You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
115 lines
7.8 KiB
115 lines
7.8 KiB
2 years ago
|
- name: process security policy
|
||
|
win_security_policy:
|
||
|
section: "{{ item.section | default('System Access') }}"
|
||
|
key: "{{ item.key }}"
|
||
|
value: "{{ item.value }}"
|
||
|
loop:
|
||
|
- { desc: "Set unlimited password age", key: MaximumPasswordAge, value: -1 }
|
||
|
- { desc: "Disable built-in admin account", key: EnableAdminAccount, value: 0 }
|
||
|
#- { desc: "Disable built-in guest account", key: EnableGuestAccount, value: 0 }
|
||
|
|
||
|
|
||
|
- name: disable Start Menu suggestions and tips/tricks
|
||
|
win_regedit:
|
||
|
path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager
|
||
|
name: "{{ item }}"
|
||
|
type: dword
|
||
|
data: 0
|
||
|
loop:
|
||
|
- SubscribedContent-338388Enabled
|
||
|
- SubscribedContent-338389Enabled
|
||
|
|
||
|
|
||
|
- name: disable PrintNightmare mitigations
|
||
|
win_regedit:
|
||
|
path: HKLM:\System\CurrentControlSet\Control\Print
|
||
|
name: RpcAuthnLevelPrivacyEnabled
|
||
|
type: dword
|
||
|
data: 0
|
||
|
|
||
|
|
||
|
- name: process MDM settings
|
||
|
win_regedit:
|
||
|
path: 'HKLM:\SOFTWARE\Microsoft\PolicyManager\default\{{ item.group }}\{{ item.name }}'
|
||
|
name: value
|
||
|
type: "{{ item.type | default('dword') }}"
|
||
|
data: "{{ item.value }}"
|
||
|
loop:
|
||
|
- { desc: "Disable game broadcasting", group: ApplicationManagement, name: AllowGameDVR, value: 0 }
|
||
|
- { desc: "Disable linking phone to PC", group: ApplicationManagement, name: AllowPhonePCLinking, value: 0 }
|
||
|
|
||
|
- { desc: "Disable Cortana", group: Experience, name: AllowCortana, value: 0 }
|
||
|
- { desc: "Disable Find My Device", group: Experience, name: AllowFindMyDevice, value: 0 }
|
||
|
- { desc: "Disable third-party suggestions in Windows Spotlight", group: Experience, name: AllowThirdPartySuggestionsInWindowsSpotlight, value: 0 }
|
||
|
- { desc: "Do not allow Feedback notifications", group: Experience, name: DoNotShowFeedbackNotifications, value: 1 }
|
||
|
|
||
|
- { desc: "Disable advanced gaming settings", group: Games, name: AllowAdvancedGamingServices, value: 0 }
|
||
|
|
||
|
- { desc: "Block Microsoft Accounts", group: LocalPoliciesSecurityOptions, name: Accounts_BlockMicrosoftAccounts, value: 3 }
|
||
|
- { desc: "Always sign communications as SMB Server", group: LocalPoliciesSecurityOptions, name: MicrosoftNetworkServer_DigitallySignCommunicationsAlways, value: 1 }
|
||
|
- { desc: "Sign communications as SMB Server if client agrees", group: LocalPoliciesSecurityOptions, name: MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees, value: 1 }
|
||
|
- { desc: "Force NTLMv2 and refuse older NTLM versions for LAN Manager", group: LocalPoliciesSecurityOptions, name: NetworkSecurity_LANManagerAuthenticationLevel, value: 5 }
|
||
|
|
||
|
- { desc: "Disable cross-device clipboard sharing", group: Privacy, name: AllowCrossDeviceClipboard, value: 0 }
|
||
|
- { desc: "Disable online speech recognition", group: Privacy, name: AllowInputPersonalization, value: 0 }
|
||
|
- { desc: "Make ads non-personalized", group: Privacy, name: DisableAdvertisingId, value: 1 }
|
||
|
- { desc: "Disable activity feed", group: Privacy, name: EnableActivityFeed, value: 0 }
|
||
|
- { desc: "Do not allow apps to publish info to online activity feed", group: Privacy, name: PublishUserActivities, value: 0 }
|
||
|
- { desc: "Do not allow apps to upload info to online activity feed", group: Privacy, name: UploadUserActivities, value: 0 }
|
||
|
|
||
|
- { desc: "Disable cloud search", group: Search, name: AllowCloudSearch, value: 0 }
|
||
|
- { desc: "Disable web search", group: Search, name: DoNotUseWebResults, value: 0 }
|
||
|
|
||
|
- { desc: "Disable online tips for Settings app", group: Settings, name: AllowOnlineTips, value: 0 }
|
||
|
- { desc: "Disable editing sign-in settings", group: Settings, name: AllowSignInOptions, value: 0 }
|
||
|
- { desc: "Disable editing and logging in with MS account in Settings", group: Settings, name: AllowYourAccount, value: 0 }
|
||
|
|
||
|
- { desc: "Do not update speech synthesis models", group: Speech, name: AllowSpeechModelUpdate, value: 0 }
|
||
|
|
||
|
- { desc: "Pin Documents folder to Start Menu", group: Start, name: AllowPinnedFolderDocuments, value: 1 }
|
||
|
- { desc: "Pin Downloads folder to Start Menu", group: Start, name: AllowPinnedFolderDownloads, value: 1 }
|
||
|
- { desc: "Unpin Explorer folder from Start Menu", group: Start, name: AllowPinnedFolderFileExplorer, value: 0 }
|
||
|
- { desc: "Unpin Home Group folder from Start Menu", group: Start, name: AllowPinnedFolderHomeGroup, value: 0 }
|
||
|
- { desc: "Unpin Music folder from Start Menu", group: Start, name: AllowPinnedFolderMusic, value: 0 }
|
||
|
- { desc: "Unpin Network folder from Start Menu", group: Start, name: AllowPinnedFolderNetwork, value: 0 }
|
||
|
- { desc: "Unpin Personal folder from Start Menu", group: Start, name: AllowPinnedFolderPersonalFolder, value: 0 }
|
||
|
- { desc: "Unpin Pictures folder from Start Menu", group: Start, name: AllowPinnedFolderPictures, value: 0 }
|
||
|
- { desc: "Pin Settings folder to Start Menu", group: Start, name: AllowPinnedFolderSettings, value: 1 }
|
||
|
- { desc: "Unpin Videos folder from Start Menu", group: Start, name: AllowPinnedFolderVideos, value: 0 }
|
||
|
- { desc: "Hide People icon from Start Menu", group: Start, name: HidePeopleBar, value: 1 }
|
||
|
|
||
|
- { desc: "Prevent users from using Insider Builds and Build Previews", group: System, name: AllowBuildPreview, value: 0 }
|
||
|
- { desc: "Disable Microsoft from running experiments in OS", group: System, name: AllowExperimentation, value: 0 }
|
||
|
- { desc: "Reduce amount of telemetry that is being sent to Microsoft", group: System, name: AllowTelemetry, value: 0 }
|
||
|
- { desc: "Do not allow factory resets", group: System, name: AllowUserToResetPhone, value: 0 }
|
||
|
- { desc: "Prevent users from changing telemetry settings in Settings UI", group: System, name: ConfigureTelemetryOptInSettingsUx, value: 1 }
|
||
|
- { desc: "Disable OneDrive and its integration to Windows Explorer", group: System, name: DisableOneDriveFileSync, value: 1 }
|
||
|
|
||
|
- { desc: "Disable XBox Accessory Management service", group: SystemServices, name: ConfigureXboxAccessoryManagementServiceStartupMode, value: 4 }
|
||
|
- { desc: "Disable XBox Live Auth Manager service", group: SystemServices, name: ConfigureXboxLiveAuthManagerServiceStartupMode, value: 4 }
|
||
|
- { desc: "Disable XBox Live Game Save service", group: SystemServices, name: ConfigureXboxLiveGameSaveServiceStartupMode, value: 4 }
|
||
|
- { desc: "Disable XBox Live Networking service", group: SystemServices, name: ConfigureXboxLiveNetworkingServiceStartupMode, value: 4 }
|
||
|
|
||
|
- { desc: "Do not allow Microsoft to collect typing data", group: TextInput, name: AllowLinguisticDataCollection, value: 0 }
|
||
|
|
||
|
- { desc: "Do not automatically connect to Wi-Fi hotspots", group: Wifi, name: AllowAutoConnectToWiFiSenseHotspots, value: 0 }
|
||
|
- { desc: "Disable Internet Connection Sharing", group: Wifi, name: AllowInternetSharing, value: 0 }
|
||
|
- { desc: "Disable Wi-Fi Direct", group: Wifi, name: AllowWiFiDirect, value: 0 }
|
||
|
|
||
|
|
||
|
- name: process GP settings
|
||
|
win_regedit:
|
||
|
path: 'HKLM:\SOFTWARE\Policies\Microsoft\{{ item.path }}'
|
||
|
name: "{{ item.name }}"
|
||
|
type: "{{ item.type | default('dword') }}"
|
||
|
data: "{{ item.value }}"
|
||
|
loop:
|
||
|
- { desc: "Disable Cortana in Windows search", path: 'Windows\Windows Search', name: AllowCortana, value: 0 }
|
||
|
- { desc: "Disable web search", path: 'Windows\Windows Search', name: DisableWebSearch, value: 1 }
|
||
|
- { desc: "Do not display web results in Search", path: 'Windows\Windows Search', name: ConnectedSearchUseWeb, value: 0 }
|
||
|
- { desc: "Turn off Find My Device", path: "FindMyDevice", name: AllowFindMyDevice, value: 0 }
|
||
|
- { desc: "Turn off Insider Preview builds", path: 'Windows\PreviewBuilds', name: AllowBuildPreview, value: 0 }
|
||
|
- { desc: "Turn off Windows Mail app", path: "Windows Mail", name: ManualLaunchAllowed, value: 0 }
|
||
|
- { desc: "Turn off OneDrive", path: 'Windows\OneDrive', name: DisableFileSyncNGSC, value: 1 }
|
||
|
- { desc: "Disable cloud content", path: 'Windows\CloudContent', name: DisableWindowsConsumerFeatures, value: 1 }
|