Miscellaneous Configurations | Harden System Security

• Sets Early launch antimalware engine's status to 8 which is Good only. The default value is 3, which allows good, unknown and 'bad but critical'. that is the default value, because setting it to 8 can prevent your computer from booting if the driver it relies on is critical but at the same time unknown or bad. CSP

  • By being launched first by the kernel, ELAM is ensured to be launched before any third-party software and is therefore able to detect malware in the boot process and prevent it from initializing. ELAM drivers must be specially signed by Microsoft to ensure they are started by the Windows kernel early in the boot process.

• Disables location services (Location, Windows Location Provider, Location Scripting) system wide. Websites and apps won't be able to use your precise location, however they will still be able to detect your location using your IP address. CSP CSP CSP

• Enables svchost.exe mitigations. built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them. These stricter security policies include a policy requiring all binaries loaded in these processes to be signed by Microsoft, and a policy disallowing dynamically generated code. CSP

  • Requires Business Windows licenses. e.g., Windows 11 pro for Workstations, Enterprise or Education.

• Turns on Enhanced mode search for Windows indexer. The default is classic mode. CSP
  • This causes some UI elements in the search settings in Windows settings to become unavailable for Standard user accounts to view, because it will be a managed feature by an Administrator.

• Enforce the Administrator role for adding printer drivers CSP

• Enables SMB/LDAP Signing CSP CSP

• Enables Edge browser (stable/beta/dev channels) to download and install updates on any network, metered or not; because the updates are important and should not be suppressed.

• Enables all Windows users to use Hyper-V and Windows Sandbox by adding all Windows users to the "Hyper-V Administrators" security group using its SID. By default, only Administrators can use Hyper-V or Windows Sandbox.

• Creates custom views for Windows Event Viewer to help keep tabs on important security events:

  • Attack Surface Reduction Rules

  • Controlled Folder Access

  • Exploit Protection

  • Network Protection

  • MSI and Scripts for App Control Auditing

  • Sudden Shut down events (due to power outage)

  • Code Integrity Operational

  • Restarts (By user or by the System/Apps)

  • Workstation Locks and Unlocks

  • Checks to make sure Other Logon/Logoff Events Audit is active CSP

  • Failed Login attempts via PIN at lock screen

    • Error/Status code 0xC0000064 indicates wrong PIN entered at lock screen

  • USB storage Connects & Disconnects (Flash drives, phones etc.)

• Enables WinVerifyTrust Signature Validation, a security feature related to WinVerifyTrust function that handles Windows Authenticode signature verification for portable executable (PE) files.

• Enables Command line process auditing. CSP

• Enables a policy that requests claims and compound authentication for Dynamic Access Control and Kerberos armoring. CSP

• Enables Windows Protected Print. CSP

• Configures the SSH client's configurations to use the following secure MACs (Message Authentication Codes): MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com.

• Enables support for long paths.

• Force strong key protection for user keys stored on the computer. User is prompted when the key is first used.

• Reduced Telemetry. This sub-category applies all of the policies mentioned below. They do not have any effect on security.

• Disable Online Tips. CSP

• Disable Find My Device feature. CSP

• Disable Automatic Update of Speech Data. CSP

• Turn off the advertising ID. CSP

• Turn off cloud optimized content. CSP

• Do not show Windows tips. CSP

• Do not show feedback notifications. CSP

• Turn off Automatic Download and Update of Map Data. CSP

• Disable Message Service Cloud Sync for cellular text messages. CSP

• Disable support for web-to-app linking with app URI handlers. CSP

• Disable "Continue experiences on this device" feature. CSP

• Disable Font Providers. CSP

• Don't search the web or display web results in Search. CSP

• Do not allow web search. More Info