Add some hardening steps from hardentools

1 files changed, 12 insertions, 0 deletions

diff --git a/win10-prep.bat b/win10-prep.bat
index e0d936e..afa4bc8 100644
--- a/win10-prep.bat
+++ b/win10-prep.bat
@@ -298,6 +298,18 @@ rem disable improve typing/inking recognition
 reg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f
 rem allow long character paths
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "LongPathsEnabled" /t REG_DWORD /d "1" /f
+rem disable snipping tool
+reg add "HKLM\SOFTWARE\Policies\Microsoft\TabletPC" /v "DisableSnippingTool" /t REG_DWORD /d "1" /f
+rem disable windows script host
+reg add "HKLM\Software\Microsoft\Windows Script\Settings" /v "Enabled" /t REG_DWORD /d "0" /f
+rem disable drive autoruns
+reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDriveTypeAutoRun" /t REG_DWORD /d "181" /f
+reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAutorun" /t REG_DWORD /d "1" /f
+reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers" /v "DisableAutoplay" /t REG_DWORD /d "1" /f
+rem disable powershell
+reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d "1" /f
+reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "powershell.exe" /f
+reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "2" /t REG_SZ /d "powershell_ise.exe" /f
 exit /b %errorlevel%
 
 :remove_software