noid-privacy/CHANGELOG.md
NexusOne23 d8e49ddeb1 Docs: Fix markdown formatting, dates, and add framework diagram
- README.md: Fix arrows, emojis, broken markdown (11 fixes)
- FEATURES.md: Update dates
- CHANGELOG.md: Fix Quad9 as default DNS
- CONTRIBUTING.md: Close unclosed code block
- SECURITY.md: Update date
- SECURITY-ANALYSIS.md: Translate German text to English
- assets: Add framework-architecture.png
2025-12-08 11:25:45 +01:00


Changelog

All notable changes to NoID Privacy will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.


[2.2.0] - 2025-12-08

🚀 Enhanced Framework - 630+ Settings

Major update with expanded AI lockdown, improved privacy coverage, and ASR quick-toggle fix.


🌟 Release Highlights

630+ Settings - Expanded from 580+ (Privacy, AntiAI, EdgeHardening, AdvSec Wireless Display)
NonInteractive Mode - Full GUI integration via config.json
Third-Party AV Support - Automatic detection, graceful ASR skip
AntiAI Enhanced - 32 policies (was 24), Recall Export Block, Edge Copilot disabled
Pre-Framework ASR Snapshot - Preserves rule state before multi-module runs
Smart Registry Backup - JSON fallback for protected keys
Critical Bugfixes - ASR Quick-Toggle, NonInteractive strict-mode, DNS offline

Added

NonInteractive Mode (GUI Integration)

  • Complete config.json support for automated execution
  • All 7 modules fully configurable without prompts when values are provided in config.json
  • Enables GUI-driven hardening in non-interactive mode (no Read-Host prompts)

Pre-Framework ASR Snapshot

  • Captures all 19 ASR rules before multi-module runs
  • Ensures original system state is preserved
  • Prevents ASR rule loss during complex operations

AntiAI Module Enhancements (24 → 32 policies)

  • Recall Export Block (prevents snapshot export)
  • Advanced Copilot Blocks (URI handlers, Edge sidebar)
  • Improved Edge Copilot sidebar disable (5 additional policies)
  • Hardware Copilot key remapped to Notepad
  • CapabilityAccessManager AI blocking

AdvancedSecurity: Wireless Display / Miracast Hardening

  • New Wireless Display security available in all AdvancedSecurity profiles (Balanced/Enterprise/Maximum)
  • Default: Block receiving projections and require PIN for incoming connections
  • Optional: Complete disable (blocks sending projections, mDNS discovery, ports 7236/7250, and Wi-Fi Direct adapters)

AdvancedSecurity: Discovery Protocols Security (Maximum profile)

  • Optional WS-Discovery + mDNS complete disable
  • Blocks automatic device discovery (printers, TVs, scanners)
  • Firewall rules for UDP 3702 (WS-Discovery) and UDP 5353 (mDNS)
  • Prevents network mapping and mDNS spoofing attacks

AdvancedSecurity: IPv6 Disable (Maximum profile - mitm6 mitigation)

  • Optional complete IPv6 disable (DisabledComponents = 0xFF)
  • Prevents mitm6 attacks (DHCPv6 spoofing → DNS takeover → NTLM relay)
  • Defense-in-depth (WPAD already disabled by framework)
  • Recommended for air-gapped/standalone systems
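
A read-only check for the two Maximum-profile options above (IPv6 disable and discovery-protocol blocking), as an added example that is not NoID Privacy's own verification code. The function names are hypothetical, and it assumes the port blocks exist as enabled Windows Firewall rules with a Block action.

```powershell
# Added example: audits local state only, changes nothing.
function Test-Ipv6Disabled {
    # True when DisabledComponents under Tcpip6\Parameters has all low 8 bits set (0xFF).
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $prop = Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue
    return ($null -ne $prop) -and (($prop.DisabledComponents -band 0xFF) -eq 0xFF)
}

function Test-UdpPortBlocked {
    # True when any enabled Block rule names the UDP port as a local or remote port.
    param([Parameter(Mandatory)][int]$Port)
    $rules = Get-NetFirewallRule -Action Block -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $filter = $rule | Get-NetFirewallPortFilter
        if ($filter.Protocol -ne 'UDP') { continue }
        $ports = @($filter.LocalPort) + @($filter.RemotePort)
        if ($ports -contains "$Port") { return $true }
    }
    return $false
}

# Ports and the registry value are the ones listed in the changelog entries above.
$report = [ordered]@{
    'IPv6 disabled (DisabledComponents = 0xFF)' = (Test-Ipv6Disabled)
    'WS-Discovery blocked (UDP 3702)'           = (Test-UdpPortBlocked -Port 3702)
    'mDNS blocked (UDP 5353)'                   = (Test-UdpPortBlocked -Port 5353)
}
$report.GetEnumerator() | ForEach-Object { '{0,-45} {1}' -f $_.Key, $_.Value }
```

A rule that covers the port only through a range or `Any` is not matched by this exact-port comparison, so a `False` result calls for a manual look at the rule list.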

Privacy Module Expansion (55+ → 77 settings)

  • Cloud Clipboard toggle (user-configurable)
  • Enhanced compliance verification
  • Improved bloatware detection
  • Better OneDrive sync compatibility

Third-Party Antivirus Detection

  • Automatic detection of Kaspersky, Norton, Bitdefender, etc.
  • ASR module gracefully skipped when 3rd-party AV active
  • Clear user notification explaining why
  • All other modules continue normally (613 settings)

Smart Registry Backup System

  • JSON fallback for protected system keys
  • Handles access-denied scenarios gracefully
  • Empty marker files for non-existent keys
  • Improved restore reliability

Documentation

  • AV Compatibility section: "Designed for Microsoft Defender Works with Any Antivirus"
  • Clear 632 vs 613 explanation for Defender vs. 3rd-party AV setups
  • Improved troubleshooting guides

🔨 Fixed

ASR Quick-Toggle Bug (Critical)

  • Fixed: Quick-toggling ASR rules caused 3 advanced rules to disappear
  • Affected rules: Safe Mode Reboot, Copied System Tools, Webshell Creation
  • Root cause: Set-MpPreference was called with single rule instead of full rule set
  • Fix: Now reads existing rules, updates target, writes complete set back
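
The read-modify-write pattern described in this fix, as an added example that is not the project's own code. `Merge-AsrRule` and `Set-AsrRuleAction` are hypothetical helper names, and the GUIDs in the sample are constructed placeholders rather than real ASR rule IDs.

```powershell
# Added example; Merge-AsrRule and Set-AsrRuleAction are hypothetical helper names.
function Merge-AsrRule {
    # Pure merge: returns the COMPLETE rule set with one rule's action changed.
    param(
        [string[]]$CurrentIds = @(),
        [int[]]$CurrentActions = @(),
        [Parameter(Mandatory)][string]$RuleId,
        [Parameter(Mandatory)][ValidateSet(0, 1, 2, 6)][int]$Action  # 0=Off 1=Block 2=Audit 6=Warn
    )
    if ($CurrentIds.Count -ne $CurrentActions.Count) {
        throw 'ASR id/action arrays differ in length; refusing to write a partial set.'
    }
    $rules = [ordered]@{}
    for ($i = 0; $i -lt $CurrentIds.Count; $i++) {
        $rules[$CurrentIds[$i].ToLowerInvariant()] = $CurrentActions[$i]
    }
    $rules[$RuleId.ToLowerInvariant()] = $Action   # update or add the target only
    [pscustomobject]@{ Ids = [string[]]@($rules.Keys); Actions = [int[]]@($rules.Values) }
}

function Set-AsrRuleAction {
    # Read existing rules, update the target, write the whole set back, then verify.
    param([Parameter(Mandatory)][string]$RuleId, [Parameter(Mandatory)][int]$Action)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids     | Where-Object { $null -ne $_ })
    $actions = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })
    $merged  = Merge-AsrRule -CurrentIds $ids -CurrentActions $actions -RuleId $RuleId -Action $Action
    Set-MpPreference -AttackSurfaceReductionRules_Ids $merged.Ids `
                     -AttackSurfaceReductionRules_Actions $merged.Actions
    $after = @((Get-MpPreference).AttackSurfaceReductionRules_Ids)
    $lost  = @($ids | Where-Object { $after -notcontains $_ })
    if ($lost.Count -gt 0) { throw "ASR rules lost after toggle: $($lost -join ', ')" }
}

# Constructed sample state (placeholder GUIDs, not real rule IDs); runs without Defender.
$ids     = '00000000-0000-0000-0000-00000000000a', '00000000-0000-0000-0000-00000000000b',
           '00000000-0000-0000-0000-00000000000c'
$actions = 1, 1, 2
$result  = Merge-AsrRule -CurrentIds $ids -CurrentActions $actions -RuleId $ids[2] -Action 1
$result.Ids.Count          # all three rules are still present
$result.Actions -join ','  # only the third action changed
```

`Set-AsrRuleAction` needs an elevated session with Microsoft Defender active; the post-write comparison is what would have caught the disappearing rules.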

NonInteractive Strict-Mode Error

  • Fixed fatal error when dot-sourcing NonInteractive.ps1 in GUI context
  • Safe check for $global:NonInteractiveMode variable

Registry Backup Protected Keys

  • Enhanced JSON fallback for protected system keys
  • Prevents backup failures on restricted registry paths
  • Creates marker files for rollback tracking

DNS Offline Handling

  • Graceful handling when system temporarily offline during DNS test
  • Configuration proceeds and activates when connection restored

Module Progress Feedback

  • Improved status messages during long operations
  • No more "stuck at 95%" feeling

📊 What Changed

| Component | v2.1.0 | v2.2.0 |
|---|---|---|
| Total Settings | 580+ | 632 |
| AntiAI Policies | 24 | 32 |
| Privacy Settings | 55+ | 77 |
| NonInteractive Mode | | |
| 3rd-Party AV Detection | | |
| Pre-Framework ASR Snapshot | | |
| Smart Registry Backup | Basic | JSON Fallback |

[2.1.0] - 2025-11-23

🎉 Production Release - Complete Windows 11 Security Framework

The first complete, production-ready release of NoID Privacy v2.x - 580+ settings, 7 modules, full BAVR pattern implementation.


🌟 Release Highlights

All 7 Modules Production-Ready - Complete framework with 580+ security settings
Zero-Day Protection - CVE-2025-9491 mitigation (SRP .lnk protection)
100% BAVR Coverage - Every setting can be backed up, applied, verified, and restored
Professional Code Quality - All lint warnings resolved, comprehensive error handling
Zero Tracking - No cookies, no analytics, no telemetry (we practice what we preach)

Added - Complete Framework

All 7 Security Modules

SecurityBaseline (425 settings) - Microsoft Security Baseline for Windows 11 25H2

  • 335 Registry policies (Computer + User Configuration)
  • 67 Security Template settings (Password Policy, Account Lockout, User Rights, Security Options)
  • 23 Advanced Audit policies (Complete security event logging)
  • Credential Guard, BitLocker policies, VBS & HVCI
  • No LGPO.exe dependency (100% native PowerShell)

ASR (19 rules) - Attack Surface Reduction

  • 18 rules in Block mode, 1 configurable (PSExec/WMI)
  • Blocks ransomware, macros, exploits, credential theft
  • Office/Adobe/Email protection
  • ConfigMgr detection for compatibility

DNS (5 checks) - Secure DNS with DoH encryption

  • 3 providers: Quad9 (default), Cloudflare, AdGuard
  • REQUIRE mode (no unencrypted fallback) or ALLOW mode (VPN-friendly)
  • IPv4 + IPv6 dual-stack support
  • DNSSEC validation

Privacy (55+ settings) - Telemetry & Privacy Hardening

  • 3 operating modes: MSRecommended (default), Strict, Paranoid
  • Telemetry minimized to Security-Essential level
  • Bloatware removal with auto-restore via winget (policy-based on 25H2+ Ent/Edu)
  • OneDrive telemetry off (sync functional)
  • App permissions default-deny

AntiAI (24 policies) - AI Lockdown

  • Generative AI Master Switch (blocks ALL AI models system-wide)
  • Windows Recall (complete deactivation + component protection)
  • Windows Copilot (system-wide disabled + hardware key remapped)
  • Click to Do, Paint AI, Notepad AI, Settings Agent - all disabled

EdgeHardening (20 policies) - Microsoft Edge Security Baseline

  • SmartScreen enforced, Tracking Prevention strict
  • SSL/TLS hardening, Extension security
  • IE Mode restrictions
  • Native PowerShell implementation (no LGPO.exe)

AdvancedSecurity (44 settings) - Beyond Microsoft Baseline

  • SRP .lnk Protection (CVE-2025-9491) - Zero-day mitigation for ClickFix malware
  • RDP Hardening - Disabled by default, TLS + NLA enforced
  • Legacy Protocol Blocking - SMBv1, NetBIOS, LLMNR, WPAD, PowerShell v2
  • TLS Hardening - 1.0/1.1 OFF, 1.2/1.3 ON
  • Windows Update - 3 GUI-equivalent settings (interactive configuration)
  • Finger Protocol - Blocked (ClickFix malware protection)

Core Features

Complete BAVR Pattern (Backup-Apply-Verify-Restore)

  • All 580+ settings now fully verified in Verify-Complete-Hardening.ps1
  • EdgeHardening: 20 verification checks added
  • AdvancedSecurity: 42 verification checks added
  • 100% coverage achieved (was 89.4%)

Bloatware Removal & Restore

  • REMOVED_APPS_LIST.txt created in backup folder with reinstall instructions
  • REMOVED_APPS_WINGET.json metadata enables automatic reinstallation via winget
  • Session restore attempts auto-restore first, falls back to manual Microsoft Store reinstall
  • Policy-based removal for Windows 11 25H2+ Ent/Edu editions

Documentation & Repository

  • FEATURES.md - Complete settings reference
  • SECURITY-ANALYSIS.md - Home user impact analysis
  • README.md - Professional restructure with improved visual hierarchy
  • CHANGELOG.md - Comprehensive release history
  • .gitignore - Clean repository (ignores Logs/, Backups/, Reports/)

🔨 Fixed - Critical Bugfixes

DNS Module Crash (CRITICAL)

  • Fixed System.Object[] to System.Int32 type conversion error in Get-PhysicalAdapters
  • Removed unary comma operator causing DNS configuration failure
  • Prevents complete DNS module failure on certain network configurations

Bloatware Count Accuracy

  • Corrected misleading console output showing "2 apps removed" instead of actual count
  • Fixed pipeline contamination from Register-Backup output in Remove-Bloatware.ps1
  • Now shows accurate count (e.g., "14 apps removed")

Restore Logging System

  • Implemented dedicated RESTORE_Session_XXXXXX_timestamp.log file
  • Captures all restore activities from A-Z with detailed logging
  • Fixed empty Message parameter validation errors in Write-RestoreLog

User Selection Logs

  • Moved user selection messages from INFO to DEBUG (cleaner console output)
  • Affects: Privacy mode selection, DNS provider selection, ASR mode selection
  • Console now shows only critical information, detailed logs in log file

Code Quality & Linting

  • Removed all unused variables ($isAdmin in Invoke-AdvancedSecurity.ps1)
  • Fixed PSScriptAnalyzer warnings across entire project
  • Resolved double backslash escaping in documentation paths

Terminal Services GPO Cleanup

  • Enhanced GPO cleanup with explicit value removal
  • Improved restore consistency for Terminal Services registry keys
  • Cosmetic variance only (no functional impact)

Temporary File Leaks

  • SecurityBaseline: Added finally blocks to prevent temp file pollution
  • Ensures cleanup of secedit.exe temp files even on errors
  • Prevents TEMP folder accumulation

📊 What Changed

Framework Completion

  • Status: 7/7 modules (100%) - All production-ready
  • Total Settings: 580+ (was 521)
  • BAVR Coverage: 100% (was 89.4%)
  • Verification: EdgeHardening (20 checks) + AdvancedSecurity (44 checks) added

Module Structure

  • All 7 modules now use consistent /Config/ folder structure
  • ASR: Data/Config/
  • EdgeHardening: ParsedSettings/Config/

Documentation Improvements

  • README: Professional restructure, improved navigation
  • Added "Why NoID Privacy?" section (Security ↔ Privacy connection)
  • Added "Our Privacy Promise" section (Zero tracking)
  • Fixed all inconsistent list formatting (trailing spaces → proper bullets)

Restore System

  • Production tested with full apply-restore cycle verification
  • Restores to clean baseline state
  • AdvancedSecurity: 100% perfect restoration

⚠️ Breaking Changes

License Change

  • MIT (v1.x) → GPL v3.0 (v2.x+)
  • Reason: Complete rewrite from scratch (100% new codebase)
  • Impact: Derivatives must comply with GPL v3.0 copyleft requirements
  • Note: v1.8.x releases remain under MIT license (unchanged)
  • Dual-Licensing: Commercial licenses available for closed-source use

📈 Before/After Comparison

Before v2.1.0:

Modules:             5/7 (71%)
Settings:            521
BAVR Coverage:       89.4%
Restore Accuracy:    Unknown
Code Quality:        Lint warnings present
Temp File Cleanup:   Partial

After v2.1.0:

Modules:             7/7 (100%)
Settings:            580+
BAVR Coverage:       100%
Restore:             Verified (full cycle)
Code Quality:        PSScriptAnalyzer clean
Temp File Cleanup:   Complete

📚 Additional Resources


Made with 🛡️ for the Windows Security Community