Windows Hardening and Optimization PowerShell Pack

This PowerShell pack provides comprehensive post-installation hardening, optimization, and cleaning for Windows 11 systems. Created by cybersecurity professionals, it implements security best practices from ANSSI and CIS benchmarks while removing unnecessary components and optimizing system performance.

Key Features

  • Bloatware Removal: Automatically removes Cortana, OneDrive, and other unnecessary applications
  • Security Hardening: Disables vulnerable protocols (LLMNR, NetBIOS, SMBv1) and services
  • Privacy Protection: Reduces telemetry and data collection
  • Performance Optimization: Configures performance plans, TRIM, and hibernation settings
  • Compliance: Implements ANSSI & CIS recommended security configurations

You Should Know: PowerShell Commands and Implementation Details

1. Bloatware Removal Commands

# Remove Microsoft bloatware apps
Get-AppxPackage Microsoft.BingNews | Remove-AppxPackage
Get-AppxPackage Microsoft.YourPhone | Remove-AppxPackage
Get-AppxPackage Microsoft.ZuneMusic | Remove-AppxPackage
Get-AppxPackage Microsoft.ZuneVideo | Remove-AppxPackage
Get-AppxPackage Microsoft.WindowsMaps | Remove-AppxPackage

2. Disabling Vulnerable Protocols

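# Disable SMBv1 (extremely vulnerable protocol)
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -NoRestart

# Disable LLMNR (Link-Local Multicast Name Resolution); create the policy key if it is missing
$dnsKey = "HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient"
if (-not (Test-Path $dnsKey)) { New-Item -Path $dnsKey -Force | Out-Null }
Set-ItemProperty -Path $dnsKey -Name "EnableMulticast" -Type DWord -Value 0

# Disable NetBIOS over TCP/IP (NetbiosOptions is set per adapter, under each Tcpip_{GUID} subkey)
Get-ChildItem -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces" | ForEach-Object { Set-ItemProperty -Path $_.PSPath -Name "NetbiosOptions" -Type DWord -Value 2 }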

3. Security Hardening Commands

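# Enable a Windows Defender Exploit Guard Attack Surface Reduction rule:
# D1E49AAC-8F56-4280-B9BA-993A6D77406C blocks process creations originating from PSExec and WMI commands.
# Add-MpPreference appends to the rule list; Set-MpPreference would replace any rules already configured.
Add-MpPreference -AttackSurfaceReductionRules_Ids D1E49AAC-8F56-4280-B9BA-993A6D77406C -AttackSurfaceReductionRules_Actions Enabled

# Enable PUA (Potentially Unwanted Applications) protection
Set-MpPreference -PUAProtection 1

# Enable PowerShell script block logging (important for security monitoring); create the policy key if it is missing
$sblKey = "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
if (-not (Test-Path $sblKey)) { New-Item -Path $sblKey -Force | Out-Null }
Set-ItemProperty -Path $sblKey -Name "EnableScriptBlockLogging" -Type DWord -Value 1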

4. Performance Optimization

# Set power plan to High Performance
powercfg -setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c

# Enable TRIM for SSDs
fsutil behavior set DisableDeleteNotify 0

# Disable hibernation (reclaims disk space)
powercfg -h off

5. Windows Services Optimization

# Disable unnecessary services
Stop-Service -Name "DiagTrack" -Force
Set-Service -Name "DiagTrack" -StartupType Disabled

Stop-Service -Name "dmwappushservice" -Force
Set-Service -Name "dmwappushservice" -StartupType Disabled

Stop-Service -Name "lfsvc" -Force
Set-Service -Name "lfsvc" -StartupType Disabled

6. ANSSI & CIS Compliance Settings

# Set the domain password policy (requires the ActiveDirectory module; domain.local is a placeholder for your domain)
Set-ADDefaultDomainPasswordPolicy -Identity domain.local -ComplexityEnabled $true -LockoutDuration 00:30:00 -LockoutObservationWindow 00:30:00 -LockoutThreshold 5 -MaxPasswordAge 90.00:00:00 -MinPasswordAge 1.00:00:00 -MinPasswordLength 14 -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false

# Configure UAC (User Account Control)
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Type DWord -Value 2
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "PromptOnSecureDesktop" -Type DWord -Value 1

What Undercode Say

This PowerShell pack represents a comprehensive approach to Windows 11 hardening that combines security best practices with system optimization. The implementation covers multiple critical areas:

  1. Attack Surface Reduction: By removing unnecessary components and disabling vulnerable protocols, the script significantly reduces the system’s attack surface.

  2. Compliance Alignment: The inclusion of ANSSI and CIS benchmark recommendations ensures the system meets recognized security standards.

  3. Performance Benefits: The optimization commands help maintain system responsiveness while the security measures are applied.

  4. Automation Advantage: Having these settings applied automatically saves significant time compared to manual configuration, especially for multiple systems.

For those implementing this in enterprise environments, consider these additional commands:

# Enable Windows Defender Application Guard (enterprise feature)
Enable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-ApplicationGuard" -NoRestart

# Configure Windows Defender Firewall with advanced logging
Set-NetFirewallProfile -Profile Domain,Public,Private -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log -LogMaxSizeKilobytes 16384 -LogAllowed True -LogBlocked True

# Enable LSA Protection (requires UEFI lock)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Type DWord -Value 1

For monitoring the effectiveness of these changes, these commands are useful:

# Verify applied security settings
Get-MpComputerStatus | Select-Object RealTimeProtectionEnabled, AntivirusEnabled, AntispywareEnabled

# Check firewall status
Get-NetFirewallProfile | Select-Object Name, Enabled

# List all running services
Get-Service | Where-Object {$_.Status -eq "Running"} | Select-Object DisplayName, Status
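
The status commands above do not confirm that the individual registry, feature and service settings from this page were applied. The following read-only audit is an added example, not part of the original pack; `Get-RegValue`, `New-CheckResult` and `Test-HardeningBaseline` are hypothetical helper names, and the expected values are the ones set on this page.

```powershell
# Added example: read-only audit of the settings applied on this page. Run elevated.
# Get-RegValue, New-CheckResult and Test-HardeningBaseline are hypothetical helper names.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the setting was never applied.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function New-CheckResult {
    param($Setting, $Expected, $Actual)
    [pscustomobject]@{ Setting = $Setting; Expected = $Expected; Actual = $Actual
                       Compliant = ($Actual -eq $Expected) }
}

function Test-HardeningBaseline {
    $policies = 'HKLM:\Software\Policies\Microsoft'
    $uac      = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $registryChecks = @(
        @('LLMNR disabled', "$policies\Windows NT\DNSClient", 'EnableMulticast', 0),
        @('Script block logging', "$policies\Windows\PowerShell\ScriptBlockLogging", 'EnableScriptBlockLogging', 1),
        @('UAC consent prompt', $uac, 'ConsentPromptBehaviorAdmin', 2),
        @('UAC secure desktop', $uac, 'PromptOnSecureDesktop', 1),
        @('LSA protection (RunAsPPL)', 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa', 'RunAsPPL', 1)
    )
    foreach ($c in $registryChecks) {
        New-CheckResult -Setting $c[0] -Expected $c[3] -Actual (Get-RegValue -Path $c[1] -Name $c[2])
    }

    # NetbiosOptions lives under one Tcpip_{GUID} subkey per adapter, so check each one.
    $netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    foreach ($iface in Get-ChildItem -Path $netbt) {
        New-CheckResult -Setting "NetBIOS off: $($iface.PSChildName)" -Expected 2 -Actual (Get-RegValue -Path $iface.PSPath -Name 'NetbiosOptions')
    }

    # SMBv1 optional feature: any state other than 'Enabled' is reported as Disabled.
    $smb1 = "$((Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State)"
    New-CheckResult -Setting 'SMBv1 feature' -Expected 'Disabled' -Actual $(if ($smb1 -eq 'Enabled') { 'Enabled' } else { 'Disabled' })

    # Telemetry and location services; services not present on this build are skipped.
    foreach ($name in 'DiagTrack', 'dmwappushservice', 'lfsvc') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { continue }
        New-CheckResult -Setting "Service $name" -Expected 'Disabled' -Actual "$($svc.StartType)"
    }
}

# Non-compliant rows sort first.
Test-HardeningBaseline | Sort-Object Compliant | Format-Table -AutoSize
```

A blank `Actual` column means the value was never written, which is how a silently failed `Set-ItemProperty` on a missing key shows up.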

Expected Output:

The script should produce:

1. A clean Windows 11 installation without bloatware

2. HTML report of configuration changes

3. Optimized system performance

4. Hardened security configuration meeting ANSSI/CIS standards

5. Disabled vulnerable protocols and services

6. Enabled security features like Exploit Guard and PUA protection

References:

Reported By: Mustapha Mhidi – Hackers Feeds