⚠️ DISCLAIMER: USE AT YOUR OWN RISK.
This tool makes deep modifications to the Windows Registry and System Services. While extensive backups are created, the authors accept no responsibility for any damage, data loss, or system instability. Always review changes before applying.
630+ Settings • 7 Modules • Full Backup & Restore
7 Independent Security Modules • Modular Design • Complete BAVR Pattern
READ THIS BEFORE RUNNING: This tool modifies critical Windows security settings!
WARNING: This tool is NOT recommended for production domain-joined systems without AD team coordination!
Why?
- This tool modifies local Group Policies
- Domain Group Policies override local policies every 90 minutes
- Your hardening may be reset automatically by domain GPOs
- Can lead to configuration conflicts and "flapping" behavior
RECOMMENDED USE CASES:
- Standalone systems (Home/Workgroup)
- Home/Personal PCs (not domain-joined)
- Virtual machines (testing/lab environments)
- Air-gapped systems
- Test/development domain-joined systems (non-production)
For Enterprise/Domain Environments:
- Integrate these settings into your Domain Group Policies instead!
- Coordinate with your Active Directory team before using this tool
Before running this tool, you MUST create:
- Windows System Restore Point (recommended)
- Full System Image/Backup (critical!)
- VM Snapshot (if running in virtual machine)
Why?
- This tool creates internal backups for rollback (Registry, Services, Tasks)
- However, a full system backup protects against:
  - Unforeseen system issues
  - Hardware failures during hardening
  - Configuration conflicts
  - Critical errors
Backup Tools:
- Windows Backup (Settings → System → Storage → Backup)
- System Image (wbadmin, Macrium Reflect, Acronis)
- Hyper-V/VMware: Checkpoint/Snapshot
- What? Microsoft Security Baseline + Advanced Hardening for Windows 11 25H2
- How? PowerShell: Backup → Apply → Verify → Restore (100% reversible!)
- For whom? Professionals, power users, SMBs without Intune/Active Directory

630+ Security Settings • 7 Modules • 100% BAVR Coverage • Production-Ready*
*For all settings changed by NoID Privacy
Because security and privacy are inseparable. You can't have one without the other.
Security Foundation
- 425 settings: MS Security Baseline for Win11 25H2
- 24 settings: MS Security Baseline for Edge
- 19 rules: Attack Surface Reduction
- VBS + Credential Guard*: Hardware-level protection
Privacy Layer
- DNS: Block telemetry, tracking, ads (DoH)
- Telemetry: 3 modes (MSRecommended/Strict/Paranoid)
- AntiAI: 15 AI features disabled (Recall, Copilot, Paint AI, Notepad AI, Edge AI, etc.)
- Bloatware: 24 pre-installed apps removed
The Result: A hardened system that's both secure against attacks and private from surveillance.
*Credential Guard requires Windows 11 Enterprise or Education
| SECURITY | PRIVACY | RELIABILITY | SAFETY |
|---|---|---|---|
| Microsoft Baseline 25H2 | AI Lockdown | Professional Quality | 100% Reversible |
| 630+ Security Settings | No Recall / Copilot / AI | 100% Verification Coverage | BAVR Architecture |
| 19 ASR Rules (17 Block + 2 Configurable) | Telemetry & Ads Blocked | Detailed Logging | Exact Pre-State Restore |
| Zero-Day CVE-2025-9491 | DNS-over-HTTPS (DoH) | Modular Design | Designed for Zero Data Loss |
| VBS & Credential Guard* | Edge Browser Hardened | Open Source / Auditable | Safe for Production |
Full BAVR pattern (Backup → Apply → Verify → Restore) • Zero external binaries • 100% native PowerShell
| Feature | NoID Privacy | HardeningKitty | ChrisTitus winutil | O&O ShutUp10++ |
|---|---|---|---|---|
| Focus | MS Baseline 25H2 + ASR + DNS + Privacy (630+ settings) | CIS/MS baseline audit & CSV-based hardening | System tweaks, debloat & app installs | Privacy toggles & telemetry control |
| BAVR Pattern | Backup → Apply → Verify → Restore (all modules) | Audit + HailMary apply + partial restore | System Restore point (no verify) | System Restore + profile export |
| Verification | 630+ automated compliance checks | Audit mode with severity scoring | No compliance scan | No compliance scan |
| Dependencies | Zero (runs on stock PS 5.1/7+) | PowerShell only | winget/chocolatey required | Portable EXE (closed-source) |
| AI Lockdown | 32 policies (Copilot+/Recall/25H2) | No dedicated AI profile | Individual AI tweaks | Multiple AI/Copilot toggles |
BAVR = Backup-Apply-Verify-Restore (Every change is reversible)
"We practice what we preach"
| Zero Cookies | No cookie banners, no tracking cookies, no consent popups |
| Zero Analytics | No Google Analytics, no third-party tracking scripts |
| Zero Telemetry | No usage tracking, no telemetry - only minimal license validation |
| 100% Verifiable | Open source - inspect the code yourself |
Actions speak louder than privacy policies. Unlike other "privacy" tools that track you, we actually respect your privacy.
Microsoft Security Baseline 25H2 - 100% Implementation
- 335 Registry Policies: Computer + User Configuration
- 67 Security Template Settings: Password Policy, Account Lockout, User Rights, Security Options
- 23 Advanced Audit Policies: Complete security event logging
- Credential Guard*: Passwords can't be stolen from memory (Enterprise/Education only)
- BitLocker Policies: USB drive protection, enhanced PIN, DMA attack prevention
- VBS & HVCI: Virtualization-based security
19 ASR Rules (17 Block + 2 Configurable)
- Helps block common ransomware, macro, exploit, and credential theft techniques
- Office/Adobe/Email protection
- Script & executable blocking
- PSExec/WMI: Audit mode (if management tools used), Block otherwise
- New/Unknown Software: Audit mode (if installing untrusted software), Block otherwise
DNS-over-HTTPS with Secure Default (REQUIRE)
- Quad9 (Default): Security-focused, malware blocking, 9.9.9.9
- Cloudflare: Fastest resolver, 1.1.1.1
- AdGuard: Ad/tracker blocking built-in
- REQUIRE mode (default): no unencrypted fallback
- ALLOW mode (optional): fallback allowed for VPN/mobile/enterprise networks
- IPv4 + IPv6 dual-stack support
3 Operating Modes
- MSRecommended (Default): MS-supported, max compatibility
- Strict: Maximum privacy (AllowTelemetry=0 Ent/Edu only, Teams/Zoom work)
- Paranoid: Hardcore (Force Deny ALL - BREAKS Teams/Zoom!)
Features:
- Telemetry minimized to Security-Essential level
- Bloatware removal (policy-based on 25H2+ Ent/Edu)
- OneDrive telemetry off (sync functional)
- App permissions configurable per mode
15 AI Features Disabled (incl. Master Switch)
- Master Switch: Disables generative AI models system-wide
- Windows Recall: Complete deactivation (component removal + protection)
- Windows Copilot: System-wide disabled + hardware key remapped
- Click to Do: Screenshot AI analysis disabled
- Paint AI: Cocreator, Generative Fill, Image Creator all blocked
- Notepad AI: GPT features disabled
- Settings Agent: AI-powered settings search disabled
Microsoft Edge Security Baseline
- SmartScreen enforced
- Tracking Prevention strict
- SSL/TLS hardening
- Extension security
- IE Mode restrictions
Beyond Microsoft Baseline
- SRP .lnk Protection - CVE-2025-9491 zero-day mitigation
- RDP Hardening - Disabled by default, TLS + NLA enforced
- Wireless Display Security - Miracast hardening, screen interception protection
- Legacy Protocol Blocking - SMBv1, NetBIOS, LLMNR, WPAD, PowerShell v2
- TLS Hardening - 1.0/1.1 OFF, 1.2/1.3 ON
- UPnP/SSDP Blocking - Port forwarding attack prevention
- Discovery Protocols - Optional WS-Discovery + mDNS disable (Maximum profile)
- Windows Update - Interactive configuration
- Finger Protocol - Blocked (ClickFix malware protection)
Every change is tracked, verified, and 100% reversible!
- [1/4] BACKUP: Full system state backup before changes
- [2/4] APPLY: Settings applied with comprehensive logging
- [3/4] VERIFY: Automated compliance checks confirm success
- [4/4] RESTORE: One command reverts everything
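The four phases, shown on a single registry value, as an added example (not NoID Privacy's own code). The key `HKCU:\Software\BavrDemo`, the value name, the backup file and all function names are hypothetical; the example handles DWord/QWord/String values only. The restore step deletes the value when it did not exist before, which is what "exact pre-state" requires.

```powershell
# Added example: Backup -> Apply -> Verify -> Restore for ONE registry value.
# Path, value name and function names are hypothetical; nothing here is a NoID Privacy setting.
$Path       = 'HKCU:\Software\BavrDemo'
$Name       = 'ExampleSetting'
$Want       = 1
$BackupFile = Join-Path $env:TEMP 'bavr-demo-backup.json'

function Backup-RegistryValue {
    param([string]$Path, [string]$Name, [string]$File)
    $state = [ordered]@{
        Path = $Path; Name = $Name
        KeyExisted = (Test-Path -LiteralPath $Path)
        ValueExisted = $false; Data = $null; Kind = $null
    }
    if ($state.KeyExisted) {
        $key = Get-Item -LiteralPath $Path
        if ($key.GetValueNames() -contains $Name) {
            # Record both the data and the registry type so the restore is exact
            $state.ValueExisted = $true
            $state.Data = $key.GetValue($Name, $null, 'DoNotExpandEnvironmentNames')
            $state.Kind = $key.GetValueKind($Name).ToString()
        }
    }
    $state | ConvertTo-Json | Set-Content -LiteralPath $File -Encoding UTF8
}

function Set-RegistryValue {
    param([string]$Path, [string]$Name, $Data, [string]$Kind = 'DWord')
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -LiteralPath $Path -Name $Name -Value $Data -PropertyType $Kind -Force | Out-Null
}

function Test-RegistryValue {
    param([string]$Path, [string]$Name, $Expected)
    # Read the value back from the registry instead of trusting the write call
    $actual = (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    return ($null -ne $actual -and $actual -eq $Expected)
}

function Restore-RegistryValue {
    param([string]$File)
    $s = Get-Content -LiteralPath $File -Raw | ConvertFrom-Json
    if ($s.ValueExisted) {
        Set-RegistryValue -Path $s.Path -Name $s.Name -Data $s.Data -Kind $s.Kind
        return
    }
    # The value did not exist before: remove it rather than writing a "default"
    Remove-ItemProperty -LiteralPath $s.Path -Name $s.Name -ErrorAction SilentlyContinue
    if (-not $s.KeyExisted -and (Test-Path -LiteralPath $s.Path)) {
        $key = Get-Item -LiteralPath $s.Path
        # Only delete the key if this run created it and nothing else lives in it
        if ($key.ValueCount -eq 0 -and $key.SubKeyCount -eq 0) { Remove-Item -LiteralPath $s.Path }
    }
}

Backup-RegistryValue -Path $Path -Name $Name -File $BackupFile
Set-RegistryValue    -Path $Path -Name $Name -Data $Want
if (Test-RegistryValue -Path $Path -Name $Name -Expected $Want) {
    Write-Host 'VERIFY: value applied'
} else {
    Write-Warning 'VERIFY failed'
}
Restore-RegistryValue -File $BackupFile      # the demo always rolls back
Write-Host "Key present after restore: $(Test-Path -LiteralPath $Path)"
```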
What sets us apart:
- 100% BAVR Coverage*: All settings we change are verified and restorable
- Professional Code Quality: Advanced functions, comprehensive error handling
- Complete Restore: Registry, Services, Tasks, Files - everything
- Production-Ready: Tested on Windows 11 25H2, PowerShell 5.1+
- Before v2.2.0: 89.4% verification coverage (62 settings missing)
- After v2.2.0: 100% verification coverage (all 630+ settings verified)
Important Limitations:
| Threat | Why Not Protected |
|---|---|
| Social Engineering | If users deliberately bypass all warnings and run malicious files |
| Supply-Chain Attacks | Malware embedded in legitimate signed software |
| Physical Access | Stolen device without BitLocker (use BitLocker!) |
| Nation-State Actors | Sophisticated targeted attacks require enterprise EDR/XDR |
| Zero-Day Exploits | Unknown vulnerabilities not yet patched by Microsoft |
What you need additionally:
- Regular Windows Updates - Critical for security patches
- BitLocker - For lost/stolen device protection
- User Awareness - Don't click suspicious links/attachments
- Backups - 3-2-1 backup strategy for ransomware resilience
NoID Privacy hardens your system significantly, but no security solution provides 100% protection. Defense in depth is always recommended.
Step 1: Open PowerShell as Administrator
- Press Win + X → Click "Terminal (Admin)"

Step 2: Run installer
```powershell
# Download and run (Windows 11 25H2 recommended)
irm https://raw.githubusercontent.com/NexusOne23/noid-privacy/main/install.ps1 | iex
```
What it does:
- Checks Administrator privileges
- Verifies Windows 11 25H2
- Downloads latest release from GitHub
- Extracts & unblocks all files
- Starts interactive mode
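Piping a script from a branch URL straight into `iex` runs whatever that URL serves at that moment, as Administrator, with no chance to read it first. The following added example (not part of the project) saves the installer to disk, reports its hash and signature status, and lists the lines worth reading before you decide to run it. The expected hash is a placeholder, since the page publishes none; the local file name and the pattern list are assumptions.

```powershell
# Added example: download install.ps1 for review instead of executing it directly.
$Url  = 'https://raw.githubusercontent.com/NexusOne23/noid-privacy/main/install.ps1'  # URL from this page
$File = Join-Path $env:TEMP 'noid-install.ps1'                                         # assumption: local file name
$ExpectedSha256 = '<SHA256-RECORDED-AFTER-YOUR-OWN-REVIEW>'                            # placeholder, not a published value

Invoke-WebRequest -Uri $Url -OutFile $File -UseBasicParsing

# Identity of exactly what was downloaded
$hash = (Get-FileHash -LiteralPath $File -Algorithm SHA256).Hash
$sig  = Get-AuthenticodeSignature -LiteralPath $File
Write-Host "SHA256   : $hash"
Write-Host "Signature: $($sig.Status)"   # NotSigned is common for scripts hosted in a repository

# Lines that download, execute or decode content deserve a close read
$patterns = 'Invoke-Expression|\biex\b|Invoke-WebRequest|Invoke-RestMethod|\birm\b|' +
            'DownloadString|DownloadFile|Start-Process|FromBase64String|EncodedCommand'
Select-String -LiteralPath $File -Pattern $patterns |
    Select-Object LineNumber, Line | Format-Table -AutoSize -Wrap

# Run only the reviewed copy; refuse if the file differs from the one you reviewed
if ($hash -eq $ExpectedSha256) {
    Write-Host "Hash matches the reviewed copy. To run it: & '$File'"
} else {
    Write-Warning 'Hash does not match the reviewed copy (or no hash recorded yet). Read the file before running it.'
}
```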
Alternative - Manual Install:
```powershell
# 1. Clone repository
git clone https://github.com/NexusOne23/noid-privacy.git
cd noid-privacy
# 2. Run as Admin
.\Start-NoIDPrivacy.bat
# 3. Verify after reboot
.\Tools\Verify-Complete-Hardening.ps1
```
Downloaded ZIP? Run Start-NoIDPrivacy.bat - it automatically unblocks all files!
```powershell
# Start interactive menu
.\Start-NoIDPrivacy.bat
# Follow prompts:
# 1. Select modules (all or custom)
# 2. Choose settings (DNS provider, Privacy mode, etc.)
# 3. Automatic backup → apply → verify
# 4. Reboot prompt
```

```powershell
# Apply all modules
.\NoIDPrivacy.ps1 -Module All
# Apply specific module
.\NoIDPrivacy.ps1 -Module Privacy
# Dry-run (no changes)
.\NoIDPrivacy.ps1 -Module All -DryRun
```

```powershell
# Full verification (633 checks with Paranoid mode)
.\Tools\Verify-Complete-Hardening.ps1
# Expected output (all modules enabled, Paranoid mode):
# SecurityBaseline: 425/425 verified
# ASR: 19/19 verified
# DNS: 5/5 verified
# Privacy: 78/78 verified
# AntiAI: 32/32 verified
# EdgeHardening: 24/24 verified
# AdvancedSecurity: 50/50 verified
# Total: 633/633 (100%)
```

```powershell
# Restore from latest backup
.\Core\Rollback.ps1 -RestoreLatest
# Or via interactive menu
.\Start-NoIDPrivacy.bat
# Select "Restore from backup"
```

| Module | Settings | Description | Status |
|---|---|---|---|
| SecurityBaseline | 425 | Microsoft Security Baseline 25H2 | v2.2.3 |
| ASR | 19 | Attack Surface Reduction Rules | v2.2.3 |
| DNS | 5 | Secure DNS with DoH encryption | v2.2.3 |
| Privacy | 78 | Telemetry, Bloatware, OneDrive hardening (Strict) | v2.2.3 |
| AntiAI | 32 | AI lockdown (15 features, 32 compliance checks) | v2.2.3 |
| EdgeHardening | 24 | Microsoft Edge security (24 policies) | v2.2.3 |
| AdvancedSecurity | 50 | Beyond MS Baseline (SRP, Legacy protocols, Wireless Display, Discovery Protocols, IPv6) | v2.2.3 |
| TOTAL | 633 | Complete Framework (Paranoid mode) | Production |
Release Highlights:
- v2.2.0: 100% verification coverage (all 630+ settings verified)
- v2.2.0: Improved Advanced Security module with SRP .lnk protection
- v2.2.0: Enhanced RDP hardening with TLS + NLA enforced
- v2.2.0: Legacy protocol blocking (SMBv1, NetBIOS, LLMNR, WPAD, PowerShell v2)
- v2.2.0: TLS hardening (1.0/1.1 OFF, 1.2/1.3 ON)
- v2.2.0: Windows Update interactive configuration
- v2.2.0: Finger Protocol blocked (ClickFix malware protection)
- v2.2.0: Enhanced Registry Backup (Smart JSON-Fallback for protected system keys)
Small/Medium Business (SMB)
- No Active Directory/Intune licenses
- Cloud-first (Microsoft 365, Google Workspace)
- Remote/hybrid work security
- Compliance without enterprise infrastructure
Freelancers & Consultants
- Client data protection
- Secure workstations without domain
- Professional security standards
- Safe experimentation (complete backup)
Power Users & Privacy-Conscious
- Real security, not just "debloat"
- AI/Telemetry lockdown
- Understand every setting
- Full control + reversibility
IT Pros Without Intune
- Standalone Windows 11 hardening
- Microsoft Baseline compliance locally
- Quick deploy for clients
- No domain controller required
Enterprise with Intune/AD
- Use Microsoft Security Baselines with Group Policy instead
Windows 10 or Older
- This tool is designed for Windows 11 24H2 or newer
Legacy Software Dependencies
- If you rely on unsafe SMB1/RPC/DCOM
Strict MDM Reporting
- If compliance must be centrally reported
NoID Privacy is designed for modern, officially supported Windows 11 systems.
If your PC can run Windows 11 according to Microsoft's official requirements, it is compatible with NoID Privacy:
- OS: Windows 11 24H2 or newer (25H2 fully tested)
- CPU: Any CPU on Microsoft's Windows 11 support list (Intel 8th Gen / AMD Ryzen 2000+)
- Firmware: UEFI with Secure Boot enabled
- TPM: 2.0 (required for BitLocker, Credential Guard*, VBS)
- RAM: 8 GB minimum, 16 GB recommended for VBS
- Admin Rights: Required
Short version: If Windows 11 is officially supported on your PC, NoID Privacy is supported too.
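A pre-flight check for the requirements above and for the domain-join warning earlier on this page, as an added example (not the project's own checks). The function name, output shape and the Defender name match are assumptions; run it elevated, since the Secure Boot and TPM queries need Administrator rights.

```powershell
# Added example: check this machine against the requirements listed on this page.
# Get-HardeningPreflight is a hypothetical helper, not part of NoID Privacy.
function Get-HardeningPreflight {
    $cs    = Get-CimInstance -ClassName Win32_ComputerSystem
    $build = [Environment]::OSVersion.Version.Build
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Confirm-SecureBootUEFI throws on legacy BIOS (and when not elevated); treat that as "not enabled"
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = $false }

    # Win32_Tpm.SpecVersion begins with the TPM specification version, e.g. "2.0, 0, 1.59"
    $tpm   = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpm20 = [bool]($tpm -and $tpm.SpecVersion -like '2.0*')

    # Security Center lists registered antivirus products; a non-Defender entry means ASR will be skipped
    $otherAv = @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
        Where-Object { $_.displayName -notlike '*Defender*' } |
        ForEach-Object { $_.displayName })

    $ramGb = [math]::Round($cs.TotalPhysicalMemory / 1GB)

    @(
        [pscustomobject]@{ Check = 'Running as Administrator';        Value = $isAdmin;              Ok = $isAdmin }
        [pscustomobject]@{ Check = 'Not domain-joined';               Value = -not $cs.PartOfDomain; Ok = -not $cs.PartOfDomain }
        [pscustomobject]@{ Check = 'Build 26100+ (Windows 11 24H2)';  Value = $build;                Ok = $build -ge 26100 }
        [pscustomobject]@{ Check = 'Secure Boot enabled';             Value = $secureBoot;           Ok = $secureBoot }
        [pscustomobject]@{ Check = 'TPM 2.0 present';                 Value = $tpm20;                Ok = $tpm20 }
        [pscustomobject]@{ Check = 'RAM >= 8 GB';                     Value = "$ramGb GB";           Ok = $ramGb -ge 8 }
        [pscustomobject]@{ Check = 'No third-party AV (ASR applies)'; Value = ($otherAv -join ', '); Ok = $otherAv.Count -eq 0 }
    )
}

Get-HardeningPreflight | Format-Table -AutoSize
```

A failed domain-join or third-party AV row is not an error in itself; it tells you which of the page's caveats (GPO override, skipped ASR module) applies to this machine.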
Tested & Compatible:
| OS Version | Status |
|---|---|
| Windows 11 25H2 (Build 26200+) | Fully Tested |
| Windows 11 24H2 (Build 26100+) | Compatible |
| Windows 11 23H2 or older | Not Supported |
The AdvancedSecurity and SecurityBaseline modules intentionally disable legacy and insecure protocols:
- TLS 1.0/1.1 (TLS 1.2+ required)
- NetBIOS name resolution, LLMNR, WPAD
- PowerShell v2
- Administrative shares (C$, ADMIN$) in some scenarios
- NTLMv1/LM authentication (NTLMv2 only)
This can affect very old hardware and software, for example:
- NAS, printers, IP cameras, and IoT devices that only support TLS 1.0/1.1
- Legacy Windows systems (XP, 7) and old Samba implementations
- Old management tools that rely on hidden admin shares
In practice: Environments using hardware and software from ~2018 onwards are fully compatible.
If you still depend on legacy devices, use the built-in BAVR pattern (Backup → Apply → Verify → Restore) to roll back if something breaks.
NoID Privacy is optimized for the default Windows 11 security stack:
Windows 11 + Microsoft Defender + NoID Privacy = 100% Feature Coverage (630+ Settings)
This is the recommended setup - just install Windows 11, keep Defender active, and run NoID Privacy. You get:
- All 7 modules (Security Baseline, ASR, DNS, Privacy, AntiAI, Edge, Advanced Security)
- 19 ASR rules protecting against ransomware, exploits, and malware
- Full enterprise-grade hardening with zero additional software
No problem! NoID Privacy automatically detects third-party antivirus software and adapts:
| Your Setup | What Happens | Coverage |
|---|---|---|
| Defender Active | All modules applied | 633 settings (100%) |
| 3rd-Party AV (Kaspersky, Norton, Bitdefender, etc.) | ASR skipped, all other modules applied | 614 settings (~97%) |
Why? ASR (Attack Surface Reduction) rules are a Microsoft Defender exclusive feature. Third-party antivirus products provide their own equivalent protection. NoID Privacy detects this and gracefully skips ASR while applying everything else.
When a third-party antivirus is detected, you'll see a clear notification:
```
========================================
ASR Module Skipped
========================================
Third-party antivirus detected: Kaspersky Total Security
ASR rules require Windows Defender to be active.
Your antivirus (Kaspersky Total Security) has its own protection features.
This is NOT an error - ASR will be skipped.
```
Why? Third-party antivirus products typically provide their own equivalent protection features. The rest of the hardening (Security Baseline, DNS, Privacy, Edge, Advanced Security) will still be applied.
All other modules work normally regardless of your antivirus choice.
- PSScriptAnalyzer: Available for static analysis
- Pester Tests: Unit and integration tests in Tests/ directory (.\Tests\Run-Tests.ps1)
- Verification: 630+ automated compliance checks in production
- Production-Ready: Professional error handling and comprehensive logging
- Best Practices: Advanced Functions, CmdletBinding, Validated Parameters
- Hardens Windows 11 to enterprise standards
- Implements Microsoft Security Baseline 25H2
- Protects against zero-day exploits (CVE-2025-9491)
- Minimizes telemetry to Security-Essential level
- Locks down AI features (Recall, Copilot, etc.)
- Configures BitLocker policies, Credential Guard*, VBS
- Install third-party antivirus (uses Windows Defender)
- Configure domain-specific policies
- Modify BIOS/UEFI settings
- Break critical Windows functionality
- Prevent re-enabling features
- What CAN be restored: Services, Registry, Firewall, DNS, Tasks, AI features
- What CAN be auto-restored: Most removed bloatware apps via winget during session restore (where mappings exist)
- What may still need manual reinstall: Unmapped/third-party bloatware apps (use Microsoft Store)
- Backup System: Complete system state before applying
- REMOVED_APPS_LIST.txt: Created during bloatware removal with a full list of removed apps for manual reinstall if needed
- Documented Changes: All changes logged
All settings configured for maximum security with maintained usability:
- Services: Telemetry services controlled, critical services protected
- Firewall: Inbound blocked, outbound allowed
- Privacy: Default-deny for app permissions (user can enable individually)
- BitLocker: Policies set, user must enable manually
- AI Features: Disabled via Registry (100% reversible)
All module settings can be customized via JSON files in Modules/*/Config/:
```
# Example: Adjust DNS provider
Edit: Modules/DNS/Config/Providers.json
# Example: Modify Privacy mode
Edit: Modules/Privacy/Config/Privacy-MSRecommended.json
# Example: Configure ASR exceptions
Edit: Modules/ASR/Config/ASR-Rules.json
```
Can't install software after hardening? See Temporarily Disable ASR Rule for a step-by-step solution.
"Access Denied" errors
- Not running as Administrator
- Right-click PowerShell → "Run as Administrator"
VBS/Credential Guard not active after reboot
- Credential Guard requires Windows 11 Enterprise or Education
- Hardware incompatibility (no TPM 2.0 or virtualization disabled)
- Enable virtualization in BIOS/UEFI
- Verify: .\Tools\Verify-Complete-Hardening.ps1
BitLocker not activating
- No TPM 2.0 or insufficient disk space
- Check TPM: Get-Tpm
- Manual activation: Control Panel → BitLocker
ASR blocking legitimate software installation
- ASR rule "Block executable files unless they meet prevalence" blocks unknown installers
- See Temporarily Disable ASR Rule below
Problem: ASR blocks installation of legitimate software (e.g., downloaded installers not in Microsoft's reputation database)
Blocked Rule: 01443614-cd74-433a-b99e-2ecdc07bfc25 ("Block executable files unless they meet prevalence, age, or trusted list")
Solution: Temporarily set the rule to AUDIT mode (warns only, doesn't block)
Step 1: Disable Tamper Protection (GUI method - easiest)
- Press Win key → Type "Windows Security" → Enter
- Go to: Virus & threat protection
- Click: Manage settings
- Scroll down to: Tamper Protection → Toggle OFF
Step 2: Set ASR Rule to AUDIT (PowerShell as Admin)
```powershell
# Get current ASR configuration
$currentIds = (Get-MpPreference).AttackSurfaceReductionRules_Ids
$currentActions = (Get-MpPreference).AttackSurfaceReductionRules_Actions
# Convert to arrays
$ids = @($currentIds)
$actions = @($currentActions)
# Find the prevalence rule
$targetGuid = "01443614-cd74-433a-b99e-2ecdc07bfc25"
$index = [array]::IndexOf($ids, $targetGuid)
# Stop if the rule is not configured: an index of -1 would address the LAST rule in the list
if ($index -lt 0) { throw "ASR rule $targetGuid is not configured on this system" }
# Set to AUDIT (2 = Audit, 1 = Block)
$actions[$index] = 2
# Apply changes
Set-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions
Write-Host " ASR Prevalence Rule: AUDIT (Installation now possible)" -ForegroundColor Green
```
Step 3: Install your software
Step 4: Re-enable the ASR Rule (PowerShell as Admin)
```powershell
# Get current ASR configuration
$currentIds = (Get-MpPreference).AttackSurfaceReductionRules_Ids
$currentActions = (Get-MpPreference).AttackSurfaceReductionRules_Actions
# Convert to arrays
$ids = @($currentIds)
$actions = @($currentActions)
# Find the prevalence rule
$targetGuid = "01443614-cd74-433a-b99e-2ecdc07bfc25"
$index = [array]::IndexOf($ids, $targetGuid)
# Stop if the rule is not configured: an index of -1 would address the LAST rule in the list
if ($index -lt 0) { throw "ASR rule $targetGuid is not configured on this system" }
# Set back to BLOCK
$actions[$index] = 1
# Apply changes
Set-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions
Write-Host " ASR Prevalence Rule: BLOCK (Protection restored)" -ForegroundColor Green
```
Step 5: Re-enable Tamper Protection (Windows Security → Toggle ON)
IMPORTANT: Always re-enable both the ASR rule AND Tamper Protection after installation!
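To confirm that both protections really are back on, and to see what the prevalence rule let through while it was in audit mode, the following added example (not part of NoID Privacy) reads the state back from Defender. The function name is hypothetical; the action codes (0 Disabled, 1 Block, 2 Audit, 6 Warn) and event IDs 1121/1122 are Microsoft Defender's documented values.

```powershell
# Added example: post-install check for the ASR prevalence rule and Tamper Protection.
$PrevalenceRule = '01443614-cd74-433a-b99e-2ecdc07bfc25'      # rule GUID from this page
$ActionNames    = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Pair each configured rule GUID with a readable action name
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $code = [int]$actions[$i]
        [pscustomobject]@{
            RuleId = ([string]$ids[$i]).ToLowerInvariant()
            Action = if ($ActionNames.ContainsKey($code)) { $ActionNames[$code] } else { "Unknown ($code)" }
        }
    }
}

$rule   = Get-AsrRuleState | Where-Object { $_.RuleId -eq $PrevalenceRule }
$tamper = (Get-MpComputerStatus).IsTamperProtected

if (-not $rule) {
    Write-Warning 'Prevalence rule is not configured at all'
} elseif ($rule.Action -ne 'Block') {
    Write-Warning "Prevalence rule is still in '$($rule.Action)' mode"
} else {
    Write-Host 'Prevalence rule: Block'
}
if (-not $tamper) { Write-Warning 'Tamper Protection is still OFF' } else { Write-Host 'Tamper Protection: ON' }

# Event 1121 = ASR rule blocked something, 1122 = ASR rule matched in audit mode.
# Reviewing 1122 entries shows every file the rule would have blocked during the install window.
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $PrevalenceRule } |
    Select-Object TimeCreated, Id,
        @{ Name = 'Mode'; Expression = { if ($_.Id -eq 1121) { 'Block' } else { 'Audit' } } },
        Message |
    Format-List
```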
Problem: After applying Privacy hardening (MSRecommended mode), Windows Insider enrollment requires extra steps.
Cause: Privacy module sets AllowTelemetry=1 (Required diagnostic data) via Group Policy, which prevents the user from enabling "Optional diagnostic data" in Settings - a requirement for Insider Program enrollment.
Solution:
Step 1: Temporarily remove the telemetry policy (PowerShell as Admin)
```powershell
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Name "AllowTelemetry"
```
Step 2: Reboot (recommended for policy changes to take effect)
```powershell
Restart-Computer
```
Step 3: Join Windows Insider Program
- Go to: Settings > Windows Update > Windows Insider Program
- Click: Get Started
- When prompted, enable "Optional diagnostic data"
- Complete Insider enrollment and select your channel (Dev/Beta/Release Preview)
Step 4 (Optional): Re-apply Privacy hardening
```powershell
.\NoIDPrivacy.ps1 -Module Privacy
```
Note: Once enrolled in the Insider Program, Windows will continue to receive preview builds even after re-applying Privacy hardening with AllowTelemetry=1.
All operations logged to:
Logs/NoIDPrivacy_YYYYMMDD_HHMMSS.log
Example: NoIDPrivacy_20251117_142345.log
- Features - Complete 630+ setting reference
- Changelog - Version history
- Quick Start - Installation guide (see above)
- Troubleshooting - Common issues (see above)
- Discussions - Questions and ideas
- Issues - Bug reports only
- Documentation - Complete feature reference
- Microsoft Security Baseline Team for Windows 11 25H2 guidance
- PowerShell Community for best practices and patterns
- Open Source Contributors for testing and feedback
NoID Privacy is available under a dual-licensing model:
For individuals, researchers, and open-source projects:
This project is licensed under the GNU General Public License v3.0 (GPL-3.0).
You CAN:
- Use the software freely for personal and commercial purposes
- Modify the source code
- Distribute the software
- Distribute your modifications

You MUST:
- Disclose your source code when distributing
- License your modifications under GPL v3.0
- Include the original copyright notice
- State significant changes made to the software
Read the full GPL v3.0 License
For companies and organizations that want to:
- Integrate this software into closed-source/proprietary products
- Distribute this software without disclosing source code
- Receive dedicated commercial support and warranties
- Avoid GPL v3.0 copyleft requirements
Contact:
- Email: [email protected] (Preferred for commercial inquiries)
- GitHub: Discussions (Public questions)
This software implements security configurations based on:
- Microsoft Security Baselines - Public documentation
- Microsoft Defender ASR Rules - Official documentation
- DNS Providers - Cloudflare, Quad9, AdGuard (public services)
Microsoft, Windows, and Edge are trademarks of Microsoft Corporation. This project is not affiliated with Microsoft.
This script modifies critical system settings. Use at your own risk. Always:
- Create a system backup before running
- Test in a VM first
- Review the code to understand changes
- Verify compatibility with your environment
The authors are not responsible for any damage or data loss.
Current Version: 2.2.3 • Last Updated: January 7, 2026 • Status: Production-Ready
- Critical Fix: Restore Mode manual module selection crash
- Fix: .Split() wrong .NET overload → -split operator
- Performance: Firewall snapshot 60-120s → 2-5s (batch query fix)
- Version alignment across 60+ framework files
- Critical Fix: Multi-run session bug (auditpol backup failures when running multiple times)
- Fix: .Count property bug in 5 files (Where-Object single-object results)
- Improved: ASR prompt text ("untrusted" → "new software" - more neutral)
Made with 🛡️ for the Windows Security Community
