From 4a067e4dab167bed8f9fd259f6f2007346dce713 Mon Sep 17 00:00:00 2001 From: Ralf Bosz Date: Wed, 1 Jun 2022 13:03:14 +0200 Subject: [PATCH] This commit moves up all local changes - add User configuration policies - update 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' policy - fix 'Configure detection for potentially unwanted applications' policy (removed spaces) - add windows 2022 extra checks - add Firewall settings to policy - fix 'Turn off the offer to update to the latest version of Windows' policy - add new policy settings - 'Configure SMB v1 client' This setting may need to be set to `['Bowser','MRxSmb20','NSI']` when using the `Configure SMB v1 client driver` policy - fix 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' enabled = 1 (was 3) was changes in previous release but needs more testing and has been rolled back. - add new policy settings - Turn off Windows Error Reporting (PCHealth) - Do not allow drive redirection - Turn on behavior monitoring - Scan removable drives - Turn on e-mail scanning - Configure Attack Surface Reduction rules - Prevent users and apps from accessing dangerous websites - Configure detection for potentially unwanted applications - Minimize the number of simultaneous connections to the Internet or a Windows Domain (enabled = 3, was 1) - add new policy settings for windows 2019 - Turn Off notifications network usage - Encryption Oracle Remediation - Enumeration policy for external devices incompatible with Kernel DMA Protection - Allow Clipboard synchronization across devices - Allow upload of User Activities - Require use of specific security layer for remote (RDP) connections - Require user authentication for remote connections by using Network Level Authentication - Prevent users from modifying settings - make a backup of the registry.pol file - add new policy settings: - Configure SMB v1 client driver - Configure SMB v1 server - Remote host allows delegation of non-exportable credentials - Turn off picture password sign-in - Turn off Windows Location Provider - Configure local setting override for reporting to Microsoft MAPS - Require Mutual Authentication (NETLOGON) - Require Mutual Authentication (SYSVOL) - Allow Online Tips - Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service - Allow Message Service Cloud Sync - Block all consumer Microsoft account user authentication - add 'gpupdate /force /n' as a scheduled task to fix 'illegal' changes to the registry --- .fixtures.yml | 2 + .rubocop.yml | 145 +- CHANGELOG | 29 - CHANGELOG.md | 93 + Gemfile | 85 +- README.md | 55 +- Rakefile | 112 +- appveyor.yml | 33 +- .../provider/advanced_security_policy/lgpo.rb | 68 +- lib/puppet_x/asp/security_policy.rb | 2952 ++++++++++------- manifests/init.pp | 31 +- metadata.json | 52 +- spec/classes/init_spec.rb | 17 + spec/spec_helper.rb | 55 +- ...rb => advanced_security_policy_disable.rb} | 20 +- .../type/advanced_security_policy_spec.rb | 2 +- 16 files changed, 2382 insertions(+), 1369 deletions(-) delete mode 100644 CHANGELOG create mode 100644 CHANGELOG.md create mode 100644 spec/classes/init_spec.rb rename spec/unit/puppet/provider/{advanced_security_policy_spec.rb => advanced_security_policy_disable.rb} (81%) diff --git a/.fixtures.yml b/.fixtures.yml index 3ecb608..1cbf237 100644 --- a/.fixtures.yml +++ b/.fixtures.yml @@ -1,3 +1,5 @@ fixtures: + repositories: + scheduled_task: 'https://github.com/puppetlabs/puppetlabs-scheduled_task' symlinks: advanced_security_policy: '#{source_dir}' diff --git a/.rubocop.yml b/.rubocop.yml index 8989e18..54e63ae 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -1,4 +1,141 @@ ---- -inherit_gem: - kpn-style: - - ruby-2.4.yml +--- +require: +- rubocop-rspec +- rubocop-i18n +AllCops: + DisplayCopNames: true + TargetRubyVersion: '2.1' + Include: + - "./**/*.rb" + Exclude: + - bin/* + - ".vendor/**/*" + - "**/Gemfile" + - "**/Rakefile" + - pkg/**/* + - spec/fixtures/**/* + - vendor/**/* + - "**/Puppetfile" + - "**/Vagrantfile" + - "**/Guardfile" +Metrics/LineLength: + Description: People have wide screens, use them. + Max: 200 +GetText: + Enabled: false +GetText/DecorateString: + Description: We don't want to decorate test output. + Exclude: + - spec/**/* + Enabled: false +RSpec/BeforeAfterAll: + Description: Beware of using after(:all) as it may cause state to leak between tests. + A necessary evil in acceptance testing. + Exclude: + - spec/acceptance/**/*.rb +RSpec/HookArgument: + Description: Prefer explicit :each argument, matching existing module's style + EnforcedStyle: each +Style/BlockDelimiters: + Description: Prefer braces for chaining. Mostly an aesthetical choice. Better to + be consistent then. + EnforcedStyle: braces_for_chaining +Style/ClassAndModuleChildren: + Description: Compact style reduces the required amount of indentation. + EnforcedStyle: compact +Style/EmptyElse: + Description: Enforce against empty else clauses, but allow `nil` for clarity. + EnforcedStyle: empty +Style/FormatString: + Description: Following the main puppet project's style, prefer the % format format. + EnforcedStyle: percent +Style/FormatStringToken: + Description: Following the main puppet project's style, prefer the simpler template + tokens over annotated ones. + EnforcedStyle: template +Style/Lambda: + Description: Prefer the keyword for easier discoverability. + EnforcedStyle: literal +Style/RegexpLiteral: + Description: Community preference. See https://github.com/voxpupuli/modulesync_config/issues/168 + EnforcedStyle: percent_r +Style/TernaryParentheses: + Description: Checks for use of parentheses around ternary conditions. Enforce parentheses + on complex expressions for better readability, but seriously consider breaking + it up. + EnforcedStyle: require_parentheses_when_complex +Style/TrailingCommaInArguments: + Description: Prefer always trailing comma on multiline argument lists. This makes + diffs, and re-ordering nicer. + EnforcedStyleForMultiline: comma +Style/TrailingCommaInLiteral: + Description: Prefer always trailing comma on multiline literals. This makes diffs, + and re-ordering nicer. + EnforcedStyleForMultiline: comma +Style/SymbolArray: + Description: Using percent style obscures symbolic intent of array's contents. + EnforcedStyle: brackets +RSpec/MessageSpies: + EnforcedStyle: receive +Style/Documentation: + Exclude: + - lib/puppet/parser/functions/**/* + - spec/**/* +Style/WordArray: + EnforcedStyle: brackets +Style/CollectionMethods: + Enabled: true +Style/MethodCalledOnDoEndBlock: + Enabled: true +Style/StringMethods: + Enabled: true +GetText/DecorateFunctionMessage: + Enabled: false +GetText/DecorateStringFormattingUsingInterpolation: + Enabled: false +GetText/DecorateStringFormattingUsingPercent: + Enabled: false +Layout/EndOfLine: + Enabled: false +Layout/IndentHeredoc: + Enabled: false +Metrics/AbcSize: + Enabled: false +Metrics/BlockLength: + Enabled: false +Metrics/ClassLength: + Enabled: false +Metrics/CyclomaticComplexity: + Enabled: false +Metrics/MethodLength: + Enabled: false +Metrics/ModuleLength: + Enabled: false +Metrics/ParameterLists: + Enabled: false +Metrics/PerceivedComplexity: + Enabled: false +RSpec/DescribeClass: + Enabled: false +RSpec/ExampleLength: + Enabled: false +RSpec/MessageExpectation: + Enabled: false +RSpec/MultipleExpectations: + Enabled: false +RSpec/NestedGroups: + Enabled: false +Style/AsciiComments: + Enabled: false +Style/IfUnlessModifier: + Enabled: false +Style/SymbolProc: + Enabled: false +Naming/MethodParameterName: + Enabled: false +RSpec/RepeatedExampleGroupBody: + Enabled: false +Style/MutableConstant: + Enabled: false +Lint/ConstantDefinitionInBlock: + Enabled: false diff --git a/CHANGELOG b/CHANGELOG deleted file mode 100644 index 69b5684..0000000 --- a/CHANGELOG +++ /dev/null @@ -1,29 +0,0 @@ -2018-04-04 Release 2.1.1 -- release to puppet forge - -2018-01-23 Release 2.1.0 -- allows configurable result for enabled and disabled -- policy_setting has changed to policy_value (same as local_security_policy) - -2017-12-19 Release 2.0.1 -- unknown (domain) policies already set on the system are ignored -- trying to set an unknown/invalid policy using puppet will still result in an error - -2017-12-04 Release 2.0.0 -- makes advanced security policy settings ensurable -- policy names are looked up in a list - -2017-11-28 Release 1.0.4 -- makes the provider case-insensitive - -2017-10-11 Release 1.0.3 -- change permission on lgpo.exe - -2017-07-06 Release 1.0.2 -- changed file persmissions because of missing administrator user - -2017-07-06 Release 1.0.1 -- add file lgpo.exe creation - -2017-07-06 Release 1.0.0 -- initial commit diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..40fd3e5 --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,93 @@ +2022-05-12 Release 3.0.0 +- add User configuration policies +- update 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' policy +- fix 'Configure detection for potentially unwanted applications' policy (removed spaces) +- add windows 2022 extra checks + +2022-05-11 Release 2.6.0 +- Add Firewall settings to policy + +2020-12-23 Release 2.5.3 +- fix 'Turn off the offer to update to the latest version of Windows' policy + +2020-06-08 Release 2.5.2 +- Add new policy settings + - 'Configure SMB v1 client' +This setting may need to be set to `['Bowser','MRxSmb20','NSI']` when using the `Configure SMB v1 client driver` policy + +2020-05-26 Release 2.5.1 +- fix 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' + enabled = 1 (was 3) + was changes in previous release but needs more testing and has been rolled back. + +2020-05-13 Release 2.5.0 +- Add new policy settings + - Turn off Windows Error Reporting (PCHealth) + - Do not allow drive redirection + - Turn on behavior monitoring + - Scan removable drives + - Turn on e-mail scanning + - Configure Attack Surface Reduction rules + - Prevent users and apps from accessing dangerous websites + - Configure detection for potentially unwanted applications + - Minimize the number of simultaneous connections to the Internet or a Windows Domain (enabled = 3, was 1) + +2019-09-25 Release 2.4.0 +- Add new policy settings for windows 2019 + - Turn Off notifications network usage + - Encryption Oracle Remediation + - Enumeration policy for external devices incompatible with Kernel DMA Protection + - Allow Clipboard synchronization across devices + - Allow upload of User Activities + - Require use of specific security layer for remote (RDP) connections + - Require user authentication for remote connections by using Network Level Authentication + - Prevent users from modifying settings + +2018-01-31 Release 2.3.0 +- make a backup of the registry.pol file +- Add new policy settings: + - Configure SMB v1 client driver + - Configure SMB v1 server + - Remote host allows delegation of non-exportable credentials + - Turn off picture password sign-in + - Turn off Windows Location Provider + - Configure local setting override for reporting to Microsoft MAPS + - Require Mutual Authentication (NETLOGON) + - Require Mutual Authentication (SYSVOL) + - Allow Online Tips + - Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service + - Allow Message Service Cloud Sync + - Block all consumer Microsoft account user authentication + +2018-11-15 Release 2.2.0 +- Add 'gpupdate /force /n' as a scheduled task to fix 'illegal' changes to the registry + +2018-04-04 Release 2.1.1 +- release to puppet forge + +2018-01-23 Release 2.1.0 +- allows configurable result for enabled and disabled +- policy_setting has changed to policy_value (same as local_security_policy) + +2017-12-19 Release 2.0.1 +- unknown (domain) policies already set on the system are ignored +- trying to set an unknown/invalid policy using puppet will still result in an error + +2017-12-04 Release 2.0.0 +- makes advanced security policy settings ensurable +- policy names are looked up in a list + +2017-11-28 Release 1.0.4 +- makes the provider case-insensitive + +2017-10-11 Release 1.0.3 +- change permission on lgpo.exe + +2017-07-06 Release 1.0.2 +- changed file persmissions because of missing administrator user + +2017-07-06 Release 1.0.1 +- add file lgpo.exe creation + +2017-07-06 Release 1.0.0 +- initial commit diff --git a/Gemfile b/Gemfile index bafacde..2aeab8e 100644 --- a/Gemfile +++ b/Gemfile @@ -1,19 +1,72 @@ source ENV['GEM_SOURCE'] || 'https://rubygems.org' -puppetversion = ENV.key?('PUPPET_VERSION') ? ENV['PUPPET_VERSION'] : ['>= 3.3'] -gem 'facter', '>= 1.7.0' -gem 'kpn-style' -gem 'metadata-json-lint' -gem 'puppet', puppetversion -gem 'puppet-lint', '>= 1.0.0' -gem 'puppetlabs_spec_helper', '>= 1.0.0' -gem 'rspec-puppet' - -# rspec must be v2 for ruby 1.8.7 -if RUBY_VERSION >= '1.8.7' && RUBY_VERSION < '1.9' - gem 'rake', '~> 10.0' - gem 'rspec', '~> 2.0' -else - # rubocop requires ruby >= 1.9 - gem 'rubocop' +def location_for(place_or_version, fake_version = nil) + git_url_regex = %r{\A(?(https?|git)[:@][^#]*)(#(?.*))?} + file_url_regex = %r{\Afile:\/\/(?.*)} + + if place_or_version && (git_url = place_or_version.match(git_url_regex)) + [fake_version, { git: git_url[:url], branch: git_url[:branch], require: false }].compact + elsif place_or_version && (file_url = place_or_version.match(file_url_regex)) + ['>= 0', { path: File.expand_path(file_url[:path]), require: false }] + else + [place_or_version, { require: false }] + end +end + +ruby_version_segments = Gem::Version.new(RUBY_VERSION.dup).segments +minor_version = ruby_version_segments[0..1].join('.') + +group :development do + gem "fast_gettext", '1.1.0', require: false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.1.0') + gem "fast_gettext", require: false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.1.0') + gem "json_pure", '<= 2.0.1', require: false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.0.0') + gem "json", '= 1.8.1', require: false if Gem::Version.new(RUBY_VERSION.dup) == Gem::Version.new('2.1.9') + gem "json", '= 2.0.4', require: false if Gem::Requirement.create('~> 2.4.2').satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) + gem "json", '= 2.1.0', require: false if Gem::Requirement.create(['>= 2.5.0', '< 2.7.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) + gem "rb-readline", '= 0.5.5', require: false, platforms: [:mswin, :mingw, :x64_mingw] + gem "puppet-module-posix-default-r#{minor_version}", '~> 0.3', require: false, platforms: [:ruby] + gem "puppet-module-posix-dev-r#{minor_version}", '~> 0.3', require: false, platforms: [:ruby] + gem "puppet-module-win-default-r#{minor_version}", '~> 0.3', require: false, platforms: [:mswin, :mingw, :x64_mingw] + gem "puppet-module-win-dev-r#{minor_version}", '~> 0.3', require: false, platforms: [:mswin, :mingw, :x64_mingw] +end + +puppet_version = ENV['PUPPET_GEM_VERSION'] +facter_version = ENV['FACTER_GEM_VERSION'] +hiera_version = ENV['HIERA_GEM_VERSION'] + +gems = {} + +gems['puppet'] = location_for(puppet_version) + +# If facter or hiera versions have been specified via the environment +# variables + +gems['facter'] = location_for(facter_version) if facter_version +gems['hiera'] = location_for(hiera_version) if hiera_version + +if Gem.win_platform? && puppet_version =~ %r{^(file:///|git://)} + # If we're using a Puppet gem on Windows which handles its own win32-xxx gem + # dependencies (>= 3.5.0), set the maximum versions (see PUP-6445). + gems['win32-dir'] = ['<= 0.4.9', require: false] + gems['win32-eventlog'] = ['<= 0.6.5', require: false] + gems['win32-process'] = ['<= 0.7.5', require: false] + gems['win32-security'] = ['<= 0.2.5', require: false] + gems['win32-service'] = ['0.8.8', require: false] +end + +gems.each do |gem_name, gem_params| + gem gem_name, *gem_params +end + +# Evaluate Gemfile.local and ~/.gemfile if they exist +extra_gemfiles = [ + "#{__FILE__}.local", + File.join(Dir.home, '.gemfile'), +] + +extra_gemfiles.each do |gemfile| + if File.file?(gemfile) && File.readable?(gemfile) + eval(File.read(gemfile), binding) + end end +# vim: syntax=ruby diff --git a/README.md b/README.md index 5c80c0f..216f674 100644 --- a/README.md +++ b/README.md @@ -2,22 +2,32 @@ #### Table of Contents -1. [Module Description](#module-description) -1. [Setup - The basics of getting started with advanced_security](#setup) - * [Setup Requirements](#setup-requirements) - * [What advanced_security_policy affects](#what-advanced_security_policy-affects) - * [Beginning with advanced_security_policy](#beginning-with-advanced_security_policy) -1. [Usage - Configuration options and additional functionality](#usage) -1. [Reference - An under-the-hood peek at what the module is doing and how](#reference) -1. [Limitations - OS compatibility, etc.](#limitations) -1. [Development - Guide for contributing to the module](#development) +- [advanced_security_policy](#advanced_security_policy) + - [Table of Contents](#table-of-contents) + - [Overview](#overview) + - [Module Description](#module-description) + - [Setup](#setup) + - [Setup Requirements](#setup-requirements) + - [What advanced_security_policy affects](#what-advanced_security_policy-affects) + - [Beginning with advanced_security_policy](#beginning-with-advanced_security_policy) + - [Usage](#usage) + - [Parameters](#parameters) + - [policy(resource) name (required)](#policyresource-name-required) + - [ensure](#ensure) + - [policy_value](#policy_value) + - [Examples](#examples) + - [Example: Setting multiple security policies](#example-setting-multiple-security-policies) + - [Reference](#reference) + - [Defined Types](#defined-types) + - [Provider](#provider) + - [Limitations](#limitations) + - [Development](#development) ## Overview This module sets and enforces the advanced security policies for windows. -We used Paul Cannons Local Security Policy as a 'blueprint' to read the policies from a template. ## Module Description -This module uses LGPO.exe (v2.2) to configure the advanced security policies on Windows. +This module uses LGPO.exe (v2.2) to configure the advanced security policies on Windows. LGPO.exe is a command-line utility that is designed to help automate management of Local Group Policy. It can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, as well as from formatted @@ -37,29 +47,32 @@ This module requires: ### What advanced_security_policy affects - Advanced security policies. - `C:\Windows\System32\GroupPolicy\Machine\Registry.pol` +- A backup is made of `C:\Windows\System32\GroupPolicy\Machine\Registry.pol` and is placed in `C:\Management\advanced_security\Registry.pol` ### Beginning with advanced_security_policy -To start using advanced_security_policy, +To start using advanced_security_policy, simply include the module and add the defined type statements in your profile. Then configure the policies you want to set. (for example in hiera) ## Usage +**When using `Configure SMB v1 client driver` you may also need to set `Configure SMB v1 client` to `['Bowser','MRxSmb20','NSI']` due to dependencies for this service** + ### Parameters #### policy(resource) name (required) -Type: 'String' -Default: '$title' -Values: Any valid advanced security subcategory +Type: 'String' +Default: '$title' +Values: Any valid advanced security subcategory Description: The policy name matches the name in the policy editor #### ensure -Type: 'String' -Default: 'present' -Values: 'present' or 'absent' -Description: When a policy is set, ensure will be 'present'. If a policy is to be set as 'not configured' then ensure must be set to 'absent'. +Type: 'String' +Default: 'present' +Values: 'present' or 'absent' +Description: When a policy is set, ensure will be 'present'. If a policy is to be set as 'not configured' then ensure must be set to 'absent'. #### policy_value -Type: 'String' +Type: 'String' Values: 'enabled', 'disabled' or a value Description: This is the value to be set for the policy. This can be 'enabled', 'disabled' or a value to be set. @@ -102,6 +115,8 @@ This module works on: - Windows 2008 R2 - Windows 2012 R2 - Windows 2016 +- Windows 2019 +- Windows 2022 ## Development diff --git a/Rakefile b/Rakefile index 60c2cbb..395df54 100644 --- a/Rakefile +++ b/Rakefile @@ -1,26 +1,86 @@ -require 'puppetlabs_spec_helper/rake_tasks' -require 'metadata-json-lint/rake_task' - -# Must clear as it will not override the existing puppet-lint rake task since we require to import for -# the PuppetLint::RakeTask -Rake::Task[:lint].clear -# Relative is not able to be set within the context of PuppetLint::RakeTask -PuppetLint.configuration.relative = true -PuppetLint::RakeTask.new(:lint) do |config| - config.fail_on_warnings = true - config.disable_checks = %w[ - 80chars - class_inherits_from_params_class - class_parameter_defaults - documentation - ] - config.ignore_paths = ['vendor/**/*.pp', 'spec/**/*.pp', 'pkg/**/*.pp'] -end - -desc 'Run syntax, lint, and spec tests.' -task test: [ - :syntax, - :lint, - :metadata_lint, - :spec, -] +require 'puppet_litmus/rake_tasks' if Bundler.rubygems.find_name('puppet_litmus').any? +require 'puppetlabs_spec_helper/rake_tasks' +require 'puppet-syntax/tasks/puppet-syntax' +require 'puppet_blacksmith/rake_tasks' if Bundler.rubygems.find_name('puppet-blacksmith').any? +require 'github_changelog_generator/task' if Bundler.rubygems.find_name('github_changelog_generator').any? +require 'puppet-strings/tasks' if Bundler.rubygems.find_name('puppet-strings').any? + +def changelog_user + return unless Rake.application.top_level_tasks.include? "changelog" + returnVal = nil || JSON.load(File.read('metadata.json'))['author'] + raise "unable to find the changelog_user in .sync.yml, or the author in metadata.json" if returnVal.nil? + puts "GitHubChangelogGenerator user:#{returnVal}" + returnVal +end + +def changelog_project + return unless Rake.application.top_level_tasks.include? "changelog" + + returnVal = nil + returnVal ||= begin + metadata_source = JSON.load(File.read('metadata.json'))['source'] + metadata_source_match = metadata_source && metadata_source.match(%r{.*\/([^\/]*?)(?:\.git)?\Z}) + + metadata_source_match && metadata_source_match[1] + end + + raise "unable to find the changelog_project in .sync.yml or calculate it from the source in metadata.json" if returnVal.nil? + + puts "GitHubChangelogGenerator project:#{returnVal}" + returnVal +end + +def changelog_future_release + return unless Rake.application.top_level_tasks.include? "changelog" + returnVal = "v%s" % JSON.load(File.read('metadata.json'))['version'] + raise "unable to find the future_release (version) in metadata.json" if returnVal.nil? + puts "GitHubChangelogGenerator future_release:#{returnVal}" + returnVal +end + +PuppetLint.configuration.send('disable_relative') + +if Bundler.rubygems.find_name('github_changelog_generator').any? + GitHubChangelogGenerator::RakeTask.new :changelog do |config| + raise "Set CHANGELOG_GITHUB_TOKEN environment variable eg 'export CHANGELOG_GITHUB_TOKEN=valid_token_here'" if Rake.application.top_level_tasks.include? "changelog" and ENV['CHANGELOG_GITHUB_TOKEN'].nil? + config.user = "#{changelog_user}" + config.project = "#{changelog_project}" + config.future_release = "#{changelog_future_release}" + config.exclude_labels = ['maintenance'] + config.header = "# Change log\n\nAll notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org)." + config.add_pr_wo_labels = true + config.issues = false + config.merge_prefix = "### UNCATEGORIZED PRS; GO LABEL THEM" + config.configure_sections = { + "Changed" => { + "prefix" => "### Changed", + "labels" => ["backwards-incompatible"], + }, + "Added" => { + "prefix" => "### Added", + "labels" => ["feature", "enhancement"], + }, + "Fixed" => { + "prefix" => "### Fixed", + "labels" => ["bugfix"], + }, + } + end +else + desc 'Generate a Changelog from GitHub' + task :changelog do + raise <= Gem::Version.new('2.2.2')" +EOM + end +end + diff --git a/appveyor.yml b/appveyor.yml index 5fd5e89..ec38949 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -1,4 +1,9 @@ +--- version: 1.1.x.{build} +branches: + only: + - master + - release skip_commits: message: /^\(?doc\)?.*/ clone_depth: 10 @@ -12,29 +17,23 @@ environment: matrix: - RUBY_VERSION: 24-x64 - CHECK: syntax lint - - - RUBY_VERSION: 24-x64 - CHECK: metadata_lint - - - RUBY_VERSION: 24-x64 - CHECK: rubocop - - - PUPPET_GEM_VERSION: ~> 4.0 - RUBY_VERSION: 21 - CHECK: spec - - - PUPPET_GEM_VERSION: ~> 4.0 - RUBY_VERSION: 21-x64 - CHECK: spec + CHECK: syntax lint metadata_lint check:symlinks check:git_ignore check:dot_underscore check:test_file rubocop - PUPPET_GEM_VERSION: ~> 5.0 RUBY_VERSION: 24 - CHECK: spec + CHECK: parallel_spec - PUPPET_GEM_VERSION: ~> 5.0 RUBY_VERSION: 24-x64 - CHECK: spec + CHECK: parallel_spec + - + PUPPET_GEM_VERSION: ~> 6.0 + RUBY_VERSION: 25 + CHECK: parallel_spec + - + PUPPET_GEM_VERSION: ~> 6.0 + RUBY_VERSION: 25-x64 + CHECK: parallel_spec matrix: fast_finish: true install: diff --git a/lib/puppet/provider/advanced_security_policy/lgpo.rb b/lib/puppet/provider/advanced_security_policy/lgpo.rb index bb3b09a..b97e230 100644 --- a/lib/puppet/provider/advanced_security_policy/lgpo.rb +++ b/lib/puppet/provider/advanced_security_policy/lgpo.rb @@ -5,8 +5,9 @@ require 'puppet_x/asp/security_policy' Puppet::Type.type(:advanced_security_policy).provide(:lgpo) do - TEMP_FILE = 'C:\\windows\\temp\\lgpotemp.txt' - REGISTRY_FILE = 'C:\\Windows\\System32\\GroupPolicy\\Machine\\Registry.pol' + TEMP_FILE = 'C:\\windows\\temp\\lgpotemp.txt' + REGISTRY_FILE_MACHINE = 'C:\\Windows\\System32\\GroupPolicy\\Machine\\Registry.pol' + REGISTRY_FILE_USER = 'C:\\Windows\\System32\\GroupPolicy\\User\\Registry.pol' confine osfamily: :windows defaultfor osfamily: :windows @@ -28,7 +29,8 @@ def flush if policy_hash[:data_type] == 'boolean' policy_value = (resource[:policy_value] == 'enabled') ? policy_hash[:enabled_value] : policy_hash[:disabled_value] elsif !resource[:policy_value].nil? - policy_value = resource[:policy_value].downcase + # policy_value = resource[:policy_value].downcase + policy_value = resource[:policy_value] end configuration = policy_hash[:configuration] @@ -52,8 +54,12 @@ def self.write_setting_to_tempfile(configuration, registry_key, value_name, acti out_file.close end - def self.registry_file_exists - File.file? REGISTRY_FILE + def self.registry_file_exists_machine + File.file? REGISTRY_FILE_MACHINE + end + + def self.registry_file_exists_user + File.file? REGISTRY_FILE_USER end def exists? @@ -72,13 +78,14 @@ def destroy @resource[:action] = 'DELETE' end - def self.configuration_is_computer(action, policy_values) + def self.configuration_is(action, policy_values) if ['DELETE', 'SZ:'].include?(action) ensure_value = :absent policy_setting = action else ensure_value = :present - policy_setting = (policy_values[:data_type] == 'boolean') ? policy_datatype_boolean(action, policy_values[:enabled_value]) : action.split(':')[1].downcase + # policy_setting = (policy_values[:data_type] == 'boolean') ? policy_datatype_boolean(action, policy_values[:enabled_value]) : action.split(':')[1].downcase + policy_setting = (policy_values[:data_type] == 'boolean') ? policy_datatype_boolean(action, policy_values[:enabled_value]) : action.split(':')[1] end [ensure_value, policy_setting] @@ -91,8 +98,8 @@ def self.policy_datatype_boolean(action, enabled_value) def self.instances instances = [] - if registry_file_exists - categories = securitypol('/parse', '/q', '/m', REGISTRY_FILE) + if registry_file_exists_machine + categories = securitypol('/parse', '/q', '/m', REGISTRY_FILE_MACHINE) line_array = categories.split("\n").drop(4) entries = line_array.each_slice(5) @@ -100,28 +107,61 @@ def self.instances configuration = entry_array[0] next unless configuration == 'Computer' + + registry_key = entry_array[1] + value_name = entry_array[2] + # action = entry_array[3].upcase + action = entry_array[3] + registry_value = "#{registry_key}\\#{value_name}" + policy_desc, policy_values = AdvancedSecurityPolicy.find_mapping_from_policy_name(registry_value) + + next if policy_desc.nil? + + ensure_value, policy_setting = configuration_is(action, policy_values) + policy_hash = { + name: policy_desc, + ensure: ensure_value, + policy_value: policy_setting, + } + instances << new(policy_hash) + end + end + + if registry_file_exists_user + categories = securitypol('/parse', '/q', '/u', REGISTRY_FILE_USER) + line_array = categories.split("\n").drop(4) + entries = line_array.each_slice(5) + + entries.map do |entry_array| + configuration = entry_array[0] + + next unless configuration == 'User' + registry_key = entry_array[1] value_name = entry_array[2] - action = entry_array[3].upcase + # action = entry_array[3].upcase + action = entry_array[3] registry_value = "#{registry_key}\\#{value_name}" policy_desc, policy_values = AdvancedSecurityPolicy.find_mapping_from_policy_name(registry_value) next if policy_desc.nil? - ensure_value, policy_setting = configuration_is_computer(action, policy_values) + + ensure_value, policy_setting = configuration_is(action, policy_values) policy_hash = { - name: policy_desc, - ensure: ensure_value, + name: policy_desc, + ensure: ensure_value, policy_value: policy_setting, } instances << new(policy_hash) end end + instances end def self.prefetch(resources) policies = instances - resources.keys.each do |name| + resources.each_key do |name| if (provider = policies.find { |policy| policy.name == name }) resources[name].provider = provider end diff --git a/lib/puppet_x/asp/security_policy.rb b/lib/puppet_x/asp/security_policy.rb index 6a77c3c..410a9ca 100644 --- a/lib/puppet_x/asp/security_policy.rb +++ b/lib/puppet_x/asp/security_policy.rb @@ -21,1688 +21,2258 @@ def self.find_mapping_from_policy_desc(desc) unless value raise KeyError, "#{desc} is not a valid policy" end + value end def self.asp_mapping @asp_mapping ||= { 'Prevent enabling lock screen camera' => { - name: 'Software\Policies\Microsoft\Windows\Personalization\NoLockScreenCamera', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\Personalization', - value_name: 'NoLockScreenCamera', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\Personalization\NoLockScreenCamera', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Personalization', + value_name: 'NoLockScreenCamera', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Prevent enabling lock screen slide show' => { - name: 'Software\Policies\Microsoft\Windows\Personalization\NoLockScreenSlideshow', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\Personalization', - value_name: 'NoLockScreenSlideshow', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\Personalization\NoLockScreenSlideshow', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Personalization', + value_name: 'NoLockScreenSlideshow', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Allow Input Personalization' => { - name: 'Software\Policies\Microsoft\InputPersonalization\AllowInputPersonalization', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\InputPersonalization', - value_name: 'AllowInputPersonalization', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\InputPersonalization\AllowInputPersonalization', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\InputPersonalization', + value_name: 'AllowInputPersonalization', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' => { - name: 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon', - configuration: 'Computer', - registry_key: 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon', - value_name: 'AutoAdminLogon', - reg_type: 'SZ', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon', + value_name: 'AutoAdminLogon', + reg_type: 'SZ', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' => { - name: 'System\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting', - configuration: 'Computer', - registry_key: 'System\CurrentControlSet\Services\Tcpip6\Parameters', - value_name: 'DisableIPSourceRouting', - reg_type: 'DWORD', - data_type: 'string', + name: 'System\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting', + configuration: 'Computer', + registry_key: 'System\CurrentControlSet\Services\Tcpip6\Parameters', + value_name: 'DisableIPSourceRouting', + reg_type: 'DWORD', + data_type: 'string', }, 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' => { - name: 'System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting', - configuration: 'Computer', - registry_key: 'System\CurrentControlSet\Services\Tcpip\Parameters', - value_name: 'DisableIPSourceRouting', - reg_type: 'DWORD', - data_type: 'string', + name: 'System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting', + configuration: 'Computer', + registry_key: 'System\CurrentControlSet\Services\Tcpip\Parameters', + value_name: 'DisableIPSourceRouting', + reg_type: 'DWORD', + data_type: 'string', disabled_value: '0', }, 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' => { - name: 'System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect', - configuration: 'Computer', - registry_key: 'System\CurrentControlSet\Services\Tcpip\Parameters', - value_name: 'EnableICMPRedirect', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect', + configuration: 'Computer', + registry_key: 'System\CurrentControlSet\Services\Tcpip\Parameters', + value_name: 'EnableICMPRedirect', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' => { - name: 'System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime', - configuration: 'Computer', - registry_key: 'System\CurrentControlSet\Services\Tcpip\Parameters', - value_name: 'KeepAliveTime', - reg_type: 'DWORD', - data_type: 'string', + name: 'System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime', + configuration: 'Computer', + registry_key: 'System\CurrentControlSet\Services\Tcpip\Parameters', + value_name: 'KeepAliveTime', + reg_type: 'DWORD', + data_type: 'string', }, 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' => { - name: 'System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand', - configuration: 'Computer', - registry_key: 'System\CurrentControlSet\Services\Netbt\Parameters', - value_name: 'NoNameReleaseOnDemand', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand', + configuration: 'Computer', + registry_key: 'System\CurrentControlSet\Services\Netbt\Parameters', + value_name: 'NoNameReleaseOnDemand', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' => { - name: 'System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery', - configuration: 'Computer', - registry_key: 'System\CurrentControlSet\Services\Tcpip\Parameters', - value_name: 'PerformRouterDiscovery', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery', + configuration: 'Computer', + registry_key: 'System\CurrentControlSet\Services\Tcpip\Parameters', + value_name: 'PerformRouterDiscovery', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' => { - name: 'System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode', - configuration: 'Computer', - registry_key: 'System\CurrentControlSet\Control\Session Manager', - value_name: 'SafeDllSearchMode', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode', + configuration: 'Computer', + registry_key: 'System\CurrentControlSet\Control\Session Manager', + value_name: 'SafeDllSearchMode', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' => { - name: 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod', - configuration: 'Computer', - registry_key: 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon', - value_name: 'ScreenSaverGracePeriod', - reg_type: 'SZ', - data_type: 'string', + name: 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon', + value_name: 'ScreenSaverGracePeriod', + reg_type: 'SZ', + data_type: 'string', }, 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' => { - name: 'System\CurrentControlSet\Services\Tcpip6\Parameters\TcpMaxDataRetransmissions', - configuration: 'Computer', - registry_key: 'System\CurrentControlSet\Services\Tcpip6\Parameters', - value_name: 'TcpMaxDataRetransmissions', - reg_type: 'DWORD', - data_type: 'string', + name: 'System\CurrentControlSet\Services\Tcpip6\Parameters\TcpMaxDataRetransmissions', + configuration: 'Computer', + registry_key: 'System\CurrentControlSet\Services\Tcpip6\Parameters', + value_name: 'TcpMaxDataRetransmissions', + reg_type: 'DWORD', + data_type: 'string', }, 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' => { - name: 'System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions', - configuration: 'Computer', - registry_key: 'System\CurrentControlSet\Services\Tcpip\Parameters', - value_name: 'TcpMaxDataRetransmissions', - reg_type: 'DWORD', - data_type: 'string', + name: 'System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions', + configuration: 'Computer', + registry_key: 'System\CurrentControlSet\Services\Tcpip\Parameters', + value_name: 'TcpMaxDataRetransmissions', + reg_type: 'DWORD', + data_type: 'string', }, 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' => { - name: 'System\CurrentControlSet\Services\Eventlog\Security\WarningLevel', - configuration: 'Computer', - registry_key: 'System\CurrentControlSet\Services\Eventlog\Security', - value_name: 'WarningLevel', - reg_type: 'DWORD', - data_type: 'string', + name: 'System\CurrentControlSet\Services\Eventlog\Security\WarningLevel', + configuration: 'Computer', + registry_key: 'System\CurrentControlSet\Services\Eventlog\Security', + value_name: 'WarningLevel', + reg_type: 'DWORD', + data_type: 'string', }, 'NetBIOS node type' => { - name: 'System\CurrentControlSet\Services\Netbt\Parameters\NodeType', - configuration: 'Computer', - registry_key: 'System\CurrentControlSet\Services\Netbt\Parameters', - value_name: 'NodeType', - reg_type: 'DWORD', - data_type: 'string', + name: 'System\CurrentControlSet\Services\Netbt\Parameters\NodeType', + configuration: 'Computer', + registry_key: 'System\CurrentControlSet\Services\Netbt\Parameters', + value_name: 'NodeType', + reg_type: 'DWORD', + data_type: 'string', }, 'Turn off multicast name resolution' => { - name: 'Software\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows NT\DNSClient', - value_name: 'EnableMulticast', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '0', + name: 'Software\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows NT\DNSClient', + value_name: 'EnableMulticast', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '0', disabled_value: '1', }, 'Enable Font Providers' => { - name: 'Software\Policies\Microsoft\Windows\System\EnableFontProviders', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\System', - value_name: 'EnableFontProviders', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\System\EnableFontProviders', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\System', + value_name: 'EnableFontProviders', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Enable insecure guest logons' => { - name: 'Software\Policies\Microsoft\Windows\LanmanWorkstation\AllowInsecureGuestAuth', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\LanmanWorkstation', - value_name: 'AllowInsecureGuestAuth', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\LanmanWorkstation\AllowInsecureGuestAuth', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\LanmanWorkstation', + value_name: 'AllowInsecureGuestAuth', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Turn on Mapper I/O (LLTDIO) driver (EnableLLTDIO)' => { - name: 'Software\Policies\Microsoft\Windows\LLTD\EnableLLTDIO', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\LLTD', - value_name: 'EnableLLTDIO', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\LLTD\EnableLLTDIO', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\LLTD', + value_name: 'EnableLLTDIO', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Turn on Mapper I/O (LLTDIO) driver (AllowLLTDIOOndomain)' => { - name: 'Software\Policies\Microsoft\Windows\LLTD\AllowLLTDIOOndomain', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\LLTD', - value_name: 'AllowLLTDIOOndomain', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\LLTD\AllowLLTDIOOndomain', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\LLTD', + value_name: 'AllowLLTDIOOndomain', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Turn on Mapper I/O (LLTDIO) driver (AllowLLTDIOOnPublicNet)' => { - name: 'Software\Policies\Microsoft\Windows\LLTD\AllowLLTDIOOnPublicNet', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\LLTD', - value_name: 'AllowLLTDIOOnPublicNet', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\LLTD\AllowLLTDIOOnPublicNet', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\LLTD', + value_name: 'AllowLLTDIOOnPublicNet', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Turn on Mapper I/O (LLTDIO) driver (ProhibitLLTDIOOnPrivateNet)' => { - name: 'Software\Policies\Microsoft\Windows\LLTD\ProhibitLLTDIOOnPrivateNet', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\LLTD', - value_name: 'ProhibitLLTDIOOnPrivateNet', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\LLTD\ProhibitLLTDIOOnPrivateNet', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\LLTD', + value_name: 'ProhibitLLTDIOOnPrivateNet', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Turn on Responder (RSPNDR) driver (EnableRspndr)' => { - name: 'Software\Policies\Microsoft\Windows\LLTD\EnableRspndr', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\LLTD', - value_name: 'EnableRspndr', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\LLTD\EnableRspndr', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\LLTD', + value_name: 'EnableRspndr', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Turn on Responder (RSPNDR) driver (AllowRspndrOndomain)' => { - name: 'Software\Policies\Microsoft\Windows\LLTD\AllowRspndrOndomain', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\LLTD', - value_name: 'AllowRspndrOndomain', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\LLTD\AllowRspndrOndomain', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\LLTD', + value_name: 'AllowRspndrOndomain', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Turn on Responder (RSPNDR) driver (AllowRspndrOnPublicNet)' => { - name: 'Software\Policies\Microsoft\Windows\LLTD\AllowRspndrOnPublicNet', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\LLTD', - value_name: 'AllowRspndrOnPublicNet', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\LLTD\AllowRspndrOnPublicNet', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\LLTD', + value_name: 'AllowRspndrOnPublicNet', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Turn on Responder (RSPNDR) driver (ProhibitRspndrOnPrivateNet)' => { - name: 'Software\Policies\Microsoft\Windows\LLTD\ProhibitRspndrOnPrivateNet', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\LLTD', - value_name: 'ProhibitRspndrOnPrivateNet', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\LLTD\ProhibitRspndrOnPrivateNet', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\LLTD', + value_name: 'ProhibitRspndrOnPrivateNet', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Turn off Microsoft Peer-to-Peer Networking Services' => { - name: 'Software\Policies\Microsoft\Peernet\Disabled', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Peernet', - value_name: 'Disabled', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Peernet\Disabled', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Peernet', + value_name: 'Disabled', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Prohibit installation and configuration of Network Bridge on your DNS domain network' => { - name: 'Software\Policies\Microsoft\Windows\Network Connections\NC_AllowNetBridge_NLA', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\Network Connections', - value_name: 'NC_AllowNetBridge_NLA', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '0', + name: 'Software\Policies\Microsoft\Windows\Network Connections\NC_AllowNetBridge_NLA', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Network Connections', + value_name: 'NC_AllowNetBridge_NLA', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '0', disabled_value: '1', }, 'Require domain users to elevate when setting a network`s location' => { - name: 'Software\Policies\Microsoft\Windows\Network Connections\NC_StdDomainUserSetLocation', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\Network Connections', - value_name: 'NC_StdDomainUserSetLocation', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\Network Connections\NC_StdDomainUserSetLocation', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Network Connections', + value_name: 'NC_StdDomainUserSetLocation', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Prohibit use of Internet Connection Sharing on your DNS domain network' => { - name: 'Software\Policies\Microsoft\Windows\Network Connections\NC_ShowSharedAccessUI', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\Network Connections', - value_name: 'NC_ShowSharedAccessUI', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '0', + name: 'Software\Policies\Microsoft\Windows\Network Connections\NC_ShowSharedAccessUI', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Network Connections', + value_name: 'NC_ShowSharedAccessUI', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '0', disabled_value: '1', }, 'Configuration of wireless settings using Windows Connect Now (EnableRegistrars)' => { - name: 'Software\Policies\Microsoft\Windows\WCN\Registrars\EnableRegistrars', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\WCN\Registrars', - value_name: 'EnableRegistrars', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\WCN\Registrars\EnableRegistrars', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\WCN\Registrars', + value_name: 'EnableRegistrars', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Configuration of wireless settings using Windows Connect Now (DisableUPnPRegistrar)' => { - name: 'Software\Policies\Microsoft\Windows\WCN\Registrars\DisableUPnPRegistrar', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\WCN\Registrars', - value_name: 'DisableUPnPRegistrar', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\WCN\Registrars\DisableUPnPRegistrar', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\WCN\Registrars', + value_name: 'DisableUPnPRegistrar', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Configuration of wireless settings using Windows Connect Now (DisableInBand802DOT11Registrar)' => { - name: 'Software\Policies\Microsoft\Windows\WCN\Registrars\DisableInBand802DOT11Registrar', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\WCN\Registrars', - value_name: 'DisableInBand802DOT11Registrar', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\WCN\Registrars\DisableInBand802DOT11Registrar', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\WCN\Registrars', + value_name: 'DisableInBand802DOT11Registrar', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Configuration of wireless settings using Windows Connect Now (DisableFlashConfigRegistrar)' => { - name: 'Software\Policies\Microsoft\Windows\WCN\Registrars\DisableFlashConfigRegistrar', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\WCN\Registrars', - value_name: 'DisableFlashConfigRegistrar', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\WCN\Registrars\DisableFlashConfigRegistrar', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\WCN\Registrars', + value_name: 'DisableFlashConfigRegistrar', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Configuration of wireless settings using Windows Connect Now (DisableWPDRegistrar)' => { - name: 'Software\Policies\Microsoft\Windows\WCN\Registrars\DisableWPDRegistrar', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\WCN\Registrars', - value_name: 'DisableWPDRegistrar', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\WCN\Registrars\DisableWPDRegistrar', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\WCN\Registrars', + value_name: 'DisableWPDRegistrar', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Prohibit access of the Windows Connect Now wizards' => { - name: 'Software\Policies\Microsoft\Windows\WCN\UI\DisableWcnUi', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\WCN\UI', - value_name: 'DisableWcnUi', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\WCN\UI\DisableWcnUi', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\WCN\UI', + value_name: 'DisableWcnUi', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' => { - name: 'Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy\fMinimizeConnections', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy', - value_name: 'fMinimizeConnections', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', - disabled_value: '0', + name: 'Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy\fMinimizeConnections', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy', + value_name: 'fMinimizeConnections', + reg_type: 'DWORD', + data_type: 'string', }, 'Prohibit connection to non-domain networks when connected to domain authenticated network' => { - name: 'Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy\fBlockNonDomain', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy', - value_name: 'fBlockNonDomain', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy\fBlockNonDomain', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy', + value_name: 'fBlockNonDomain', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Turn off notifications network usage' => { + name: 'Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications\NoCloudApplicationNotification', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications', + value_name: 'NoCloudApplicationNotification', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Apply UAC restrictions to local accounts on network logons' => { - name: 'Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy', - configuration: 'Computer', - registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\System', - value_name: 'LocalAccountTokenFilterPolicy', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '0', + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\System', + value_name: 'LocalAccountTokenFilterPolicy', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '0', disabled_value: '1', }, 'WDigest Authentication' => { - name: 'System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential', - configuration: 'Computer', - registry_key: 'System\CurrentControlSet\Control\SecurityProviders\WDigest', - value_name: 'UseLogonCredential', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', - disabled_value: '0', + name: 'System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential', + configuration: 'Computer', + registry_key: 'System\CurrentControlSet\Control\SecurityProviders\WDigest', + value_name: 'UseLogonCredential', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Encryption Oracle Remediation' => { + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\AllowEncryptionOracle', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters', + value_name: 'AllowEncryptionOracle', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '0', + disabled_value: '1', }, 'Include command line in process creation events' => { - name: 'Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ProcessCreationIncludeCmdLine_Enabled', - configuration: 'Computer', - registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit', - value_name: 'ProcessCreationIncludeCmdLine_Enabled', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ProcessCreationIncludeCmdLine_Enabled', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit', + value_name: 'ProcessCreationIncludeCmdLine_Enabled', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Allow remote access to the Plug and Play interface' => { - name: 'Software\Policies\Microsoft\Windows\DeviceInstall\Settings\AllowRemoteRPC', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\DeviceInstall\Settings', - value_name: 'AllowRemoteRPC', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\DeviceInstall\Settings\AllowRemoteRPC', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\DeviceInstall\Settings', + value_name: 'AllowRemoteRPC', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Boot-Start Driver Initialization Policy' => { - name: 'System\CurrentControlSet\Policies\EarlyLaunch\DriverLoadPolicy', - configuration: 'Computer', - registry_key: 'System\CurrentControlSet\Policies\EarlyLaunch', - value_name: 'DriverLoadPolicy', - reg_type: 'DWORD', - data_type: 'string', + name: 'System\CurrentControlSet\Policies\EarlyLaunch\DriverLoadPolicy', + configuration: 'Computer', + registry_key: 'System\CurrentControlSet\Policies\EarlyLaunch', + value_name: 'DriverLoadPolicy', + reg_type: 'DWORD', + data_type: 'string', }, 'Configure registry policy processing: Do not apply during periodic background processing' => { - name: 'Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoBackgroundPolicy', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}', - value_name: 'NoBackgroundPolicy', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '0', + name: 'Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoBackgroundPolicy', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}', + value_name: 'NoBackgroundPolicy', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '0', disabled_value: '1', }, 'Configure registry policy processing: Process even if the Group Policy objects have not changed' => { - name: 'Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoGPOListChanges', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}', - value_name: 'NoGPOListChanges', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '0', + name: 'Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoGPOListChanges', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}', + value_name: 'NoGPOListChanges', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '0', disabled_value: '1', }, 'Turn off background refresh of Group Policy' => { - name: 'Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableBkGndGroupPolicy', - configuration: 'Computer', - registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\System', - value_name: 'DisableBkGndGroupPolicy', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableBkGndGroupPolicy', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\System', + value_name: 'DisableBkGndGroupPolicy', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Continue experiences on this device' => { - name: 'Software\Policies\Microsoft\Windows\System\EnableCdp', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\System', - value_name: 'EnableCdp', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\System\EnableCdp', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\System', + value_name: 'EnableCdp', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Turn off access to the Store' => { - name: 'Software\Policies\Microsoft\Windows\Explorer\NoUseStoreOpenWith', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\Explorer', - value_name: 'NoUseStoreOpenWith', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\Explorer\NoUseStoreOpenWith', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Explorer', + value_name: 'NoUseStoreOpenWith', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Turn off downloading of print drivers over HTTP' => { - name: 'Software\Policies\Microsoft\Windows NT\Printers\DisableWebPnPDownload', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows NT\Printers', - value_name: 'DisableWebPnPDownload', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows NT\Printers\DisableWebPnPDownload', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows NT\Printers', + value_name: 'DisableWebPnPDownload', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Turn off handwriting personalization data sharing' => { - name: 'Software\Policies\Microsoft\Windows\TabletPC\PreventHandwritingDataSharing', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\TabletPC', - value_name: 'PreventHandwritingDataSharing', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\TabletPC\PreventHandwritingDataSharing', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\TabletPC', + value_name: 'PreventHandwritingDataSharing', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Turn off handwriting recognition error reporting' => { - name: 'Software\Policies\Microsoft\Windows\HandwritingErrorReports\PreventHandwritingErrorReports', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\HandwritingErrorReports', - value_name: 'PreventHandwritingErrorReports', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\HandwritingErrorReports\PreventHandwritingErrorReports', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\HandwritingErrorReports', + value_name: 'PreventHandwritingErrorReports', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' => { - name: 'Software\Policies\Microsoft\Windows\Internet Connection Wizard\ExitOnMSICW', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\Internet Connection Wizard', - value_name: 'ExitOnMSICW', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\Internet Connection Wizard\ExitOnMSICW', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Internet Connection Wizard', + value_name: 'ExitOnMSICW', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Turn off Internet download for Web publishing and online ordering wizards' => { - name: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebServices', - configuration: 'Computer', - registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', - value_name: 'NoWebServices', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebServices', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', + value_name: 'NoWebServices', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Turn off Internet File Association service' => { - name: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetOpenWith', - configuration: 'Computer', - registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', - value_name: 'NoInternetOpenWith', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetOpenWith', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', + value_name: 'NoInternetOpenWith', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Turn off printing over HTTP' => { - name: 'Software\Policies\Microsoft\Windows NT\Printers\DisableHTTPPrinting', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows NT\Printers', - value_name: 'DisableHTTPPrinting', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows NT\Printers\DisableHTTPPrinting', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows NT\Printers', + value_name: 'DisableHTTPPrinting', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Turn off Registration if URL connection is referring to Microsoft.com' => { - name: 'Software\Policies\Microsoft\Windows\Registration Wizard Control\NoRegistration', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\Registration Wizard Control', - value_name: 'NoRegistration', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\Registration Wizard Control\NoRegistration', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Registration Wizard Control', + value_name: 'NoRegistration', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Turn off Search Companion content file updates' => { - name: 'Software\Policies\Microsoft\SearchCompanion\DisableContentFileUpdates', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\SearchCompanion', - value_name: 'DisableContentFileUpdates', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\SearchCompanion\DisableContentFileUpdates', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\SearchCompanion', + value_name: 'DisableContentFileUpdates', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Turn off the "Order Prints" picture task' => { - name: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoOnlinePrintsWizard', - configuration: 'Computer', - registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', - value_name: 'NoOnlinePrintsWizard', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoOnlinePrintsWizard', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', + value_name: 'NoOnlinePrintsWizard', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Turn off the "Publish to Web" task for files and folders' => { - name: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPublishingWizard', - configuration: 'Computer', - registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', - value_name: 'NoPublishingWizard', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPublishingWizard', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', + value_name: 'NoPublishingWizard', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Turn off the Windows Messenger Customer Experience Improvement Program' => { - name: 'Software\Policies\Microsoft\Messenger\Client\CEIP', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Messenger\Client', - value_name: 'CEIP', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '2', + name: 'Software\Policies\Microsoft\Messenger\Client\CEIP', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Messenger\Client', + value_name: 'CEIP', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '2', disabled_value: '1', }, 'Turn off Windows Customer Experience Improvement Program' => { - name: 'Software\Policies\Microsoft\SQMClient\Windows\CEIPEnable', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\SQMClient\Windows', - value_name: 'CEIPEnable', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '0', + name: 'Software\Policies\Microsoft\SQMClient\Windows\CEIPEnable', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\SQMClient\Windows', + value_name: 'CEIPEnable', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '0', disabled_value: '1', }, 'Turn off Windows Error Reporting' => { - name: 'Software\Policies\Microsoft\Windows\Windows Error Reporting\Disabled', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\Windows Error Reporting', - value_name: 'Disabled', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\Windows Error Reporting\Disabled', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Windows Error Reporting', + value_name: 'Disabled', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Support device authentication using certificate (DevicePKInitEnabled)' => { - name: 'Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters\DevicePKInitEnabled', - configuration: 'Computer', - registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters', - value_name: 'DevicePKInitEnabled', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '0', - disabled_value: '1', + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters\DevicePKInitEnabled', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters', + value_name: 'DevicePKInitEnabled', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', }, 'Support device authentication using certificate (DevicePKInitBehavior)' => { - name: 'Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters\DevicePKInitBehavior', - configuration: 'Computer', - registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters', - value_name: 'DevicePKInitBehavior', - reg_type: 'DWORD', - data_type: 'string', + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters\DevicePKInitBehavior', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters', + value_name: 'DevicePKInitBehavior', + reg_type: 'DWORD', + data_type: 'string', + }, + 'Enumeration policy for external devices incompatible with Kernel DMA Protection' => { + name: 'Software\Policies\Microsoft\Windows\Kernel DMA Protection\DeviceEnumerationPolicy', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Kernel DMA Protection', + value_name: 'DeviceEnumerationPolicy', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '0', + disabled_value: '1', }, 'Disallow copying of user input methods to the system account for sign-in' => { - name: 'Software\Policies\Microsoft\Control Panel\International\BlockUserInputMethodsForSignIn', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Control Panel\International', - value_name: 'BlockUserInputMethodsForSignIn', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Control Panel\International\BlockUserInputMethodsForSignIn', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Control Panel\International', + value_name: 'BlockUserInputMethodsForSignIn', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Always use classic logon' => { - name: 'Software\Microsoft\Windows\CurrentVersion\Policies\System\LogonType', - configuration: 'Computer', - registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\System', - value_name: 'LogonType', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '0', + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\System\LogonType', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\System', + value_name: 'LogonType', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '0', disabled_value: '1', }, 'Do not display network selection UI' => { - name: 'Software\Policies\Microsoft\Windows\System\DontDisplayNetworkSelectionUI', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\System', - value_name: 'DontDisplayNetworkSelectionUI', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\System\DontDisplayNetworkSelectionUI', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\System', + value_name: 'DontDisplayNetworkSelectionUI', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Do not enumerate connected users on domain-joined computers' => { - name: 'Software\Policies\Microsoft\Windows\System\DontEnumerateConnectedUsers', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\System', - value_name: 'DontEnumerateConnectedUsers', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\System\DontEnumerateConnectedUsers', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\System', + value_name: 'DontEnumerateConnectedUsers', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Enumerate local users on domain-joined computers' => { - name: 'Software\Policies\Microsoft\Windows\System\EnumerateLocalUsers', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\System', - value_name: 'EnumerateLocalUsers', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\System\EnumerateLocalUsers', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\System', + value_name: 'EnumerateLocalUsers', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Turn off app notifications on the lock screen' => { - name: 'Software\Policies\Microsoft\Windows\System\DisableLockScreenAppNotifications', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\System', - value_name: 'DisableLockScreenAppNotifications', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\System\DisableLockScreenAppNotifications', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\System', + value_name: 'DisableLockScreenAppNotifications', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Turn on convenience PIN sign-in' => { - name: 'Software\Policies\Microsoft\Windows\System\AllowDomainPINLogon', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\System', - value_name: 'AllowDomainPINLogon', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\System\AllowDomainPINLogon', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\System', + value_name: 'AllowDomainPINLogon', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Allow Clipboard synchronization across devices' => { + name: 'Software\Policies\Microsoft\Windows\System\AllowCrossDeviceClipboard', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\System', + value_name: 'AllowCrossDeviceClipboard', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Allow upload of User Activities' => { + name: 'Software\Policies\Microsoft\Windows\System\UploadUserActivities', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\System', + value_name: 'UploadUserActivities', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Block user from showing account details on sign-in' => { - name: 'Software\Policies\Microsoft\Windows\System\BlockUserFromShowingAccountDetailsOnSignin', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\System', - value_name: 'BlockUserFromShowingAccountDetailsOnSignin', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\System\BlockUserFromShowingAccountDetailsOnSignin', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\System', + value_name: 'BlockUserFromShowingAccountDetailsOnSignin', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Untrusted Font Blocking' => { - name: 'Software\Policies\Microsoft\Windows NT\MitigationOptions\MitigationOptions_FontBocking', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows NT\MitigationOptions', - value_name: 'MitigationOptions_FontBocking', - reg_type: 'SZ', - data_type: 'string', + name: 'Software\Policies\Microsoft\Windows NT\MitigationOptions\MitigationOptions_FontBocking', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows NT\MitigationOptions', + value_name: 'MitigationOptions_FontBocking', + reg_type: 'SZ', + data_type: 'string', }, 'Allow network connectivity during connected-standby (on battery)' => { - name: 'Software\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9\DCSettingIndex', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9', - value_name: 'DCSettingIndex', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9\DCSettingIndex', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9', + value_name: 'DCSettingIndex', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Allow network connectivity during connected-standby (plugged in)' => { - name: 'Software\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9\ACSettingIndex', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9', - value_name: 'ACSettingIndex', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9\ACSettingIndex', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9', + value_name: 'ACSettingIndex', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Require a password when a computer wakes (on battery)' => { - name: 'Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\DCSettingIndex', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51', - value_name: 'DCSettingIndex', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\DCSettingIndex', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51', + value_name: 'DCSettingIndex', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Require a password when a computer wakes (plugged in)' => { - name: 'Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ACSettingIndex', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51', - value_name: 'ACSettingIndex', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ACSettingIndex', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51', + value_name: 'ACSettingIndex', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Configure Offer Remote Assistance' => { - name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicited', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services', - value_name: 'fAllowUnsolicited', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicited', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services', + value_name: 'fAllowUnsolicited', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Configure Solicited Remote Assistance' => { - name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowToGetHelp', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services', - value_name: 'fAllowToGetHelp', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowToGetHelp', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services', + value_name: 'fAllowToGetHelp', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Enable RPC Endpoint Mapper Client Authentication' => { - name: 'Software\Policies\Microsoft\Windows NT\Rpc\EnableAuthEpResolution', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows NT\Rpc', - value_name: 'EnableAuthEpResolution', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows NT\Rpc\EnableAuthEpResolution', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows NT\Rpc', + value_name: 'EnableAuthEpResolution', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Restrict Unauthenticated RPC clients' => { - name: 'Software\Policies\Microsoft\Windows NT\Rpc\RestrictRemoteClients', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows NT\Rpc', - value_name: 'RestrictRemoteClients', - reg_type: 'DWORD', - data_type: 'string', + name: 'Software\Policies\Microsoft\Windows NT\Rpc\RestrictRemoteClients', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows NT\Rpc', + value_name: 'RestrictRemoteClients', + reg_type: 'DWORD', + data_type: 'string', disabled_value: '0', }, 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' => { - name: 'Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy\DisableQueryRemoteServer', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy', - value_name: 'DisableQueryRemoteServer', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy\DisableQueryRemoteServer', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy', + value_name: 'DisableQueryRemoteServer', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Enable/Disable PerfTrack' => { - name: 'Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\ScenarioExecutionEnabled', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}', - value_name: 'ScenarioExecutionEnabled', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\ScenarioExecutionEnabled', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}', + value_name: 'ScenarioExecutionEnabled', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Turn off the advertising ID' => { - name: 'Software\Policies\Microsoft\Windows\AdvertisingInfo\DisabledByGroupPolicy', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\AdvertisingInfo', - value_name: 'DisabledByGroupPolicy', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\AdvertisingInfo\DisabledByGroupPolicy', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\AdvertisingInfo', + value_name: 'DisabledByGroupPolicy', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Enable Windows NTP Client' => { - name: 'Software\Policies\Microsoft\W32time\TimeProviders\NtpClient\Enabled', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\W32time\TimeProviders\NtpClient', - value_name: 'Enabled', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\W32time\TimeProviders\NtpClient\Enabled', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\W32time\TimeProviders\NtpClient', + value_name: 'Enabled', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Enable Windows NTP Server' => { - name: 'Software\Policies\Microsoft\W32time\TimeProviders\NtpServer\Enabled', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\W32time\TimeProviders\NtpServer', - value_name: 'Enabled', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\W32time\TimeProviders\NtpServer\Enabled', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\W32time\TimeProviders\NtpServer', + value_name: 'Enabled', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Allow a Windows app to share application data between users' => { - name: 'Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager\AllowSharedLocalAppData', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager', - value_name: 'AllowSharedLocalAppData', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager\AllowSharedLocalAppData', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager', + value_name: 'AllowSharedLocalAppData', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Let Windows apps *' => { - name: 'Software\Policies\Microsoft\Windows\AppPrivacy\LetAppsAccessAccountInfo', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\AppPrivacy', - value_name: 'LetAppsAccessAccountInfo', - reg_type: 'DWORD', - data_type: 'string', + name: 'Software\Policies\Microsoft\Windows\AppPrivacy\LetAppsAccessAccountInfo', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\AppPrivacy', + value_name: 'LetAppsAccessAccountInfo', + reg_type: 'DWORD', + data_type: 'string', }, 'Allow Microsoft accounts to be optional' => { - name: 'Software\Microsoft\Windows\CurrentVersion\Policies\System\MSAOptional', - configuration: 'Computer', - registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\System', - value_name: 'MSAOptional', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\System\MSAOptional', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\System', + value_name: 'MSAOptional', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Block launching Windows Store apps with Windows Runtime API access from hosted content.' => { - name: 'Software\Microsoft\Windows\CurrentVersion\Policies\System\BlockHostedAppAccessWinRT', - configuration: 'Computer', - registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\System', - value_name: 'BlockHostedAppAccessWinRT', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\System\BlockHostedAppAccessWinRT', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\System', + value_name: 'BlockHostedAppAccessWinRT', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Disallow Autoplay for non-volume devices' => { - name: 'Software\Policies\Microsoft\Windows\Explorer\NoAutoplayfornonVolume', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\Explorer', - value_name: 'NoAutoplayfornonVolume', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\Explorer\NoAutoplayfornonVolume', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Explorer', + value_name: 'NoAutoplayfornonVolume', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Set the default behavior for AutoRun' => { - name: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoAutorun', - configuration: 'Computer', - registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', - value_name: 'NoAutorun', - reg_type: 'DWORD', - data_type: 'string', + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoAutorun', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', + value_name: 'NoAutorun', + reg_type: 'DWORD', + data_type: 'string', }, 'Turn off Autoplay' => { - name: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun', - configuration: 'Computer', - registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', - value_name: 'NoDriveTypeAutoRun', - reg_type: 'DWORD', - data_type: 'string', + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', + value_name: 'NoDriveTypeAutoRun', + reg_type: 'DWORD', + data_type: 'string', }, 'Use enhanced anti-spoofing when available' => { - name: 'Software\Policies\Microsoft\Biometrics\FacialFeatures\EnhancedAntiSpoofing', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Biometrics\FacialFeatures', - value_name: 'EnhancedAntiSpoofing', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Biometrics\FacialFeatures\EnhancedAntiSpoofing', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Biometrics\FacialFeatures', + value_name: 'EnhancedAntiSpoofing', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Allow Use of Camera' => { - name: 'Software\Policies\Microsoft\Camera\AllowCamera', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Camera', - value_name: 'AllowCamera', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Camera\AllowCamera', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Camera', + value_name: 'AllowCamera', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Turn off Microsoft consumer experiences' => { - name: 'Software\Policies\Microsoft\Windows\CloudContent\DisableWindowsConsumerFeatures', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\CloudContent', - value_name: 'DisableWindowsConsumerFeatures', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\CloudContent\DisableWindowsConsumerFeatures', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\CloudContent', + value_name: 'DisableWindowsConsumerFeatures', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Require pin for pairing' => { - name: 'Software\Policies\Microsoft\Windows\Connect\RequirePinForPairing', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\Connect', - value_name: 'RequirePinForPairing', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\Connect\RequirePinForPairing', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Connect', + value_name: 'RequirePinForPairing', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Do not display the password reveal button' => { - name: 'Software\Policies\Microsoft\Windows\CredUI\DisablePasswordReveal', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\CredUI', - value_name: 'DisablePasswordReveal', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\CredUI\DisablePasswordReveal', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\CredUI', + value_name: 'DisablePasswordReveal', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Enumerate administrator accounts on elevation' => { - name: 'Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators', - configuration: 'Computer', - registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\CredUI', - value_name: 'EnumerateAdministrators', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\CredUI', + value_name: 'EnumerateAdministrators', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Allow Telemetry' => { - name: 'Software\Policies\Microsoft\Windows\DataCollection\AllowTelemetry', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\DataCollection', - value_name: 'AllowTelemetry', - reg_type: 'DWORD', - data_type: 'string', + name: 'Software\Policies\Microsoft\Windows\DataCollection\AllowTelemetry', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\DataCollection', + value_name: 'AllowTelemetry', + reg_type: 'DWORD', + data_type: 'string', }, 'Disable pre-release features or settings' => { - name: 'Software\Policies\Microsoft\Windows\PreviewBuilds\EnableConfigFlighting', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\PreviewBuilds', - value_name: 'EnableConfigFlighting', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\PreviewBuilds\EnableConfigFlighting', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\PreviewBuilds', + value_name: 'EnableConfigFlighting', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Do not show feedback notifications' => { - name: 'Software\Policies\Microsoft\Windows\DataCollection\DoNotShowFeedbackNotifications', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\DataCollection', - value_name: 'DoNotShowFeedbackNotifications', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\DataCollection\DoNotShowFeedbackNotifications', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\DataCollection', + value_name: 'DoNotShowFeedbackNotifications', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Toggle user control over Insider builds' => { - name: 'Software\Policies\Microsoft\Windows\PreviewBuilds\AllowBuildPreview', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\PreviewBuilds', - value_name: 'AllowBuildPreview', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\PreviewBuilds\AllowBuildPreview', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\PreviewBuilds', + value_name: 'AllowBuildPreview', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Turn off desktop gadgets' => { - name: 'Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar\TurnOffSidebar', - configuration: 'Computer', - registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar', - value_name: 'TurnOffSidebar', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar\TurnOffSidebar', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar', + value_name: 'TurnOffSidebar', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Turn Off user-installed desktop gadgets' => { - name: 'Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar\TurnOffUserInstalledGadgets', - configuration: 'Computer', - registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar', - value_name: 'TurnOffUserInstalledGadgets', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar\TurnOffUserInstalledGadgets', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar', + value_name: 'TurnOffUserInstalledGadgets', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Application: Control Event Log behavior when the log file reaches its maximum size' => { - name: 'Software\Policies\Microsoft\Windows\EventLog\Application\Retention', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\EventLog\Application', - value_name: 'Retention', - reg_type: 'SZ', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\EventLog\Application\Retention', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\EventLog\Application', + value_name: 'Retention', + reg_type: 'SZ', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Application: Specify the maximum log file size (KB)' => { - name: 'Software\Policies\Microsoft\Windows\EventLog\Application\MaxSize', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\EventLog\Application', - value_name: 'MaxSize', - reg_type: 'DWORD', - data_type: 'string', + name: 'Software\Policies\Microsoft\Windows\EventLog\Application\MaxSize', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\EventLog\Application', + value_name: 'MaxSize', + reg_type: 'DWORD', + data_type: 'string', }, 'Security: Control Event Log behavior when the log file reaches its maximum size' => { - name: 'Software\Policies\Microsoft\Windows\EventLog\Security\Retention', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\EventLog\Security', - value_name: 'Retention', - reg_type: 'SZ', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\EventLog\Security\Retention', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\EventLog\Security', + value_name: 'Retention', + reg_type: 'SZ', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Security: Specify the maximum log file size (KB)' => { - name: 'Software\Policies\Microsoft\Windows\EventLog\Security\MaxSize', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\EventLog\Security', - value_name: 'MaxSize', - reg_type: 'DWORD', - data_type: 'string', + name: 'Software\Policies\Microsoft\Windows\EventLog\Security\MaxSize', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\EventLog\Security', + value_name: 'MaxSize', + reg_type: 'DWORD', + data_type: 'string', }, 'Setup: Control Event Log behavior when the log file reaches its maximum size' => { - name: 'Software\Policies\Microsoft\Windows\EventLog\Setup\Retention', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\EventLog\Setup', - value_name: 'Retention', - reg_type: 'SZ', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\EventLog\Setup\Retention', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\EventLog\Setup', + value_name: 'Retention', + reg_type: 'SZ', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Setup: Specify the maximum log file size (KB)' => { - name: 'Software\Policies\Microsoft\Windows\EventLog\Setup\MaxSize', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\EventLog\Setup', - value_name: 'MaxSize', - reg_type: 'DWORD', - data_type: 'string', + name: 'Software\Policies\Microsoft\Windows\EventLog\Setup\MaxSize', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\EventLog\Setup', + value_name: 'MaxSize', + reg_type: 'DWORD', + data_type: 'string', }, 'System: Control Event Log behavior when the log file reaches its maximum size' => { - name: 'Software\Policies\Microsoft\Windows\EventLog\System\Retention', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\EventLog\System', - value_name: 'Retention', - reg_type: 'SZ', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\EventLog\System\Retention', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\EventLog\System', + value_name: 'Retention', + reg_type: 'SZ', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'System: Specify the maximum log file size (KB)' => { - name: 'Software\Policies\Microsoft\Windows\EventLog\System\MaxSize', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\EventLog\System', - value_name: 'MaxSize', - reg_type: 'DWORD', - data_type: 'string', + name: 'Software\Policies\Microsoft\Windows\EventLog\System\MaxSize', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\EventLog\System', + value_name: 'MaxSize', + reg_type: 'DWORD', + data_type: 'string', }, 'Configure Windows SmartScreen' => { - name: 'Software\Policies\Microsoft\Windows\System\EnableSmartScreen', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\System', - value_name: 'EnableSmartScreen', - reg_type: 'DWORD', - data_type: 'string', + name: 'Software\Policies\Microsoft\Windows\System\EnableSmartScreen', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\System', + value_name: 'EnableSmartScreen', + reg_type: 'DWORD', + data_type: 'string', + }, + 'Configure Windows SmartScreen (Level)' => { + name: 'Software\Policies\Microsoft\Windows\System\ShellSmartScreenLevel', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\System', + value_name: 'ShellSmartScreenLevel', + reg_type: 'SZ', + data_type: 'string', }, 'Turn off Data Execution Prevention for Explorer' => { - name: 'Software\Policies\Microsoft\Windows\Explorer\NoDataExecutionPrevention', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\Explorer', - value_name: 'NoDataExecutionPrevention', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\Explorer\NoDataExecutionPrevention', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Explorer', + value_name: 'NoDataExecutionPrevention', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Turn off heap termination on corruption' => { - name: 'Software\Policies\Microsoft\Windows\Explorer\NoHeapTerminationOnCorruption', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\Explorer', - value_name: 'NoHeapTerminationOnCorruption', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\Explorer\NoHeapTerminationOnCorruption', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Explorer', + value_name: 'NoHeapTerminationOnCorruption', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Turn off shell protocol protected mode' => { - name: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\PreXPSP2ShellProtocolBehavior', - configuration: 'Computer', - registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', - value_name: 'PreXPSP2ShellProtocolBehavior', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\PreXPSP2ShellProtocolBehavior', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', + value_name: 'PreXPSP2ShellProtocolBehavior', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Turn off location' => { - name: 'Software\Policies\Microsoft\Windows\LocationAndSensors\DisableLocation', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\LocationAndSensors', - value_name: 'DisableLocation', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\LocationAndSensors\DisableLocation', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\LocationAndSensors', + value_name: 'DisableLocation', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Allow Extensions' => { - name: 'Software\Policies\Microsoft\MicrosoftEdge\Extensions\ExtensionsEnabled', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\MicrosoftEdge\Extensions', - value_name: 'ExtensionsEnabled', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\MicrosoftEdge\Extensions\ExtensionsEnabled', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\MicrosoftEdge\Extensions', + value_name: 'ExtensionsEnabled', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Allow InPrivate Browsing' => { - name: 'Software\Policies\Microsoft\MicrosoftEdge\Main\AllowInPrivate', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\MicrosoftEdge\Main', - value_name: 'AllowInPrivate', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\MicrosoftEdge\Main\AllowInPrivate', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\MicrosoftEdge\Main', + value_name: 'AllowInPrivate', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Configure cookies' => { - name: 'Software\Policies\Microsoft\MicrosoftEdge\Main\Cookies', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\MicrosoftEdge\Main', - value_name: 'Cookies', - reg_type: 'DWORD', - data_type: 'string', + name: 'Software\Policies\Microsoft\MicrosoftEdge\Main\Cookies', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\MicrosoftEdge\Main', + value_name: 'Cookies', + reg_type: 'DWORD', + data_type: 'string', }, 'Configure Pop-up Blocker' => { - name: 'Software\Policies\Microsoft\MicrosoftEdge\Main\AllowPopups', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\MicrosoftEdge\Main', - value_name: 'AllowPopups', - reg_type: 'SZ', - data_type: 'string', + name: 'Software\Policies\Microsoft\MicrosoftEdge\Main\AllowPopups', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\MicrosoftEdge\Main', + value_name: 'AllowPopups', + reg_type: 'SZ', + data_type: 'string', }, 'Configure search suggestions in Address bar' => { - name: 'Software\Policies\Microsoft\MicrosoftEdge\SearchScopes\ShowSearchSuggestionsGlobal', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\MicrosoftEdge\SearchScopes', - value_name: 'ShowSearchSuggestionsGlobal', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\MicrosoftEdge\SearchScopes\ShowSearchSuggestionsGlobal', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\MicrosoftEdge\SearchScopes', + value_name: 'ShowSearchSuggestionsGlobal', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Configure Password Manager' => { - name: 'Software\Policies\Microsoft\MicrosoftEdge\Main\FormSuggest Passwords', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\MicrosoftEdge\Main', - value_name: 'FormSuggest Passwords', - reg_type: 'SZ', - data_type: 'string', + name: 'Software\Policies\Microsoft\MicrosoftEdge\Main\FormSuggest Passwords', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\MicrosoftEdge\Main', + value_name: 'FormSuggest Passwords', + reg_type: 'SZ', + data_type: 'string', }, 'Configure SmartScreen Filter' => { - name: 'Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter\EnabledV9', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter', - value_name: 'EnabledV9', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter\EnabledV9', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter', + value_name: 'EnabledV9', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Prevent access to the about: flags page in Microsoft Edge' => { - name: 'Software\Policies\Microsoft\MicrosoftEdge\Main\PreventAccessToAboutFlagsInMicrosoftEdge', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\MicrosoftEdge\Main', - value_name: 'PreventAccessToAboutFlagsInMicrosoftEdge', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\MicrosoftEdge\Main\PreventAccessToAboutFlagsInMicrosoftEdge', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\MicrosoftEdge\Main', + value_name: 'PreventAccessToAboutFlagsInMicrosoftEdge', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Prevent bypassing SmartScreen prompts for files' => { - name: 'Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter\PreventOverrideAppRepUnknown', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter', - value_name: 'PreventOverrideAppRepUnknown', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter\PreventOverrideAppRepUnknown', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter', + value_name: 'PreventOverrideAppRepUnknown', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Prevent bypassing SmartScreen prompts for sites' => { - name: 'Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter\PreventOverride', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter', - value_name: 'PreventOverride', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter\PreventOverride', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter', + value_name: 'PreventOverride', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Prevent using Localhost IP address for WebRTC' => { - name: 'Software\Policies\Microsoft\MicrosoftEdge\Main\HideLocalHostIP', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\MicrosoftEdge\Main', - value_name: 'HideLocalHostIP', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\MicrosoftEdge\Main\HideLocalHostIP', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\MicrosoftEdge\Main', + value_name: 'HideLocalHostIP', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Prevent the usage of OneDrive for file storage (DisableFileSync)' => { - name: 'Software\Policies\Microsoft\Windows\Skydrive\DisableFileSync', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\Skydrive', - value_name: 'DisableFileSync', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\Skydrive\DisableFileSync', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Skydrive', + value_name: 'DisableFileSync', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Prevent the usage of OneDrive for file storage (DisableFileSyncNGSC)' => { - name: 'Software\Policies\Microsoft\Windows\OneDrive\DisableFileSyncNGSC', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\OneDrive', - value_name: 'DisableFileSyncNGSC', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\OneDrive\DisableFileSyncNGSC', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\OneDrive', + value_name: 'DisableFileSyncNGSC', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', }, 'Do not allow passwords to be saved' => { - name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\DisablePasswordSaving', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services', - value_name: 'DisablePasswordSaving', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\DisablePasswordSaving', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services', + value_name: 'DisablePasswordSaving', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' => { - name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\fSingleSessionPerUser', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services', - value_name: 'fSingleSessionPerUser', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\fSingleSessionPerUser', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services', + value_name: 'fSingleSessionPerUser', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Do not allow COM port redirection' => { - name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\fDisableCcm', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services', - value_name: 'fDisableCcm', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\fDisableCcm', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services', + value_name: 'fDisableCcm', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Do not allow LPT port redirection' => { - name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\fDisableLPT', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services', - value_name: 'fDisableLPT', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\fDisableLPT', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services', + value_name: 'fDisableLPT', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Do not allow supported Plug and Play device redirection' => { - name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\fDisablePNPRedir', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services', - value_name: 'fDisablePNPRedir', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\fDisablePNPRedir', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services', + value_name: 'fDisablePNPRedir', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Always prompt for password upon connection' => { - name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services', - value_name: 'fPromptForPassword', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services', + value_name: 'fPromptForPassword', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Require secure RPC communication' => { - name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\fEncryptRPCTraffic', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services', - value_name: 'fEncryptRPCTraffic', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\fEncryptRPCTraffic', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services', + value_name: 'fEncryptRPCTraffic', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Require use of specific security layer for remote (RDP) connections' => { + name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\SecurityLayer', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services', + value_name: 'SecurityLayer', + reg_type: 'DWORD', + data_type: 'string', + }, + 'Require user authentication for remote connections by using Network Level Authentication' => { + name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\UserAuthentication', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services', + value_name: 'UserAuthentication', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Set client connection encryption level' => { - name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services', - value_name: 'MinEncryptionLevel', - reg_type: 'DWORD', - data_type: 'string', + name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services', + value_name: 'MinEncryptionLevel', + reg_type: 'DWORD', + data_type: 'string', }, 'Set time limit for active but idle Remote Desktop Services sessions' => { - name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\MaxIdleTime', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services', - value_name: 'MaxIdleTime', - reg_type: 'DWORD', - data_type: 'string', + name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\MaxIdleTime', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services', + value_name: 'MaxIdleTime', + reg_type: 'DWORD', + data_type: 'string', }, 'Set time limit for disconnected sessions' => { - name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\MaxDisconnectionTime', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services', - value_name: 'MaxDisconnectionTime', - reg_type: 'DWORD', - data_type: 'string', + name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\MaxDisconnectionTime', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services', + value_name: 'MaxDisconnectionTime', + reg_type: 'DWORD', + data_type: 'string', }, 'Do not delete temp folders upon exit' => { - name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\DeleteTempDirsOnExit', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services', - value_name: 'DeleteTempDirsOnExit', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '0', + name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\DeleteTempDirsOnExit', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services', + value_name: 'DeleteTempDirsOnExit', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '0', disabled_value: '1', }, 'Do not use temporary folders per session' => { - name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\PerSessionTempDir', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services', - value_name: 'PerSessionTempDir', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '0', + name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\PerSessionTempDir', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services', + value_name: 'PerSessionTempDir', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '0', disabled_value: '1', }, 'Prevent downloading of enclosures' => { - name: 'Software\Policies\Microsoft\Internet Explorer\Feeds\DisableEnclosureDownload', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Internet Explorer\Feeds', - value_name: 'DisableEnclosureDownload', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Internet Explorer\Feeds\DisableEnclosureDownload', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Internet Explorer\Feeds', + value_name: 'DisableEnclosureDownload', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Allow Cortana' => { - name: 'Software\Policies\Microsoft\Windows\Windows Search\AllowCortana', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\Windows Search', - value_name: 'AllowCortana', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\Windows Search\AllowCortana', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Windows Search', + value_name: 'AllowCortana', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Set what information is shared in Search' => { - name: 'Software\Policies\Microsoft\Windows\Windows Search\ConnectedSearchPrivacy', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\Windows Search', - value_name: 'ConnectedSearchPrivacy', - reg_type: 'DWORD', - data_type: 'string', + name: 'Software\Policies\Microsoft\Windows\Windows Search\ConnectedSearchPrivacy', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Windows Search', + value_name: 'ConnectedSearchPrivacy', + reg_type: 'DWORD', + data_type: 'string', }, 'Allow indexing of encrypted files' => { - name: 'Software\Policies\Microsoft\Windows\Windows Search\AllowIndexingEncryptedStoresOrItems', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\Windows Search', - value_name: 'AllowIndexingEncryptedStoresOrItems', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\Windows Search\AllowIndexingEncryptedStoresOrItems', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Windows Search', + value_name: 'AllowIndexingEncryptedStoresOrItems', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Allow search and Cortana to use location' => { - name: 'Software\Policies\Microsoft\Windows\Windows Search\AllowSearchToUseLocation', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\Windows Search', - value_name: 'AllowSearchToUseLocation', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\Windows Search\AllowSearchToUseLocation', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Windows Search', + value_name: 'AllowSearchToUseLocation', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Allow Cortana above lock screen' => { - name: 'Software\Policies\Microsoft\Windows\Windows Search\AllowCortanaAboveLock', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\Windows Search', - value_name: 'AllowCortanaAboveLock', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\Windows Search\AllowCortanaAboveLock', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Windows Search', + value_name: 'AllowCortanaAboveLock', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Turn off KMS Client Online AVS Validation' => { - name: 'Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform\NoGenTicket', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform', - value_name: 'NoGenTicket', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform\NoGenTicket', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform', + value_name: 'NoGenTicket', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Disable all apps from Windows Store' => { - name: 'Software\Policies\Microsoft\WindowsStore\DisableStoreApps', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\WindowsStore', - value_name: 'DisableStoreApps', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '0', + name: 'Software\Policies\Microsoft\WindowsStore\DisableStoreApps', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\WindowsStore', + value_name: 'DisableStoreApps', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '0', disabled_value: '1', }, 'Turn off Automatic Download and Install of updates' => { - name: 'Software\Policies\Microsoft\WindowsStore\AutoDownload', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\WindowsStore', - value_name: 'AutoDownload', - reg_type: 'DWORD', - data_type: 'string', + name: 'Software\Policies\Microsoft\WindowsStore\AutoDownload', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\WindowsStore', + value_name: 'AutoDownload', + reg_type: 'DWORD', + data_type: 'string', }, 'Turn off the offer to update to the latest version of Windows' => { - name: 'Software\Policies\Microsoft\WindowsStore\DisableOSUpgrade', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\WindowsStore', - value_name: 'DisableOSUpgrade', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '0', - disabled_value: '1', + name: 'Software\Policies\Microsoft\WindowsStore\DisableOSUpgrade', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\WindowsStore', + value_name: 'DisableOSUpgrade', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', }, 'Turn off the Store application' => { - name: 'Software\Policies\Microsoft\WindowsStore\RemoveWindowsStore', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\WindowsStore', - value_name: 'RemoveWindowsStore', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\WindowsStore\RemoveWindowsStore', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\WindowsStore', + value_name: 'RemoveWindowsStore', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Join Microsoft MAPS' => { - name: 'Software\Policies\Microsoft\Windows Defender\Spynet\SpynetReporting', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows Defender\Spynet', - value_name: 'SpynetReporting', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows Defender\Spynet\SpynetReporting', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows Defender\Spynet', + value_name: 'SpynetReporting', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Configure Watson events' => { - name: 'Software\Policies\Microsoft\Windows Defender\Reporting\DisableGenericRePorts', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows Defender\Reporting', - value_name: 'DisableGenericRePorts', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '0', + name: 'Software\Policies\Microsoft\Windows Defender\Reporting\DisableGenericRePorts', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows Defender\Reporting', + value_name: 'DisableGenericRePorts', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '0', disabled_value: '1', }, 'Configure Default consent' => { - name: 'Software\Policies\Microsoft\Windows\Windows Error Reporting\Consent\DefaultConsent', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\Windows Error Reporting\Consent', - value_name: 'DefaultConsent', - reg_type: 'DWORD', - data_type: 'string', + name: 'Software\Policies\Microsoft\Windows\Windows Error Reporting\Consent\DefaultConsent', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Windows Error Reporting\Consent', + value_name: 'DefaultConsent', + reg_type: 'DWORD', + data_type: 'string', }, 'Automatically send memory dumps for OS-generated error reports' => { - name: 'Software\Policies\Microsoft\Windows\Windows Error Reporting\AutoApproveOSDumps', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\Windows Error Reporting', - value_name: 'AutoApproveOSDumps', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\Windows Error Reporting\AutoApproveOSDumps', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Windows Error Reporting', + value_name: 'AutoApproveOSDumps', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Allow suggested apps in Windows Ink Workspace' => { - name: 'Software\Policies\Microsoft\WindowsInkWorkspace\AllowSuggestedAppsInWindowsInkWorkspace', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\WindowsInkWorkspace', - value_name: 'AllowSuggestedAppsInWindowsInkWorkspace', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\WindowsInkWorkspace\AllowSuggestedAppsInWindowsInkWorkspace', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\WindowsInkWorkspace', + value_name: 'AllowSuggestedAppsInWindowsInkWorkspace', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Allow Windows Ink Workspace' => { - name: 'Software\Policies\Microsoft\WindowsInkWorkspace\AllowWindowsInkWorkspace', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\WindowsInkWorkspace', - value_name: 'AllowWindowsInkWorkspace', - reg_type: 'DWORD', - data_type: 'string', + name: 'Software\Policies\Microsoft\WindowsInkWorkspace\AllowWindowsInkWorkspace', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\WindowsInkWorkspace', + value_name: 'AllowWindowsInkWorkspace', + reg_type: 'DWORD', + data_type: 'string', }, 'Allow user control over installs' => { - name: 'Software\Policies\Microsoft\Windows\Installer\EnableUserControl', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\Installer', - value_name: 'EnableUserControl', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\Installer\EnableUserControl', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Installer', + value_name: 'EnableUserControl', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Always install with elevated privileges' => { - name: 'Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\Installer', - value_name: 'AlwaysInstallElevated', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Installer', + value_name: 'AlwaysInstallElevated', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Prevent Internet Explorer security prompt for Windows Installer scripts' => { - name: 'Software\Policies\Microsoft\Windows\Installer\SafeForScripting', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\Installer', - value_name: 'SafeForScripting', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\Installer\SafeForScripting', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Installer', + value_name: 'SafeForScripting', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Turn on PowerShell Script Block Logging' => { - name: 'Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging', - value_name: 'EnableScriptBlockLogging', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging', + value_name: 'EnableScriptBlockLogging', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Turn on PowerShell Transcription' => { - name: 'Software\Policies\Microsoft\Windows\PowerShell\Transcription\EnableTranscripting', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\PowerShell\Transcription', - value_name: 'EnableTranscripting', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\PowerShell\Transcription\EnableTranscripting', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\PowerShell\Transcription', + value_name: 'EnableTranscripting', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Allow Basic authentication (Client)' => { - name: 'Software\Policies\Microsoft\Windows\WinRM\Client\AllowBasic', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\WinRM\Client', - value_name: 'AllowBasic', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\WinRM\Client\AllowBasic', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\WinRM\Client', + value_name: 'AllowBasic', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Allow unencrypted traffic (Client)' => { - name: 'Software\Policies\Microsoft\Windows\WinRM\Client\AllowUnencryptedTraffic', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\WinRM\Client', - value_name: 'AllowUnencryptedTraffic', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\WinRM\Client\AllowUnencryptedTraffic', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\WinRM\Client', + value_name: 'AllowUnencryptedTraffic', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Disallow Digest authentication' => { - name: 'Software\Policies\Microsoft\Windows\WinRM\Client\AllowDigest', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\WinRM\Client', - value_name: 'AllowDigest', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '0', + name: 'Software\Policies\Microsoft\Windows\WinRM\Client\AllowDigest', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\WinRM\Client', + value_name: 'AllowDigest', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '0', disabled_value: '1', }, 'Allow Basic authentication (Service)' => { - name: 'Software\Policies\Microsoft\Windows\WinRM\Service\AllowBasic', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\WinRM\Service', - value_name: 'AllowBasic', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\WinRM\Service\AllowBasic', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\WinRM\Service', + value_name: 'AllowBasic', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Allow remote server management through WinRM' => { - name: 'Software\Policies\Microsoft\Windows\WinRM\Service\AllowAutoConfig', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\WinRM\Service', - value_name: 'AllowAutoConfig', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\WinRM\Service\AllowAutoConfig', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\WinRM\Service', + value_name: 'AllowAutoConfig', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Allow unencrypted traffic (Service)' => { - name: 'Software\Policies\Microsoft\Windows\WinRM\Service\AllowUnencryptedTraffic', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\WinRM\Service', - value_name: 'AllowUnencryptedTraffic', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\WinRM\Service\AllowUnencryptedTraffic', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\WinRM\Service', + value_name: 'AllowUnencryptedTraffic', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Disallow WinRM from storing RunAs credentials' => { - name: 'Software\Policies\Microsoft\Windows\WinRM\Service\DisableRunAs', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\WinRM\Service', - value_name: 'DisableRunAs', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\WinRM\Service\DisableRunAs', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\WinRM\Service', + value_name: 'DisableRunAs', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, 'Allow Remote Shell Access' => { - name: 'Software\Policies\Microsoft\Windows\WinRM\Service\WinRS\AllowRemoteShellAccess', - configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\WinRM\Service\WinRS', - value_name: 'AllowRemoteShellAccess', - reg_type: 'DWORD', - data_type: 'boolean', - enabled_value: '1', + name: 'Software\Policies\Microsoft\Windows\WinRM\Service\WinRS\AllowRemoteShellAccess', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\WinRM\Service\WinRS', + value_name: 'AllowRemoteShellAccess', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Prevent users from modifying settings' => { + name: 'Software\Policies\Microsoft\Windows Defender Security Center\App and Browser protection\DisallowExploitProtectionOverride', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows Defender Security Center\App and Browser protection', + value_name: 'DisallowExploitProtectionOverride', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Configure SMB v1 client driver' => { + name: 'System\CurrentControlSet\Services\MrxSmb10\Start', + configuration: 'Computer', + registry_key: 'System\CurrentControlSet\Services\MrxSmb10', + value_name: 'Start', + reg_type: 'DWORD', + data_type: 'string', + }, + 'Configure SMB v1 client' => { + name: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\DependOnService', + configuration: 'Computer', + registry_key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation', + value_name: 'DependOnService', + reg_type: 'MULTISZ', + data_type: 'string', + }, + 'Configure SMB v1 server' => { + name: 'System\CurrentControlSet\Services\LanmanServer\Parameters\SMB1', + configuration: 'Computer', + registry_key: 'System\CurrentControlSet\Services\LanmanServer\Parameters', + value_name: 'SMB1', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Remote host allows delegation of non-exportable credentials' => { + name: 'Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowProtectedCreds', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\CredentialsDelegation', + value_name: 'AllowProtectedCreds', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Turn off picture password sign-in' => { + name: 'Software\Policies\Microsoft\Windows\System\BlockDomainPicturePassword', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\System', + value_name: 'BlockDomainPicturePassword', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Turn off Windows Location Provider' => { + name: 'Software\Policies\Microsoft\Windows\LocationAndSensors\DisableWindowsLocationProvider', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\LocationAndSensors', + value_name: 'DisableWindowsLocationProvider', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Configure local setting override for reporting to Microsoft MAPS' => { + name: 'Software\Policies\Microsoft\Microsoft Antimalware\SpyNet\LocalSettingOverrideSpyNetReporting', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Microsoft Antimalware\SpyNet', + value_name: 'LocalSettingOverrideSpyNetReporting', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Require Mutual Authentication (NETLOGON)' => { + name: 'Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\NETLOGON', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths', + value_name: '\\\\*\NETLOGON', + reg_type: 'SZ', + data_type: 'string', + }, + 'Require Mutual Authentication (SYSVOL)' => { + name: 'Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\SYSVOL', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths', + value_name: '\\\\*\SYSVOL', + reg_type: 'SZ', + data_type: 'string', + }, + 'Allow Online Tips' => { + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowOnlineTips', + configuration: 'Computer', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', + value_name: 'AllowOnlineTips', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' => { + name: 'Software\Policies\Microsoft\Windows\DataCollection\DisableEnterpriseAuthProxy', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\DataCollection', + value_name: 'DisableEnterpriseAuthProxy', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Allow Message Service Cloud Sync' => { + name: 'Software\Policies\Microsoft\Windows\Messaging\AllowMessageSync', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Messaging', + value_name: 'AllowMessageSync', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Block all consumer Microsoft account user authentication' => { + name: 'Software\Policies\Microsoft\MicrosoftAccount\DisableUserAuth', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\MicrosoftAccount', + value_name: 'DisableUserAuth', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Turn off Windows Error Reporting (PCHealth)' => { + name: 'Software\Policies\Microsoft\PCHealth\ErrorReporting\DoReport', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\PCHealth\ErrorReporting', + value_name: 'DoReport', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '0', + disabled_value: '1', + }, + 'Do not allow drive redirection' => { + name: 'Software\Policies\Microsoft\Windows NT\Terminal Services\fDisableCdm', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows NT\Terminal Services', + value_name: 'fDisableCdm', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Turn on behavior monitoring' => { + name: 'Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows Defender\Real-Time Protection', + value_name: 'DisableBehaviorMonitoring', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '0', + disabled_value: '1', + }, + 'Scan removable drives' => { + name: 'Software\Policies\Microsoft\Windows Defender\Scan\DisableRemovableDriveScanning', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows Defender\Scan', + value_name: 'DisableRemovableDriveScanning', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '0', + disabled_value: '1', + }, + 'Turn on e-mail scanning' => { + name: 'Software\Policies\Microsoft\Windows Defender\Scan\DisableEmailScanning', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows Defender\Scan', + value_name: 'DisableEmailScanning', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '0', + disabled_value: '1', + }, + 'Configure Attack Surface Reduction rules' => { + name: 'Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\ExploitGuard_ASR_Rules', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR', + value_name: 'ExploitGuard_ASR_Rules', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Prevent users and apps from accessing dangerous websites' => { + name: 'Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection\EnableNetworkProtection', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection', + value_name: 'EnableNetworkProtection', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Configure detection for potentially unwanted applications' => { + name: 'Software\Policies\Microsoft\Windows Defender\PUAProtection', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows Defender', + value_name: 'PUAProtection', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Limits print driver installation to Administrators' => { + name: 'Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\RestrictDriverInstallationToAdministrators', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint', + value_name: 'RestrictDriverInstallationToAdministrators', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Configure DNS over HTTPS (DoH) name resolution' => { + name: 'Software\Policies\Microsoft\Windows NT\DNSClient\DoHPolicy', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows NT\DNSClient', + value_name: 'DoHPolicy', + reg_type: 'DWORD', + data_type: 'string', + }, + 'Allow Print Spooler to accept client connections' => { + name: 'Software\Policies\Microsoft\Windows NT\Printers\RegisterSpoolerRemoteRpcEndPoint', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows NT\Printers', + value_name: 'RegisterSpoolerRemoteRpcEndPoint', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '2', + }, + 'Point and Print Restrictions when installing drivers for a new connection' => { + name: 'Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\NoWarningNoElevationOnInstall', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint', + value_name: 'NoWarningNoElevationOnInstall', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '0', + disabled_value: '1', + }, + 'Point and Print Restrictions when updating drivers for an existing connection' => { + name: 'Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\UpdatePromptSettings', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint', + value_name: 'UpdatePromptSettings', + reg_type: 'DWORD', + data_type: 'string', + }, + 'Prevent device metadata retrieval from the Internet' => { + name: 'SOFTWARE\Policies\Microsoft\Windows\Device Metadata\PreventDeviceMetadataFromNetwork', + configuration: 'Computer', + registry_key: 'SOFTWARE\Policies\Microsoft\Windows\Device Metadata', + value_name: 'PreventDeviceMetadataFromNetwork', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Turn off cloud consumer account state content' => { + name: 'Software\Policies\Microsoft\Windows\CloudContent\DisableConsumerAccountStateContent', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\CloudContent', + value_name: 'DisableConsumerAccountStateContent', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Disable OneSettings Downloads' => { + name: 'Software\Policies\Microsoft\Windows\DataCollection\DisableOneSettingsDownloads', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\DataCollection', + value_name: 'DisableOneSettingsDownloads', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Enable OneSettings Auditing' => { + name: 'Software\Policies\Microsoft\Windows\DataCollection\EnableOneSettingsAuditing', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\DataCollection', + value_name: 'EnableOneSettingsAuditing', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Limit Diagnostic Log Collection' => { + name: 'Software\Policies\Microsoft\Windows\DataCollection\LimitDiagnosticLogCollection', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\DataCollection', + value_name: 'LimitDiagnosticLogCollection', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Limit Dump Collection' => { + name: 'Software\Policies\Microsoft\Windows\DataCollection\LimitDumpCollection', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\DataCollection', + value_name: 'LimitDumpCollection', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Turn off Push To Install service' => { + name: 'Software\Policies\Microsoft\PushToInstall\DisablePushToInstall', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\PushToInstall', + value_name: 'DisablePushToInstall', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Allow Cloud Search' => { + name: 'SOFTWARE\Policies\Microsoft\Windows\Windows Search\AllowCloudSearch', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\Windows Search', + value_name: 'AllowCloudSearch', + reg_type: 'DWORD', + data_type: 'string', + }, + 'Manage preview builds (setting)' => { + name: 'Software\Policies\Microsoft\Windows\WindowsUpdate\ManagePreviewBuilds', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\WindowsUpdate', + value_name: 'ManagePreviewBuilds', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Manage preview builds (policy)' => { + name: 'Software\Policies\Microsoft\Windows\WindowsUpdate\ManagePreviewBuildsPolicyValue', + configuration: 'Computer', + registry_key: 'Software\Policies\Microsoft\Windows\WindowsUpdate', + value_name: 'ManagePreviewBuildsPolicyValue', + reg_type: 'DWORD', + data_type: 'string', + }, + 'Enable screen saver' => { + name: 'Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveActive', + configuration: 'User', + registry_key: 'Software\Policies\Microsoft\Windows\Control Panel\Desktop', + value_name: 'ScreenSaveActive', + reg_type: 'SZ', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Force specific screen saver' => { + name: 'Software\Policies\Microsoft\Windows\Control Panel\Desktop\SCRNSAVE.EXE', + configuration: 'User', + registry_key: 'Software\Policies\Microsoft\Windows\Control Panel\Desktop', + value_name: 'SCRNSAVE.EXE', + reg_type: 'SZ', + data_type: 'string', + }, + 'Password protect the screen saver' => { + name: 'Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaverIsSecure', + configuration: 'User', + registry_key: 'Software\Policies\Microsoft\Windows\Control Panel\Desktop', + value_name: 'ScreenSaverIsSecure', + reg_type: 'SZ', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Screen saver timeout' => { + name: 'Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveTimeOut', + configuration: 'User', + registry_key: 'Software\Policies\Microsoft\Windows\Control Panel\Desktop', + value_name: 'ScreenSaveTimeOut', + reg_type: 'SZ', + data_type: 'string', + }, + 'Turn off toast notifications on the lock screen' => { + name: 'SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications\NoToastApplicationNotificationOnLockScreen', + configuration: 'User', + registry_key: 'SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications', + value_name: 'NoToastApplicationNotificationOnLockScreen', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Turn off Help Experience Improvement Program' => { + name: 'Software\Policies\Microsoft\Assistance\Client\1.0\NoImplicitFeedback', + configuration: 'User', + registry_key: 'Software\Policies\Microsoft\Assistance\Client\1.0', + value_name: 'NoImplicitFeedback', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Do not preserve zone information in file attachments' => { + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation', + configuration: 'User', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\Attachments', + value_name: 'SaveZoneInformation', + reg_type: 'DWORD', + data_type: 'string', + }, + 'Notify antivirus programs when opening attachments' => { + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ScanWithAntiVirus', + configuration: 'User', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\Attachments', + value_name: 'ScanWithAntiVirus', + reg_type: 'DWORD', + data_type: 'string', + }, + 'Configure Windows spotlight on lock screen' => { + name: 'Software\Policies\Microsoft\Windows\CloudContent\ConfigureWindowsSpotlight', + configuration: 'User', + registry_key: 'Software\Policies\Microsoft\Windows\CloudContent', + value_name: 'ConfigureWindowsSpotlight', + reg_type: 'DWORD', + data_type: 'string', + }, + 'Do not suggest third-party content in Windows spotlight' => { + name: 'Software\Policies\Microsoft\Windows\CloudContent\DisableThirdPartySuggestions', + configuration: 'User', + registry_key: 'Software\Policies\Microsoft\Windows\CloudContent', + value_name: 'DisableThirdPartySuggestions', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Do not use diagnostic data for tailored experiences' => { + name: 'Software\Policies\Microsoft\Windows\CloudContent\DisableTailoredExperiencesWithDiagnosticData', + configuration: 'User', + registry_key: 'Software\Policies\Microsoft\Windows\CloudContent', + value_name: 'DisableTailoredExperiencesWithDiagnosticData', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Turn off all Windows spotlight features' => { + name: 'Software\Policies\Microsoft\Windows\CloudContent\DisableWindowsSpotlightFeatures', + configuration: 'User', + registry_key: 'Software\Policies\Microsoft\Windows\CloudContent', + value_name: 'DisableWindowsSpotlightFeatures', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Prevent users from sharing files within their profile' => { + name: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInplaceSharing', + configuration: 'User', + registry_key: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', + value_name: 'NoInplaceSharing', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Always install with elevated privileges user' => { + name: 'Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated', + configuration: 'User', + registry_key: 'Software\Policies\Microsoft\Windows\Installer', + value_name: 'AlwaysInstallElevated', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', + disabled_value: '0', + }, + 'Prevent Codec Download' => { + name: 'Software\Policies\Microsoft\WindowsMediaPlayer\PreventCodecDownload', + configuration: 'User', + registry_key: 'Software\Policies\Microsoft\WindowsMediaPlayer', + value_name: 'PreventCodecDownload', + reg_type: 'DWORD', + data_type: 'boolean', + enabled_value: '1', disabled_value: '0', }, } diff --git a/manifests/init.pp b/manifests/init.pp index a137451..ac38bad 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,10 +1,33 @@ # class advanced_security_policy class advanced_security_policy { + + file { 'c:/Management/advanced_security': + ensure => 'directory', + } + + exec { 'backup registry.pol': + command => 'powershell Copy-Item C:\Windows\System32\GroupPolicy\Machine\Registry.pol c:\Management\advanced_security', + path => 'C:\Windows\System32\WindowsPowerShell\v1.0', + creates => 'C:\Management\advanced_security\Registry.pol', + onlyif => 'C:\Windows\System32\cmd.exe /c dir C:\Windows\System32\GroupPolicy\Machine\Registry.pol', + } + file { 'C:/Windows/System32/LGPO.exe': ensure => file, - source => 'puppet:///modules/advanced_security_policy/LGPO.exe', - owner => 'Administrators', - group => 'Administrators', - mode => '0770', + source => 'puppet:///modules/advanced_security_policy/LGPO.exe' # lint:ignore:source_without_rights + } + + if $facts['domainrole'] == 'Standalone Server' and $facts['os']['release']['major'] !~ '2008' { + scheduled_task { 'gpupdate (managed by puppet)': + ensure => present, + enabled => true, + command => 'C:\Windows\system32\gpupdate.exe', + trigger => { + schedule => daily, + start_time => '00:30', + minutes_interval => 30, + }, + user => 'SYSTEM', + } } } diff --git a/metadata.json b/metadata.json index 076eaad..f3cc84f 100644 --- a/metadata.json +++ b/metadata.json @@ -1,33 +1,19 @@ -{ - "name": "kpn-advanced_security_policy", - "version": "2.1.1", - "author": "kpn", - "summary": "This module sets Advanced Security Policy settings on Windows.", - "license": "Apache-2.0", - "source": "https://github.com/kpn-puppet/puppet-kpn-advanced_security_policy", - "project_page": "https://github.com/kpn-puppet/puppet-kpn-advanced_security_policy", - "issues_url": "https://github.com/kpn-puppet/puppet-kpn-advanced_security_policy/issues", - "dependencies": [], - "operatingsystem_support": [ - { - "operatingsystem": "windows", - "operatingsystemrelease": [ - "2008 R2", - "2012 R2", - "2016" - ] - } - ], - "requirements": [ - { - "name": "puppet", - "version_requirement": ">= 4.7.0 < 6.0.0" - } - ], - "kpn_quality_label": "A", - "kpn_module_owner": "Product Owner Platforms", - "kpn_module_support": "Puppet Development Team", - "pdk-version": "1.4.1", - "template-url": "file:///opt/puppetlabs/pdk/share/cache/pdk-templates.git", - "template-ref": "1.4.1-0-g52adbbb" -} +{ + "name": "kpn-advanced_security_policy", + "version": "3.0.0", + "author": "kpn", + "summary": "This module sets Advanced Security Policy settings on Windows.", + "license": "proprietary", + "source": "https://github.com/kpn-puppet/puppet-kpn-advanced_security_policy", + "project_page": "https://github.com/kpn-puppet/puppet-kpn-advanced_security_policy", + "issues_url": "https://github.com/kpn-puppet/puppet-kpn-advanced_security_policy/issues", + "operatingsystem_support": [ + { + "operatingsystem": "windows", + "operatingsystemrelease": [ "2012", "2012 R2", "2016", "2019", "2022" ] + } + ], + "dependencies": [ + { "name": "puppetlabs/scheduled_task", "version_requirement": ">=4.6.0 <5.0.0" } + ] +} diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb new file mode 100644 index 0000000..1f606fd --- /dev/null +++ b/spec/classes/init_spec.rb @@ -0,0 +1,17 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'advanced_security_policy' do + on_supported_os.each do |os, facts| + describe "on #{os}" do + let(:facts) { facts } + + it { is_expected.to compile } + it { is_expected.to contain_class('advanced_security_policy') } + it { is_expected.to contain_file('c:/Management/advanced_security') } + it { is_expected.to contain_exec('backup registry.pol') } + it { is_expected.to contain_file('C:/Windows/System32/LGPO.exe') } + end + end +end diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 384a50a..feb5720 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -1,7 +1,54 @@ -# frozen_string_literal: true - require 'puppetlabs_spec_helper/module_spec_helper' +require 'rspec-puppet-facts' + +require 'spec_helper_local' if File.file?(File.join(File.dirname(__FILE__), 'spec_helper_local.rb')) + +include RspecPuppetFacts + +default_facts = { + puppetversion: Puppet.version, + facterversion: Facter.version, +} + +default_fact_files = [ + File.expand_path(File.join(File.dirname(__FILE__), 'default_facts.yml')), + File.expand_path(File.join(File.dirname(__FILE__), 'default_module_facts.yml')), +] + +default_fact_files.each do |f| + next unless File.exist?(f) && File.readable?(f) && File.size?(f) + + begin + default_facts.merge!(YAML.safe_load(File.read(f), [], [], true)) + rescue => e + RSpec.configuration.reporter.message "WARNING: Unable to load #{f}: #{e}" + end +end + +# read default_facts and merge them over what is provided by facterdb +default_facts.each do |fact, value| + add_custom_fact fact, value +end + +RSpec.configure do |c| + c.default_facts = default_facts + c.before :each do + # set to strictest setting for testing + # by default Puppet runs at warning level + Puppet.settings[:strict] = :warning + end + c.filter_run_excluding(bolt: true) unless ENV['GEM_BOLT'] + c.after(:suite) do + end +end -RSpec.configure { |c| c.fail_fast = true } +# Ensures that a module is defined +# @param module_name Name of the module +def ensure_module_defined(module_name) + module_name.split('::').reduce(Object) do |last_module, next_module| + last_module.const_set(next_module, Module.new) unless last_module.const_defined?(next_module, false) + last_module.const_get(next_module, false) + end +end -at_exit { print "Resource coverage report is N/A for custom provider type\n\n" } +# 'spec_overrides' from sync.yml will appear below this line diff --git a/spec/unit/puppet/provider/advanced_security_policy_spec.rb b/spec/unit/puppet/provider/advanced_security_policy_disable.rb similarity index 81% rename from spec/unit/puppet/provider/advanced_security_policy_spec.rb rename to spec/unit/puppet/provider/advanced_security_policy_disable.rb index 6cf5196..aeea225 100644 --- a/spec/unit/puppet/provider/advanced_security_policy_spec.rb +++ b/spec/unit/puppet/provider/advanced_security_policy_disable.rb @@ -10,12 +10,12 @@ let(:resource) do provider_resource.new( - name: 'Prohibit installation and configuration of Network Bridge on your DNS domain network', - ensure: 'present', + name: 'Prohibit installation and configuration of Network Bridge on your DNS domain network', + ensure: 'present', configuration: 'Computer', - registry_key: 'Software\Policies\Microsoft\Windows\Network Connections', - value_name: 'NC_AllowNetBridge_NLA', - policy_value: '1', + registry_key: 'Software\Policies\Microsoft\Windows\Network Connections', + value_name: 'NC_AllowNetBridge_NLA', + policy_value: '1', ) end @@ -47,8 +47,8 @@ provider.class.stubs(registry_file_exists: true) provider.class.expects(:new) .with( - name: 'Application: Specify the maximum log file size (KB)', - ensure: :present, + name: 'Application: Specify the maximum log file size (KB)', + ensure: :present, policy_value: '32768', ) provider.class.instances @@ -63,9 +63,9 @@ provider.instance_variable_set( :@property_flush, configuration: 'Computer', - registry_key: 'Software\\Policies\\Microsoft\\Windows\\Network Connections', - value_name: 'NC_AllowNetBridge_NLA', - action: 'DWORD:1', + registry_key: 'Software\\Policies\\Microsoft\\Windows\\Network Connections', + value_name: 'NC_AllowNetBridge_NLA', + action: 'DWORD:1', ) end diff --git a/spec/unit/puppet/type/advanced_security_policy_spec.rb b/spec/unit/puppet/type/advanced_security_policy_spec.rb index f420ec5..5e26c48 100644 --- a/spec/unit/puppet/type/advanced_security_policy_spec.rb +++ b/spec/unit/puppet/type/advanced_security_policy_spec.rb @@ -5,7 +5,7 @@ type_class = Puppet::Type.type(:advanced_security_policy) EXAMPLE = { - name: 'Application: Specify the maximum log file size (KB)', + name: 'Application: Specify the maximum log file size (KB)', action: 'DWORD:0001', }.freeze