What's New
This release ensures that the Harden Windows Security module/app is compatible with the Windows 11 24H2 build. The latest Windows build introduces numerous new group policies for configurations that were previously accessible only through methods like CIM. Consequently, many of these configurations are now implemented via group policies, providing a more streamlined and unified process.
The Readme content and style have been updated for better readability. A reminder that the Readme document is the main source for all of the security measures that are applied by the Harden Windows Security module/app.
All of the registry keys, policies, process mitigations and so on have been verified to continue to be compatible with the latest build of Windows, which currently is 24H2.
More policies will be added in the next update after further testing and verification.
Updated the DLLs from Microsoft NuGet packages to the latest versions.
Microsoft Defender Category
- Intel TDT policy is now applied through Group Policy.
- Disabling Performance mode of Microsoft Defender (For Dev Drives) is now applied through Group Policy.
- Real-time protection and Security Intelligence Updates during OOBE policy is now applied through Group Policy.
- Brute-Force Protection policy is now applied through Group Policy.
- Brute-Force Protection aggressiveness policy is now applied through Group Policy.
- Remote Encryption Protection policy is now applied through Group Policy.
- Remote Encryption Protection aggressiveness policy is now applied through Group Policy.
- New policy: Enable Network Protection to be configured into block or audit mode on Windows Server.
Identified 2 issues with the group policies on build 26100.1742 and 26100.1882. Mentioned them in the Microsoft Tech Community as well.
The following group policies do not actually apply their settings on the system when they are enabled in the specified builds:
- Windows Components\Microsoft Defender Antivirus\Network Inspection System\Turn on asynchronous inspection
- Windows Components\Microsoft Defender Antivirus\Network Inspection System\Convert warn verdict to block
After applying them and checking the output of Get-MpPreference (cmdlet/CIM), even after a system restart, the values of EnableConvertWarnToBlock and AllowSwitchToAsyncInspection are still false.
That is why the Harden Windows Security module will continue to enforce and apply them through the CIM. The checks and balances in the module/app make sure everything stays compliant regardless of the method of enforcement.
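As an added example (not the module's own code), the following PowerShell function reads the two preferences through the CIM-backed Defender cmdlets and, with -Enforce, sets them the same way the module does when the Group Policy does not take effect; the function name is made up here, and remediation needs an elevated session.

```powershell
# Added example, not part of the Harden Windows Security module.
# Get-MpPreference / Set-MpPreference are the CIM-backed cmdlets over
# root/Microsoft/Windows/Defender:MSFT_MpPreference.
function Test-NisPolicyEnforcement {
    [CmdletBinding()]
    param(
        # When set, remediate any preference that is still false.
        [switch]$Enforce
    )

    # The two preferences whose Group Policy counterparts do not apply on
    # builds 26100.1742 / 26100.1882.
    $Required = @{
        AllowSwitchToAsyncInspection = $true   # "Turn on asynchronous inspection"
        EnableConvertWarnToBlock     = $true   # "Convert warn verdict to block"
    }

    $Current = Get-MpPreference
    foreach ($Name in $Required.Keys) {
        $Actual    = [bool]$Current.$Name
        $Compliant = ($Actual -eq $Required[$Name])

        if (-not $Compliant -and $Enforce) {
            # Splat a single parameter so both settings use the same call path.
            $Param = @{ $Name = $Required[$Name] }
            Set-MpPreference @Param
            # Re-read so the report reflects the post-enforcement state.
            $Actual    = [bool](Get-MpPreference).$Name
            $Compliant = ($Actual -eq $Required[$Name])
        }

        [pscustomobject]@{
            Preference = $Name
            Expected   = $Required[$Name]
            Actual     = $Actual
            Compliant  = $Compliant
        }
    }
}

# Report only:
Test-NisPolicyEnforcement | Format-Table -AutoSize
# Report and remediate (elevated session):
# Test-NisPolicyEnforcement -Enforce | Format-Table -AutoSize
```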
- During process mitigations compliance verification, if a process has more mitigations applied to it than the ones required by the Harden Windows Security application, it is now considered compliant. The previous behavior only considered a process compliant on an exact match, which missed the situations where the currently applied mitigations were a superset of the required ones. The log messages have been improved to provide detailed info about each process.
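As an added example (not the module's own code), this PowerShell snippet flattens the nested output of Get-ProcessMitigation into a set of "Category.Setting" names that are ON and applies the superset rule described above: missing required mitigations fail the check, extra ones are reported but allowed. The function names and the sample required list are made up here; the assumption that each setting's value renders as ON/OFF/NOTSET is noted in the code.

```powershell
# Added example, not part of the Harden Windows Security module.
function Get-EnabledMitigationSet {
    param([Parameter(Mandatory)][string]$ProcessName)
    $Enabled = [System.Collections.Generic.HashSet[string]]::new()
    # Configured (registry) state of the process; -RunningProcesses would show live state.
    $Mit = Get-ProcessMitigation -Name $ProcessName
    foreach ($Cat in $Mit.PSObject.Properties) {
        # Skip scalar metadata such as ProcessName / Source / Id.
        if ($null -eq $Cat.Value -or $Cat.Value -is [string] -or $Cat.Value -is [ValueType]) { continue }
        foreach ($Setting in $Cat.Value.PSObject.Properties) {
            # Assumption: each setting stringifies to ON, OFF or NOTSET.
            if ("$($Setting.Value)" -eq 'ON') {
                [void]$Enabled.Add("$($Cat.Name).$($Setting.Name)")
            }
        }
    }
    return $Enabled
}

function Test-ProcessMitigationCompliance {
    param(
        [Parameter(Mandatory)][string]$ProcessName,
        [Parameter(Mandatory)][string[]]$Required
    )
    $Enabled = Get-EnabledMitigationSet -ProcessName $ProcessName
    $Missing = @($Required | Where-Object { -not $Enabled.Contains($_) })
    $Extra   = @($Enabled  | Where-Object { $_ -notin $Required })
    [pscustomobject]@{
        ProcessName = $ProcessName
        Compliant   = ($Missing.Count -eq 0)   # superset rule: extras do not fail the check
        Missing     = $Missing
        Extra       = $Extra                   # logged for detail, not a failure
    }
}

# Constructed sample: required mitigations for one process (hypothetical list).
$Required = @('Dep.Enable', 'Aslr.BottomUp', 'Aslr.HighEntropy', 'ControlFlowGuard.Enable')
Test-ProcessMitigationCompliance -ProcessName 'notepad.exe' -Required $Required | Format-List
```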
BitLocker Category
- Added more logging messages during compliance checking of the BitLocker category to let the user know why the OS drive is not compliant.
- BitLocker group policies are completely self-sufficient and no longer depend on the Microsoft Security Baselines.
- Improved the BitLocker encryption for non-OS drives. Leftover ExternalKey key protectors that belong to previous OS installations are now properly handled and renewed so they are bound to the new OS drive.
User Account Control (UAC) Category
- New policy: Sets the behavior of the elevation prompt for Standard users to Prompt for Credentials on the Secure Desktop. Microsoft Security Baselines 23H2 would set this to Deny elevation requests, but since Windows is moving towards an Adminless future, elevation from Standard user accounts is required. This policy ensures that the elevation prompt is secure and that the user is prompted to enter credentials on the Secure Desktop.
- Added for compliance checking only: UAC: Behavior of the elevation prompt for administrators in Enhanced Privilege Protection Mode. This policy is set by default to the most secure value, which is Prompt for Credentials on the Secure Desktop. Adding it to compliance checking in the UAC category gives the user an easy way to verify it is set to the correct value, because it is an important policy.
- New policy: Configures the type of Admin Approval Mode to be Admin Approval Mode with enhanced privilege protection. This is another new policy added in the 24H2 build.
Windows Update Category
There are no configuration changes. Only the group policy objects were updated to match the new policy locations in the 24H2 build. All of them relate to the update auto-restart grace period and deadlines, whose locations differ between the 23H2 and 24H2 builds.
- The SetComplianceDeadline policy has changed. In 24H2, it is broken down into 2 different policies. They are also Intune compatible, which means a unified compliance check between Group Policy and Intune deployments.
Optional Windows Features
There is a bug in Windows 11 24H2 builds 26100.1742 and 26100.1882 related to the DISM module cmdlet Get-WindowsCapability -Online and Internet Explorer mode. Watch the video:
2024-10-04.00-02-05.mp4
As a workaround, Internet Explorer mode removal was moved to the end of the Optional Windows Features category instead of being in the middle. This change makes sure the category completes successfully.
The problem with the cmdlet will most likely be fixed after a system restart. That means that once Internet Explorer mode, which exists only for legacy rendering in the Edge browser and is totally unnecessary, is removed, you will have to restart the system before that cmdlet can be used again.
As you can see in the video, this is not related to Harden Windows Security.
Non-Admin Category
- Removed the 2 policies that were used to enable Clipboard syncing for the current user. They were an optional sub-category of the Non-Admin category.
PR: #347