<#
.SYNOPSIS
Applies DISA stigs for Windows 10
.DESCRIPTION
Applies DISA stigs for Windows 10
Utilizes LGPO.exe to apply group policy items where necessary.
Utilizes MDT/SCCM TaskSequence property control
Configurable using custom variables in MDT/SCCM
.EXAMPLE
powershell.exe -ExecutionPolicy Bypass -file "Win10STIGAndMitigations.ps1"
.INFO
Script: Win10STIGAndMitigations.ps1
Author: Richard Tracy
Email: [email protected]
Twitter: @rick2_1979
Website: www.powershellcrack.com
Last Update: 06/18/2019
Version: 2.1.6
Thanks to: unixuser011,W4RH4WK,TheVDIGuys,cluberti,JGSpiers
.DISCLOSURE
THE SCRIPT IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. BY USING OR DISTRIBUTING THIS SCRIPT, YOU AGREE THAT IN NO EVENT
SHALL RICHARD TRACY OR ANY AFFILIATES BE HELD LIABLE FOR ANY DAMAGES WHATSOEVER RESULTING FROM USING OR DISTRIBUTION OF THIS SCRIPT, INCLUDING,
WITHOUT LIMITATION, ANY SPECIAL, CONSEQUENTIAL, INCIDENTAL OR OTHER DIRECT OR INDIRECT DAMAGES. BACK UP ALL DATA BEFORE PROCEEDING.
.PARAM
'// Global Settings
DisableSTIGScript
CFG_UseLGPOForConfigs
LGPOPath
'// VDI Preference
CFG_OptimizeForVDI
'// STIG Settings
CFG_ApplySTIGItems
CFG_ApplyEMETMitigations
.EXAMPLE
#Copy this to MDT CustomSettings.ini
Properties=CFG_UseLGPOForConfigs,LGPOPath,CFG_OptimizeForVDI,CFG_ApplySTIGItems,CFG_ApplyEMETMitigations
#Then add each option to a priority specifically for your use, like:
[Default]
CFG_OptimizeForVDI=False
CFG_ApplySTIGItems=True
CFG_ApplyEMETMitigations=True
#Add script to task sequence
.LOGS
2.1.6 - Jun 18, 2019 - Added more info page, change Get-SMSTSENV warning to verbose message
2.1.5 - May 30, 2019 - defaulted reg type to DWord if not specified, standardized registry key capitalization
2.1.4 - May 28, 2019 - fixed set-usersettings default users,resolved all VSC problems
2.1.3 - May 28, 2019 - fixed Get-SMSTSENV log path
2.1.2 - May 15, 2019 - Added Get-ScriptPath function to support VScode and ISE; fixed Set-UserSettings
2.1.1 - May 10, 2019 - reorganized controls in categories
2.1.0 - Apr 17, 2019 - added Set-UserSetting function
2.0.0 - Apr 12, 2019 - added more Windows 10 settings check
1.5.0 - Mar 29, 2019 - added more options from theVDIGuys script
1.1.5 - Mar 13, 2019 - Fixed mitigations script and removed null outputs
1.1.0 - Mar 12, 2019 - Updated LGPO process as global variable and added param for it
1.0.0 - Nov 20, 2018 - split from config script
#>
##*===========================================================================
##* FUNCTIONS
##*===========================================================================
Function Test-IsISE {
    <#
    .SYNOPSIS
    Returns $true when the script is being run inside the PowerShell ISE.
    .DESCRIPTION
    Probes the $psISE automatic variable. The try/catch is there because under
    Set-StrictMode -Version Latest a reference to an undefined variable throws,
    and that situation simply means "not running in the ISE".
    .OUTPUTS
    System.Boolean
    #>
    $inIse = $false
    try {
        $inIse = ($null -ne $psISE)
    }
    catch {
        $inIse = $false
    }
    return $inIse
}
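Function Get-ScriptPath {
    <#
    .SYNOPSIS
    Returns the full path of the running script, also when hosted by the ISE or VS Code.
    .DESCRIPTION
    $PSScriptRoot is empty when a script body is executed from an editor rather than
    from a file, so the editor's own "current file" is used as a fallback: $psISE in
    the ISE, $psEditor (PowerShell Editor Services) in VS Code. When no editor
    context is available $null is returned instead of throwing a method call
    against an empty $psEditor.
    .OUTPUTS
    System.String (full path) or $null when it cannot be determined.
    #>
    # IsNullOrEmpty covers both the "" and the $null form of an unset $PSScriptRoot
    if ([string]::IsNullOrEmpty($PSScriptRoot))
    {
        if (Test-IsISE)
        {
            return $psISE.CurrentFile.FullPath
        }
        # VS Code / Editor Services exposes $psEditor; a plain console has neither editor object
        if ($null -ne $psEditor)
        {
            $context = $psEditor.GetEditorContext()
            return $context.CurrentFile.Path
        }
        return $null
    }
    else
    {
        # $PSCommandPath is the file being executed (not its directory)
        return $PSCommandPath
    }
}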
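Function Get-SMSTSENV{
    <#
    .SYNOPSIS
    Detects a ConfigMgr/MDT task sequence and returns its environment object or its log path.
    .DESCRIPTION
    Instantiates the Microsoft.SMS.TSEnvironment COM object. On success it is cached in
    $Script:tsenv (and the progress UI object in $Script:TSProgressUi); on failure
    $Script:tsenv is $null and the script is treated as running stand-alone.
    .PARAMETER ReturnLogPath
    Return the log folder (_SMSTSLogPath inside a task sequence, $env:Temp otherwise)
    instead of the environment object.
    .OUTPUTS
    System.String when -ReturnLogPath is given; otherwise the COM object, or $null.
    .NOTES
    [CmdletBinding()] was added: the body relies on $PSCmdlet and callers pass -Verbose,
    both of which need an advanced function. As a simple function $PSCmdlet was $null
    and the preference lookup in Begin failed on every call.
    #>
    [CmdletBinding()]
    param(
        [switch]$ReturnLogPath
    )
    Begin{
        ## Get the name of this function
        [string]${CmdletName} = $PSCmdlet.MyInvocation.MyCommand.Name
        # Inherit the caller's -Verbose setting unless it was given explicitly
        if (-not $PSBoundParameters.ContainsKey('Verbose')) {
            $VerbosePreference = $PSCmdlet.SessionState.PSVariable.GetValue('VerbosePreference')
        }
    }
    Process{
        If(${CmdletName}){$prefix = "${CmdletName} ::" }Else{$prefix = "" }
        try{
            # The COM object is only registered while a task sequence engine is running
            $Script:tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment
            Write-Verbose ("{0}Task Sequence environment detected!" -f $prefix)
        }
        catch{
            Write-Verbose ("{0}Task Sequence environment not detected. Running in stand-alone mode" -f $prefix)
            #set variable to null
            $Script:tsenv = $null
        }
        Finally{
            #set global Logpath
            if ($Script:tsenv){
                #grab the progress UI
                $Script:TSProgressUi = New-Object -ComObject Microsoft.SMS.TSProgressUI
                # Mirror every task sequence variable into a PowerShell variable.
                # NOTE(review): Set-Variable defaults to the current (function) scope, so these
                # copies are not visible to callers; the script reads $tsenv.Value() directly.
                $tsenv.GetVariables() | ForEach-Object { Set-Variable -Name "$_" -Value "$($tsenv.Value($_))" }
                # Log folder of the running task sequence, e.g. C:\WINDOWS\CCM\Logs\SMSTSLog
                # (MDT's "LogPath" variable, e.g. C:\MININT\SMSOSD\OSDLOGS, is not used here)
                [string]$LogPath = $tsenv.Value("_SMSTSLogPath")
            }
            Else{
                [string]$LogPath = $env:Temp
            }
        }
    }
    End{
        #If output log path if specified , otherwise output ts environment
        If($ReturnLogPath){
            return $LogPath
        }
        Else{
            return $Script:tsenv
        }
    }
}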
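Function Format-ElapsedTime($ts) {
    <#
    .SYNOPSIS
    Renders a [TimeSpan] as a short human-readable duration.
    .PARAMETER ts
    The [TimeSpan] to format.
    .OUTPUTS
    System.String, e.g. "01 hr. 02 min. 03.45 sec", "02 min. 03.45 sec", "03.45 sec" or "123 ms".
    .NOTES
    Sub-second spans are reported in whole milliseconds; anything at or above one second
    uses the sec/min/hr form. Compared with the previous revision, hours are no longer
    dropped and a span with exactly zero milliseconds (e.g. 5 s) no longer collapses to
    "5000 ms".
    #>
    # Hundredths of a second for the {n:00}.{m:00} form; Floor keeps it at two digits
    $hundredths = [int][math]::Floor($ts.Milliseconds / 10)
    # Whole hours including any day component
    $hours = [int][math]::Floor($ts.TotalHours)

    if ($ts.TotalSeconds -lt 1) {
        return [string]::Format("{0:0} ms", [math]::Floor($ts.TotalMilliseconds))
    }
    if ($hours -gt 0) {
        return [string]::Format("{0:00} hr. {1:00} min. {2:00}.{3:00} sec", $hours, $ts.Minutes, $ts.Seconds, $hundredths)
    }
    if ($ts.Minutes -gt 0) {
        return [string]::Format("{0:00} min. {1:00}.{2:00} sec", $ts.Minutes, $ts.Seconds, $hundredths)
    }
    return [string]::Format("{0:00}.{1:00} sec", $ts.Seconds, $hundredths)
}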
Function Format-DatePrefix{
    <#
    .SYNOPSIS
    Returns the current local date and time as "MM-dd-yyyy HH:mm:ss.fff" for use as a log prefix.
    .OUTPUTS
    System.String
    #>
    $now = Get-Date
    $datePart = $now.ToString('MM-dd-yyyy')
    $timePart = $now.ToString('HH:mm:ss.fff')
    return ("{0} {1}" -f $datePart, $timePart)
}
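Function Write-LogEntry{
    <#
    .SYNOPSIS
    Appends a CMTrace-formatted line to the log file and optionally echoes it to the host.
    .PARAMETER Message
    Text to log.
    .PARAMETER Source
    Component name shown in the host echo; the file entry always carries the calling script's name.
    .PARAMETER Severity
    0 = success (green), 1 = information (default), 2 = warning, 3 = error,
    4 = verbose (echoed only when $Global:Verbose is set).
    .PARAMETER OutputLogFile
    Log file path; defaults to $Global:LogFilePath.
    .PARAMETER Outhost
    Echo to the host as well as the file; $Global:OutTohost has the same effect for every call.
    .NOTES
    Fixes versus the previous revision: a -Severity of 0 was silently promoted to 1 because
    `If(!$Severity)` treats 0 as "not supplied", which made the green branch unreachable; and
    the "unable to append" message used the wrong format indices (it printed the script name
    where the file path belonged and dropped the exception text).
    #>
    param(
        [Parameter(Mandatory=$true,Position=0,ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true)]
        [ValidateNotNullOrEmpty()]
        [string]$Message,
        [Parameter(Mandatory=$false,Position=2)]
        [string]$Source = '',
        [parameter(Mandatory=$false)]
        [ValidateSet(0,1,2,3,4)]
        [int16]$Severity,
        [parameter(Mandatory=$false, HelpMessage="Name of the log file that the entry will written to")]
        [ValidateNotNullOrEmpty()]
        [string]$OutputLogFile = $Global:LogFilePath,
        [parameter(Mandatory=$false)]
        [switch]$Outhost
    )
    Begin{
        [string]$LogTime = (Get-Date -Format 'HH:mm:ss.fff').ToString()
        [string]$LogDate = (Get-Date -Format 'MM-dd-yyyy').ToString()
        # CMTrace time stamps carry the local UTC offset in minutes appended to the time
        [int32]$script:LogTimeZoneBias = [timezone]::CurrentTimeZone.GetUtcOffset([datetime]::Now).TotalMinutes
        [string]$LogTimePlusBias = $LogTime + $script:LogTimeZoneBias
    }
    Process{
        # Get the file name of the source script for the "component" and "file" fields
        Try {
            If ($script:MyInvocation.Value.ScriptName) {
                [string]$ScriptSource = Split-Path -Path $script:MyInvocation.Value.ScriptName -Leaf -ErrorAction 'Stop'
            }
            Else {
                [string]$ScriptSource = Split-Path -Path $script:MyInvocation.MyCommand.Definition -Leaf -ErrorAction 'Stop'
            }
        }
        Catch {
            $ScriptSource = ''
        }

        # Default to informational only when the caller did not pass -Severity (0 is a valid value)
        If(-not $PSBoundParameters.ContainsKey('Severity')){$Severity = 1}

        $LogFormat = "<![LOG[$Message]LOG]!>" + "<time=`"$LogTimePlusBias`" " + "date=`"$LogDate`" " + "component=`"$ScriptSource`" " + "context=`"$([Security.Principal.WindowsIdentity]::GetCurrent().Name)`" " + "type=`"$Severity`" " + "thread=`"$PID`" " + "file=`"$ScriptSource`">"

        # Append to the log file; a failure to log is reported on the host but never aborts the caller
        try {
            Out-File -InputObject $LogFormat -Append -NoClobber -Encoding Default -FilePath $OutputLogFile -ErrorAction Stop
        }
        catch {
            Write-Host ("[{0}] [{1}] :: Unable to append log entry to [{2}], error: {3}" -f $LogTimePlusBias,$ScriptSource,$OutputLogFile,$_.Exception.Message) -ForegroundColor Red
        }
    }
    End{
        If($Outhost -or $Global:OutTohost){
            If($Source){
                $OutputMsg = ("[{0}] [{1}] :: {2}" -f $LogTimePlusBias,$Source,$Message)
            }
            Else{
                $OutputMsg = ("[{0}] [{1}] :: {2}" -f $LogTimePlusBias,$ScriptSource,$Message)
            }
            Switch($Severity){
                0 {Write-Host $OutputMsg -ForegroundColor Green}
                1 {Write-Host $OutputMsg -ForegroundColor Gray}
                2 {Write-Warning $OutputMsg}
                3 {Write-Host $OutputMsg -ForegroundColor Red}
                4 {If($Global:Verbose){Write-Verbose $OutputMsg}}
                default {Write-Host $OutputMsg}
            }
        }
    }
}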
Function Set-Bluetooth{
    <#
    .SYNOPSIS
    Turns the Bluetooth radio on or off through the WinRT Windows.Devices.Radios API.
    .PARAMETER DeviceStatus
    'On' or 'Off'; handed to Radio.SetStateAsync, which takes a RadioState value.
    .NOTES
    Results are reported via Write-LogEntry; nothing is returned.
    NOTE(review): if more than one radio of kind 'Bluetooth' is present, $bluetooth
    holds an array and the SetStateAsync member call would need a loop — confirm on
    multi-radio hardware.
    #>
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory=$true)][ValidateSet('Off', 'On')]
        [string]$DeviceStatus
    )
    Begin{
        ## Get the name of this function
        [string]${CmdletName} = $PSCmdlet.MyInvocation.MyCommand.Name
    }
    Process{
        # WinRT async operations are bridged to .NET tasks via AsTask; pick the single-argument
        # overload that accepts IAsyncOperation`1
        Add-Type -AssemblyName System.Runtime.WindowsRuntime
        $asTaskGeneric = ([System.WindowsRuntimeSystemExtensions].GetMethods() | Where-Object{ $_.Name -eq 'AsTask' -and $_.GetParameters().Count -eq 1 -and $_.GetParameters()[0].ParameterType.Name -eq 'IAsyncOperation`1' })[0]
        # Blocks until the WinRT operation completes and returns its result as $ResultType
        Function Await($WinRtTask, $ResultType) {
            $asTask = $asTaskGeneric.MakeGenericMethod($ResultType)
            $netTask = $asTask.Invoke($null, @($WinRtTask))
            $netTask.Wait(-1) | Out-Null
            $netTask.Result
        }
        # Referencing the types with the WindowsRuntime content type loads them into the session
        [Windows.Devices.Radios.Radio,Windows.System.Devices,ContentType=WindowsRuntime] | Out-Null
        [Windows.Devices.Radios.RadioAccessStatus,Windows.System.Devices,ContentType=WindowsRuntime] | Out-Null
        # Access must be requested before radios can be enumerated or changed
        Await ([Windows.Devices.Radios.Radio]::RequestAccessAsync()) ([Windows.Devices.Radios.RadioAccessStatus]) | Out-Null
        $radios = Await ([Windows.Devices.Radios.Radio]::GetRadiosAsync()) ([System.Collections.Generic.IReadOnlyList[Windows.Devices.Radios.Radio]])
        $bluetooth = $radios | Where-Object { $_.Kind -eq 'Bluetooth' }
        [Windows.Devices.Radios.RadioState,Windows.System.Devices,ContentType=WindowsRuntime] | Out-Null
        If($bluetooth){
            Try{
                Await ($bluetooth.SetStateAsync($DeviceStatus)) ([Windows.Devices.Radios.RadioAccessStatus]) | Out-Null
            }
            Catch{
                Write-LogEntry ("Unable to configure Bluetooth Settings: {0}" -f $_.Exception.Message) -Severity 3 -Source ${CmdletName}
            }
            Finally{
                #If ((Get-Service bthserv).Status -eq 'Stopped') { Start-Service bthserv }
            }
        }
        Else{
            Write-LogEntry ("No Bluetooth found") -Severity 0 -Source ${CmdletName}
        }
    }
    End{}
}
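function Show-ProgressStatus
{
    <#
    .SYNOPSIS
    Shows task sequence secondary progress of a specific step
    .DESCRIPTION
    Adds a second progress bar to the existing Task Sequence Progress UI.
    This progress bar can be updated to allow for a real-time progress of
    a specific task sequence sub-step.
    The Step and Max Step parameters are calculated when passed. This allows
    you to have a "max steps" of 400, and update the step parameter. 100%
    would be achieved when step is 400 and max step is 400. The percentages
    are calculated behind the scenes by the Com Object.
    Outside a task sequence, Write-Progress is used instead. In that path a
    MaxStep of 0 (the step count could not be determined) is shown as 0% and
    the percentage is clamped to 0..100, since Write-Progress rejects values
    outside that range.
    The message is also written to the log through Write-LogEntry.
    .PARAMETER Message
    The message to display the progress
    .PARAMETER Step
    Integer indicating current step
    .PARAMETER MaxStep
    Integer indicating 100%. A number other than 100 can be used.
    .PARAMETER SubMessage
    Optional detail appended to Message in square brackets.
    .PARAMETER IncrementSteps
    Accepted for call compatibility; not used by this function.
    .PARAMETER Outhost
    Forwarded to Write-LogEntry so the message is echoed to the host.
    .INPUTS
    - Message: String
    - Step: Long
    - MaxStep: Long
    .OUTPUTS
    None
    .EXAMPLE
    Sets "Custom Step 1" at 30 percent complete
    Show-ProgressStatus -Message "Running Custom Step 1" -Step 100 -MaxStep 300
    .EXAMPLE
    Sets "Custom Step 1" at 50 percent complete
    Show-ProgressStatus -Message "Running Custom Step 1" -Step 150 -MaxStep 300
    .EXAMPLE
    Sets "Custom Step 1" at 100 percent complete
    Show-ProgressStatus -Message "Running Custom Step 1" -Step 300 -MaxStep 300
    #>
    param(
        [Parameter(Mandatory=$true)]
        [string] $Message,
        [Parameter(Mandatory=$true)]
        [int]$Step,
        [Parameter(Mandatory=$true)]
        [int]$MaxStep,
        [string]$SubMessage,
        [int]$IncrementSteps,
        [switch]$Outhost
    )
    Begin{
        If($SubMessage){
            $StatusMessage = ("{0} [{1}]" -f $Message,$SubMessage)
        }
        Else{
            $StatusMessage = $Message
        }
    }
    Process
    {
        If($Script:tsenv){
            # Inside a task sequence the progress UI COM object draws the secondary bar itself
            $Script:TSProgressUi.ShowActionProgress(
                $Script:tsenv.Value("_SMSTSOrgName"),
                $Script:tsenv.Value("_SMSTSPackageName"),
                $Script:tsenv.Value("_SMSTSCustomProgressDialogMessage"),
                $Script:tsenv.Value("_SMSTSCurrentActionName"),
                [Convert]::ToUInt32($Script:tsenv.Value("_SMSTSNextInstructionPointer")),
                [Convert]::ToUInt32($Script:tsenv.Value("_SMSTSInstructionTableSize")),
                $StatusMessage,
                $Step,
                $MaxStep)
        }
        Else{
            # Guard the division (MaxStep may be 0) and clamp to the range Write-Progress accepts
            If($MaxStep -gt 0){
                $Percent = [math]::Min(100, [math]::Max(0, ($Step / $MaxStep) * 100))
            }
            Else{
                $Percent = 0
            }
            Write-Progress -Activity "$Message ($Step of $MaxStep)" -Status $StatusMessage -PercentComplete $Percent -id 1
        }
    }
    End{
        Write-LogEntry $Message -Severity 1 -Outhost:$Outhost
    }
}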
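Function Set-SystemSetting {
    <#
    .SYNOPSIS
    Sets a registry value, applying it through LGPO.exe as a local Group Policy item when requested.
    .DESCRIPTION
    With -TryLGPO $true and an existing -LGPOExe, a one-item LGPO text policy file is written
    to $env:Temp and applied with "LGPO.exe /t". Whether or not LGPO was used (or failed),
    the Finally block then writes the value straight into the registry, creating the key
    when it does not exist.
    .PARAMETER RegPath
    Registry path including hive. HKLM:, HKEY_LOCAL_MACHINE, MACHINE, HKCU, HKEY_CURRENT_USER,
    USER, HKU and HKEY_USERS are recognised; any other hive falls back to HKLM.
    .PARAMETER Name
    Value name. When omitted, the last path segment of RegPath is used as the value name.
    .PARAMETER Value
    Data to write. See the note on comma handling in the body.
    .PARAMETER Type
    Registry value type; defaults to DWord when omitted.
    .PARAMETER Force
    Forwarded to New-Item / New-ItemProperty / Set-ItemProperty.
    .PARAMETER TryLGPO
    Try LGPO.exe before writing the registry directly.
    .PARAMETER LGPOExe
    Path to LGPO.exe; defaults to $Global:LGPOPath.
    .PARAMETER LogPath
    Accepted for call compatibility; not used by this function.
    .PARAMETER RemoveFile
    Delete the generated .lgpo file and its stderr log from $env:Temp after a real (non -WhatIf) run.
    .NOTES
    Fixes versus the previous revision: the Process object from Start-Process -PassThru was piped
    to Out-Null, so the logged exit code was always empty; the automatic $args variable was being
    assigned; the .lgpo path was passed unquoted; stripping the SID for the LGPO file overwrote
    $RegKeyPath and so misdirected the direct registry write that follows; and -RemoveFile was
    disabled for every real run (only -WhatIf runs honoured it).
    #>
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact='Medium')]
    Param (
        [Parameter(Mandatory=$true,Position=0)]
        [Alias("Path")]
        [string]$RegPath,
        [Parameter(Mandatory=$false,Position=1)]
        [Alias("v")]
        [string]$Name,
        [Parameter(Mandatory=$false,Position=2)]
        [Alias("d")]
        $Value,
        [Parameter(Mandatory=$false,Position=3)]
        [ValidateSet('None','String','Binary','DWord','ExpandString','MultiString','QWord')]
        [Alias("PropertyType","t")]
        $Type,
        [Parameter(Mandatory=$false,Position=4)]
        [Alias("f")]
        [switch]$Force,
        [Parameter(Mandatory=$false)]
        [boolean]$TryLGPO,
        [Parameter(Mandatory=$false)]
        $LGPOExe = $Global:LGPOPath,
        [Parameter(Mandatory=$false)]
        [string]$LogPath,
        [Parameter(Mandatory=$false)]
        [switch]$RemoveFile
    )
    Begin
    {
        ## Get the name of this function
        [string]${CmdletName} = $PSCmdlet.MyInvocation.MyCommand.Name
        # Inherit the caller's preference variables unless they were given explicitly
        if (-not $PSBoundParameters.ContainsKey('Verbose')) {
            $VerbosePreference = $PSCmdlet.SessionState.PSVariable.GetValue('VerbosePreference')
        }
        if (-not $PSBoundParameters.ContainsKey('Confirm')) {
            $ConfirmPreference = $PSCmdlet.SessionState.PSVariable.GetValue('ConfirmPreference')
        }
        if (-not $PSBoundParameters.ContainsKey('WhatIf')) {
            $WhatIfPreference = $PSCmdlet.SessionState.PSVariable.GetValue('WhatIfPreference')
        }
        # Shared between Process (set) and End (cleanup)
        $LGPOfile = $null
        $result = $null
    }
    Process
    {
        $RegKeyHive = ($RegPath).Split('\')[0].Replace('Registry::','').Replace(':','')

        # Without -Name the last path segment is the value name
        If(!$Name){
            $RegKeyPath = Split-Path ($RegPath).Split('\',2)[1] -Parent
            $RegKeyName = Split-Path ($RegPath).Split('\',2)[1] -Leaf
        }
        Else{
            $RegKeyPath = ($RegPath).Split('\',2)[1]
            $RegKeyName = $Name
        }

        # NOTE(review): -split ',',2 returns at most two pieces and the [String] cast joins them
        # with a space, so the first comma of a value (e.g. LegalNoticeText) becomes a space.
        # Kept as-is; confirm that this is the intended normalisation.
        [String]$Value = $Value -split ',',2

        # Map the hive prefix to the LGPO scope and to the PSDrive/provider path used for direct writes
        Switch($RegKeyHive){
            HKEY_LOCAL_MACHINE {$LGPOHive = 'Computer';$RegHive = 'HKLM:'}
            MACHINE {$LGPOHive = 'Computer';$RegHive = 'HKLM:'}
            HKLM {$LGPOHive = 'Computer';$RegHive = 'HKLM:'}
            HKEY_CURRENT_USER {$LGPOHive = 'User';$RegHive = 'HKCU:'}
            HKEY_USERS {$LGPOHive = 'User';$RegHive = 'Registry::HKEY_USERS'}
            HKCU {$LGPOHive = 'User';$RegHive = 'HKCU:'}
            HKU {$LGPOHive = 'User';$RegHive = 'Registry::HKEY_USERS'}
            USER {$LGPOHive = 'User';$RegHive = 'HKCU:'}
            default {$LGPOHive = 'Computer';$RegHive = 'HKLM:'}
        }

        # Registry type -> LGPO text-file type (mappings kept from the original).
        # NOTE(review): Convert-ToHexString is not defined in this file — confirm it is dot-sourced elsewhere.
        Switch($Type){
            'None' {$LGPORegType = 'NONE'}
            'String' {$LGPORegType = 'SZ'}
            'ExpandString' {$LGPORegType = 'EXPAND_SZ'}
            'Binary' {$LGPORegType = 'BINARY'; $value = Convert-ToHexString $value}
            'DWord' {$LGPORegType = 'DWORD'}
            'QWord' {$LGPORegType = 'DWORD_BIG_ENDIAN'}
            'MultiString' {$LGPORegType = 'LINK'}
            default {$LGPORegType = 'DWORD';$Type = 'DWord'}
        }

        Try{
            If($TryLGPO -and $LGPOExe)
            {
                If(Test-Path $LGPOExe)
                {
                    $lgpoout = "; ----------------------------------------------------------------------`r`n"
                    $lgpoout += "; PROCESSING POLICY`r`n"
                    $lgpoout += "; Source file:`r`n"
                    $lgpoout += "`r`n"
                    # One file per hive/path/value so repeated calls do not clobber each other
                    $LGPOfile = ($RegKeyHive + '-' + $RegKeyPath.replace('\','-').replace(' ','') + '-' + $RegKeyName.replace(' ','') + '.lgpo')
                    $LGPOfilePath = "$env:Temp\$LGPOfile"

                    # LGPO user policies are relative to the user hive, so the leading SID / DEFAULT
                    # segment is dropped for the policy file only. $RegKeyPath keeps the full path for
                    # the direct registry write in Finally (previously it was overwritten here, which
                    # sent that write to HKEY_USERS\<path> without the SID).
                    $LGPOKeyPath = $RegKeyPath
                    If($LGPOHive -eq 'User'){
                        $UserID = $RegKeyPath.Split('\')[0]
                        If($UserID -match "DEFAULT|S-1-5-21-(\d+-?){4}$"){
                            $LGPOKeyPath = $RegKeyPath.Replace($UserID+"\","")
                        }
                    }

                    Write-LogEntry ("LGPO applying [{3}] to registry: [{0}\{1}\{2}] as a Group Policy item" -f $RegHive,$LGPOKeyPath,$RegKeyName,$RegKeyName) -Severity 4 -Source ${CmdletName}
                    $lgpoout += "$LGPOHive`r`n"
                    $lgpoout += "$LGPOKeyPath`r`n"
                    $lgpoout += "$RegKeyName`r`n"
                    $lgpoout += "$($LGPORegType):$Value`r`n"
                    $lgpoout += "`r`n"
                    $lgpoout | Out-File $LGPOfilePath

                    # /q quiet, /t apply a text policy file; /v verbose is added when the caller runs verbosely.
                    # $args is PowerShell's automatic argument array, so a dedicated name is used here.
                    If($VerbosePreference){$lgpoArgs = "/v /q /t"}Else{$lgpoArgs = "/q /t"}
                    # Quote the file path: $env:Temp may contain spaces and -ArgumentList is a single string.
                    # The trailing /v is carried over from the original invocation.
                    $lgpoArgLine = "$lgpoArgs `"$LGPOfilePath`" /v"
                    Write-LogEntry ("Start-Process {0} -ArgumentList '{1}' -RedirectStandardError '{2}.stderr.log'" -f $LGPOExe,$lgpoArgLine,$LGPOfilePath) -Severity 4 -Source ${CmdletName}
                    If(!$WhatIfPreference){
                        # -PassThru hands back the Process object; piping it to Out-Null would discard ExitCode
                        $result = Start-Process $LGPOExe -ArgumentList $lgpoArgLine -RedirectStandardError "$LGPOfilePath.stderr.log" -Wait -NoNewWindow -PassThru
                        If($result.ExitCode -eq 0){
                            Write-LogEntry ("LGPO ran successfully. Exit code: {0}" -f $result.ExitCode) -Severity 4 -Source ${CmdletName}
                        }
                        Else{
                            # Reported, not thrown: the Finally block still writes the value directly
                            Write-LogEntry ("LGPO returned exit code {0}; see {1}.stderr.log" -f $result.ExitCode,$LGPOfilePath) -Severity 2 -Source ${CmdletName}
                        }
                    }
                }
                Else{
                    Write-LogEntry ("LGPO will not be used. Path not found: {0}" -f $LGPOExe) -Severity 3 -Source ${CmdletName}
                }
            }
            Else{
                Write-LogEntry ("LGPO not enabled. Hardcoding registry keys [{0}\{1}\{2}]" -f $RegHive,$RegKeyPath,$RegKeyName) -Severity 0 -Source ${CmdletName}
            }
        }
        Catch{
            If($TryLGPO -and $LGPOExe){
                Write-LogEntry ("LGPO failed to run. exit code: {0}. Hardcoding registry keys [{1}\{2}\{3}]" -f $result.ExitCode,$RegHive,$RegKeyPath,$RegKeyName) -Severity 3 -Source ${CmdletName}
            }
        }
        Finally
        {
            # Brief pause before touching the registry (kept from the original; LGPO itself has already exited via -Wait)
            start-sleep 1
            # Always write the value directly as well, so the setting holds even when LGPO was skipped or failed
            Try{
                $FullKeyPath = $RegHive +'\'+ $RegKeyPath
                If( -not(Test-Path $FullKeyPath) ){
                    Write-LogEntry ("Path was not found; Creating path and setting registry keys [{0}\{1}] with value [{2}]" -f $FullKeyPath,$RegKeyName,$Value) -Severity 0 -Source ${CmdletName}
                    New-Item $FullKeyPath -Force:$Force -WhatIf:$WhatIfPreference -ErrorAction Stop | New-ItemProperty -Name $RegKeyName -PropertyType $Type -Value $Value -Force:$Force -ErrorAction Stop | Out-Null
                }
                Else{
                    Write-LogEntry ("Setting key name [{1}] at path [{0}] with value [{2}]" -f $FullKeyPath,$RegKeyName,$Value) -Source ${CmdletName}
                    Set-ItemProperty -Path $FullKeyPath -Name $RegKeyName -Value $Value -Force:$Force -WhatIf:$WhatIfPreference -ErrorAction Stop | Out-Null
                }
            }
            Catch{
                Write-LogEntry ("Unable to configure registry key [{0}\{1}\{2}]. {3}" -f $RegHive,$RegKeyPath,$RegKeyName,$_.Exception.Message) -Severity 3 -Source ${CmdletName}
            }
        }
    }
    End {
        # Remove the generated LGPO files only after a real run; nothing was written under -WhatIf
        If($WhatIfPreference){$RemoveFile = $false}
        If($LGPOfile -and $RemoveFile){
            Foreach($f in @("$env:Temp\$LGPOfile", "$env:Temp\$LGPOfile.stderr.log")){
                If(Test-Path $f){ Remove-Item $f -ErrorAction SilentlyContinue | Out-Null }
            }
        }
    }
}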
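Function Set-UserSetting {
    <#
    .SYNOPSIS
    Sets (or removes) a registry value in one or more user hives.
    .DESCRIPTION
    Resolves which user profiles to touch from -ApplyTo, mounts each profile's NTUSER.DAT under
    HKEY_USERS\<SID> with REG.EXE when it is not already loaded, writes the value through
    Set-SystemSetting (or removes it with -Remove), and unloads only the hives this function
    mounted. The current-user case writes to HKCU directly without loading anything.
    .PARAMETER RegPath
    Registry path. A user hive prefix (HKCU, HKEY_CURRENT_USER, HKU, HKEY_USERS) is stripped and
    the remainder is applied under each selected profile; machine hives are rejected.
    .PARAMETER Name
    Value name; when omitted the last path segment of RegPath is used.
    .PARAMETER Value
    Data to write.
    .PARAMETER Type
    Registry value type (Set-SystemSetting defaults it to DWord).
    .PARAMETER ApplyTo
    CurrentUser, AllUsers or DefaultUser; defaults to $Global:ApplyToProfiles.
    .PARAMETER Remove
    Delete the value instead of setting it.
    .PARAMETER Force
    Forwarded to the registry cmdlets.
    .PARAMETER Message
    Progress/log text; when given, Show-ProgressStatus is updated per profile.
    .PARAMETER TryLGPO
    Forwarded to Set-SystemSetting.
    .PARAMETER LGPOExe
    Path to LGPO.exe; defaults to $Global:LGPOPath (Set-SystemSetting reads the same global).
    .PARAMETER LogPath
    Accepted for call compatibility; not used by this function.
    .NOTES
    Fixes versus the previous revision: $CurrentSID and $DefaultProfile were only computed when
    the profile cache was first built, so later calls selected no profile; the current-user
    -Remove path contained $RegKeyPath twice; -Remove used bare hive names (HKCU\..., HKEY_USERS\...)
    that are not provider paths and so never removed anything; REG.EXE LOAD went through CMD /C
    with an unquoted profile path; and hives that were already mounted were unloaded on exit.
    #>
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact='Medium')]
    Param (
        [Parameter(Mandatory=$true,Position=0,ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true)]
        [Alias("Path")]
        [string]$RegPath,
        [Parameter(Mandatory=$false,Position=1)]
        [Alias("v")]
        [string]$Name,
        [Parameter(Mandatory=$false,Position=2)]
        [Alias("d")]
        $Value,
        [Parameter(Mandatory=$false,Position=3)]
        [ValidateSet('None','String','Binary','DWord','ExpandString','MultiString','QWord')]
        [Alias("PropertyType","t")]
        [string]$Type,
        [Parameter(Mandatory=$false,Position=4)]
        [ValidateSet('CurrentUser','AllUsers','DefaultUser')]
        [Alias("Users")]
        [string]$ApplyTo = $Global:ApplyToProfiles,
        [Parameter(Mandatory=$false,Position=5)]
        [Alias("r")]
        [switch]$Remove,
        [Parameter(Mandatory=$false,Position=6)]
        [Alias("f")]
        [switch]$Force,
        [Parameter(Mandatory=$false)]
        [ValidateNotNullOrEmpty()]
        [string]$Message,
        [Parameter(Mandatory=$false)]
        [boolean]$TryLGPO,
        [Parameter(Mandatory=$false)]
        $LGPOExe = $Global:LGPOPath,
        [Parameter(Mandatory=$false)]
        [string]$LogPath
    )
    Begin
    {
        ## Get the name of this function
        [string]${CmdletName} = $PSCmdlet.MyInvocation.MyCommand.Name
        # Inherit the caller's preference variables unless they were given explicitly
        if (-not $PSBoundParameters.ContainsKey('Verbose')) {
            $VerbosePreference = $PSCmdlet.SessionState.PSVariable.GetValue('VerbosePreference')
        }
        if (-not $PSBoundParameters.ContainsKey('Confirm')) {
            $ConfirmPreference = $PSCmdlet.SessionState.PSVariable.GetValue('ConfirmPreference')
        }
        if (-not $PSBoundParameters.ContainsKey('WhatIf')) {
            $WhatIfPreference = $PSCmdlet.SessionState.PSVariable.GetValue('WhatIfPreference')
        }

        # Build the profile list once per session and cache it globally
        If(!$Global:UserProfiles){
            # Every local profile with a domain/local user SID (S-1-5-21-...), its hive file and folder name
            $AllProfiles = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*" | Where-Object {$_.PSChildName -match "S-1-5-21-(\d+-?){4}$" } |
                Select-Object @{Name="SID"; Expression={$_.PSChildName}}, @{Name="UserHive";Expression={"$($_.ProfileImagePath)\NTuser.dat"}}, @{Name="UserName";Expression={Split-Path $_.ProfileImagePath -Leaf}}

            # The Default profile template (not to be confused with the .DEFAULT hive)
            $DefaultProfileEntry = "" | Select-Object SID, UserHive,UserName
            $DefaultProfileEntry.SID = "DEFAULT"
            $DefaultProfileEntry.UserHive = "$env:systemdrive\Users\Default\NTuser.dat"
            $DefaultProfileEntry.UserName = "Default"

            $Global:UserProfiles = @()
            $Global:UserProfiles += $AllProfiles
            $Global:UserProfiles += $DefaultProfileEntry
        }

        # Resolved on every call (previously only while building the cache, so later calls saw nothing)
        $DefaultProfile = $Global:UserProfiles | Where-Object { $_.SID -eq 'DEFAULT' }
        # SID of the account running this script, taken from its own token rather than a WMI name lookup
        [string]$CurrentSID = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    }
    Process
    {
        #grab the hive from the regpath
        $RegKeyHive = ($RegPath).Split('\')[0].Replace('Registry::','').Replace(':','')

        # Which hive name Set-SystemSetting will see, and which profiles are touched
        Switch($ApplyTo){
            'AllUsers' {$RegHive = 'HKEY_USERS'; $ProfileList = $Global:UserProfiles}
            'CurrentUser' {$RegHive = 'HKCU' ; $ProfileList = ($Global:UserProfiles | Where-Object{$_.SID -eq $CurrentSID})}
            'DefaultUser' {$RegHive = 'HKU' ; $ProfileList = $DefaultProfile}
            default {$RegHive = $RegKeyHive ; $ProfileList = ($Global:UserProfiles | Where-Object{$_.SID -eq $CurrentSID})}
        }

        # Machine hives are not user settings
        If($RegKeyHive -match "HKEY_LOCAL_MACHINE|HKLM|HKCR"){
            Write-LogEntry ("Registry path [{0}] is not a user path. Use Set-SystemSetting cmdlet instead" -f $RegKeyHive) -Severity 2 -Source ${CmdletName}
            return
        }
        # A user hive prefix is stripped; the rest is relative to each profile's hive
        ElseIf($RegKeyHive -match "HKEY_USERS|HKEY_CURRENT_USER|HKCU|HKU"){
            If(!$Name){
                $RegKeyPath = Split-Path ($RegPath).Split('\',2)[1] -Parent
                $RegKeyName = Split-Path ($RegPath).Split('\',2)[1] -Leaf
            }
            Else{
                $RegKeyPath = ($RegPath).Split('\',2)[1]
                $RegKeyName = $Name
            }
        }
        # No hive given but -ApplyTo tells us which profiles: treat the whole path as hive-relative
        ElseIf($ApplyTo){
            If(!$Name){
                $RegKeyPath = Split-Path ($RegPath) -Parent
                $RegKeyName = Split-Path ($RegPath) -Leaf
            }
            Else{
                $RegKeyPath = $RegPath
                $RegKeyName = $Name
            }
        }
        Else{
            Write-LogEntry ("User registry hive was not found or specified in Keypath [{0}]. Either use the -ApplyTo Switch or specify user hive [eg. HKCU\]" -f $RegPath) -Severity 3 -Source ${CmdletName}
            return
        }

        # Anything other than the current user's hive is reached through HKEY_USERS\<SID>
        If($RegHive -notmatch 'HKCU|HKEY_CURRENT_USER'){
            $p = 1
            Foreach ($UserProfile in $ProfileList) {
                # Prefer the resolved account name; fall back to the profile folder name
                Try{
                    $objSID = New-Object System.Security.Principal.SecurityIdentifier($UserProfile.SID)
                    $UserName = $objSID.Translate([System.Security.Principal.NTAccount])
                }
                Catch{
                    $UserName = $UserProfile.UserName
                }
                If($Message){Show-ProgressStatus -Message $Message -SubMessage ("(Users: {0} of {1})" -f $p,$ProfileList.count) -Step $p -MaxStep $ProfileList.count}

                $HiveRoot = "Registry::HKEY_USERS\$($UserProfile.SID)"
                $HiveLoaded = Test-Path $HiveRoot
                $LoadedHere = $false
                If (-not $HiveLoaded) {
                    # Mount the profile hive. REG.EXE is called directly (no CMD /C hop) and the
                    # NTUSER.DAT path is quoted because profile folders may contain spaces.
                    Start-Process -FilePath "REG.EXE" -ArgumentList ("LOAD HKU\{0} `"{1}`"" -f $UserProfile.SID,$UserProfile.UserHive) -Wait -WindowStyle Hidden
                    # Re-check instead of assuming success: a hive that failed to load must not be written to or unloaded
                    $HiveLoaded = Test-Path $HiveRoot
                    $LoadedHere = $HiveLoaded
                }
                If ($HiveLoaded) {
                    If($Message){Write-LogEntry ("{0} for User [{1}]" -f $Message,$UserName)}
                    If($Remove){
                        # Provider path form is required here; Set-SystemSetting normalises hive names itself
                        Remove-ItemProperty "$HiveRoot\$RegKeyPath" -Name $RegKeyName -Force:$Force -WhatIf:$WhatIfPreference -ErrorAction SilentlyContinue | Out-Null
                    }
                    Else{
                        Set-SystemSetting -Path "$RegHive\$($UserProfile.SID)\$RegKeyPath" -Name $RegKeyName -Type $Type -Value $Value -Force:$Force -WhatIf:$WhatIfPreference -TryLGPO:$TryLGPO
                    }
                }
                Else{
                    Write-LogEntry ("Unable to load user hive for [{0}] from [{1}]" -f $UserName,$UserProfile.UserHive) -Severity 2 -Source ${CmdletName}
                }
                # Only unload what this function mounted; release handles first so REG UNLOAD can succeed
                If ($LoadedHere) {
                    [gc]::Collect()
                    Start-Sleep -Seconds 3
                    Start-Process -FilePath "REG.EXE" -ArgumentList ("UNLOAD HKU\{0}" -f $UserProfile.SID) -Wait -PassThru -WindowStyle Hidden | Out-Null
                }
                $p++
            }
        }
        Else{
            If($Message){Write-LogEntry ("{0} for [{1}]" -f $Message,$ProfileList.UserName)}
            If($Remove){
                # HKCU: drive form; a bare "HKCU\..." string is not a valid provider path
                Remove-ItemProperty "HKCU:\$RegKeyPath" -Name $RegKeyName -Force:$Force -WhatIf:$WhatIfPreference -ErrorAction SilentlyContinue | Out-Null
            }
            Else{
                Set-SystemSetting -Path "$RegHive\$RegKeyPath" -Name $RegKeyName -Type $Type -Value $Value -Force:$Force -WhatIf:$WhatIfPreference -TryLGPO:$TryLGPO
            }
        }
    }
    End {
        If($Message){Show-ProgressStatus -Message "Completed $Message" -Step 1 -MaxStep 1}
    }
}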
##*===========================================================================
##* VARIABLES
##*===========================================================================
# Use function to get paths because Powershell ISE and other editors have differnt results
# Resolve paths through Get-ScriptPath because the ISE and other editors report them differently
$scriptPath = Get-ScriptPath
[string]$scriptDirectory = Split-Path $scriptPath -Parent
[string]$scriptName = Split-Path $scriptPath -Leaf
[string]$scriptBaseName = [System.IO.Path]::GetFileNameWithoutExtension($scriptName)

# One WMI query serves both OS facts
$osInfo = Get-WmiObject -Class Win32_OperatingSystem
[int]$OSBuildNumber = $osInfo.BuildNumber
[string]$OsCaption = $osInfo.Caption

# Companion folders next to the script
$ToolsPath = Join-Path $scriptDirectory -ChildPath 'Tools'
$AdditionalScriptsPath = Join-Path $scriptDirectory -ChildPath 'Scripts'

# Verbose/debug detection.
# NOTE(review): this script has no param() block, so $PSBoundParameters is empty at script
# scope and this branch does not fire from a -Verbose on the command line — confirm intended.
$Global:Verbose = $false
If($PSBoundParameters.ContainsKey('Debug') -or $PSBoundParameters.ContainsKey('Verbose')){
    $Global:Verbose = $PsBoundParameters.Get_Item('Verbose')
    $VerbosePreference = 'Continue'
    Write-Verbose ("[{0}] [{1}] :: VERBOSE IS ENABLED" -f (Format-DatePrefix),$scriptName)
}
Else{
    $VerbosePreference = 'SilentlyContinue'
}

# Log file: <script base name>.log inside the task-sequence log folder (or %TEMP% when stand-alone)
[string]$FileName = "{0}.log" -f $scriptBaseName
[string]$Global:LogFilePath = Join-Path (Get-SMSTSENV -ReturnLogPath -Verbose) -ChildPath $FileName
Write-Host "logging to file: $LogFilePath" -ForegroundColor Cyan
##*===========================================================================
##* DEFAULTS: Configurations are here (change values if needed)
##*===========================================================================
# Global Settings
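# Global Settings
[boolean]$DisableScript = $false
[string]$Global:LGPOPath = "$ToolsPath\LGPO\LGPO.exe"
[boolean]$UseLGPO = $true
# VDI Preference
[boolean]$OptimizeForVDI = $false
# STIG Settings
[boolean]$ApplySTIGItems = $false
[boolean]$ApplyEMETMitigations = $false

# When running in a task sequence, let its CFG_* variables override the defaults above.
# Values are read through the COM object ($tsenv.Value) rather than the TSEnv: PSDrive
# ($tsenv:Name), which only exists when MDT's task sequence module is loaded; the COM
# object is present in both MDT and ConfigMgr sequences. An unset variable comes back
# empty and leaves the default in place. [boolean]::Parse accepts only "True"/"False".
If(Get-SMSTSENV){
    # Global Settings
    If($tsenv.Value("CFG_DisableSTIGScript")){[boolean]$DisableScript = [boolean]::Parse($tsenv.Value("CFG_DisableSTIGScript"))}
    If($tsenv.Value("CFG_UseLGPOForConfigs")){[boolean]$UseLGPO = [boolean]::Parse($tsenv.Value("CFG_UseLGPOForConfigs"))}
    # LGPOPath is executed with this script's privileges, so it should only ever point into the deployment share
    If($tsenv.Value("LGPOPath")){[string]$Global:LGPOPath = $tsenv.Value("LGPOPath")}
    # VDI Preference
    If($tsenv.Value("CFG_OptimizeForVDI")){[boolean]$OptimizeForVDI = [boolean]::Parse($tsenv.Value("CFG_OptimizeForVDI"))}
    # STIG Settings
    If($tsenv.Value("CFG_ApplySTIGItems")){[boolean]$ApplySTIGItems = [boolean]::Parse($tsenv.Value("CFG_ApplySTIGItems"))}
    If($tsenv.Value("CFG_ApplyEMETMitigations")){[boolean]$ApplyEMETMitigations = [boolean]::Parse($tsenv.Value("CFG_ApplyEMETMitigations"))}
}

# Ultimately disable the entire script. This is useful for testing and using one task sequence with many rules
If($DisableScript){
    Write-LogEntry "Script is disabled!" -Outhost
    Exit 0
}

# Locate LGPO.exe in the Tools directory or at the specified LGPOPath; without it, fall back to direct registry writes
$FindLGPO = Get-ChildItem $Global:LGPOPath -Filter LGPO.exe -ErrorAction SilentlyContinue
If($FindLGPO){
    $Global:LGPOPath = $FindLGPO.FullName
}
Else{
    $UseLGPO = $false
}

# In a task sequence, user settings go to every profile (Set-UserSetting -ApplyTo); interactively, only the current user
If(Get-SMSTSENV){$Global:ApplyToProfiles = 'AllUsers'}Else{$Global:ApplyToProfiles = 'CurrentUser'}
# Host echo is noise inside a task sequence (no console) unless running in the ISE
If((Get-SMSTSENV) -and -not($psISE)){$Global:OutToHost = $false}Else{$Global:OutToHost = $true}

# Count the Show-ProgressStatus calls in this file so the progress bar knows its maximum
$script:Maxsteps = ([System.Management.Automation.PsParser]::Tokenize((Get-Content $scriptPath), [ref]$null) | Where-Object { $_.Type -eq 'Command' -and $_.Content -eq 'Show-ProgressStatus' }).Count
# Step counter consumed by each Show-ProgressStatus call
$stepCounter = 1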
##*===========================================================================
##* MAIN
##*===========================================================================
If($ApplySTIGItems )
{
Show-ProgressStatus -Message "Applying STIG Items" -Step ($stepCounter++) -MaxStep $script:Maxsteps -Outhost
If($OptimizeForVDI){
Write-LogEntry "Ignoring Stig Rule ID: SV-77813r4_rule :: Enabling TPM" -Outhost
Write-LogEntry "Ignoring Stig Rule ID: SV-91779r3_rule :: Enabling UEFI" -Outhost
Write-LogEntry "Ignoring Stig Rule ID: SV-91781r2_rule :: Enabling SecureBoot" -Outhost
Write-LogEntry "Ignoring Stig Rule ID: SV-78085r5_rule :: Enabling Virtualization Based Security" -Outhost
Write-LogEntry "Ignoring Stig Rule ID: SV-78089r7_rule :: Enabling Credential Guard" -Outhost
Write-LogEntry "Ignoring Stig Rule ID: SV-78093r6_rule :: Enabling Virtualization-based protection of code integrity" -Outhost
}
Show-ProgressStatus -Message "STIG Rule ID: SV-83411r1_rule :: Enabling Powershell Script Block Logging" -Step ($stepCounter++) -MaxStep $script:Maxsteps -Outhost
Set-SystemSetting -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Type DWord -Value 1 -Force -TryLGPO:$true
Show-ProgressStatus -Message "Applying STIG Items" -Step ($stepCounter++) -MaxStep $script:Maxsteps -Outhost
Show-ProgressStatus -Message "STIG Rule ID: SV-78039r1_rule :: Disabling Autorun for local volumes" -Step ($stepCounter++) -MaxStep $script:Maxsteps -Outhost
Set-SystemSetting -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer' -Name 'NoAutoplayfornonVolume' -Value 1 -Force -TryLGPO:$true
Show-ProgressStatus -Message "STIG Rule ID: SV-78161r1_rule :: Disabling Autorun for local machine" -Step ($stepCounter++) -MaxStep $script:Maxsteps -Outhost
Set-SystemSetting -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer' -Name 'NoAutorun' -Value 1 -Force -TryLGPO:$true
Show-ProgressStatus -Message "STIG Rule ID: SV-78163r1_rule :: Disabling Autorun for local drive" -Step ($stepCounter++) -MaxStep $script:Maxsteps -Outhost
Set-SystemSetting -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer' -Name 'NoDriveTypeAutoRun' -Type DWord -Value 0xFF -Force -TryLGPO:$true
Show-ProgressStatus -Message "Disabling Bluetooth" -Step ($stepCounter++) -MaxStep $script:Maxsteps -Outhost
Set-Bluetooth -DeviceStatus Off
Show-ProgressStatus -Message "TIG Rule ID: SV-78301r1_rule :: Enabling FIPS Algorithm Policy" -Step ($stepCounter++) -MaxStep $script:Maxsteps -Outhost
Set-SystemSetting -Path 'HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy' -Name 'Enabled' -Type DWord -Value 1 -Force
Show-ProgressStatus -Message "STIG Rule ID: SV-96851r1_rule :: Disabling personal accounts for OneDrive synchronization" -Step ($stepCounter++) -MaxStep $script:Maxsteps -Outhost
Set-SystemSetting -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive' -Name 'DisablePersonalSync' -Type DWord -Value '1' -Force -TryLGPO:$true
    # Privacy and mitigation settings
# See: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services
Show-ProgressStatus -Message "STIG Rule ID: SV-78039r1_rule :: Privacy Mitigations :: Disabling Microsoft accounts for modern style apps" -Step ($stepCounter++) -MaxStep $script:Maxsteps -Outhost
Set-SystemSetting -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'MSAOptional' -Value 1 -Force -TryLGPO:$true
Show-ProgressStatus -Message "STIG Rule ID: SV-78035r1_rule :: Privacy Mitigations :: Disabling camera usage on user's lock screen" -Step ($stepCounter++) -MaxStep $script:Maxsteps -Outhost
Set-SystemSetting -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization' -Name 'NoLockScreenCamera' -Type DWord -Value '1' -Force -TryLGPO:$true
Show-ProgressStatus -Message "STIG Rule ID: SV-78039r1_rule :: Privacy Mitigations :: Disabling lock screen slideshow" -Step ($stepCounter++) -MaxStep $script:Maxsteps -Outhost
Set-SystemSetting -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization' -Name 'NoLockScreenSlideshow' -Value 1 -Force -TryLGPO:$true
Show-ProgressStatus -Message "STIG Rule ID: SV-86395r2_rule :: Privacy Mitigations :: Disabling Consumer Features" -Step ($stepCounter++) -MaxStep $script:Maxsteps -Outhost
Set-SystemSetting -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent' -Name 'DisableWindowsConsumerFeatures' -Type DWord -Value '1' -Force -TryLGPO:$true| Out-Null
Show-ProgressStatus -Message "STIG Rule ID: SV-89091r1_rule :: Privacy Mitigations :: Disabling Xbox features" -Step ($stepCounter++) -MaxStep $script:Maxsteps -Outhost
Set-SystemSetting -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\GameDVR' -Name 'AllowGameDVR' -Type DWord -Value 0 -Force -TryLGPO:$true
Write-LogEntry ("STIG Rule ID: SV-78173r3_rule :: Privacy Mitigations :: {0}Disabling telemetry" -f $prefixmsg) -Outhost
If ($OsCaption -like "*Enterprise*" -or $OsCaption -like "*Education*"){
$TelemetryLevel = "0"
Write-LogEntry "Privacy Mitigations :: Enterprise edition detected. Supported telemetry level: Security" -Outhost
}
Else{
$TelemetryLevel = "1"
Write-LogEntry "Privacy Mitigations :: Lowest supported telemetry level: Basic" -Outhost
}
Set-SystemSetting -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' -Name 'AllowTelemetry' -Type DWord -Value $TelemetryLevel -Force -TryLGPO:$true
Set-SystemSetting -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection' -Name 'AllowTelemetry' -Type DWord -Value $TelemetryLevel -Force
Set-SystemSetting -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection' -Name 'AllowTelemetry' -Type DWord -Value $TelemetryLevel -Force
Show-ProgressStatus -Message "STIG Rule ID: SV-96859r1_rule: Disabling access the Insider build controls in the Advanced Options." -Step ($stepCounter++) -MaxStep $script:Maxsteps -Outhost
Set-SystemSetting -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' -Name 'LimitEnhancedDiagnosticDataWindowsAnalytics' -Type DWord -Value 1 -Force -TryLGPO:$true
Show-ProgressStatus -Message "STIG Rule ID: SV-77825r1_rule :: Disabling Basic Authentication for WinRM" -Step ($stepCounter++) -MaxStep $script:Maxsteps -Outhost
Set-SystemSetting -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' -Name 'AllowBasic' -Type DWord -Value 0 -Force -TryLGPO:$true
Set-SystemSetting -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' -Name 'AllowBasic' -Type DWord -Value 0 -Force -TryLGPO:$true
Show-ProgressStatus -Message "STIG Rule ID: SV-77829r1_rule :: Disabling unencrypted traffic for WinRM" -Step ($stepCounter++) -MaxStep $script:Maxsteps -Outhost
Set-SystemSetting -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' -Name 'AllowUnencryptedTraffic' -Type DWord -Value 0 -Force -TryLGPO:$true
Set-SystemSetting -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' -Name 'AllowUnencryptedTraffic' -Type DWord -Value 0 -Force -TryLGPO:$true
Show-ProgressStatus -Message "STIG Rule ID: SV-77831r1_rule :: Disabling Digest authentication for WinRM" -Step ($stepCounter++) -MaxStep $script:Maxsteps -Outhost
Set-SystemSetting -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' -Name 'AllowDigest' -Type DWord -Value 0 -Force -TryLGPO:$true
Show-ProgressStatus -Message "STIG Rule ID: SV-77831r1_rule :: Disabling Digest authentication for WinRM" -Step ($stepCounter++) -MaxStep $script:Maxsteps -Outhost
Set-SystemSetting -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' -Name 'DisableRunAs' -Type DWord -Value 1 -Force -TryLGPO:$true
Show-ProgressStatus -Message "STIG Rule ID: SV-78309r1_rule :: Enabling UAC prompt administrators for consent on the secure desktop" -Step ($stepCounter++) -MaxStep $script:Maxsteps -Outhost
Set-SystemSetting -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name ConsentPromptBehaviorAdmin -Type DWord -Value 2 -Force -TryLGPO:$true
Show-ProgressStatus -Message "STIG Rule ID: SV-78311r1_rule :: Disabling elevation UAC prompt User for consent on the secure desktop" -Step ($stepCounter++) -MaxStep $script:Maxsteps -Outhost
Set-SystemSetting -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name ConsentPromptBehaviorUser -Type DWord -Value 0 -Force -TryLGPO:$true
Show-ProgressStatus -Message "STIG Rule ID: SV-78315r1_rule :: Enabling elevation UAC prompt detect application installations and prompt for elevation" -Step ($stepCounter++) -MaxStep $script:Maxsteps -Outhost
Set-SystemSetting -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'EnableInstallerDetection' -Type DWord -Value 1 -Force -TryLGPO:$true
Show-ProgressStatus -Message "STIG Rule ID: SV-78315r1_rule :: Enabling elevation UAC UIAccess applications that are installed in secure locations" -Step ($stepCounter++) -MaxStep $script:Maxsteps -Outhost
Set-SystemSetting -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'EnableSecureUAIPaths' -Type DWord -Value 1 -Force -TryLGPO:$true
Show-ProgressStatus -Message "STIG Rule ID: SV-78321r1_rule :: Enabling Enable virtualize file and registry write failures to per-user locations." -Step ($stepCounter++) -MaxStep $script:Maxsteps -Outhost
Set-SystemSetting -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'EnableVirtualization' -Type DWord -Value 1 -Force -TryLGPO:$true
Show-ProgressStatus -Message "STIG Rule ID: SV-78319r1_rule :: Enabling UAC for all administrators" -Step ($stepCounter++) -MaxStep $script:Maxsteps -Outhost
Set-SystemSetting -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'EnableLUA' -Type DWord -Value 1 -Force
Show-ProgressStatus -Message "STIG Rule ID: SV-78087r2_rule :: FIlter Local administrator account privileged tokens" -Step ($stepCounter++) -MaxStep $script:Maxsteps -Outhost
Set-SystemSetting -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'LocalAccountTokenFilterPolicy' -Type DWord -Value 0 -Force -TryLGPO:$true
Show-ProgressStatus -Message "STIG Rule ID: SV-78307r1_rule :: Enabling User Account Control approval mode" -Step ($stepCounter++) -MaxStep $script:Maxsteps -Outhost
Set-SystemSetting -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'FilterAdministratorToken' -Type DWord -Value 1 -Force -TryLGPO:$true
Show-ProgressStatus -Message "STIG Rule ID: SV-78307r1_rule :: Disabling enumerating elevated administator accounts" -Step ($stepCounter++) -MaxStep $script:Maxsteps -Outhost
Set-SystemSetting -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI' -Name 'EnumerateAdministrators' -Type DWord -Value 0 -Force -TryLGPO:$true
Show-ProgressStatus -Message "Enable All credential or consent prompting will occur on the interactive user's desktop" -Step ($stepCounter++) -MaxStep $script:Maxsteps -Outhost
Set-SystemSetting -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'PromptOnSecureDesktop' -Type DWord -Value 1 -Force -TryLGPO:$true
Show-ProgressStatus -Message "Enforce cryptographic signatures on any interactive application that requests elevation of privilege" -Step ($stepCounter++) -MaxStep $script:Maxsteps -Outhost
Set-SystemSetting -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'ValidateAdminCodeSignatures' -Type DWord -Value 0 -Force -TryLGPO:$true
If(!$OptimizeForVDI)
{
Write-LogEntry "STIG Rule ID: SV-78085r5_rule :: Enabling Virtualization Based Security" -Outhost
if ($OSBuildNumber -gt 14393) {
try {
                # For versions older than Windows 10 1607 (build 14393), enable the required Windows Features for Credential Guard.
                # NOTE(review): the guard above runs this only when $OSBuildNumber -gt 14393, i.e. for NEWER builds — confirm the intended build range.
Enable-WindowsOptionalFeature -FeatureName Microsoft-Hyper-V-HyperVisor -Online -All -LimitAccess -NoRestart -ErrorAction Stop | Out-Null
Write-LogEntry "Successfully enabled Microsoft-Hyper-V-HyperVisor feature" -Outhost
}
catch [System.Exception] {
Write-LogEntry ("An error occured when enabling Microsoft-Hyper-V-HyperVisor. {0}" -f $_) -Severity 3 -Outhost
}
try {
                # For versions older than Windows 10 1607 (build 14393), add the IsolatedUserMode feature as well.
                # NOTE(review): same build-range mismatch as the Hyper-V step above ($OSBuildNumber -gt 14393) — confirm.
Enable-WindowsOptionalFeature -FeatureName IsolatedUserMode -Online -All -LimitAccess -NoRestart -ErrorAction Stop | Out-Null
Write-LogEntry "Successfully enabled IsolatedUserMode feature" -Outhost
}
catch [System.Exception] {
Write-LogEntry ("An error occured when enabling IsolatedUserMode. {0}" -f $_) -Severity 3 -Outhost
}
}
Write-LogEntry "Enabling Windows Defender Application Guard" -Outhost
Enable-WindowsOptionalFeature -online -FeatureName "Windows-Defender-ApplicationGuard" -NoRestart -WarningAction SilentlyContinue | Out-Null
Show-ProgressStatus -Message "STIG Rule ID: SV-78093r6_rule :: Enabling Virtualization-based protection of code integrity" -Step ($stepCounter++) -MaxStep $script:Maxsteps -Outhost