Harden Windows Security Module Update v0.1.1

Updated confirm-SystemCompliance and Unprotect-WindowsSecurity cmdlets to support changes in the latest Hardening script version: https://github.com/HotCakeX/Harden-Windows-Security/releases/tag/v2023.08.20

Some minor code improvements and visual upgrades

Adjusted the Credential providers section checks in lock screen category

Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psd1

@@ -12,7 +12,7 @@
     # RootModule = ''
 
     # Version number of this module.
-    ModuleVersion        = '0.1.0'
+    ModuleVersion        = '0.1.1'
 
     # Supported PSEditions
     CompatiblePSEditions = @('Core')
@@ -50,7 +50,7 @@
 '@
 
     # Minimum version of the PowerShell engine required by this module
-    PowerShellVersion    = '7.3.4'
+    PowerShellVersion    = '7.3.5'
 
     # Name of the PowerShell host required by this module
     # PowerShellHostName = ''
@@ -126,6 +126,11 @@
             # ReleaseNotes of this module
             ReleaseNotes = @'
 
+## Version 0.1.1
+Updated confirm-SystemCompliance and Unprotect-WindowsSecurity cmdlets to support changes in the latest Hardening script version: https://github.com/HotCakeX/Harden-Windows-Security/releases/tag/v2023.08.20
+Some minor code improvements and visual upgrades
+Adjusted the Credential providers section checks in lock screen category
+
 ## Version 0.1.0
 Added TPM check, Secureboot check and Latest Windows version check to the cmdlets of this module
 Windows optional features now use the Windows PowerShell instead of PowerShell core because: https://github.com/PowerShell/PowerShell/issues/13866

Harden-Windows-Security Module/Main files/Protect-WindowsSecurity.psm1

@@ -27,7 +27,6 @@ Function Protect-WindowsSecurity {
         }
     }
 
-
     try {
         Invoke-WithoutProgress {
             Invoke-RestMethod 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1' -OutFile .\Harden-Windows-Security.ps1

Harden-Windows-Security Module/Resources/Registry resources.csv

@@ -90,7 +90,7 @@ Origin,Category,Key,Name,FriendlyName,Type,Value
 "Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128,Enabled,Disable RC4 128/128 Cipher Suite,DWORD,0
 "Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168,Enabled,Disable Triple DES 168 Cipher Suite,DWORD,0
 "Registry Keys",TLS,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5,Enabled,Disable MD5 Hashing Algorithm,DWORD,0
-"Group Policy","LockScreen",HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System,ExcludedCredentialProviders,Excluded Credential Providers,SZ,"{60b78e88-ead8-445c-9cfd-0b87f74ea6cd},{F8A0B131-5F68-486c-8040-7E8FC3C85BB6},{8FD7E19C-3BF7-489B-A72C-846AB3678C96},{1ee7337f-85ac-45e2-a23c-37c753209769},{1b283861-754f-4022-ad47-a5eaaa618894}"
+"Group Policy","LockScreen",HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System,ExcludedCredentialProviders,Excluded Credential Providers,SZ,"{60b78e88-ead8-445c-9cfd-0b87f74ea6cd},{F8A0B131-5F68-486c-8040-7E8FC3C85BB6}"
 "Group Policy","LockScreen",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System,DefaultCredentialProvider,Set default Credential Provider,SZ,"{D6886603-9D2F-4EB2-B667-1971041FA96B}"
 "Group Policy","LockScreen",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PassportForWork\PINComplexity,Digits,Require digits in Windows Hello PIN,DWORD,1
 "Group Policy","LockScreen",HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PassportForWork\PINComplexity,LowercaseLetters,Require lower case letters in Windows Hello PIN,DWORD,1

Harden-Windows-Security Module/Resources/TotalNumberOfTrueCompliantValues.txt

@@ -1 +1 @@
-228
+231

Harden-Windows-Security Module/Resources/Unprotect-WindowsSecurity.ps1

@@ -130,7 +130,7 @@ try {
 
     Write-Progress -Activity 'Deleting all registry keys created by the hardening script' -Status 'Processing' -PercentComplete 60
 
-    [System.Array]$Items = Import-Csv '.\Registry.csv' -Delimiter ','
+    [System.Object[]]$Items = Import-Csv '.\Registry.csv' -Delimiter ','
     foreach ($Item in $Items) { 
         if (Test-Path -Path $item.path) {       
             Remove-ItemProperty -Path $Item.path -Name $Item.key -Force -ErrorAction SilentlyContinue 
@@ -172,7 +172,9 @@ try {
     Set-MpPreference -AllowSwitchToAsyncInspection $False
     Set-MpPreference -OobeEnableRtpAndSigUpdate $False
     Set-MpPreference -IntelTDTEnabled $False
-
+    Set-MpPreference -DisableRestorePoint $True
+    Set-MpPreference -PerformanceModeStatus Enabled
+    Set-MpPreference -EnableConvertWarnToBlock $False   
     # Set Microsoft Defender engine and platform update channels to NotConfigured State           
     Set-MpPreference -EngineUpdatesChannel NotConfigured
     Set-MpPreference -PlatformUpdatesChannel NotConfigured
@@ -182,10 +184,10 @@ try {
 
     # Remove Process Mitigations
 
-    [System.Array]$ProcessMitigations = Import-Csv '.\ProcessMitigations.csv' -Delimiter ','
+    [System.Object[]]$ProcessMitigations = Import-Csv '.\ProcessMitigations.csv' -Delimiter ','
     # Group the data by ProgramName
-    [System.Array]$GroupedMitigations = $ProcessMitigations | Group-Object ProgramName
-    [System.Array]$AllAvailableMitigations = (Get-ItemProperty -Path 'Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*')
+    [System.Object[]]$GroupedMitigations = $ProcessMitigations | Group-Object ProgramName
+    [System.Object[]]$AllAvailableMitigations = (Get-ItemProperty -Path 'Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*')
 
     Write-Progress -Activity 'Removing Process Mitigations for apps' -Status 'Processing' -PercentComplete 90
 

Harden-Windows-Security Module/version.txt

@@ -1 +1 @@
-0.1.0
+0.1.1

README.md

@@ -299,7 +299,7 @@ You will need to restart your device once. After restart, wait at least for 5-10
 
 [Optional Overrides for Microsoft Security Baselines](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Overrides-for-Microsoft-Security-Baseline)
 
-<img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif" width="25" alt="Blue Check mark denoting Group Policy"> Highly recommended to apply these overrides, the script will ask you whether you want to apply them or not.
+<img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif" width="25" alt="Blue Check mark denoting Group Policy"> Highly recommended to apply these overrides, the script will ask you whether you want to apply them or not. Use Optional Overrides when applying the script on Azure VMs.
 
 <p align="right"><a href="#menu-back-to-top">💡 (back to categories)</a></p>
 
@@ -622,13 +622,12 @@ NistP384
   - [History](https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexityhistory) of the **3** most recent selected PINs is preserved to prevent the user from reusing them
   - [Must include lower-case letters](https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexitylowercaseletters)
 
-- <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif" width="25" alt="Blue Check mark denoting Group Policy"> <img src="https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/200iq.gif" width="35" alt="Requires Additional Confirmation"> Sets Windows Hello PIN as [the default Credential Provider](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-credentialproviders#defaultcredentialprovider) and [excludes](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-credentialproviders#excludedcredentialproviders) the Credential Providers listed below. We do this because if the "Don't display last signed-in" policy is used, it defaults to Password on logon screen. Smart cards are old and insecure compared to Windows Hello or [WHfB](https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/), if Microsoft account password sign-in is available it defeats the purpose of having a [local PIN that's tied to a device](https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password#a-pin-is-tied-to-the-device). **Goes without saying that you shouldn't use this policy if local password or Smart card is the only way you use to log in.** If that's the case then first connect your Windows account to Microsoft account and then use this policy.
-
-  * Smartcard Reader Selection Provider - `{1b283861-754f-4022-ad47-a5eaaa618894}`
-  * Smartcard WinRT Provider - `{1ee7337f-85ac-45e2-a23c-37c753209769}`
-  * Smartcard Credential Provider - `{8FD7E19C-3BF7-489B-A72C-846AB3678C96}`
-  * WLIDCredentialProvider (Microsoft Account Password sign-in) - `{F8A0B131-5F68-486c-8040-7E8FC3C85BB6}`
-  * PasswordProvider - `{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}`
+- <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/bluemark.gif" width="25" alt="Blue Check mark denoting Group Policy"> <img src="https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/200iq.gif" width="35" alt="Requires Additional Confirmation"> Sets Windows Hello PIN as [the default Credential Provider](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-credentialproviders#defaultcredentialprovider) and [excludes](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-credentialproviders#excludedcredentialproviders) the Credential Providers listed below. We do this because if the "Don't display last signed-in" policy is used, it defaults to Password on logon screen.
+    * Remote Desktop Sessions that only accept Username/Password won't work with this policy, so use [Passwordless RDP with Windows Hello for Business](https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop).
+   * **Goes without saying that you shouldn't use this policy if local password is the only way you use to log in.** If that's the case first connect your Windows account to Microsoft account and then use this policy.
+      1. WLIDCredentialProvider (Microsoft Account Password sign-in) - `{F8A0B131-5F68-486c-8040-7E8FC3C85BB6}`
+
+      2. PasswordProvider - `{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}`
 
 <p align="right"><a href="#menu-back-to-top">💡 (back to categories)</a></p>