Windows 10 Lockdown

von Andreas Schreiner · Veröffentlicht 18. Oktober 2017 · Aktualisiert 15. Januar 2020

Seit Windows 10 Version 1703 habe ich damit begonnen, meine Lock-Down Einstellungen zu dokumentieren. Einige Einstellungen sind auch bereits in älteren Versionen enthalten.

Hier meine Tips, um die Sicherheit des Systems und die Datenvertraulichkeit per GPO, Registry und Scripts wieder etwas zu verbessern.

Die Einstellungen beziehen sich auf die konfiguration für einen stationären Arbeitsplatz. Bei z.B. Windows Tablets und 2-in-1-Geräten kann es durchaus sinnvoll sein, andere/offenere Einstellungen zu wählen (z.B. macht ein Tablet mit Webcam wenig Sinn, wenn der Zugriff auf die Kamera verboten und deren Konfiguration ausgeblendet ist).

Der Beitrag wird regelmäßig mit Einstellungen für die neuen Releases aktualisiert.

——–

System Einstellungen

Windows Settings / System / Shared experiences

Computer Configuration / Administrative Templates / System / Group Policy / Continue experiences on this device - DISABLED

Hinweis: Wer die neu eingeführte Phone-Koppelung nutzen möchte, der benötigt eine aktive Shared Experience Einstellung.

——–

Account Einstellungen

Windows Settings / Accounts / Sync your settings

Computer Configuration / Administrative Templates / Windows Components / Sync your settings / Do not sync - ENABLED
Computer Configuration / Administrative Templates / Windows Components / Sync your settings / Do not sync / Allow users to turn syncing on - DISABLED

——–

Geräte Einstellungen

Windows Settings / Devices / AutoPlay

Computer Configuration / Administrative Templates / Windows Components / AutoPlay Policies / Turn off Autoplay - ENABLED

——–

Gaming Einstellungen

Windows Settings / Gaming

Computer Configuration / Administrative Templates / Windows Components / Windows Game Recording and Broadcasting / Enables or disables the Windows Game Recording and Broadcasting - DISABLED

———

Privacy Einstellungen

Windows Settings / Privacy / General

Computer Configuration / Administrative Templates / System / User Profiles / Turn off the advertising ID - ENABLED
User Configuration / Preferences / Registry - New Registry Item
 General / Action: Update
 General / Hive: HKEY_CURRENT_USER
 General / Key Path: Control Panel\International\User Profile
 General / Value name: HttpAcceptLanguageOptOut
 General / Value type: REG_DWORD
 General / Value data: 1
 Common / Run in logged-on user's security context - CHECKED
User Configuration / Preferences / Registry - New Registry Item
 General / Action: Update
 General / Hive: HKEY_CURRENT_USER
 General / Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
 General / Value name: Start_TrackProgs
 General / Value type: REG_DWORD
 General / Value data: 0
 Common / Run in logged-on user's security context - CHECKED

Windows Settings / Privacy / Location

Computer Configuration / Administrative Templates / Windows Components / Location and Sensors / Turn off location - ENABLED
Computer Configuration / Administrative Templates / Windows Components / App Privacy / Let Windows Apps access location - DISABLED
Computer Configuration / Administrative Templates / Windows Components / App Privacy / Let Windows Apps access location / Default for all apps - FORCE DENY

Windows Settings / Privacy / Camera

Computer Configuration / Administrative Templates / Windows Components / App Privacy / Let Windows Apps access the camera - DISABLED
Computer Configuration / Administrative Templates / Windows Components / App Privacy / Let Windows Apps access the camera / Default for all apps - FORCE DENY

Windows Settings / Privacy / Microphone

Computer Configuration / Administrative Templates / Windows Components / App Privacy / Let Windows Apps access the microphone - DISABLED
Computer Configuration / Administrative Templates / Windows Components / App Privacy / Let Windows Apps access the microphone / Default for all apps - FORCE DENY

Windows Settings / Privacy / Notifications

Computer Configuration / Administrative Templates / Windows Components / App Privacy / Let Windows Apps access notifications - DISABLED
Computer Configuration / Administrative Templates / Windows Components / App Privacy / Let Windows Apps access notifications / Default for all apps - FORCE DENY

Windows Settings / Privacy / Motion

Computer Configuration / Administrative Templates / Windows Components / App Privacy / Let Windows Apps access motion - DISABLED
Computer Configuration / Administrative Templates / Windows Components / App Privacy / Let Windows Apps access motion / Default for all apps - FORCE DENY

Windows Settings / Privacy / Account info

Computer Configuration / Administrative Templates / Windows Components / App Privacy / Let Windows Apps access account information - DISABLED
Computer Configuration / Administrative Templates / Windows Components / App Privacy / Let Windows Apps access account information / Default for all apps - FORCE DENY

Windows Settings / Privacy / Contacts

Computer Configuration / Administrative Templates / Windows Components / App Privacy / Let Windows Apps access contacts - DISABLED
Computer Configuration / Administrative Templates / Windows Components / App Privacy / Let Windows Apps access contacts / Default for all apps - FORCE DENY

Windows Settings / Privacy / Calendar

Computer Configuration / Administrative Templates / Windows Components / App Privacy / Let Windows Apps access calendar - DISABLED
Computer Configuration / Administrative Templates / Windows Components / App Privacy / Let Windows Apps access calendar / Default for all apps - FORCE DENY

Windows Settings / Privacy / Call history

Computer Configuration / Administrative Templates / Windows Components / App Privacy / Let Windows Apps access call history - DISABLED
Computer Configuration / Administrative Templates / Windows Components / App Privacy / Let Windows Apps access call history / Default for all apps - FORCE DENY

Windows Settings / Privacy / Email

Computer Configuration / Administrative Templates / Windows Components / App Privacy / Let Windows Apps access email - DISABLED
Computer Configuration / Administrative Templates / Windows Components / App Privacy / Let Windows Apps access email / Default for all apps - FORCE DENY

Windows Settings / Privacy / Tasks

Computer Configuration / Administrative Templates / Windows Components / App Privacy / Let Windows Apps access Tasks - DISABLED
Computer Configuration / Administrative Templates / Windows Components / App Privacy / Let Windows Apps access Tasks / Default for all apps - FORCE DENY

Windows Settings / Privacy / Messaging

Computer Configuration / Administrative Templates / Windows Components / App Privacy / Let Windows Apps access messaging - DISABLED
Computer Configuration / Administrative Templates / Windows Components / App Privacy / Let Windows Apps access messaging / Default for all apps - FORCE DENY

Windows Settings / Privacy / Radios

Computer Configuration / Administrative Templates / Windows Components / App Privacy / Let Windows Apps access radios - DISABLED
Computer Configuration / Administrative Templates / Windows Components / App Privacy / Let Windows Apps access radios / Default for all apps - FORCE DENY

Windows Settings / Privacy / Other devices

Computer Configuration / Administrative Templates / Windows Components / App Privacy / Let Windows Apps access trusted devices - DISABLED
Computer Configuration / Administrative Templates / Windows Components / App Privacy / Let Windows Apps access trusted devices / Default for all apps - FORCE DENY

Windows Settings / Privacy / Radios

Computer Configuration / Administrative Templates / Windows Components / App Privacy / Let Windows Apps control radios - DISABLED
Computer Configuration / Administrative Templates / Windows Components / App Privacy / Let Windows Apps control radios / Default for all apps - FORCE DENY

Windows Settings / Privacy / Phone calls

Computer Configuration / Administrative Templates / Windows Components / App Privacy / Let Windows Apps make phone calls - DISABLED
Computer Configuration / Administrative Templates / Windows Components / App Privacy / Let Windows Apps make phone calls / Default for all apps - FORCE DENY

Windows Settings / Privacy / Feedback & diagnostics

Computer Configuration / Administrative Templates / Windows Components / Windows Error Reporting / Disable Windows Error Reporting - ENABLED

Windows Settings / Privacy / Background apps

Computer Configuration / Administrative Templates / Windows Components / App Privacy / Let Windows Apps run in the background - DISABLED
Computer Configuration / Administrative Templates / Windows Components / App Privacy / Let Windows Apps run in the background / Default for all apps - FORCE DENY

Windows Settings / Privacy / App diagnostics

Computer Configuration / Windows Components / App Privacy / Let Windows Apps access diagnostic information about other apps - DISABLED
Computer Configuration / Windows Components / App Privacy / Let Windows Apps access diagnostic information about other apps / Default for all apps - FORCE DENY

———-

Update & Sicherheitseinstellungen

Windows Settings / Update & security / Windows Insider Program

Computer Configuration / Administrative Templates / Windows Components / Data collection and Preview Builds / Disable pre-release features or settings - ENABLED
Computer Configuration / Administrative Templates / Windows Components / Data collection and Preview Builds / Do not show feedback notifications - ENABLED
Computer Configuration / Administrative Templates / Windows Components / Data collection and Preview Builds / Toggle user control over Insider Builds - DISABLED

Windows Settings / Update & security / Windows Updates

Computer Configuration / Administrative Templates / Windows Components / Delivery Optimization / Download Mode - ENABLED
Computer Configuration / Administrative Templates / Windows Components / Delivery Optimization / Download Mode [Download Mode: None]

——–

Settings

Hinweis: Für die Ein-/Ausblendung muss das jeweilige Setting ohne „ms-settings:“ eingetragen werden!

Home

ms-settings: > Settings

System

ms-settings:about > About
ms-settings:clipboard > Clipboard
ms-settings:display > Display
- ms-settings:nightlight > Night light
ms-settings:display-advanced > Advanced Display Options
ms-settings:notifications > Notifications
ms-settings:powersleep > Power & sleep
ms-settings:batterysaver > Battery
- ms-settings:batterysaver-settings > Battery saver settings
- ms-settings:batterysaver-usagedetails > Battery usage by app
ms-settings:storagesense > Storage
- ms-settings:savelocations > Save locations
- ms-settings:storagepolicies > Change how we free up space
ms-settings:tabletmode > Tablet mode
ms-settings:multitasking > Multitasking
ms-settings:project > Projecting to this PC
ms-settings:crossdevice > Shared experiences
ms-settings:remotedesktop > Remote Desktop
ms-settings:deviceencryption > Encryption

Devices

ms-settings:bluetooth > Bluetooth & other devices
- ms-settings:connecteddevices > Connected devices
ms-settings:printers > Printers & scanners
ms-settings:mousetouchpad > Mouse
ms-settings:devices-touchpad > Touchpad
ms-settings:typing > Typing
ms-settings:pen > Pen & Windows Ink
ms-settings:autoplay > AutoPlay
ms-settings:usb > USB

Phone

ms-settings:mobile-devices > Phone settings
ms-settings:mobile-devices-addphone > Add Phone

Network & Internet

ms-settings:network-status > Status
ms-settings:network-ethernet > Ethernet
ms-settings:network-wifi > Wi-Fi
ms-settings:network-wificalling > Wi-Fi Calling
- ms-settings:network-wifisettings > Manage known networks
ms-settings:network-cellular > Cellular
ms-settings:network-dialup > Dial-up
ms-settings:network-directaccess > Direct Access
ms-settings:network-vpn > VPN
ms-settings:network-airplanemode > Airplane mode
ms-settings:network-mobilehotspot > Mobile hotspot
ms-settings:datausage > Data usage
ms-settings:network-proxy > Proxy

Personalization

ms-settings:personalization
ms-settings:personalization-background > Background
ms-settings:colors > Colors
ms-settings:lockscreen > Lock screen
ms-settings:themes > Themes
ms-settings:personalization-start > Start
ms-settings:taskbar > Taskbar

Apps

ms-settings:appsfeatures > Apps & features
- ms-settings:optionalfeatures > Manage optional features
ms-settings:defaultapps > Default apps
ms-settings:maps > Offline maps
- ms-settings:maps-downloadmaps > Download offline maps
ms-settings:appsforwebsites > Apps for websites
ms-settings:videoplayback > Video playback

Accounts

ms-settings:yourinfo > Your info
ms-settings:emailandaccounts > Email & app accounts
ms-settings:signinoptions > Sign-in options
- ms-settings:signinoptions-launchfaceenrollment > Windows Hello!
- ms-settings:signinoptions-launchfingerprintenrollment
- ms-settings:signinoptions-launchpinenrollment > PIN
ms-settings:workplace > Access work or school
ms-settings:otherusers > Family & other people
ms-settings:sync > Sync your settings

Time & language

ms-settings:dateandtime > Date & time
- ms-settings:keyboard > Keyboard
ms-settings:regionandlanguage > Region & language
ms-settings:speech > Speech

Gaming

ms-settings:gaming-gamebar > Game bar / 1703
ms-settings:gaming-damedvr > Game DVR / 1703
ms-settings:gaming-broadcasting > Broadcasting / 1703
ms-settings:gaming-gamemode > Game Mode / 1703
ms-settings:gaming-trueplay > TruePlay / 1709
ms-settings:gaming-xboxnetworking > Xbox Networking / 1709

Ease of Access

ms-settings:easeofaccess-narrator > Narrator
ms-settings:easeofaccess-magnifier > Magnifier
ms-settings:easeofaccess-highcontrast > Color & high contrast
ms-settings:easeofaccess-closedcaptioning > Closed captions
ms-settings:easeofaccess-keyboard > Keyboard
ms-settings:easeofaccess-mouse > Mouse
ms-settings:easeofaccess-otheroption > Other options

Cortana

ms-settings:cortana > Talk to Cortana
ms-settings:cortana-permissions > Permissions & history
ms-settings:cortana-notifications > Notifications
ms-settings:cortana-moredetails > More details
- ms-settings:cortana-language > Cortana Language

Privacy

ms-settings:privacy
ms-settings:privacy-general > General
ms-settings:privacy-location > Location
ms-settings:privacy-webcam > Camera
ms-settings:privacy-microphone > Microphone
ms-settings:privacy-notifications > Notifications
ms-settings:privacy-speechtyping > Speech, inking & typing
ms-settings:privacy-accountinfo > Account info
ms-settings:privacy-contacts > Contacts
ms-settings:privacy-calendar > Calendar
ms-settings:privacy-callhistory > Call history
ms-settings:privacy-email > Email
ms-settings:privacy-tasks > Tasks
ms-settings:privacy-messaging > Messaging
ms-settings:privacy-motion > Motion
ms-settings:privacy-radios > Radios
ms-settings:privacy-customdevices > Other devices
ms-settings:privacy-feedback > Feedback & diagnostics
ms-settings:privacy-backgroundapps > Background Apps
ms-settings:privacy-appdiagnostics > App diagnostics
ms-settings:privacy-automaticfiledownloads > Automatic file downloads

Update & Security

ms-settings:windowsupdate > Windows Update
- ms-settings:windowsupdate-action > Check for updates
- ms-settings:windowsupdate-history > Update history
- ms-settings:windowsupdate-restartoptions > Restart options
- ms-settings:windowsupdate-options > Advanced options
  - ms-settings:delivery-optimization > Delivery optimization
ms-settings:windowsdefender > Windows Defender
ms-settings:backup > Backup
ms-settings:recovery > Recovery
ms-settings:troubleshoot > Troubleshoot
ms-settings:activation > Activation
ms-settings:findmydevice > Find my device
ms-settings:developers > For developers
ms-settings:windowsinsider > Windows Insider Program

Search

ms-settings:search
ms-settings:search-?? > Permissions & history
ms-settings:search-?? > More details

——–

Sonstiges

Cortana

Computer Configuration / Administrative Templates / Windows Components / Search / Allow Cortana - DISABLED
Computer Configuration / Administrative Templates / Windows Components / Search / Don't search the web or display web results in Search - ENABLED
Computer Configuration / Administrative Templates / Windows Components / Search / Prevent automatically adding shared folders to the Windows Search index - ENABLED

Telemetrie deaktivieren

Computer Configuration / Administrative Templates / Windows Components / Application Compatibility / Turn of Application Telemetry - ENABLED
Computer Configuration / Administrative Templates / Windows Components / Data Collection and Preview Builds / Allow Telemetry - ENABLED
Computer Configuration / Administrative Templates / Windows Components / Data Collection and Preview Builds / Allow Telemetry [1 - Basic]

Teredo abschalten

Computer Configuration / Administrative Templates / Network / TCPIP Settings / IPv6 Transition Technologies / Set Teredo State - ENABLED
Computer Configuration / Administrative Templates / Network / TCPIP Settings / IPv6 Transition Technologies / Set Teredo State [State: Disabled State]

Microsoft Edge Browser: Suchmaschine ändern auf Google

Computer Configuration / Administrative Templates / Windows Components / Microsoft Edge / Allow search engine customization - ENABLED
Computer Configuration / Administrative Templates / Windows Components / Microsoft Edge / Configure additional search engines - ENABLED
Computer Configuration / Administrative Templates / Windows Components / Microsoft Edge / Configure additional search engines [https://www.google.com/searchdomaincheck?format=opensearch]

Live Tiles abschalten

Computer Configuration / Administrative Templates / Startmenu and Taskbar / Notifications / Turn off tile notifications - ENABLED

Microsoft Store: App Suche im Explorer deaktivieren

Computer Configuration / Administrative Templates / System / Internet Communication Management / Internet Communication settings / Turn of access to the Store - ENABLED

OneDrive Download bei Bedarf deaktivieren/aktivieren

User Configuration / Preferences / Registry - New Registry
 Item General / Action: Update
 General / Hive: HKEY_CURRENT_USER
 General / Key Path: Software\Microsoft\OneDrive
 General / Value name: EnablePlaceholdersByDefault
 General / Value type: REG_DWORD
 General / Value data: {0|1}

0 = Datei-Download bei Bedarf ist deaktiviert / Dateien immer Offline synchronisieren ist aktiviert
1 = Datei-Download bei Bedarf ist aktiviert / Dateien immer Offline synchronisieren ist deaktiviert

Scheduled Tasks

Windows 10 beinhaltet eine Unmenge an Scheduled Task, deren einzige Aufgaben das Ausbremsen des PCs und Reporting von Daten an Microsoft sind. Über die CMD kann man mit folgenden Befehlen die Tasks deaktivieren (es kommt vor, dass nicht alle Tasks aus der Liste existieren – umso besser):

schtasks /Change /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /disable
schtasks /Change /TN "Microsoft\Windows\Application Experience\AitAgent" /disable
schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable
schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable
schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /disable
schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /disable
schtasks /Change /TN "Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /disable
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /disable
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /disable
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" /disable
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /disable
schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /disable
schtasks /Change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /disable
schtasks /Change /TN "Microsoft\Windows\FileHistory\File History (maintenance mode)" /disable
schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /disable
schtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /disable
schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /disable
schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyMonitor" /disable
schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyRefresh" /disable
schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyUpload" /disable
schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /disable

Quellen:
https://docs.microsoft.com/en-us/windows/uwp/launch-resume/launch-settings-app

Michael Müller sagt:

15. Januar 2020 um 7:41 Uhr

Hallo,
erst einmal vielen Dank für die Aufstellung!
Gibt es die Möglichkeit die Einstellungen irgendwo herunterzuladen?
Und gab es seit Dezember 2018 eine Neuerung, dass der Lockdown nicht mehr benötigt wird?

Mit freundlichen Grüßen,
Michael Müller

Antworten
- Andreas Schreiner sagt:
  
  15. Januar 2020 um 7:47 Uhr
  
  Hallo Michael
  Danke für die Rückmeldung. Ein Download-Möglichkeite gibt’s aktuell leider (noch) nicht.
  Die Lockdown-Einstellungen sind aktuell noch für max. Release 1809, aus zeitlichen Gründen habe ich das in letzter Zeit nicht mehr aktualisiert. Versuche das nachzuholen, sobald ich dazu komme.
  Gruß
  Andreas Schreiner
  
  Antworten

Schreibe einen Kommentar Antworten abbrechen

Diese Website verwendet Akismet, um Spam zu reduzieren. Erfahre mehr darüber, wie deine Kommentardaten verarbeitet werden.

M	D	M	D	F	S	S
		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30	31
« Apr				Jun »