Hardening Windows 10 Desktops – Part 1

30 December 2020, by angelusadeuszabulus

Here are some privacy settings that limit how much of your information is sent to the publisher and its partners.

This is done through Group Policy Objects (GPOs), which we will walk through in this article.

The article was inspired by the recommendations of the National Agency for the Security of Information Systems, as well as my experience.

Please excuse me, the screenshots are in French.

Data Collection and Trial Versions Preview

  • On your domain controller, open the Group Policy Management console, right-click on Group Policy Objects, and click Create a GPO in this domain.
  • Name the policy and click OK
  • Once the policy is created, right-click on it and click Modify

Go to: Computer Configuration / Administrative Templates / Windows Components / Data Collection and Trial Versions Preview

Allow telemetry

“This policy determines the amount of usage and diagnostic data returned to Microsoft. A value of 0 indicates that minimum data is being sent to Microsoft. This data includes Windows Defender Malicious Software Removal Tool (MSRT) data, if enabled, and telemetry client settings. Setting a value of 0 is applicable for Enterprise, EDU, IoT, and Server devices only. Setting a value of 0 for other devices is equivalent to choosing a value of 1. A value of 1 sends an amount of diagnostic and basic usage data only. Note: Setting values of 0 or 1 will degrade the experience of the device. A value of 2 sends enhanced diagnostic and usage data. A value of 3 sends the same data as a value of 2, plus additional diagnostic data such as the state of the system at the time of a crash or hang, as well as files and content that may be at the origin of the problem. Windows 10 telemetry settings apply to Windows operating systems and some core apps. This setting does not apply to third-party apps running on Windows 10.

If you disable or do not configure this policy setting, users can configure the telemetry level in settings.”

  • We will choose 0 (telemetry disabled)

Do not show feedback notifications

“This policy setting allows an organization to block Microsoft’s feedback questions on their devices.

If you enable this policy setting, users will no longer see feedback notifications through the Feedback app on Windows.

If you disable or do not configure this policy setting, users can see notifications through the Feedback on Windows app, which asks them to provide feedback.

Note: If you disable or do not configure this policy setting, users can control how often they receive feedback questions.”

  • We will choose Enabled

Toggle User Control on Insider Builds

“This policy setting determines whether users can access Insider build controls in Windows Update Advanced Options. These checks are located under Get Insider Builds. They allow users to make their device available for downloading and installing Windows trial software.

If you enable or do not configure this policy setting, users can download and install Windows trial software on their device.

If you disable this policy setting, the Get Insider Builds option is unavailable.

Note: This policy setting only applies to devices running Windows 10 Pro, Enterprise, Education, or Server.”

  • We will choose Disabled

Computer Configuration / Administrative Templates / Windows Components / Windows Defender / MAPS

  • On your domain controller, open the Group Policy Management console, right-click on Group Policy Objects, and click Create a GPO in this domain.
  • Name the policy and click OK
  • Once the policy is created, right-click on it and click Modify
  • Go to: Computer Configuration / Administrative Templates / Windows Components / Windows Defender / MAPS

Configures a local replacement value for the configuration to join Microsoft MAPS

“This policy setting configures a local replacement value for the configuration to join Microsoft MAPS. This setting can only be set by Group Policy.

If you enable this setting, the local preference setting takes precedence over Group Policy.

If you disable or do not configure this setting, Group Policy takes precedence over the local preference setting.”

  • We will choose Disabled

Send sample files when additional analysis is needed

“This policy setting configures the behavior of sending samples when MAPS telemetry is accepted.

The possible options are:

(0x0) Always ask
(0x1) Automatically send secure samples
(0x2) Never send
(0x3) Automatically send all samples”

  • We will choose Enabled – Never send

Computer configuration / Administrative templates / Windows components / Search

  • On your domain controller, open the Group Policy Management console, right-click on Group Policy Objects, and click Create a GPO in this domain.
  • Name the policy and click OK
  • Once the policy is created, right-click on it and click Modify
  • Go to: Computer Configuration / Administrative Templates / Windows Components / Search

Authorize Cortana

“This policy setting specifies whether Cortana is allowed on the device.

If you enable or do not configure this setting, Cortana will be allowed on the device. If you disable this setting, Cortana will be disabled.

When Cortana is turned off, users are still able to use search on the device.”

  • We will choose Disabled

Allow Cortana above the lock screen

“This policy setting determines whether or not the user can interact with Cortana using voice while the system is locked.

If you enable this setting or if you do not configure it, the user can interact with Cortana using voice while the system is locked.

If you disable this setting, the system must be unlocked before the user can interact with Cortana using voice.”

  • We will choose Disabled

Allow indexing of encrypted files

“This policy setting allows indexing of encrypted items. If this policy setting is enabled, indexing attempts to decrypt and index the content (access restrictions are still enforced). If disabled or not configured, Search Service components (including third-party components) do not index encrypted items and encrypted stores. This policy setting is not configured by default. If this policy setting is not configured, the local setting, configured in Control Panel, is used. By default, the Control Panel setting does not allow indexing of encrypted content. 

If this setting is enabled or disabled, the index is rebuilt entirely.

Full volume encryption (such as BitLocker Drive Encryption or a third-party solution) should be used for the index location to maintain the security of the encrypted files.”

  • We will choose Disabled

Do not allow web search

“Enabling this policy removes the ability to search the web from Windows Search.

If this policy is disabled or not configured, the Web option is available and users can search the web through the search engine of the default browser.”

  • We will choose Enabled

Define what information is shared in Search

“This policy setting allows you to control what information is shared with Bing in Search.

If you enable this policy setting, you can specify one of three settings, which users cannot change:

  – User and Location Info: Allows you to share a user’s search history, certain Microsoft account information, and a specific location to personalize their searches and other Microsoft experiences.
  – User Information Only: Allows you to share a user’s search history and certain Microsoft account information to personalize their searches and other Microsoft experiences.
  – Anonymous Information: Allows you to share usage information but not search history, Microsoft account information, or a specific location.

If you disable or do not configure this policy setting, users can choose what information is shared in Search.”

  • We will choose Enabled – Anonymous information

Do not search the web or display web results in Search

“This policy setting allows you to control whether or not Search can perform web queries, and whether web results display in Search.

If you enable this policy setting, no queries are executed on the web and web results are not displayed when a user runs a query in Search.

If you do not configure this policy setting, a user can choose whether or not Search can perform web queries, and whether web results are displayed in Search.”

  • We will choose Enabled

Computer Configuration / Administrative Templates / Windows Components / Location and Sensors / Windows Location Service

  • On your domain controller, open the Group Policy Management console, right-click on Group Policy Objects, and click Create a GPO in this domain.
  • Name the policy and click OK
  • Once the policy is created, right-click on it and click Modify
  • Go to: Computer Configuration / Administrative Templates / Windows Components / Location and Sensors / Windows Location Service / Disable Windows Location Service

Enable / Disable the locate my device option

“This policy setting turns off the Windows Location Services feature on this computer.

If you enable this policy setting, the Windows Location Services feature is disabled, and no programs on this computer will be able to use the Windows Location Services feature anymore.

If you disable or do not configure this policy setting, all programs on this computer will be able to use the Windows Location Services feature.”

  • We will choose Enabled
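The full set of policies configured in this article (telemetry, feedback and Insider builds, MAPS, Search, and Location), as an added example that is not part of the original post: a PowerShell script holding the registry values these ADMX policies write, so the GPO can be created with the RSAT GroupPolicy module on the domain controller and a client can be audited for drift after the policy applies. The GPO name W10-Privacy-Hardening and the two function names are assumptions of this example.

```powershell
# Added example (not from the original article): the settings configured above,
# as the registry values the corresponding ADMX policies write. Provision them
# into a GPO with the RSAT GroupPolicy module, then audit a client for drift.
# The GPO name and function names are this example's own choices.
$HardeningPolicies = @(
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection'; Name = 'AllowTelemetry'; Value = 0 }                  # Allow telemetry: 0
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection'; Name = 'DoNotShowFeedbackNotifications'; Value = 1 }  # Feedback notifications: Enabled
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds'; Name = 'AllowBuildPreview'; Value = 0 }                # Insider builds: Disabled
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'; Name = 'LocalSettingOverrideSpynetReporting'; Value = 0 }  # MAPS local override: Disabled
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'; Name = 'SubmitSamplesConsent'; Value = 2 }           # Send samples: Never send
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search'; Name = 'AllowCortana'; Value = 0 }                    # Allow Cortana: Disabled
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search'; Name = 'AllowCortanaAboveLock'; Value = 0 }           # Cortana above lock: Disabled
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search'; Name = 'AllowIndexingEncryptedStoresOrItems'; Value = 0 }  # Index encrypted files: Disabled
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search'; Name = 'DisableWebSearch'; Value = 1 }                # Do not allow web search: Enabled
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search'; Name = 'ConnectedSearchPrivacy'; Value = 3 }          # 3 = Anonymous information
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search'; Name = 'ConnectedSearchUseWeb'; Value = 0 }           # No web results: Enabled
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'; Name = 'DisableLocation'; Value = 1 }             # Location service off: Enabled
)

# On a domain controller with RSAT: create the GPO (once) and write every value into it.
# Linking it to an OU with New-GPLink is left to the administrator.
function New-PrivacyHardeningGpo {
    param([string]$GpoName = 'W10-Privacy-Hardening')
    Import-Module GroupPolicy
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Telemetry, MAPS, Search and Location hardening' }
    foreach ($p in $HardeningPolicies) {
        Set-GPRegistryValue -Name $GpoName -Key $p.Key -ValueName $p.Name -Type DWord -Value $p.Value | Out-Null
    }
    return $gpo
}

# On a client after 'gpupdate /force': compare the applied policy values with the expected ones.
# A missing value ($null) means the policy never reached this machine and is reported as DRIFT.
function Test-PrivacyHardening {
    foreach ($p in $HardeningPolicies) {
        $path   = $p.Key -replace '^HKLM\\', 'HKLM:\'
        $actual = (Get-ItemProperty -Path $path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        [pscustomobject]@{
            Policy   = $p.Name
            Expected = $p.Value
            Actual   = $actual
            Status   = if ($actual -eq $p.Value) { 'OK' } else { 'DRIFT' }
        }
    }
}

Test-PrivacyHardening | Format-Table -AutoSize
```

Run New-PrivacyHardeningGpo on the domain controller and the audit function on a workstation; Get-GPRegistryValue against the resulting GPO, or the ADMX files in PolicyDefinitions, confirms the value names for your template version.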
