
#Requires -Version 5.1
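<#
.SYNOPSIS
Advanced Copilot blocking - Recall export policy, URI protocol handlers, Edge Copilot sidebar.
.DESCRIPTION
Multi-layer advanced Copilot blocking for Windows 11 24H2/25H2+:
LAYER 1: RECALL EXPORT BLOCK (KB5055627)
- AllowRecallExport = 0 (prevents snapshot export)
LAYER 2: URI PROTOCOL HANDLERS
- Blocks ms-copilot: and ms-edge-copilot: deep links
- Prevents Start menu search and third-party app launching
LAYER 3: EDGE COPILOT SIDEBAR
- Disables sidebar completely
- Blocks page context access
- 5 registry policies
LAYER 4: REGION POLICY OVERRIDE - NOT APPLIED
- IntegratedServicesRegionPolicySet.json is a community workaround and is left untouched
LAYER 5: NETWORK BLOCK - NOT APPLIED
- Hosts file redirects are not officially supported and are left untouched
Only official registry policies are written. Every write targets HKLM or
HKEY_CLASSES_ROOT, so the function must run in an elevated session; in an
unelevated session each layer records an access error and Success is $false.
.PARAMETER DryRun
Simulates the operation without making changes.
.OUTPUTS
PSCustomObject with Success, Applied, Errors, RecallExportBlocked,
URIHandlersBlocked and EdgeSidebarDisabled. Success is $true only when at least
one layer was applied AND Errors is empty; a layer that fails is reported in
Errors rather than silently counted as applied.
.EXAMPLE
Disable-CopilotAdvanced
.NOTES
Requires Administrator privileges.
Part of NoID Privacy AntiAI Module v2.2.2
#>
function Disable-CopilotAdvanced {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $false)]
        [switch]$DryRun
    )

    Write-Log -Level DEBUG -Message "Disabling Copilot (Advanced Layers)" -Module "AntiAI"

    # Errors collects per-item failures so the function can attempt every layer
    # and compute Success at the end instead of aborting on the first failure.
    $result = [PSCustomObject]@{
        Success             = $false
        Applied             = 0
        Errors              = @()
        RecallExportBlocked = $false
        URIHandlersBlocked  = $false
        EdgeSidebarDisabled = $false
    }

    try {
        if ($DryRun) {
            Write-Log -Level DEBUG -Message "[DRYRUN] Would apply advanced Copilot blocks" -Module "AntiAI"
            $result.Applied = 3 # 3 official MS features: RecallExport, URIHandlers, EdgeSidebar
            $result.Success = $true
            return $result
        }

        # ============================================================================
        # LAYER 1: RECALL EXPORT BLOCK (KB5055627 - NEW)
        # ============================================================================
        Write-Log -Level DEBUG -Message "Layer 1: Blocking Recall Export..." -Module "AntiAI"
        $aiPolicyPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI"
        try {
            # Key creation lives inside the try so a failure here (typically an
            # unelevated session) is recorded as a Layer 1 error instead of
            # escaping to the outer catch and skipping Layers 2 and 3.
            if (-not (Test-Path $aiPolicyPath)) {
                New-Item -Path $aiPolicyPath -Force -ErrorAction Stop | Out-Null
            }
            # -ErrorAction Stop is required: provider errors such as access denied
            # are non-terminating by default and would bypass the catch, leaving
            # RecallExportBlocked = $true without the value having been written.
            $existing = Get-ItemProperty -Path $aiPolicyPath -Name "AllowRecallExport" -ErrorAction SilentlyContinue
            if ($null -ne $existing) {
                Set-ItemProperty -Path $aiPolicyPath -Name "AllowRecallExport" -Value 0 -Force -ErrorAction Stop | Out-Null
            } else {
                New-ItemProperty -Path $aiPolicyPath -Name "AllowRecallExport" -Value 0 -PropertyType DWord -Force -ErrorAction Stop | Out-Null
            }
            Write-Log -Level DEBUG -Message "AllowRecallExport = 0 (export disabled)" -Module "AntiAI"
            $result.RecallExportBlocked = $true
            $result.Applied++
        }
        catch {
            Write-Log -Level WARNING -Message "Failed to set AllowRecallExport: $_" -Module "AntiAI"
            $result.Errors += "AllowRecallExport: $_"
        }

        # ============================================================================
        # LAYER 2: URI PROTOCOL HANDLERS (ms-copilot:, ms-edge-copilot:)
        # ============================================================================
        Write-Log -Level DEBUG -Message "Layer 2: Blocking URI handlers..." -Module "AntiAI"
        $uriHandlers = @("ms-copilot", "ms-edge-copilot")
        $uriBlocked = 0
        foreach ($handler in $uriHandlers) {
            $handlerPath = "Registry::HKEY_CLASSES_ROOT\$handler"
            try {
                if (Test-Path $handlerPath) {
                    # The handler key is deleted, not renamed. The *_DISABLED_BY_NOID
                    # key is only a marker (existed / who / when); the original
                    # key's contents are NOT saved here, so a restore must rebuild
                    # the handler from a known-good definition, not from this marker.
                    $backupPath = "Registry::HKEY_CLASSES_ROOT\${handler}_DISABLED_BY_NOID"
                    if (-not (Test-Path $backupPath)) {
                        # Delete first, then write the marker: if the delete fails
                        # no marker is left behind, so a re-run retries the block.
                        Remove-Item -Path $handlerPath -Recurse -Force -ErrorAction Stop
                        New-Item -Path $backupPath -Force -ErrorAction Stop | Out-Null
                        New-ItemProperty -Path $backupPath -Name "OriginallyExisted" -Value 1 -PropertyType DWord -Force -ErrorAction Stop | Out-Null
                        New-ItemProperty -Path $backupPath -Name "DisabledBy" -Value "NoID Privacy AntiAI" -PropertyType String -Force -ErrorAction Stop | Out-Null
                        New-ItemProperty -Path $backupPath -Name "DisabledAt" -Value (Get-Date -Format "o") -PropertyType String -Force -ErrorAction Stop | Out-Null
                        Write-Log -Level DEBUG -Message "Blocked URI handler: $handler" -Module "AntiAI"
                        $uriBlocked++
                    }
                    else {
                        # Marker present but handler re-registered (e.g. by an update):
                        # counted as blocked, matching the original behaviour.
                        Write-Log -Level DEBUG -Message "URI handler already blocked: $handler" -Module "AntiAI"
                        $uriBlocked++
                    }
                }
                else {
                    # Desired end state ("handler absent") already holds.
                    Write-Log -Level DEBUG -Message "URI handler not found (already removed): $handler" -Module "AntiAI"
                    $uriBlocked++
                }
            }
            catch {
                Write-Log -Level WARNING -Message "Failed to block URI handler $handler : $_" -Module "AntiAI"
                $result.Errors += "URI $handler : $_"
            }
        }
        if ($uriBlocked -gt 0) {
            $result.URIHandlersBlocked = $true
            $result.Applied++
        }

        # ============================================================================
        # LAYER 3: EDGE COPILOT SIDEBAR
        # ============================================================================
        Write-Log -Level DEBUG -Message "Layer 3: Disabling Edge Copilot Sidebar..." -Module "AntiAI"
        $edgePolicyPath = "HKLM:\SOFTWARE\Policies\Microsoft\Edge"
        $edgePolicies = @(
            @{ Name = "EdgeSidebarEnabled"; Value = 0; Desc = "Edge sidebar" },
            @{ Name = "ShowHubsSidebar"; Value = 0; Desc = "Hubs sidebar visibility" },
            @{ Name = "HubsSidebarEnabled"; Value = 0; Desc = "Hubs sidebar" },
            @{ Name = "CopilotPageContext"; Value = 0; Desc = "Copilot page context" },
            @{ Name = "CopilotCDPPageContext"; Value = 0; Desc = "Copilot CDP context" }
        )
        $edgeApplied = 0
        try {
            # Same reasoning as Layer 1: keep key creation inside a try so an
            # access error is recorded, not propagated to the outer catch.
            if (-not (Test-Path $edgePolicyPath)) {
                New-Item -Path $edgePolicyPath -Force -ErrorAction Stop | Out-Null
            }
        }
        catch {
            Write-Log -Level WARNING -Message "Failed to create Edge policy key: $_" -Module "AntiAI"
            $result.Errors += "Edge policy key: $_"
        }
        foreach ($policy in $edgePolicies) {
            try {
                $existing = Get-ItemProperty -Path $edgePolicyPath -Name $policy.Name -ErrorAction SilentlyContinue
                if ($null -ne $existing) {
                    Set-ItemProperty -Path $edgePolicyPath -Name $policy.Name -Value $policy.Value -Force -ErrorAction Stop | Out-Null
                } else {
                    New-ItemProperty -Path $edgePolicyPath -Name $policy.Name -Value $policy.Value -PropertyType DWord -Force -ErrorAction Stop | Out-Null
                }
                Write-Log -Level DEBUG -Message "Edge: $($policy.Name) = $($policy.Value)" -Module "AntiAI"
                $edgeApplied++
            }
            catch {
                Write-Log -Level WARNING -Message "Failed to set Edge policy $($policy.Name): $_" -Module "AntiAI"
                # Recorded in Errors like Layers 1 and 2, so a partial Edge
                # rollout cannot yield Success = $true.
                $result.Errors += "Edge $($policy.Name): $_"
            }
        }
        if ($edgeApplied -eq $edgePolicies.Count) {
            $result.EdgeSidebarDisabled = $true
            $result.Applied++
        }

        # NOTE: Layer 4 (RegionPolicy) and Layer 5 (NetworkBlock) REMOVED
        # Reason: NOT Microsoft Best Practice
        # - IntegratedServicesRegionPolicySet.json: Community workaround, can break with updates
        # - Hosts file blocking: "Not officially supported" per Microsoft Q&A
        # We only use official Registry Policies as per MS documentation

        # Overall success: at least one layer applied and nothing failed.
        $result.Success = ($result.RecallExportBlocked -or $result.URIHandlersBlocked -or
            $result.EdgeSidebarDisabled) -and ($result.Errors.Count -eq 0)
        Write-Log -Level DEBUG -Message "Advanced Copilot blocks applied: $($result.Applied)" -Module "AntiAI"
    }
    catch {
        # Anything not handled per layer (e.g. Write-Log itself failing).
        $result.Errors += "Critical error: $($_.Exception.Message)"
        Write-Error $result.Errors[-1]
    }

    return $result
}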