
hotcakex / harden-windows-security

1.2K 32.0 93.0 329.12 MB

Harden Windows safely and securely using officially supported Microsoft methods, with proper explanations | Always up to date and works with the latest build of Windows | Provides tools and guides for Personal, Enterprise, Government and Military security levels | Read the Rationale: https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md

Home Page: https://hotcakex.github.io

License: MIT License

PowerShell 99.43% C# 0.57%
defender firewall-configuration harden powershell-script security security-hardening windows11 powershell bitlocker encryption

harden-windows-security's Introduction

To my GitHub profile




Microsoft MVP CyberSecurity Evangelist, Xbox and PC gamer Girl, Don't mind talking about politics, Nyctophile and Selenophile, with some Ceraunophilia Tendencies.



Harden-Windows-Security Harden Windows Safely, Securely, only with Official Microsoft methods

hotcakex.github.io My Windows Security Hardening website

spynetgirl.github.io My Windows Security Blog

WDACConfig PowerShell module For Windows Defender Application Control

Official-IANA-IP-blocks Internet Assigned Numbers Authority (IANA) official IP address blocks

WinSecureDNSMgr Automatic way to configure Secure DNS in Windows with multiple available operation modes

MSEdgeFeatures Automated repository, tasked with identifying feature changes in each Edge canary update




Name Description
YouTube Vanced Ad-free YouTube app
Cloudflare WARP Secure your Internet connection with WireGuard VPN protocol
PowerToys Awesome modular software full of useful tools
Invidious An alternative front-end to YouTube
11ty/eleventy Create automatic websites using markdown and other file types
MkDocs Create automatic websites using markdown

harden-windows-security's People

Contributors

agpt8 avatar ayaen avatar elliot-huffman avatar hotcakex avatar pathei-kosmos avatar rafalfitt avatar


harden-windows-security's Issues

Increase the minimum startup PIN length

Many AMD processors (Zen 2 & 3 architectures; 3000, 5000 series...) use a firmware implementation of the TPM, the fTPM (equivalent to Intel's "Platform Trust Technology", but slightly different). Researchers have just found new attacks against this form of implementation, which make it possible to completely break the fTPM and reveal its internal state. Interestingly, using a fairly complex password means you can still maintain an adequate level of security, even with a cracked fTPM. As shown in the paper (p.11), with a compromised fTPM, a 10-character PIN will only last 34 minutes against a brute-force attack:

image

As 10 characters is the minimum length currently requested by the script, I propose to lengthen it a bit. The researchers conclude (p.13):

Our case study shows that FDE implementations must employ standalone anti-brute-force measures beyond the sealed TPM object as BitLocker does (5.3.2). If the TPM is compromised, this upholds the protector's confidentiality to a degree a (non-TPM) PIN/password-only protector can achieve. The security of such a method dramatically depends on the length and complexity of the PIN or password, so strong requirements regarding its length and character set should be considered.
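The scaling the researchers describe, worked through as an added example in PowerShell (not from the issue, the paper or the script). It assumes that the 34-minute figure quoted above is the time to exhaust a digits-only 10-character keyspace, which the issue does not state, backs an implied guess rate out of that assumption, and then shows how the exhaustive-search time grows with PIN length and character set.

```powershell
# Added example: how the PIN keyspace scales once a compromised TPM no longer
# enforces anti-hammering and every guess costs only the key derivation.
# ASSUMPTION: 34 minutes for a 10-character PIN is taken as the time to walk a
# digits-only (10^10) keyspace; the paper's actual charset is not given in the
# issue, so the derived rate is an order-of-magnitude figure only.

function Get-ImpliedGuessRate {
    param(
        [int]$Length = 10,
        [int]$CharsetSize = 10,
        [double]$ExhaustSeconds = 34 * 60
    )
    # Guesses per second needed to exhaust the keyspace in ExhaustSeconds
    return [math]::Pow($CharsetSize, $Length) / $ExhaustSeconds
}

function Get-ExhaustiveSearchTime {
    param(
        [Parameter(Mandatory)][int]$Length,
        [Parameter(Mandatory)][int]$CharsetSize,
        [Parameter(Mandatory)][double]$GuessesPerSecond
    )
    $keyspace = [math]::Pow($CharsetSize, $Length)
    $seconds  = $keyspace / $GuessesPerSecond
    [pscustomobject]@{
        Length      = $Length
        CharsetSize = $CharsetSize
        Keyspace    = ('{0:E2}' -f $keyspace)
        Days        = [math]::Round($seconds / 86400, 2)
        Years       = [math]::Round($seconds / (86400 * 365.25), 2)
    }
}

# Roughly 4.9 million guesses per second under the assumption above
$rate = Get-ImpliedGuessRate

# Digits only (BitLocker's standard PIN character set) at increasing lengths,
# then a 10-character enhanced PIN drawn from letters and digits (62 symbols).
$scenarios = @(
    @{ Length = 10; CharsetSize = 10 },
    @{ Length = 12; CharsetSize = 10 },
    @{ Length = 14; CharsetSize = 10 },
    @{ Length = 20; CharsetSize = 10 },
    @{ Length = 10; CharsetSize = 62 }
)

$scenarios | ForEach-Object {
    Get-ExhaustiveSearchTime -Length $_.Length -CharsetSize $_.CharsetSize -GuessesPerSecond $rate
} | Format-Table -AutoSize
```

Each extra digit multiplies the search time by ten, while widening the character set from digits to letters and digits at the same length multiplies it by (62/10)^10, which is why the paper stresses both length and character set rather than length alone.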

Upcoming Windows change: Notification when location is disabled

Creating this to track an upcoming change that can show a notification when location is disabled. Tracking this since the script disables location in the Miscellaneous category; the necessary changes will be made to the script once that change hits the more stable channels, to prevent unwanted annoyance for the users of the script.

https://blogs.windows.com/windows-insider/2023/06/22/announcing-windows-11-insider-preview-build-23486/

Smart App Control does not actually need Optional Diagnostic data to function, despite what Microsoft Docs say

Proof:

image

What is forced on is the Check Apps and Files setting, as well as the Potentially unwanted app blocking setting under the reputation based protection section in Windows Security.

I would recommend not forcing this on in the script, as many users are likely to be uncomfortable trusting Microsoft with that much data, as opposed to required diagnostics which is (mostly) hardware data.

Additional data about the websites you browse, how Windows and apps are used and how they perform. This data also includes data about device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users.

https://learn.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-settings

[Bug]: Program 'sigcheck64.exe' failed to run: A certificate was explicitly revoked by its issuerAt

Tools category

Harden Windows Security Script

Does your system meet the requirements?

  • Yes, my system meets the requirements 👍

Is your Windows installation genuine?

  • Yes, I am using genuine Windows installation. 💯

Please explain the bug

Run Certificate Checking category ?
1: Yes
2: No
3: Exit
Select an option: 1

Listing valid certificates not rooted to the Microsoft Certificate Trust List in the User store

Program 'sigcheck64.exe' failed to run: A certificate was explicitly revoked by its issuerAt
C:\Users\username\Harden-Windows-Security\Harden-Windows-Security.ps1:1613 char:17
+             .\sigcheck64.exe -tuv -accepteula -nobanner
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.
At C:\Users\username\Harden-Windows-Security\Harden-Windows-Security.ps1:1613 char:17
+             .\sigcheck64.exe -tuv -accepteula -nobanner
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed

[Bug]: Azure VM, RDP getting logged off

Tools category

Harden Windows Security Script

Does your system meet the requirements?

  • Yes, my system meets the requirements 👍

Please explain the bug

When you run this on an Azure VM (with the Microsoft Security Baselines option enabled) you get logged off and kicked out of the machine and can't get in anymore. Probably because the policies disable RDP. Please make something to detect that it's an Azure VM and don't apply those settings. I can help with that. Until that's done you should state that this shouldn't be run on an Azure VM because it breaks the connection to the VM.

[Bug]: Running the script clears out all the entries in Controlled Folder Access Allow list

Tools category

Harden Windows Security Module

Does your system meet the requirements?

  • Yes, my system meets the requirements 👍

Is your Windows installation genuine?

  • Yes, I am using genuine Windows installation. 💯

Please explain the bug

I ran the script recently and I noticed that the Controlled Folder Access Exclusion list had been cleared. There were some 15 exclusions prior to running this script and all of them were gone. This was confirmed when I checked the output of Confirm-SystemCompliance. The count said 15 and the apps were listed before I ran the script.

image

Also, when I try to view the Allow list in the app, I get the following message:

image

This is related to #151

Is clearing the Allow list by design or a bug? Is it possible to preserve this list somehow when the script is run again?
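One way to keep the allow list across a hardening run, as an added example in PowerShell that is not part of the Harden-Windows-Security module: snapshot the Controlled Folder Access allowed applications with Get-MpPreference before the run and re-add whatever is missing afterwards with Add-MpPreference. The backup file path is an assumption; an elevated PowerShell with Microsoft Defender Antivirus active is required.

```powershell
# Added example (not the module's own code): back up and restore the
# Controlled Folder Access allow list around a hardening run.

$BackupPath = Join-Path $env:ProgramData 'CFA-AllowedApps.json'   # assumed path

function Backup-CfaAllowedApps {
    param([string]$Path = $BackupPath)
    $apps = @((Get-MpPreference).ControlledFolderAccessAllowedApplications)
    # -InputObject keeps a single entry as a JSON array instead of a bare string
    ConvertTo-Json -InputObject $apps | Set-Content -Path $Path -Encoding UTF8
    Write-Host "Saved $($apps.Count) allowed application(s) to $Path"
    return $apps
}

function Restore-CfaAllowedApps {
    param([string]$Path = $BackupPath)
    if (-not (Test-Path $Path)) { throw "No backup found at $Path" }
    $saved   = @(Get-Content -Path $Path -Raw | ConvertFrom-Json)
    $current = @((Get-MpPreference).ControlledFolderAccessAllowedApplications)
    # Re-add only the entries that disappeared; Add-MpPreference appends to the list
    $missing = @($saved | Where-Object { $current -notcontains $_ })
    if ($missing.Count -gt 0) {
        Add-MpPreference -ControlledFolderAccessAllowedApplications $missing
    }
    Write-Host "Restored $($missing.Count) missing entry/entries"
    return $missing
}

# Usage around a hardening run:
#   Backup-CfaAllowedApps
#   ... run the hardening script or module here ...
#   Restore-CfaAllowedApps
#   Confirm-SystemCompliance   # the module's own check, as used in the report above
```

Comparing the saved and current lists before calling Add-MpPreference avoids duplicate entries if the run left some of the list intact, and the returned arrays make it easy to see exactly which exclusions were lost.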

Bitlocker need no bootable media inserted in order to process

If you want to activate BitLocker, Microsoft wants you to remove any bootable media (CD/DVD and maybe USB) in order to do the first encryption.

These errors occured, run Bitlocker category again after meeting the requirements
Add-TpmAndPinProtectorInternal : Le chiffrement de lecteur BitLocker a détecté la présence d’un média de démarrage
amovible (CD ou DVD) dans l’ordinateur. Retirez le média, puis redémarrez l’ordinateur avant de configurer BitLocker.

English:
Add-TpmAndPinProtectorInternal: BitLocker Drive Encryption detected the presence of bootable media
removable disk (CD or DVD) in the computer. Remove the media and then restart the computer before setting up BitLocker.

The error says it needs a computer restart before even trying to set up BitLocker if media was present, but it should be tested whether it works without a reboot by just waiting for the user to eject the media; at the moment, it throws this error.

Windows 11 22621.1105, freshly installed without touching anything.

[Bug]: Error on script execution

Tools category

Harden Windows Security Script

Does your system meet the requirements?

  • Yes, my system meets the requirements 👍

Is your Windows installation genuine?

  • Yes, I am using genuine Windows installation. 💯

Please explain the bug

Error on script execution
The script stops with an error, please see the screenshot.

I kind of "fixed it" by changing the working folder path in all 3 places inside the script from %temp% to the user folder.

The same error happened on protection uninstall.
The same fix resolves the problem.
Screenshot 2023-09-24 120326

Increase the firewall log max. size

Hi,

Two small improvements regarding the firewall policy:

  • Split the log in separate files for each profile (such as publicfw.log, privatefw.log and domainfw.log). This is recommended in the CIS Benchmark policy
  • Increase the maximum size of each log to its upper limit (32 MB, so 32767 for the LogFileSize registry keys)
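Both improvements applied through the NetSecurity module, as an added example in PowerShell (not the project's code): each profile gets its own log file under the default firewall log directory and the size limit is raised to the 32767 KB maximum, then the settings are read back for verification. The file names follow the suggestion above; run from an elevated PowerShell.

```powershell
# Added example (not the project's code): per-profile firewall logs at the
# maximum size, with a read-back check.

$LogDir   = "$env:SystemRoot\System32\LogFiles\Firewall"   # default log directory
$Profiles = @{
    Domain  = 'domainfw.log'
    Private = 'privatefw.log'
    Public  = 'publicfw.log'
}

function Set-PerProfileFirewallLogging {
    foreach ($name in $Profiles.Keys) {
        # LogMaxSizeKilobytes maps to the LogFileSize value mentioned in the issue;
        # LogBlocked records dropped packets, add -LogAllowed True for successful connections too
        Set-NetFirewallProfile -Profile $name `
            -LogFileName (Join-Path $LogDir $Profiles[$name]) `
            -LogMaxSizeKilobytes 32767 `
            -LogBlocked True
    }
}

function Test-PerProfileFirewallLogging {
    # One row per profile: LogFileName must differ per profile, LogMaxSizeKilobytes must be 32767
    Get-NetFirewallProfile |
        Select-Object Name, LogFileName, LogMaxSizeKilobytes, LogBlocked, LogAllowed
}

Set-PerProfileFirewallLogging
Test-PerProfileFirewallLogging | Format-Table -AutoSize
```

Separate files also make it obvious which profile a dropped-packet entry came from when the logs are later shipped to a SIEM or reviewed by hand.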

please enforce EnableCertPaddingCheck

This would stop the 3CX supply chain attack.

[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"
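The two registry values above applied and verified from PowerShell, as an added example that is not the project's code. It writes the same REG_SZ value "1" as the .reg text and reports per key whether the setting is in place; run from an elevated PowerShell.

```powershell
# Added example (not the project's code): enable the WinVerifyTrust
# certificate padding check at both registry locations and verify them.

$CertPaddingKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
)

function Enable-CertPaddingCheck {
    foreach ($key in $CertPaddingKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # REG_SZ "1", exactly as in the .reg file from the issue
        New-ItemProperty -Path $key -Name 'EnableCertPaddingCheck' -Value '1' `
            -PropertyType String -Force | Out-Null
    }
}

function Test-CertPaddingCheck {
    # One row per key; Compliant is $true only when the value is the string "1"
    foreach ($key in $CertPaddingKeys) {
        $value = (Get-ItemProperty -Path $key -Name 'EnableCertPaddingCheck' `
            -ErrorAction SilentlyContinue).EnableCertPaddingCheck
        [pscustomobject]@{
            Key       = $key
            Value     = $value
            Compliant = ($value -eq '1')
        }
    }
}

Enable-CertPaddingCheck
Test-CertPaddingCheck | Format-Table -AutoSize
```

Once the check is on, a signed binary that carries extra data in the padding of its Authenticode signature fails validation, so Get-AuthenticodeSignature on such a file reports an invalid status; that is the intended effect, and it is worth re-checking any internally built installers after enabling it.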

[Bug]: Get-NetFirewallProfile: The specified network name is no longer available.

Tools category

Harden Windows Security Module

Does your system meet the requirements?

  • Yes, my system meets the requirements 👍

Explain the bug

When I execute the command "Confirm-SystemCompliance", I encounter the error: "Get-NetFirewallProfile: The specified network name is no longer available." This occurs even though I'm operating from a privileged PowerShell terminal and have just installed the relevant module.

[BUG?] TLS Security - Break Battle.net Launcher

I noticed that TLS Security breaks Battle.net Launcher.

Virtual Machine: VMWare Workstation Pro 17.0.2 // Win 11 Enterprise 22H2 fresh installed, including all updates up-to-date.

image

image

After I apply the TLS Security part, the machine can't connect to Battle.net anymore. I tested every combination; the other parts are okay with Battle.net.

[Bug]: Differing compliance

Tools category

Harden Windows Security Module

Does your system meet the requirements?

  • Yes, my system meets the requirements 👍

Is your Windows installation genuine?

  • Yes, I am using genuine Windows installation. 💯

Please explain the bug

Just started using this to check compliance.
I had previously used: win10-asr-get.ps1 to check ASR policies.
This test shows as passed for all 12.

However, with this compliance check, all of the ASR policies show False 1.
Along with a lot of other things failing, other scripts show them as active.

[Bug]: Broken link in Rationale.md

Tools category

Harden Windows Security Module

Does your system meet the requirements?

  • Yes, my system meets the requirements 👍

Is your Windows installation genuine?

  • Yes, I am using genuine Windows installation. 💯

Please explain the bug

There is a broken link under the section Which device to use in Rationale.md. Specifically the [!Important] call out, at the very end, the link on "Read More". The Moot inc page says 404 Not Found.

PS: I know it's a very tiny bug but couldn't help myself :P

[Bug]: Error in "Untrusted Fonts" Category on Non-English Systems

Tools category

Harden Windows Security Script

Does your system meet the requirements?

  • Yes, my system meets the requirements 👍

Please explain the bug

Description:

On systems not using "English (US)" as the language, blocking untrusted fonts results in an error with the message Fehler 0x00000057: Falscher Parameter.

Steps to Reproduce:

  1. On a system with a language other than "English (US)", navigate to the "Block Untrusted Fonts" section.
  2. Select the option to block untrusted fonts.
  3. Observe the error message: Fehler 0x00000057: Falscher Parameter.

Additional Information:

The error seems related to the AuditPol command's parameters or localization.

Below is the full output:

Block Untrusted Fonts ?
1: Yes
2: No
3: Exit
Select an option: 1
Web request status [Web request completed. (Number of bytes processed: 95238)                                        ]
LGPO.exe - Local Group Policy Object Utilitylaneous Configurations section                                           ]
Version 3.0.2004.13001
Copyright (C) 2015-2020 Microsoft Corporation
Security Compliance Toolkit - https://www.microsoft.com/download/details.aspx?id=55319

Web request status [Web request completed. (Number of bytes processed: 95238)                                        ]is
Miscellaneous Configurations [Running Miscellaneous Configurations section                                           ]
Fehler 0x00000057:
Falscher Parameter.

Syntax: Befehl AuditPol [<Unterbefehl><Optionen>]


Befehle (nur ein Befehl pro Ausführung zulässig)
  /?             Hilfe (kontextabhängig)
  /get           Zeigt die aktuelle Überwachungsrichtlinie an.
  /set           Legt die Überwachungsrichtlinie fest.
  /list          Zeigt die auswählbaren Elemente der Richtlinie an.
  /backup        Speichert Überwachungsrichtlinien in einer Datei.
  /restore       Stellt eine Überwachungsrichtlinie aus einer Datei wieder her.
  /clear         Löscht die Überwachungsrichtlinie.
  /remove        Entfernt die Einzelbenutzer-Überwachungsrichtlinie für
                 einen angegebenen Benutzer.
  /resourceSACL  Konfiguriert SACLs für globale Ressourcen
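A language-independent way to drive AuditPol, as an added example in PowerShell that is not the project's code: subcategories are addressed by their GUID instead of their localized display name, and the CSV output of /r is parsed by column position rather than by localized header. The Process Creation subcategory is used only as an illustration; the subcategory the script actually sets is not shown in the issue. Run from an elevated PowerShell.

```powershell
# Added example (not the project's code): set and read an audit subcategory by
# GUID so the call does not depend on the OS display language.

# Process Creation subcategory GUID (the same on every language and version)
$ProcessCreation = '{0CCE922B-69AE-11D9-BED3-505054503030}'

function Set-AuditSubcategoryByGuid {
    param(
        [Parameter(Mandatory)][string]$Guid,
        [ValidateSet('enable','disable')][string]$Success = 'enable',
        [ValidateSet('enable','disable')][string]$Failure = 'enable'
    )
    & auditpol.exe /set /subcategory:$Guid /success:$Success /failure:$Failure
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed with exit code $LASTEXITCODE" }
}

function Get-AuditSubcategoryByGuid {
    param([Parameter(Mandatory)][string]$Guid)
    # /r emits CSV; the header row is localized, so supply our own column names
    # and match on the GUID column, which is language-neutral
    $lines = & auditpol.exe /get /subcategory:$Guid /r
    $rows  = $lines | Where-Object { $_ -match '\S' } | Select-Object -Skip 1 |
        ConvertFrom-Csv -Header 'Machine','Target','Subcategory','Guid','Inclusion','Exclusion'
    return ($rows | Where-Object { $_.Guid -eq $Guid }).Inclusion
}

Set-AuditSubcategoryByGuid -Guid $ProcessCreation
# The returned setting text is still localized (e.g. "Success and Failure" in English)
Get-AuditSubcategoryByGuid -Guid $ProcessCreation
```

The GUIDs for every subcategory can be listed on any machine with auditpol /list /subcategory:* /r, which makes this approach easy to extend to the rest of a baseline.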

Add secure deletion

Why not add SDelete and integrate it into the context menu (and maybe recycle bin management)? Just a suggestion, as secure deletion is part of security. The updated DoD 5220.22-M ECE method requires seven passes, the command to reach this standard is: sdelete -p 7 -r -s C:\SensitiveData. I'm not sure about SDelete's compatibility with SSDs though.

[Bug]: Edit-SignedWDACConfig not merging Supplemental Policies

Tools category

WDACConfig Module

Does your system meet the requirements?

  • Yes, my system meets the requirements 👍

Is your Windows installation genuine?

  • Yes, I am using genuine Windows installation. 💯

Please explain the bug

Today I started deploying WDAC on my machine and found something interesting: the following command
Edit-SignedWDACConfig -MergeSupplementalPolicies -CertPath "C:\Certificate.cer" -SuppPolicyName "Merge of Multiple Supplementals" -PolicyPaths "C:\AllowMicrosoftPlusBlockRules.xml" -CertCN "WDAC Certificate" -SuppPolicyPaths "C:\Supplemental policy for App1.xml","C:\Supplemental policy for App 2.xml","C:\Supplemental policy for App 3.xml"

It appears not to work if you use the following command
New-SupplementalWDACConfig -Normal -ScanLocation "C:\Program Files\Program" -SuppPolicyName "App's Name" -PolicyPath "C:\AllowMicrosoftPlusBlockRules.xml"

It shows an error message about the PolicyPaths, or even that the supplementals are not deployed, but I tested with the supplemental policies deployed and it does not work.

Currently I'm testing creating them one by one and then merging them, using this command
Edit-SignedWDACConfig -AllowNewApps -CertPath "C:\Certificate.cer" -SuppPolicyName "App's Name" -PolicyPaths "C:\AllowMicrosoftPlusBlockRules.xml" -CertCN "WDAC Certificate"

Suggested Solution for "Zotero missing from Word"

I believe it would be beneficial for the Wiki to include a dedicated section addressing these common problems and their solutions.

For example:

Suggested Solution for "Zotero missing from Word":

  1. Open the Windows Registry Editor (regedit).
  2. Navigate to: Computer\HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\common\toolbars\word\noextensibilitycustomizationfromdocument Change the value from 1 to 0.
  3. Next, navigate to: Computer\HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\word\security\vbawarnings Change the value from 3 to 2.

By making these changes, Zotero should appear in Word as expected.

It would be fantastic if this solution could be added to the Wiki and as a script category, as it might save users a lot of time searching for fixes to this common problem. If there are other common problems related to the security script, it might be worth considering adding them to this section as well.

[Bug]: File explorer displays black bar on devices after running hardening script

Tools category

Harden Windows Security Module

Does your system meet the requirements?

  • Yes, my system meets the requirements 👍

Is your Windows installation genuine?

  • Yes, I am using genuine Windows installation. 💯

Please explain the bug

Description:
I've encountered an issue with the file explorer on all four devices where I've applied the hardening script. After approximately a month of using the script, the file explorer started showing a black bar (refer to the attached screenshot). While I understand this might not be directly related to the script, I was wondering if anyone else has experienced this or has a potential solution. For reference, devices that haven't had the script run on them are functioning as expected.

Additional Information:

  • I have already tried troubleshooting using both DISM and SFC tools.

  • Affected Win Versions: 22621

  • As a quick fix: Running the unprotect script fixes the issue mentioned

Kind regards

image

[Bug]: Use Strict CFG causing an issue in explorer.exe

Tools category

Harden Windows Security Script

Does your system meet the requirements?

  • Yes, my system meets the requirements 👍

Please explain the bug

Hi @HotCakeX ,

In the exploit protection settings I found an issue with explorer.exe and decided to share this information, just in case other users decide to use the exploit protection settings. Use Strict CFG is causing a little bug in the UI of explorer.exe in Windows 11 23H2 22631.2338
image

In this installation I only have Windows tools and didn't install any third-party software; because of this issue I decided to test in a VM (Hyper-V) and, using Windows 11 22H2 22621.2283, explorer.exe with the exploit protection settings is working fine.
image

Not sure why this is happening, but if anyone is facing this issue like me, there is a workaround now. I didn't test in a full clean installation of Windows, at the moment only after updating to build 22631.2338 using Windows Update.

[Bug]: Dropping the "Untrusted Font Blocking" setting

Tools category

Harden Windows Security Script

Does your system meet the requirements?

  • Yes, my system meets the requirements 👍

Please explain the bug

According to the linked article under Miscellaneous Configuration in the README.md, it suggests blocking untrusted fonts and excluding certain apps if it causes any issues.

In the same article, under the Related Content section, another Tech Community article is linked which says the following:

With GDI font parsing performed in a restrictive AppContainer, the risk of handling untrusted fonts in GDI is now
acceptably low enough that we feel confident that the costs of font-blocking exceed its benefits. Therefore, we are
removing our previous recommendation to enable untrusted font blocking.

I believe, this setting should be dropped as current OS versions have other mitigations in place.

New suggestions for the project

Have you completely read everything and made sure the Security measure you are suggesting hasn't already been implemented?
Yes.

Hi @HotCakeX ,

I have some suggestions for the project, as the title says. I was running the script and unfortunately I got an INACCESSIBLE_BOOT_DEVICE error, and I think I discovered the problem. Since I started to use Kaspersky Plus, there is a possibility that Kaspersky blocks some PowerShell scripts and causes the issue. Here's a screenshot
image

Maybe some warning, like we have for Battle.net will be useful for the users.

Another suggestion is to warn the users about Smart App Control, since this feature is controlled by Microsoft and I think that only Azure members can configure the Smart App Control policy template; some users could have issues while running programs or games. The alternative recommendation is to use WDAC, where users have total control of the whitelist and blocklist of apps.

But if users want to use Smart App Control and they have some issues, here's a workaround I found:
1 - Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Policy and change VerifiedAndReputablePolicyState to the desired state:
Enabled - 1
Evaluation Mode - 2
Off - 0

You will notice that in the following registry key, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Protected,
VerifiedAndReputablePolicyStateMinValueSeen is set to 1, which means Enabled; don't touch this.

2 - After changing the state of Smart App Control, you can use the programs and games that were having issues with Smart App Control. When you finish using the programs or games, make sure to navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Policy and change VerifiedAndReputablePolicyState to 1 again.

WARNING: Do not restart the computer before restoring the state of VerifiedAndReputablePolicyState to 1, which is Enabled. If you restart your computer after changing the state and not restoring it to Enabled, Smart App Control will be permanently disabled.

[Bug]: Device Guard block Windows Subsystem for Linux

Tools category

Harden Windows Security Script

Does your system meet the requirements?

  • Yes, my system meets the requirements 👍

Is your Windows installation genuine?

  • Yes, I am using genuine Windows installation. 💯

Please explain the bug

When I try to run a WSL Distro I get the following:

Installing, this may take a few minutes...
WslRegisterDistribution failed with error: 0x800711c7
Error: 0x800711c7 Your organization used Device Guard to block this app. Contact your support person for more info.

Press any key to continue...

Please help in making WSL distro possible to run again.

#Bypass the Windows Defender Checks (with 3rd Party AV)

Hi Lady, sorry to bother you ...

I want to ask you if there is an option to bypass the checks and the message saying that WD is in passive mode (asking to remove 3rd party AV) ?
Thank you for the tool and the wiki (lots of interesting stuff to know about).

Thank you in advance.
Cheers, Saltinbank.

[Bug]:

Tools category

Harden Windows Security Script

Does your system meet the requirements?

  • Yes, my system meets the requirements 👍

Please explain the bug

Hi...there seems to be an issue with "Country IP Blocking" - starting here:

# ====================================================Country IP Blocking==================================================

Error output from powershell prompt:

1: Yes
2: No
3: Exit
Select an option: 1
Add countries in the State Sponsors of Terrorism list to the Firewall block list?
1: Yes
2: No
Select an option: 1
New-NetFirewallRule: C:\Users\redacted\Harden-Windows-Security.ps1:1372
Line |
1372 |  …             New-NetFirewallRule -DisplayName "$ListName IP range bloc …
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | The network name cannot be found.
New-NetFirewallRule: C:\Users\redacted\Harden-Windows-Security.ps1:1373
Line |
1373 |  …             New-NetFirewallRule -DisplayName "$ListName IP range bloc …
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | The network name cannot be found.
Add OFAC Sanctioned Countries to the Firewall block list?
1: Yes
2: No
Select an option: 1
New-NetFirewallRule: C:\Users\redacted\Harden-Windows-Security.ps1:1372
Line |
1372 |  …             New-NetFirewallRule -DisplayName "$ListName IP range bloc …
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | The network name cannot be found.
New-NetFirewallRule: C:\Users\redacted\Harden-Windows-Security.ps1:1373
Line |
1373 |  …             New-NetFirewallRule -DisplayName "$ListName IP range bloc …
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | The network name cannot be found.

I was able to successfully run the rest of the prompt with no issues...aside from the battle.net fix after I ran the TLS section.

I did also check to make sure the NetSecurity Module is available as well:

PS C:\Users\redacted> Get-Module -ListAvailable | Where-Object { $_.Name -eq 'NetSecurity' }
>>

    Directory: C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules

ModuleType Version    PreRelease Name                                PSEdition ExportedCommands
---------- -------    ---------- ----                                --------- ----------------
Manifest   2.0.0.0               NetSecurity                         Core,Desk {Get-DAPolicyChange, New-NetIPsecAuthPr…

however to clarify (maybe related?) I did not choose to run the Windows Network section as I run my local network under private and run a plex server. I did not want to break any media streaming on my local network. To my understanding this breaks local discoverability.

Maybe using something more granular like https://www.henrypp.org/product/simplewall would be a better use case, unsure at this point.

Thanks for any advice, and if this is an issue on my end and not a bug then feel free to close this out.

Upcoming Windows change: 🚀 Citool shows which policies are Signed

Currently only available in Windows insider builds in Dev channel and above, Citool has many new features and capabilities, including showing whether a deployed policy is signed or not.

When the change reaches the stable build of Windows, WDACConfig module should be updated to use this new capability.

https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands

At the moment, the latest Windows insider Dev build is: https://blogs.windows.com/windows-insider/2023/07/19/announcing-windows-11-insider-preview-build-23506/

[Bug]: Confirm-SystemCompliance error

Tools category

Harden Windows Security Module

Does your system meet the requirements?

  • Yes, my system meets the requirements 👍

Is your Windows installation genuine?

  • Yes, I am using genuine Windows installation. 💯

Please explain the bug

Hello!

I don't know since when this is happening, but when I try to run the command 'Confirm-SystemCompliance' it fails with this error:

Confirm-SystemCompliance: The 'Get-SmbServerConfiguration' command was found in the module 'SmbShare', but the module could not be loaded. For more information, run 'Import-Module SmbShare'.

If I try running the 'Import-Module SmbShare' command it also fails with the next error:

Import-LocalizedData: Cannot find the PowerShell data file 'SmbLocalization.psd1' in directory 'C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\es-ES', or in any parent culture directories.

Any ideas? Thanks in advance.

Features to be added to the project

Hi @HotCakeX ,

Opening a list of features to be added to the project, so we can know what we should implement and redirect new users if the suggested implementation is already in the project.

To be implemented:

  • Add more detail to New-ConfigWDAC and add more scenarios
    ⛔ Add base templates, so users could have a pre-made template to deploy.
    ⛔ Create a script to download and install Microsoft Edge templates (Group Policy templates; since the project implements Microsoft recommendations, and new devices don't have the ADMX for Edge Chromium)

Suggestions:

⛔ Add hardening of browsers based on CIS benchmarks and adjust the recommendations to assist the users, by allowing things like signing in to the browser and using the share button.
⛔ Implement a pre-made whitelist for Controlled Folder Access for powershell.exe, cmd.exe, powershell_ise.exe, CiTool.exe etc., since if Controlled Folder Access is enabled, Microsoft Defender will block any changes from these processes.

  • Add recommendations for Microsoft Office too, since Microsoft Security Baselines has a guideline for it.

Any updates should be added to this issue, so we can track any future changes to the project and redirect the users to the correct page if is already implemented in the project.

[New Security Measure Suggestion]:

Are you sure the Security measure is not already implemented?

  • Yes, I have checked and the Security measure I'm suggesting to be implemented is not duplicate. 🫡

Please explain your new Security measure suggestion

Yo, I also want to present a Reset solution:

Go to Start (open the Start menu) > Run (open the Run app), and type 'cmd' (without the quotes) and press Enter. [Or open the Start menu and then run the Command Prompt program.]

RD /S /Q "%WinDir%\System32\GroupPolicyUsers"
RD /S /Q "%WinDir%\System32\GroupPolicy"
gpupdate /force /boot

[Bug]: Invoke-WebRequest: 404: Not Found

Tools category

WDACConfig Module

Does your system meet the requirements?

  • Yes, my system meets the requirements 👍

Please explain the bug

PowerShell 7.3.6
PS C:\Users*> Install-Module -Name WDACConfig -Force
PS C:\Users*> New-WDACConfig -SetAutoUpdateDriverBlockRules

TaskPath TaskName State


\MSFT Driver Block list update\ MSFT Driver Block list update Ready
\MSFT Driver Block list update\ MSFT Driver Block list update Ready

The document containing the drivers block list on GitHub was last updated on 07/13/2023 15:53:45
Invoke-WebRequest: 404: Not Found

Issue with Memory Integrity Re-activation

Firstly, I'd like to express my appreciation for the effort put into the Harden Windows Security repository.

However, I have encountered a problem while trying to use the script provided in the repository.

The issue pertains to the Memory Integrity feature. After going into the Group Policies and Registry Editor, I successfully disabled the corresponding entries for Memory Integrity, effectively removing its management by the administrator.

However, the problem arises when I attempt to switch off Memory Integrity. Despite successfully disabling it and restarting the system, Memory Integrity seems to reactivate itself.

I am unsure as to why this is happening and would appreciate any assistance in resolving this issue.

Thank you for your time and support.

[Bug]: Optional Windows Features > Uninstalling Notepad (system) removes Notepad from Windows Sandbox

Tools category

Harden Windows Security Module

Does your system meet the requirements?

  • Yes, my system meets the requirements 👍

Is your Windows installation genuine?

  • Yes, I am using genuine Windows installation. 💯

Please explain the bug

I noticed when using Windows Sandbox that when I attempted to open a .txt file, Windows suggested opening the file with Windows Media Player. This confused me for a small bit of time until I remembered that the legacy Notepad had been uninstalled and my system had the modern Notepad app, and as of right now Windows Sandbox doesn't include the modern desktop apps.

Wasn't sure if this was better suited as a bug report or if it should have been a discussion post. This obviously isn't a big deal as alternative notepad applications exist and can be used within Windows Sandbox.

[Bug]: The new Downloads Defence Measures category fails to run

Tools category

Harden Windows Security Module

Does your system meet the requirements?

  • Yes, my system meets the requirements 👍

Is your Windows installation genuine?

  • Yes, I am using genuine Windows installation. 💯

Please explain the bug

The new Downloads Defence Measures category fails to run with the following error.

Before running, all the modules were updated using this command: Update-Module -Name Harden-Windows-Security-Module, WDACConfig, WinSecureDNSMgr -Force

After the update, the entire Harden-Windows-Security module was run in its entirety without any tampering of the files.

Exception: The 'New-DenyWDACConfig' command was found in the module 'WDACConfig', but the module could not be loaded due to the following error: [The module has been tampered with, signature status of the file C:\Users\ayush\OneDrive\Documents\PowerShell\Modules\WDACConfig\0.2.9\Shared\Update-self.psm1 is HashMismatch] For more information, run 'Import-Module WDACConfig'.

If I run Import-Module WDACConfig, I am seeing a similar error:

Import-Module: The module has been tampered with, signature status of the file C:\Users\ayush\OneDrive\Documents\PowerShell\Modules\WDACConfig\0.2.9\Shared\Update-self.psm1 is HashMismatch
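An added example (not from the bug report or from the WDACConfig project) that lists every script file of an installed module together with its Authenticode signature status, so a HashMismatch like the one above can be traced to the exact file rather than the module as a whole. The module name comes from the report; the installed path is resolved from the module metadata, not hard-coded.

```powershell
# Added example, not part of the WDACConfig module.
$ModuleName = 'WDACConfig'

# Newest installed version of the module (the one Import-Module would pick).
$Module = Get-Module -ListAvailable -Name $ModuleName |
    Sort-Object Version -Descending | Select-Object -First 1
if (-not $Module) { throw "Module '$ModuleName' is not installed." }

# Check each script/module/manifest file individually.
$Report = Get-ChildItem -Path $Module.ModuleBase -Recurse -Include *.ps1, *.psm1, *.psd1 |
    ForEach-Object {
        $Sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File   = $_.FullName.Substring($Module.ModuleBase.Length).TrimStart('\')
            Status = $Sig.Status            # Valid, HashMismatch, NotSigned, ...
            Signer = $Sig.SignerCertificate.Subject
        }
    }

$Report | Format-Table -AutoSize

# HashMismatch means the file content changed after it was signed (an edit, a sync
# conflict rewrite, or tampering); NotSigned means no signature at all. Either is a
# reason not to load the module. Keep a copy of the offending file before reinstalling.
$Bad = $Report | Where-Object Status -ne 'Valid'
if ($Bad) {
    Write-Warning ('{0} file(s) in {1} {2} fail signature validation' -f @($Bad).Count, $Module.Name, $Module.Version)
}
```

Because the module in the report lives under a OneDrive-synced Documents folder, a diff of the flagged file against a freshly downloaded copy of the same version is the quickest way to tell a sync-side rewrite from a deliberate change.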

[Bug]: Deploy Signed WDAC are not deploying in Windows Server

Tools category

WDACConfig Module

Does your system meet the requirements?

  • Yes, my system meets the requirements 👍

Is your Windows installation genuine?

  • Yes, I am using genuine Windows installation. 💯

Please explain the bug

Hi @HotCakeX

I followed your video that shows how to create a code signing certificate for WDAC
https://www.youtube.com/watch?v=vlu1HGuYPeg

But I had some issues, not sure what exactly I'm doing wrong. I repeated the process 3 times and always ended with the following result
image
image

Maybe I'm creating the certificate with the wrong settings? I repeated every step from your video

I can't remove this [Bug]:

Tools category

Harden Windows Security Module

Does your system meet the requirements?

  • Yes, my system meets the requirements 👍

Is your Windows installation genuine?

  • Yes, I am using genuine Windows installation. 💯

Please explain the bug

I am trying to remove this and I can't

Intel TDT - Threat Detection Technology

Set-MpPreference -IntelTDTEnabled $true

This document from last year

https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/defending-against-ransomware-with-microsoft-defender-for/ba-p/3243941

said that:

will be available for consumers through Microsoft Defender Antivirus.

Intel website:
https://www.intel.com/content/www/us/en/architecture-and-technology/vpro/hardware-shield/threat-detection-technology.html

CSP description and info:
https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configurationinteltdtenabled

GitHub issue:
MicrosoftDocs/windows-powershell-docs#3506

It doesn't do anything on non-capable devices, but on devices that support it, it should activate Intel TDT.

[Suggestion]: PowerShell Gallery security flaws?

Are you sure the Security measure is not already implemented?

  • Yes, I have checked and the Security measure I'm suggesting to be implemented is not a duplicate. 🫡

Please explain your new Security measure suggestion

Not sure if the following security flaws will affect this project or not, but I leave this post here if you want to check it.

https://www.neowin.net/news/microsoft-fails-to-fix-major-powershell-gallery-security-flaws-even-after-claiming-it-did/

https://blog.aquasec.com/powerhell-active-flaws-in-powershell-gallery-expose-users-to-attacks

Feel free to delete this post if it's not needed 👍

[Bug]: After running the script in full, windows defender shows "You don't have the proper permission to view the page" in the exclusions page

Tools category

Harden Windows Security Module

Does your system meet the requirements?

  • Yes, my system meets the requirements 👍

Is your Windows installation genuine?

  • Yes, I am using genuine Windows installation. 💯

Please explain the bug

I ran the script in full recently. While working on a development task, the Attack surface reduction rule blocked me from running pip.exe in my virtual environment. I went into the Windows Defender exclusions page to add an exclusion, but it shows the following to me.
image

After researching the issue a little, I also found that it won't let me view the Controlled Folder Access exclusion page as well, showing me the same message as above.

Running Get-MpPreference in an elevated PowerShell shows "N/A: Administrators are not allowed to view exclusions" for a lot of entries for some reason. I have attached the entire Get-MpPreference output as a text file for your reference.

The only setting I changed after running the script was to re-enable the Performance mode on Dev Drive using Set-MpPreference -PerformanceModeStatus Enabled. Reversing this didn't change anything.

How can I fix this issue on my machine?
mp_perference.txt
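An added example (not part of the bug report or the project) that reads the Defender preferences controlling whether local administrators may see exclusions and reports, per exclusion list, whether the value is real data or the "N/A: Administrators are not allowed to view exclusions" marker quoted above. HideExclusionsFromLocalAdmins and HideExclusionsFromLocalUsers are documented Set-MpPreference parameters on current Defender platforms; on older platforms the properties are absent and show as blank here.

```powershell
# Added example, not from the Harden-Windows-Security module. Assumes an elevated session.
#Requires -RunAsAdministrator

$Pref = Get-MpPreference

# Settings that decide who may read exclusion lists locally.
[pscustomobject]@{
    HideExclusionsFromLocalAdmins = $Pref.HideExclusionsFromLocalAdmins
    HideExclusionsFromLocalUsers  = $Pref.HideExclusionsFromLocalUsers
    DisableLocalAdminMerge        = $Pref.DisableLocalAdminMerge
    TamperProtection              = (Get-MpComputerStatus).IsTamperProtected
} | Format-List

# When a list is hidden, Get-MpPreference returns an 'N/A: ...' string in place of the array.
$ExclusionProps = 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension',
                  'ExclusionIpAddress', 'ControlledFolderAccessAllowedApplications',
                  'ControlledFolderAccessProtectedFolders'

function Get-ExclusionVisibility {
    param([object]$Preference, [string[]]$Names)
    foreach ($Name in $Names) {
        $Value  = $Preference.$Name
        $Masked = ($Value -is [string]) -and ($Value -like 'N/A:*')
        [pscustomobject]@{
            Setting = $Name
            Visible = -not $Masked
            Count   = if ($Masked) { $null } else { @($Value).Count }
            Note    = if ($Masked) { $Value } else { '' }
        }
    }
}

Get-ExclusionVisibility -Preference $Pref -Names $ExclusionProps | Format-Table -AutoSize

# If HideExclusionsFromLocalAdmins is $true and is set locally (not enforced by Group Policy
# or tamper protection), the following reverses it. Hiding exclusions from local admins is a
# deliberate hardening choice: it stops malware running as admin from learning which paths
# and processes Defender skips, so weigh that before turning it back off.
# Set-MpPreference -HideExclusionsFromLocalAdmins $false
```

A value that remains hidden after the local change points at a policy-backed setting, which is visible in the Windows Defender Antivirus Group Policy node rather than in Set-MpPreference.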

[Bug]: Allow Grace Period for OS Version Requirement Check

Tools category

Harden Windows Security Script

Does your system meet the requirements?

  • Yes, my system meets the requirements 👍

Please explain the bug

The script mandates users to have the latest version of Windows installed. However, it's a known fact that Windows doesn't consistently distribute updates to all users at the same time. There can be delays for some users without any apparent reason. For instance, across my four devices, I consistently encounter this error:

Write-Error: You're not using the latest build of the Windows OS. A minimum build of 22621.2215 is required but your OS build is 22621.2134. Please go to Windows Update to install the updates and then try again.

image

To account for these Windows update inconsistencies, I recommend introducing a grace period in the script's requirements. For instance, permitting Windows builds that are outdated for up to 2 weeks would be more accommodating for users who haven't received the latest update yet.
