• Stars
    star
    733
  • Rank 61,835 (Top 2 %)
  • Language
    PowerShell
  • License
    MIT License
  • Created over 4 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Enhance the security and privacy of your Windows 10 and Windows 11 deployments with our fully optimized, hardened, and debloated script. Adhere to industry best practices and Department of Defense STIG/SRG requirements for optimal performance and security.

Optimize, Harden, and Debloat Windows 10 and Windows 11 Deployments

Script Test CICDVirusTotal ScanPSScriptAnalyzer

Introduction:

Windows 10 and Windows 11 are invasive and insecure operating system out of the box. Organizations like PrivacyTools.io, Microsoft, Cyber.mil, the Department of Defense, and the National Security Agency have recommended configuration changes to lockdown, harden, and secure the operating system. These changes cover a wide range of mitigations including blocking telemetry, macros, removing bloatware, and preventing many digital and physical attacks on a system. This script aims to automate the configurations recommended by those organizations.

Notes, Warnings, and Considerations:

WARNING:

This script should work for most, if not all, systems without issue. While @SimeonOnSecurity creates, reviews, and tests each repo intensively, we can not test every possible configuration nor does @SimeonOnSecurity take any responsibility for breaking your system. If something goes wrong, be prepared to submit an issue.

  • This script is designed for operation in primarily Personal Use environments. With that in mind, certain enterprise configuration settings are not implemented. This script is not designed to bring a system to 100% compliance. Rather it should be used as a stepping stone to complete most, if not all, the configuration changes that can be scripted while skipping past issues like branding and banners where those should not be implemented even in a hardened personal use environment.
  • This script is designed in such a way that the optimizations, unlike some other scripts, will not break core windows functionality.
  • Features like Windows Update, Windows Defender, the Windows Store, and Cortona have been restricted, but are not in a dysfunctional state like most other Windows 10 Privacy scripts.
  • If you seek a minimized script targeted only to commercial environments, please see this GitHub Repository

Do not run this script if you don't understand what it does. It is your responsibility to review and test the script before running it.

FOR EXAMPLE, THE FOLLOWING WILL BREAK IF YOU RUN THIS WITHOUT TAKING PREVENTATIVE STEPS:

  • Using the default administrator account named "Administrator" is disabled and renamed per DoD STIG

    • Does not apply to the default account created but does apply to using the Default Administrator account often found on Enterprise, IOT, and Windows Server Versions

    • Create a new account under Computer Management and set it as an administrator if you wish. Then copy the contents of the previous users folder into the new one after signing into the new user for the first time to work around this prior to running the script.

  • Signing in using a microsoft account is disabled per DoD STIG.

    • When trying to be secure and private, signing into your local account via a Microsoft Account is not advised. This is enforced by this repo.

    • Create a new account under Computer Management and set it as an administrator if you wish. Then copy the contents of the previous users folder into the new one after signing into the new user for the first time to work around this prior to running the script.

  • Account PINs are disabled per DoD STIG

    • PINs are insecure when used solely in place of a password and can be easily bypassed in a matter of hours or potentially even seconds or minutes

    • Remove the pin from the account and/or sign in using password after running the script.

  • Bitlocker defaults are changed and hardened due to DoD STIG.

    • Due to how bitlocker is implemented, when this changes occur and if you already have bitlocker enabled it will break the bitlocker implementation.

    • Disable bitlocker, run the script, then reenable bitlocker to workaround this issue.

Requirements:

Recommended reading material:

Additions, notable changes, and bugfixes:

This script adds, removes, and changes settings on your system. Please review the script before running it.

Browsers:

  • Browsers will have additional extentions installed to aid in privacy and security.
    • See here for additional information.
  • Due to the DoD STIGs implemented for browsers, extension management and other enterprise settings are set. For instructions on how to see these options, you'll need to look at the GPO instructions below.

Powershell Modules:

  • To aid in automating Windows Updates the PowerShell PSWindowsUpdate module will be added to your system.

Fixing Microsoft Account, Store, or Xbox Services:

This is because we block signing into microsoft accounts. Microsoft's telemetry and identity association is frowned upon. However, if you still wish to use these services see the following issue tickets for the resolution:

If you use Thunder Bolt Devices:

You may run into issues. There are multiple vulnerabilities assosiated with using Thunderbolt and advanced USB-C type devices. Because of this we have disabled it by default. If you'd like to ignore this, please read:

Editing policies in Local Group Policy after the fact:

If you need to modify or change a setting, they are most likely configurable via GPO:

  • Import the ADMX Policy definitions from this repo into C:\windows\PolicyDefinitions on the system you're trying to modify.

  • Open gpedit.msc on on the system you're trying to modify.

A list of scripts and tools this collection utilizes:

First Party:

Third Party:

STIGS/SRGs Applied:

Additional configurations were considered from:

Learn more about Optimizing and Hardening Windows 10 and Windows 11

How to run the script:

GUI - Guided Install:

Download the latest release here, choose the options you want and hit execute.

Example of 
Windows-Optimize-Harden-Debloat GUI Based Guided install

Automated Install:

Use this one-liner to automatically download, unzip all supporting files, and run the latest version of the script.

iwr -useb 'https://simeononsecurity.ch/scripts/windowsoptimizeandharden.ps1'|iex

Example of 
Windows-Optimize-Harden-Debloat automatic install

Manual Install:

If manually downloaded, the script must be launched from an administrative powershell in the directory containing all the files from the GitHub Repository

The script "sos-optimize-windows.ps1" includes several parameters that allow for customization of the optimization process. Each parameter is a boolean value that defaults to true if not specified.

  • cleargpos: Clears Group Policy Objects settings.
  • installupdates: Installs updates to the system.
  • adobe: Implements the Adobe Acrobat Reader STIGs.
  • firefox: Implements the FireFox STIG.
  • chrome: Implements the Google Chrome STIG.
  • IE11: Implements the Internet Explorer 11 STIG.
  • edge: Implements the Microsoft Chromium Edge STIG.
  • dotnet: Implements the Dot Net 4 STIG.
  • office: Implements the Microsoft Office Related STIGs.
  • onedrive: Implements the Onedrive STIGs.
  • java: Implements the Oracle Java JRE 8 STIG.
  • windows: Implements the Windows Desktop STIGs.
  • defender: Implements the Windows Defender STIG.
  • firewall: Implements the Windows Firewall STIG.
  • mitigations: Implements General Best Practice Mitigations.
  • defenderhardening: Implements and Hardens Windows Defender Beyond STIG Requirements.
  • pshardening: Implements PowerShell Hardening and Logging.
  • sslhardening: Implements SSL Hardening.
  • smbhardening: Hardens SMB Client and Server Settings.
  • applockerhardening: Installs and Configures Applocker (In Audit Only Mode).
  • bitlockerhardening: Harden Bitlocker Implementation.
  • removebloatware: Removes unnecessary programs and features from the system.
  • disabletelemetry: Disables data collection and telemetry.
  • privacy: Makes changes to improve privacy.
  • imagecleanup: Cleans up unneeded files from the system.
  • nessusPID: Resolves Unquoted System Strings in Path.
  • sysmon: Installs and configures sysmon to improve auditing capabilities.
  • diskcompression: Compresses the system disk.
  • emet: Implements STIG Requirements and Hardening for EMET on Windows 7 Systems.
  • updatemanagement: Changes the way updates are managed and improved on the system.
  • deviceguard: Enables Device Guard Hardening.
  • sosbrowsers: Optimizes the system's web browsers.

An example of how to launch the script with specific parameters would be:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
Get-ChildItem -Recurse *.ps1 | Unblock-File
powershell.exe -ExecutionPolicy ByPass -File .\sos-optimize-windows.ps1 -cleargpos:$false -installupdates:$false

More Repositories

1

Windows-Optimize-Debloat

Optimize and debloat Windows 10 and Windows 11 deployments according to best practices for maximum performance and privacy. The ultimate script for enhancing your Windows experience.
PowerShell
247
star
2

FireFox-Privacy-Script

Implement the privacy oriented configurations for FireFox
Shell
141
star
3

Standalone-Windows-STIG-Script

Create a compliant and secure Windows 10/11 system with our Gold Master image creation tool. Adhere to DoD STIG/SRG Requirements and NSA Cybersecurity guidance for standalone Windows systems with ease, using our ultimate STIG script.
PowerShell
140
star
4

Blue-Team-Tools

A collection of scripts, tools. and configs for various OS'es and applications, all free and or open-source, to assist in impromptu Blue-Team defense under an active threat.
HTML
96
star
5

Standalone-Windows-Server-STIG-Script

Enhance the security and compliance of your standalone Windows servers with our STIG script, specifically designed to meet DoD STIG/SRG requirements and NSACyber guidance. Achieve ultimate Windows Server protection with our easy-to-use script.
PowerShell
59
star
6

Windows-Defender-Hardening

Take advantage of some more advanced Windows Defender settings.
PowerShell
54
star
7

Windows-Optimize-Harden-Debloat-GUI

C# Based GUI for Windows-Optimize-Harden-Debloat
C#
35
star
8

System-Wide-Windows-Ad-Blocker

Block Ads, Tracking, and Telemetry System Wide
PowerShell
32
star
9

Windows-Defender-Application-Control-Hardening

Harden Windows with Windows Defender Application Control (WDAC)
PowerShell
30
star
10

STIG-Compliant-Domain-Prep

Import all the GPOs provided by SimeonOnSecurity to assist in making your domain compliant with all applicable STIGs and SRGs.
HTML
26
star
11

Shodan_PS

A collection of PowerShell modules for interacting with the Shodan API. Includes modules for returning information about the API, client IP, DNS, exploits, honeypot scores, hosts, ports, profiles, and scans. Shodan API key required. Query and scan credits used.
PowerShell
24
star
12

Applocker-Hardening

Ultimate Applocker Hardening Configuration Script.
PowerShell
23
star
13

setup-scripts

Set up scripts for various OS'es
PowerShell
22
star
14

Windows-Hardening-CTF

A windows hardening script that makes it difficult to compromise a Windows device. Only for use during Blue-Team Competitions.
PowerShell
22
star
15

Windows-Defender-STIG-Script

Automate Windows Defender STIG to 100% Compliance
PowerShell
17
star
16

awesome-hardening

A collection of scripts and configurations for hardening various systems and applications.
17
star
17

Automate-Sysmon

Automate Sysmon Deployment and Configuration
PowerShell
16
star
18

Windows_STIG_Ansible

Ansible Playbooks for SimeonOnSecurity's STIG Scripts
Python
14
star
19

FireFox-Security-Researcher

Configure FireFox with Security and Intelligance features for OSINT and Security Investigations.
PowerShell
13
star
20

SAPS

A collection of scripts to assist System Adminsitrators
PowerShell
11
star
21

FireFox-STIG-Script

STIG FireFox the Easy Way
PowerShell
11
star
22

VirusTotal-PS

PowerShell Modules for Interacting with the VirusTotal API
PowerShell
9
star
23

Windows-Branding-Script

A simple script to assist with configuring branding on Windows 10 and Windows Server 2016/2019
PowerShell
9
star
24

.NET-STIG-Script

The only script to assist administrators in completing the .NET STIG.
PowerShell
8
star
25

Windows-Terminal-Hardening

Scripts and Documentation for Hardening Windows Command Prompt and PowerShell
PowerShell
8
star
26

discord-backdoors-and-breaches

A Discord Bot for Backdoors and Breaches. Pre-Alpha State Is Not Fully Functional
Python
8
star
27

ChocoAutomateWindowsUpdates

Automate Windows Updates with Chocolatey and PSWindowsUpdates
PowerShell
8
star
28

docker-duino-coin

Dockerized Duino-Coin Miner
Shell
7
star
29

KMS-Auto-PS

Install GLVKs for Windows Desktop, Windows Server, and Office
PowerShell
7
star
30

Apache-Web-Server-Hardening

An collection of example configurations and scripts to aid administrators in configuring a hardened Apache Web Server
Shell
7
star
31

awesome-stigs

A collection of tested automations for implementing DoD STIGs and SRGs
7
star
32

docker-rtklib-onocoy-rtkdirect

Docker Container that Takes in USB or TCP Based Serial GPS Receiver Output and Forwards the Data to Either Onocoy or RTKDirect or Both.
Shell
7
star
33

simeononsecurity

6
star
34

LazyWindowsUpdates

Easily accomplish updating all windows machines in a domain
PowerShell
6
star
35

WMI-Filters

A Collection of WMI Filters
6
star
36

Offine-PS-ActiveDirectory-Install

Install the PowerShell RSAT ActiveDirectory Module Offline
PowerShell
6
star
37

docker-ubuntu-hardened

Hardened Docker Container with arm, arm64, and amd64 support https://simeononsecurity.com
Dockerfile
6
star
38

docker-pharos-control

Dockerized TP-Link Pharos Centralized Managment Platform https://simeononsecurity.com
Dockerfile
5
star
39

docker-ffmpeg-mp4-folder

Stream From a Folder of MP4 Files to Twitch, YouTube, and/or Kick
Shell
5
star
40

Windows-Audit-Policy

Max out Windows Auditing
PowerShell
5
star
41

ansible_linux_update

This Ansible role automates Linux security patching by applying updates to supported Linux distributions. It handles various package managers such as apt, dnf, yum, and apk to ensure that Linux systems are kept up to date with the latest security patches.
5
star
42

docker-debian-hardened

Hardened Debian Docker Container with arm, arm64, and amd64 support https://simeononsecurity.com
Dockerfile
5
star
43

Windows-Defender-Application-Guard-Hardening

Implement WDAG and Harden Windows Based OS'es
4
star
44

SoS-Parrot_OS-Setup

Setup ParrotOS how I like it.
Shell
4
star
45

simeononsecurity.ch

The source code for the SimeonOnSecurity website
HTML
4
star
46

BraveADMX

Proper ADMX Templates for the Brave Browser
4
star
47

ntripserver

Ntrip Version 2.0 Command Line Server - Fork of ntripserver at https://software.rtcm-ntrip.org/browser/ntrip/trunk/ntripserver
C
4
star
48

SoS-Parrot-Docker

A Customized ParrotOS Docker Image https://simeononsecurity.com
Dockerfile
4
star
49

AnonUpload

A PowerShell Module to Upload to anonfiles.com
PowerShell
3
star
50

Oracle-JRE-8-STIG-Script

Apply the JAVA STIG to a Windows System.
PowerShell
3
star
51

SolarWinds-SunBurst-SolarFlare-SolarMarker-Countermeasures

SolarWinds SunBurst Countermeasures
PowerShell
3
star
52

ansible_shodan

A collection of shodan modules for ansible
Python
3
star
53

Windows-Spectre-Meltdown-Mitigation-Script

Simple script to implement protections against speculative execution side-channel vulnerabilities in Windows systems.
PowerShell
3
star
54

docker-mesonnetwork

Dockerized Meson Network Node https://simeononsecurity.com
Dockerfile
3
star
55

glotta

Translate Hugo markdown file content and create index bundles
JavaScript
2
star
56

WMISupport

Scrap code testing C# skills for interacting with WMI via CIMSessions
C#
2
star
57

Adobe-Reader-DC-STIG-Script

Fully implement the Adobe Reader DC STIG
PowerShell
2
star
58

docker-rocky-hardened

Prehardenend Rocky Linux Docker Container with arm64 and amd64 support https://simeononsecurity.com
Dockerfile
2
star
59

rocky-ansible

Dockerized Ansible Controller running on Rockylinux 8 https://simeononsecurity.com
Dockerfile
2
star
60

docker-rss-display-web

A docker container that publishes an rss feed to a generated webpage
HTML
2
star
61

track-openroaming-passpoint

A collection of scripts and tools that tracks the availability of hotspot 2.0, passpoint, and openroaming networks in the wild from the Wigle Dataset. Updates every 24 hours.
HTML
2
star
62

ansible_windows_update

This Ansible role automates the process of applying Windows security updates. It utilizes the `ansible.windows.win_updates` module to search for available security updates and install them on Windows hosts. By automating the patching process, you can ensure that your Windows systems stay up-to-date with the latest security patches.
2
star
63

ansible_system_update

This Ansible role automates the patching of both Linux and Windows systems, allowing you to keep your infrastructure up-to-date with the latest security updates.
2
star
64

CVE-2020-1350-Fix

A registry-based workaround can be used to help protect an affected Windows server, and it can be implemented without requiring an administrator to restart the server. Because of the volatility of this vulnerability, administrators may have to implement the workaround before they apply the security update in order to enable them to update their systems by using a standard deployment cadence.
PowerShell
2
star
65

docker-ubuntu-apache

https://simeononsecurity.com
Dockerfile
1
star
66

docker-kaspapool

Dockerfile
1
star
67

sos-landing-page

A static landing page for the purposes of backlinks generation.
HTML
1
star
68

linux-hostapd-hs20-dhcpd

Scripts and a Docker Container for Hotspot 2.0 Supported AP in Linux
Shell
1
star
69

docker-hs20server

A Full HS20 OSU Server Setup in Docker using hostapd, HS20-Server, Radius, sqllite3, and apache
PHP
1
star
70

shodanpy

A Series of Python Modules for Interacting with the Shodan API
Python
1
star
71

simeononsecurity.com-comments

Just here to use as a serverless comment host for simeononsecurity.ch
1
star
72

ChromiumADMX

Proper ADMX Template for the Chromium Browser
1
star
73

scratchpad

Notes and tidbits
1
star
74

Chocolatey-Nethor

https://simeononsecurity.ch
PowerShell
1
star
75

docker-rhel-hardened

Prehardenend RHEL Docker Container with arm64 and amd64 support https://simeononsecurity.com
Dockerfile
1
star
76

chocolateypackages

All the chocolatey packages that I maintain https://simeononsecurity.com
PowerShell
1
star
77

WeatherXM-Python

A Script That Interfaces with WeatherXM API and Pulls Weather Information from Your Weather XM Devices
Python
1
star
78

docker-tor-bridge

Quickly Spin up a Tor Node https://simeononsecurity.com/github/docker-tor-bridge
Dockerfile
1
star
79

sosfirefox

Search the SimeonOnSecurity Website Natively In Firefox - https://simeononsecurity.com
CSS
1
star
80

track-helium-mobile-wifi

A collection of scripts and tools that tracks the availability of helium mobile wifi networks in the wild from the Wigle Dataset. Updates every 24 hours.
HTML
1
star