Releases: HotCakeX/Harden-Windows-Security
Harden Windows Security v.0.5.5
What's New
-
Added Compliance checking and system auditing functionality to the GUI with built-in search functionality.
-
Added Sidebar tabbed experience with animation for ease of use. It has virtually unlimited space for new features and pages with scrollable style.
-
Using MVVM design pattern.
-
Native WPF GUI with no 3rd party dependency or any compiled binaries.
-
When ARM hardware is detected, all process mitigations will be skipped. More info here. If you have ARM hardware and want to contribute to this project, you can help me verify each process mitigation on your ARM hardware so I can enable the ones that are compatible.
-
The experience and logic for enabling logging has been improved.
-
You can now manually enter the path where the logs will be saved to as well. Previously, you'd only have to use the button on the GUI to browse for one.
-
Added custom tooltips for each category and sub-category in the protection tab with small meaningful details to help you decide which option to choose.
-
Required PowerShell version has been increased from 7.4.2 to 7.4.4. The Harden Windows Security heavily relies on the latest .NET components shipped with PowerShell, that's why you don't need to install .NET runtime separately.
-
When logging is enabled, the logs are written to the file in real time instead of at the end of the operation.
-
Significantly improved the toast notifications experience, they are now modern Windows 11 style toast notifications. Due to this improved experience, 5 official Microsoft-Signed DLLs are bundled with the Harden Windows Security program. Links to them can be found below:
-
The Harden Windows Security program can now be fully used in both Visual Studio (native C#) and Visual Studio Code (native PowerShell). Its hybrid design allows it to be highly interoperable.
What's Next
-
Unprotect-WindowsSecuritywill be added to the GUI. -
Attack Surface Reduction rules will be individually configurable in a new section in the GUI.
-
BitLocker enrollment and activation through the GUI.
-
And more.
Resolves #318
PR: #319
WDACConfig Update v0.4.4
Harden Windows Security Module v.0.5.4
What's New
- You can now use mouse or touch on any empty spaces on the GUI (User Interface) to drag it and move it around.
- Added a progress bar to the GUI to display better visuals when work is being done.
- Implemented lots of best practices in the code.
PR: #317
WDACConfig Update v0.4.3
What's New
-
The ConvertTo-WDACPolicy command now shows blocked and audited events by default unless you use the
-LogTypeparameter to narrow it down. The previous default behavior was Audit logs only. -
The ConvertTo-WDACPolicy now has a new optional parameter called -Level. The level determining rule generation can be one of the following: Auto, FilePublisher, Publisher, or Hash.
-
The fallback level is always Hash.
-
By default, which is the same as not using this parameter, the most secure levels are prioritized. If a log contains the requisite details for the FilePublisher level, it will be utilized. If not, the Publisher level will be attempted. Should this also fail, the Hash level will be employed.
-
Enterprises and organizations typically favor the Publisher level over FilePublisher for its streamlined maintenance, making this adjustment particularly advantageous for these user groups.
-
-
The
Edit-SignedWDACConfigandEdit-WDACConfigcommands now support the same levels that theConvertTo-WDACPolicysupports when creating policy based on the event logs. -
Improved globalization to ensure compatibility with any culture.
-
Provided ready to use Visual Studio solution (.NET 9).
-
ConvertTo-WDACPolicy -PolicyToAddLogsTonow supports policies that contain Macros.
PR: #312
Harden Windows Security Module v.0.5.3
Harden Windows Security Module v.0.5.2
What's New
- Added Intune policy verification support for 7 more Microsoft Defender policies.
- Added the last remaining policy for the User Account Control category in the Intune policies, verification already implemented for it.
- Added ShowHibernate to the BitLocker Intune CSP policies, verification already implemented for it.
- Added 2 more policies to the Windows Networking Intune CSP, "Turn off multicast" and "Turn off downloading of print drivers over HTTP", verification already implemented for them.
PR: #311
Harden Windows Security Module v.0.5.1
What's New
-
🦄 Transitioning from conventional registry-based verifications to assessing the Effective Status of implemented security settings wherever feasible in a hybrid way. This approach engages deeply with the operating system, ensuring greater accuracy.
-
🔥Intune policies verification. The Compliance checking is no longer limited to only Group Policy/Registry settings. If your workstation is controlled using Intune (modern workplace management) then you can use the Harden Windows Security module to verify the implementation of the policies and see what security score you receive according to this repo's guidelines.
-
Over time, more policies will be added for auditing, especially those in the Microsoft Security Baselines that are available as group policy packages and in the Intune portal.
-
Currently, over 160 policies are supported to be verified when they are applied through Intune portal. This number will keep going up in future updates.
-
-
✅ Added title and custom icon to the Harden Windows Security GUI.
-
✅ Re-implemented the entire compliance checking logic natively in C# achieving enhanced execution speed, strictly typed code, and a more interoperable codebase.
-
✅ Adjusted some compliance checks to be more practical.
-
☁️ Updated many of the Intune policies.
-
✅ Implemented many of the remaining policies in Intune CSPs ready to be consumed.
-
✅ Removed the
SpecialPollIntervalthat would configure the Windows time sync interval. When you run the Miscellaneous category next time, its registry key will automatically be removed if it exists. The reason for the removal is that Windows now has an even lower time interval by default, so this policy is no longer necessary.- The Harden Windows Security module always gracefully and automatically cleans up the policies that are decommissioned and no longer relevant, so the user does not have to manually remove them.
-
✅ Added a new policy to the Miscellaneous category: a policy that requests claims and compound authentication for Dynamic Access Control and Kerberos armoring.
- More Kerberos hardening policies are on the way after further testing.
-
♾️There is a new record for the execution speed of the
Confirm-SystemCompliancecmdlet. It now completes in only 7 seconds, all categories of it. This improved speed is despite the fact that so many new features were added and a lot more data sources are being processed.
PR: #308
Harden Windows Security Module v.0.5.0
Harden Windows Security Module v.0.4.9
Harden Windows Security Module v.0.4.8
What's New
- Improved the execution speed of Confirm-SystemCompliance. I once improved it in version 0.4.5 but this time it's become even faster.
-
Provided Intune policy files for the remaining categories.
- Use this post as a getting started guide.
-
Fixed compliance checking total displayed number. It would show an increased total number after the first run in the same session.
-
Updated the BitLocker wiki page with additional info regarding key protector setup using Intune and Group Policy.
PR: #300