Déploiement de Stratégie de Groupes Locales

Ce forum est destiné au support entre utilisateurs de logiciel OPSI
Antworten
guillaume
Beiträge: 31
Registriert: 19 Feb 2019, 18:08

Déploiement de Stratégie de Groupes Locales

Beitrag von guillaume »

Bonjour tout le monde,

Je me demandais quelle serait la meilleure option pour pousser une stratégie de groupe locale pour les utilisateurs et ordinateurs via OPSI sur les ordinateurs au bureau. En effet nous ne voulons pas utiliser d'AD pour le peu de personnes que l'on a sur site et limiter nos frais au maximum.
  1. Est ce qu'il vaut mieux privilégier un import d'un fichier texte d'une stratégie provenant d'une machine de test par exemple ?
  2. Est ce qu'il vaut mieux privilégier la création d'entrées dans la base de registre ?
  3. Est ce qu'il vaut mieux cloner le fichier config-win-10 ou config-win-base et affiner les options pour configurer selon nos besoins ?
L'idée est de forcer ou bloquer certaines choses comme les mises à jour de sécurités Windows, interdire l'installation des MAJ Chrome et Firefox (pour les installer seulement via OPSI), activer le numlock, activer l'ICMP dans le firewall, activer le bureau distant sur les ordinateurs et aussi dans le Firewall etc ...

Je reste à votre écoute pour discuter autour de ça et prendre la meilleure option.

Merci !
Benutzeravatar
SisterOfMercy
Beiträge: 1255
Registriert: 22 Jun 2012, 19:18

Re: Déploiement de Stratégie de Groupes Locales

Beitrag von SisterOfMercy »

Well, because no one seems to be responding as of yet...

I use registry entries, plain and simple. I make a snapshot of the registry, then change something in gpedit.msc, and make another snapshot of the registry.
The only downside with this that it is not easy to see what policies are in effect, and when it is deployed you can not see this from gpedit.msc.
Directly using the registry always works, so you do not have to work with policies that are not applying, or have to use them with a domain.

I recommend keeping your references in the opsi script (IE: the url where you found it), and to not put all your policy settings in one large script, because that has bitten me a bit.
Bitte schreiben Sie Deutsch, when I'm responding in the German-speaking part of the forum!
guillaume
Beiträge: 31
Registriert: 19 Feb 2019, 18:08

Re: Déploiement de Stratégie de Groupes Locales

Beitrag von guillaume »

Thanks a lot,

I'm going to think about that because in the same way i'd like to set Firefox and Chrome restrictions (plugins installation for example) and add Favorties too.
So i'll have some registry key to change or add on computers at the same time ... That is not an emergency but i'll work on it and give a feedback for the community if others users are in the same case.

When you tell
and to not put all your policy settings in one large script, because that has bitten me a bit
What's the rule or bests practices ? A script for all FW and AV rules, a script for all internet browsers rules etc or something else ? :?:
guillaume
Beiträge: 31
Registriert: 19 Feb 2019, 18:08

Re: Déploiement de Stratégie de Groupes Locales

Beitrag von guillaume »

Hi Sister of Mercy,

I start deploying restrictions on Firefox and Chrome ... it looks like to work correctly ! I was wondering if you have a good way to manage computers and not only applications with registry changes ? If yes how did you do it ?

Thanks for your help

---

Bonjour Sister of Mercy,

J'ai commencé à déployer des restrictions pour Firefox et Chrome ... ca semble fonctionner correctement ! Je me demandais si tu avais une idée pour gérer des machines et pas seulement des logiciels avec des changements dans la base de registre ? Si oui, comment fais tu cela ?

Merci pour ton aide
guillaume
Beiträge: 31
Registriert: 19 Feb 2019, 18:08

Re: Déploiement de Stratégie de Groupes Locales

Beitrag von guillaume »

Bonjour,

J'ai commencé à mettre en place des gestions et restriction sur firefox et chrome, mais je voudrais étendre cela à d'autres applications et à Windows 10. Je me demande si mon approche est correcte et sinon comment corriger cela pour que je puisse être plus agile dans les restrictions appliquées.

Je m'explique :
  • Je n'utilise et ne veut pas d'AD pour l'instant
  • J'applique mes restrictions via la base de registre
  • Plus je regarde ca et plus je trouve que ca manque de finesse ...
  • Pour la réversibilité, ca demande à coder mon fichier de désinstallation avec un REG DELETE pour chaque commande

Code: Alles auswählen

[Winbatch_install]
"%ScriptPath%\$SetupFile$" /S

; Désactivation des mises à jour automatiques
REG ADD "HKLM\Software\Policies\Mozilla\Firefox" /v DisableAppUpdate /t REG_DWORD /d 1 /f

; Activer les mises à jour automatiques des plugins
REG ADD "HKLM\Software\Policies\Mozilla\Firefox" /v ExtensionUpdate /t REG_DWORD /d 1 /f

; Désactivation de l'enregistrement des mots de passe dans Firefox
REG ADD "HKLM\Software\Policies\Mozilla\Firefox" /v PasswordManagerEnabled /t REG_DWORD /d 0 /f

; Désactivation de la fonction Pocket
REG ADD "HKLM\Software\Policies\Mozilla\Firefox" /v DisablePocket /t REG_DWORD /d 1 /f

; Désactivation de la synchroniation des comptes Firefox
REG ADD "HKLM\Software\Policies\Mozilla\Firefox" /v DisableFirefoxAccounts /t REG_DWORD /d 1 /f

; Installation des plugins autorisés
REG ADD "HKLM\Software\Policies\Mozilla\Firefox\InstallAddonsPermission" /v Default /t REG_DWORD /d 1 /f
REG ADD "HKLM\Software\Policies\Mozilla\Firefox\InstallAddonsPermission\Allow" /v 1 /t REG_SZ /d https://addons.mozilla.org/firefox/downloads/file/3775705/connecteur_pour_antidote-10.2.82-fx.xpi /f
REG ADD "HKLM\Software\Policies\Mozilla\Firefox\InstallAddonsPermission\Allow" /v 1 /t REG_SZ /d https://addons.mozilla.org/firefox/downloads/file/3484096/web_developer-2.0.5-an+fx.xpi /f
Je me dis que une configuration comme config-win10 pourrait être une bonne chose en y mettant tout ce que je veux activer ou non comme restrictions, mais je ne sais pas par ou commencer ...
  • Est ce que je fais une configuration de gestion du registre pour chaque logiciel ?
  • Est ce que je fais une configuration de gestion du registre pour Windows ?
  • Est ce que je modifie le fchier de configuration config-win10 ? Mais en cas de mise à jour de OPSI, est ce que je risque de tout perdre ?
  • Est ce que je fais quelque chose de combiné pour mes logiciels et Windows ?
Merci pour vos conseils, vos morceaux de script et vos idées pour mieux travailler ceci.

Guillaume
Benutzeravatar
SisterOfMercy
Beiträge: 1255
Registriert: 22 Jun 2012, 19:18

Re: Déploiement de Stratégie de Groupes Locales

Beitrag von SisterOfMercy »

Why are you not using Registry sections in your script?
https://download.uib.de/4.2/documentati ... t-registry

Example:

Code: Alles auswählen

Registry_system /SysNative
Registry_RDP_AllProfiles /AllNTUserDats

[Registry_system]
; Set services startup timeout to 300 seconds
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
set "ServicesPipeTimeout" = REG_DWORD:0x000493e0

[Registry_RDP_AllProfiles]
; Do not check RDP certs
openkey [HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client]
set "AuthenticationLevelOverride" = REG_DWORD:00000000
Bitte schreiben Sie Deutsch, when I'm responding in the German-speaking part of the forum!
guillaume
Beiträge: 31
Registriert: 19 Feb 2019, 18:08

Re: Déploiement de Stratégie de Groupes Locales

Beitrag von guillaume »

Bonjour SisterofMercy,

Je ne sais pas bien par ou commencer pour mettre cela en place...

Est ce que je dois faire cela dans le fichier setup.ins ou bien créer un fichier spécifiquement pour ca pour chaque application ?
Comment est ce que je peux procéder pour effectuer aussi des restrictions, configurations pour Windows ?

Si tu as des propositions, des recommandations je suis tout à fait preneur !

Merci
Guillaume
Benutzeravatar
SisterOfMercy
Beiträge: 1255
Registriert: 22 Jun 2012, 19:18

Re: Déploiement de Stratégie de Groupes Locales

Beitrag von SisterOfMercy »

(translated via google translate)
Do I have to do this in the setup.ins file or create a file specifically for CA for each application?
How can I proceed to also perform restrictions, configurations for Windows?
You do this in setup.ins, no need to create a seperate file.

Please view this example of a windows thing I am using:

Code: Alles auswählen

; Copyright (c) uib gmbh (www.uib.de)
; This sourcecode is owned by uib
; and published under the Terms of the General Public License.
; credits: http://www.opsi.org/en/credits/
;
; License Management removed

encoding=utf8

; system package
;
; disable defragmentation	done
; enable ssd trim support
; prefetch/superfetch		done
; fsutil settings			done
; pagefile settings
; network settings? -> https://docs.microsoft.com/en-us/windows-server/networking/technologies/network-subsystem/net-sub-performance-tuning-nics
; indexing options			done
; system restore
; power management?
; defender settings?
; related tasks
; device manager settings -> of interface
; worker threads
; wmi logging settings
; readyboot

[Actions]
SetLogLevel=9
requiredWinstVersion >= "4.11.5.14"

;DefVar $MsiId32$
;DefVar $UninstallProgram32$
;DefVar $MsiId64$
;DefVar $UninstallProgram64$
DefVar $LogDir$
DefVar $ProductId$  
DefVar $MinimumSpace$
;DefVar $InstallDir32$
;DefVar $InstallDir64$
DefVar $ExitCode$
DefVar $INST_SystemType$
;DefVar $INST_architecture$
DefVar $INST_MsVersion$

DefStringList $result$
DefVar $RegistryKey$
DefVar $testName$

DefVar $firstrun$
DefVar $firstrun_override$
set $firstrun_override$ = GetProductProperty("firstrun_override","False")

DefVar $wireless_networking$
Set $wireless_networking$ = GetProductProperty("wireless_networking_disable","false")

DefVar $bluetooth_disable$
Set $bluetooth_disable$ = GetProductProperty("bluetooth_disable","false")

DefVar $ntp_server$
Set $ntp_server$ = GetProductProperty("ntp_server","nl.pool.ntp.org")
DefVar $ntp_servers$
DefVar $ntp_index$
DefVar $ntp_index1$
DefVar $ntp_server_entry$
DefStringList $ntp_serverlist$
DefStringList $ntp_serverlist2$

DefStringList $ProductInfo$
DefVar $DisplayVersion$
DefVar $DisplayName$
set $ProductInfo$ = getProductMap
set $DisplayVersion$ = getValue("productversion", $ProductInfo$)
set $DisplayName$ = getValue("name", $ProductInfo$)

set $INST_MsVersion$ = GetMsVersionInfo
Set $INST_SystemType$ = GetSystemType
;set $INST_architecture$ = GetProductProperty("install_architecture","system specific")
Set $LogDir$ = "%opsiLogDir%"

; ----------------------------------------------------------------
; - Please edit the following values                             -
; ----------------------------------------------------------------
;$ProductId$ should be the name of the product in opsi
; therefore please: only lower letters, no umlauts, 
; no white space use '-' as a seperator
Set $ProductId$       = "win10-settings-system"
Set $MinimumSpace$    = "500 MB"
; the path were we find the product after the installation
;Set $InstallDir32$      = "%ProgramFiles32Dir%\<path to the product>"
;Set $InstallDir64$      = "%ProgramFiles64Dir%\<path to the product>"
; ----------------------------------------------------------------

if not(HasMinimumSpace ("%SystemDrive%", $MinimumSpace$))
	LogError "Not enough space on %SystemDrive%, " + $MinimumSpace$ + " on drive %SystemDrive% needed for " + $ProductId$
	isFatalError
	; Stop process and set installation status to failed
endif
if not(CompareDotSeparatedNumbers($INST_MsVersion$, "=", "10.0"))
	LogError "Windows 10 is required for " + $ProductId$  
	isFatalError
endif

comment "Show product picture"
ShowBitmap "%ScriptPath%\" + $ProductId$ + ".png" $ProductId$

Message "Installing " + $ProductId$ + "..."

comment "Disable automatic defragmentation"
WinBatch_defragmentation /SysNative
Registry_defragmentation /SysNative

comment "Disable readyboot WMI logging"
Registry_readyboot /SysNative

comment "Disable prefetch and superfetch"
WinBatch_prefetch /SysNative
Registry_prefetch /SysNative
Files_prefetch /SysNative

comment "Disable NTFS last access timestamps"
WinBatch_last_access /SysNative

comment "Disable 8dot3 filenames on all volumes"
WinBatch_8dot3 /SysNative
Registry_8dot3 /SysNative

comment "Disable LLMNR name resolution"
Registry_llmnr /SysNative

comment "Prefer DNS responses to LLMNR and NetBT"
Registry_prefer_dns /SysNative

comment "Disable windows search indexing"
WinBatch_indexing /SysNative
Files_indexing /SysNative
Registry_indexing /SysNative
comment "Disable windows web search"
Registry_disable_websearch_AllProfiles /AllNTUserDats

comment "Disable experimental features"
Registry_disable_experimentation /SysNative

comment "Disable windows insider, hide options in settings"
Registry_disable_windows_insider /SysNative

comment "Disable peer to peer updates"
Registry_disable_peer_to_peer_updates /SysNative
Registry_disable_peer_to_peer_updates_AllProfiles /AllNTUserDats

comment "Disable updates to speech engine"
Registry_disable_speech_updates /SysNative

comment "Disable onedrive network access before login"
Registry_disable_onedrive_prelogin /SysNative

comment "Defender: Disable sending infection information"
Registry_disable_reporting_infection /SysNative

comment "Defender: Disable reporting changes in files"
Registry_disable_spynet_reporting /SysNative

comment "Defender: Disable sending samples of threats"
Registry_disable_sending_threat_samples /SysNative

comment "Disable unwanted network traffic on offline maps settings page"
Registry_disable_maps_network_traffic /SysNative

comment "Disable automatic update of map data"
Registry_disable_maps_auto_update /SysNative

comment "Launch explorer in a seperate process"
Registry_seperate_explorer_process_AllProfiles /AllNTUserDats

comment "Disable Autoplay"
Registry_disable_autoplay_AllProfiles /AllNTUserDats

comment "Disable windows remote shell access (WinRM)"
Registry_disable_windows_remote_shell /SysNative

comment "Disable edge pre-loading before login"
Registry_disable_edge_preloading /SysNative

comment "Disable windows ink workspace"
Registry_disable_windows_ink /SysNative

comment "Disable login with microsoft accounts"
Registry_disable_microsoft_account /SysNative

comment "Disable login with picture password"
Registry_disable_picture_password /SysNative

comment "Disable login with pin"
Registry_disable_hello_pin /SysNative

comment "Disable login with biometrics"
Registry_disable_hello_biometrics /SysNative

comment "Disable windows hello for business"
Registry_disable_hello_for_business /SysNative

comment "Disable use sign-in info to auto finish setting up device"
Registry_disable_automatic_logon /SysNative

comment "Disable synching of settings"
Registry_disable_settings_sync /SysNative
Registry_disable_settings_sync_AllProfiles /AllNTUserDats

comment "Disable linking phone"
Registry_disable_phone_linking /SysNative

comment "Disable windows timeline"
Registry_disable_timeline /SysNative

comment "Disable offline files"
Winbatch_disable_offline_files /SysNative
Registry_disable_offline_files /SysNative

comment "Disable cortana on lock screen"
Registry_disable_cortana_lock_screen /SysNative

comment "Disable customer experience improvement program"
Registry_disable_customer_improvement /SysNative

comment "Disable uploading text messages to cloud"
Registry_disable_cloud_text_messages /SysNative

comment "Disable transmission of typing information"
Registry_disable_typing_information_AllProfiles /AllNTUserDats

comment "Disable inventory collector"
Registry_disable_inventory_collector /SysNative

comment "Disable camera on lock screen"
Registry_disable_lock_screen_camera /SysNative

comment "Disable bluetooth advertisements"
Registry_disable_bluetooth_advertisements /SysNative

comment "Block access to local language list for browsers"
Registry_block_language_list_AllProfiles /AllNTUserDats

comment "Disable find my device"
Registry_disable_find_my_device /SysNative



comment "Enable/Disable wireless networking services on client"
if ($wireless_networking$ = "true")
	Registry_wireless_disable /SysNative
else
	Registry_wireless_enable /SysNative
endif

comment "Enable/Disable bluetooth services on client"
if ($bluetooth_disable$ = "true")
	Registry_bluetooth_disable /SysNative
else			
	Registry_bluetooth_enable /SysNative
endif

comment "Disable netbios over tcp/ip"
; Do not disable "TCP/IP netbios helper" service!
Set $result$ = getRegistryKeyListSysnative("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces")
for $value$ in $result$ do sub_disable_netbios

comment "Remove various network protocols"
Files_uninstall_runfromtoken /SysNative
PatchTextFile_networksettings $LogDir$ + "\" + $ProductId$ + ".bat"
; Texan write is nodig, anders werkt het niet.
if ($INST_SystemType$ = "64 Bit System")
	Dosbatch_runfromtoken_64 WINST /SysNative
	Dosbatch_runfromtoken_64 WINST /SysNative
else
	Dosbatch_runfromtoken_32 WINST /SysNative
	Dosbatch_runfromtoken_32 WINST /SysNative
endif
Files_uninstall_runfromtoken /SysNative

comment "Set ntp server(s)"
set $ntp_serverlist$ = splitString ($ntp_server$, ",")
; write to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers
for %index1% = "1" to count($ntp_serverlist$) do sub_ntp_datetime_servers
; prepare for winbatch
for $line$ in $ntp_serverlist$ do sub_ntp_serverlist
set $ntp_servers$ = composeString ($ntp_serverlist2$, " ")
WinBatch_ntp_server /SysNative
Registry_ntp_server /SysNative


comment "Firstrun section"
Set $firstrun$ = GetRegistryValue("HKEY_LOCAL_MACHINE\SOFTWARE\OPSI-Home", $ProductId$)
if (not ($firstrun$ = "1")) or ($firstrun_override$ = "True")
	Set $firstrun$ = "1"


	comment "Save firstrun setting"
	Registry_save_firstrun /SysNative
	if ($firstrun_override$ = "True")
		opsiservicecall_reset_firstrun_override
	endif
;	ExitWindows /Reboot
endif

[Registry_save_firstrun]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\OPSI-Home]
set "$ProductId$" = "$firstrun$"

[WinBatch_ntp_server]
"%SystemRoot%\system32\net.exe" start "W32Time"
"%SystemRoot%\system32\w32tm.exe" /config /manualpeerlist:"$ntp_servers$" /syncfromflags:manual /update

[sub_ntp_serverlist]
set $ntp_server_entry$ = stringReplace("$line$", "$line$", "$line$,0x9")
set $ntp_serverlist2$ = addtolist($ntp_serverlist2$,$ntp_server_entry$)	

[sub_ntp_datetime_servers]
set $ntp_index1$ = "%index1%"
set $ntp_index$ = calculate($ntp_index1$+"-1")
set $ntp_server_entry$ = takestring($ntp_index$, $ntp_serverlist$)
Registry_set_ntp_datetime_servers /SysNative

[Registry_set_ntp_datetime_servers]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers]
set "$ntp_index1$" = "$ntp_server_entry$"

[WinBatch_defragmentation]
"%SystemRoot%\system32\net.exe" start "Schedule"

; Delete defragmentation tasks (when not using a SSD, use ultradefrag)
"%SystemRoot%\system32\schtasks.exe" /Delete /TN "\Microsoft\Windows\Defrag\ScheduledDefrag" /F
"%SystemRoot%\system32\schtasks.exe" /Delete /TN "\Microsoft\Windows\Defrag" /F

; Disable defrag service, which is never needed
"%SystemRoot%\system32\sc.exe" config defragsvc start= disabled
"%SystemRoot%\system32\net.exe" stop defragsvc

[Registry_defragmentation]
; https://docs.microsoft.com/en-us/previous-versions/windows/embedded/ms932871(v=winembedded.5)?redirectedfrom=MSDN
; The disk defragmentation service rearranges data on the disk to create contiguous sections of data. Additionally, the auto-layout service moves the most-used data closer to the center of the disk to expedite boot time.
; Disable Boot-Time defragmentation
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction]
set "Enable" = "N"
; Disable Background auto-layout
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OptimalLayout]
set "EnableAutoLayout" = REG_DWORD:00000000

[WinBatch_prefetch]
"%SystemRoot%\system32\net.exe" start "Schedule"

; Delete superfetch tasks
"%SystemRoot%\system32\schtasks.exe" /Delete /TN "\Microsoft\Windows\Sysmain\HybridDriveCachePrepopulate" /F
"%SystemRoot%\system32\schtasks.exe" /Delete /TN "\Microsoft\Windows\Sysmain\HybridDriveCacheRebalance" /F
"%SystemRoot%\system32\schtasks.exe" /Delete /TN "\Microsoft\Windows\Sysmain\ResPriStaticDbSync" /F
"%SystemRoot%\system32\schtasks.exe" /Delete /TN "\Microsoft\Windows\Sysmain\WsSwapAssessmentTask" /F
"%SystemRoot%\system32\schtasks.exe" /Delete /TN "\Microsoft\Windows\Sysmain" /F

; Disable prefetch service
"%SystemRoot%\system32\sc.exe" config SysMain start= disabled
"%SystemRoot%\system32\net.exe" stop SysMain

[Registry_prefetch]
; Disable prefetching/superfetch, not only for SSDs
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters]
set "EnablePrefetcher" = REG_DWORD:00000000
set "EnableSuperfetch" = REG_DWORD:00000000

[Files_prefetch]
delete -sf "%SystemRoot%\Prefetch\"

[WinBatch_last_access]
; https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-behavior
; Disable last access times, registry key not needed!
"%SystemRoot%\system32\fsutil.exe" behavior set DisableLastAccess 1

[WinBatch_8dot3]
; Disable 8.3 file names
"%SystemRoot%\system32\fsutil.exe" behavior set Disable8dot3 1

[Registry_8dot3]
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
set "NtfsDisable8dot3NameCreation" = REG_DWORD:00000001

openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies]
set "NtfsDisable8dot3NameCreation" = REG_DWORD:00000001

[WinBatch_indexing]
; Disable indexing service
"%SystemRoot%\system32\sc.exe" config WSearch start= disabled
"%SystemRoot%\system32\net.exe" stop WSearch

[Registry_indexing]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search]
set "DisableRemovableDriveIndexing" = REG_DWORD:00000001

openkey [HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer]
set "DisableIndexedLibraryExperience" = REG_DWORD:00000001

[Registry_disable_websearch_AllProfiles]
openkey [HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer]
set "DisableSearchBoxSuggestions" = REG_DWORD:00000001

[Registry_disable_maps_network_traffic]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Maps]
set "AllowUntriggeredNetworkTrafficOnSettingsPage" = REG_DWORD:00000000

[Registry_disable_maps_auto_update]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Maps]
set "AutoDownloadAndUpdateMapData" = REG_DWORD:00000000

[Registry_disable_reporting_infection]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT]
set "DontReportInfectionInformation" = REG_DWORD:00000001

[Registry_disable_spynet_reporting]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
set "SpyNetReporting" = REG_DWORD:00000000

[Registry_disable_sending_threat_samples]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
set "SubmitSamplesConsent" = REG_DWORD:00000002

[Registry_disable_onedrive_prelogin]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OneDrive]
set "PreventNetworkTrafficPreUserSignIn" = REG_DWORD:00000001

[Registry_disable_experimentation]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\System]
set "AllowExperimentation" = REG_DWORD:00000000

[Registry_disable_windows_insider]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
set "ManagePreviewBuilds" = REG_DWORD:00000001
set "ManagePreviewBuildsPolicyValue" = REG_DWORD:00000000

openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility]
set "HideInsiderPage" = REG_DWORD:00000001

[Registry_disable_hello_pin]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
set "AllowDomainPINLogon" = REG_DWORD:00000001

openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowSignInOptions]
set "value" = REG_DWORD:00000000

[Registry_disable_microsoft_account]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount]
set "DisableUserAuth" = REG_DWORD:00000001

; https://www.tenforums.com/tutorials/97556-allow-block-microsoft-accounts-windows-10-a.html
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
set "NoConnectedUser" = REG_DWORD:00000003

[Registry_disable_cortana_lock_screen]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search]
set "AllowCortanaAboveLock" = REG_DWORD:00000000

[Registry_disable_customer_improvement]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows]
set "CEIPEnable" = REG_DWORD:00000000

[Registry_disable_settings_sync]
; Dit is hier, ipv privacy, want een microsoft account is nodig voor dit, en die is hier gedisabled.
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync]
set "DisableSettingSync" = REG_DWORD:00000002
set "DisableSettingSyncUserOverride" = REG_DWORD:00000001

[Registry_disable_settings_sync_AllProfiles]
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SettingSync]
set "SyncPolicy" = REG_DWORD:00000005
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Accessibility]
set "Enabled" = REG_DWORD:00000000
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\AppSync]
set "Enabled" = REG_DWORD:00000000
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\BrowserSettings]
set "Enabled" = REG_DWORD:00000000
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials]
set "Enabled" = REG_DWORD:00000000
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\DesktopTheme]
set "Enabled" = REG_DWORD:00000000
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language]
set "Enabled" = REG_DWORD:00000000
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\PackageState]
set "Enabled" = REG_DWORD:00000000
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Personalization]
set "Enabled" = REG_DWORD:00000000
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\StartLayout]
set "Enabled" = REG_DWORD:00000000
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Windows]
set "Enabled" = REG_DWORD:00000000

[Winbatch_disable_offline_files]
; Disable indexing service
"%SystemRoot%\system32\sc.exe" config CscService start= disabled
"%SystemRoot%\system32\net.exe" stop CscService

[Registry_disable_offline_files]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetCache]
set "Enabled" = REG_DWORD:00000000

[Registry_disable_timeline]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
set "EnableActivityFeed" = REG_DWORD:00000000

[Registry_disable_phone_linking]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
set "EnableMmx" = REG_DWORD:00000000

[Registry_ntp_server]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers]
set "" = "1"

[Registry_disable_picture_password]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
set "BlockDomainPicturePassword" = REG_DWORD:00000001

[Registry_disable_hello_biometrics]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics]
set "Enabled" = REG_DWORD:00000000

[Registry_disable_hello_for_business]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork]
set "Enabled" = REG_DWORD:00000000
set "DisablePostLogonProvisioning" = REG_DWORD:00000000

[Registry_disable_automatic_logon]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
set "DisableAutomaticRestartSignOn" = REG_DWORD:00000001

[Registry_disable_windows_ink]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace]
set "AllowSuggestedAppsInWindowsInkWorkspace" = REG_DWORD:00000000
set "AllowWindowsInkWorkspace" = REG_DWORD:00000000

[Registry_disable_edge_preloading]
; Do not allow edge to pre-launch at windows startup, and do not load the start and new tab pages
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge]
set "AllowPrelaunch" = REG_DWORD:00000000
set "AllowTabPreloading" = REG_DWORD:00000000
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main]
set "AllowPrelaunch" = REG_DWORD:00000000
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\TabPreloader]
set "AllowTabPreloading" = REG_DWORD:00000000

[Registry_disable_device_history_AllProfiles]
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search]
set "DeviceHistoryEnabled" = REG_DWORD:00000000 

[Registry_disable_cloud_text_messages]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging]
set "AllowMessageSync" = REG_DWORD:00000000

[Registry_disable_inventory_collector]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\AppCompat]
set "DisableInventory" = REG_DWORD:00000001

[Registry_disable_lock_screen_camera]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization]
set "NoLockScreenCamera" = REG_DWORD:00000001

[Registry_disable_bluetooth_advertisements]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Bluetooth]
set "AllowAdvertising" = REG_DWORD:00000000

[Registry_block_language_list_AllProfiles]
openkey [HKEY_CURRENT_USER\Control Panel\International\User Profile]
set "HttpAcceptLanguageOptOut" = REG_DWORD:00000001

[Registry_disable_typing_information_AllProfiles]
openkey [HKEY_CURRENT_USER\Software\Microsoft\Input\TIPC]
set "Enabled" = REG_DWORD:00000000

[Registry_disable_autoplay_AllProfiles]
; Disable Autoplay
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers]
set "DisableAutoplay" = REG_DWORD:00000001

[Registry_seperate_explorer_process_AllProfiles]
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
; Launch explorer in a seperate process, saves about 30 MB when no explorer windows are opened.
set "SeparateProcess" = REG_DWORD:00000001

[Registry_disable_peer_to_peer_updates_AllProfiles]
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization]
set "SystemSettingsDownloadMode" = REG_DWORD:00000000

[Registry_disable_peer_to_peer_updates]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config]
set "DODownloadMode" = REG_DWORD:00000000
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization]
set "DODownloadMode" = REG_DWORD:00000000

[Registry_disable_speech_updates]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Speech]
set "AllowSpeechModelUpdate" = REG_DWORD:00000000

[Files_indexing]
; De hele directory kan weg
delete -sf "%CommonAppdataDir%\Microsoft\Search\"

[Registry_readyboot]
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\ReadyBoot]
set "Start" = REG_DWORD:00000000

[Registry_network]
; Disable IGMP multicasting, do not add .com to unqualified domain names
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
set "IGMPLevel" = REG_DWORD:00000000
set "UseDomainNameDevolution" = REG_DWORD:00000000

[Registry_llmnr]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
set "EnableMulticast" = REG_DWORD:00000000

openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache\Parameters]
set "EnableMulticast" = REG_DWORD:00000000

[Registry_prefer_dns]
; Prefer DNS answers to LLMNR and/or NetBT
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
set "DisableSmartProtocolReordering" = REG_DWORD:00000001

[Registry_disable_windows_remote_shell]
; Do not allow remote shell access
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service]
set "AllowAutoConfig" = REG_DWORD:00000000
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS]
set "AllowRemoteShellAccess" = REG_DWORD:00000000


[PatchTextFile_networksettings]
GoToTop
; Remove QoS Packet Scheduler
AppendLine '"%SystemRoot%\system32\netcfg.exe" -u ms_pacer'
; Remove Link-Layer Topology Discovery Mapper I/O Driver
AppendLine '"%SystemRoot%\system32\netcfg.exe" -u ms_lltdio'
; Remove Link-Layer Topology Discovery Responder
AppendLine '"%SystemRoot%\system32\netcfg.exe" -u ms_rspndr'
; Remove Microsoft Network Adapter Multiplexor Protocol
AppendLine '"%SystemRoot%\system32\netcfg.exe" -u ms_implat'
; Remove Link-Layer Topology Discovery Driver
AppendLine '"%SystemRoot%\system32\netcfg.exe" -u ms_lldp'

[Dosbatch_runfromtoken_32]
; Start TrustedInstaller to be able to use that token
"%SystemRoot%\system32\net.exe" start trustedinstaller
"%SystemRoot%\system32\timeout.exe" /t 5 /nobreak
"%ScriptPath%\files\RunFromToken32.exe" trustedinstaller.exe 1 "$LogDir$\$ProductId$.bat"

[Dosbatch_runfromtoken_64]
; Start TrustedInstaller to be able to use that token
"%SystemRoot%\system32\net.exe" start trustedinstaller
"%SystemRoot%\system32\timeout.exe" /t 5 /nobreak
"%ScriptPath%\files\RunFromToken64.exe" trustedinstaller.exe 1 "$LogDir$\$ProductId$.bat"

[Files_uninstall_runfromtoken]
delete -f "$LogDir$\$ProductId$.bat"

[Registry_wireless_disable]
; WLAN AutoConfig
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wlansvc]
set "Start" = REG_DWORD:00000004

[Registry_wireless_enable]
; WLAN AutoConfig
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wlansvc]
set "Start" = REG_DWORD:00000002

[Registry_bluetooth_disable]
; AVCTP Service
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthAvctpSvc]
set "Start" = REG_DWORD:00000004
; Bluetooth Audio Gateway Service
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTAGService]
set "Start" = REG_DWORD:00000004
; Bluetooth Support Service
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv]
set "Start" = REG_DWORD:00000004
; Bluetooth User Support Service (met per-user service)
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BluetoothUserService]
set "Start" = REG_DWORD:00000004

[Registry_bluetooth_enable]
; AVCTP Service
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthAvctpSvc]
set "Start" = REG_DWORD:00000003
; Bluetooth Audio Gateway Service
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTAGService]
set "Start" = REG_DWORD:00000003
; Bluetooth Support Service
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv]
set "Start" = REG_DWORD:00000003
; Bluetooth User Support Service (met per-user service)
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BluetoothUserService]
set "Start" = REG_DWORD:00000003

[Registry_disable_find_my_device]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FindMyDevice]
set "AllowFindMyDevice" = REG_DWORD:00000000
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Settings\FindMyDevice]
set "LocationSyncEnabled" = REG_DWORD:00000000

[Winbatch_harddisk_settings]
; SSD Trim support aanzetten
"%SystemRoot%\system32\fsutil.exe" behavior set DisableDeleteNotify 0

[sub_disable_netbios]
Set $result$ = getRegistryKeyListSysnative("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces")

set $RegistryKey$ = "[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\" + "$value$" + "]"
Set $testName$ = GetRegistryStringValueSysNative($RegistryKey$ + "NetbiosOptions")
if not($testName$ = "")
	Registry_disable_netbios /SysNative
endif

[Registry_disable_netbios]
openkey $RegistryKey$
set "NetbiosOptions" = REG_DWORD:00000002

[opsiservicecall_reset_firstrun_override]
"method": "productPropertyState_create"
"params":	[
			"%installingProdName%"
			"firstrun_override"
			"%HostID%"
			"false"
			]
It is not entirely complete or 'finished' but you must be able to follow some parts. Especially the registry stuff. I am not sure how I can explain it easier than an example like this. Otherwise give me a working setup.ins with a registry setting you want set in there.

I find policy and other registry settings either on the internets, or I use a program like systracer to make a snapshot of the registry before and after the change.
Bitte schreiben Sie Deutsch, when I'm responding in the German-speaking part of the forum!
Antworten