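# NOTE(review): a script-wide 'SilentlyContinue' hides every failure, including
# hardening values that were never written. Later sections pass
# $ErrorActionPreference explicitly, so the value itself is kept; the helpers
# below use -ErrorAction Stop locally and report what could not be applied.
$ErrorActionPreference = 'SilentlyContinue'

# Returns $true when the current token holds the built-in Administrators role,
# i.e. the process is already elevated.
function Test-IsAdmin {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Relaunch elevated when needed. The script folder is handed over as working
# directory so the elevated instance resolves the relative tool paths used later
# ("./OOSU10.exe", "./ninite.exe") next to this script rather than wherever the
# elevated shell happens to start.
if (-not (Test-IsAdmin)) {
    Read-Host -Prompt "The script needs Administrator privileges! [ENTER to confirm.]"
    $relaunch = @{
        FilePath     = 'powershell.exe'
        ArgumentList = "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`""
        Verb         = 'RunAs'
    }
    if ($PSScriptRoot) { $relaunch['WorkingDirectory'] = $PSScriptRoot }
    Start-Process @relaunch
    Exit
}

# Anchor relative paths to the script folder for the rest of the run.
# $PSScriptRoot is empty when the code is pasted interactively; leave CWD alone then.
if ($PSScriptRoot) { Set-Location -LiteralPath $PSScriptRoot }

# Translates an account name to its SID string. Kept for compatibility; the
# profile loop below reads the SID straight from Win32_UserProfile instead,
# because a profile folder name is not guaranteed to equal the account name
# (renamed accounts, "user.DOMAIN" folders).
function Get-UserSID {
    param (
        [string]$Username
    )
    $account = New-Object System.Security.Principal.NTAccount($Username)
    return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Creates the registry key when it is missing, then writes the value.
# Set-ItemProperty alone does not create keys, and most *\Policies\* keys do not
# exist on a fresh install, so without this the policy values were silently
# skipped. Failures are reported with Write-Warning instead of being hidden.
#   -Path  : full provider path (HKLM:\..., Registry::HKEY_USERS\<SID>\...)
#   -Name  : value name; '(Default)' addresses the key's default value
#   -Value : data to write
#   -Type  : registry kind (DWord, QWord, String, MultiString, ...); DWord by default
function Set-RegistryValue {
    param (
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][AllowEmptyString()]$Value,
        [string]$Type = 'DWord'
    )
    try {
        if (-not (Test-Path -LiteralPath $Path)) {
            New-Item -Path $Path -Force -ErrorAction Stop | Out-Null
        }
        Set-ItemProperty -LiteralPath $Path -Name $Name -Value $Value -Type $Type -Force -ErrorAction Stop
    } catch {
        Write-Warning "Could not set '$Name' under '$Path': $($_.Exception.Message)"
    }
}

# Applies the per-user privacy / UI settings to the hive mounted at
# HKEY_USERS\<UserSID>. The caller is responsible for making sure that hive is
# loaded (see the profile loop below).
function Set-HKCUSettings {
    param (
        [string]$UserSID
    )
    $userHive = "Registry::HKEY_USERS\$UserSID"
    Write-Output "Applying settings for user SID: $UserSID"

    $cdm      = 'Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager'
    $advanced = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $themes   = 'Software\Microsoft\Windows\CurrentVersion\Themes'
    $cloud    = 'Software\Policies\Microsoft\Windows\CloudContent'
    $siuf     = 'Software\Microsoft\Siuf\Rules'

    # Key (relative to the user hive), value name, data and kind (DWord unless given).
    $settings = @(
        # Windows Recall / Copilot
        @{ Key = 'Software\Policies\Microsoft\Windows\WindowsAI';      Name = 'DisableAIDataAnalysis'; Value = 1 }
        @{ Key = 'Software\Policies\Microsoft\Windows\WindowsCopilot'; Name = 'TurnOffWindowsCopilot'; Value = 1 }
        # Content delivery: suggested / silently installed apps, Start suggestions
        @{ Key = $cdm; Name = 'ContentDeliveryAllowed';          Value = 0 }
        @{ Key = $cdm; Name = 'OemPreInstalledAppsEnabled';      Value = 0 }
        @{ Key = $cdm; Name = 'PreInstalledAppsEnabled';         Value = 0 }
        @{ Key = $cdm; Name = 'PreInstalledAppsEverEnabled';     Value = 0 }
        @{ Key = $cdm; Name = 'SilentInstalledAppsEnabled';      Value = 0 }
        @{ Key = $cdm; Name = 'SubscribedContent-338387Enabled'; Value = 0 }
        @{ Key = $cdm; Name = 'SubscribedContent-338388Enabled'; Value = 0 }
        @{ Key = $cdm; Name = 'SubscribedContent-338389Enabled'; Value = 0 }
        @{ Key = $cdm; Name = 'SubscribedContent-353698Enabled'; Value = 0 }
        @{ Key = $cdm; Name = 'SubscribedContent-338393Enabled'; Value = 0 }
        @{ Key = $cdm; Name = 'SubscribedContent-353694Enabled'; Value = 0 }
        @{ Key = $cdm; Name = 'SubscribedContent-353696Enabled'; Value = 0 }
        @{ Key = $cdm; Name = 'SystemPaneSuggestionsEnabled';    Value = 0 }
        # Typing telemetry off; opt out of sending the language list in HTTP Accept-Language
        @{ Key = 'Software\Microsoft\Input\TIPC';            Name = 'Enabled';                  Value = 0 }
        @{ Key = 'Control Panel\International\User Profile'; Name = 'HttpAcceptLanguageOptOut'; Value = 1 }
        # Taskbar: left-aligned, no Task View / Chat / Widgets buttons
        @{ Key = $advanced; Name = 'TaskbarAl';          Value = 0 }
        @{ Key = $advanced; Name = 'ShowTaskViewButton'; Value = 0 }
        @{ Key = $advanced; Name = 'TaskbarMn';          Value = 0 }
        @{ Key = $advanced; Name = 'TaskbarDa';          Value = 0 }
        # Dark theme
        @{ Key = "$themes\Personalize"; Name = 'SystemUsesLightTheme'; Value = 0 }
        @{ Key = "$themes\Personalize"; Name = 'AppsUseLightTheme';    Value = 0 }
        @{ Key = $themes; Name = 'CurrentTheme'; Value = 'C:\Windows\resources\Themes\dark.theme'; Type = 'String' }
        @{ Key = $themes; Name = 'ThemeMRU';     Value = 'C:\Windows\resources\Themes\dark.theme;C:\Windows\resources\Themes\aero.theme;'; Type = 'MultiString' }
        # Feedback prompts (SIUF) off
        @{ Key = $siuf; Name = 'NumberOfSIUFInPeriod'; Value = 0 }
        @{ Key = $siuf; Name = 'PeriodInNanoSeconds';  Value = 0; Type = 'QWord' }
        # Start-menu app tracking, Spotlight / tailored content
        @{ Key = $advanced; Name = 'Start_TrackProgs'; Value = 0 }
        @{ Key = $cloud; Name = 'DisableTailoredExperiencesWithDiagnosticData'; Value = 1 }
        @{ Key = $cloud; Name = 'DisableWindowsSpotlightFeatures';              Value = 1 }
        @{ Key = $cloud; Name = 'DisableThirdPartySuggestions';                 Value = 1 }
        # Explorer: always show extensions (makes "invoice.pdf.exe" visible), no thumbs.db on shares
        @{ Key = $advanced; Name = 'HideFileExt'; Value = 0 }
        @{ Key = 'Software\Policies\Microsoft\Windows\Explorer'; Name = 'DisableThumbsDBOnNetworkFolders'; Value = 1 }
        # Restore the Windows 10 context menu (empty InprocServer32 default value)
        @{ Key = 'Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32'; Name = '(Default)'; Value = ''; Type = 'String' }
        # Explorer opens at "This PC"
        @{ Key = $advanced; Name = 'LaunchTo'; Value = 1 }
    )

    foreach ($entry in $settings) {
        $kind = if ($entry['Type']) { $entry['Type'] } else { 'DWord' }
        Set-RegistryValue -Path "$userHive\$($entry.Key)" -Name $entry.Name -Value $entry.Value -Type $kind
    }
}

# Apply the settings to every non-special local profile.
# - The profile's own SID is used (no name-to-SID translation of the folder name).
# - Hives of users who are not logged on are not mounted under HKEY_USERS, so they
#   are loaded from NTUSER.DAT for the duration of the update and unloaded again;
#   previously those profiles were silently skipped.
# - $userProfile is used instead of $profile, which shadows the automatic $PROFILE.
$profiles = Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special -and $_.LocalPath }

foreach ($userProfile in $profiles) {
    $sid        = $userProfile.SID
    $hivePath   = "Registry::HKEY_USERS\$sid"
    $loadedHere = $false
    try {
        if (-not (Test-Path -LiteralPath $hivePath)) {
            $ntuser = Join-Path $userProfile.LocalPath 'NTUSER.DAT'
            if (-not (Test-Path -LiteralPath $ntuser)) {
                Write-Warning "Skipping $($userProfile.LocalPath): hive not loaded and no NTUSER.DAT found."
                continue
            }
            & reg.exe load "HKU\$sid" $ntuser | Out-Null
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "Skipping $($userProfile.LocalPath): could not load hive (reg.exe exit code $LASTEXITCODE)."
                continue
            }
            $loadedHere = $true
        }
        Set-HKCUSettings -UserSID $sid
    } finally {
        if ($loadedHere) {
            # Drop handles the registry provider may still hold, otherwise unload fails.
            [gc]::Collect()
            [gc]::WaitForPendingFinalizers()
            & reg.exe unload "HKU\$sid" | Out-Null
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "Hive for $sid could not be unloaded (reg.exe exit code $LASTEXITCODE)."
            }
        }
    }
}
Write-Host "Settings applied to all user profiles."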
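# ---------------------------------------------------------------------
# Bloatware / Service configuration Array to Remove / to be Disabled
# ---------------------------------------------------------------------
$Bloatware = @(
    "*Spotify*",
    "*CandyCrush*",
    "*Facebook*",
    "*Twitter*",
    "*LinkedInforWindows*",
    "*Disney*",
    "*Netflix*",
    "*BubbleWitch*",
    "*Duolingo*",
    "*Minecraft*",
    "Microsoft.WindowsFeedback*",
    "*Microsoft.Xbox*",
    "Microsoft.GamingApp*",
    "Microsoft.WindowsMaps*",
    "Microsoft.WindowsPhone*",
    "Microsoft.WindowsAlarms*",
    "Microsoft.YourPhone*",
    "Microsoft.People*",
    "Microsoft.Wallet*",
    "Microsoft.GetHelp",
    "Microsoft.Zune*",
    "Microsoft.SkypeApp*",
    "*Microsoft.Messaging*",
    "Microsoft.Advertising.Xaml*",
    "Microsoft.Bing*",
    "*windowscommunicationsapps*"
)

$services = @(
    "diagnosticshub.standardcollector.service",
    "DiagTrack",
    "dmwappushsvc",
    "DPS",
    "MapsBroker",
    "NetTcpPortSharing",
    "RemoteRegistry",
    "Fax",
    "PhoneSvc",
    "RetailDemo",
    "edgeupdate",
    "edgeupdatem",
    "WalletService"
)

# ---------------------------------------------------------------------
# Helpers
# ---------------------------------------------------------------------

# Creates the registry key when it is missing, then writes the value.
# Set-ItemProperty alone does not create keys and most *\Policies\* keys do not
# exist on a fresh install, so several values below were previously skipped
# without any message. Failures are reported instead of relying on the
# script-wide SilentlyContinue.
#   -Path  : full provider path (HKLM:\...)
#   -Name  : value name
#   -Value : data to write
#   -Type  : registry kind; DWord by default
function Set-PolicyValue {
    param (
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][AllowEmptyString()]$Value,
        [string]$Type = 'DWord'
    )
    try {
        if (-not (Test-Path -LiteralPath $Path)) {
            New-Item -Path $Path -Force -ErrorAction Stop | Out-Null
        }
        Set-ItemProperty -LiteralPath $Path -Name $Name -Value $Value -Type $Type -Force -ErrorAction Stop
    } catch {
        Write-Warning "Could not set '$Name' under '$Path': $($_.Exception.Message)"
    }
}

# Runs a helper binary that ships next to this script, but only if it carries a
# valid Authenticode signature. These tools are started with administrator
# rights, so an unsigned, unknown or tampered file must not be executed.
# NOTE(review): the signer is not pinned here; for a stricter check compare
# $sig.SignerCertificate.Subject (or Thumbprint) against the expected publisher.
#   -Name      : file name relative to the script folder (e.g. 'OOSU10.exe')
#   -Arguments : optional argument list
function Invoke-SignedTool {
    param (
        [Parameter(Mandatory)][string]$Name,
        [string[]]$Arguments = @()
    )
    $root = if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }
    $path = Join-Path $root $Name
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        Write-Warning "Skipping $Name : not found at $path"
        return
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Skipping $Name : Authenticode signature status is '$($sig.Status)', expected 'Valid'."
        return
    }
    Write-Output "Running $Name (signer: $($sig.SignerCertificate.Subject))"
    $startArgs = @{ FilePath = $path; WorkingDirectory = $root; Wait = $true }
    if ($Arguments.Count -gt 0) { $startArgs['ArgumentList'] = $Arguments }
    Start-Process @startArgs
}

# Returns the winget executable path, or $null when App Installer is not present.
# Checks PATH first and falls back to the per-user WindowsApps alias, which may
# be the only place it resolves right after a fresh Add-AppxPackage.
function Get-WingetPath {
    $cmd = Get-Command winget.exe -ErrorAction SilentlyContinue
    if ($cmd) { return $cmd.Source }
    $alias = Join-Path $env:LOCALAPPDATA 'Microsoft\WindowsApps\winget.exe'
    if (Test-Path -LiteralPath $alias) { return $alias }
    return $null
}

# ---------------------------------------------------------------------
# Restore Point
# ---------------------------------------------------------------------
Enable-ComputerRestore -Drive "C:\"
# Windows throttles restore-point creation (one per 24 h by default); if a point
# was created recently this call returns without making a new one.
Checkpoint-Computer -Description "Swissmakers GmbH - Pre usage Win11 hardening script" -RestorePointType "MODIFY_SETTINGS"

# ---------------------------------------------------------------------
# O&O Shutup Integration
# ---------------------------------------------------------------------
# The download lines are kept as provenance for the files expected next to the
# script. If they are re-enabled, keep the signature check in Invoke-SignedTool
# (and ideally pin a hash of the .cfg, which is not signed).
#Start-BitsTransfer "https://dl5.oo-software.com/files/ooshutup10/OOSU10.exe"
#Start-BitsTransfer "https://code.michu-it.com/michael/win11-initial-setup-script/raw/branch/master/mrit_ooshutup.cfg"
Invoke-SignedTool -Name 'OOSU10.exe' -Arguments @('mrit_ooshutup.cfg')
#Remove-Item -Path ".\OOSU10.exe" -Force
#Remove-Item -Path ".\mrit_ooshutup.cfg" -Force

# ---------------------------------------------------------------------
# Install Basic Engineering Tools with Ninite
# ---------------------------------------------------------------------
Invoke-SignedTool -Name 'ninite.exe'

# ---------------------------------------------------------------------
# Debloat
# ---------------------------------------------------------------------
# Disk Cleanup: enable every handler for sageset profile 5, then run it.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\*' | ForEach-Object {
    New-ItemProperty -Path $_.PSPath -Name StateFlags0005 -Value 2 -PropertyType DWord -Force | Out-Null
}
Start-Process -FilePath CleanMgr.exe -ArgumentList '/sagerun:5' -Wait

# Remove Temp Files (best effort; files in use are skipped):
Remove-Item "C:\Windows\Temp\*" -Recurse -Force -ErrorAction $ErrorActionPreference
Remove-Item $env:TEMP\* -Recurse -Force -ErrorAction $ErrorActionPreference

# Uninstall Bloatware-Apps:
foreach ($Bloat in $Bloatware) {
    # Remove installed copies for every user profile (-AllUsers on Remove-AppxPackage
    # is required for that; piping -AllUsers results alone only affects the caller).
    Get-AppxPackage -Name $Bloat -AllUsers | Remove-AppxPackage -AllUsers
    # Remove the provisioned package so it is not re-added at first logon of new users.
    Get-AppxProvisionedPackage -Online | Where-Object DisplayName -like $Bloat | Remove-AppxProvisionedPackage -Online | Out-Null
}

# Disable Services: stop the running instance, then disable autostart.
foreach ($service in $services) {
    $svc = Get-Service -Name $service -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Output "Service $service not present, skipping."
        continue
    }
    Write-Output "Disabling $service..."
    try {
        Stop-Service -Name $service -Force -ErrorAction SilentlyContinue
        Set-Service -Name $service -StartupType Disabled -ErrorAction Stop
    } catch {
        Write-Warning "Could not disable service ${service}: $($_.Exception.Message)"
    }
}

# ---------------------------------------------------------------------
# Privacy GLOBAL
# ---------------------------------------------------------------------
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'
$cvPolicies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'

$machineSettings = @(
    # Windows Recall and Copilot
    @{ Path = "$policyRoot\WindowsAI";      Name = 'DisableAIDataAnalysis'; Value = 1 }
    @{ Path = "$policyRoot\WindowsCopilot"; Name = 'TurnOffWindowsCopilot'; Value = 1 }
    # Tailored experiences / telemetry.
    # NOTE: AllowTelemetry=0 ("Security") is honoured only on Enterprise, Education
    # and Server SKUs; Pro editions fall back to the lowest level they support.
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Privacy'; Name = 'TailoredExperiencesWithDiagnosticDataEnabled'; Value = 0 }
    @{ Path = "$cvPolicies\DataCollection"; Name = 'AllowTelemetry';      Value = 0 }
    @{ Path = "$cvPolicies\DataCollection"; Name = 'MaxTelemetryAllowed'; Value = 0 }
    @{ Path = "$policyRoot\DataCollection"; Name = 'AllowTelemetry';                 Value = 0 }
    @{ Path = "$policyRoot\DataCollection"; Name = 'DoNotShowFeedbackNotifications'; Value = 1 }
    @{ Path = "$policyRoot\DataCollection"; Name = 'LimitDiagnosticLogCollection';   Value = 1 }
    # User activity timeline / clipboard sync to Microsoft
    @{ Path = "$policyRoot\System"; Name = 'EnableActivityFeed';        Value = 0 }
    @{ Path = "$policyRoot\System"; Name = 'AllowClipboardHistory';     Value = 0 }
    @{ Path = "$policyRoot\System"; Name = 'AllowCrossDeviceClipboard'; Value = 0 }
    @{ Path = "$policyRoot\System"; Name = 'PublishUserActivities';     Value = 0 }
    @{ Path = "$policyRoot\System"; Name = 'UploadUserActivities';      Value = 0 }
    @{ Path = 'HKLM:\SYSTEM\Maps'; Name = 'AutoUpdateEnabled'; Value = 0 }
    # Wi-Fi Sense hotspot reporting / auto-connect
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting';           Name = 'Value'; Value = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots'; Name = 'Value'; Value = 0 }
    # Consumer features / cloud-delivered content
    @{ Path = "$policyRoot\CloudContent"; Name = 'DisableWindowsConsumerFeatures'; Value = 1 }
    @{ Path = "$policyRoot\CloudContent"; Name = 'DisableCloudOptimizedContent';   Value = 1 }
    # Online search / Cortana
    @{ Path = "$policyRoot\Windows Search"; Name = 'AllowCloudSearch';      Value = 0 }
    @{ Path = "$policyRoot\Windows Search"; Name = 'AllowCortana';          Value = 0 }
    @{ Path = "$policyRoot\Windows Search"; Name = 'AllowCortanaAboveLock'; Value = 0 }
    @{ Path = "$policyRoot\Windows Search"; Name = 'DisableWebSearch';      Value = 1 }
    # Advertising ID
    @{ Path = "$policyRoot\AdvertisingInfo"; Name = 'DisabledByGroupPolicy'; Value = 1 }
    # Handwriting / typing data, error reporting, Delivery Optimization (0 = HTTP only), online tips
    @{ Path = "$policyRoot\TabletPC";                Name = 'PreventHandwritingDataSharing'; Value = 1 }
    @{ Path = "$policyRoot\Windows Error Reporting"; Name = 'DontSendAdditionalData';        Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config'; Name = 'DODownloadMode'; Value = 0 }
    @{ Path = "$cvPolicies\TextInput"; Name = 'AllowLinguisticDataCollection'; Value = 0 }
    @{ Path = "$cvPolicies\Explorer";  Name = 'AllowOnlineTips';               Value = 0 }
)
foreach ($entry in $machineSettings) {
    Set-PolicyValue -Path $entry.Path -Name $entry.Name -Value $entry.Value
}

# Disable Scheduled Tasks (telemetry / CEIP / error-report upload).
# TaskPath and TaskName are passed separately; a missing task is reported.
$tasksToDisable = @(
    @{ Path = '\Microsoft\Windows\Application Experience\';                  Name = 'Microsoft Compatibility Appraiser' }
    @{ Path = '\Microsoft\Windows\Application Experience\';                  Name = 'ProgramDataUpdater' }
    @{ Path = '\Microsoft\Windows\Autochk\';                                 Name = 'Proxy' }
    @{ Path = '\Microsoft\Windows\Customer Experience Improvement Program\'; Name = 'Consolidator' }
    @{ Path = '\Microsoft\Windows\Customer Experience Improvement Program\'; Name = 'UsbCeip' }
    @{ Path = '\Microsoft\Windows\DiskDiagnostic\';                          Name = 'Microsoft-Windows-DiskDiagnosticDataCollector' }
    @{ Path = '\Microsoft\Windows\Windows Error Reporting\';                 Name = 'QueueReporting' }
)
foreach ($t in $tasksToDisable) {
    $task = Get-ScheduledTask -TaskPath $t.Path -TaskName $t.Name -ErrorAction SilentlyContinue
    if ($task) {
        $task | Disable-ScheduledTask | Out-Null
    } else {
        Write-Warning "Scheduled task $($t.Path)$($t.Name) not found."
    }
}

# Block additional Windows Telemetry Endpoints by local Firewall.
# NOTE(review): address-based blocking is brittle: these lists drift over time,
# contain duplicates, and include addresses whose ownership could not be confirmed
# here (173.194.113.x and 216.58.209.166, for example, appear not to be Microsoft
# ranges). Review the list before deploying. The lists below are the original
# ones, de-duplicated at rule creation; rules are recreated by DisplayName so a
# re-run does not accumulate duplicates. (The former `Set-NetFirewallProfile -all`
# call set no property and was dropped.)
$telemetryInbound  = '134.170.30.202,137.116.81.24,157.56.106.189,184.86.53.99,2.22.61.43,2.22.61.66,204.79.197.200,23.218.212.69,65.39.117.23,65.55.108.23,64.4.54.254' -split ','
$telemetryOutbound = '65.55.252.43,65.52.108.29,191.232.139.254,65.55.252.92,65.55.252.63,65.55.252.93,65.55.252.43,65.52.108.29,194.44.4.200,194.44.4.208,157.56.91.77,65.52.100.7,65.52.100.91,65.52.100.93,65.52.100.92,65.52.100.94,65.52.100.9,65.52.100.11,168.63.108.233,157.56.74.250,111.221.29.177,64.4.54.32,207.68.166.254,207.46.223.94,65.55.252.71,64.4.54.22,131.107.113.238,23.99.10.11,204.79.197.200,157.56.77.139,134.170.58.121,134.170.58.123,134.170.53.29,66.119.144.190,134.170.58.189,134.170.58.118,134.170.53.30,134.170.51.190,157.56.121.89,134.170.115.60,204.79.197.200,104.82.22.249,134.170.185.70,64.4.6.100,65.55.39.10,157.55.129.21,207.46.194.25,23.102.21.4,173.194.113.220,173.194.113.219,216.58.209.166,157.56.91.82,157.56.23.91,104.82.14.146,207.123.56.252,185.13.160.61,8.254.209.254,198.78.208.254,185.13.160.61,185.13.160.61,8.254.209.254,207.123.56.252,65.52.100.91,65.52.100.7,207.46.101.29,65.55.108.23,23.218.212.69' -split ','
$telemetryRules = @(
    @{ Name = 'Block Windows Telemetry in';  Direction = 'Inbound';  Addresses = $telemetryInbound }
    @{ Name = 'Block Windows Telemetry out'; Direction = 'Outbound'; Addresses = $telemetryOutbound }
)
foreach ($rule in $telemetryRules) {
    $unique = @($rule.Addresses | Select-Object -Unique)
    try {
        Remove-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue
        New-NetFirewallRule -DisplayName $rule.Name -Direction $rule.Direction -Action Block -RemoteAddress $unique -Enabled True -ErrorAction Stop | Out-Null
    } catch {
        Write-Warning "Could not create firewall rule '$($rule.Name)': $($_.Exception.Message)"
    }
}

# ---------------------------------------------------------------------
# Register GIT_SSH globally for PuTTY's plink
# ---------------------------------------------------------------------
# [Environment]::SetEnvironmentVariable writes the persistent value (HKCU for
# 'User', CurrentControlSet\Control\Session Manager\Environment for 'Machine')
# and broadcasts the change. The previous reg.exe call targeted ControlSet001,
# which is not necessarily the active control set.
$plink = 'C:\Program Files\PuTTY\plink.exe'
if (-not (Test-Path -LiteralPath $plink)) {
    Write-Warning "GIT_SSH is set to $plink but plink.exe is not installed (yet)."
}
[Environment]::SetEnvironmentVariable('GIT_SSH', $plink, 'User')
[Environment]::SetEnvironmentVariable('GIT_SSH', $plink, 'Machine')

# ---------------------------------------------------------------------
# Install winget (App Installer) when missing
# ---------------------------------------------------------------------
# The release asset is resolved through the GitHub API rather than by scraping
# the HTML release page, whose link list is not a stable interface (an empty
# match previously made the script download "https://github.com" itself).
# Add-AppxPackage validates the package signature, so an altered download is
# rejected at install time; the files are staged in a dedicated temp folder
# and removed afterwards.
if (-not (Get-WingetPath)) {
    $stage = Join-Path $env:TEMP 'winget-bootstrap'
    New-Item -ItemType Directory -Path $stage -Force | Out-Null
    try {
        $release   = Invoke-RestMethod -UseBasicParsing -Uri 'https://api.github.com/repos/microsoft/winget-cli/releases/latest' -ErrorAction Stop
        $bundleUrl = $release.assets |
            Where-Object { $_.name -like '*.msixbundle' } |
            Select-Object -First 1 -ExpandProperty browser_download_url
        if (-not $bundleUrl) { throw 'No .msixbundle asset found in the latest winget-cli release.' }

        $vclibsUrl = if ([Environment]::Is64BitOperatingSystem) {
            'https://aka.ms/Microsoft.VCLibs.x64.14.00.Desktop.appx'
        } else {
            'https://aka.ms/Microsoft.VCLibs.x86.14.00.Desktop.appx'
        }
        Start-BitsTransfer -Source $vclibsUrl -Destination $stage -ErrorAction Stop
        Start-BitsTransfer -Source $bundleUrl -Destination $stage -ErrorAction Stop

        $bundle = Get-ChildItem -Path $stage -Filter '*.msixbundle'          | Select-Object -First 1
        $vclibs = Get-ChildItem -Path $stage -Filter 'Microsoft.VCLibs*.appx' | Select-Object -First 1
        if (-not $bundle -or -not $vclibs) { throw 'Downloaded winget packages were not found in the staging folder.' }
        # NOTE(review): newer App Installer builds may declare further dependencies
        # (e.g. Microsoft.UI.Xaml); if Add-AppxPackage reports one as missing, stage it too.
        Add-AppxPackage -Path $bundle.FullName -DependencyPath $vclibs.FullName -ErrorAction Stop
    } catch {
        Write-Warning "winget bootstrap failed: $($_.Exception.Message)"
    } finally {
        Remove-Item -Path $stage -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# ---------------------------------------------------------------------
# Install Windows Terminal
# ---------------------------------------------------------------------
$winget = Get-WingetPath
if ($winget) {
    & $winget install -e Microsoft.WindowsTerminal --accept-source-agreements --accept-package-agreements --force --silent
} else {
    Write-Warning 'winget is not available; Windows Terminal was not installed.'
}

# Set Windows Terminal as Default Terminal
#If (!(Test-Path "HKCU:\Console\%%Startup")) {
#    New-Item -Path "HKCU:\Console\%%Startup"
#}
#Set-ItemProperty -Path "HKCU:\Console\%%Startup" -Name "DelegationConsole" -Type String -Value "{2EACA947-7F5F-4CFA-BA87-8F7FBEEFBE69}"
#Set-ItemProperty -Path "HKCU:\Console\%%Startup" -Name "DelegationTerminal" -Type String -Value "{E12CFF52-A866-4C77-9A90-F570A7AA2C6B}"

# End of Script - Restart PC
Read-Host -Prompt "Success! Press any key to restart"
Restart-Computer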