about the user's interaction with the software [1]. Part of this data includes identifying details, such as - the user's IP address used during the data transfer [1]. + The CEIP allows Microsoft Office users to send usage information to Microsoft [1]. + When users join this program, Office applications transmit data to Microsoft about the user's interaction with the software [1]. + Part of this data includes identifying details, such as the user's IP address used during the data transfer [1]. - By default, when running Microsoft Office for the first time, users are given the choice to join the CEIP [1]. If they accept, - their Office applications will periodically send usage statistics to Microsoft [1]. + By default, when running Microsoft Office for the first time, users are given the choice to join the CEIP [1]. + If they accept, their Office applications will periodically send usage statistics to Microsoft [1]. Implementing this script ensures: - Users will not have the choice to participate in the CEIP [1]. - Office applications won't send any CEIP usage data to Microsoft [1]. - To accomplish this, the script modifies the `HKCU\Software\Policies\Microsoft\Office\{15.0|16.0}\common!QMEnable` policy setting [1] [2] [3]. - If this policy is not configured, it acts as if the policy is set to `Enabled` [1], meaning users are offered the choice to join the CEIP during - their initial use of Office [1] [2]. - Prioritizing privacy, the US Department of Defense (DoD) suggests this configuration to enhance the security and privacy of the operating system [2]. 
+ ### Technical Details + + This modifies the `HKCU\Software\Policies\Microsoft\Office\\Common!QMEnable` policy setting [1] [2] [3]. + If this policy is not configured, it acts as if the policy is set to `Enabled` [1]. + This means that users are offered the choice to join the CEIP during their initial use of Office [1] [2]. + This script sets this value to `0`, which disables the Customer Experience Improvement Program [1] [2] [3]. + + This script affects Office versions from 2013 to 2021 [4]: + + | Version Number | Product Name | + | -------------- | ------------ | + | 15.0 | Office 2013 | + | 16.0 | Office 2016 | + | 16.0 | Office 2019 | + | 16.0 | Office 2021 | + + Tests on Office versions 2013, 2016, 2019, and 2021 confirm that these registry values are not present in a default installation. + [1]: https://web.archive.org/web/20230922125001/https://download.microsoft.com/download/c/3/f/c3f8bd05-1743-4d7d-849c-c352b0f61835/office2010grouppolicyandoctsettings_reference.xls "ADMX, ADML, and ADM Settings - Download Center | microsoft.com" [2]: https://web.archive.org/web/20230922125003/https://www.stigviewer.com/stig/microsoft_office_system_2013/2014-12-23/finding/V-17612 "The Customer Experience Improvement Program for Office must be disabled. 
| stigviewer.com" [3]: https://web.archive.org/web/20221205201409/https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_EnableCustomerExperienceImprovementProgram "Enable Customer Experience Improvement Program | admx.help" - code: |- - reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common" /v "QMEnable" /t REG_DWORD /d 0 /f - reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common" /v "QMEnable" /t REG_DWORD /d 0 /f - revertCode: |- - reg delete "HKCU\SOFTWARE\Microsoft\Office\15.0\Common" /v "QMEnable" /t REG_DWORD /f - reg delete "HKCU\SOFTWARE\Microsoft\Office\16.0\Common" /v "QMEnable" /t REG_DWORD /f + [4]: https://web.archive.org/web/20240809090857/https://en.wikipedia.org/wiki/History_of_Microsoft_Office#Summary "History of Microsoft Office - Wikipedia | en.wikipedia.org" + call: + - + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Policies\Microsoft\Office\15.0\Common + valueName: QMEnable + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Policies\Microsoft\Office\16.0\Common + valueName: QMEnable + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2) - name: Disable Microsoft Office feedback recommend: standard - code: |- - reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f - reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f - revertCode: |- - reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 1 /f - reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 1 /f + docs: |- + This script disables feedback collection in Microsoft Office applications. 
+ + It enhances your privacy by blocking Office from collecting and sending your usage data to Microsoft. + This limits the personal information Microsoft receives about how you use Office. + It may also slightly boost system performance by removing background processes that collect feedback. + + ### Technical Details + + This script configures `HKCU\SOFTWARE\Microsoft\Office\\Common\Feedback!Enabled` registry value. + It affects Office versions from 2013 to 2021 [1]: + + | Version Number | Product Name | + | -------------- | ------------ | + | 15.0 | Office 2013 | + | 16.0 | Office 2016 | + | 16.0 | Office 2019 | + | 16.0 | Office 2021 | + + Tests on Office versions 2013, 2016, 2019, and 2021 confirm that this registry value is not present in a default installation. + + [1]: https://web.archive.org/web/20240809090857/https://en.wikipedia.org/wiki/History_of_Microsoft_Office#Summary "History of Microsoft Office - Wikipedia | en.wikipedia.org" + call: + - + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Feedback + valueName: Enabled + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Feedback + valueName: Enabled + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2) - name: Disable Microsoft Office telemetry agent recommend: standard 
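Review bot: The CEIP entries now write `QMEnable` under `HKCU\Software\Policies\Microsoft\Office\15.0\Common` and `...\16.0\Common`, whereas the removed lines wrote and deleted it under `HKCU\SOFTWARE\Microsoft\Office\15.0\Common` and `...\16.0\Common`. The new path matches the policy setting the docs cite, but a value left by an earlier run of this script at the non-policy path is no longer touched on revert and stays in the user's hive. A comment on the first entry would record this, e.g. `# Earlier script versions wrote QMEnable under HKCU\SOFTWARE\Microsoft\Office\<version>\Common; that value is not removed here`. Separately, one trailing comment in the logging block says `(tested on ...)` where the others say `(all tested on ...)`.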
@@ -10103,10 +10465,14 @@ actions: - name: Disable legacy WCM policy calls recommend: standard - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "CallLegacyWCMPolicies" /t REG_DWORD /d 0 /f - revertCode: >- - :: Default value is `0` since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "CallLegacyWCMPolicies" /t REG_DWORD /d 0 /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings + valueName: CallLegacyWCMPolicies + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H1) and Windows 11 Pro (≥ 22H2) - name: Disable SSLv3 fallback recommend: standard @@ -10831,9 +11197,17 @@ actions: - name: Disable sending Windows Media Player statistics recommend: standard - code: reg add "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "UsageTracking" /t "REG_DWORD" /d "0" /f - # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2), but key exists as `1` once Media Player in installed on Windows 10 22H2 - revertCode: reg add "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "UsageTracking" /t "REG_DWORD" /d "1" /f + call: + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences + valueName: UsageTracking + dataType: REG_DWORD + data: "0" + # Key is missing by default on Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2). + # On Windows 10 22H2, the key is created with value `1` when Windows Media Player is installed. + # Windows 11 uses a new Media Player app and lacks this legacy registry key. + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable metadata retrieval recommend: standard 
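Review bot: In the `UsageTracking` entry, the comment block says the value exists as `1` on Windows 10 22H2 once Windows Media Player is installed, yet revert deletes the value (`deleteOnRevert: 'true'`) where the removed `revertCode` wrote `1`. If deletion is intended because an absent value is the clean-install state, state that on the revert line, e.g. `deleteOnRevert: 'true' # Absent on a clean install; Media Player creates it as 1 when installed`. Otherwise `dataOnRevert: "1"` would match the documented Windows 10 state. The three comment lines also sit between `data` and `deleteOnRevert`, so they read as describing `data`; placing them above `keyPath` would be clearer.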
@@ -10907,11 +11281,13 @@ actions: data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) (CCleaner v6.23) - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKCU\Software\Piriform\CCleaner" /v "SystemMonitoring" /t REG_DWORD /d 0 /f - revertCode: >- # `1` by default on Windows 10 22H2, missing key on Windows 11 23H2 (CCleaner v6.23) - reg add "HKCU\Software\Piriform\CCleaner" /v "SystemMonitoring" /t REG_DWORD /d 1 /f + keyPath: HKCU\Software\Piriform\CCleaner + valueName: SystemMonitoring + dataType: REG_DWORD + data: "0" + dataOnRevert: "1" # Default value: `1` on Windows 10 22H2 | `1` on Windows 11 23H2 (CCleaner v6.23) - function: SetRegistryValue parameters: @@ -10929,11 +11305,21 @@ actions: data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) (CCleaner v6.23) - - function: RunInlineCode + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Piriform\CCleaner + valueName: UpdateBackground + dataType: REG_DWORD + data: "0" + dataOnRevert: "1" # Default value: `1` on Windows 11 23H2 (CCleaner v6.26) + - + function: SetRegistryValue parameters: - code: reg add "HKCU\Software\Piriform\CCleaner" /v "CheckTrialOffer" /t REG_DWORD /d 0 /f - revertCode: >- # `0` by default on Windows 10 22H2, missing key on Windows 11 23H2 (CCleaner v6.23) - reg add "HKCU\Software\Piriform\CCleaner" /v "CheckTrialOffer" /t REG_DWORD /d 1 /f + keyPath: HKCU\Software\Piriform\CCleaner + valueName: CheckTrialOffer + dataType: REG_DWORD + data: "0" + dataOnRevert: "0" # Default value: `0` on Windows 10 22H2 | `1` on Windows 11 23H2 (CCleaner v6.26) - function: SetRegistryValue parameters: 
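Review bot: For `CheckTrialOffer`, `dataOnRevert: "0"` equals `data: "0"`, so revert changes nothing, while the comment on that line gives the Windows 11 23H2 default as `1` and the removed `revertCode` wrote `1`. If keeping the trial-offer check off after revert is deliberate, say so in the comment, e.g. `dataOnRevert: "0" # Revert intentionally keeps 0 (default: 0 on Windows 10 22H2, 1 on Windows 11 23H2, CCleaner v6.26)`. Otherwise revert does not restore the documented Windows 11 state. In the previous hunk, the `SystemMonitoring` comment now gives `1` on Windows 11 23H2 for CCleaner v6.23, where the removed comment said the key was missing for the same version, so it is worth confirming which observation is current.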
@@ -12293,7 +12679,7 @@ actions: This is a security action recommended by organizations like the Department of Defense [1], NASA [2], IRS [8], NIST [6], CIS [4], and Microsoft [3]. - The change is enacted through the `HKLM\SYSTEM\CurrentControlSet\Control\Lsa!RestrictAnonymousSAM` registry + The change is enacted through the `HKLM\SYSTEM\CurrentControlSet\Control\Lsa!restrictanonymoussam` registry value [1] [2] [4] [5]. By default, it's enabled [4] and Windows restricts this setting if the registry value does not exist [3]. 
@@ -12322,10 +12708,14 @@ actions: [7]: https://web.archive.org/web/20231105201346/https://support.microsoft.com/en-us/topic/client-service-and-program-issues-can-occur-if-you-change-security-settings-and-user-rights-assignments-0cb6901b-dcbf-d1a9-e9ea-f1b49a56d53a "Client, service, and program issues can occur if you change security settings and user rights assignments - Microsoft Support | support.microsoft.com" [8]: https://web.archive.org/web/20231105200853/https://www.irs.gov/pub/irs-utl/safeguards-scsem-win-server2016.xlsx "IRS Office of Safeguards SCSEM | irs.gov" [9]: https://web.archive.org/web/20231105201413/https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/trust-between-windows-ad-domain-not-work-correctly "Trust between a Windows NT domain and an Active Directory domain can't be established or it doesn't work as expected - Windows Server | Microsoft Learn | learn.microsoft.com" - code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "RestrictAnonymousSAM" /t REG_DWORD /d 1 /f - revertCode: |- - :: Default value is `1` on modern Windows versions (Windows 10 since 22H2, Windows 11 since 22H2) - reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "RestrictAnonymousSAM" /t REG_DWORD /d 1 /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\Lsa + valueName: restrictanonymoussam + dataType: REG_DWORD + data: '1' + dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) - name: Disable anonymous access to named pipes and shares recommend: standard 
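Review bot: `data: '1'` and `dataOnRevert: '1'` are the same value for `restrictanonymoussam`, so revert is a no-op and the restriction stays on; the same holds for `restrictnullsessaccess` in the `LanManServer\Parameters` hunk below. That is the safer outcome, but the trailing comment only states the default and does not say the no-op is intended. Suggest `dataOnRevert: '1' # Revert keeps the restriction on; 1 is also the Windows default` on both entries. `valueName` was also lowercased in these hunks and in the `restrictanonymous` one; registry value names are case-insensitive, so behaviour is unchanged, and a short comment on why the casing changed would save the next reader a search.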
@@ -12336,7 +12726,7 @@ actions: *Anonymous access* lets users connect to services without a username or password, increasing the risk of unauthorized access. - It configures the `HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters!RestrictNullSessAccess` registry + It configures the `HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters!restrictnullsessaccess` registry setting [1] [2] to control null session access, which is a common exploit method via shared folders [2]. > **Caution:** @@ -12345,10 +12735,14 @@ actions: [1]: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63759 "Anonymous access to Named Pipes and Shares must be restricted. | www.stigviewer.com" [2]: https://web.archive.org/web/20240510180133/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares "Network access Restrict anonymous access to Named Pipes and Shares - Windows 10 | Microsoft Learn | learn.microsoft.com" - code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v "RestrictNullSessAccess" /t REG_DWORD /d 1 /f - revertCode: |- - :: Default value is `1` on modern Windows versions (Windows 10 since 22H2, Windows 11 since 23H2) - reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v "RestrictNullSessAccess" /t REG_DWORD /d 1 /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters + valueName: restrictnullsessaccess + dataType: REG_DWORD + data: '1' + dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) - name: Disable hidden remote file access via administrative shares (breaks remote system management software) recommend: strict 
@@ -12395,7 +12789,7 @@ actions: This script disables the anonymous enumeration of shares to prevent unauthorized users from listing account names and shared resources, which could serve as a roadmap for attackers [1]. - It configures the `HKLM\SYSTEM\CurrentControlSet\Control\LSA!RestrictAnonymous` registry key to ensure that + It configures the `HKLM\SYSTEM\CurrentControlSet\Control\LSA!restrictanonymous` registry key to ensure that such enumeration is blocked, improving system security against potential breaches [1]. > **Caution:** @@ -12403,9 +12797,14 @@ actions: > administration is necessary. [1]: https://web.archive.org/web/20240510180528/https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63749 "Anonymous enumeration of shares must be restricted. | www.stigviewer.com" - code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\LSA" /v "RestrictAnonymous" /t REG_DWORD /d "1" /f - revertCode: |- # 0 by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - reg add "HKLM\SYSTEM\CurrentControlSet\Control\LSA" /v "RestrictAnonymous" /t REG_DWORD /d "0" /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\LSA + valueName: restrictanonymous + dataType: REG_DWORD + data: '1' + dataOnRevert: '0' # Default value: `0` on Windows 10 Pro (≥ 22H2) | `0` on Windows 11 Pro (≥ 23H2) - name: Disable "Telnet Client" feature recommend: standard # Already disabled by default in Windows 
@@ -12502,14 +12901,21 @@ actions: [6]: https://web.archive.org/web/20240510233842/https://support.microsoft.com/en-us/topic/an-update-to-disable-the-chat-feature-in-remote-assistance-msra-exe-is-available-for-windows-7-sp1-and-windows-server-2008-r2-sp1-a29674bc-ea7b-d5ab-1314-95cd3b93fcb3 "An update to disable the Chat feature in Remote Assistance (MSRA.exe) is available for Windows 7 SP1 and Windows Server 2008 R2 SP1 - Microsoft Support | support.microsoft.com" call: - - function: RunInlineCode + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance + valueName: fAllowToGetHelp + dataType: REG_DWORD + data: '0' + dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue parameters: - code: |- - reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d 0 /f - reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowFullControl" /t REG_DWORD /d 0 /f - revertCode: |- # 1 by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f - reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowFullControl" /t REG_DWORD /d 1 /f + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance + valueName: fAllowFullControl + dataType: REG_DWORD + data: '0' + dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: 
@@ -12862,17 +13268,43 @@ actions: children: - name: Mitigate Spectre Variant 2 and Meltdown in host operating system - code: |- - reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d 3 /f - wmic cpu get name | findstr "Intel" >nul && ( - reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d 0 /f - ) - wmic cpu get name | findstr "AMD" >nul && ( - reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d 64 /f - ) - revertCode: |- - reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d 3 /f - reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d 3 /f + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management + valueName: FeatureSettingsOverrideMask + dataType: REG_DWORD + data: "3" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management + valueName: FeatureSettingsOverride + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + setupCode: |- + $cpuName = Get-CimInstance -ClassName Win32_Processor -ErrorAction Stop | Select-Object -ExpandProperty Name + if ($cpuName -NotMatch 'Intel') { + Write-Host 'Skipping, this action is intended for Intel CPUs only.' 
+ Exit 0 + } + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management + valueName: FeatureSettingsOverride + dataType: REG_DWORD + data: "64" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + setupCode: |- + $cpuName = Get-CimInstance -ClassName Win32_Processor -ErrorAction Stop | Select-Object -ExpandProperty Name + if ($cpuName -NotMatch 'AMD') { + Write-Host 'Skipping, this action is intended for AMD CPUs only.' + Exit 0 + } - name: Mitigate Spectre Variant 2 and Meltdown in Hyper-V call: @@ -12951,10 +13383,14 @@ actions: name: Disable storage of the LAN Manager password hashes recommend: standard docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63797 - code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "NoLMHash" /t REG_DWORD /d "1" /f - revertCode: |- - :: `1` as default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "NoLMHash" /t REG_DWORD /d "1" /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\Lsa + valueName: NoLMHash + dataType: REG_DWORD + data: '1' + dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) - name: Disable "Always install with elevated privileges" in Windows Installer recommend: standard 
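Review bot: The `FeatureSettingsOverrideMask` call has no `setupCode` guard, so on a processor whose name contains neither 'Intel' nor 'AMD' the mask is written as `3` while both `FeatureSettingsOverride` calls exit early, leaving a mask with no matching override. The removed batch script behaved the same way, so this is carried over rather than introduced. The conversion is a good place to either gate the mask on the same vendor check or add a comment above the first call stating that writing the mask alone is intended. The vendor test also matches a substring of the marketing name in `Win32_Processor.Name`; the `Manufacturer` property of the same class would be a steadier signal.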
@@ -14800,19 +15236,37 @@ actions: data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - function: RunInlineCode + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile + valueName: EnableFirewall + dataType: REG_DWORD + data: "0" + dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile + valueName: EnableFirewall + dataType: REG_DWORD + data: "0" + dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue parameters: - code: |- - reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f - reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f - reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f - reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f - # "StandardProfile", "DomainProfile" and "PublicProfile" exists HKLM\SYSTEM\CurrentControlSet they're not deleted but set to default state - revertCode: |- # HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy - reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f - reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f - reg add 
"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f - reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f + keyPath: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile + valueName: EnableFirewall + dataType: REG_DWORD + data: "0" + dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile + valueName: EnableFirewall + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable "Firewall & network protection" section in "Windows Security" docs: |- 
@@ -16313,23 +16767,45 @@ actions: children: - name: Disable Microsoft Defender logging - code: |- - reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f - reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f - revertCode: |- # 1 as default in registry - reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "1" /f - reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "1" /f + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger + valueName: Start + dataType: REG_DWORD + data: "0" + dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger + valueName: Start + dataType: REG_DWORD + data: "0" + dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) - name: Disable Microsoft Defender ETW provider (Windows Event Logs) docs: - https://m365internals.com/2021/07/05/why-are-windows-defender-av-logs-so-important-and-how-to-monitor-them-with-azure-sentinel/ - https://web.archive.org/web/20240314124054/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction?view=o365-worldwide - code: |- - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v "Enabled" /t Reg_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC" /v "Enabled" /t Reg_DWORD /d 0 /f - revertCode: |- # 1 as default in registry - reg add 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v "Enabled" /t Reg_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC" /v "Enabled" /t Reg_DWORD /d 1 /f + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational + valueName: Enabled + dataType: REG_DWORD + data: "0" + dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC + valueName: Enabled + dataType: REG_DWORD + data: "0" + dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) - name: Minimize Windows software trace preprocessor (WPP Software Tracing) docs: 
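Review bot: Both `keyPath` values under `WINEVT\Channels` in the ETW provider action contain a forward slash (`Microsoft-Windows-Windows Defender/Operational` and `Microsoft-Windows-Windows Defender/WHC`) that is part of the key name, not a separator. The removed `reg add` lines accepted that, but the body of `SetRegistryValue` is outside this hunk. If it resolves the path through the PowerShell registry provider, the `/` may be treated as a path separator and the write could land on, or create, a different key. This is worth confirming with a run against these two paths, and a comment next to them such as `# key name contains '/'; verify SetRegistryValue handles it` would record the caveat.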
@@ -16374,25 +16850,28 @@ actions: - name: Remove "Scan with Microsoft Defender" from context menu docs: |- - This script removes the "Scan with Microsoft Defender" option from the right-click context menu. + This script removes the **Scan with Microsoft Defender** option from the right-click context menu. + + This script enhances user privacy by limiting engagement with Microsoft Defender's data collection processes. + Defender may collect data during scans and at regular intervals, which some users may find unnecessary or unwanted. + + Removing this option only affects the context menu appearance and does not disable Microsoft Defender or its other functions. + + > **Caution**: This may reduce system security by making it less convenient to perform on-demand scans of specific files or folders. - This feature, while useful for some, may be unnecessary or unwanted for users, especially if they prefer not to use Defender - due to concerns about data collection during scans and at regular intervals. - By removing this option, the script enhances user privacy by limiting the engagement with Defender's data collection processes. + ### Technical Details - The script functions by altering specific registry keys that correspond to the Defender context menu option. It specifically targets the - CLSID `{09A47860-11B0-4DA5-AFA5-26D86198A780}`, which is associated with this option [1] [2]. The deletion of this key effectively removes - the "Scan with Microsoft Defender" option from the context menu. This feature is provided by `shellext.dll` file located in Defender's - program files [1]. + The script functions by altering specific registry keys that correspond to the Defender context menu option. + It specifically targets the CLSID `{09A47860-11B0-4DA5-AFA5-26D86198A780}`, which is associated with this option [1] [2]. + The script alters keys in the `HKLM\Software\Classes` branch, which automatically reflects in the `HKCR` (HKEY_CLASSES_ROOT) view [3]. 
- This script only affects the appearance of the context menu and does not disable Microsoft Defender or its other functions. + The deletion of this key effectively removes the **Scan with Microsoft Defender** option from the context menu. + This feature is provided by `shellext.dll` file located in Defender's program files [1]. [1]: https://web.archive.org/web/20231124215149/https://strontic.github.io/xcyclopedia/library/clsid_09A47860-11B0-4DA5-AFA5-26D86198A780.html "CLSID 09A47860-11B0-4DA5-AFA5-26D86198A780 | (C:\Program Files\Windows Defender\shellext.dll) | STRONTIC | strontic.github.io" [2]: https://web.archive.org/web/20231124215202/https://www.shouldiblockit.com/shellext.dll-d9ed4e24723880f608c62e2e00430bdd.aspx "shellext.dll - Should I Block It? (MD5 d9ed4e24723880f608c62e2e00430bdd) | www.shouldiblockit.com" + [3]: https://web.archive.org/web/20240802114228/https://learn.microsoft.com/en-us/windows/win32/sysinfo/hkey-classes-root-key "HKEY_CLASSES_ROOT Key - Win32 apps | Microsoft Learn | learn.microsoft.com" call: - # It modifies the registry keys in the `HKLM\Software\Classes` branch. The `HKCR` (HKEY_CLASSES_ROOT) keys are not modified, as they - # are a merged view of the `HKLM\Software\Classes` and `HKCU\Software\Classes` keys. Since the `HKCU` keys for the context menu are - # not present by default, and modifications to `HKLM` are automatically reflected in `HKCR`, there's no need to modify `HKCU` or `HKCR` keys directly. - function: DeleteRegistryValue parameters: 
@@ -17478,11 +17957,13 @@ actions: data: '0' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f - revertCode: |- # Has "1" value in "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" as default - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "1" /f + keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost + valueName: Enabled + dataType: REG_DWORD + data: "0" + dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: 
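Review bot: `valueName: Enabled` in the converted `AppHost` call does not match the value the removed `reg add` line wrote, which was `EnableWebContentEvaluation`. It looks like a copy-paste slip, and as written the action would create an unrelated `Enabled` value and leave the original setting untouched on both apply and revert. The line should read `valueName: EnableWebContentEvaluation`. The same substitution appears in the `WindowsUpdate\AU` hunk at `-18251`, where `NoAutoUpdate` became `Enabled` and should be `valueName: NoAutoUpdate`.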
@@ -18251,11 +18732,13 @@ actions: [2]: https://web.archive.org/web/20221001051250/https://support.microsoft.com/en-us/topic/incorrect-automatic-updates-notification-is-received-even-though-au-options-are-disabled-in-windows-8-1-and-windows-server-2012-r2-18b4b73a-3910-9408-809c-7eaad0e1fbc7 "Incorrect Automatic Updates notification is received even though AU options are disabled in Windows 8.1 and Windows Server 2012 R2 - Microsoft Support" [3]: https://web.archive.org/web/20230711172555/https://learn.microsoft.com/en-us/windows/deployment/update/waas-wu-settings#configuring-automatic-updates-by-editing-the-registry "Manage additional Windows Update settings - Windows Deployment | Microsoft Learn" call: - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "1" /f - # Default value is `0` since Windows 10 21H2 and Windows 11 21H2 - revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "0" /f + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU + valueName: Enabled + dataType: REG_DWORD + data: "1" + dataOnRevert: "0" # Default value: `0` on Windows 10 Pro (≥ 21H2) | `0` on Windows 11 Pro (≥ 21H2) - name: Disable automatic installation of Windows updates without user consent docs: |- 
@@ -18283,11 +18766,13 @@ actions: [4]: https://web.archive.org/web/20230826081345/https://learn.microsoft.com/en-US/troubleshoot/windows-client/deployment/update-windows-update-agent "Update Windows Update Agent to latest version - Windows Client | Microsoft Learn" [5]: https://web.archive.org/web/20221001051250/https://support.microsoft.com/en-us/topic/incorrect-automatic-updates-notification-is-received-even-though-au-options-are-disabled-in-windows-8-1-and-windows-server-2012-r2-18b4b73a-3910-9408-809c-7eaad0e1fbc7 "Incorrect Automatic Updates notification is received even though AU options are disabled in Windows 8.1 and Windows Server 2012 R2 - Microsoft Support" call: - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "2" /f - # Default value is `4` since Windows 10 21H2 and Windows 11 21H2 - revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "4" /f + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU + valueName: AUOptions + dataType: REG_DWORD + data: "2" + dataOnRevert: "4" # Default value: `4` on Windows 10 Pro (≥ 21H2) | `0` on Windows 11 Pro (≥ 21H2) - name: Disable automatic daily installation of Windows updates docs: |- @@ -19406,7 +19891,7 @@ actions: children: - name: Maximize update pause duration - docs: |- + docs: |- # refactor-with-variables: • Security Update Postpone Caution This script maximizes the pause duration for system updates via the settings interface. It postpones both feature and quality updates in Windows 10 and Windows 11. This is particularly useful for those preferring fewer interruptions from regular updates. 
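Review bot: The inline comment on `dataOnRevert: "4"` for `AUOptions` gives the default as `4` on Windows 10 but `0` on Windows 11, while the revert writes `4` on both and the removed comment stated `4` for both systems. Either the comment has a typo or the revert value is wrong for Windows 11; if `4` is correct, the Windows 11 half of the comment should say `4` as well. Because the value sits under the `Policies` key, it is also worth checking whether it exists at all on a clean install, in which case `deleteOnRevert: 'true'` would restore the default more faithfully than writing a number.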
@@ -19430,32 +19915,60 @@ actions: [1]: https://github.com/undergroundwires/privacy.sexy/issues/272#issuecomment-1772602388 "[BUG]: Windows automatically re-enables Update after 4-5 days · Issue #272 · undergroundwires/privacy.sexy | github.com/undergroundwires" call: - function: RunPowerShell - parameters: - # Note: - # - StartTime must be set, or the setting UI on Windows 11 becomes unresponsive for future changes. - # - >3000 on Windows 11 does not work, works fine for Windows 10. - # Marked: refactor-with-variables - # - Getting `$currentTime` is used across multiple scripts. - code: |- - $currentTime = (Get-Date).ToString('yyyy-MM-ddTHH:mm:ssZ') - $endTime = '2963-01-17T00:00:00Z' - reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PauseFeatureUpdatesStartTime" /t REG_SZ /d "$currentTime" /f - reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PauseFeatureUpdatesEndTime" /t REG_SZ /d "$endTime" /f - reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PauseQualityUpdatesStartTime" /t REG_SZ /d "$currentTime" /f - reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PauseQualityUpdatesEndTime" /t REG_SZ /d "$endTime" /f - reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PauseUpdatesStartTime" /t REG_SZ /d "$currentTime" /f - reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PauseUpdatesExpiryTime" /t REG_SZ /d "$endTime" /f - revertCode: |- - reg delete "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PauseFeatureUpdatesStartTime" /f 2>$null - reg delete "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PauseFeatureUpdatesEndTime" /f 2>$null - reg delete "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PauseQualityUpdatesStartTime" /f 2>$null - reg delete "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PauseQualityUpdatesEndTime" /f 2>$null - reg delete "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PauseUpdatesStartTime" /f 2>$null - reg delete 
"HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PauseUpdatesExpiryTime" /f 2>$null + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings + valueName: PauseFeatureUpdatesStartTime + dataType: REG_SZ + data: (Get-Date).ToString('yyyy-MM-ddTHH:mm:ssZ') + evaluateDataAsPowerShell: 'true' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings + valueName: PauseFeatureUpdatesEndTime + dataType: REG_SZ + data: '2963-01-17T00:00:00Z' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings + valueName: PauseQualityUpdatesStartTime + dataType: REG_SZ + data: (Get-Date).ToString('yyyy-MM-ddTHH:mm:ssZ') + evaluateDataAsPowerShell: 'true' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings + valueName: PauseQualityUpdatesEndTime + dataType: REG_SZ + data: '2963-01-17T00:00:00Z' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings + valueName: PauseUpdatesStartTime + dataType: REG_SZ + data: (Get-Date).ToString('yyyy-MM-ddTHH:mm:ssZ') + evaluateDataAsPowerShell: 'true' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings + valueName: PauseUpdatesExpiryTime + dataType: REG_SZ + data: '2963-01-17T00:00:00Z' + deleteOnRevert: 'true' # Missing by 
default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Maximize feature update duration (disables resuming updates from settings) - docs: |- + docs: |- # refactor-with-variables: • Security Update Postpone Caution This script provides control over when and how often Windows feature updates and preview builds occur. These updates bring major changes to the operating system, affecting functionality and user privacy [1] [2]. @@ -19465,7 +19978,6 @@ actions: - Adding new features [1]. > **Caution**: - > > - This script postpones critical security updates, increasing potential security risks for your computer. > - This script disables the option to resume updates through the settings interface. > The update settings will display "Your organization paused some updates for this device", and you won't be able 
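Review bot: The three start-time values use `(Get-Date).ToString('yyyy-MM-ddTHH:mm:ssZ')`, which formats the local time and appends a literal `Z`, so the stored timestamp claims UTC but is off by the machine's time-zone offset. The removed script had the same expression, so this is carried over, but the conversion is the place to fix it with `data: (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')` in all three calls. Each call now also evaluates `Get-Date` on its own where the old script shared one `$currentTime`, so the three start times can differ slightly. That is presumably harmless, but a short comment saying so would save the next reader the question.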
@@ -19477,59 +19989,49 @@ actions: Group Policy (GPO) keys: + - `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!Pause`: + Used for pausing updates in older Windows 10 versions [5]. + - `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!PauseFeatureUpdates`: + Obsolete key that only applies to Windows 10 version 1607 [5]. + Setting value `1` pauses feature updates and leaving absent or setting another value does not [5]. - `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!PauseFeatureUpdatesStartTime`: Sets the start date for pausing feature updates [3]. It is specified in a date format (yyyy-mm-dd, e.g., 2018-10-28) [4]. - This key supersedes the now-obsolete Windows 10 version 1607 key: `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!PauseFeatureUpdates` [5]. - By default, this registry key is missing since Windows 10 22H2 and Windows 11 22H3. + This key supersedes the now-obsolete Windows 10 ver!sion 1607 key: `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!PauseFeatureUpdates` [5]. + This setting has been available since Windows 10 1703 [4]. - `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!PauseFeatureUpdatesPeriodInDays`: Specifies the pause duration for feature updates [6]. The range is from 0 (default) to 365 days [6]. - By default, this registry key is missing since Windows 10 22H2 and Windows 11 22H3. - `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!DeferFeatureUpdates`: Enables pausing of feature updates and activates `PauseFeatureUpdatesPeriodInDays` [5]. - By default, this registry key is missing since Windows 10 22H2 and Windows 11 22H3, meaning that the feature updates are not paused [7]. - `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!DeferFeatureUpdatesPeriodInDays`: Allows pausing of feature updates for a specified number of days [4] [5] [7]. It ranges from 0 to 365 days [5] [7]. 
This key supersedes the now-obsolete Windows 10 version 1511 key: `HKLM\Policies\Microsoft\Windows\WindowsUpdate!DeferUpgradePeriod` [4] [5]. - By default, this registry key is missing since Windows 10 22H2 and Windows 11 22H3. - - `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!Pause`: - Used for pausing updates in older Windows 10 versions [4]. - By default, this registry key is missing since Windows 10 22H2 and Windows 11 22H3. State keys: - `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings!PausedFeatureStatus`: Shows the current status of feature update pause [5]. - By default, this key is set to `0` since Windows 10 22H2 and Windows 11 22H3. `0` means feature updates not paused, `1` means feature updates paused, `2` means feature updates have auto-resumed after being paused [5]. - - `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState!DeferFeatureUpdates`: - By default, this key is set to `0` since Windows 10 22H2 and Windows 11 22H3. - - `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState!FeatureUpdatesPaused`: - By default, this registry key is missing since Windows 10 22H2 and Windows 11 22H3. + - `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState!DeferFeatureUpdates` + - `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState!FeatureUpdatesPaused` - `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings!PausedFeatureDate`: Records the date when feature updates were paused [5]. - By default, this registry key is missing since Windows 10 22H2 and Windows 11 22H3. - - `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState!PauseFeatureUpdatesStartTime`: - Reflects the start time for pausing Feature Updates. - By default, this registry key is missing since Windows 10 22H2 and Windows 11 22H3. 
+ - `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState!PauseFeatureUpdatesStartTime` MDM (PolicyManager) keys: + - `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\Pause!value`: - `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseFeatureUpdates!value`: - Manages pausing of feature updates for Windows 10, version 1607 or later [5]. - By default, this key is set to `0` since Windows 10 22H2 and Windows 11 22H3. + Manages pausing of feature updates for Windows 10, version 1607 or later [4]. - `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartTime!value`: Specifies the start time for pausing feature updates [3] [4]. - By default, this registry key is missing since Windows 10 22H2 and Windows 11 22H3. - `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays!value`: Sets the deferral period for feature updates [4]. - By default, this key is set to `0` since Windows 10 22H2 and Windows 11 22H3. - `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\ConfigureDeadlineForFeatureUpdates!value`: - Determines the deadline for automatic feature update installation [5]. - The maximum value is limited to 30 days [5]. - By default, this key is set to `7` since Windows 10 22H2 and Windows 11 22H3 [5]. + Determines the deadline for automatic feature update installation [4]. + The maximum value is limited to 30 days [4]. [1]: https://web.archive.org/web/20231209161721/https://learn.microsoft.com/en-us/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview "Windows feature updates overview - Windows Deployment | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20231214085615/https://learn.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wufb "Windows Update for Business - Windows Deployment | Microsoft Learn | learn.microsoft.com" 
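Review bot: The added description line for `PauseFeatureUpdatesStartTime` reads "Windows 10 ver!sion 1607 key", with a stray `!` inside "version" that the removed line did not have; it should be `This key supersedes the now-obsolete Windows 10 version 1607 key:`. In the MDM list, the new `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\Pause!value` bullet ends with a colon but carries no description, unlike its neighbours. Either drop the colon, as done for the `PolicyState` bullets in the same hunk, or add the one-line description.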
@@ -19537,63 +20039,141 @@ actions: [4]: https://web.archive.org/web/20230708165017/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update "Update Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [5]: https://web.archive.org/web/20231206151045/https://learn.microsoft.com/en-us/windows/deployment/update/waas-configure-wufb "Configure Windows Update for Business - Windows Deployment | Microsoft Learn | learn.microsoft.com" [6]: https://web.archive.org/web/20231209161617/https://learn.microsoft.com/en-us/mem/intune/protect/windows-update-settings "Windows Update settings you can manage with Intune Update Ring policies for Windows 10/11 devices. | Microsoft Learn | learn.microsoft.com" - [7]: https://web.archive.org/web/20231209161658/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsUpdate::DeferFeatureUpdates "Select when Preview Builds and Feature Updates are received | admx.help" - call: - function: RunPowerShell - parameters: - # Note: - # - Policy state keys (HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy) are not needed to be modified, but just modified for extra robustness. - # Marked: refactor-with-variables - # - Getting `$currentTime` is used across multiple scripts. 
- code: |- - $currentTime = (Get-Date).ToString('yyyy-MM-ddTHH:mm:ssZ') - # GPO - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "PauseFeatureUpdatesStartTime" /t "REG_SZ" /d "$currentTime" /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "PauseFeatureUpdatesPeriodInDays" /d "365" /t "REG_DWORD" /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "PauseFeatureUpdates" /t "REG_DWORD" /d 1 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferFeatureUpdates" /t "REG_DWORD" /d 1 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferFeatureUpdatesPeriodInDays" /d "365" /t "REG_DWORD" /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "Pause" /t "REG_DWORD" /d "1" /f - # State - reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings" /v "PausedFeatureStatus" /t "REG_DWORD" /d "1" /f - reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings" /v "PausedFeatureDate" /t "REG_SZ" /d "$currentTime" /f - reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "DeferFeatureUpdates" /d "1" /t "REG_DWORD" /f - reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "FeatureUpdatesPaused" /d "1" /t "REG_DWORD" /f - reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "PauseFeatureUpdatesStartTime" /t "REG_SZ" /d "$currentTime" /f - # MDM (PolicyManager) - reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\Pause" /v "value" /t "REG_DWORD" /d "1" /f - reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseFeatureUpdates" /v "value" /t "REG_DWORD" /d "1" /f - reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartTime" /v "value" /t "REG_SZ" /d "$currentTime" /f - reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays" /v "value" /t "REG_DWORD" /d "365" /f - reg add 
"HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\ConfigureDeadlineForFeatureUpdates" /v "value" /t "REG_DWORD" /d "30" /f - revertCode: |- - # GPO - reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "PauseFeatureUpdatesStartTime" /f 2>$null - reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "PauseFeatureUpdatesPeriodInDays" /f 2>$null - reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "PauseFeatureUpdates" /f 2>$null - reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferFeatureUpdates" /f 2>$null - reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferFeatureUpdatesPeriodInDays" /f 2>$null - reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "Pause" /f 2>$null - # State - reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings" /v "PausedFeatureStatus" /t "REG_DWORD" /d "0" /f - reg delete "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings" /v "PausedFeatureDate" /f 2>$null - reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "DeferFeatureUpdates" /d "0" /t "REG_DWORD" /f - reg delete "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "FeatureUpdatesPaused" /f 2>$null - reg delete "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "PauseFeatureUpdatesStartTime" /f 2>$null - # MDM (PolicyManager) - reg delete "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\Pause" /v "value" /f 2>$null - reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseFeatureUpdates" /v "value" /t "REG_DWORD" /d "0" /f - reg delete "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartTime" /v "value" /f 2>$null - reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays" /v "value" /t "REG_DWORD" /d "0" /f - reg add 
"HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\ConfigureDeadlineForFeatureUpdates" /v "value" /t "REG_DWORD" /d "7" /f + [7]: https://web.archive.org/web/20231209161658/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsUpdate::DeferFeatureUpdates "Select when Preview Builds and Feature Updates are received | admx.help" + call: + # Note: Policy state keys (HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy) are not needed to be modified, + # but just modified for extra robustness. + - # GPO + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate + valueName: Pause + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - # GPO + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate + valueName: PauseFeatureUpdates + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - # GPO + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate + valueName: PauseFeatureUpdatesStartTime + dataType: REG_SZ + data: (Get-Date).ToString('yyyy-MM-ddTHH:mm:ssZ') + evaluateDataAsPowerShell: 'true' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - # GPO + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate + valueName: PauseFeatureUpdatesPeriodInDays + dataType: REG_DWORD + data: '365' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - # GPO + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate + valueName: DeferFeatureUpdates + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since 
Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - # GPO + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate + valueName: DeferFeatureUpdatesPeriodInDays + dataType: REG_DWORD + data: '365' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - # State + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings + valueName: PausedFeatureStatus + dataType: REG_DWORD + data: '1' + dataOnRevert: '0' # Default value: `0` on Windows 10 Pro (≥ 22H2) | `0` on Windows 11 Pro (≥ 23H2) + - # State + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState + valueName: DeferFeatureUpdates + dataType: REG_DWORD + data: '1' + dataOnRevert: '0' # Default value: `0` on Windows 10 Pro (≥ 22H2) | `0` on Windows 11 Pro (≥ 23H2) + - # State + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState + valueName: FeatureUpdatesPaused + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - # State + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings + valueName: PausedFeatureDate + dataType: REG_SZ + data: (Get-Date).ToString('yyyy-MM-ddTHH:mm:ssZ') + evaluateDataAsPowerShell: 'true' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - # MDM (PolicyManager) + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\Pause + valueName: value + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - # MDM (PolicyManager) + function: SetRegistryValue + parameters: + keyPath: 
HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseFeatureUpdates + valueName: value + dataType: REG_DWORD + data: '1' + dataOnRevert: '0' # Default value: `0` on Windows 10 Pro (≥ 22H2) | `0` on Windows 11 Pro (≥ 23H2) + - # MDM (PolicyManager) + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartTime + valueName: value + dataType: REG_SZ + data: (Get-Date).ToString('yyyy-MM-ddTHH:mm:ssZ') + evaluateDataAsPowerShell: 'true' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - # MDM (PolicyManager) + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays + valueName: value + dataType: REG_DWORD + data: '365' + dataOnRevert: '0' # Default value: `0` on Windows 10 Pro (≥ 22H2) | `0` on Windows 11 Pro (≥ 23H2) + - # MDM (PolicyManager) + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\ConfigureDeadlineForFeatureUpdates + valueName: value + dataType: REG_DWORD + data: '30' + dataOnRevert: '7' # Default value: `7` on Windows 10 Pro (≥ 22H2) | `7` on Windows 11 Pro (≥ 23H2) - name: Maximize quality update duration (disables resuming updates from settings) - docs: |- + docs: |- # refactor-with-variables: • Security Update Postpone Caution This script extends the time between mandatory quality updates, which include security patches [1] [2]. - Delaying these updates helps prevent frequent system reboots and disruptions, aiding productivity in professional and critical settings. + Delaying these updates helps prevent frequent system reboots and disruptions, aiding productivity + in professional and critical settings. > **Caution**: - > > - This script postpones critical security updates, increasing potential security risks for your computer. 
> - This script disables the option to resume updates through the settings interface. > The update settings will display "Your organization paused some updates for this device", and you won't be able 
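Review bot: The three `data: (Get-Date).ToString('yyyy-MM-ddTHH:mm:ssZ')` entries (GPO `PauseFeatureUpdatesStartTime`, State `PausedFeatureDate`, MDM `PauseFeatureUpdatesStartTime!value`) write local time followed by a literal `Z`, because `Z` is not a .NET custom format specifier and is copied through unchanged. The stored value therefore claims UTC but is off by the machine's time-zone offset. `data: (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')` would make the suffix true, and the same applies to the three timestamp entries in the quality-update hunk further down. Each entry is presumably evaluated on its own now, so the three timestamps can also differ by a second where the removed `$currentTime` gave one value. Separately, the removed script wrote `PolicyState!PauseFeatureUpdatesStartTime` and the new list has no entry for it, while the docs in the preceding hunk still list that key.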
@@ -19603,28 +20183,23 @@ actions: The script modifies various Group Policy (GPO), state, and Mobile Device Management (MDM) keys. - Group Policy (GPO) Keys: + Group Policy (GPO) keys: + - `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!Pause`: + Defers updates and upgrades in earlier versions of Windows 10 (1511) [3]. - `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!PauseQualityUpdates`: Pauses quality updates for up to 35 days, or until the setting is reversed [3] [4]. This setting has been available since Windows 10 1607 [3]. - By default, this key is not present since Windows 10 22H2 and Windows 11 23H2. - `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!PauseQualityUpdatesStartTime`: Sets the start date for pausing quality updates [3] [4]. This setting is available since Windows 10 1703, and it activates `PauseQualityUpdates key` [3]. - By default, this key is not present since Windows 10 22H2 and Windows 11 23H2. - - `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!Pause`: - Defers updates and upgrades in earlier versions of Windows 10 (1511) [3]. - By default, this key is not present since Windows 10 22H2 and Windows 11 23H2. - `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!DeferQualityUpdates`: Defers quality updates for up to 30 days [3] [4]. - By default, this key is not present since Windows 10 22H2 and Windows 11 23H2. - `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!DeferQualityUpdatesPeriodInDays`: - Specifies the deferral period for quality updates, up to 35 [3] or 30 [4] [5] days. + Specifies the deferral period for quality updates, up to 30 [4] [5] or 35 [3] days. This setting has been available since Windows 10 1607 [3] [4], and it activates `DeferQualityUpdates` key [3]. - By default, this key is not present since Windows 10 22H2 and Windows 11 23H2. 
- State Keys: + State keys: - `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings!PausedQualityStatus`: Indicates if quality updates are currently paused, with `0` as not paused [3]. 
@@ -19632,29 +20207,26 @@ actions: - `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings!PausedQualityDate`: Indicates the date when the pause of quality updates was initiated [3]. This key is used to disable auto-updates [6]. - By default, this key is not present since Windows 10 22H2 and Windows 11 23H2 [6]. + By default, this key is not present on Windows [6]. - `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState!DeferQualityUpdates`: Indicates whether quality updates have been paused. This key is used to disable auto-updates [6]. - By default, this key is set to `0`, indicating no pause since Windows 10 22H2 and Windows 11 23H2 [6]. + By default, this key is set to `0`, indicating no pause [6]. - Mobile Device Management (MDM) Keys: + Mobile Device Management (MDM) keys: + - `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\Pause!value`: + MDM for Windows 10, version 1511 [3]. - `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseQualityUpdates!value`: Manages pausing of quality updates for Windows 10 1607 and later [3]. The default value is `0`, indicating no pause since Windows 10 22H2 and Windows 11 23H2. - `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseQualityUpdatesStartTime!value`: Sets the start time for pausing quality updates for Windows 10 1703 and later [3]. - By default, this key is not present since Windows 10 22H2 and Windows 11 23H2. - - `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\Pause!value`: - MDM for Windows 10, version 1511 [3]. - By default, this key is not present since Windows 10 22H2 and Windows 11 23H2. - `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays!value`: Determines the deferral period for quality updates for Windows 10 1607 and later [3]. - By default, this key is set to `0`, indicating no pause since Windows 10 22H2 and Windows 11 23H2. 
- `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\ConfigureDeadlineForQualityUpdates!value`: Sets the deadline for automatic installation of quality updates for Windows 10 1903 and later, up to 30 days [4]. - By default, this key is set to `7` [4], indicating seven days deadline before updates are enforced since Windows 10 22H2 and Windows 11 23H2. + By default, this key is set to `7` [4], indicating seven days deadline before updates are enforced. [1]: https://web.archive.org/web/20231214091439/https://learn.microsoft.com/en-us/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview "Windows quality updates overview with Autopatch groups experience - Windows Deployment | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20231214085615/https://learn.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wufb "Windows Update for Business - Windows Deployment | Microsoft Learn | learn.microsoft.com" 
@@ -19663,53 +20235,125 @@ actions: [5]: https://archive.ph/2023.12.14-092501/https://github.com/MicrosoftDocs/IntuneDocs/blob/main/intune/protect/windows-update-settings.md "IntuneDocs/intune/protect/windows-update-settings.md at main · MicrosoftDocs/IntuneDocs | github.com" [6]: https://web.archive.org/web/20231111173058/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004#re-enable-windows-update "Optimizing Windows 10, Build 2004, for a Virtual Desktop role | Microsoft Learn | learn.microsoft.com" call: - function: RunPowerShell - parameters: - # Marked: refactor-with-variables - # - Getting `$currentTime` is used across multiple scripts. - code: |- - $currentTime = (Get-Date).ToString('yyyy-MM-ddTHH:mm:ssZ') - # GPO - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "Pause" /t "REG_DWORD" /d "1" /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "PauseQualityUpdates" /t "REG_DWORD" /d "1" /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "PauseQualityUpdatesStartTime" /t "REG_SZ" /d "$currentTime" /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferQualityUpdates" /t "REG_DWORD" /d 1 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferQualityUpdatesPeriodInDays" /d "35" /t "REG_DWORD" /f - # State - reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings" /v "PausedQualityStatus" /t "REG_DWORD" /d "1" /f - reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings" /v "PausedQualityDate" /t "REG_SZ" /d "$currentTime" /f - reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "DeferQualityUpdates" /d "1" /t "REG_DWORD" /f - # MDM (PolicyManager) - reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\Pause" /v "value" /t "REG_DWORD" /d "1" /f - reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseQualityUpdates" /v "value" 
/t "REG_DWORD" /d "1" /f - reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseQualityUpdatesStartTime" /v "value" /t "REG_SZ" /d "$currentTime" /f - reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays" /v "value" /t "REG_DWORD" /d "35" /f - reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\ConfigureDeadlineForQualityUpdates" /v "value" /t "REG_DWORD" /d "30" /f - revertCode: |- - # GPO - reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "Pause" /f 2>$null - reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "PauseQualityUpdates" /f 2>$null - reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "PauseQualityUpdatesStartTime" /f 2>$null - reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferQualityUpdates" /f 2>$null - reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferQualityUpdatesPeriodInDays" /f 2>$null - # State - reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings" /v "PausedQualityStatus" /t "REG_DWORD" /d "0" /f - reg delete "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings" /v "PausedQualityDate" /f 2>$null - reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "DeferQualityUpdates" /t "REG_DWORD" /d "0" /f - # MDM (PolicyManager) - reg delete "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\Pause" /v "value" /f 2>$null - reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseQualityUpdates" /v "value" /t "REG_DWORD" /d "0" /f - reg delete "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseQualityUpdatesStartTime" /v "value" /f 2>$null - reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays" /v "value" /t "REG_DWORD" /d "0" /f - reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\ConfigureDeadlineForQualityUpdates" /v "value" /t "REG_DWORD" /d "7" /f + # 
Note: Policy state keys (HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy) are not needed to be modified, + # but just modified for extra robustness. + - # GPO + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate + valueName: Pause + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - # GPO + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate + valueName: PauseQualityUpdates + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + minimumWindowsVersion: 'Windows10-1607' + - # GPO + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate + valueName: PauseQualityUpdatesStartTime + dataType: REG_SZ + data: (Get-Date).ToString('yyyy-MM-ddTHH:mm:ssZ') + evaluateDataAsPowerShell: 'true' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - # GPO + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate + valueName: DeferQualityUpdates + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - # GPO + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate + valueName: DeferQualityUpdatesPeriodInDays + dataType: REG_DWORD + data: "30" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - # State + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings + valueName: PausedQualityStatus + dataType: REG_DWORD + data: "1" + dataOnRevert: "0" # Default value: `0` on Windows 10 Pro (≥ 22H2) | `0` on 
Windows 11 Pro (≥ 23H2) + - # State + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings + valueName: PausedQualityDate + dataType: REG_SZ + data: (Get-Date).ToString('yyyy-MM-ddTHH:mm:ssZ') + evaluateDataAsPowerShell: 'true' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - # State + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState + valueName: DeferQualityUpdates + dataType: REG_DWORD + data: "1" + dataOnRevert: "0" # Default value: `0` on Windows 10 Pro (≥ 22H2) | `0` on Windows 11 Pro (≥ 23H2) + - # MDM (PolicyManager) + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\Pause + valueName: value + dataType: REG_DWORD + data: '1' + dataOnRevert: '0' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - # MDM (PolicyManager) + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseQualityUpdates + valueName: value + dataType: REG_DWORD + data: '1' + dataOnRevert: '0' # Default value: `0` on Windows 10 Pro (≥ 22H2) | `0` on Windows 11 Pro (≥ 23H2) + minimumWindowsVersion: 'Windows10-1607' + - # MDM (PolicyManager) + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseQualityUpdatesStartTime + valueName: value + dataType: REG_SZ + data: (Get-Date).ToString('yyyy-MM-ddTHH:mm:ssZ') + evaluateDataAsPowerShell: 'true' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - # MDM (PolicyManager) + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays + valueName: value + dataType: REG_DWORD + data: '30' # Set to lower of conflicting Microsoft docs stating maximum 
30 and 35 to ensure validity + dataOnRevert: '0' # Default value: `0` on Windows 10 Pro (≥ 22H2) | `0` on Windows 11 Pro (≥ 23H2) + minimumWindowsVersion: 'Windows10-1607' + - # MDM (PolicyManager) + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\ConfigureDeadlineForQualityUpdates + valueName: value + dataType: REG_DWORD + data: '30' # Set to lower of conflicting Microsoft docs stating maximum 30 and 35 to ensure validity + dataOnRevert: '7' # Default value: `7` on Windows 10 Pro (≥ 22H2) | `7` on Windows 11 Pro (≥ 23H2) - name: Maximize update duration on older Windows versions - docs: |- + docs: |- # refactor-with-variables: • Security Update Postpone Caution This script extends the time between updates and upgrades, but only works on older Windows versions (version 1511 and earlier) [1] [2]. > **Caution**: - > > - This script postpones critical security updates, increasing potential security risks for your computer. > - This script has no effect on newer Windows versions and will not make the intended changes. 
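Review bot: The MDM `Update\Pause` entry reverts with `dataOnRevert: '0'` while its own comment says the value is missing by default. The removed revertCode deleted it, and the feature-update script in the earlier hunk uses `deleteOnRevert: 'true'` for the same key. As written, reverting this script leaves a `value` of `0` that a clean system does not have; `deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)` would match the comment and the sibling script. The comment on `ConfigureDeadlineForQualityUpdates` `data: '30'` about conflicting 30 and 35 maximums appears to be copied from the deferral-period entry, since the docs above give 30 as the only maximum for the deadline. This hunk also mixes `"1"` and `'1'` quoting where the rest of the change uses single quotes.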
@@ -19717,25 +20361,19 @@ actions: - `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\RequireDeferUpgrade!value`: Sets the device to a more predictable update schedule [1]. - By default, this key is set to `0` since Windows 10 22H2 and Windows 11 22H3. - `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\RequireDeferUpdate!value`: Pauses quality updates [1]. - By default, this registry key is missing since Windows 10 22H2 and Windows 11 22H3. - `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!DeferUpdate`: Determines the delay period for updates [1]. - By default, this registry key is missing since Windows 10 22H2 and Windows 11 22H3. - `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!DeferUpgrade`: Determines the delay period for upgrades [1]. - By default, this registry key is missing since Windows 10 22H2 and Windows 11 22H3. - `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!DeferUpdatePeriod` [1]. Pauses upgrades for up to 4 weeks [2] [3]. - By default, this registry key is missing since Windows 10 22H2 and Windows 11 22H3. - `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!DeferUpgradePeriod` [1] [2] [3]. Pauses upgrades for up to 8 months [2] [3]. - By default, this registry key is missing since Windows 10 22H2 and Windows 11 22H3. + Supported values range from 0 to 8 [2] [3], representing the number of months to defer upgrades [2]. - `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!PauseDeferrals`: Pauses updates and upgrades for up to 5 weeks [2] [3]. - By default, this registry key is missing since Windows 10 22H2 and Windows 11 22H3. 
[1]: https://web.archive.org/web/20231206151045/https://learn.microsoft.com/en-us/windows/deployment/update/waas-configure-wufb "Configure Windows Update for Business - Windows Deployment | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20230708165017/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update "Update Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" @@ -19790,12 +20428,13 @@ actions: data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - function: RunInlineCode + function: SetRegistryValue parameters: - code: |- - reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\RequireDeferUpgrade" /v "value" /t "REG_DWORD" /d "1" /f - revertCode: >- # `0` by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\RequireDeferUpgrade" /v "value" /t "REG_DWORD" /d "0" /f + keyPath: HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\RequireDeferUpgrade + valueName: value + dataType: REG_DWORD + data: '1' + dataOnRevert: '0' # Default value: `0` on Windows 10 Pro (≥ 22H2) | `0` on Windows 11 Pro (≥ 23H2) - category: Configure how downloaded files are handled docs: |- 
@@ -19884,8 +20523,14 @@ actions: [2]: https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2015-09-02/finding/V-14270 "The system will notify antivirus when file attachments are opened. | stigviewer.com" [3]: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AttachmentManager::AM_CallIOfficeAntiVirus "Notify antivirus programs when opening attachments | admx.help" [4]: https://web.archive.org/web/20230102223412/https://www.irs.gov/pub/irs-utl/safeguards-scsem-win-11-v1-1-033122.xlsx "Windows 11 SafeGuards | irs.gov" - code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "ScanWithAntiVirus" /t REG_DWORD /d "1" /f - revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "ScanWithAntiVirus" /t REG_DWORD /d "3" /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments + valueName: ScanWithAntiVirus + dataType: REG_DWORD + data: '1' + dataOnRevert: '3' # Default value: `3` on Windows 10 Pro (≥ 22H2) | `3` on Windows 11 Pro (≥ 23H2) - name: Remove "Windows Security" app (`SecHealthUI`) (breaks Windows Security user interface) docs: |- 
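Review bot: `data: '1'` for `ScanWithAntiVirus` carries no comment saying what the value means, and it is the security-relevant half of this entry. In the Attachment Manager policy that reference [3] describes, `3` turns antivirus notification on and `1` turns it off, so applying the script stops opened attachments being handed to the registered antivirus and only the revert restores that. I would add `data: '1' # 1 = do not notify antivirus when attachments are opened; 3 (default) = notify`. The script's name and the start of its docs are above the hunk, so they may already say this; reference [2] is the STIG finding whose title expects notification to be on.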
@@ -20059,9 +20704,14 @@ actions: name: Disable history of recently opened documents recommend: strict docs: https://web.archive.org/web/20231207105611/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.StartMenu::NoRecentDocsHistory - code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRecentDocsHistory" /t REG_DWORD /d 1 /f - # `0` by default on Windows 10 (22H2 and above), missing by default on Windows 11 (23H2 and above) - revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRecentDocsHistory" /t REG_DWORD /d 0 /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer + valueName: NoRecentDocsHistory + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # `0` by default on Windows 10 (22H2 and above) | Missing by default on Windows 11 (23H2 and above) - name: Clear recently opened document history upon exit recommend: strict 
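Review bot: `deleteOnRevert: 'true'` changes what revert does on Windows 10: the removed revertCode wrote `0`, which the comment gives as the Windows 10 default, and the new entry deletes the value on both systems. If a missing `NoRecentDocsHistory` is treated the same as `0` (likely for a policy value, but not shown here), the comment should say so, e.g. `# Deleting equals the Windows 10 default of 0 (policy not set) | Missing by default on Windows 11 (23H2 and above)`. Otherwise reverted Windows 10 machines end up in a state that is neither the documented default nor what the previous version restored.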
@@ -25118,12 +25768,23 @@ actions: [1]: https://web.archive.org/web/20231025220530/https://support.microsoft.com/en-us/office/sync-files-with-onedrive-in-windows-615391c4-2bd3-4aae-a42a-858262e42a49 "Sync files with OneDrive in Windows | support.microsoft.com" [2]: https://web.archive.org/web/20240322101857/https://answers.microsoft.com/en-us/windows/forum/all/remove-onedrive-from-file-explorer-navigation-pane/38ac7524-2b35-4ffc-baab-40ad61dc5d79 "Remove OneDrive from File Explorer navigation pane - Microsoft Community | answers.microsoft.com" - code: |- # `1` by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - reg add "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /d "0" /t REG_DWORD /f - reg add "HKCR\Wow6432Node\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /d "0" /t REG_DWORD /f - revertCode: |- - reg add "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /d "1" /t REG_DWORD /f - reg add "HKCR\Wow6432Node\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /d "1" /t REG_DWORD /f + call: + - + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} + valueName: System.IsPinnedToNameSpaceTree + dataType: REG_DWORD + data: '0' + dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Classes\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} + valueName: System.IsPinnedToNameSpaceTree + dataType: REG_DWORD + data: '0' + dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) - name: Disable OneDrive scheduled tasks recommend: strict 
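Review bot: Both entries move from `HKCR` to `HKCU\Software\Classes`, so the setting now lands in one user's hive instead of the merged classes view, and the visible part of the docs does not mention that. When the script is run elevated under a different administrator account, `HKCU` would resolve to that account and the signed-in user's navigation pane would stay unchanged; one sentence in the docs stating that the change is per-user would cover it. The `Default value: 1` comments were previously attached to the `HKCR` values, so it is worth confirming that the value also exists under `HKCU\Software\Classes` on a clean install; otherwise revert creates a value rather than restoring one.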
@@ -25272,7 +25933,7 @@ actions: **Note:** This script uses methods not officially documented but confirmed effective by community testing and support. - [1]: https://archive.ph/2024.06.21-133029/https://github.com/undergroundwires/privacy.sexy/issues/236 "[BUG]: Edge Browser uninstall process no longer works · Issue #236 · undergroundwires/privacy.sexy | github.com" + [1]: https://web.archive.org/web/20240809110743/https://github.com/undergroundwires/privacy.sexy/issues/236 "[BUG]: Edge Browser uninstall process no longer works · Issue #236 · undergroundwires/privacy.sexy | github.com" [2]: https://archive.ph/2024.06.21-133037/https://github.com/undergroundwires/privacy.sexy/issues/309 "[BUG]: Microsoft Edge still alive after removal · Issue #309 · undergroundwires/privacy.sexy" call: - 
@@ -27648,17 +28309,21 @@ actions: code: dism /online /Set-ReservedStorageState /State:Disabled /NoRestart revertCode: dism /online /Set-ReservedStorageState /State:Enabled /NoRestart - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "ShippedWithReserves" /t REG_DWORD /d "0" /f - # `1` by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "ShippedWithReserves" /t REG_DWORD /d "1" /f + keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager + valueName: ShippedWithReserves + dataType: REG_DWORD + data: '0' + dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "PassedPolicy" /t REG_DWORD /d "0" /f - # `1` by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "PassedPolicy" /t REG_DWORD /d "1" /f + keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager + valueName: PassedPolicy + dataType: REG_DWORD + data: '0' + dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) - function: SetRegistryValue parameters: 
@@ -27919,51 +28584,56 @@ functions: "You may search for it or an alternative in the Microsoft Store or " + ` "consider using an earlier version of Windows where this package was originally provided." - - function: RunInlineCode - # This script prevents specified applications from being automatically reinstalled during Windows updates. - # Windows has a feature where certain pre-installed applications (also known as provisioned apps) are reinstalled - # when you perform a major update, even if they were previously uninstalled. - # For detailed information, refer to the following Microsoft documentation: - # - Deprovisioning Apps: https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update#create-registry-keys-for-deprovisioned-apps - # - Archived versions: https://archive.ph/04108, https://web.archive.org/web/20231023131048/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update#create-registry-keys-for-deprovisioned-apps - # - In-place Upgrade Recommendations: https://learn.microsoft.com/en-us/mem/configmgr/osd/understand/in-place-upgrade-recommendations#remove-default-apps - # - Archived versions: https://archive.ph/I7Dwc, https://web.archive.org/web/20231023132613/https://learn.microsoft.com/en-us/mem/configmgr/osd/understand/in-place-upgrade-recommendations#remove-default-apps + function: CreateRegistryKey parameters: - code: |- - :: Mark '{{ $packageName }}' as deprovisioned to block reinstall during Windows updates. - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\{{ $packageName }}_{{ $publisherId }}" /f - revertCode: |- - :: Remove '{{ $packageName }}' from deprovisioned list to allow reinstall during updates. 
- reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\{{ $packageName }}_{{ $publisherId }}" /f 2>nul + codeComment: Mark '{{ $packageName }}' as deprovisioned to block reinstall during Windows updates. + revertCodeComment: Remove '{{ $packageName }}' from deprovisioned list to allow reinstall during updates. + keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\{{ $packageName }}_{{ $publisherId }} + deleteOnRevert: 'true' - name: UninstallNonRemovableStoreApp parameters: - name: packageName - name: publisherId + docs: |- + This function uninstalls a non-removable app by marking it as removable and then + running the built-in app uninstallation process. + + Process: + + 1. Mark package as 'EndOfLife': + - Sets EndOfLife key in `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\EndOfLife\\` [1] [2]. + This enables removal of normally non-removable apps [1] [2], preventing uninstallation failure (error `0x80070032`). + - No packages are marked as 'EndOfLife' by default (tested on Windows 10 Pro ≥ 22H2 and Windows 11 Pro ≥ 23H2). + - Even though this script deletes this key right after app removal, it's also removed on revert to restore default OS state. + This handles cases where the key might remain (e.g., manual addition, third-party tools, incomplete script execution), as keeping this + key may have unintended side effects. + 2. Uninstall store app using Windows' built-in app package removal + 3. Remove 'EndOfLife' mark: + - Deletes the EndOfLife key added in step 1 + - Restores the app to its default, non-removable state + - Prevents potential side effects like blocking Windows Updates [3]. 
+ + [1]: https://web.archive.org/web/20240809110626/https://github.com/undergroundwires/privacy.sexy/issues/260 "Improve system app uninstallation with a hard delete · Issue #260 · undergroundwires/privacy.sexy | github.com" + [2]: https://web.archive.org/web/20240809110743/https://github.com/undergroundwires/privacy.sexy/issues/236 "[BUG]: Edge Browser uninstall process no longer works · Issue #236 · undergroundwires/privacy.sexy | github.com" + [3]: https://web.archive.org/web/20240809111127/https://github.com/undergroundwires/privacy.sexy/issues/287 "\"Remove system apps\" breaks windows commulative updates · Issue #287 · undergroundwires/privacy.sexy | github.com" call: - - # ❗️ ORDERING: Run before `UninstallStoreApp` to enable removal of system apps. function: CreateRegistryKey parameters: codeComment: Enable removal of system app '{{ $packageName }}' by marking it as "EndOfLife" - # This script modifies the system registry to enable the uninstallation of a specified app. - # Some apps (including system apps) are marked as non-removable, which prevents uninstallation and results in error 0x80070032 if an uninstall is attempted. - # To bypass this, the script marks the app as 'EndOfLife' in the registry, tricking the system into allowing the uninstallation keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\EndOfLife\$CURRENT_USER_SID\{{ $packageName }}_{{ $publisherId }} replaceSid: 'true' + deleteOnRevert: 'true' # Although unnecessary due to the `DeleteRegistryKey` step later, this handles edge cases where this value may exist. - function: UninstallStoreApp parameters: packageName: '{{ $packageName }}' publisherId: '{{ $publisherId }}' - - # ❗️ ORDERING: Run after `UninstallStoreApp` to restore the app to its default state. function: DeleteRegistryKey parameters: codeComment: Revert '{{ $packageName }}' to its default, non-removable state. 
- # This script reverses the previous modification made to the Windows registry to enable its uninstallation. - # By removing the 'EndOfLife' status from the registry entry, the app is restored to its default, non-removable state. - # Restoring (removing) this key is important for maintaining the stability of Windows Updates (for details: https://github.com/undergroundwires/privacy.sexy/issues/287). keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\EndOfLife\$CURRENT_USER_SID\{{ $packageName }}_{{ $publisherId }} replaceSid: 'true' - @@ -29750,8 +30420,10 @@ functions: - name: CreateRegistryKey parameters: - - name: keyPath # Full path of the subkey or entry to be added. - - name: replaceSid # Replaces "$CURRENT_USER_SID" string in registry key with user SID. + - name: keyPath # Full path of the subkey or entry to be added. + - name: replaceSid # Replaces "$CURRENT_USER_SID" string in registry key with user SID. + optional: true + - name: deleteOnRevert # Set to 'true' to revert to the initial state by deleting the registry key. optional: true - name: codeComment optional: true @@ -29761,6 +30433,7 @@ functions: # Marked: refactor-with-variables # - Replacing SID is same as `DeleteRegistryKey` # - Registry path construction with hive is same as `DeleteRegistryValue` and `DeleteRegistryKey` + # - Deleting on revert is same as `DeleteRegistryKey` function: RunPowerShell parameters: code: |- 
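Review bot: The `CreateRegistryKey` step for `...\AppxAllUserStore\Deprovisioned\...` is left without any explanation, because the removed comment block was the only visible description of why this key blocks reinstallation during Windows updates and it held the Microsoft references. Unless the `docs` of the enclosing function (which starts above this hunk) already covers it, keep a short comment on the step, for example `# Deprovisioned key: stops Windows from re-provisioning this package during feature updates (see Microsoft "remove provisioned apps during update")`. The archived reference links from the removed lines belong in that function's `docs`, in the same footnote style the new `UninstallNonRemovableStoreApp` docs use.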
@@ -29781,6 +30454,31 @@ functions: } catch { Write-Error "Failed to create the registry key at path `"$registryPath`": $($_.Exception.Message)" } + revertCode: |- + {{ with $deleteOnRevert }} + $keyPath='{{ $keyPath }}' + $registryHive = $keyPath.Split('\')[0] + $registryPath = "$($registryHive):$($keyPath.Substring($registryHive.Length))" + {{ with $replaceSid }} + $userSid = (New-Object System.Security.Principal.NTAccount($env:USERNAME)).Translate([Security.Principal.SecurityIdentifier]).Value + $registryPath = $registryPath.Replace('$CURRENT_USER_SID', $userSid) + {{ end }} + Write-Host "Removing registry key at `"$registryPath`"." + if (-not (Test-Path -LiteralPath $registryPath)) { + Write-Host "Skipping, no action needed, registry key `"$registryPath`" does not exist." + exit 0 + } + try { + Remove-Item ` + -LiteralPath $registryPath ` + -Force ` + -ErrorAction Stop ` + | Out-Null + Write-Host "Successfully removed the registry key at path `"$registryPath`"." + } catch { + Write-Error "Failed to remove the registry key at path `"$registryPath`": $($_.Exception.Message)" + } + {{ end }} codeComment: '{{ with $codeComment }}{{ . }}{{ end }}' revertCodeComment: '{{ with $revertCodeComment }}{{ . }}{{ end }}' - @@ -29795,7 +30493,7 @@ functions: optional: true - name: codeComment optional: true - - name: maximumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints` + - name: maximumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints` optional: true call: - @@ -29810,6 +30508,7 @@ functions: # Marked: refactor-with-variables # - Replacing SID is same as `CreateRegistryKey` # - Registry path construction with hive is same as `DeleteRegistryValue` and `CreateRegistryKey` + # - Deleting is same as reverting `CreateRegistryKey` function: RunPowerShellWithWindowsVersionConstraints parameters: maximumWindowsVersion: '{{ with $maximumWindowsVersion }}{{ . }}{{ end }}' 
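Review bot: In the added `revertCode`, the SID is resolved from `$env:USERNAME` through an unqualified `NTAccount` lookup, so the key that gets removed depends on an environment variable and on how a bare account name resolves, not on the identity the process actually runs as. Reading it from the process token avoids both: `$userSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value`. The apply side of `CreateRegistryKey` is outside this hunk and presumably resolves the SID the same way, so both should change together or apply and revert could target different keys. Separately, `Remove-Item` is called without `-Recurse`, so a key that has subkeys would likely stop a non-interactive run at the confirmation prompt.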
@@ -30042,14 +30741,20 @@ functions: codeComment: Require "{{ $algorithmName }}" key exchange algorithm to have at "{{ $keySizeInBits }}" least bits keys for TLS/SSL connections revertCodeComment: Restore key size requirement for "{{ $algorithmName }}" for TLS/SSL connections - - function: RunInlineCode - # Marked: refactor-with-if-syntax - # Only run if `ignoreServerSide !== false`, then use `SetRegistryValue` + function: SetRegistryValue parameters: - code: >- - {{ with $ignoreServerSide }}:: {{ end }} reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\{{ $algorithmName }}" /v "ServerMinKeyBitLength" /t "REG_DWORD" /d "{{ $keySizeInBits }}" /f - revertCode: >- # Missing key since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2) - {{ with $ignoreServerSide }}:: {{ end }} reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\{{ $algorithmName }}" /v "ServerMinKeyBitLength" /f 2>nul + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\{{ $algorithmName }} + valueName: ServerMinKeyBitLength + dataType: REG_DWORD + data: '{{ $keySizeInBits }}' + deleteOnRevert: 'true' # Missing key since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2) + # Marked: refactor-with-if-syntax + # Only run if `ignoreServerSide !== false`, then use `SetRegistryValue` + setupCode: |- + {{ with $ignoreServerSide }} + Write-Host 'Skipping server-side configuration. This setting is not managed by this mechanism. No action needed.' + Exit 0 + {{ end }} - function: SetRegistryValue parameters: 
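Review bot: The new `setupCode` skips the server-side step when `ignoreServerSide` is set, but this hunk does not show whether it also guards the revert path, whereas the removed version commented out both `code` and `revertCode`. If `setupCode` runs only before `code`, a revert with `ignoreServerSide` set would delete a `ServerMinKeyBitLength` value this script never wrote, which could remove a minimum key size an administrator configured. Please confirm in `RunPowerShellWithWindowsVersionConstraints` (outside this hunk) that `setupCode` also precedes `revertCode`. The carried-over comment also reads as inverted relative to the code; `# Runs only when ignoreServerSide is not set` would match what `setupCode` does.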
@@ -30333,13 +31038,19 @@ functions: - name: SetRegistryValue parameters: - - name: keyPath # Full path of the subkey or entry to be added. - - name: valueName # Name of the add registry entry. - - name: dataType # Type for the registry entry. - - name: data # Data for the new registry entry. - - name: deleteOnRevert # Set to 'true' to revert to the initial state by deleting the registry key. + - name: keyPath # Full path of the subkey or entry to be added. + - name: valueName # Name of the add registry entry. + - name: dataType # Type for the registry entry. + - name: data # Data for the new registry entry. + - name: evaluateDataAsPowerShell # If true, evaluates 'data' as a PowerShell expression before setting the registry value. optional: true - - name: minimumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints` + - name: dataOnRevert # Specifies the value to restore when reverting the registry change, instead of deleting the entry. + optional: true + - name: deleteOnRevert # Set to 'true' to revert to the initial state by deleting the registry key. + optional: true + - name: setupCode # See `RunPowerShellWithWindowsVersionConstraints` + optional: true + - name: minimumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints` optional: true docs: |- This function creates or modifies a registry entry at a specified path. 
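Review bot: The comment on `evaluateDataAsPowerShell` names only `data`, but the template in the following hunk applies the flag to `dataOnRevert` too, and the comment does not say that the value is then run as code rather than written as text. Suggested wording: `# If set, 'data' and 'dataOnRevert' are executed as PowerShell expressions; pass only fixed expressions written in this file, never caller-supplied text`. The comments on `dataOnRevert` and `deleteOnRevert` should also state that they are alternatives, since the revert template emits both branches when both are set.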
@@ -30348,18 +31059,33 @@ functions: call: function: RunPowerShellWithWindowsVersionConstraints parameters: + setupCode: '{{ with $setupCode }}{{ . }}{{ end }}' minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}' code: |- + $data = '{{ $data }}' + {{ with $evaluateDataAsPowerShell }} + $data = $({{ $data }}) + {{ end }} reg add '{{ $keyPath }}' ` /v '{{ $valueName }}' ` /t '{{ $dataType }}' ` - /d '{{ $data }}' ` + /d "$data" ` /f revertCode: |- {{ with $deleteOnRevert }} reg delete '{{ $keyPath }}' ` /v '{{ $valueName }}' ` /f 2>$null + {{ end }}{{ with $dataOnRevert }} + $revertData = '{{ . }}' + {{ with $evaluateDataAsPowerShell }} + $revertData = $({{ . }}) + {{ end }} + reg add '{{ $keyPath }}' ` + /v '{{ $valueName }}' ` + /t '{{ $dataType }}' ` + /d "$revertData" ` + /f {{ end }} - name: EnableTLSProtocol @@ -30583,12 +31309,13 @@ functions: codeComment: Disable app capability ({{ $appCapability }}) using user privacy settings revertCodeComment: Restore app capability ({{ $appCapability }}) using user privacy settings - - function: RunInlineCode + function: SetRegistryValue parameters: - code: >- - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\{{ $appCapability }}" /v "Value" /d "Deny" /t REG_SZ /f - revertCode: >- # All subkeys have `Allow` value since Windows 10 22H2 Pro and Windows 11 23H2 Pro - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\{{ $appCapability }}" /v "Value" /d "Allow" /t "REG_SZ" /f + keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\{{ $appCapability }} + valueName: Value + dataType: REG_SZ + data: 'Deny' + dataOnRevert: 'Allow' # Default value: `Allow` for all subkeys on Windows 10 Pro (≥ 21H1) and on Windows 11 Pro (≥ 22H2) - name: BlockUWPLegacyDeviceAccess parameters: 
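Review bot: In the added revert branch, `$revertData = $({{ . }})` sits inside the nested `{{ with $evaluateDataAsPowerShell }}`, where `.` would normally be bound to the inner `with` value (the flag) and not to `dataOnRevert`, so the revert would evaluate the flag text instead of the intended expression. Referring to the parameter by name avoids this: `$revertData = $({{ $dataOnRevert }})`. Also, `$data = '{{ $data }}'` and `$revertData = '{{ . }}'` are emitted even when evaluation is requested, so an expression containing a single quote breaks the literal before the `$( )` line is reached. Those quoted assignments should be emitted only in the non-evaluated case, if the template syntax allows it. The `call:` block starts above this hunk.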
@@ -31164,7 +31891,7 @@ functions: docs: >- Sets registry value using TrustedInstaller privileges. - > - 💡 Use this function for a consistent approach instead of directly using `reg add` or `reg delete` commands.> + > - 💡 Use this function for a consistent approach instead of directly using `reg add` or `reg delete` commands. > - ❗️ Use this function only when `SetRegistryValue` fails with permission errors. call: # Marked: refactor-with-variables @@ -31175,8 +31902,7 @@ functions: revertCode: |- {{ with $deleteOnRevert }} reg delete "{{ $keyPath }}" /v "{{ $valueName }}" /f 2>nul - {{ end }} - {{ with $dataOnRevert }} + {{ end }}{{ with $dataOnRevert }} reg add "{{ $keyPath }}" /v "{{ $valueName }}" /t "{{ $dataType }}" /d "{{ . }}" /f {{ end }} minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}' 
@@ -31185,15 +31911,21 @@ functions: parameters: - name: productGuid docs: |- - This function deletes license data for a given Visual Studio product GUID. + This function deletes license data for a specific Visual Studio product GUID. + + Visual Studio stores license data in the registry in + `HKCR\Licenses\\!(Default)` [1] [2]. + Each numeric subkey contains a default value with binary license data. - Visual Studio stores license data under different numeric subkeys with default values that contain binary data. - The registry path is: `HKCR\Licenses\\!(Default)`. + `HKCR` is a virtual view combining `HKCU\Software\Classes` and `HKLM\Software\Classes` [3]. + The actual license data is stored in `HKLM\Software\Classes`. - This script deletes the specified registry key, removing all numeric subkeys and their associated binary data. + This function removes the entire registry key for the given product GUID, + including all subkeys and values, effectively deleting the license. - [1]: https://github.com/privacysexy-forks/VSKeyExtractor/blob/main/Program.cs "VSKeyExtractor/Program.cs at main · privacysexy-forks/VSKeyExtractor | github.com" - [2]: https://github.com/privacysexy-forks/VSCELicense/blob/master/VSCELicense.psm1 "VSCELicense/VSCELicense.psm1 at master · privacysexy-forks/VSCELicense | github.com" + [1]: https://web.archive.org/web/20240809125530/https://github.com/privacysexy-forks/VSKeyExtractor/blob/main/Program.cs "VSKeyExtractor/Program.cs at main · privacysexy-forks/VSKeyExtractor | github.com" + [2]: https://web.archive.org/web/20240809125330/https://github.com/privacysexy-forks/VSCELicense/blob/master/VSCELicense.psm1 "VSCELicense/VSCELicense.psm1 at master · privacysexy-forks/VSCELicense | github.com" + [3]: https://web.archive.org/web/20240802114228/https://learn.microsoft.com/en-us/windows/win32/sysinfo/hkey-classes-root-key "HKEY_CLASSES_ROOT Key - Win32 apps | Microsoft Learn | learn.microsoft.com" call: - function: Comment 
@@ -31202,7 +31934,7 @@ functions: - function: DeleteRegistryKey parameters: - keyPath: HKCR\Licenses\{{ $productGuid }} + keyPath: HKLM\SOFTWARE\Classes\Licenses\{{ $productGuid }} - name: ClearRegistryValues # Deletes values in the specified registry key, preserving the key and subkeys. @@ -31675,7 +32407,7 @@ functions: valueName: 'HideIfEnabled' dataType: REG_DWORD data: '0x22ab9b9' # Default value on Windows 11 Pro (≥ 23H2) 11, it hides - # dataOnRevert: '0x22ab9b9' # Default value: Missing on Windows 10 Pro (≥ 22H2) | `0x22ab9b9` on Windows 11 Pro (≥ 23H2) # Not yet supported + dataOnRevert: '0x22ab9b9' # Default value: Missing on Windows 10 Pro (≥ 22H2) | `0x22ab9b9` on Windows 11 Pro (≥ 23H2) minimumWindowsVersion: Windows11-FirstRelease # `HideIfEnabled` has no effect Windows 10 - function: ShowExplorerRestartSuggestion @@ -31721,7 +32453,7 @@ functions: dataType: REG_SZ data: 'Hide' deleteOnRevert: '{{ with $hideOnRevert }}true{{ end }}' # By default, this value does not exist if the item is hidden since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - # dataOnRevert: '{{ with $showOnRevert }}Show{{ end }}' # Not yet supported + dataOnRevert: '{{ with $showOnRevert }}Show{{ end }}' # This is the default value if this item is shown by default - function: SetRegistryValue parameters: @@ -31730,7 +32462,7 @@ functions: dataType: REG_SZ data: Hide deleteOnRevert: '{{ with $hideOnRevert }}true{{ end }}' # By default, this value does not exist if the item is hidden since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - # dataOnRevert: '{{ with $showOnRevert }}Show{{ end }}' # Not yet supported + dataOnRevert: '{{ with $showOnRevert }}Show{{ end }}' # This is the default value if this item is shown by default - function: SetRegistryValue parameters: