Deployment of Local Group Policies
Posted: 02 Jul 2020, 20:48
by guillaume
Hello everyone,
I was wondering what the best option would be for pushing a local group policy for users and computers to the office machines via OPSI. We do not want to use an AD for the few people we have on site, and we want to keep our costs as low as possible.
- Is it better to import a text file of a policy taken from a test machine, for example?
- Is it better to create entries in the registry?
- Is it better to clone the config-win-10 or config-win-base file and refine the options to configure things according to our needs?
The idea is to force or block certain things such as Windows security updates, forbid installing Chrome and Firefox updates (so that they are only installed via OPSI), enable NumLock, enable ICMP in the firewall, enable Remote Desktop on the computers and also in the firewall, etc.
I'm happy to discuss this with you and pick the best option.
Thanks!
Re: Deployment of Local Group Policies
Posted: 06 Jul 2020, 12:31
by SisterOfMercy
Well, because no one seems to be responding as of yet...
I use registry entries, plain and simple. I make a snapshot of the registry, then change something in gpedit.msc, and make another snapshot of the registry.
The only downside with this is that it is not easy to see what policies are in effect, and once it is deployed you cannot see this from gpedit.msc.
Directly using the registry always works, so you do not have to deal with policies that are not applying, or have to use them with a domain.
I recommend keeping your references in the opsi script (i.e. the URL where you found it), and not putting all your policy settings in one large script, because that has bitten me a bit.
Re: Deployment of Local Group Policies
Posted: 06 Jul 2020, 19:06
by guillaume
Thanks a lot,
I'm going to think about that, because in the same way I'd like to set Firefox and Chrome restrictions (plugin installation, for example) and add favorites too.
So I'll have some registry keys to change or add on the computers at the same time ... That is not an emergency, but I'll work on it and give feedback to the community if other users are in the same situation.
When you say:
"and to not put all your policy settings in one large script, because that has bitten me a bit"
What's the rule or best practice? A script for all FW and AV rules, a script for all internet browser rules, etc., or something else?
Re: Deployment of Local Group Policies
Posted: 02 Jun 2021, 17:48
by guillaume
Hi Sister of Mercy,
I've started deploying restrictions on Firefox and Chrome ... it looks like it works correctly! I was wondering if you have a good way to manage computers, and not only applications, with registry changes? If so, how did you do it?
Thanks for your help
---
Hello Sister of Mercy,
I have started deploying restrictions for Firefox and Chrome ... it seems to work correctly! I was wondering whether you had an idea for managing machines, and not only software, with registry changes? If so, how do you do it?
Thanks for your help
Re: Deployment of Local Group Policies
Posted: 09 Jul 2021, 15:55
by guillaume
Hello,
I have started setting up management and restrictions for Firefox and Chrome, but I would like to extend this to other applications and to Windows 10. I wonder whether my approach is correct and, if not, how to fix it so that I can be more agile in the restrictions I apply.
Let me explain:
- I don't use, and don't want, an AD for now
- I apply my restrictions via the registry
- The more I look at it, the more I find it lacks finesse ...
- For reversibility, it requires coding my uninstall file with a REG DELETE for each command
Code:
[Winbatch_install]
"%ScriptPath%\$SetupFile$" /S
; Disable automatic updates
REG ADD "HKLM\Software\Policies\Mozilla\Firefox" /v DisableAppUpdate /t REG_DWORD /d 1 /f
; Enable automatic updates of plugins
REG ADD "HKLM\Software\Policies\Mozilla\Firefox" /v ExtensionUpdate /t REG_DWORD /d 1 /f
; Disable saving passwords in Firefox
REG ADD "HKLM\Software\Policies\Mozilla\Firefox" /v PasswordManagerEnabled /t REG_DWORD /d 0 /f
; Disable the Pocket feature
REG ADD "HKLM\Software\Policies\Mozilla\Firefox" /v DisablePocket /t REG_DWORD /d 1 /f
; Disable Firefox account synchronisation
REG ADD "HKLM\Software\Policies\Mozilla\Firefox" /v DisableFirefoxAccounts /t REG_DWORD /d 1 /f
; Installation of allowed plugins
REG ADD "HKLM\Software\Policies\Mozilla\Firefox\InstallAddonsPermission" /v Default /t REG_DWORD /d 1 /f
; each entry in the Allow list needs its own value name (1, 2, ...); reusing /v 1 overwrites the previous entry
REG ADD "HKLM\Software\Policies\Mozilla\Firefox\InstallAddonsPermission\Allow" /v 1 /t REG_SZ /d https://addons.mozilla.org/firefox/downloads/file/3775705/connecteur_pour_antidote-10.2.82-fx.xpi /f
REG ADD "HKLM\Software\Policies\Mozilla\Firefox\InstallAddonsPermission\Allow" /v 2 /t REG_SZ /d https://addons.mozilla.org/firefox/downloads/file/3484096/web_developer-2.0.5-an+fx.xpi /f
I think a configuration like config-win10 could be a good thing, putting into it everything I want to enable or disable as restrictions, but I don't know where to start ...
- Do I create a registry management configuration for each piece of software?
- Do I create a registry management configuration for Windows?
- Do I modify the config-win10 configuration file? But if OPSI is updated, do I risk losing everything?
- Do I do something combined for my software and Windows?
Thanks for your advice, your script snippets and your ideas for working on this better.
Guillaume
Re: Deployment of Local Group Policies
Posted: 14 Jul 2021, 15:05
by SisterOfMercy
Why are you not using Registry sections in your script?
https://download.uib.de/4.2/documentati ... t-registry
Example:
Code:
; calls placed in the [Actions] section; /SysNative writes the 64-bit view of HKLM,
; /AllNTUserDats applies the HKEY_CURRENT_USER section to every user profile on the machine
Registry_system /SysNative
Registry_RDP_AllProfiles /AllNTUserDats
[Registry_system]
; Set services startup timeout to 300 seconds
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
set "ServicesPipeTimeout" = REG_DWORD:0x000493e0
[Registry_RDP_AllProfiles]
; Do not check RDP certs
openkey [HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client]
set "AuthenticationLevelOverride" = REG_DWORD:00000000
Re: Deployment of Local Group Policies
Posted: 16 Sep 2021, 21:46
by guillaume
Hello SisterofMercy,
I'm not sure where to start in order to set this up...
Do I have to do this in the setup.ins file, or create a file specifically for that for each application?
How can I proceed to also apply restrictions and configurations for Windows?
If you have any suggestions or recommendations, I'm all ears!
Thanks
Guillaume
Re: Deployment of Local Group Policies
Posted: 17 Okt 2021, 18:55
by SisterOfMercy
(translated via google translate)
"Do I have to do this in the setup.ins file or create a file specifically for that for each application?
How can I proceed to also perform restrictions, configurations for Windows?"
You do this in setup.ins, no need to create a separate file.
Please view this example of a windows thing I am using:
Code:
; Copyright (c) uib gmbh (www.uib.de)
; This sourcecode is owned by uib
; and published under the Terms of the General Public License.
; credits: http://www.opsi.org/en/credits/
;
; License Management removed
encoding=utf8
; system package
;
; disable defragmentation done
; enable ssd trim support
; prefetch/superfetch done
; fsutil settings done
; pagefile settings
; network settings? -> https://docs.microsoft.com/en-us/windows-server/networking/technologies/network-subsystem/net-sub-performance-tuning-nics
; indexing options done
; system restore
; power management?
; defender settings?
; related tasks
; device manager settings -> of interface
; worker threads
; wmi logging settings
; readyboot
[Actions]
SetLogLevel=9
requiredWinstVersion >= "4.11.5.14"
;DefVar $MsiId32$
;DefVar $UninstallProgram32$
;DefVar $MsiId64$
;DefVar $UninstallProgram64$
DefVar $LogDir$
DefVar $ProductId$
DefVar $MinimumSpace$
;DefVar $InstallDir32$
;DefVar $InstallDir64$
DefVar $ExitCode$
DefVar $INST_SystemType$
;DefVar $INST_architecture$
DefVar $INST_MsVersion$
DefStringList $result$
DefVar $RegistryKey$
DefVar $testName$
DefVar $firstrun$
DefVar $firstrun_override$
set $firstrun_override$ = GetProductProperty("firstrun_override","False")
DefVar $wireless_networking$
Set $wireless_networking$ = GetProductProperty("wireless_networking_disable","false")
DefVar $bluetooth_disable$
Set $bluetooth_disable$ = GetProductProperty("bluetooth_disable","false")
DefVar $ntp_server$
Set $ntp_server$ = GetProductProperty("ntp_server","nl.pool.ntp.org")
DefVar $ntp_servers$
DefVar $ntp_index$
DefVar $ntp_index1$
DefVar $ntp_server_entry$
DefStringList $ntp_serverlist$
DefStringList $ntp_serverlist2$
DefStringList $ProductInfo$
DefVar $DisplayVersion$
DefVar $DisplayName$
set $ProductInfo$ = getProductMap
set $DisplayVersion$ = getValue("productversion", $ProductInfo$)
set $DisplayName$ = getValue("name", $ProductInfo$)
set $INST_MsVersion$ = GetMsVersionInfo
Set $INST_SystemType$ = GetSystemType
;set $INST_architecture$ = GetProductProperty("install_architecture","system specific")
Set $LogDir$ = "%opsiLogDir%"
; ----------------------------------------------------------------
; - Please edit the following values -
; ----------------------------------------------------------------
;$ProductId$ should be the name of the product in opsi
; therefore please: only lower letters, no umlauts,
; no white space, use '-' as a separator
Set $ProductId$ = "win10-settings-system"
Set $MinimumSpace$ = "500 MB"
; the path were we find the product after the installation
;Set $InstallDir32$ = "%ProgramFiles32Dir%\<path to the product>"
;Set $InstallDir64$ = "%ProgramFiles64Dir%\<path to the product>"
; ----------------------------------------------------------------
if not(HasMinimumSpace ("%SystemDrive%", $MinimumSpace$))
LogError "Not enough space on %SystemDrive%, " + $MinimumSpace$ + " on drive %SystemDrive% needed for " + $ProductId$
isFatalError
; Stop process and set installation status to failed
endif
if not(CompareDotSeparatedNumbers($INST_MsVersion$, "=", "10.0"))
LogError "Windows 10 is required for " + $ProductId$
isFatalError
endif
comment "Show product picture"
ShowBitmap "%ScriptPath%\" + $ProductId$ + ".png" $ProductId$
Message "Installing " + $ProductId$ + "..."
comment "Disable automatic defragmentation"
WinBatch_defragmentation /SysNative
Registry_defragmentation /SysNative
comment "Disable readyboot WMI logging"
Registry_readyboot /SysNative
comment "Disable prefetch and superfetch"
WinBatch_prefetch /SysNative
Registry_prefetch /SysNative
Files_prefetch /SysNative
comment "Disable NTFS last access timestamps"
WinBatch_last_access /SysNative
comment "Disable 8dot3 filenames on all volumes"
WinBatch_8dot3 /SysNative
Registry_8dot3 /SysNative
comment "Disable LLMNR name resolution"
Registry_llmnr /SysNative
comment "Prefer DNS responses to LLMNR and NetBT"
Registry_prefer_dns /SysNative
comment "Disable windows search indexing"
WinBatch_indexing /SysNative
Files_indexing /SysNative
Registry_indexing /SysNative
comment "Disable windows web search"
Registry_disable_websearch_AllProfiles /AllNTUserDats
comment "Disable experimental features"
Registry_disable_experimentation /SysNative
comment "Disable windows insider, hide options in settings"
Registry_disable_windows_insider /SysNative
comment "Disable peer to peer updates"
Registry_disable_peer_to_peer_updates /SysNative
Registry_disable_peer_to_peer_updates_AllProfiles /AllNTUserDats
comment "Disable updates to speech engine"
Registry_disable_speech_updates /SysNative
comment "Disable onedrive network access before login"
Registry_disable_onedrive_prelogin /SysNative
comment "Defender: Disable sending infection information"
Registry_disable_reporting_infection /SysNative
comment "Defender: Disable reporting changes in files"
Registry_disable_spynet_reporting /SysNative
comment "Defender: Disable sending samples of threats"
Registry_disable_sending_threat_samples /SysNative
comment "Disable unwanted network traffic on offline maps settings page"
Registry_disable_maps_network_traffic /SysNative
comment "Disable automatic update of map data"
Registry_disable_maps_auto_update /SysNative
comment "Launch explorer in a separate process"
Registry_seperate_explorer_process_AllProfiles /AllNTUserDats
comment "Disable Autoplay"
Registry_disable_autoplay_AllProfiles /AllNTUserDats
comment "Disable windows remote shell access (WinRM)"
Registry_disable_windows_remote_shell /SysNative
comment "Disable edge pre-loading before login"
Registry_disable_edge_preloading /SysNative
comment "Disable windows ink workspace"
Registry_disable_windows_ink /SysNative
comment "Disable login with microsoft accounts"
Registry_disable_microsoft_account /SysNative
comment "Disable login with picture password"
Registry_disable_picture_password /SysNative
comment "Disable login with pin"
Registry_disable_hello_pin /SysNative
comment "Disable login with biometrics"
Registry_disable_hello_biometrics /SysNative
comment "Disable windows hello for business"
Registry_disable_hello_for_business /SysNative
comment "Disable use sign-in info to auto finish setting up device"
Registry_disable_automatic_logon /SysNative
comment "Disable synching of settings"
Registry_disable_settings_sync /SysNative
Registry_disable_settings_sync_AllProfiles /AllNTUserDats
comment "Disable linking phone"
Registry_disable_phone_linking /SysNative
comment "Disable windows timeline"
Registry_disable_timeline /SysNative
comment "Disable offline files"
Winbatch_disable_offline_files /SysNative
Registry_disable_offline_files /SysNative
comment "Disable cortana on lock screen"
Registry_disable_cortana_lock_screen /SysNative
comment "Disable customer experience improvement program"
Registry_disable_customer_improvement /SysNative
comment "Disable uploading text messages to cloud"
Registry_disable_cloud_text_messages /SysNative
comment "Disable transmission of typing information"
Registry_disable_typing_information_AllProfiles /AllNTUserDats
comment "Disable inventory collector"
Registry_disable_inventory_collector /SysNative
comment "Disable camera on lock screen"
Registry_disable_lock_screen_camera /SysNative
comment "Disable bluetooth advertisements"
Registry_disable_bluetooth_advertisements /SysNative
comment "Block access to local language list for browsers"
Registry_block_language_list_AllProfiles /AllNTUserDats
comment "Disable find my device"
Registry_disable_find_my_device /SysNative
comment "Enable/Disable wireless networking services on client"
if ($wireless_networking$ = "true")
Registry_wireless_disable /SysNative
else
Registry_wireless_enable /SysNative
endif
comment "Enable/Disable bluetooth services on client"
if ($bluetooth_disable$ = "true")
Registry_bluetooth_disable /SysNative
else
Registry_bluetooth_enable /SysNative
endif
comment "Disable netbios over tcp/ip"
; Do not disable "TCP/IP netbios helper" service!
Set $result$ = getRegistryKeyListSysnative("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces")
for $value$ in $result$ do sub_disable_netbios
comment "Remove various network protocols"
Files_uninstall_runfromtoken /SysNative
PatchTextFile_networksettings $LogDir$ + "\" + $ProductId$ + ".bat"
; Running it twice is needed, otherwise it does not work.
if ($INST_SystemType$ = "64 Bit System")
Dosbatch_runfromtoken_64 WINST /SysNative
Dosbatch_runfromtoken_64 WINST /SysNative
else
Dosbatch_runfromtoken_32 WINST /SysNative
Dosbatch_runfromtoken_32 WINST /SysNative
endif
Files_uninstall_runfromtoken /SysNative
comment "Set ntp server(s)"
set $ntp_serverlist$ = splitString ($ntp_server$, ",")
; write to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers
for %index1% = "1" to count($ntp_serverlist$) do sub_ntp_datetime_servers
; prepare for winbatch
for $line$ in $ntp_serverlist$ do sub_ntp_serverlist
set $ntp_servers$ = composeString ($ntp_serverlist2$, " ")
WinBatch_ntp_server /SysNative
Registry_ntp_server /SysNative
comment "Firstrun section"
Set $firstrun$ = GetRegistryValue("HKEY_LOCAL_MACHINE\SOFTWARE\OPSI-Home", $ProductId$)
if (not ($firstrun$ = "1")) or ($firstrun_override$ = "True")
Set $firstrun$ = "1"
comment "Save firstrun setting"
Registry_save_firstrun /SysNative
if ($firstrun_override$ = "True")
opsiservicecall_reset_firstrun_override
endif
; ExitWindows /Reboot
endif
[Registry_save_firstrun]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\OPSI-Home]
set "$ProductId$" = "$firstrun$"
[WinBatch_ntp_server]
"%SystemRoot%\system32\net.exe" start "W32Time"
"%SystemRoot%\system32\w32tm.exe" /config /manualpeerlist:"$ntp_servers$" /syncfromflags:manual /update
[sub_ntp_serverlist]
set $ntp_server_entry$ = stringReplace("$line$", "$line$", "$line$,0x9")
set $ntp_serverlist2$ = addtolist($ntp_serverlist2$,$ntp_server_entry$)
[sub_ntp_datetime_servers]
set $ntp_index1$ = "%index1%"
set $ntp_index$ = calculate($ntp_index1$+"-1")
set $ntp_server_entry$ = takestring($ntp_index$, $ntp_serverlist$)
Registry_set_ntp_datetime_servers /SysNative
[Registry_set_ntp_datetime_servers]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers]
set "$ntp_index1$" = "$ntp_server_entry$"
[WinBatch_defragmentation]
"%SystemRoot%\system32\net.exe" start "Schedule"
; Delete defragmentation tasks (when not using a SSD, use ultradefrag)
"%SystemRoot%\system32\schtasks.exe" /Delete /TN "\Microsoft\Windows\Defrag\ScheduledDefrag" /F
"%SystemRoot%\system32\schtasks.exe" /Delete /TN "\Microsoft\Windows\Defrag" /F
; Disable defrag service, which is never needed
"%SystemRoot%\system32\sc.exe" config defragsvc start= disabled
"%SystemRoot%\system32\net.exe" stop defragsvc
[Registry_defragmentation]
; https://docs.microsoft.com/en-us/previous-versions/windows/embedded/ms932871(v=winembedded.5)?redirectedfrom=MSDN
; The disk defragmentation service rearranges data on the disk to create contiguous sections of data. Additionally, the auto-layout service moves the most-used data closer to the center of the disk to expedite boot time.
; Disable Boot-Time defragmentation
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction]
set "Enable" = "N"
; Disable Background auto-layout
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OptimalLayout]
set "EnableAutoLayout" = REG_DWORD:00000000
[WinBatch_prefetch]
"%SystemRoot%\system32\net.exe" start "Schedule"
; Delete superfetch tasks
"%SystemRoot%\system32\schtasks.exe" /Delete /TN "\Microsoft\Windows\Sysmain\HybridDriveCachePrepopulate" /F
"%SystemRoot%\system32\schtasks.exe" /Delete /TN "\Microsoft\Windows\Sysmain\HybridDriveCacheRebalance" /F
"%SystemRoot%\system32\schtasks.exe" /Delete /TN "\Microsoft\Windows\Sysmain\ResPriStaticDbSync" /F
"%SystemRoot%\system32\schtasks.exe" /Delete /TN "\Microsoft\Windows\Sysmain\WsSwapAssessmentTask" /F
"%SystemRoot%\system32\schtasks.exe" /Delete /TN "\Microsoft\Windows\Sysmain" /F
; Disable prefetch service
"%SystemRoot%\system32\sc.exe" config SysMain start= disabled
"%SystemRoot%\system32\net.exe" stop SysMain
[Registry_prefetch]
; Disable prefetching/superfetch, not only for SSDs
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters]
set "EnablePrefetcher" = REG_DWORD:00000000
set "EnableSuperfetch" = REG_DWORD:00000000
[Files_prefetch]
delete -sf "%SystemRoot%\Prefetch\"
[WinBatch_last_access]
; https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-behavior
; Disable last access times, registry key not needed!
"%SystemRoot%\system32\fsutil.exe" behavior set DisableLastAccess 1
[WinBatch_8dot3]
; Disable 8.3 file names
"%SystemRoot%\system32\fsutil.exe" behavior set Disable8dot3 1
[Registry_8dot3]
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
set "NtfsDisable8dot3NameCreation" = REG_DWORD:00000001
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies]
set "NtfsDisable8dot3NameCreation" = REG_DWORD:00000001
[WinBatch_indexing]
; Disable indexing service
"%SystemRoot%\system32\sc.exe" config WSearch start= disabled
"%SystemRoot%\system32\net.exe" stop WSearch
[Registry_indexing]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search]
set "DisableRemovableDriveIndexing" = REG_DWORD:00000001
; note: this section runs with /SysNative, so HKEY_CURRENT_USER is the hive of the account running
; opsi-script (SYSTEM), not of the logged-on users; per-user values belong in an _AllProfiles section called with /AllNTUserDats
openkey [HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer]
set "DisableIndexedLibraryExperience" = REG_DWORD:00000001
[Registry_disable_websearch_AllProfiles]
openkey [HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer]
set "DisableSearchBoxSuggestions" = REG_DWORD:00000001
[Registry_disable_maps_network_traffic]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Maps]
set "AllowUntriggeredNetworkTrafficOnSettingsPage" = REG_DWORD:00000000
[Registry_disable_maps_auto_update]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Maps]
set "AutoDownloadAndUpdateMapData" = REG_DWORD:00000000
[Registry_disable_reporting_infection]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT]
set "DontReportInfectionInformation" = REG_DWORD:00000001
[Registry_disable_spynet_reporting]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
set "SpyNetReporting" = REG_DWORD:00000000
[Registry_disable_sending_threat_samples]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
set "SubmitSamplesConsent" = REG_DWORD:00000002
[Registry_disable_onedrive_prelogin]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OneDrive]
set "PreventNetworkTrafficPreUserSignIn" = REG_DWORD:00000001
[Registry_disable_experimentation]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\System]
set "AllowExperimentation" = REG_DWORD:00000000
[Registry_disable_windows_insider]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
set "ManagePreviewBuilds" = REG_DWORD:00000001
set "ManagePreviewBuildsPolicyValue" = REG_DWORD:00000000
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility]
set "HideInsiderPage" = REG_DWORD:00000001
[Registry_disable_hello_pin]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
set "AllowDomainPINLogon" = REG_DWORD:00000001
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowSignInOptions]
set "value" = REG_DWORD:00000000
[Registry_disable_microsoft_account]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount]
set "DisableUserAuth" = REG_DWORD:00000001
; https://www.tenforums.com/tutorials/97556-allow-block-microsoft-accounts-windows-10-a.html
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
set "NoConnectedUser" = REG_DWORD:00000003
[Registry_disable_cortana_lock_screen]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search]
set "AllowCortanaAboveLock" = REG_DWORD:00000000
[Registry_disable_customer_improvement]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows]
set "CEIPEnable" = REG_DWORD:00000000
[Registry_disable_settings_sync]
; This lives here instead of in the privacy package, because a Microsoft account is needed for this, and that is disabled here.
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync]
set "DisableSettingSync" = REG_DWORD:00000002
set "DisableSettingSyncUserOverride" = REG_DWORD:00000001
[Registry_disable_settings_sync_AllProfiles]
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SettingSync]
set "SyncPolicy" = REG_DWORD:00000005
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Accessibility]
set "Enabled" = REG_DWORD:00000000
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\AppSync]
set "Enabled" = REG_DWORD:00000000
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\BrowserSettings]
set "Enabled" = REG_DWORD:00000000
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials]
set "Enabled" = REG_DWORD:00000000
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\DesktopTheme]
set "Enabled" = REG_DWORD:00000000
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language]
set "Enabled" = REG_DWORD:00000000
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\PackageState]
set "Enabled" = REG_DWORD:00000000
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Personalization]
set "Enabled" = REG_DWORD:00000000
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\StartLayout]
set "Enabled" = REG_DWORD:00000000
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Windows]
set "Enabled" = REG_DWORD:00000000
[Winbatch_disable_offline_files]
; Disable the offline files service
"%SystemRoot%\system32\sc.exe" config CscService start= disabled
"%SystemRoot%\system32\net.exe" stop CscService
[Registry_disable_offline_files]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetCache]
set "Enabled" = REG_DWORD:00000000
[Registry_disable_timeline]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
set "EnableActivityFeed" = REG_DWORD:00000000
[Registry_disable_phone_linking]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
set "EnableMmx" = REG_DWORD:00000000
[Registry_ntp_server]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers]
set "" = "1"
[Registry_disable_picture_password]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
set "BlockDomainPicturePassword" = REG_DWORD:00000001
[Registry_disable_hello_biometrics]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics]
set "Enabled" = REG_DWORD:00000000
[Registry_disable_hello_for_business]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork]
set "Enabled" = REG_DWORD:00000000
set "DisablePostLogonProvisioning" = REG_DWORD:00000000
[Registry_disable_automatic_logon]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
set "DisableAutomaticRestartSignOn" = REG_DWORD:00000001
[Registry_disable_windows_ink]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace]
set "AllowSuggestedAppsInWindowsInkWorkspace" = REG_DWORD:00000000
set "AllowWindowsInkWorkspace" = REG_DWORD:00000000
[Registry_disable_edge_preloading]
; Do not allow edge to pre-launch at windows startup, and do not load the start and new tab pages
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge]
set "AllowPrelaunch" = REG_DWORD:00000000
set "AllowTabPreloading" = REG_DWORD:00000000
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main]
set "AllowPrelaunch" = REG_DWORD:00000000
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\TabPreloader]
set "AllowTabPreloading" = REG_DWORD:00000000
; not called from [Actions] above
[Registry_disable_device_history_AllProfiles]
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search]
set "DeviceHistoryEnabled" = REG_DWORD:00000000
[Registry_disable_cloud_text_messages]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging]
set "AllowMessageSync" = REG_DWORD:00000000
[Registry_disable_inventory_collector]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\AppCompat]
set "DisableInventory" = REG_DWORD:00000001
[Registry_disable_lock_screen_camera]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization]
set "NoLockScreenCamera" = REG_DWORD:00000001
[Registry_disable_bluetooth_advertisements]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Bluetooth]
set "AllowAdvertising" = REG_DWORD:00000000
[Registry_block_language_list_AllProfiles]
openkey [HKEY_CURRENT_USER\Control Panel\International\User Profile]
set "HttpAcceptLanguageOptOut" = REG_DWORD:00000001
[Registry_disable_typing_information_AllProfiles]
openkey [HKEY_CURRENT_USER\Software\Microsoft\Input\TIPC]
set "Enabled" = REG_DWORD:00000000
[Registry_disable_autoplay_AllProfiles]
; Disable Autoplay
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers]
set "DisableAutoplay" = REG_DWORD:00000001
[Registry_seperate_explorer_process_AllProfiles]
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
; Launch explorer in a separate process, saves about 30 MB when no explorer windows are opened.
set "SeparateProcess" = REG_DWORD:00000001
[Registry_disable_peer_to_peer_updates_AllProfiles]
openkey [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization]
set "SystemSettingsDownloadMode" = REG_DWORD:00000000
[Registry_disable_peer_to_peer_updates]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config]
set "DODownloadMode" = REG_DWORD:00000000
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization]
set "DODownloadMode" = REG_DWORD:00000000
[Registry_disable_speech_updates]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Speech]
set "AllowSpeechModelUpdate" = REG_DWORD:00000000
[Files_indexing]
; The whole directory can go
delete -sf "%CommonAppdataDir%\Microsoft\Search\"
[Registry_readyboot]
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\ReadyBoot]
set "Start" = REG_DWORD:00000000
; not called from [Actions] above
[Registry_network]
; Disable IGMP multicasting, do not add .com to unqualified domain names
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
set "IGMPLevel" = REG_DWORD:00000000
set "UseDomainNameDevolution" = REG_DWORD:00000000
[Registry_llmnr]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
set "EnableMulticast" = REG_DWORD:00000000
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache\Parameters]
set "EnableMulticast" = REG_DWORD:00000000
[Registry_prefer_dns]
; Prefer DNS answers to LLMNR and/or NetBT
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
set "DisableSmartProtocolReordering" = REG_DWORD:00000001
[Registry_disable_windows_remote_shell]
; Do not allow remote shell access
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service]
set "AllowAutoConfig" = REG_DWORD:00000000
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS]
set "AllowRemoteShellAccess" = REG_DWORD:00000000
[PatchTextFile_networksettings]
GoToTop
; Remove QoS Packet Scheduler
AppendLine '"%SystemRoot%\system32\netcfg.exe" -u ms_pacer'
; Remove Link-Layer Topology Discovery Mapper I/O Driver
AppendLine '"%SystemRoot%\system32\netcfg.exe" -u ms_lltdio'
; Remove Link-Layer Topology Discovery Responder
AppendLine '"%SystemRoot%\system32\netcfg.exe" -u ms_rspndr'
; Remove Microsoft Network Adapter Multiplexor Protocol
AppendLine '"%SystemRoot%\system32\netcfg.exe" -u ms_implat'
; Remove Link-Layer Topology Discovery Driver
AppendLine '"%SystemRoot%\system32\netcfg.exe" -u ms_lldp'
[Dosbatch_runfromtoken_32]
; Start TrustedInstaller to be able to use that token
"%SystemRoot%\system32\net.exe" start trustedinstaller
"%SystemRoot%\system32\timeout.exe" /t 5 /nobreak
"%ScriptPath%\files\RunFromToken32.exe" trustedinstaller.exe 1 "$LogDir$\$ProductId$.bat"
[Dosbatch_runfromtoken_64]
; Start TrustedInstaller to be able to use that token
"%SystemRoot%\system32\net.exe" start trustedinstaller
"%SystemRoot%\system32\timeout.exe" /t 5 /nobreak
"%ScriptPath%\files\RunFromToken64.exe" trustedinstaller.exe 1 "$LogDir$\$ProductId$.bat"
[Files_uninstall_runfromtoken]
delete -f "$LogDir$\$ProductId$.bat"
[Registry_wireless_disable]
; WLAN AutoConfig
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wlansvc]
set "Start" = REG_DWORD:00000004
[Registry_wireless_enable]
; WLAN AutoConfig
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wlansvc]
set "Start" = REG_DWORD:00000002
[Registry_bluetooth_disable]
; AVCTP Service
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthAvctpSvc]
set "Start" = REG_DWORD:00000004
; Bluetooth Audio Gateway Service
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTAGService]
set "Start" = REG_DWORD:00000004
; Bluetooth Support Service
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv]
set "Start" = REG_DWORD:00000004
; Bluetooth User Support Service (with per-user service)
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BluetoothUserService]
set "Start" = REG_DWORD:00000004
[Registry_bluetooth_enable]
; AVCTP Service
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthAvctpSvc]
set "Start" = REG_DWORD:00000003
; Bluetooth Audio Gateway Service
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTAGService]
set "Start" = REG_DWORD:00000003
; Bluetooth Support Service
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv]
set "Start" = REG_DWORD:00000003
; Bluetooth User Support Service (with per-user service)
openkey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BluetoothUserService]
set "Start" = REG_DWORD:00000003
[Registry_disable_find_my_device]
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FindMyDevice]
set "AllowFindMyDevice" = REG_DWORD:00000000
openkey [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Settings\FindMyDevice]
set "LocationSyncEnabled" = REG_DWORD:00000000
; not called from [Actions] above
[Winbatch_harddisk_settings]
; Enable SSD TRIM support
"%SystemRoot%\system32\fsutil.exe" behavior set DisableDeleteNotify 0
[sub_disable_netbios]
Set $result$ = getRegistryKeyListSysnative("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces")
set $RegistryKey$ = "[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\" + "$value$" + "]"
Set $testName$ = GetRegistryStringValueSysNative($RegistryKey$ + "NetbiosOptions")
if not($testName$ = "")
Registry_disable_netbios /SysNative
endif
[Registry_disable_netbios]
openkey $RegistryKey$
set "NetbiosOptions" = REG_DWORD:00000002
[opsiservicecall_reset_firstrun_override]
"method": "productPropertyState_create"
"params": [
"%installingProdName%"
"firstrun_override"
"%HostID%"
"false"
]
It is not entirely complete or 'finished', but you should be able to follow some parts. Especially the registry stuff. I am not sure how I can explain it easier than an example like this. Otherwise give me a working setup.ins with a registry setting you want set in there.
I find policy and other registry settings either on the internets, or I use a program like systracer to make a snapshot of the registry before and after the change.
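The snapshot workflow described in this thread (snapshot the registry, change a policy in gpedit.msc, snapshot again) and the reversibility problem raised earlier (one REG DELETE per REG ADD in the uninstall file) can be tied together with a small tool. The example below is added here and is not code from opsi or from either poster: it diffs two `reg export` snapshots and emits an opsi-script Registry section for setup.ins plus the matching uninstall section. It assumes the exports have already been decoded to text (real exports are UTF-16LE), handles only REG_DWORD and REG_SZ values (hex:/hex(n): values are skipped), and uses the Registry-section commands `openkey`, `set`, `deletevar` and `deletekey` as documented for opsi-script. The two snapshots are constructed for the example and model the Firefox policies from the Winbatch section earlier in the thread.

```python
"""Diff two `reg export` snapshots and emit opsi-script Registry sections."""
import re

# "Name"=data, or @=data for the default value of a key
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: (type, data)}} from decoded .reg text."""
    snapshot, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            snapshot.setdefault(key, {})      # keep empty keys too
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue
        name = m.group(1) if m.group(1) is not None else ""   # "" = default value
        data = m.group(2)
        if data.startswith("dword:"):
            snapshot[key][name] = ("REG_DWORD", int(data[6:], 16))
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            unescaped = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            snapshot[key][name] = ("REG_SZ", unescaped)
        # hex: / hex(n): values (binary, multi-string) are skipped in this example
    return snapshot


def diff_snapshots(before, after):
    """Return [(key, name, old, new)]; old/new are (type, data) or None."""
    changes = []
    for key, values in after.items():
        for name, new in values.items():
            old = before.get(key, {}).get(name)
            if old != new:
                changes.append((key, name, old, new))
    for key, values in before.items():
        for name, old in values.items():
            if name not in after.get(key, {}):
                changes.append((key, name, old, None))   # value was removed
    return changes


def fmt_value(value):
    """Render a value the way an opsi-script Registry section expects it."""
    typ, data = value
    if typ == "REG_DWORD":
        return "REG_DWORD:0x%08x" % data      # 0x prefix makes the radix explicit
    return '"%s"' % data


def to_opsi_sections(changes, before, after, section):
    """Build [Registry_<section>] and its uninstall counterpart as text."""
    new_keys = {k for k in after if k not in before}
    install = ["[Registry_%s]" % section]
    uninstall = ["[Registry_%s_uninstall]" % section]
    current = None
    for key, name, old, new in sorted(changes, key=lambda c: (c[0], c[1])):
        if key != current:
            current = key
            install.append("openkey [%s]" % key)
            if key in new_keys:
                # a key the change created is dropped whole on uninstall; skip it
                # when a parent key is also new, deleting the parent covers it
                if not any(key.startswith(p + "\\") for p in new_keys):
                    uninstall.append("deletekey [%s]" % key)
            else:
                uninstall.append("openkey [%s]" % key)
        if new is None:
            install.append('deletevar "%s"' % name)
        else:
            install.append('set "%s" = %s' % (name, fmt_value(new)))
        if key in new_keys:
            continue                          # covered by deletekey above
        if old is None:
            uninstall.append('deletevar "%s"' % name)
        else:
            uninstall.append('set "%s" = %s' % (name, fmt_value(old)))
    return "\n".join(install), "\n".join(uninstall)


# Constructed sample snapshots (not real exports): BEFORE has one policy set the
# other way and one that the change resets; AFTER adds the add-on allow list.
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox]
"DisableAppUpdate"=dword:00000000
"DisablePocket"=dword:00000001
"""

AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox]
"DisableAppUpdate"=dword:00000001
"PasswordManagerEnabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\InstallAddonsPermission]
"Default"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\InstallAddonsPermission\Allow]
"1"="https://example.invalid/first.xpi"
"2"="https://example.invalid/second.xpi"
"""


def firefox_example():
    """Run the diff on the constructed snapshots; returns (install, uninstall)."""
    before, after = parse_reg(BEFORE), parse_reg(AFTER)
    return to_opsi_sections(diff_snapshots(before, after), before, after, "firefox_policies")


if __name__ == "__main__":
    for block in firefox_example():
        print(block, end="\n\n")
```

The install section goes into setup.ins and is called from [Actions] as `Registry_firefox_policies /SysNative`, the uninstall section into delsub.ins; this replaces one hand-written REG DELETE per REG ADD. Values under HKEY_CURRENT_USER still need an `_AllProfiles` section called with /AllNTUserDats, as in the example earlier in the thread, since a /SysNative section sees only the hive of the account running opsi-script.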