Andreas/noid-privacy
1
0
Fork 0
mirror of https://github.com/NexusOne23/noid-privacy.git synced 2026-02-06 19:51:54 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

v2.2.2: Performance fix for firewall snapshot (60-120s to 2-5s) + version alignment

Browse source
This commit is contained in:
NexusOne23 2025-12-22 06:46:53 +01:00
parent 73b7e7c68e
commit 877e01df37
65 changed files with 183 additions and 137 deletions
Download patch file Download diff file Expand all files Collapse all files

25
CHANGELOG.md
View file

@ -7,6 +7,31 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
---
## [2.2.2] - 2025-12-22
### 🚀 Performance Release
**Major performance improvement for AdvancedSecurity firewall operations.**
### ⚡ Performance
**Firewall Snapshot Performance Fix (Critical)**
- Fixed: Firewall rules backup took 60-120 seconds (especially in offline mode)
- Root cause: `Get-NetFirewallPortFilter` was called individually for each of ~300+ firewall rules (~200ms per call)
- Fix: Batch query approach - load all port filters once into hashtable, then fast lookup by InstanceID
- Result: **60-120 seconds → 2-5 seconds** (both online and offline)
- Affected files:
- `Modules/AdvancedSecurity/Private/Backup-AdvancedSecuritySettings.ps1`
- `Modules/AdvancedSecurity/Private/Disable-RiskyPorts.ps1`
### ✅ Changed
**Version Alignment**
- All 60+ framework files updated to v2.2.2
- Module manifests (.psd1), module loaders (.psm1), core scripts, utilities, tests, and documentation synchronized
---
## [2.2.1] - 2025-12-19
### 🔧 Maintenance Release

12
CONTRIBUTING.md
View file

@ -68,7 +68,7 @@ Modules/
```
Modules/AdvancedSecurity/
├── AdvancedSecurity.psd1 # Manifest with version 2.2.1
├── AdvancedSecurity.psd1 # Manifest with version 2.2.2
├── AdvancedSecurity.psm1 # Loads Private/*.ps1 and Public/*.ps1
├── Config/
│ ├── RDP.json # RDP hardening config
@ -105,7 +105,7 @@ Modules/AdvancedSecurity/
```powershell
@{
RootModule = 'YourModule.psm1'
ModuleVersion = '2.2.1'
ModuleVersion = '2.2.2'
GUID = 'YOUR-GUID-HERE' # Generate with [guid]::NewGuid()
Author = 'Your Name'
CompanyName = 'NoID Privacy'
@ -128,7 +128,7 @@ Modules/AdvancedSecurity/
Tags = @('Security', 'Hardening', 'Windows11')
ProjectUri = 'https://github.com/yourusername/noid-privacy'
ReleaseNotes = @"
v2.2.1 - Initial Release
v2.2.2 - Initial Release
- Feature 1
- Feature 2
"@
@ -141,7 +141,7 @@ v2.2.1 - Initial Release
```powershell
@{
RootModule = 'AdvancedSecurity.psm1'
ModuleVersion = '2.2.1'
ModuleVersion = '2.2.2'
GUID = 'a1b2c3d4-e5f6-7890-abcd-ef1234567890'
Author = 'NexusOne23'
Description = 'Advanced Security hardening beyond Microsoft Security Baseline'
@ -155,7 +155,7 @@ v2.2.1 - Initial Release
PSData = @{
Tags = @('Security', 'Hardening', 'RDP', 'TLS', 'Windows11')
ReleaseNotes = @"
v2.2.1 - Production Release
v2.2.2 - Production Release
- RDP NLA enforcement + optional complete disable
- WDigest credential protection
- Administrative shares disable (domain-aware)
@ -781,4 +781,4 @@ mkdir "Modules\YourModule\Config"
---
**Questions? Study AdvancedSecurity v2.2.1 - it's the reference implementation!** 🎯
**Questions? Study AdvancedSecurity v2.2.2 - it's the reference implementation!** 🎯

8
Core/Config.ps1
View file

@ -8,7 +8,7 @@
.NOTES
Author: NexusOne23
Version: 2.2.1
Version: 2.2.2
Requires: PowerShell 5.1+
#>
@ -79,7 +79,7 @@ function New-DefaultConfig {
)
$defaultConfig = @{
version = "2.2.1"
version = "2.2.2"
modules = @{
SecurityBaseline = @{
enabled = $true
@ -114,7 +114,7 @@ function New-DefaultConfig {
priority = 6
status = "IMPLEMENTED"
description = "Microsoft Edge v139 Security Baseline: 20 security policies including SmartScreen enforcement, site isolation, SSL/TLS hardening, extension blocklist, IE Mode restrictions, and Spectre mitigations. No LGPO.exe dependency."
version = "2.2.1"
version = "2.2.2"
baseline = "Edge v139"
policies = 20
features = @{
@ -133,7 +133,7 @@ function New-DefaultConfig {
priority = 7
status = "IMPLEMENTED"
description = "Advanced Security hardening beyond MS Baseline: RDP NLA/Disable, WDigest protection, Admin Shares disable, Risky ports/services, Legacy TLS disable, WPAD disable, PowerShell v2 removal, SRP .lnk protection, Windows Update (3 GUI settings), Finger Protocol block. Opt-in by design (use -SecurityProfile Balanced/Enterprise/Maximum)"
version = "2.2.1"
version = "2.2.2"
policies = 36
features = @{
rdp_hardening = $true

4
Core/Framework.ps1
View file

@ -8,7 +8,7 @@
.NOTES
Author: NexusOne23
Version: 2.2.1
Version: 2.2.2
Requires: PowerShell 5.1+
.EXAMPLE
@ -24,7 +24,7 @@
# All configuration comes from config.json via Initialize-Config.
# Script-level variables
$script:FrameworkVersion = "2.2.1"
$script:FrameworkVersion = "2.2.2"
$script:FrameworkRoot = Split-Path -Parent $PSScriptRoot
$script:ExecutionStartTime = Get-Date

2
Core/Logger.ps1
View file

@ -8,7 +8,7 @@
.NOTES
Author: NexusOne23
Version: 2.2.1
Version: 2.2.2
Requires: PowerShell 5.1+
#>

2
Core/NonInteractive.ps1
View file

@ -12,7 +12,7 @@
.NOTES
Author: NexusOne23
Version: 2.2.1
Version: 2.2.2
Usage in modules:
1. Call Test-NonInteractiveMode to check if prompts should be skipped

6
Core/Rollback.ps1
View file

@ -8,7 +8,7 @@
.NOTES
Author: NexusOne23
Version: 2.2.1
Version: 2.2.2
Requires: PowerShell 5.1+
#>
@ -64,7 +64,7 @@ function Initialize-BackupSystem {
displayName = "" # Auto-generated based on modules
sessionType = "unknown" # wizard | advanced | manual
timestamp = Get-Date -Format "o"
frameworkVersion = "2.2.1"
frameworkVersion = "2.2.2"
modules = @()
totalItems = 0
restorable = $true
@ -2246,7 +2246,7 @@ function Restore-Session {
"HKCU:\Software\Microsoft\Windows\CurrentVersion\SystemSettings\AccountNotifications",
"HKCU:\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement",
"HKCU:\SOFTWARE\Microsoft\Personalization\Settings",
# NEW: Input Personalization Settings (v2.2.1 - FIX missing HKCU restore)
# NEW: Input Personalization Settings (v2.2.2 - FIX missing HKCU restore)
"HKCU:\SOFTWARE\Microsoft\InputPersonalization",
"HKCU:\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore",
"HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics"

2
Core/Validator.ps1
View file

@ -8,7 +8,7 @@
.NOTES
Author: NexusOne23
Version: 2.2.1
Version: 2.2.2
Requires: PowerShell 5.1+
#>

26
Docs/FEATURES.md
View file

@ -1,9 +1,9 @@
# NoID Privacy - Complete Feature List
**Framework Version:** v2.2.1
**Framework Version:** v2.2.2
**Total Security Settings:** 633 (Paranoid mode)
**Modules:** 7 (All Production-Ready)
**Last Updated:** December 8, 2025
**Last Updated:** December 22, 2025
---
@ -11,13 +11,13 @@
| Module | Settings | Status | Description |
|--------|----------|--------|-------------|
| **SecurityBaseline** | 425 | ✅ v2.2.1 | Microsoft Security Baseline for Windows 11 v25H2 |
| **ASR** | 19 | ✅ v2.2.1 | Attack Surface Reduction rules |
| **DNS** | 5 | ✅ v2.2.1 | Secure DNS with DoH encryption |
| **Privacy** | 78 | ✅ v2.2.1 | Telemetry control, OneDrive hardening (Strict: 70 Registry + 2 Services + 6 OneDrive) |
| **AntiAI** | 32 | ✅ v2.2.1 | AI lockdown (15 features, 32 compliance checks) |
| **EdgeHardening** | 24 | ✅ v2.2.1 | Microsoft Edge browser security (24 policies) |
| **AdvancedSecurity** | 50 | ✅ v2.2.1 | Advanced hardening beyond MS Baseline (incl. Wireless Display, Discovery Protocols, IPv6) |
| **SecurityBaseline** | 425 | ✅ v2.2.2 | Microsoft Security Baseline for Windows 11 v25H2 |
| **ASR** | 19 | ✅ v2.2.2 | Attack Surface Reduction rules |
| **DNS** | 5 | ✅ v2.2.2 | Secure DNS with DoH encryption |
| **Privacy** | 78 | ✅ v2.2.2 | Telemetry control, OneDrive hardening (Strict: 70 Registry + 2 Services + 6 OneDrive) |
| **AntiAI** | 32 | ✅ v2.2.2 | AI lockdown (15 features, 32 compliance checks) |
| **EdgeHardening** | 24 | ✅ v2.2.2 | Microsoft Edge browser security (24 policies) |
| **AdvancedSecurity** | 50 | ✅ v2.2.2 | Advanced hardening beyond MS Baseline (incl. Wireless Display, Discovery Protocols, IPv6) |
| **TOTAL** | **633** | ✅ **100%** | **Complete Framework (Paranoid mode)** |
---
@ -238,7 +238,7 @@ Clipchamp.Clipchamp, SpotifyAB.SpotifyMusic
## 🤖 Module 5: AntiAI (32 Policies)
**Description:** Disable 15 Windows AI features via 32 registry policies (v2.2.1)
**Description:** Disable 15 Windows AI features via 32 registry policies (v2.2.2)
### 15 AI Features Disabled:
@ -724,7 +724,7 @@ Some UI elements in Paint and Photos apps may **still be visible** but non-funct
```
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
NoID Privacy v2.2.1
NoID Privacy v2.2.2
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Total Settings: 633 ✅
@ -744,5 +744,5 @@ Framework Completion: 🎉 100% COMPLETE
---
**Last Updated:** December 8, 2025
**Framework Version:** v2.2.1
**Last Updated:** December 22, 2025
**Framework Version:** v2.2.2

2
Docs/LICENSE-HISTORY.md
View file

@ -35,7 +35,7 @@ See [LICENSE](LICENSE) for full text.
**Impact:**
- **v1.8.3 and earlier:** Remain under MIT License (cannot be changed retroactively)
- **v2.2.1 and later:** Licensed under GPL v3.0
- **v2.0.0 and later:** Licensed under GPL v3.0
- Forks of v1.x can remain MIT-licensed
- Forks of v2.x must comply with GPL v3.0

2
Docs/NONINTERACTIVE-MODE.md
View file

@ -277,7 +277,7 @@ $env:NOIDPRIVACY_NONINTERACTIVE = "true"
---
## Exit Codes (v2.2.1+)
## Exit Codes (v2.0.0+)
The framework returns structured exit codes for CI/CD integration:

4
Modules/ASR/ASR.psd1
View file

@ -1,6 +1,6 @@
@{
RootModule = 'ASR.psm1'
ModuleVersion = '2.2.1'
ModuleVersion = '2.2.2'
GUID = 'b2c3d4e5-f6a7-8901-bcde-f23456789012'
Author = 'NexusOne23'
CompanyName = 'Open Source Project'
@ -25,7 +25,7 @@
LicenseUri = ''
ProjectUri = ''
ReleaseNotes = @"
v2.2.1 - Production Release
v2.2.2 - Production Release
- All 19 ASR rules implementation
- Hybrid approach: Registry backup + Set-MpPreference application
- SCCM/Configuration Manager detection

2
Modules/ASR/ASR.psm1
View file

@ -11,7 +11,7 @@
.NOTES
Author: NexusOne23
Version: 2.2.1
Version: 2.2.2
Requires: PowerShell 5.1+, Administrator privileges, Windows Defender
#>

4
Modules/AdvancedSecurity/AdvancedSecurity.psd1
View file

@ -2,7 +2,7 @@
# Module manifest for AdvancedSecurity
# Version
ModuleVersion = '2.2.1'
ModuleVersion = '2.2.2'
# Unique ID
GUID = 'e7f5a3d2-8c9b-4f1e-a6d3-9b2c8f4e5a1d'
@ -48,7 +48,7 @@
LicenseUri = ''
ProjectUri = ''
ReleaseNotes = @'
v2.2.1 (2025-12-08)
v2.2.2 (2025-12-08)
- Production release of AdvancedSecurity module
- 49 advanced hardening settings implemented (was 36)
- NEW: Wireless Display (Miracast) security hardening

2
Modules/AdvancedSecurity/AdvancedSecurity.psm1
View file

@ -1,5 +1,5 @@
# AdvancedSecurity Module Loader
# Version: 2.2.1
# Version: 2.2.2
# Description: Advanced Security Hardening - Beyond Microsoft Security Baseline
# Get module path

2
Modules/AdvancedSecurity/Config/AdminShares.json
View file

@ -2,7 +2,7 @@
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "Administrative Shares Configuration",
"description": "Configuration for disabling administrative shares (C$, ADMIN$, etc.) to prevent lateral movement",
"version": "2.2.1",
"version": "2.2.2",
"Administrative_Shares": {
"description": "Disable automatic creation and remove existing administrative shares",

2
Modules/AdvancedSecurity/Config/Credentials.json
View file

@ -2,7 +2,7 @@
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "Credential Protection Configuration",
"description": "Configuration for credential hardening including WDigest protection",
"version": "2.2.1",
"version": "2.2.2",
"WDigest_Protection": {
"description": "Prevent WDigest from storing plaintext passwords in LSASS memory",

2
Modules/AdvancedSecurity/Config/RDP.json
View file

@ -2,7 +2,7 @@
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "RDP Hardening Configuration",
"description": "Configuration for RDP (Remote Desktop Protocol) hardening including NLA enforcement and optional complete disable",
"version": "2.2.1",
"version": "2.2.2",
"NLA_Enforcement": {
"description": "Network Level Authentication (NLA) enforcement settings",

40
Modules/AdvancedSecurity/Private/Backup-AdvancedSecuritySettings.ps1
View file

@ -186,22 +186,34 @@ function Backup-AdvancedSecuritySettings {
# 8. Firewall Rules Snapshot
Write-Host ""
Write-Host " ============================================" -ForegroundColor Cyan
Write-Host " FIREWALL RULES BACKUP - PLEASE WAIT" -ForegroundColor Cyan
Write-Host " ============================================" -ForegroundColor Cyan
Write-Host " Creating snapshot for risky ports..." -ForegroundColor White
Write-Host " Creating firewall snapshot for risky ports..." -ForegroundColor Cyan
Write-Host " Ports: 79, 137-139, 1900, 2869, 5355, 3702, 5353, 5357, 5358" -ForegroundColor Gray
Write-Host ""
Write-Host " [!] This operation takes 60-120 seconds" -ForegroundColor Yellow
Write-Host " System is working - do not interrupt!" -ForegroundColor Yellow
Write-Host " ============================================" -ForegroundColor Cyan
Write-Host ""
Write-Log -Level INFO -Message "Backing up firewall rules snapshot for risky ports (79, 137, 138, 139, 1900, 2869, 5355, 3702, 5353, 5357, 5358)..." -Module "AdvancedSecurity"
$firewallRules = Get-NetFirewallRule | Where-Object {
$portFilter = $_ | Get-NetFirewallPortFilter
(($portFilter.LocalPort -in @(79, 137, 138, 139, 1900, 2869, 5355, 3702, 5353, 5357, 5358)) -or
($portFilter.RemotePort -in @(79, 137, 138, 139, 1900, 2869, 5355, 3702, 5353, 5357, 5358))) -and
($_.Direction -eq 'Inbound' -or $_.Direction -eq 'Outbound')
# PERFORMANCE FIX: Batch query instead of per-rule queries
# Old approach: Get-NetFirewallRule | ForEach { Get-NetFirewallPortFilter } = 300+ queries × 200ms = 60-120s!
# New approach: Get all port filters once, then filter via hashtable = 2-5s total
$riskyPorts = @(79, 137, 138, 139, 1900, 2869, 5355, 3702, 5353, 5357, 5358)
# Step 1: Get all firewall rules once
$allRules = Get-NetFirewallRule -ErrorAction SilentlyContinue
# Step 2: Get all port filters in one batch query and build hashtable by InstanceID
$allPortFilters = @{}
Get-NetFirewallPortFilter -ErrorAction SilentlyContinue | ForEach-Object {
$allPortFilters[$_.InstanceID] = $_
}
# Step 3: Filter rules by risky ports (fast hashtable lookup)
$firewallRules = $allRules | Where-Object {
$portFilter = $allPortFilters[$_.InstanceID]
if ($portFilter) {
(($portFilter.LocalPort -in $riskyPorts) -or ($portFilter.RemotePort -in $riskyPorts)) -and
($_.Direction -eq 'Inbound' -or $_.Direction -eq 'Outbound')
}
else {
$false
}
} | Select-Object Name, DisplayName, Enabled, Direction, Action
$firewallData = @{

2
Modules/AdvancedSecurity/Private/Block-FingerProtocol.ps1
View file

@ -21,7 +21,7 @@ function Block-FingerProtocol {
.NOTES
Author: NexusOne23
Version: 2.2.1
Version: 2.2.2
Requires: Administrator privileges
REFERENCES:

18
Modules/AdvancedSecurity/Private/Disable-RiskyPorts.ps1
View file

@ -41,16 +41,22 @@ function Disable-RiskyPorts {
$disabledRules = 0
$errors = @()
# PERFORMANCE: Get all firewall rules ONCE and cache port filters
# PERFORMANCE FIX: Batch query instead of per-rule queries
# Old approach: foreach { Get-NetFirewallPortFilter } = 300+ queries × 200ms = 60s+
# New approach: Get all port filters once via hashtable = 2-5s total
Write-Log -Level INFO -Message "Loading firewall rules for analysis..." -Module "AdvancedSecurity"
$allRules = Get-NetFirewallRule | Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq $true }
$allRules = Get-NetFirewallRule -ErrorAction SilentlyContinue | Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq $true }
# Pre-fetch port filters to avoid repeated Get-NetFirewallPortFilter calls
# NOTE: We cache both the rule and its ports so we can later filter ONLY
# ALLOW rules for disabling. NoID block rules must remain enabled.
# Get all port filters in one batch query and build hashtable by InstanceID
$allPortFilters = @{}
Get-NetFirewallPortFilter -ErrorAction SilentlyContinue | ForEach-Object {
$allPortFilters[$_.InstanceID] = $_
}
# Build cache with fast hashtable lookup
$rulesWithPorts = @()
foreach ($rule in $allRules) {
$portFilter = $rule | Get-NetFirewallPortFilter -ErrorAction SilentlyContinue
$portFilter = $allPortFilters[$rule.InstanceID]
if ($portFilter) {
$rulesWithPorts += [PSCustomObject]@{
Rule = $rule

2
Modules/AdvancedSecurity/Private/Set-SRPRules.ps1
View file

@ -27,7 +27,7 @@ function Set-SRPRules {
.NOTES
Author: NexusOne23
Version: 2.2.1
Version: 2.2.2
Requires: Administrator privileges
REFERENCES:

2
Modules/AdvancedSecurity/Private/Set-WindowsUpdate.ps1
View file

@ -22,7 +22,7 @@ function Set-WindowsUpdate {
.NOTES
Author: NexusOne23
Version: 2.2.1
Version: 2.2.2
Requires: Administrator privileges
Based on: Windows Settings > Windows Update > Advanced options
#>

2
Modules/AdvancedSecurity/Public/Invoke-AdvancedSecurity.ps1
View file

@ -11,7 +11,7 @@ function Invoke-AdvancedSecurity {
- Enterprise: Conservative approach with domain-safety checks
- Maximum: Maximum hardening for air-gapped/high-security environments
Features implemented (v2.2.1):
Features implemented (v2.2.2):
- RDP NLA enforcement + optional complete disable
- WDigest credential protection
- Administrative shares disable (domain-aware)

2
Modules/AntiAI/AntiAI.psd1
View file

@ -1,6 +1,6 @@
@{
RootModule = 'AntiAI.psm1'
ModuleVersion = '2.2.1'
ModuleVersion = '2.2.2'
GUID = 'f8e9d7c6-5b4a-3c2d-1e0f-9a8b7c6d5e4f'
Author = 'NexusOne23'
CompanyName = 'Open Source Project'

4
Modules/AntiAI/AntiAI.psm1
View file

@ -11,7 +11,7 @@
.NOTES
Module: AntiAI
Version: 2.2.1
Version: 2.2.2
Author: NoID Privacy
#>
@ -29,7 +29,7 @@ $privateFunctions = @(
'Disable-Recall'
'Set-RecallProtection'
'Disable-Copilot'
'Disable-CopilotAdvanced' # NEW v2.2.1: URI handlers, Edge sidebar, Recall export
'Disable-CopilotAdvanced' # NEW v2.2.2: URI handlers, Edge sidebar, Recall export
'Disable-ClickToDo'
'Disable-SettingsAgent'
'Disable-ExplorerAI' # NEW: File Explorer AI Actions menu

2
Modules/AntiAI/Private/Disable-CopilotAdvanced.ps1
View file

@ -40,7 +40,7 @@
.NOTES
Requires Administrator privileges.
Part of NoID Privacy AntiAI Module v2.2.1
Part of NoID Privacy AntiAI Module v2.2.2
#>
function Disable-CopilotAdvanced {
[CmdletBinding()]

2
Modules/AntiAI/Private/Test-AntiAICompliance.ps1
View file

@ -42,7 +42,7 @@
.NOTES
Author: NoID Privacy
Version: 2.2.1 (Extended validation)
Version: 2.2.2 (Extended validation)
Requires: Windows 11 24H2+, Administrator privileges
#>

8
Modules/AntiAI/Public/Invoke-AntiAI.ps1
View file

@ -52,7 +52,7 @@
.NOTES
Author: NoID Privacy
Version: 2.2.1
Version: 2.2.2
Requires: Windows 11 24H2 or later, Administrator privileges
Impact: All AI features completely disabled, reboot required
#>
@ -70,7 +70,7 @@ function Invoke-AntiAI {
Write-Host "" -ForegroundColor Cyan
Write-Host "========================================" -ForegroundColor Cyan
Write-Host " ANTI-AI MODULE v2.2.1" -ForegroundColor Cyan
Write-Host " ANTI-AI MODULE v2.2.2" -ForegroundColor Cyan
Write-Host "========================================" -ForegroundColor Cyan
Write-Host ""
Write-Host "Disables 15 AI features (32 policies):" -ForegroundColor White
@ -171,7 +171,7 @@ function Invoke-AntiAI {
@{ Path = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Paint"; Name = "DisableImageCreator"; Type = "DWord" },
@{ Path = "HKLM:\SOFTWARE\Policies\WindowsNotepad"; Name = "DisableAIFeatures"; Type = "DWord" },
@{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI"; Name = "DisableSettingsAgent"; Type = "DWord" },
# NEW v2.2.1: Advanced Copilot Blocking
# NEW v2.2.2: Advanced Copilot Blocking
@{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI"; Name = "AllowRecallExport"; Type = "DWord" },
@{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Edge"; Name = "EdgeSidebarEnabled"; Type = "DWord" },
@{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Edge"; Name = "ShowHubsSidebar"; Type = "DWord" },
@ -355,7 +355,7 @@ function Invoke-AntiAI {
}
# ============================================================================
# ADVANCED COPILOT BLOCKING (NEW v2.2.1)
# ADVANCED COPILOT BLOCKING (NEW v2.2.2)
# ============================================================================
Write-Host ""
Write-Host " [Advanced Copilot Blocks]" -ForegroundColor Cyan

2
Modules/DNS/DNS.psd1
View file

@ -2,7 +2,7 @@
# Module manifest for DNS module
RootModule = 'DNS.psm1'
ModuleVersion = '2.2.1'
ModuleVersion = '2.2.2'
GUID = 'a8f7b3c9-4e5d-4a2b-9c1d-8f3e5a7b9c2d'
Author = 'NexusOne23'
CompanyName = 'Open Source Project'

2
Modules/DNS/DNS.psm1
View file

@ -12,7 +12,7 @@
.NOTES
Author: NoID Privacy
Version: 2.2.1
Version: 2.2.2
Requires: PowerShell 5.1+, Administrator privileges
#>

4
Modules/EdgeHardening/EdgeHardening.psd1
View file

@ -3,7 +3,7 @@
RootModule = 'EdgeHardening.psm1'
# Version number of this module
ModuleVersion = '2.2.1'
ModuleVersion = '2.2.2'
# ID used to uniquely identify this module
GUID = '8e3f4c2a-9b1d-4e7a-a2c5-6f8b3d9e1a4c'
@ -48,7 +48,7 @@
LicenseUri = ''
ProjectUri = ''
ReleaseNotes = @"
v2.2.1 - Production Release
v2.2.2 - Production Release
- Microsoft Edge v139 Security Baseline implementation
- 20 security policies (native PowerShell, no LGPO.exe)
- SmartScreen enforcement with override prevention

2
Modules/EdgeHardening/EdgeHardening.psm1
View file

@ -16,7 +16,7 @@
.NOTES
Author: NexusOne23
Version: 2.2.1
Version: 2.2.2
Requires: PowerShell 5.1+, Administrator privileges
#>

2
Modules/EdgeHardening/Public/Invoke-EdgeHardening.ps1
View file

@ -48,7 +48,7 @@
.NOTES
Author: NexusOne23
Version: 2.2.1
Version: 2.2.2
Requires: PowerShell 5.1+, Administrator privileges
IMPORTANT: This applies Microsoft's recommended security baseline.

2
Modules/EdgeHardening/Public/Test-EdgeHardening.ps1
View file

@ -23,7 +23,7 @@
.NOTES
Author: NexusOne23
Version: 2.2.1
Version: 2.2.2
Can be run without Administrator privileges
#>

2
Modules/Privacy/Privacy.psd1
View file

@ -1,6 +1,6 @@
@{
RootModule = 'Privacy.psm1'
ModuleVersion = '2.2.1'
ModuleVersion = '2.2.2'
GUID = 'a9f7c8d3-2e5b-4a1f-9c3d-7e8f5a6b2c4d'
Author = 'NexusOne23'
CompanyName = 'Open Source Project'

2
Modules/Privacy/Privacy.psm1
View file

@ -16,7 +16,7 @@
.NOTES
Module: Privacy
Version: 2.2.1
Version: 2.2.2
Author: NoID Privacy
#>

6
Modules/Privacy/Private/Backup-PrivacySettings.ps1
View file

@ -38,12 +38,12 @@ function Backup-PrivacySettings {
"HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore",
"HKLM:\SOFTWARE\Policies\Microsoft\Dsh",
"HKLM:\SOFTWARE\Policies\Microsoft\FindMyDevice",
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\TextInput", # AllowLinguisticDataCollection (v2.2.1)
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\TextInput", # AllowLinguisticDataCollection (v2.2.2)
"HKLM:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics",
# HKCU User Keys
"HKCU:\Software\Policies\Microsoft\Windows\Explorer",
"HKCU:\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo",
# NEW: Anti-Advertising & Search Settings (v2.2.1)
# NEW: Anti-Advertising & Search Settings (v2.2.2)
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Search",
"HKCU:\Software\Microsoft\Windows\CurrentVersion\SearchSettings",
@ -52,7 +52,7 @@ function Backup-PrivacySettings {
"HKCU:\Software\Microsoft\Windows\CurrentVersion\SystemSettings\AccountNotifications",
"HKCU:\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement",
"HKCU:\SOFTWARE\Microsoft\Personalization\Settings",
# NEW: Input Personalization Settings (v2.2.1 - FIX missing HKCU backup)
# NEW: Input Personalization Settings (v2.2.2 - FIX missing HKCU backup)
"HKCU:\SOFTWARE\Microsoft\InputPersonalization",
"HKCU:\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore",
"HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics"

2
Modules/Privacy/Public/Invoke-PrivacyHardening.ps1
View file

@ -354,7 +354,7 @@ function Invoke-PrivacyHardening {
$bloatwareListPath = Join-Path $moduleBackupPath "REMOVED_APPS_LIST.txt"
$listContent = @()
$listContent += "================================================================"
$listContent += " REMOVED APPS - NoID Privacy v2.2.1"
$listContent += " REMOVED APPS - NoID Privacy v2.2.2"
$listContent += " Session: $(Split-Path $moduleBackupPath -Leaf)"
$listContent += " Date: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
$listContent += "================================================================"

2
Modules/SecurityBaseline/Public/Invoke-SecurityBaseline.ps1
View file

@ -44,7 +44,7 @@
.NOTES
Author: NexusOne23
Version: 2.2.1 - Self-Contained Edition
Version: 2.2.2 - Self-Contained Edition
Requires: PowerShell 5.1+, Administrator privileges
BREAKING CHANGE from v1.0:

4
Modules/SecurityBaseline/SecurityBaseline.psd1
View file

@ -1,6 +1,6 @@
@{
RootModule = 'SecurityBaseline.psm1'
ModuleVersion = '2.2.1'
ModuleVersion = '2.2.2'
GUID = 'a1b2c3d4-e5f6-7890-abcd-ef1234567890'
Author = 'NexusOne23'
CompanyName = 'Open Source Project'
@ -26,7 +26,7 @@
LicenseUri = ''
ProjectUri = ''
ReleaseNotes = @"
v2.2.1 - Self-Contained Edition
v2.2.2 - Self-Contained Edition
- NO LGPO.exe REQUIRED! Fully self-contained implementation
- 425 Microsoft Security Baseline settings for Windows 11 25H2
- 335 Registry policies (Computer + User)

2
Modules/SecurityBaseline/SecurityBaseline.psm1
View file

@ -13,7 +13,7 @@
.NOTES
Author: NexusOne23
Version: 2.2.1
Version: 2.2.2
Requires: PowerShell 5.1+, Administrator privileges
#>

8
NoIDPrivacy-Interactive.ps1
View file

@ -19,7 +19,7 @@
resulting from its use. USE AT YOUR OWN RISK.
Author: NexusOne23
Version: 2.2.1
Version: 2.2.2
Requires: PowerShell 5.1+, Administrator
For CLI mode use: NoIDPrivacy.ps1 -Module <name>
#>
@ -30,7 +30,7 @@
# No parameters - interactive mode only
$ErrorActionPreference = 'Stop'
$Host.UI.RawUI.WindowTitle = "NoID Privacy v2.2.1"
$Host.UI.RawUI.WindowTitle = "NoID Privacy v2.2.2"
# Set script root path (required by modules to load configs)
$script:RootPath = $PSScriptRoot
@ -90,7 +90,7 @@ function Write-Banner {
Clear-Host
Write-Host ""
Write-Host " ========================================" -ForegroundColor Cyan
Write-Host " NoID Privacy v2.2.1 " -ForegroundColor Cyan
Write-Host " NoID Privacy v2.2.2 " -ForegroundColor Cyan
Write-Host " ========================================" -ForegroundColor Cyan
Write-Host ""
Write-Host " Professional Windows 11 Security & Privacy Hardening Framework" -ForegroundColor Gray
@ -105,7 +105,7 @@ function Write-Banner {
$osBuild = if ($os) { $os.BuildNumber } else { $null }
$psVersion = $PSVersionTable.PSVersion.ToString()
$envLine = " Version 2.2.1"
$envLine = " Version 2.2.2"
if ($osBuild) {
$envLine += " | Windows Build $osBuild"
}

6
NoIDPrivacy.ps1
View file

@ -50,7 +50,7 @@
resulting from its use. USE AT YOUR OWN RISK.
Author: NexusOne23
Version: 2.2.1
Version: 2.2.2
Requires: PowerShell 5.1+, Administrator privileges, Windows 11
License: GPL-3.0 (Core CLI). See LICENSE for full terms.
@ -135,7 +135,7 @@ try {
$logDirectory = Join-Path $script:RootPath "Logs"
Initialize-Logger -LogDirectory $logDirectory -MinimumLevel $logLevel
Write-Log -Level INFO -Message "=== NoID Privacy Framework v2.2.1 ===" -Module "Main"
Write-Log -Level INFO -Message "=== NoID Privacy Framework v2.2.2 ===" -Module "Main"
Write-Log -Level INFO -Message "Starting framework initialization..." -Module "Main"
# Load other Core modules
@ -216,7 +216,7 @@ catch {
# Display banner
Write-Host ""
Write-Host "========================================" -ForegroundColor Cyan
Write-Host " NoID Privacy - v2.2.1" -ForegroundColor Cyan
Write-Host " NoID Privacy - v2.2.2" -ForegroundColor Cyan
Write-Host " Windows 11 Security Hardening" -ForegroundColor Cyan
Write-Host "========================================" -ForegroundColor Cyan
Write-Host ""

27
README.md
View file

@ -8,7 +8,7 @@
[![PowerShell](https://img.shields.io/badge/PowerShell-5.1%2B-blue.svg?logo=powershell)](https://github.com/PowerShell/PowerShell)
[![Windows 11](https://img.shields.io/badge/Windows%2011-25H2-0078D4.svg?logo=windows11)](https://www.microsoft.com/windows/)
[![License](https://img.shields.io/badge/license-GPL--3.0-green.svg?logo=gnu)](LICENSE)
[![Version](https://img.shields.io/badge/version-2.2.1-blue.svg)](CHANGELOG.md)
[![Version](https://img.shields.io/badge/version-2.2.2-blue.svg)](CHANGELOG.md)
[![Status](https://img.shields.io/badge/status-production--ready-brightgreen.svg)]()
---
@ -391,13 +391,13 @@ cd noid-privacy
| Module | Settings | Description | Status |
|--------|----------|-------------|--------|
| **SecurityBaseline** | 425 | Microsoft Security Baseline 25H2 | v2.2.1 |
| **ASR** | 19 | Attack Surface Reduction Rules | v2.2.1 |
| **DNS** | 5 | Secure DNS with DoH encryption | v2.2.1 |
| **Privacy** | 78 | Telemetry, Bloatware, OneDrive hardening (Strict) | v2.2.1 |
| **AntiAI** | 32 | AI lockdown (15 features, 32 compliance checks) | v2.2.1 |
| **EdgeHardening** | 24 | Microsoft Edge security (24 policies) | v2.2.1 |
| **AdvancedSecurity** | 50 | Beyond MS Baseline (SRP, Legacy protocols, Wireless Display, Discovery Protocols, IPv6) | v2.2.1 |
| **SecurityBaseline** | 425 | Microsoft Security Baseline 25H2 | v2.2.2 |
| **ASR** | 19 | Attack Surface Reduction Rules | v2.2.2 |
| **DNS** | 5 | Secure DNS with DoH encryption | v2.2.2 |
| **Privacy** | 78 | Telemetry, Bloatware, OneDrive hardening (Strict) | v2.2.2 |
| **AntiAI** | 32 | AI lockdown (15 features, 32 compliance checks) | v2.2.2 |
| **EdgeHardening** | 24 | Microsoft Edge security (24 policies) | v2.2.2 |
| **AdvancedSecurity** | 50 | Beyond MS Baseline (SRP, Legacy protocols, Wireless Display, Discovery Protocols, IPv6) | v2.2.2 |
| **TOTAL** | **633** | **Complete Framework (Paranoid mode)** | **Production** |
**Release Highlights:**
@ -852,17 +852,20 @@ The authors are not responsible for any damage or data loss.
## 📈 Project Status
**Current Version:** 2.2.1
**Last Updated:** December 19, 2025
**Current Version:** 2.2.2
**Last Updated:** December 22, 2025
**Status:** Production-Ready
### Release Highlights v2.2.2
- **Performance:** Firewall snapshot 60-120s → 2-5s (batch query fix)
- Version alignment across 60+ framework files
### Release Highlights v2.2.1
- **Critical Fix:** Multi-run session bug (auditpol backup failures when running multiple times)
- **Fix:** `.Count` property bug in 5 files (Where-Object single-object results)
- **Improved:** ASR prompt text ("untrusted" → "new software" - more neutral)
- Full codebase review of backup/restore system (2970 lines)
- Wireless Display security verified against MS Policy CSP docs
### Release Highlights v2.2.0

2
SECURITY.md
View file

@ -174,5 +174,5 @@ For licensing questions, see [LICENSE](LICENSE) or open a [Discussion](https://g
---
**Last Updated**: December 8, 2025
**Last Updated**: December 22, 2025
**Policy Version**: 1.1

4
Start-NoIDPrivacy.bat
View file

@ -7,12 +7,12 @@ REM This script launches NoIDPrivacy-Interactive.ps1 with
REM Administrator privileges (auto-elevation).
REM
REM Author: NexusOne23
REM Version: 2.2.1
REM Version: 2.2.2
REM ========================================
setlocal
title NoID Privacy v2.2.1
title NoID Privacy v2.2.2
REM Get the directory where this batch file is located
set "SCRIPT_DIR=%~dp0"

2
Tests/Run-Tests.ps1
View file

@ -17,7 +17,7 @@
.NOTES
Author: NexusOne23
Version: 2.2.1
Version: 2.2.2
Requires: PowerShell 5.1+, Pester 5.0+
.EXAMPLE

2
Tests/Setup-TestEnvironment.ps1
View file

@ -8,7 +8,7 @@
.NOTES
Author: NexusOne23
Version: 2.2.1
Version: 2.2.2
Requires: PowerShell 5.1+
.EXAMPLE

2
Tests/Unit/ASR.Tests.ps1
View file

@ -8,7 +8,7 @@
.NOTES
Author: NexusOne23
Version: 2.2.1
Version: 2.2.2
Requires: Pester 5.0+
#>

2
Tests/Unit/AdvancedSecurity.Tests.ps1
View file

@ -8,7 +8,7 @@
.NOTES
Author: NexusOne23
Version: 2.2.1
Version: 2.2.2
Requires: Pester 5.0+
#>

2
Tests/Unit/AntiAI.Tests.ps1
View file

@ -8,7 +8,7 @@
.NOTES
Author: NexusOne23
Version: 2.2.1
Version: 2.2.2
Requires: Pester 5.0+
#>

2
Tests/Unit/DNS.Tests.ps1
View file

@ -8,7 +8,7 @@
.NOTES
Author: NexusOne23
Version: 2.2.1
Version: 2.2.2
Requires: Pester 5.0+
#>

2
Tests/Unit/EdgeHardening.Tests.ps1
View file

@ -8,7 +8,7 @@
.NOTES
Author: NexusOne23
Version: 2.2.1
Version: 2.2.2
Requires: Pester 5.0+
#>

2
Tests/Unit/ModuleTemplate.Tests.ps1
View file

@ -8,7 +8,7 @@
.NOTES
Author: NexusOne23
Version: 2.2.1
Version: 2.2.2
Requires: Pester 5.0+
#>

2
Tests/Unit/Privacy.Tests.ps1
View file

@ -8,7 +8,7 @@
.NOTES
Author: NexusOne23
Version: 2.2.1
Version: 2.2.2
Requires: Pester 5.0+
#>

2
Tools/Parse-EdgeBaseline.ps1
View file

@ -18,7 +18,7 @@
.NOTES
Author: NexusOne23
Version: 2.2.1
Version: 2.2.2
Requires: PowerShell 5.1+
.EXAMPLE

2
Tools/Parse-SecurityBaseline.ps1
View file

@ -25,7 +25,7 @@
.NOTES
Author: NexusOne23
Version: 2.2.1
Version: 2.2.2
Requires: PowerShell 5.1+
.EXAMPLE

8
Tools/Verify-Complete-Hardening.ps1
View file

@ -27,7 +27,7 @@
.NOTES
Author: NexusOne23
Version: 2.2.1
Version: 2.2.2
#>
#Requires -Version 5.1
@ -3180,7 +3180,7 @@ try {
<body>
<div class="container">
<div class="header">
<h1>NoID Privacy v2.2.1</h1>
<h1>NoID Privacy v2.2.2</h1>
<p class="subtitle">Complete Hardening Compliance Report</p>
<span class="badge">All $totalSettings Settings Verified</span>
</div>
@ -3200,7 +3200,7 @@ try {
</div>
<div class="meta-item">
<span class="meta-label">Framework Version</span>
<span class="meta-value">NoID Privacy v2.2.1</span>
<span class="meta-value">NoID Privacy v2.2.2</span>
</div>
</div>
@ -3642,7 +3642,7 @@ try {
</div>
<div class="footer">
<p>Generated by NoID Privacy v2.2.1</p>
<p>Generated by NoID Privacy v2.2.2</p>
<p>Professional Windows 11 Security & Privacy Hardening Framework</p>
</div>
</div>

2
Utils/Compatibility.ps1
View file

@ -8,7 +8,7 @@
.NOTES
Author: NexusOne23
Version: 2.2.1
Version: 2.2.2
Requires: PowerShell 5.1+
#>

2
Utils/Dependencies.ps1
View file

@ -7,7 +7,7 @@
.NOTES
Author: NexusOne23
Version: 2.2.1
Version: 2.2.2
Requires: PowerShell 5.1+
#>

2
Utils/Hardware.ps1
View file

@ -8,7 +8,7 @@
.NOTES
Author: NexusOne23
Version: 2.2.1
Version: 2.2.2
Requires: PowerShell 5.1+
#>

2
Utils/Registry.ps1
View file

@ -8,7 +8,7 @@
.NOTES
Author: NexusOne23
Version: 2.2.1
Version: 2.2.2
Requires: PowerShell 5.1+
#>

2
Utils/Service.ps1
View file

@ -8,7 +8,7 @@
.NOTES
Author: NexusOne23
Version: 2.2.1
Version: 2.2.2
Requires: PowerShell 5.1+
#>

6
config.json
View file

@ -1,5 +1,5 @@
{
"version": "2.2.1",
"version": "2.2.2",
"modules": {
"SecurityBaseline": {
"enabled": true,
@ -48,7 +48,7 @@
"description": "Microsoft Edge v139 Security Baseline: 24 security policies",
"_comment": "Interactive: Allow extensions (Y/N, default: Y)",
"allowExtensions": true,
"version": "2.2.1",
"version": "2.2.2",
"baseline": "Edge v139",
"policies": 24,
"features": {
@ -75,7 +75,7 @@
"disableWirelessDisplay": false,
"disableDiscoveryProtocols": true,
"disableIPv6": false,
"version": "2.2.1",
"version": "2.2.2",
"policies": 50,
"features": {
"rdp_hardening": true,