Andreas/noid-privacy
1
0
Fork 0
mirror of https://github.com/NexusOne23/noid-privacy.git synced 2026-02-07 04:01:52 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
noid-privacy/README.md
NexusOne23 d8e49ddeb1 Docs: Fix markdown formatting, dates, and add framework diagram 
- README.md: Fix arrows, emojis, broken markdown (11 fixes)
- FEATURES.md: Update dates
- CHANGELOG.md: Fix Quad9 as default DNS
- CONTRIBUTING.md: Close unclosed code block
- SECURITY.md: Update date
- SECURITY-ANALYSIS.md: Translate German text to English
- assets: Add framework-architecture.png
2025-12-08 11:25:45 +01:00

878 lines
30 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 🛡️ NoID Privacy - Professional Windows 11 Security & Privacy Hardening Framework
> **⚠️ DISCLAIMER: USE AT YOUR OWN RISK.**
> This tool makes deep modifications to the Windows Registry and System Services. While extensive backups are created, the authors accept **no responsibility for any damage, data loss, or system instability**. Always review changes before applying.
<div align="center">
[![PowerShell](https://img.shields.io/badge/PowerShell-5.1%2B-blue.svg?logo=powershell)](https://github.com/PowerShell/PowerShell)
[![Windows 11](https://img.shields.io/badge/Windows%2011-25H2-0078D4.svg?logo=windows11)](https://www.microsoft.com/windows/)
[![License](https://img.shields.io/badge/license-GPL--3.0-green.svg?logo=gnu)](LICENSE)
[![Version](https://img.shields.io/badge/version-2.2.0-blue.svg)](CHANGELOG.md)
[![Status](https://img.shields.io/badge/status-production--ready-brightgreen.svg)]()
---
### 🔒 Complete Windows 11 Security Framework
**630+ Settings • 7 Modules • Full Backup & Restore**
[📥 Quick Start](#-quick-start) • [📚 Documentation](#documentation) • [🎯 Key Features](#-key-features) • [💬 Community](https://github.com/NexusOne23/noid-privacy/discussions)
---
![NoID Privacy Framework](assets/framework-architecture.png)
**7 Independent Security Modules • Modular Design • Complete BAVR Pattern**
</div>
---
## ⚠️ CRITICAL: Domain-Joined Systems & System Backup
> **⚡ READ THIS BEFORE RUNNING** This tool modifies critical Windows security settings!
### 🏢 Domain-Joined Systems (Active Directory)
**WARNING:** This tool is **NOT recommended for production domain-joined systems** without AD team coordination!
**Why?**
- This tool modifies **local Group Policies**
- Domain Group Policies **override local policies every 90 minutes**
- Your hardening **may be reset automatically** by domain GPOs
- Can lead to configuration conflicts and "flapping" behavior
**RECOMMENDED USE CASES:**
- Standalone systems (Home/Workgroup)
- Home/Personal PCs (not domain-joined)
- Virtual machines (testing/lab environments)
- Air-gapped systems
- Test/development domain-joined systems (non-production)
**For Enterprise/Domain Environments:**
- **Integrate these settings into your Domain Group Policies instead!**
- Coordinate with your Active Directory team before using this tool
---
### 💾 System Backup REQUIRED
**Before running this tool, you MUST create:**
1. **Windows System Restore Point** (recommended)
2. **Full System Image/Backup** (critical!)
3. **VM Snapshot** (if running in virtual machine)
**Why?**
- This tool creates **internal backups** for rollback (Registry, Services, Tasks)
- However, a **full system backup** protects against:
- Unforeseen system issues
- Hardware failures during hardening
- Configuration conflicts
- Critical errors
**Backup Tools:**
- Windows Backup (Settings → System → Storage → Backup)
- System Image (wbadmin, Macrium Reflect, Acronis)
- Hyper-V/VMware: Checkpoint/Snapshot
**⚠️ IMPORTANT: Create your backup BEFORE running the tool. The tool does NOT verify backup existence.**
---
## ⚡ In 30 Seconds
**What?** Microsoft Security Baseline + Advanced Hardening for Windows 11 25H2
**How?** PowerShell: **Backup** **Apply** **Verify** **Restore** (100% reversible!)
**For whom?** Professionals, power users, SMBs **without Intune/Active Directory**
**630+ Security Settings • 7 Modules • 100% BAVR Coverage* • Production-Ready**
*_For all settings changed by NoID Privacy_
---
## 🤔 Why "NoID Privacy" when it's mostly Security?
**Because security and privacy are inseparable. You can't have one without the other.**
**🛡️ Security Foundation**
- 425 settings: MS Security Baseline for Win11 25H2
- 24 settings: MS Security Baseline for Edge
- 19 rules: Attack Surface Reduction
- VBS + Credential Guard: Hardware-level protection
**🔒 Privacy Layer**
- DNS: Block telemetry, tracking, ads (DoH)
- Telemetry: 3 modes (MSRecommended/Strict/Paranoid)
- AntiAI: 13 features disabled (Recall, Copilot, Paint AI, Notepad AI, Edge AI)
- Bloatware: 24 pre-installed apps removed
**🎯 The Result:** A hardened system that's both secure against attacks and private from surveillance.
---
## 🌟 Why NoID Privacy?
<div align="center">
| **SECURITY** | **PRIVACY** | **RELIABILITY** | **SAFETY** |
|:---:|:---:|:---:|:---:|
| **Microsoft Baseline 25H2** | **AI Lockdown** | **Professional Quality** | **100% Reversible** |
| 630+ Security Settings | No Recall / Copilot / AI | 100% Verification Coverage | BAVR Architecture |
| 19 ASR Rules (Block Mode) | Telemetry & Ads Blocked | Detailed Logging | Exact Pre-State Restore |
| Zero-Day CVE-2025-9491 | DNS-over-HTTPS (DoH) | Modular Design | Designed for Zero Data Loss |
| VBS & Credential Guard | Edge Browser Hardened | Open Source / Auditable | Safe for Production |
👉 [3-Minute Quick Start](#-quick-start) • 📖 [Full Feature List](Docs/FEATURES.md)
</div>
---
## 🚀 What Makes This Different?
**Full BAVR pattern (Backup → Apply → Verify → Restore) • Zero external binaries • 100% native PowerShell**
| Feature | **NoID Privacy** | HardeningKitty | ChrisTitus winutil | O&O ShutUp10++ |
|:---|:---:|:---:|:---:|:---:|
| **Focus** | **MS Baseline 25H2 + ASR + DNS + Privacy (630+ settings)** | CIS/MS baseline audit & CSV-based hardening | System tweaks, debloat & app installs | Privacy toggles & telemetry control |
| **BAVR Pattern** | **Backup → Apply → Verify → Restore (all modules)** | Audit + HailMary apply + partial restore | System Restore point (no verify) | System Restore + profile export |
| **Verification** | **630+ automated compliance checks** | Audit mode with severity scoring | No compliance scan | No compliance scan |
| **Dependencies** | **Zero (runs on stock PS 5.1/7+)** | PowerShell only | winget/chocolatey required | Portable EXE (closed-source) |
| **AI Lockdown** | **32 policies (Copilot+/Recall/25H2)** | No dedicated AI profile | Individual AI tweaks | Multiple AI/Copilot toggles |
🔄 **BAVR** = Backup-Apply-Verify-Restore (Every change is reversible)
✈️ **Air-Gapped Ready** — No LGPO.exe, no DLLs, no external downloads
---
## 🔒 Our Privacy Promise
**"We practice what we preach"**
| | |
|---|---|
| 🍪 **Zero Cookies** | No cookie banners, no tracking cookies, no consent popups |
| 📊 **Zero Analytics** | No Google Analytics, no third-party tracking scripts |
| 🔍 **Zero Telemetry** | No usage tracking, no telemetry only minimal license validation |
| ✅ **100% Verifiable** | Open source - inspect the code yourself |
**Actions speak louder than privacy policies.** Unlike other "privacy" tools that track you, we actually respect your privacy.
---
## 🎯 Key Features
### 🔐 Security Baseline (425 Settings)
**Microsoft Security Baseline 25H2 - 100% Implementation**
- **335 Registry Policies** Computer + User Configuration
- **67 Security Template Settings** Password Policy, Account Lockout, User Rights, Security Options
- **23 Advanced Audit Policies** Complete security event logging
- **Credential Guard** Passwords can't be stolen from memory
- **BitLocker Policies** USB drive protection, enhanced PIN, DMA attack prevention
- **VBS & HVCI** Virtualization-based security
### 🛡️ Attack Surface Reduction (19 Rules)
**19 ASR Rules (18 Block + 1 Configurable)**
- Helps block common ransomware, macro, exploit, and credential theft techniques
- Office/Adobe/Email protection
- Script & executable blocking
- PSExec/WMI: Audit mode (if management tools used), Block mode otherwise
- Configurable exceptions for compatibility
### 🌐 Secure DNS (3 Providers)
**DNS-over-HTTPS with Secure Default (REQUIRE)**
- **Quad9** (Default) Security-focused, malware blocking, 9.9.9.9
- **Cloudflare** Fastest resolver, 1.1.1.1
- **AdGuard** Ad/tracker blocking built-in
- REQUIRE mode (default): no unencrypted fallback
- ALLOW mode (optional): fallback allowed for VPN/mobile/enterprise networks
- IPv4 + IPv6 dual-stack support
### 🔒 Privacy Hardening (77 Settings)
**3 Operating Modes**
- **MSRecommended** (Default) MS-supported, max compatibility
- **Strict** Maximum privacy (AllowTelemetry=0 Enterprise/Education only, Force Deny breaks UCC apps)
- **Paranoid** Hardcore (not recommended)
**Features:**
- Telemetry minimized to Security-Essential level
- Bloatware removal (policy-based on 25H2+ Ent/Edu)
- OneDrive telemetry off (sync functional)
- App permissions default-deny
### 🤖 AI Lockdown (32 Policies)
**13 AI Features Disabled (incl. Master Switch)**
- **Master Switch** Disables generative AI models system-wide
- **Windows Recall** Complete deactivation (component removal + protection)
- **Windows Copilot** System-wide disabled + hardware key remapped
- **Click to Do** Screenshot AI analysis disabled
- **Paint AI** Cocreator, Generative Fill, Image Creator all blocked
- **Notepad AI** GPT features disabled
- **Settings Agent** AI-powered settings search disabled
### 🌐 Edge Hardening (24 Policies)
**Microsoft Edge Security Baseline**
- SmartScreen enforced
- Tracking Prevention strict
- SSL/TLS hardening
- Extension security
- IE Mode restrictions
### 🔧 Advanced Security (50 Settings)
**Beyond Microsoft Baseline**
- **SRP .lnk Protection** — CVE-2025-9491 zero-day mitigation
- **RDP Hardening** — Disabled by default, TLS + NLA enforced
- **Wireless Display Security** — Miracast hardening, screen interception protection
- **Legacy Protocol Blocking** — SMBv1, NetBIOS, LLMNR, WPAD, PowerShell v2
- **TLS Hardening** — 1.0/1.1 OFF, 1.2/1.3 ON
- **UPnP/SSDP Blocking** — Port forwarding attack prevention
- **Discovery Protocols** — Optional WS-Discovery + mDNS disable (Maximum profile)
- **Windows Update** — Interactive configuration
- **Finger Protocol** — Blocked (ClickFix malware protection)
---
## 🔄 BAVR Pattern - Our Unique Approach
**Every change is tracked, verified, and 100% reversible!**
```
[1/4] BACKUP Full system state backup before changes
[2/4] APPLY Settings applied with comprehensive logging
[3/4] VERIFY Automated compliance checks confirm success
[4/4] RESTORE One command reverts everything
```
**What sets us apart:**
- **100% BAVR Coverage*** All settings we change are verified and restorable
- **Professional Code Quality** Advanced functions, comprehensive error handling
- **Complete Restore** Registry, Services, Tasks, Files - everything
- **Production-Ready** Tested on Windows 11 25H2, PowerShell 5.1+
**Before v2.2.0:** 89.4% verification coverage (62 settings missing)
**After v2.2.0:** 100% verification coverage (all 630+ settings verified)
---
## ⚠️ What This Does NOT Protect Against
**Important Limitations:**
| Threat | Why Not Protected |
|--------|-------------------|
| **Social Engineering** | If users deliberately bypass all warnings and run malicious files |
| **Supply-Chain Attacks** | Malware embedded in legitimate signed software |
| **Physical Access** | Stolen device without BitLocker (use BitLocker!) |
| **Nation-State Actors** | Sophisticated targeted attacks require enterprise EDR/XDR |
| **Zero-Day Exploits** | Unknown vulnerabilities not yet patched by Microsoft |
**What you need additionally:**
- **Regular Windows Updates** — Critical for security patches
- **BitLocker** — For lost/stolen device protection
- **User Awareness** — Don't click suspicious links/attachments
- **Backups** — 3-2-1 backup strategy for ransomware resilience
> **NoID Privacy hardens your system significantly, but no security solution provides 100% protection.**
> Defense in depth is always recommended.
---
## 📥 Quick Start
### ⚡ One-Liner Install (Recommended)
**Step 1:** Open PowerShell as Administrator
- Press `Win + X` → Click **"Terminal (Admin)"**
**Step 2:** Run installer
```powershell
# Download and run (Windows 11 25H2 recommended)
irm https://raw.githubusercontent.com/NexusOne23/noid-privacy/main/install.ps1 | iex
```
**What it does:**
1. Checks Administrator privileges
2. Verifies Windows 11 25H2
3. Downloads latest release from GitHub
4. Extracts & unblocks all files
5. Starts interactive mode
**Alternative - Manual Install:**
```powershell
# 1. Clone repository
git clone https://github.com/NexusOne23/noid-privacy.git
cd noid-privacy
# 2. Run as Admin
.\Start-NoIDPrivacy.bat
# 3. Verify after reboot
.\Tools\Verify-Complete-Hardening.ps1
```
> **Downloaded ZIP?** Run `Start-NoIDPrivacy.bat` - it automatically unblocks all files!
---
## 💻 Usage Examples
### Interactive Mode (Recommended)
```powershell
# Start interactive menu
.\Start-NoIDPrivacy.bat
# Follow prompts:
# 1. Select modules (all or custom)
# 2. Choose settings (DNS provider, Privacy mode, etc.)
# 3. Automatic backup → apply → verify
# 4. Reboot prompt
```
### Direct Execution
```powershell
# Apply all modules
.\NoIDPrivacy.ps1 -Module All
# Apply specific module
.\NoIDPrivacy.ps1 -Module Privacy
# Dry-run (no changes)
.\NoIDPrivacy.ps1 -Module All -DryRun
```
### Verification
```powershell
# Full verification (632 checks with Paranoid mode)
.\Tools\Verify-Complete-Hardening.ps1
# Expected output (all modules enabled, Paranoid mode):
# SecurityBaseline: 425/425 verified
# ASR: 19/19 verified
# DNS: 5/5 verified
# Privacy: 77/77 verified
# AntiAI: 32/32 verified
# EdgeHardening: 24/24 verified
# AdvancedSecurity: 50/50 verified
# Total: 632/632 (100%)
```
### Restore
```powershell
# Restore from latest backup
.\Core\Rollback.ps1 -RestoreLatest
# Or via interactive menu
.\Start-NoIDPrivacy.bat
# Select "Restore from backup"
```
---
## 📊 Module Overview
| Module | Settings | Description | Status |
|--------|----------|-------------|--------|
| **SecurityBaseline** | 425 | Microsoft Security Baseline 25H2 | v2.2.0 |
| **ASR** | 19 | Attack Surface Reduction Rules | v2.2.0 |
| **DNS** | 5 | Secure DNS with DoH encryption | v2.2.0 |
| **Privacy** | 77 | Telemetry, Bloatware, OneDrive hardening (MSRecommended) | v2.2.0 |
| **AntiAI** | 32 | AI lockdown (13 features, 32 compliance checks) | v2.2.0 |
| **EdgeHardening** | 24 | Microsoft Edge security (24 policies) | v2.2.0 |
| **AdvancedSecurity** | 50 | Beyond MS Baseline (SRP, Legacy protocols, Wireless Display, Discovery Protocols, IPv6) | v2.2.0 |
| **TOTAL** | **632** | **Complete Framework (Paranoid mode)** | **Production** |
**Release Highlights:**
- **v2.2.0:** 100% verification coverage (all 630+ settings verified)
- **v2.2.0:** Improved Advanced Security module with SRP .lnk protection
- **v2.2.0:** Enhanced RDP hardening with TLS + NLA enforced
- **v2.2.0:** Legacy protocol blocking (SMBv1, NetBIOS, LLMNR, WPAD, PowerShell v2)
- **v2.2.0:** TLS hardening (1.0/1.1 OFF, 1.2/1.3 ON)
- **v2.2.0:** Windows Update interactive configuration
- **v2.2.0:** Finger Protocol blocked (ClickFix malware protection)
- **v2.2.0:** Enhanced Registry Backup (Smart JSON-Fallback for protected system keys)
📖 [Detailed Module Documentation](Docs/FEATURES.md)
---
## ✅ Perfect For
### **Ideal Use Cases**
**Small/Medium Business (SMB)**
- No Active Directory/Intune licenses
- Cloud-first (Microsoft 365, Google Workspace)
- Remote/hybrid work security
- Compliance without enterprise infrastructure
**Freelancers & Consultants**
- Client data protection
- Secure workstations without domain
- Professional security standards
- Safe experimentation (complete backup)
**Power Users & Privacy-Conscious**
- Real security, not just "debloat"
- AI/Telemetry lockdown
- Understand every setting
- Full control + reversibility
**IT Pros Without Intune**
- Standalone Windows 11 hardening
- Microsoft Baseline compliance locally
- Quick deploy for clients
- No domain controller required
### **Not Ideal For**
**Enterprise with Intune/AD**
- Use [Microsoft Security Baselines](https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10) with Group Policy instead
**Windows 10 or Older**
- This tool is designed for Windows 11 (24H2/25H2 recommended, 23H2 compatible)
**Legacy Software Dependencies**
- If you rely on unsafe SMB1/RPC/DCOM
**Strict MDM Reporting**
- If compliance must be centrally reported
---
## ⚙️ Requirements & Compatibility
### Hardware & OS
NoID Privacy is designed for modern, officially supported Windows 11 systems.
If your PC can run Windows 11 according to Microsoft's **official requirements**, it is compatible with NoID Privacy:
- **OS:** Windows 11 24H2/25H2 recommended (23H2 compatible)
- **CPU:** Any CPU on Microsoft's Windows 11 support list (Intel 8th Gen / AMD Ryzen 2000+)
- **Firmware:** UEFI with **Secure Boot** enabled
- **TPM:** 2.0 (required for BitLocker, Credential Guard, VBS)
- **RAM:** 8 GB minimum, 16 GB recommended for VBS
- **Admin Rights:** Required
> **Short version:** If Windows 11 is officially supported on your PC, NoID Privacy is supported too.
**Tested & Compatible:**
| OS Version | Status |
|------------|--------|
| Windows 11 25H2 (Build 26200+) | **Fully Tested** |
| Windows 11 24H2 (Build 26100+) | Compatible |
| Windows 11 23H2 (Build 22631+) | Some features N/A |
### Legacy Devices & Protocols
The **AdvancedSecurity** and **SecurityBaseline** modules intentionally disable legacy and insecure protocols:
- **TLS 1.0/1.1** (TLS 1.2+ required)
- **NetBIOS** name resolution, **LLMNR**, **WPAD**
- **PowerShell v2**
- **Administrative shares** (C$, ADMIN$) in some scenarios
- **NTLMv1/LM** authentication (NTLMv2 only)
This can affect **very old hardware and software**, for example:
- NAS, printers, IP cameras, and IoT devices that only support TLS 1.0/1.1
- Legacy Windows systems (XP, 7) and old Samba implementations
- Old management tools that rely on hidden admin shares
**In practice:** Environments using hardware and software from **~2018 onwards** are fully compatible.
If you still depend on legacy devices, use the built-in **BAVR** pattern (Backup → Apply → Verify → Restore) to roll back if something breaks.
### 🛡️ Antivirus Compatibility
#### Designed for Microsoft Defender Works with Any Antivirus
**NoID Privacy is optimized for the default Windows 11 security stack:**
```
Windows 11 + Microsoft Defender + NoID Privacy = 100% Feature Coverage (630+ Settings)
```
This is the **recommended setup** just install Windows 11, keep Defender active, and run NoID Privacy. You get:
-**All 7 modules** (Security Baseline, ASR, DNS, Privacy, AntiAI, Edge, Advanced Security)
-**19 ASR rules** protecting against ransomware, exploits, and malware
-**Full enterprise-grade hardening** with zero additional software
---
#### Already Using Third-Party Antivirus?
**No problem!** NoID Privacy automatically detects third-party antivirus software and adapts:
| Your Setup | What Happens | Coverage |
|------------|--------------|----------|
| **Defender Active** | All modules applied | **632 settings** (100%) |
| **3rd-Party AV** (Kaspersky, Norton, Bitdefender, etc.) | ASR skipped, all other modules applied | **613 settings** (~97%) |
**Why?** ASR (Attack Surface Reduction) rules are a **Microsoft Defender exclusive feature**. Third-party antivirus products provide their own equivalent protection. NoID Privacy detects this and gracefully skips ASR while applying everything else.
When a third-party antivirus is detected, you'll see a clear notification:
```
========================================
ASR Module Skipped
========================================
Third-party antivirus detected: Kaspersky Total Security
ASR rules require Windows Defender to be active.
Your antivirus (Kaspersky Total Security) has its own protection features.
This is NOT an error - ASR will be skipped.
```
**Why?** Third-party antivirus products typically provide their own equivalent protection features. The rest of the hardening (Security Baseline, DNS, Privacy, Edge, Advanced Security) will still be applied.
**All other modules work normally** regardless of your antivirus choice.
---
## 🔒 Security & Quality
### Code Quality
- **PSScriptAnalyzer:** Available for static analysis
- **Pester Tests:** Unit and integration tests in `Tests/` directory (`.\Tests\Run-Tests.ps1`)
- **Verification:** 630+ automated compliance checks in production
- **Production-Ready:** Professional error handling and comprehensive logging
- **Best Practices:** Advanced Functions, CmdletBinding, Validated Parameters
### What This Tool Does
- Hardens Windows 11 to enterprise standards
- Implements Microsoft Security Baseline 25H2
- Protects against zero-day exploits (CVE-2025-9491)
- Minimizes telemetry to Security-Essential level
- Locks down AI features (Recall, Copilot, etc.)
- Configures BitLocker policies, Credential Guard, VBS
### What This Tool Does NOT Do
- Install third-party antivirus (uses Windows Defender)
- Configure domain-specific policies
- Modify BIOS/UEFI settings
- Break critical Windows functionality
- Prevent re-enabling features
### Reversibility
- **What CAN be restored:** Services, Registry, Firewall, DNS, Tasks, AI features
- **What CAN be auto-restored:** Most removed bloatware apps via `winget` during session restore (where mappings exist)
- **What may still need manual reinstall:** Unmapped/third-party bloatware apps (use Microsoft Store)
- **Backup System:** Complete system state before applying
- **REMOVED_APPS_LIST.txt:** Created during bloatware removal with a full list of removed apps for manual reinstall if needed
- **Documented Changes:** All changes logged
---
## ⚙️ Configuration
### Default Settings
All settings configured for **maximum security with maintained usability**:
- Services: Telemetry services controlled, critical services protected
- Firewall: Inbound blocked, outbound allowed
- Privacy: Default-deny for app permissions (user can enable individually)
- BitLocker: Policies set, user must enable manually
- AI Features: Disabled via Registry (100% reversible)
### Customization
All module settings can be customized via JSON files in `Modules/*/Config/`:
```powershell
# Example: Adjust DNS provider
Edit: Modules/DNS/Config/Providers.json
# Example: Modify Privacy mode
Edit: Modules/Privacy/Config/Privacy-MSRecommended.json
# Example: Configure ASR exceptions
Edit: Modules/ASR/Config/ASR-Rules.json
```
---
## 🔧 Troubleshooting
> **Can't install software after hardening?** See [Temporarily Disable ASR Rule](#temporarily-disable-asr-rule-for-software-installation) for step-by-step solution
### Common Issues
**"Access Denied" errors**
- Not running as Administrator
- Right-click PowerShell → "Run as Administrator"
**VBS/Credential Guard not active after reboot**
- Hardware incompatibility (no TPM 2.0 or virtualization disabled)
- Enable virtualization in BIOS/UEFI
- Verify: `.\Tools\Verify-Complete-Hardening.ps1`
**BitLocker not activating**
- No TPM 2.0 or insufficient disk space
- Check TPM: `Get-Tpm`
- Manual activation: Control Panel → BitLocker
**ASR blocking legitimate software installation**
- ASR rule "Block executable files unless they meet prevalence" blocks unknown installers
- See [Temporarily Disable ASR Rule](#temporarily-disable-asr-rule-for-software-installation) below
---
### Temporarily Disable ASR Rule for Software Installation
**Problem:** ASR blocks installation of legitimate software (e.g., downloaded installers not in Microsoft's reputation database)
**Blocked Rule:** `01443614-cd74-433a-b99e-2ecdc07bfc25` ("Block executable files unless they meet prevalence, age, or trusted list")
**Solution:** Temporarily set the rule to AUDIT mode (warns only, doesn't block)
**Step 1: Disable Tamper Protection** (GUI method - easiest)
1. Press `Win` key → Type "Windows Security" → Enter
2. Go to: **Virus & threat protection**
3. Click: **Manage settings**
4. Scroll down to: **Tamper Protection** Toggle **OFF**
**Step 2: Set ASR Rule to AUDIT** (PowerShell as Admin)
```powershell
# Get current ASR configuration
$currentIds = (Get-MpPreference).AttackSurfaceReductionRules_Ids
$currentActions = (Get-MpPreference).AttackSurfaceReductionRules_Actions
# Convert to arrays
$ids = @($currentIds)
$actions = @($currentActions)
# Find the prevalence rule
$targetGuid = "01443614-cd74-433a-b99e-2ecdc07bfc25"
$index = [array]::IndexOf($ids, $targetGuid)
# Set to AUDIT (2 = Audit, 1 = Block)
$actions[$index] = 2
# Apply changes
Set-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions
Write-Host " ASR Prevalence Rule: AUDIT (Installation now possible)" -ForegroundColor Green
```
**Step 3: Install your software**
**Step 4: Re-enable the ASR Rule** (PowerShell as Admin)
```powershell
# Get current ASR configuration
$currentIds = (Get-MpPreference).AttackSurfaceReductionRules_Ids
$currentActions = (Get-MpPreference).AttackSurfaceReductionRules_Actions
# Convert to arrays
$ids = @($currentIds)
$actions = @($currentActions)
# Find the prevalence rule
$targetGuid = "01443614-cd74-433a-b99e-2ecdc07bfc25"
$index = [array]::IndexOf($ids, $targetGuid)
# Set back to BLOCK
$actions[$index] = 1
# Apply changes
Set-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions
Write-Host " ASR Prevalence Rule: BLOCK (Protection restored)" -ForegroundColor Green
```
**Step 5: Re-enable Tamper Protection** (Windows Security Toggle ON)
**IMPORTANT:** Always re-enable both the ASR rule AND Tamper Protection after installation!
---
### Windows Insider Program Compatibility
**Problem:** After applying Privacy hardening (MSRecommended mode), Windows Insider enrollment requires extra steps.
**Cause:** Privacy module sets `AllowTelemetry=1` (Required diagnostic data) via Group Policy, which prevents the user from enabling "Optional diagnostic data" in Settings - a requirement for Insider Program enrollment.
**Solution:**
**Step 1: Temporarily remove the telemetry policy** (PowerShell as Admin)
```powershell
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Name "AllowTelemetry"
```
**Step 2: Reboot** (recommended for policy changes to take effect)
```powershell
Restart-Computer
```
**Step 3: Join Windows Insider Program**
1. Go to: Settings > Windows Update > Windows Insider Program
2. Click: **Get Started**
3. When prompted, enable "Optional diagnostic data"
4. Complete Insider enrollment and select your channel (Dev/Beta/Release Preview)
**Step 4 (Optional): Re-apply Privacy hardening**
```powershell
.\NoIDPrivacy.ps1 -Module Privacy
```
**Note:** Once enrolled in the Insider Program, Windows will continue to receive preview builds even after re-applying Privacy hardening with `AllowTelemetry=1`.
---
### Logs
All operations logged to:
```
Logs/NoIDPrivacy_YYYYMMDD_HHMMSS.log
```
**Example:** `NoIDPrivacy_20251117_142345.log`
---
## 📚 Documentation
### Core Documentation
- **[Features](Docs/FEATURES.md)** - Complete 630+ setting reference
- **[Changelog](CHANGELOG.md)** - Version history
- **[Quick Start](#-quick-start)** - Installation guide (see above)
- **[Troubleshooting](#troubleshooting)** - Common issues (see above)
### 💬 Community
- **[💬 Discussions](https://github.com/NexusOne23/noid-privacy/discussions)** - Questions, ideas, and commercial licensing inquiries
- **[🐛 Issues](https://github.com/NexusOne23/noid-privacy/issues)** - Bug reports only
- **[📚 Documentation](Docs/FEATURES.md)** - Complete feature reference
---
## 🙏 Acknowledgments
- **Microsoft Security Baseline Team** for Windows 11 25H2 guidance
- **PowerShell Community** for best practices and patterns
- **Open Source Contributors** for testing and feedback
---
## 📜 License
### Dual-License Model
NoID Privacy is available under a **dual-licensing** model:
#### 🆓 Open Source License (GPL v3.0)
**For individuals, researchers, and open-source projects:**
This project is licensed under the **GNU General Public License v3.0** (GPL-3.0).
**You CAN:**
- ✔️ Use the software freely for personal and commercial purposes
- ✔️ Modify the source code
- ✔️ Distribute the software
- ✔️ Distribute your modifications
⚠️ **You MUST:**
- 📝 Disclose your source code when distributing
- 🔓 License your modifications under GPL v3.0
- 📄 Include the original copyright notice
- 📋 State significant changes made to the software
[Read the full GPL v3.0 License](LICENSE)
#### 💼 Commercial License
**For companies and organizations that want to:**
- Integrate this software into closed-source/proprietary products
- Distribute this software without disclosing source code
- Receive dedicated commercial support and warranties
- Avoid GPL v3.0 copyleft requirements
**Contact:**
- **Email:** [support@noid-privacy.com](mailto:support@noid-privacy.com) (Preferred for commercial inquiries)
- **GitHub:** [💬 Discussions](https://github.com/NexusOne23/noid-privacy/discussions) (Public questions)
---
### Third-Party Components
This software implements security configurations based on:
- **Microsoft Security Baselines** - Public documentation
- **Microsoft Defender ASR Rules** - Official documentation
- **DNS Providers** - Cloudflare, Quad9, AdGuard (public services)
Microsoft, Windows, and Edge are trademarks of Microsoft Corporation. This project is not affiliated with Microsoft.
---
## ⚠️ Disclaimer
This script modifies critical system settings. Use at your own risk. Always:
1. **Create a system backup** before running
2. **Test in a VM** first
3. **Review the code** to understand changes
4. **Verify compatibility** with your environment
The authors are not responsible for any damage or data loss.
---
## 📈 Project Status
**Current Version:** 2.2.0
**Last Updated:** December 8, 2025
**Status:** Production-Ready
### Release Highlights v2.2.0
- 630+ settings (expanded from 580+)
- NonInteractive mode for GUI integration
- Third-party AV detection and graceful ASR skip
- AntiAI enhanced to 32 policies (was 24)
- Pre-Framework ASR snapshot
- Smart Registry Backup with JSON fallback
📋 [See Full Changelog](CHANGELOG.md)
---
<div align="center">
**Made with 🛡️ for the Windows Security Community**
[Report Bug](https://github.com/NexusOne23/noid-privacy/issues) [Request Feature](https://github.com/NexusOne23/noid-privacy/issues) [Discussions](https://github.com/NexusOne23/noid-privacy/discussions)
**Star this repo** if you find it useful!
</div>
Reference in a new issue View git blame Copy permalink