Created
March 11, 2021 10:06
-
-
Save danmansfield/af6331b3ca9eb7675aa16f8ed079666c to your computer and use it in GitHub Desktop.
Manages various security settings through local group policy, without the need for a domain controller or Azure AD. Allows for central management of Windows Defender when combined with event ID monitoring from your RMM of choice. Errors are also written to the event log for monitoring purposes.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .SYNOPSIS | |
| Configures Windows Defender and various security settings. | |
| .DESCRIPTION | |
| This script uses the PolicyFileEditor PowerShell Module to manage local group policy settings of Windows Defender and various other OS security related settings. | |
| .EXAMPLE | |
| ./WindowsSecurityBaseline.ps1 -ASRMode 2 | |
| .LINK | |
| Required PowerShell Module: https://www.powershellgallery.com/packages/PolicyFileEditor | |
| Group Policy Registry Lookup: https://gpsearch.azurewebsites.net/ | |
| User Account Control: https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings | |
| Windows Defender ASR: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction | |
| Windows Defender ASR Events: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/event-views | |
| .NOTES | |
| Version: 1.1 | |
| Author: Aaron J. Stevenson | |
| Creation Date: 3/2021 | |
| #> | |
| Param ( | |
| [Parameter(Mandatory=$true)] | |
| [ValidateSet('0','1','2')] | |
| [string]$ASRMode = '2', # 0 (Off), 1 (Block), or 2 (Audit) | |
| [ValidateSet('0','1')] | |
| [string]$FirewallState = '1', # 0 (Off), 1 (On) - Applies to all profiles | |
| [switch]$Reset # True clears existing local policies | |
| ) | |
| # Setup Event Log and error action preference for error handling and monitoring | |
| $ErrorActionPreference = 'Stop' | |
| $EventLog = 'Company Name' # Suggest to replace with your company name. | |
| $EventID = 1501 # Suggest to replace with Event ID relevant to you. | |
| if ( !($(Get-EventLog -List).Log.Contains($EventLog))) {New-EventLog -source $EventLog -LogName $EventLog} | |
| # Download and install group policy templates | |
| $DownloadURL = 'https://redlettertech.s3.wasabisys.com/public/policy-templates.zip' # Please host somewhere you trust! | |
| $PolicyTemplates = ($env:temp + '\policy-templates.zip') | |
| $LocalPolicyStore = ($env:SystemRoot + '\PolicyDefinitions') | |
| try { | |
| Write-Output "`nDownloading group policy templates..." | |
| Invoke-WebRequest -Uri $DownloadURL -OutFile $PolicyTemplates | |
| Write-Output "Importing templates into local policy store...`n" | |
| Expand-Archive -Path $PolicyTemplates -DestinationPath $LocalPolicyStore -Force | |
| } | |
| catch{ | |
| $EventMessage = @" | |
| Local Policy Management Script: Error downloading / installing group policy templates. `n | |
| $Error | |
| "@ | |
| Write-EventLog -LogName $EventLog -Source $EventLog -EventId $EventID -EntryType Error -Message $EventMessage | |
| throw $Error | |
| } | |
| # Install NuGet package provider | |
| Write-Output "`nChecking for NuGet package provider..." | |
| try { | |
| if (!(Get-PackageProvider -ListAvailable -Name NuGet -ErrorAction Ignore)) { | |
| Write-Output "Installing NuGet package provider..." | |
| Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force | |
| } | |
| else { | |
| Write-Output "NuGet package provider already installed." | |
| } | |
| } | |
| catch{ | |
| $EventMessage = @" | |
| Local Policy Management Script: Error installing NuGet package provider. `n | |
| $Error | |
| "@ | |
| Write-EventLog -LogName $EventLog -Source $EventLog -EventId $EventID -EntryType Error -Message $EventMessage | |
| throw $Error | |
| } | |
| # Set PSGallery to trusted repository | |
| Write-Output "`nAdding PowerShell Gallery to trusted repositories...`n" | |
| Set-PSRepository -Name 'PSGallery' -InstallationPolicy Trusted | |
| # Install PolicyFileEditor Module | |
| Write-Output "Checking for PolicyFileEditor module..." | |
| try { | |
| if (!(Get-Module -ListAvailable -Name PolicyFileEditor -ErrorAction Ignore)) { | |
| Write-Output "Installing PolicyFileEditor module..." | |
| Install-Module -Name PolicyFileEditor -Force | |
| } | |
| else { | |
| Write-Output "PolicyFileEditor Module already installed." | |
| } | |
| } | |
| catch{ | |
| $EventMessage = @" | |
| Local Policy Management Script: Error installing PolicyFileEditor module. `n | |
| $Error | |
| "@ | |
| Write-EventLog -LogName $EventLog -Source $EventLog -EventId $EventID -EntryType Error -Message $EventMessage | |
| throw $Error | |
| } | |
| # Import PolicyFileEditor Module | |
| Write-Output "Importing PolicyFileEditor Module...`n" | |
| Import-Module PolicyFileEditor | |
| # Reset local policies if specified | |
| if ($Reset) { | |
| try{ | |
| Write-Output "Clearing existing local policies...`n" | |
| $PolicyFiles = $env:SystemRoot + '\System32\GroupPolicy' | |
| $UserPolicyFiles = $env:SystemRoot + '\System32\GroupPolicyUsers' | |
| Remove-Item -Path $PolicyFiles -Recurse -Force | |
| Remove-Item -Path $UserPolicyFiles -Recurse -Force | |
| } | |
| catch { | |
| $EventMessage = @" | |
| Local Policy Management Script: Error clearing existing local policies. `n | |
| $Error | |
| "@ | |
| Write-EventLog -LogName $EventLog -Source $EventLog -EventId $EventID -EntryType Error -Message $EventMessage | |
| } | |
| } | |
| # Configure auditing of various events | |
| try{ | |
| Write-Output "Setting auditing policies..." | |
| Auditpol /set /category:"Logon/Logoff" /Success:enable /Failure:enable | |
| Auditpol /set /category:"Account Logon" /Success:enable /Failure:enable | |
| Auditpol /set /category:"Account Management" /Success:enable /Failure:enable | |
| Auditpol /set /category:"DS Access" /Failure:enable | |
| Auditpol /set /category:"System" /Failure:enable | |
| } | |
| catch { | |
| $EventMessage = @" | |
| Local Policy Management Script: Error applying audit policies. `n | |
| $Error | |
| "@ | |
| Write-EventLog -LogName $EventLog -Source $EventLog -EventId $EventID -EntryType Error -Message $EventMessage | |
| throw $Error | |
| } | |
| # Default Search URLs for browser policies | |
| $DefaultSearchURL = '{google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}ie={inputEncoding}' | |
| $DefaultSuggestURL = '{google:baseURL}complete/search?output=chrome&q={searchTerms}' | |
| # Computer policy file entries | |
| $aryComputerPolicies = @( | |
| # Autoplay / AutoRun Policies | |
| [PSCustomObject]@{Key='Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; ValueName='NoAutorun'; Data='1'; Type='Dword'} # Disable Autorun | |
| [PSCustomObject]@{Key='Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; ValueName='NoDriveTypeAutoRun'; Data='255'; Type='Dword'} # Disable Autoplay on all drives | |
| # SmartScreen Policies | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows\System'; ValueName='EnableSmartScreen'; Data='1'; Type='Dword'} # Enable SmartScreen in Explorer | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows\System'; ValueName='ShellSmartScreenLevel'; Data='Warn'; Type='String'} # Set SmartScreen level in Explorer to Warn | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter'; ValueName='EnabledV9'; Data='1'; Type='Dword'} # Enable SmartScreen in Microsoft Edge (Old) | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter'; ValueName='PreventOverride'; Data='1'; Type='Dword'} # Prevent SmartScreen bypass in Microsoft Edge (Old) | |
| # Storage Sense Policies | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows\StorageSense'; ValueName='AllowStorageSenseGlobal'; Data='1'; Type='Dword'} # Enable Storage Sense | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows\StorageSense'; ValueName='AllowStorageSenseTemporaryFilesCleanup'; Data='1'; Type='Dword'} # Clean temp files | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows\StorageSense'; ValueName='ConfigStorageSenseGlobalCadence'; Data='7'; Type='Dword'} # Clean weekly | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows\StorageSense'; ValueName='ConfigStorageSenseCloudContentDehydrationThreshold'; Data='30'; Type='Dword'} # Unsync cloud content > 30 days | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows\StorageSense'; ValueName='ConfigStorageSenseRecycleBinCleanupThreshold'; Data='30'; Type='Dword'} # Clean recycle bin > 30 days | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows\StorageSense'; ValueName='ConfigStorageSenseDownloadsCleanupThreshold'; Data='30'; Type='Dword'} # Clean downloads > 30 days | |
| # User Account Control Policies | |
| [PSCustomObject]@{Key='Software\Microsoft\Windows\CurrentVersion\Policies\System'; ValueName='FilterAdministratorToken'; Data='1'; Type='Dword'} # Enable Admin Approval Mode for the built-in Administrator account | |
| [PSCustomObject]@{Key='Software\Microsoft\Windows\CurrentVersion\Policies\System'; ValueName='EnableUIADesktopToggle'; Data='0'; Type='Dword'} # Disable UIAccess applications to prompt for elevation without using the secure desktop | |
| [PSCustomObject]@{Key='Software\Microsoft\Windows\CurrentVersion\Policies\System'; ValueName='ConsentPromptBehaviorAdmin'; Data='2'; Type='Dword'} # Behavior of the elevation prompt for administrators in Admin Approval Mode | |
| [PSCustomObject]@{Key='Software\Microsoft\Windows\CurrentVersion\Policies\System'; ValueName='ConsentPromptBehaviorUser'; Data='3'; Type='Dword'} # Behavior of the elevation prompt for standard users | |
| [PSCustomObject]@{Key='Software\Microsoft\Windows\CurrentVersion\Policies\System'; ValueName='EnableInstallerDetection'; Data='1'; Type='Dword'} # Detect application installations and prompt for elevation | |
| [PSCustomObject]@{Key='Software\Microsoft\Windows\CurrentVersion\Policies\System'; ValueName='ValidateAdminCodeSignatures'; Data='0'; Type='Dword'} # Only elevate executables that are signed and validated | |
| [PSCustomObject]@{Key='Software\Microsoft\Windows\CurrentVersion\Policies\System'; ValueName='EnableSecureUIAPaths'; Data='1'; Type='Dword'} # Only elevate UIAccess applications that are installed in secure locations | |
| [PSCustomObject]@{Key='Software\Microsoft\Windows\CurrentVersion\Policies\System'; ValueName='EnableLUA'; Data='1'; Type='Dword'} # Run all administrators in Admin Approval Mode | |
| [PSCustomObject]@{Key='Software\Microsoft\Windows\CurrentVersion\Policies\System'; ValueName='PromptOnSecureDesktop'; Data='1'; Type='Dword'} # Switch to the secure desktop when prompting for elevation | |
| [PSCustomObject]@{Key='Software\Microsoft\Windows\CurrentVersion\Policies\System'; ValueName='EnableVirtualization'; Data='1'; Type='Dword'} # Virtualize file and registry write failures to per-user locations | |
| # Windows Update Policies | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows\WindowsUpdate'; ValueName='UpdateNotificationLevel'; Data='1'; Type='Dword'} # Disable update notifications excluding restart warnings | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows\WindowsUpdate'; ValueName='AUPowerManagement'; Data='1'; Type='Dword'} # Allow wake up for update installation | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows\WindowsUpdate'; ValueName='SetDisablePauseUXAccess'; Data='1'; Type='Dword'} # Remove access to "Pause updates" feature | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows\WindowsUpdate\AU'; ValueName='NoAutoUpdate'; Data='0'; Type='Dword'} # Enable automatic updates | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows\WindowsUpdate\AU'; ValueName='AutoInstallMinorUpdates'; Data='1'; Type='Dword'} # Enable automatic updates immediate installation | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows\WindowsUpdate\AU'; ValueName='AUOptions'; Data='4'; Type='Dword'} # Auto download and schedule the install | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows\WindowsUpdate\AU'; ValueName='IncludeRecommendedUpdates'; Data='1'; Type='Dword'} # Include recommended updates | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows\WindowsUpdate\AU'; ValueName='DetectionFrequencyEnabled'; Data='1'; Type='Dword'} # Enable custom update detection frequency | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows\WindowsUpdate\AU'; ValueName='DetectionFrequency'; Data='12'; Type='Dword'} # Set detection frequency to 12 hours | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows\WindowsUpdate\AU'; ValueName='ScheduledInstallDay'; Data='0'; Type='Dword'} # Install updates everyday | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows\WindowsUpdate\AU'; ValueName='ScheduledInstallTime'; Data='24'; Type='Dword'} # Automatically choose install time | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows\WindowsUpdate'; ValueName='SetActiveHours'; Data='1'; Type='Dword'} # Set active hours | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows\WindowsUpdate'; ValueName='ActiveHoursStart'; Data='6'; Type='Dword'} # Set active hours start time to 6AM | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows\WindowsUpdate'; ValueName='ActiveHoursEnd'; Data='22'; Type='Dword'} # Set active hours end time to 10PM | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\WindowsStore\WindowsUpdate'; ValueName='AutoDownload'; Data='4'; Type='Dword'} # Enable auto download and install of Microsoft Store App updates | |
| # Windows Defender Policies | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\UX Configuration'; ValueName='UILockdown'; Data='0'; Type='Dword'} # Enable Defender AV UI | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender'; ValueName='PUAProtection'; Data='1'; Type='Dword'} # Block potentially unwanted programs/apps | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender'; ValueName='DisableRoutinelyTakingAction'; Data='0'; Type='Dword'} # Enable automated remediation | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Real-Time Protection'; ValueName='DisableRealtimeMonitoring'; Data='0'; Type='Dword'} # Enable real-time protection | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Real-Time Protection'; ValueName='DisableBehaviorMonitoring'; Data='0'; Type='Dword'} # Enable behavior monitoring | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Real-Time Protection'; ValueName='DisableInformationProtectionControl'; Data='0'; Type='Dword'} # Enable information protection control | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Real-Time Protection'; ValueName='DisableIntrusionPreventionSystem'; Data='0'; Type='Dword'} # Enable intrusion prevention system | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Real-Time Protection'; ValueName='DisableScanOnRealtimeEnable'; Data='0'; Type='Dword'} # Scan when Defender is enabled | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Real-Time Protection'; ValueName='DisableOnAccessProtection'; Data='0'; Type='Dword'} # Monitor file/program activity | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Real-Time Protection'; ValueName='DisableIOAVProtection'; Data='0'; Type='Dword'} # Scan downloaded files/attachments | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Real-Time Protection'; ValueName='RealtimeScanDirection'; Data='0'; Type='Dword'} # Monitor incoming/outgoing file activity | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Real-Time Protection'; ValueName='LocalSettingOverrideDisableOnAccessProtection'; Data='0'; Type='Dword'} # Prevent disabling on access protection | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Real-Time Protection'; ValueName='LocalSettingOverrideRealtimeScanDirection'; Data='0'; Type='Dword'} # Prevent disabling monitoring incoming/outgoing file activity | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Real-Time Protection'; ValueName='LocalSettingOverrideDisableIOAVProtection'; Data='0'; Type='Dword'} # Prevent disabling scanning downloaded files | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Real-Time Protection'; ValueName='LocalSettingOverrideDisableBehaviorMonitoring'; Data='0'; Type='Dword'} # Prevent disabling behavior monitoring | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Real-Time Protection'; ValueName='LocalSettingOverrideDisableIntrusionPreventionSystem'; Data='0'; Type='Dword'} # Prevent disabling intrusion prevention system | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Real-Time Protection'; ValueName='LocalSettingOverrideDisableRealtimeMonitoring'; Data='0'; Type='Dword'} # Prevent disabling real-time protection | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Scan'; ValueName='CheckForSignaturesBeforeRunningScan'; Data='1'; Type='Dword'} # Check for signature updates before scanning | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Scan'; ValueName='LowCpuPriority'; Data='1'; Type='Dword'} # Enable low CPU priority for scanning | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Scan'; ValueName='DisableRestorePoint'; Data='0'; Type='Dword'} # Create a restore point prior to cleaning | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Scan'; ValueName='DisableArchiveScanning'; Data='0'; Type='Dword'} # Scan archive files | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Scan'; ValueName='DisableScanningNetworkFiles'; Data='0'; Type='Dword'} # Scan network files | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Scan'; ValueName='DisablePackedExeScanning'; Data='0'; Type='Dword'} # Scan packed executables | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Scan'; ValueName='DisableRemovableDriveScanning'; Data='0'; Type='Dword'} # Scan removable drives | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Scan'; ValueName='ScheduleDay'; Data='1'; Type='Dword'} # Schedule scans on Sundays | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Scan'; ValueName='ScanParameters'; Data='2'; Type='Dword'} # Set scheduled scan type to full | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Scan'; ValueName='DisableCatchupFullScan'; Data='0'; Type='Dword'} # Enable catch-up full scans | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Scan'; ValueName='DisableCatchupQuickScan'; Data='0'; Type='Dword'} # Enable catch-up quick scans | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Scan'; ValueName='DisableEmailScanning'; Data='0'; Type='Dword'} # Scan emails | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Scan'; ValueName='DisableHeuristics'; Data='0'; Type='Dword'} # Enable heuristics | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Signature Updates'; ValueName='ForceUpdateFromMU'; Data='1'; Type='Dword'} # Download updates from Microsoft Update | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Signature Updates'; ValueName='UpdateOnStartUp'; Data='1'; Type='Dword'} # Update on startup | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Signature Updates'; ValueName='RealtimeSignatureDelivery'; Data='1'; Type='Dword'} # Enable realtime signature update | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Spynet'; ValueName='SpynetReporting'; Data='2'; Type='Dword'} # Join Microsoft MAPS | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Spynet'; ValueName='SubmitSamplesConsent'; Data='1'; Type='Dword'} # Send safe file samples to MAPS | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access'; ValueName='EnableControlledFolderAccess'; Data='2'; Type='Dword'} # Enable Controlled Folder Access (audit) | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection'; ValueName='EnableNetworkProtection'; Data='1'; Type='Dword'} # Block dangerous websites | |
| # Windows Defender (ASR) Policies | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR'; ValueName='ExploitGuard_ASR_Rules'; Data='1'; Type='Dword'} # Enable ASR | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'; ValueName='7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c'; Data=$ASRMode; Type='String'} # Block Adobe Reader from creating child processes | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'; ValueName='D4F940AB-401B-4EFC-AADC-AD5F3C50688A'; Data=$ASRMode; Type='String'} # Block all Office applications from creating child processes | |
| # [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'; ValueName='9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'; Data=$ASRMode; Type='String'} # Block credential stealing from the Windows local security authority subsystem (lsass.exe) | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'; ValueName='BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'; Data=$ASRMode; Type='String'} # Block executable content from email client and webmail | |
| # [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'; ValueName='01443614-cd74-433a-b99e-2ecdc07bfc25'; Data=$ASRMode; Type='String'} # Block executable files from running unless they meet a prevalence, age, or trusted list criterion | |
| # [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'; ValueName='5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'; Data=$ASRMode; Type='String'} # Block execution of potentially obfuscated scripts | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'; ValueName='D3E037E1-3EB8-44C8-A917-57927947596D'; Data=$ASRMode; Type='String'} # Block JavaScript or VBScript from launching downloaded executable content | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'; ValueName='3B576869-A4EC-4529-8536-B80A7769E899'; Data=$ASRMode; Type='String'} # Block Office applications from creating executable content | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'; ValueName='75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'; Data=$ASRMode; Type='String'} # Block Office applications from injecting code into other processes | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'; ValueName='26190899-1602-49e8-8b27-eb1d0a1ce869'; Data=$ASRMode; Type='String'} # Block Office communication application from creating child processes | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'; ValueName='e6db77e5-3df2-4cf1-b95a-636979351e5b'; Data=$ASRMode; Type='String'} # Block persistence through WMI event subscription | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'; ValueName='d1e49aac-8f56-4280-b9ba-993a6d77406c'; Data=$ASRMode; Type='String'} # Block process creations originating from PSExec and WMI commands | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'; ValueName='b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'; Data=$ASRMode; Type='String'} # Block untrusted and unsigned processes that run from USB | |
| # [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'; ValueName='92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'; Data=$ASRMode; Type='String'} # Block Win32 API calls from Office macros | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'; ValueName='c1db55ab-c21a-4637-bb3f-a12568109d35'; Data=$ASRMode; Type='String'} # Use advanced protection against ransomware | |
| # Windows Defender Firewall Profiles | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\WindowsFirewall\DomainProfile'; ValueName='EnableFirewall'; Data=$FirewallState; Type='Dword'} # Enable Domain profile | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\WindowsFirewall\PrivateProfile'; ValueName='EnableFirewall'; Data=$FirewallState; Type='Dword'} # Enable Private profile | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\WindowsFirewall\PublicProfile'; ValueName='EnableFirewall'; Data=$FirewallState; Type='Dword'} # Enable Public profile | |
| # Microsoft Edge Policies | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Edge'; ValueName='AutoplayAllowed'; Data='0'; Type='Dword'} # Disable media autoplay | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Edge'; ValueName='BackgroundModeEnabled'; Data='0'; Type='Dword'} # Disable background mode | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Edge'; ValueName='ConfigureDoNotTrack'; Data='1'; Type='Dword'} # Enable Do Not Track | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Edge'; ValueName='ForceBingSafeSearch'; Data='1'; Type='Dword'} # Enable Bing Safe Search (Moderate) | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Edge'; ValueName='ForceGoogleSafeSearch'; Data='1'; Type='Dword'} # Enable Google SafeSearch | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Edge'; ValueName='DefaultNotificationsSetting'; Data='2'; Type='Dword'} # Disable desktop notifications | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Edge'; ValueName='DefaultSearchProviderEnabled'; Data='1'; Type='Dword'} # Enable default search provider | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Edge'; ValueName='DefaultSearchProviderSearchURL'; Data=$DefaultSearchURL; Type='String'} # Set default search provider | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Edge'; ValueName='DefaultSearchProviderSuggestURL'; Data=$DefaultSuggestURL; Type='String'} # Set default suggestion provider | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Edge'; ValueName='ProxySettings'; Data='{"ProxyMode": "direct", "ProxyPacUrl": "", "ProxyServer": "", "ProxyBypassList": ""}'; Type='String'} # Disable Proxy Servers | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Edge'; ValueName='SmartScreenEnabled'; Data='1'; Type='Dword'} # Enable SmartScreen | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Edge'; ValueName='SmartScreenPuaEnabled'; Data='1'; Type='Dword'} # Block PUAs/PUPs | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Edge'; ValueName='PreventSmartScreenPromptOverride'; Data='1'; Type='Dword'} # Prevent SmartScreen bypass | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Edge\URLAllowlist'; ValueName='101'; Data='st-rmm://*'; Type='String'} # Add Splashtop RMM protocol handler | |
| # Microsoft Edge Extension Policies | |
| # Microsoft Extension lookup URL: https://microsoftedge.microsoft.com/addons/detail/[ID] | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Edge\ExtensionInstallBlocklist'; ValueName='1'; Data='*'; Type='String'} # Prevent installation of extensions not explicitly allowed | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Edge\ExtensionInstallAllowlist'; ValueName='101'; Data='mpfckamfocjknfipmpjdkkebpnieooca'; Type='String'} # Allow Keeper | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Edge\ExtensionInstallAllowlist'; ValueName='102'; Data='gggmmkjegpiggikcnhidnjjhmicpibll'; Type='String'} # Allow Microsoft Office | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Edge\ExtensionInstallAllowlist'; ValueName='103'; Data='ghbmnnjooekpmoecnnnilnnbdlolhkhi'; Type='String'} # Allow Google Docs Offline (Chrome Extension) | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Edge\ExtensionInstallAllowlist'; ValueName='104'; Data='mlhdnjepakdfdaabohjgegnomlgeejep'; Type='String'} # Allow IT Glue (Chrome Extension) | |
| [PSCustomObject]@{Key='Software\Policies\Microsoft\Edge\ExtensionInstallAllowlist'; ValueName='105'; Data='hmpigflbjeapnknladcfphgkemopofig'; Type='String'} # Allow Ubiquiti Device Discovery Tool (Chrome Extension) | |
| # [PSCustomObject]@{Key='Software\Policies\Microsoft\Edge\ExtensionInstallForcelist'; ValueName='101'; Data='extension_ID'; Type='String'} # Example entry to force install an extension | |
| # Google Chrome Policies | |
| [PSCustomObject]@{Key='Software\Policies\Google\Chrome'; ValueName='AutoplayAllowed'; Data='0'; Type='Dword'} # Disable media autoplay | |
| [PSCustomObject]@{Key='Software\Policies\Google\Chrome'; ValueName='BackgroundModeEnabled'; Data='0'; Type='Dword'} # Disable background mode | |
| [PSCustomObject]@{Key='Software\Policies\Google\Chrome'; ValueName='ConfigureDoNotTrack'; Data='1'; Type='Dword'} # Enable Do Not Track | |
| [PSCustomObject]@{Key='Software\Policies\Google\Chrome'; ValueName='ForceGoogleSafeSearch'; Data='1'; Type='Dword'} # Enable Google SafeSearch | |
| [PSCustomObject]@{Key='Software\Policies\Google\Chrome'; ValueName='DefaultNotificationsSetting'; Data='2'; Type='Dword'} # Disable desktop notifications | |
| [PSCustomObject]@{Key='Software\Policies\Google\Chrome'; ValueName='DefaultSearchProviderEnabled'; Data='1'; Type='Dword'} # Enable default search provider | |
| [PSCustomObject]@{Key='Software\Policies\Google\Chrome'; ValueName='DefaultSearchProviderSearchURL'; Data=$DefaultSearchURL; Type='String'} # Set default search provider | |
| [PSCustomObject]@{Key='Software\Policies\Google\Chrome'; ValueName='DefaultSearchProviderSuggestURL'; Data=$DefaultSuggestURL; Type='String'} # Set default suggestion provider | |
| [PSCustomObject]@{Key='Software\Policies\Google\Chrome'; ValueName='ProxyMode'; Data='direct'; Type='String'} # Disable proxy servers | |
| [PSCustomObject]@{Key='Software\Policies\Google\Chrome'; ValueName='SafeBrowsingEnabled'; Data='1'; Type='Dword'} # Enable SafeBrowsing | |
| [PSCustomObject]@{Key='Software\Policies\Google\Chrome'; ValueName='DisableSafeBrowsingProceedAnyway'; Data='1'; Type='Dword'} # Prevent SafeBrowsing bypass | |
| [PSCustomObject]@{Key='Software\Policies\Google\Chrome'; ValueName='SafeSitesFilterBehavior'; Data='1'; Type='Dword'} # Filter adult content | |
| [PSCustomObject]@{Key='Software\Policies\Google\Chrome\URLAllowlist'; ValueName='101'; Data='st-rmm://*'; Type='String'} # Add Splashtop RMM protocol handler | |
| # Google Chrome Extension Policies | |
| # Chrome Extension lookup URL: https://chrome.google.com/webstore/detail/[ID] | |
| [PSCustomObject]@{Key='Software\Policies\Google\Chrome\ExtensionInstallBlocklist'; ValueName='1'; Data='*'; Type='String'} # Prevent installation of extensions not explicitly allowed | |
| [PSCustomObject]@{Key='Software\Policies\Google\Chrome\ExtensionInstallAllowlist'; ValueName='101'; Data='bfogiafebfohielmmehodmfbbebbbpei'; Type='String'} # Allow Keeper | |
| [PSCustomObject]@{Key='Software\Policies\Google\Chrome\ExtensionInstallAllowlist'; ValueName='102'; Data='hehijbfgiekmjfkfjpbkbammjbdenadd'; Type='String'} # Allow IE Tab | |
| [PSCustomObject]@{Key='Software\Policies\Google\Chrome\ExtensionInstallAllowlist'; ValueName='103'; Data='ghbmnnjooekpmoecnnnilnnbdlolhkhi'; Type='String'} # Allow Google Docs Offline | |
| [PSCustomObject]@{Key='Software\Policies\Google\Chrome\ExtensionInstallAllowlist'; ValueName='104'; Data='mlhdnjepakdfdaabohjgegnomlgeejep'; Type='String'} # Allow IT Glue | |
| [PSCustomObject]@{Key='Software\Policies\Google\Chrome\ExtensionInstallAllowlist'; ValueName='105'; Data='hmpigflbjeapnknladcfphgkemopofig'; Type='String'} # Allow Ubiquiti Device Discovery Tool | |
| # [PSCustomObject]@{Key='Software\Policies\Google\Chrome\ExtensionInstallForcelist'; ValueName='101'; Data='extension_ID'; Type='String'} # Example entry to force install an extension | |
| ) | |
| # User policy file entries | |
| $aryUserPolicies = @( | |
| ) | |
| # Set local computer policies | |
| try{ | |
| Write-Output "`nSetting local computer policies..." | |
| $ComputerPolicyFile = ($env:SystemRoot + '\System32\GroupPolicy\Machine\registry.pol') | |
| foreach ($oComputerPolicy in $aryComputerPolicies) { | |
| Set-PolicyFileEntry -Path $ComputerPolicyFile -Key $oComputerPolicy.Key -ValueName $oComputerPolicy.ValueName -Data $oComputerPolicy.Data -Type $oComputerPolicy.Type | |
| } | |
| } | |
| catch { | |
| $EventMessage = @" | |
| Local Policy Management Script: Error setting local computer policies. `n | |
| $Error | |
| "@ | |
| Write-EventLog -LogName $EventLog -Source $EventLog -EventId $EventID -EntryType Error -Message $EventMessage | |
| throw $Error | |
| } | |
| # Set local user policies | |
| try{ | |
| Write-Output "Setting local user policies..." | |
| $UserPolicyFile = ($env:SystemRoot + '\System32\GroupPolicy\User\registry.pol') | |
| foreach ($oUserPolicy in $aryUserPolicies) { | |
| Set-PolicyFileEntry -Path $UserPolicyFile -Key $oUserPolicy.Key -ValueName $oUserPolicy.ValueName -Data $oUserPolicy.Data -Type $oUserPolicy.Type | |
| } | |
| } | |
| catch { | |
| $EventMessage = @" | |
| Local Policy Management Script: Error setting local user policies. `n | |
| $Error | |
| "@ | |
| Write-EventLog -LogName $EventLog -Source $EventLog -EventId $EventID -EntryType Error -Message $EventMessage | |
| throw $Error | |
| } | |
| # Apply group policies | |
| try { | |
| gpupdate /force /wait:0 | |
| } | |
| catch{ | |
| $EventMessage = @" | |
| Local Policy Management Script: Error applying local policy updates. `n | |
| $Error | |
| "@ | |
| $EventMessage = 'Local Policy Management `n' + 'Error applying local user policies. `n' + $Error | |
| Write-EventLog -LogName $EventLog -Source $EventLog -EventId $EventID -EntryType Error -Message $EventMessage | |
| throw $Error | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment