
Hardening script update v2023.8.8

@HotCakeX HotCakeX released this 09 Aug 03:29
· 1807 commits to main since this release
e339b54

What's changed

  1. Removed Edge browser policies that are not applicable when you sign in using a personal Microsoft account instead of Microsoft Entra ID. This is a new security change by Microsoft that comes into effect starting with Edge version 116, a few days from now. The Edge Group Policies documentation clearly marks which policies are affected. There is nothing to worry about; you can configure these settings from the Edge browser settings page. In Edge browser versions 116 and above, the status of these policies in edge://policy/ is "Ignored" when signed in with a personal Microsoft account. You don't have to take any additional actions; the script automatically removes them if they exist. Policies with "Ignored" status do not cause any problem, but to keep things clean, the following Edge browser policies are removed from the Windows Hardening script:

    1. WebRtcLocalhostIpHandling
    2. SSLErrorOverrideAllowed
    3. PrimaryPasswordSetting
    4. PDFSecureMode
    5. NewPDFReaderEnabled
  2. Removed the Top Security category and instead placed each hardening measure that was in there into its correct category. This way users have more granular control and can enable individual hardening measures instead of using all of them at once. Some of them cause more inconvenience than others while providing security; please check the description of each of them in the Readme.

    1. Added "Don't display last signed-in" to the Lock Screen category.
    2. Added "Blocking Untrusted Fonts" to the Miscellaneous category.
    3. Added "Automatically deny all UAC prompts on Standard accounts" to the User Account Control category.
    4. Added "Hides the entry points for Fast User Switching" to the User Account Control category.
    5. Added "Only elevate executables that are signed and validated" to the User Account Control category.
  3. In the Readme, made it clear that individual hardening measures that prompt for additional confirmation before running, like the ones mentioned above, are marked with the Requires Additional Confirmation icon.

  4. In the Readme, added a note to the "Hides the entry points for Fast User Switching" policy in the User Account Control category and the "Don't display last signed-in" policy in the Lock screen category, both of which require additional confirmation before running. If either of those two policies is used, you won't be able to use the "Forgot my PIN" feature on the lock screen or logon screen. If you forget your PIN, you won't be able to recover it.

    • As mentioned earlier, they were previously in the Top Security category; now they are part of their correct categories and, just like before, they are not applied by default unless you manually confirm them.
  5. When running the Harden Windows Security script with PowerShell Core, you will now see improved styling.

  6. Added a new Requires Additional Confirmation hardening measure in the Lock screen category. It sets the Windows Hello PIN as the default Credential Provider and excludes the Credential Providers listed below. This is done because, when the "Don't display last signed-in" policy is used, the logon screen defaults to Password. Smart cards are old and insecure compared to Windows Hello or WHfB, and if Microsoft account password sign-in is available, it defeats the purpose of having a local PIN that's tied to the device. Needless to say, you shouldn't use this policy if a local password or smart card is the only way you log in. If that's the case, first connect your Windows account to a Microsoft account and then use this policy. List of the Credential Providers that are blocked by this policy:

    • Smartcard Reader Selection Provider - {1b283861-754f-4022-ad47-a5eaaa618894}
    • Smartcard WinRT Provider - {1ee7337f-85ac-45e2-a23c-37c753209769}
    • Smartcard Credential Provider - {8FD7E19C-3BF7-489B-A72C-846AB3678C96}
    • WLIDCredentialProvider (Microsoft Account Password sign-in on logon screen, not applicable if your Microsoft account is password-less) - {F8A0B131-5F68-486c-8040-7E8FC3C85BB6}
    • PasswordProvider - {60b78e88-ead8-445c-9cfd-0b87f74ea6cd}
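
As an added, read-only audit example (not code from the HotCakeX script or this release), this checks which of the providers listed above are registered on the machine and whether the "Exclude credential providers" logon policy currently excludes them; it assumes the standard registry locations named in its comments and does not change anything.

```powershell
# Added audit example, not part of the Harden Windows Security script.
# Assumed registry locations:
#   registered providers: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers
#   logon policy values:  HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
#     DefaultCredentialProvider   (REG_SZ, one GUID)
#     ExcludedCredentialProviders (REG_SZ, comma-separated GUIDs)

# GUIDs taken from the release notes above.
$ReleaseListedProviders = @{
    '{1b283861-754f-4022-ad47-a5eaaa618894}' = 'Smartcard Reader Selection Provider'
    '{1ee7337f-85ac-45e2-a23c-37c753209769}' = 'Smartcard WinRT Provider'
    '{8FD7E19C-3BF7-489B-A72C-846AB3678C96}' = 'Smartcard Credential Provider'
    '{F8A0B131-5F68-486c-8040-7E8FC3C85BB6}' = 'WLIDCredentialProvider'
    '{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}' = 'PasswordProvider'
}

$ProvidersKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$PolicyKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Map every registered provider GUID (subkey name) to its display name (the subkey's default value).
$Installed = @{}
Get-ChildItem -Path $ProvidersKey -ErrorAction Stop | ForEach-Object {
    $Installed[$_.PSChildName.ToLowerInvariant()] = (Get-ItemProperty -Path $_.PSPath).'(default)'
}

# Current policy state; both values are absent when the policy has never been configured.
$Policy   = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
$Excluded = @()
if ($Policy.ExcludedCredentialProviders) {
    $Excluded = $Policy.ExcludedCredentialProviders -split ',' |
        ForEach-Object { $_.Trim().ToLowerInvariant() }
}
$Default = $Policy.DefaultCredentialProvider

# One row per provider from the release list: is it present, and is it excluded by policy?
foreach ($Guid in $ReleaseListedProviders.Keys) {
    $Key = $Guid.ToLowerInvariant()
    [pscustomobject]@{
        Provider  = $ReleaseListedProviders[$Guid]
        Guid      = $Guid
        Installed = $Installed.ContainsKey($Key)
        Excluded  = $Excluded -contains $Key
    }
}

# Sanity check: the default provider must not also be excluded, or logon has no usable provider.
if ($Default -and ($Excluded -contains $Default.ToLowerInvariant())) {
    Write-Warning "DefaultCredentialProvider $Default is also listed in ExcludedCredentialProviders."
}
```

Run it from an elevated PowerShell session before and after applying the measure to confirm that only the five providers above flip to Excluded and that the default provider stays usable.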