
[Bug]: RuntimeBroker.exe StrictCFG not compatible with Windows 11 on ARM hardware (virtualized) #318

Closed
3 tasks done
HenkPoley opened this issue Aug 14, 2024 · 25 comments · Fixed by #319
Assignees
Labels
Bug 🐛 Something isn't working

Comments

@HenkPoley
Contributor

Tools category

Harden Windows Security Module

Does Your System Meet The Requirements?

  • Yes, I acknowledge that I've read the requirements and my system meets them. 👍

Is your Windows Installation Genuine?

  • Yes, I acknowledge that the installation media of the Windows OS I used the tool on was downloaded from the official Microsoft website and I didn't tamper or modify it. 💯

Did You Read The Frequently Asked Questions?

  • Yes, I've referred to the FAQs and my issue is not covered/explained in there.

Please Explain The Bug

After enabling "some unknown" setting, when I opened the Start menu and typed, it would not show the search GUI. Also the search bar on the taskbar does nothing.

Reset my VM, ran Windows Update, enabled Smart App Control, and applied the rules one by one starting from the bottom, rebooting every time in between. Attack Surface Reduction breaks the search GUI.

Not sure how to proceed from here. Maybe I'll have some more time to look into this later. It is of course a Microsoft bug. This is inside a UTM (Apple M1) VM, so no virtualisation based security (no nested VMs). Might be relevant.

August 2024 Windows Updates installed (of course).

Error Details

N/A
@HenkPoley HenkPoley added the Bug 🐛 Something isn't working label Aug 14, 2024
@HenkPoley
Contributor Author

Ah, I see it just enabled the 19 known Attack Surface Reduction rules: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#attacksurfacereductionrules

I guess I'll need to flip some switches to figure out which causes this Windows Search GUI issue.

@HenkPoley
Contributor Author

Hmm, I can't seem to figure out how to disable the Attack Surface rules. I guess you set some policy, so this does not work:

Add-MpPreference -AttackSurfaceReductionRules_Actions Disabled -AttackSurfaceReductionRules_Ids <some ID>

@HenkPoley
Contributor Author

Looking at:

<ViewerConfig>
  <QueryConfig>
    <QueryParams><UserQuery /></QueryParams>
    <QueryNode>
      <Name LanguageNeutralValue="Attack Surface Reduction rule events">Attack Surface Reduction rule events</Name>
      <QueryList>
        <Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
          <Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1121 or EventID=1122 or EventID=5007)]]</Select>
          <Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1121 or EventID=1122 or EventID=5007)]]</Select>
        </Query>
      </QueryList>
    </QueryNode>
  </QueryConfig>
  <ResultsConfig>
    <Columns>
      <Column Name="Level" Type="System.String" Path="Event/System/Level" Visible="">255</Column>
      <Column Name="Keywords" Type="System.String" Path="Event/System/Keywords">70</Column>
      <Column Name="Date and Time" Type="System.DateTime" Path="Event/System/TimeCreated/@SystemTime" Visible="">305</Column>
      <Column Name="Source" Type="System.String" Path="Event/System/Provider/@Name" Visible="">215</Column>
      <Column Name="Event ID" Type="System.UInt32" Path="Event/System/EventID" Visible="">215</Column>
      <Column Name="Task Category" Type="System.String" Path="Event/System/Task" Visible="">215</Column>
      <Column Name="User" Type="System.String" Path="Event/System/Security/@UserID">50</Column>
      <Column Name="Operational Code" Type="System.String" Path="Event/System/Opcode">110</Column>
      <Column Name="Log" Type="System.String" Path="Event/System/Channel">80</Column>
      <Column Name="Computer" Type="System.String" Path="Event/System/Computer">170</Column>
      <Column Name="Process ID" Type="System.UInt32" Path="Event/System/Execution/@ProcessID">70</Column>
      <Column Name="Thread ID" Type="System.UInt32" Path="Event/System/Execution/@ThreadID">70</Column>
      <Column Name="Processor ID" Type="System.UInt32" Path="Event/System/Execution/@ProcessorID">90</Column>
      <Column Name="Session ID" Type="System.UInt32" Path="Event/System/Execution/@SessionID">70</Column>
      <Column Name="Kernel Time" Type="System.UInt32" Path="Event/System/Execution/@KernelTime">80</Column>
      <Column Name="User Time" Type="System.UInt32" Path="Event/System/Execution/@UserTime">70</Column>
      <Column Name="Processor Time" Type="System.UInt32" Path="Event/System/Execution/@ProcessorTime">100</Column>
      <Column Name="Correlation Id" Type="System.Guid" Path="Event/System/Correlation/@ActivityID">85</Column>
      <Column Name="Relative Correlation Id" Type="System.Guid" Path="Event/System/Correlation/@RelatedActivityID">140</Column>
      <Column Name="Event Source Name" Type="System.String" Path="Event/System/Provider/@EventSourceName">140</Column>
    </Columns>
  </ResultsConfig>
</ViewerConfig>

Under Event viewer Microsoft-Windows-Windows Defender/Operational I see no EventID=1121 or EventID=1122

But I do see a lot of EventID=5007. But from a cursory glance those appear to be configuration 'changes' (often just applying the enforced settings?). No blocked events or errors or anything.

@HotCakeX
Owner

HotCakeX commented Aug 14, 2024

Hi,
The miscellaneous category adds custom views to the event viewer, one of them is for Attack Surface Reduction rules.

[screenshot of the custom event viewer views]


On the readme, items that have blue checkmark are configured via Group policy, so to configure the ASR rules, you need to use the Group policy editor in this path:

Computer Configuration - Administrative Templates - Windows Components - Microsoft Defender Antivirus - Microsoft Defender Exploit Guard - Attack Surface Reduction -> Configure Attack Surface Reduction rules

If you set any of them to 0, it means disabled.

Here is the reference:
https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference

I'll test it myself too in a few minutes; my host is on build 24H2, so I need to update my 23H2 build VM.

@HotCakeX
Owner

I did some tests on the latest build of 23H2: applied all categories, including ASR rules, and restarted. Everything is working normally. Here are some screenshots:

[four screenshots of the working Start menu search]

@HenkPoley
Contributor Author

  • I've set all the items in Local Group Policies for Attack Surface Reduction to 0. Didn't help.
  • Then tried using PowerShell to set them to Disabled using Set-MpPreference. Didn't help.
  • Then set the Attack Surface Reduction group policy to Disabled. Again used Set-MpPreference to set them to Disable. Now (Get-MpPreference).AttackSurfaceReductionRules_Ids shows an empty list at least.

But the Windows Search GUI still doesn't work.

Maybe I made some mistake and it's the Protect-WindowsSecurity -GUI setting just before or after Attack Surface Reduction. I'll spend some more time on it, but not right now 😅

@HotCakeX
Owner


When the ASR rules are applied via Group policy, the cmdlets won't make permanent changes, because the Group policies just re-apply the policies frequently to keep the system compliant. The only way to disable them permanently is through Group policy itself.

I'm adding individual ASR rule configuration to the GUI in the next update for easier management.

You can use the Unprotect-WindowsSecurity to undo the applied protections automatically.

And that's understandable, take your time. In the meantime I'll close the issue, since the title isn't applicable anymore and this doesn't seem like a reproducible bug I can actively work on fixing.

I don't know your exact setup, but hopefully your hardware met the requirements for Win 11 and there weren't any modifications prior to running the module that could've caused this problem.

Please feel free to reopen or create a new issue if there's more :)
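The two mechanisms discussed in this thread (ASR rules enforced by Group Policy that Set-MpPreference cannot permanently override, and the event IDs 1121/1122/5007 the custom event viewer view queries) can be reconciled from one script. This is an added example, not the module's own code and not from any comment above; it assumes the Group Policy setting stores its per-rule values under the registry key named in the script, and that events 1121/1122 carry the rule GUID as a string property.

```powershell
# Added example (not part of the Harden Windows Security module).
# Shows, per ASR rule GUID, what Group Policy enforces versus what Get-MpPreference
# reports, so a rule that keeps coming back after Set-MpPreference is explained by
# the policy value that re-applies it. Run from an elevated PowerShell session.
# Assumption: the "Configure Attack Surface Reduction rules" policy stores its
# values (value name = rule GUID, data = action) under this key.
$PolicyRulesKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrPolicyState {
    # Rule GUID -> action as enforced by Group Policy (0 = disabled, as the thread says)
    $result = @{}
    if (Test-Path $PolicyRulesKey) {
        $item = Get-Item $PolicyRulesKey
        foreach ($name in $item.GetValueNames()) {
            $result[$name.ToLowerInvariant()] = [int]$item.GetValue($name)
        }
    }
    return $result
}

function Get-AsrEffectiveState {
    # Rule GUID -> action as Defender currently reports it (what Set-MpPreference tries to change)
    $pref = Get-MpPreference
    $result = @{}
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i].ToLowerInvariant()
        $result[$id] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    }
    return $result
}

function Compare-AsrState {
    # One row per rule GUID seen in either place; ManagedByPolicy = True means a
    # cmdlet change will be overwritten on the next policy refresh.
    $policy    = Get-AsrPolicyState
    $effective = Get-AsrEffectiveState
    foreach ($id in (@($policy.Keys) + @($effective.Keys) | Sort-Object -Unique)) {
        $p = if ($policy.ContainsKey($id))    { $ActionNames[$policy[$id]] }    else { 'not set' }
        $e = if ($effective.ContainsKey($id)) { $ActionNames[$effective[$id]] } else { 'not set' }
        [pscustomobject]@{
            RuleId          = $id
            GroupPolicy     = $p
            MpPreference    = $e
            ManagedByPolicy = $policy.ContainsKey($id)
        }
    }
}

function Get-AsrRecentEvents {
    param([int]$Days = 7)
    # 1121 = rule blocked something, 1122 = rule would have blocked (audit mode),
    # 5007 = Defender configuration changed (the "churn" events seen in the thread).
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122, 5007
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
}

Compare-AsrState | Format-Table -AutoSize

# Separate real rule hits (1121/1122) from configuration churn (5007) and tag each
# hit with its rule GUID. Assumption: the GUID is one of the event's string
# properties; its index varies between builds, so it is located by pattern.
$GuidPattern = '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
Get-AsrRecentEvents |
    Where-Object Id -in 1121, 1122 |
    ForEach-Object {
        $guid = $_.Properties.Value |
            Where-Object { $_ -is [string] -and $_ -match $GuidPattern } |
            Select-Object -First 1
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            RuleId  = $guid
            Message = ($_.Message -split "`n")[0]
        }
    } | Format-Table -AutoSize
```

If the first table shows ManagedByPolicy = True for a rule, change it in the Group Policy path from the comment above rather than with Set-MpPreference; a search GUI failure with no 1121/1122 hits points away from ASR as the cause.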

@HotCakeX HotCakeX closed this as not planned Aug 14, 2024
@HenkPoley
Contributor Author

Maybe it had to do with the Microsoft Defender settings.

After a '(repair Windows)' install from the Settings reset page, the search GUI works again. These are the Confirm-SystemCompliance settings. I'll set some options with Protect-WindowsSecurity -GUI until search breaks and then compare the state.

-------------Microsoft Defender Category-------------

FriendlyName                                                                             Compliant Value
------------                                                                             --------- -----
Mandatory ASLR                                                                           True      ON
Process Mitigations for: msedge.exe                                                      True      DisableExtensionPoints,CFG,StrictCFG,MicrosoftSignedOnly,AllowStoreSignedBinaries,EnforceModuleDependencySigning,BlockRemoteImageLoads,BlockLowLabelImageLoads,UserShadowStack,UserShadowStackStrictMode
Process Mitigations for: explorer.exe                                                    False     N/A
Process Mitigations for: vmcompute.exe                                                   True      CFG,StrictCFG
Process Mitigations for: vmwp.exe                                                        True      CFG,StrictCFG
Process Mitigations for: QuickAssist.exe                                                 True      DisableExtensionPoints,StrictHandle,BlockDynamicCode,MicrosoftSignedOnly,AllowStoreSignedBinaries,EnforceModuleDependencySigning,DisableNonSystemFonts,BlockRemoteImageLoads,BlockLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,UserShadowStack,UserShadowStackStrictMode
Process Mitigations for: Acrobat.exe                                                     True      ForceRelocateImages,RequireInfo,StrictHandle,EnforceModuleDependencySigning,DisableNonSystemFonts,BlockRemoteImageLoads,BlockLowLabelImageLoads,EnableRopStackPivot,EnableRopCallerCheck,UserShadowStack
Process Mitigations for: OneDrive.exe                                                    True      StrictHandle,DisableExtensionPoints,MicrosoftSignedOnly,AllowStoreSignedBinaries,EnforceModuleDependencySigning,EnableRopStackPivot,EnableRopCallerCheck
Process Mitigations for: EXCEL.EXE                                                       True      StrictHandle,DisableExtensionPoints,MicrosoftSignedOnly,AllowStoreSignedBinaries,EnforceModuleDependencySigning,EnableRopStackPivot,EnableRopCallerCheck
Process Mitigations for: MSACCESS.EXE                                                    True      StrictHandle,DisableExtensionPoints,MicrosoftSignedOnly,AllowStoreSignedBinaries,EnforceModuleDependencySigning,EnableRopStackPivot,EnableRopCallerCheck
Process Mitigations for: MSPUB.EXE                                                       True      StrictHandle,DisableExtensionPoints,MicrosoftSignedOnly,AllowStoreSignedBinaries,EnforceModuleDependencySigning,EnableRopStackPivot,EnableRopCallerCheck
Process Mitigations for: ONENOTE.EXE                                                     True      StrictHandle,DisableExtensionPoints,MicrosoftSignedOnly,AllowStoreSignedBinaries,EnforceModuleDependencySigning,EnableRopStackPivot,EnableRopCallerCheck
Process Mitigations for: OUTLOOK.EXE                                                     True      StrictHandle,DisableExtensionPoints,MicrosoftSignedOnly,AllowStoreSignedBinaries,EnforceModuleDependencySigning,EnableRopStackPivot,EnableRopCallerCheck
Process Mitigations for: POWERPNT.EXE                                                    True      StrictHandle,DisableExtensionPoints,MicrosoftSignedOnly,AllowStoreSignedBinaries,EnforceModuleDependencySigning,EnableRopStackPivot,EnableRopCallerCheck
Process Mitigations for: WINWORD.EXE                                                     True      StrictHandle,DisableExtensionPoints,MicrosoftSignedOnly,AllowStoreSignedBinaries,EnforceModuleDependencySigning,EnableRopStackPivot,EnableRopCallerCheck
Process Mitigations for: lsass.exe                                                       True      DisableExtensionPoints,BlockDynamicCode,DisallowChildProcessCreation,BlockRemoteImageLoads,MicrosoftSignedOnly
Process Mitigations for: SmartScreen.exe                                                 True      DisableExtensionPoints,CFG,StrictCFG,MicrosoftSignedOnly
Process Mitigations for: Regsvr32.exe                                                    True      BlockLowLabelImageLoads
Process Mitigations for: WindowsSandbox.exe                                              True      StrictHandle,DisableExtensionPoints,CFG,StrictCFG,MicrosoftSignedOnly,EnforceModuleDependencySigning,BlockRemoteImageLoads,BlockLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus
Process Mitigations for: WindowsSandboxClient.exe                                        True      StrictHandle,DisableExtensionPoints,CFG,StrictCFG,MicrosoftSignedOnly,EnforceModuleDependencySigning,BlockRemoteImageLoads,BlockLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus
Process Mitigations for: RuntimeBroker.exe                                               False     DisableExtensionPoints
Process Mitigations for: msedgewebview2.exe                                              True      DisableExtensionPoints,CFG,StrictCFG,EnforceModuleDependencySigning
Process Mitigations for: csrss.exe                                                       True      BlockRemoteImageLoads
Process Mitigations for: services.exe                                                    True      BlockRemoteImageLoads
Process Mitigations for: rundll32.exe                                                    False     N/A
Process Mitigations for: SMSS.exe                                                        True      BlockRemoteImageLoads
Process Mitigations for: Wininit.exe                                                     True      BlockRemoteImageLoads
Process Mitigations for: NisSrv.exe                                                      True      MicrosoftSignedOnly
Fast weekly Microsoft recommended driver block list update                               False     False
Microsoft Defender Platform Updates Channel                                              N/A       NotConfigured
Microsoft Defender Engine Updates Channel                                                N/A       NotConfigured
Controlled Folder Access Exclusions                                                      N/A       C:\Program Files\PowerShell\7\createdump.exe, C:\Program Files\PowerShell\7\pwsh.exe, C:\Windows\System32\powercfg.exe
Allow Switch To Async Inspection                                                         True      True
OOBE Enable Rtp And Sig Update                                                           True      True
Intel TDT Enabled                                                                        True      True
Smart App Control State                                                                  False     Eval
Controlled Folder Access                                                                 True      1
Enable Restore Point scanning                                                            True      True
Performance Mode Status                                                                  True      0
Enable Convert Warn To Block                                                             True      True
BruteForce Protection Aggressiveness                                                     True      1
BruteForce Protection Max Block Time                                                     True      0
BruteForce Protection Configured State                                                   True      1
Remote Encryption Protection Max Block Time                                              True      0
Remote Encryption Protection Aggressiveness                                              True      2
Remote Encryption Protection Configured State                                            True      1
Cloud Block Level                                                                        True      6
Email Scanning                                                                           True      True
Send file samples when further analysis is required                                      True      3
Join Microsoft MAPS (aka SpyNet)                                                         True      2
File Hash Computation                                                                    True      True
Extended cloud check (Seconds)                                                           True      50
Detection for potentially unwanted applications                                          False     2
Catchup Quick Scan                                                                       True      True
Check For Signatures Before Running Scan                                                 True      True
Enable Network Protection                                                                True      1
Interval to check for security intelligence updates                                      True      3
Allows Microsoft Defender Antivirus to update over a metered connection                  True      True
Optional Diagnostic Data Required for Smart App Control etc.                             False
Configure diagnostic data opt-in settings user interface                                 False
Enhanced Phishing Protection                                                             False
Enhanced Phishing Protection: Notify Unsafe App                                          False
Enhanced Phishing Protection: Notify Password Reuse                                      False
Enhanced Phishing Protection: Notify Malicious                                           False
Enhanced Phishing Protection: Capture Threat Window                                      True      1
Purge Items After Delay                                                                  True      1
Maximum size of downloaded files and attachments to be scanned                           True      10000000
Scanning Mapped Network Drives For Full Scan                                             True      0
Scanning Network Files                                                                   True      0
Removable Drive Scanning                                                                 True      0
Reparse Point Scanning                                                                   True      0
Maximum depth to scan archive files                                                      True      4294967295
Check for the latest virus and spyware security intelligence on startup                  True      1
Define the number of days before virus security intelligence is considered out of date   True      2
Define the number of days before spyware security intelligence is considered out of date True      2
Block At First Sight                                                                     True      0
Severe Threat level default action = Remove                                              True      3
High Threat level default action = Remove                                                True      3
Moderate Threat level default action = Quarantine                                        True      2
Low Threat level default action = Quarantine                                             True      2


-------------Attack Surface Reduction Rules Category-------------

FriendlyName                                                                                     Compliant Value
------------                                                                                     --------- -----
Block Office communication application from creating child processes                             False     0
Block process creations originating from PSExec and WMI commands                                 False     0
Block untrusted and unsigned processes that run from USB                                         False     0
Block Win32 API calls from Office macros                                                         False     0
Block Adobe Reader from creating child processes                                                 False     0
Block Office applications from creating executable content                                       False     0
Block all Office applications from creating child processes                                      False     0
Block credential stealing from the Windows local security authority subsystem (lsass.exe)        False     0
Block executable content from email client and webmail                                           False     0
Block executable files from running unless they meet a prevalence; age or trusted list criterion False     0
Block execution of potentially obfuscated scripts                                                False     0
Block persistence through WMI event subscription                                                 False     0
Block Office applications from injecting code into other processes                               False     0
Block abuse of exploited vulnerable signed drivers                                               False     0
Use advanced protection against ransomware                                                       False     0
Block JavaScript or VBScript from launching downloaded executable content                        False     0
Block rebooting machine in Safe Mode                                                             False     0
Block use of copied or impersonated system tools                                                 False     0
Block Webshell creation for Servers                                                              False     0


-------------Bitlocker Category Category-------------

FriendlyName                                                                                 Compliant Value
------------                                                                                 --------- -----
DMA protection                                                                               False     False
Hibernate is set to full                                                                     False     False
Secure OS Drive encryption                                                                   False     False
Disallow Standard User PIN Reset                                                             False
Require additional authentication at startup                                                 False
Don't allow Bitlocker without TPM                                                            False
Don't Allow using TPM alone                                                                  False
Allow using TPM + PIN                                                                        False
Allow using TPM + key                                                                        False
Allow using TPM + Startup Key + PIN                                                          False
Correct Encryption method for OS drive                                                       False
Correct Encryption method for fixed data drives                                              False
Correct Encryption method for removable drives                                               False
Use Enhanced PIN                                                                             False
Full disk encryption for OS drive                                                            False
Full disk encryption for removable drives                                                    False
Prevent access to BitLocker-protected removable data drives from earlier versions of Windows False
Do not install BitLocker To Go Reader on FAT formatted removable drives                      False
Configure minimum PIN length for startup                                                     False
Disallow standby states (S1-S3) when sleeping (plugged in)                                   False
Disallow standby states (S1-S3) when sleeping (on battery)                                   False
Show Hibernate Option                                                                        False


-------------TLS Category-------------

FriendlyName                                 Compliant Value
------------                                 --------- -----
ECC Curves and their positions               False     curve25519, NistP256, NistP384
Configure the correct TLS Cipher Suites      False     False
Disable TLS 1.0 client - Disabled By Default False
Disable TLS 1.0 client - Enabled             False
Disable TLS 1.0 server - Disabled By Default False
Disable TLS 1.0 server - Enabled             False
Disable TLS 1.1 client - Disabled By Default False
Disable TLS 1.1 client - Enabled             False
Disable TLS 1.1 server - Disabled By Default False
Disable TLS 1.1 server - Enabled             False
Disable NULL Cipher Suite                    False
Disable 56/56 Cipher Suite                   False
Disable 40/128 Cipher Suite                  False
Disable RC2 56/128 Cipher Suite              False
Disable RC2 128/128 Cipher Suite             False
Disable RC4 40/128 Cipher Suite              False
Disable RC4 56/128 Cipher Suite              False
Disable RC4 64/128 Cipher Suite              False
Disable RC4 128/128 Cipher Suite             False
Disable Triple DES 168 Cipher Suite          False
Disable MD5 Hashing Algorithm                False


-------------Lock Screen Category-------------

FriendlyName                                                           Compliant Value
------------                                                           --------- -----
Require digits in Windows Hello PIN                                    False
Require lower case letters in Windows Hello PIN                        False
Set Expiration for Windows Hello PIN                                   False
Save history of Windows Hello PIN                                      False
Don't Display Network Selection UI on lock screen                      False
Machine inactivity limit                                               False
Interactive logon: Do not require CTRL+ALT+DEL                         False
Interactive logon: Machine account lockout threshold                   False
Interactive logon: Display user information when the session is locked False
Interactive logon: Don't display username at sign-in                   False
Account lockout threshold                                              True      5
Account lockout duration                                               True      1440
Reset account lockout counter after                                    True      1440
Interactive logon: Don't display last signed-in                        False


-------------User Account Control Category-------------

FriendlyName                                                                    Compliant Value
------------                                                                    --------- -----
Hide Fast User Switching entry points                                           False
UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode False     4,5
UAC: Automatically deny elevation requests on Standard accounts                 False     4,3
UAC: Only elevate executables that are signed and                               False     4,0


-------------Device Guard Category-------------

FriendlyName                                                            Compliant Value
------------                                                            --------- -----
Enable Virtualization Based Security                                    False     False
Require Platform Security Features                                      True      VBS with Secure Boot
Hypervisor Enforced Code Integrity - UEFI Lock                          False     False
Require HVCI MAT (Memory Attribute Table)                               True      True
Credential Guard Configuration - UEFI Lock                              False     False
System Guard Launch                                                     False     False
Configure Kernel Shadow Stacks Launch                                   False
Enable Local Security Authority (LSA) process Protection with UEFI Lock True      1


-------------Windows Firewall Category-------------

FriendlyName                                   Compliant Value
------------                                   --------- -----
mDNS UDP-In Firewall Rules are disabled        False     False
Enable Windows Firewall for Public profile     False
Display notifications for Public profile       False
Configure Log file size for Public profile     False
Log blocked connections for Public profile     False
Configure Log file path for Public profile     False
Enable Windows Firewall for Private profile    False
Display notifications for Private profile      False
Configure Log file size for Private profile    False
Log blocked connections for Private profile    False
Configure Log file path for Private profile    False
Enable Windows Firewall for Domain profile     False
Set Default Outbound Action for Domain profile False
Set Default Inbound Action for Domain profile  False
Block all Domain profile connections           False
Configure Log file path for domain profile     False
Configure Log file size for domain profile     False
Log blocked connections for domain profile     False
Log successful connections for domain profile  False


-------------Optional Windows Features Category-------------

FriendlyName                                                 Compliant Value
------------                                                 --------- -----
PowerShell v2 is disabled                                    False     Enabled
PowerShell v2 Engine is disabled                             False     Enabled
Work Folders client is disabled                              False     Enabled
Internet Printing Client is disabled                         False     Enabled
Windows Media Player (legacy) is disabled                    True      Not Present
Microsoft Defender Application Guard is not present          True      Disabled
Windows Sandbox is enabled                                   False     Disabled
Hyper-V is enabled                                           False     Disabled
WMIC is not present                                          True      Not Present
Internet Explorer mode functionality for Edge is not present True      Not Present
Legacy Notepad is not present                                True      Not Present
WordPad is not present                                       True      Not Present
PowerShell ISE is not present                                True      Not Present
Steps Recorder is not present                                True      Not Present


-------------Windows Networking Category-------------

FriendlyName                                                    Compliant Value
------------                                                    --------- -----
Network Location of all connections set to Public               True      True
Disable Netbios                                                 False
Disable Smart Name Resolution                                   False
Disable Multicast                                               False
Disable HTTP Printing                                           False
Disable Web PnP Download                                        False
Disable LMHOSTS lookup protocol on all network adapters         False     1
Network access: Remotely accessible registry paths              False     7,System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Server Applications,Software\Microsoft\Windows NT\CurrentVersion
Network access: Remotely accessible registry paths and subpaths False     7,System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,Software\Microsoft\Windows NT\CurrentVersion\Print,Software\Microsoft\Windows NT\CurrentVersion\Windows,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration,Software\Microsoft\Windows NT\CurrentVersion\Perflib,System\CurrentControlSet\Services\SysmonLog


-------------Miscellaneous Category-------------

FriendlyName                                                             Compliant Value
------------                                                             --------- -----
All users are part of the Hyper-V Administrators group                   True      True
Disable Location                                                         False
Include command line in process creation events                          False
Disable Location Scripting                                               False
Disable Windows Location Provider                                        False
Enable RPC Endpoint Mapper Client Authentication                         False
Enable Svchost Mitigation                                                False
Boot-Start Driver Initialization Policy set to Good only                 False
Request claims and compound authentication for DAC and Kerberos armoring False
Enable enhanced search in Window                                         False
Set Microsoft Edge (Stable) to update over Metered connections           False
Set Microsoft Edge (Beta) to update over Metered connections             False
Set Microsoft Edge (Dev) to update over Metered connections              False
WinVerifyTrust Signature Validation part 1                               False
WinVerifyTrust Signature Validation part 2                               False
Enable SMB Encryption                                                    False


-------------Windows Update Category-------------

FriendlyName                                                                                      Compliant Value
------------                                                                                      --------- -----
Allow updates to be downloaded automatically over metered connections                             True      1
Enable features introduced via servicing that are off by default                                  True      1
Specify deadlines for automatic updates and restarts                                              True      1
Number of days before quality updates are installed on devices automatically                      True      0
Number of grace period days before quality updates are installed on devices automatically         True      1
Number of days before feature updates are installed on devices automatically                      True      0
Number of grace period days before feature updates are installed on devices automatically         True      1
Set the computer to receive security updates and other important downloads through Windows update True      0
Automatically download updates and install them on maintenance day                                True      4
Install updates during automatic maintenance                                                      True      1
Set scheduled install day to every day                                                            True      0
Set scheduled install time to any time                                                            True      24
Install updates for other Microsoft products                                                      True      1
Enable restart notification for Windows update                                                    True      1


-------------Microsoft Edge Category-------------

FriendlyName                                                                            Compliant Value
------------                                                                            --------- -----
Block 3rd party cookies                                                                 False
Set Dns Over Https Mode to use system DoH settings                                      False
Automatically upgrade HTTP connections to HTTPS                                         False
Enable Encrypted Client Hello                                                           False
Block Basic authentication for HTTP                                                     False
Allow Edge to receive new features even after using policies                            False
Enforces the audio process to run sandboxed                                             False
Recommends that the share additional operating system region setting to be set to never False
Disable TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - (CBC - SHA1)                               False
Disable TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - (CBC - SHA1)                               False
Disable TLS_RSA_WITH_AES_256_CBC_SHA - (NO PFS - CBC - SHA1)                            False
Disable TLS_RSA_WITH_AES_128_CBC_SHA - (NO PFS - CBC - SHA1)                            False
Disable TLS_RSA_WITH_AES_128_GCM_SHA256 - (NO PFS)                                      False
Disable TLS_RSA_WITH_AES_256_GCM_SHA384 - (NO PFS)                                      False


-------------Non-Admin Category-------------

FriendlyName                                                       Compliant Value
------------                                                       --------- -----
Show File extensions                                               False     1
Show hidden files                                                  False     2
Disable websites accessing local language list                     True      1
Turn off safe search in Windows search                             False
Enable Clipboard History                                           False
Enable sync of Clipboard history in Windows between devices        False
Enable Clipboard sync                                              False
Turn on Show text suggestions when typing on the physical keyboard False
Turn on Multilingual text suggestions                              False
Turn off sticky key shortcut of pressing shift key 5 time fast     True      506
Disables show reminders and incoming VoIP calls on the lock screen False


            ⣿⡟⠙⠛⠋⠩⠭⣉⡛⢛⠫⠭⠄⠒⠄⠄⠄⠈⠉⠛⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿
            ⣿⡇⠄⠄⠄⠄⣠⠖⠋⣀⡤⠄⠒⠄⠄⠄⠄⠄⠄⠄⠄⠄⣈⡭⠭⠄⠄⠄⠉⠙
            ⣿⡇⠄⠄⢀⣞⣡⠴⠚⠁⠄⠄⢀⠠⠄⠄⠄⠄⠄⠄⠄⠉⠄⠄⠄⠄⠄⠄⠄⠄
            ⣿⡇⠄⡴⠁⡜⣵⢗⢀⠄⢠⡔⠁⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄
            ⣿⡇⡜⠄⡜⠄⠄⠄⠉⣠⠋⠠⠄⢀⡄⠄⠄⣠⣆⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⢸
            ⣿⠸⠄⡼⠄⠄⠄⠄⢰⠁⠄⠄⠄⠈⣀⣠⣬⣭⣛⠄⠁⠄⡄⠄⠄⠄⠄⠄⢀⣿
            ⣏⠄⢀⠁⠄⠄⠄⠄⠇⢀⣠⣴⣶⣿⣿⣿⣿⣿⣿⡇⠄⠄⡇⠄⠄⠄⠄⢀⣾⣿
            ⣿⣸⠈⠄⠄⠰⠾⠴⢾⣻⣿⣿⣿⣿⣿⣿⣿⣿⣿⢁⣾⢀⠁⠄⠄⠄⢠⢸⣿⣿
            ⣿⣿⣆⠄⠆⠄⣦⣶⣦⣌⣿⣿⣿⣿⣷⣋⣀⣈⠙⠛⡛⠌⠄⠄⠄⠄⢸⢸⣿⣿
            ⣿⣿⣿⠄⠄⠄⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠇⠈⠄⠄⠄⠄⠄⠈⢸⣿⣿
            ⣿⣿⣿⠄⠄⠄⠘⣿⣿⣿⡆⢀⣈⣉⢉⣿⣿⣯⣄⡄⠄⠄⠄⠄⠄⠄⠄⠈⣿⣿
            ⣿⣿⡟⡜⠄⠄⠄⠄⠙⠿⣿⣧⣽⣍⣾⣿⠿⠛⠁⠄⠄⠄⠄⠄⠄⠄⠄⠃⢿⣿
            ⣿⡿⠰⠄⠄⠄⠄⠄⠄⠄⠄⠈⠉⠩⠔⠒⠉⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠐⠘⣿
            ⣿⠃⠃⠄⠄⠄⠄⠄⠄⣀⢀⠄⠄⡀⡀⢀⣤⣴⣤⣤⣀⣀⠄⠄⠄⠄⠄⠄⠁⢹


Your compliance score is 97 out of 263!
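The thread carries two pastes of the module's compliance report, each a set of "Category" blocks with FriendlyName / Compliant / Value rows, plus a long list of "Process Mitigations for:" rows that the Microsoft Defender category writes per executable. The following PowerShell is an added example, not code from the issue or from the Harden Windows Security module: it parses two saved report texts into objects, reports the rows whose Compliant or Value changed between runs, and shows how to clear a single process mitigation for a single executable (the kind of bisection needed to pin a broken feature on one row). The two report snippets are constructed inline from rows seen in this thread, and the `-Apply` switch on the last function is an assumed guard so the default call only previews the `Set-ProcessMitigation` change.

```powershell
# Added example (not from the issue or the module): parse two saved
# compliance-report texts in the format pasted in this thread, list the rows
# whose Compliant/Value changed, and bisect one process mitigation.

# Constructed sample input: two trimmed reports, modelled on the rows above.
$before = @'
-------------Miscellaneous Category-------------

FriendlyName                                            Compliant Value
------------                                            --------- -----
All users are part of the Hyper-V Administrators group  True      True
Disable Location                                        False

-------------Microsoft Defender Category-------------

FriendlyName                                    Compliant Value
------------                                    --------- -----
Process Mitigations for: RuntimeBroker.exe      False
Controlled Folder Access Exclusions             N/A
Smart App Control State                         False     Eval
'@

$after = @'
-------------Miscellaneous Category-------------

FriendlyName                                            Compliant Value
------------                                            --------- -----
All users are part of the Hyper-V Administrators group  False     False
Disable Location                                        False

-------------Microsoft Defender Category-------------

FriendlyName                                    Compliant Value
------------                                    --------- -----
Process Mitigations for: RuntimeBroker.exe      True      DisableExtensionPoints,CFG,StrictCFG,EnforceModuleDependencySigning
Controlled Folder Access Exclusions             N/A
Smart App Control State                         False     Eval
'@

# Turn one report text into objects: Category, FriendlyName, Compliant, Value.
function ConvertFrom-ComplianceReport {
    param([Parameter(Mandatory)][string]$Text)
    $category = 'Uncategorized'
    foreach ($line in ($Text -split "`r?`n")) {
        # "-------------X Category-------------" opens a new block.
        if ($line -match '^-+(?<cat>.+?)\s+Category-+$') { $category = $Matches.cat; continue }
        # Skip blank lines and the two header lines of each table.
        if ([string]::IsNullOrWhiteSpace($line) -or $line -match '^(FriendlyName\s|-{5,})') { continue }
        # A data row: name, two or more spaces, Compliant, optional Value.
        if ($line -match '^(?<name>.+?)\s{2,}(?<compliant>True|False|N/A)(?:\s+(?<value>\S.*?))?\s*$') {
            [pscustomobject]@{
                Category     = $category
                FriendlyName = $Matches.name
                Compliant    = $Matches.compliant
                Value        = if ($Matches.value) { $Matches.value } else { '' }
            }
        }
    }
}

# Emit only the rows whose Compliant or Value differs between two reports.
function Compare-ComplianceReport {
    param([Parameter(Mandatory)][string]$Before, [Parameter(Mandatory)][string]$After)
    $old = @{}
    foreach ($row in ConvertFrom-ComplianceReport -Text $Before) {
        $old["$($row.Category)|$($row.FriendlyName)"] = $row
    }
    foreach ($row in ConvertFrom-ComplianceReport -Text $After) {
        $prev = $old["$($row.Category)|$($row.FriendlyName)"]
        if ($null -eq $prev) { $prev = [pscustomobject]@{ Compliant = '(absent)'; Value = '' } }
        if ($prev.Compliant -ne $row.Compliant -or $prev.Value -ne $row.Value) {
            [pscustomobject]@{
                Category     = $row.Category
                FriendlyName = $row.FriendlyName
                Before       = "$($prev.Compliant) $($prev.Value)".Trim()
                After        = "$($row.Compliant) $($row.Value)".Trim()
            }
        }
    }
}

# Bisecting a "Process Mitigations for:" row. These are per-executable settings
# read and written with Get-/Set-ProcessMitigation, so one mitigation (for
# instance the StrictCFG on RuntimeBroker.exe that the issue title names) can be
# cleared while the rest stay in place. Needs an elevated prompt; -Apply is an
# assumed guard so the default call only previews the change.
function Clear-OneProcessMitigation {
    param(
        [Parameter(Mandatory)][string]$Exe,         # e.g. RuntimeBroker.exe
        [Parameter(Mandatory)][string]$Mitigation,  # e.g. StrictCFG
        [switch]$Apply
    )
    # The CFG group of the returned object carries Enable, SuppressExports and StrictCFG.
    $current = Get-ProcessMitigation -Name $Exe
    Write-Output "Current CFG group for ${Exe}:"
    Write-Output ($current.CFG | Out-String)
    if ($Apply) {
        Set-ProcessMitigation -Name $Exe -Disable $Mitigation
        Write-Output "After change:"
        Write-Output ((Get-ProcessMitigation -Name $Exe).CFG | Out-String)
    } else {
        Write-Output "Preview only. Would run: Set-ProcessMitigation -Name $Exe -Disable $Mitigation"
    }
}

Compare-ComplianceReport -Before $before -After $after | Format-Table -AutoSize
# Clear-OneProcessMitigation -Exe RuntimeBroker.exe -Mitigation StrictCFG          # preview
# Clear-OneProcessMitigation -Exe RuntimeBroker.exe -Mitigation StrictCFG -Apply   # elevated
```

On the constructed sample the comparison reports two rows: the Hyper-V Administrators group row (True/True to False/False) and the RuntimeBroker.exe mitigations row, whose Compliant flag flips to True once the mitigation list is present. To diff real runs, capture each report with `Out-File` and pass the file contents in place of the two here-strings. Process-mitigation changes only affect processes started after the change, so sign out or reboot before re-testing the search UI, and re-enable the mitigation (`Set-ProcessMitigation -Name <exe> -Enable <mitigation>`) once the bisection is done.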

@HenkPoley
Contributor Author

I can run Protect-WindowsSecurity -GUI and apply the 'Microsoft Defender' rules, which breaks the search GUI ⬅️.

I'll diff this in a jiffy:

-------------Microsoft Defender Category-------------

FriendlyName                                                                             Compliant Value
------------                                                                             --------- -----
Mandatory ASLR                                                                           True      ON
Process Mitigations for: msedge.exe                                                      True      DisableExtensionPoints,CFG,StrictCFG,MicrosoftSignedOnly,AllowStoreSignedBinaries,EnforceModuleDependencySigning,BlockRemoteImageLoads,BlockLowLabelImageLoads,UserShadowStack,UserShadowStackStrictMode
Process Mitigations for: explorer.exe                                                    True      StrictHandle,DisableExtensionPoints
Process Mitigations for: vmcompute.exe                                                   True      CFG,StrictCFG
Process Mitigations for: vmwp.exe                                                        True      CFG,StrictCFG
Process Mitigations for: QuickAssist.exe                                                 True      DisableExtensionPoints,StrictHandle,BlockDynamicCode,MicrosoftSignedOnly,AllowStoreSignedBinaries,EnforceModuleDependencySigning,DisableNonSystemFonts,BlockRemoteImageLoads,BlockLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,UserShadowStack,UserShadowStackStrictMode
Process Mitigations for: Acrobat.exe                                                     True      ForceRelocateImages,RequireInfo,StrictHandle,EnforceModuleDependencySigning,DisableNonSystemFonts,BlockRemoteImageLoads,BlockLowLabelImageLoads,EnableRopStackPivot,EnableRopCallerCheck,UserShadowStack
Process Mitigations for: OneDrive.exe                                                    True      StrictHandle,DisableExtensionPoints,MicrosoftSignedOnly,AllowStoreSignedBinaries,EnforceModuleDependencySigning,EnableRopStackPivot,EnableRopCallerCheck
Process Mitigations for: EXCEL.EXE                                                       True      StrictHandle,DisableExtensionPoints,MicrosoftSignedOnly,AllowStoreSignedBinaries,EnforceModuleDependencySigning,EnableRopStackPivot,EnableRopCallerCheck
Process Mitigations for: MSACCESS.EXE                                                    True      StrictHandle,DisableExtensionPoints,MicrosoftSignedOnly,AllowStoreSignedBinaries,EnforceModuleDependencySigning,EnableRopStackPivot,EnableRopCallerCheck
Process Mitigations for: MSPUB.EXE                                                       True      StrictHandle,DisableExtensionPoints,MicrosoftSignedOnly,AllowStoreSignedBinaries,EnforceModuleDependencySigning,EnableRopStackPivot,EnableRopCallerCheck
Process Mitigations for: ONENOTE.EXE                                                     True      StrictHandle,DisableExtensionPoints,MicrosoftSignedOnly,AllowStoreSignedBinaries,EnforceModuleDependencySigning,EnableRopStackPivot,EnableRopCallerCheck
Process Mitigations for: OUTLOOK.EXE                                                     True      StrictHandle,DisableExtensionPoints,MicrosoftSignedOnly,AllowStoreSignedBinaries,EnforceModuleDependencySigning,EnableRopStackPivot,EnableRopCallerCheck
Process Mitigations for: POWERPNT.EXE                                                    True      StrictHandle,DisableExtensionPoints,MicrosoftSignedOnly,AllowStoreSignedBinaries,EnforceModuleDependencySigning,EnableRopStackPivot,EnableRopCallerCheck
Process Mitigations for: WINWORD.EXE                                                     True      StrictHandle,DisableExtensionPoints,MicrosoftSignedOnly,AllowStoreSignedBinaries,EnforceModuleDependencySigning,EnableRopStackPivot,EnableRopCallerCheck
Process Mitigations for: lsass.exe                                                       True      DisableExtensionPoints,BlockDynamicCode,DisallowChildProcessCreation,BlockRemoteImageLoads,MicrosoftSignedOnly
Process Mitigations for: SmartScreen.exe                                                 True      DisableExtensionPoints,CFG,StrictCFG,MicrosoftSignedOnly
Process Mitigations for: Regsvr32.exe                                                    True      BlockLowLabelImageLoads
Process Mitigations for: WindowsSandbox.exe                                              True      StrictHandle,DisableExtensionPoints,CFG,StrictCFG,MicrosoftSignedOnly,EnforceModuleDependencySigning,BlockRemoteImageLoads,BlockLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus
Process Mitigations for: WindowsSandboxClient.exe                                        True      StrictHandle,DisableExtensionPoints,CFG,StrictCFG,MicrosoftSignedOnly,EnforceModuleDependencySigning,BlockRemoteImageLoads,BlockLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus
Process Mitigations for: RuntimeBroker.exe                                               True      DisableExtensionPoints,CFG,StrictCFG,EnforceModuleDependencySigning
Process Mitigations for: msedgewebview2.exe                                              True      DisableExtensionPoints,CFG,StrictCFG,EnforceModuleDependencySigning
Process Mitigations for: csrss.exe                                                       True      BlockRemoteImageLoads
Process Mitigations for: services.exe                                                    True      BlockRemoteImageLoads
Process Mitigations for: rundll32.exe                                                    True      BlockRemoteImageLoads,BlockLowLabelImageLoads
Process Mitigations for: SMSS.exe                                                        True      BlockRemoteImageLoads
Process Mitigations for: Wininit.exe                                                     True      BlockRemoteImageLoads
Process Mitigations for: NisSrv.exe                                                      True      MicrosoftSignedOnly
Fast weekly Microsoft recommended driver block list update                               False     False
Microsoft Defender Platform Updates Channel                                              N/A       NotConfigured
Microsoft Defender Engine Updates Channel                                                N/A       NotConfigured
Controlled Folder Access Exclusions                                                      N/A
Allow Switch To Async Inspection                                                         True      True
OOBE Enable Rtp And Sig Update                                                           True      True
Intel TDT Enabled                                                                        True      True
Smart App Control State                                                                  False     Eval
Controlled Folder Access                                                                 True      1
Enable Restore Point scanning                                                            True      True
Performance Mode Status                                                                  True      0
Enable Convert Warn To Block                                                             True      True
BruteForce Protection Aggressiveness                                                     True      1
BruteForce Protection Max Block Time                                                     True      0
BruteForce Protection Configured State                                                   True      1
Remote Encryption Protection Max Block Time                                              True      0
Remote Encryption Protection Aggressiveness                                              True      2
Remote Encryption Protection Configured State                                            True      1
Cloud Block Level                                                                        True      6
Email Scanning                                                                           True      True
Send file samples when further analysis is required                                      True      3
Join Microsoft MAPS (aka SpyNet)                                                         True      2
File Hash Computation                                                                    True      True
Extended cloud check (Seconds)                                                           True      50
Detection for potentially unwanted applications                                          False     2
Catchup Quick Scan                                                                       True      True
Check For Signatures Before Running Scan                                                 True      True
Enable Network Protection                                                                True      1
Interval to check for security intelligence updates                                      True      3
Allows Microsoft Defender Antivirus to update over a metered connection                  True      True
Optional Diagnostic Data Required for Smart App Control etc.                             False
Configure diagnostic data opt-in settings user interface                                 False
Enhanced Phishing Protection                                                             False
Enhanced Phishing Protection: Notify Unsafe App                                          False
Enhanced Phishing Protection: Notify Password Reuse                                      False
Enhanced Phishing Protection: Notify Malicious                                           False
Enhanced Phishing Protection: Capture Threat Window                                      True      1
Purge Items After Delay                                                                  True      1
Maximum size of downloaded files and attachments to be scanned                           True      10000000
Scanning Mapped Network Drives For Full Scan                                             True      0
Scanning Network Files                                                                   True      0
Removable Drive Scanning                                                                 True      0
Reparse Point Scanning                                                                   True      0
Maximum depth to scan archive files                                                      True      4294967295
Check for the latest virus and spyware security intelligence on startup                  True      1
Define the number of days before virus security intelligence is considered out of date   True      2
Define the number of days before spyware security intelligence is considered out of date True      2
Block At First Sight                                                                     True      0
Severe Threat level default action = Remove                                              True      3
High Threat level default action = Remove                                                True      3
Moderate Threat level default action = Quarantine                                        True      2
Low Threat level default action = Quarantine                                             True      2


-------------Attack Surface Reduction Rules Category-------------

FriendlyName                                                                                     Compliant Value
------------                                                                                     --------- -----
Block Office communication application from creating child processes                             False     0
Block process creations originating from PSExec and WMI commands                                 False     0
Block untrusted and unsigned processes that run from USB                                         False     0
Block Win32 API calls from Office macros                                                         False     0
Block Adobe Reader from creating child processes                                                 False     0
Block Office applications from creating executable content                                       False     0
Block all Office applications from creating child processes                                      False     0
Block credential stealing from the Windows local security authority subsystem (lsass.exe)        False     0
Block executable content from email client and webmail                                           False     0
Block executable files from running unless they meet a prevalence; age or trusted list criterion False     0
Block execution of potentially obfuscated scripts                                                False     0
Block persistence through WMI event subscription                                                 False     0
Block Office applications from injecting code into other processes                               False     0
Block abuse of exploited vulnerable signed drivers                                               False     0
Use advanced protection against ransomware                                                       False     0
Block JavaScript or VBScript from launching downloaded executable content                        False     0
Block rebooting machine in Safe Mode                                                             False     0
Block use of copied or impersonated system tools                                                 False     0
Block Webshell creation for Servers                                                              False     0


-------------Bitlocker Category-------------

FriendlyName                                                                                 Compliant Value
------------                                                                                 --------- -----
DMA protection                                                                               False     False
Hibernate is set to full                                                                     False     False
Secure OS Drive encryption                                                                   False     False
Disallow Standard User PIN Reset                                                             False
Require additional authentication at startup                                                 False
Don't allow Bitlocker without TPM                                                            False
Don't Allow using TPM alone                                                                  False
Allow using TPM + PIN                                                                        False
Allow using TPM + key                                                                        False
Allow using TPM + Startup Key + PIN                                                          False
Correct Encryption method for OS drive                                                       False
Correct Encryption method for fixed data drives                                              False
Correct Encryption method for removable drives                                               False
Use Enhanced PIN                                                                             False
Full disk encryption for OS drive                                                            False
Full disk encryption for removable drives                                                    False
Prevent access to BitLocker-protected removable data drives from earlier versions of Windows False
Do not install BitLocker To Go Reader on FAT formatted removable drives                      False
Configure minimum PIN length for startup                                                     False
Disallow standby states (S1-S3) when sleeping (plugged in)                                   False
Disallow standby states (S1-S3) when sleeping (on battery)                                   False
Show Hibernate Option                                                                        False


-------------TLS Category-------------

FriendlyName                                 Compliant Value
------------                                 --------- -----
ECC Curves and their positions               False     curve25519, NistP256, NistP384
Configure the correct TLS Cipher Suites      False     False
Disable TLS 1.0 client - Disabled By Default False
Disable TLS 1.0 client - Enabled             False
Disable TLS 1.0 server - Disabled By Default False
Disable TLS 1.0 server - Enabled             False
Disable TLS 1.1 client - Disabled By Default False
Disable TLS 1.1 client - Enabled             False
Disable TLS 1.1 server - Disabled By Default False
Disable TLS 1.1 server - Enabled             False
Disable NULL Cipher Suite                    False
Disable 56/56 Cipher Suite                   False
Disable 40/128 Cipher Suite                  False
Disable RC2 56/128 Cipher Suite              False
Disable RC2 128/128 Cipher Suite             False
Disable RC4 40/128 Cipher Suite              False
Disable RC4 56/128 Cipher Suite              False
Disable RC4 64/128 Cipher Suite              False
Disable RC4 128/128 Cipher Suite             False
Disable Triple DES 168 Cipher Suite          False
Disable MD5 Hashing Algorithm                False


-------------Lock Screen Category-------------

FriendlyName                                                           Compliant Value
------------                                                           --------- -----
Require digits in Windows Hello PIN                                    False
Require lower case letters in Windows Hello PIN                        False
Set Expiration for Windows Hello PIN                                   False
Save history of Windows Hello PIN                                      False
Don't Display Network Selection UI on lock screen                      False
Machine inactivity limit                                               False
Interactive logon: Do not require CTRL+ALT+DEL                         False
Interactive logon: Machine account lockout threshold                   False
Interactive logon: Display user information when the session is locked False
Interactive logon: Don't display username at sign-in                   False
Account lockout threshold                                              True      5
Account lockout duration                                               True      1440
Reset account lockout counter after                                    True      1440
Interactive logon: Don't display last signed-in                        False


-------------User Account Control Category-------------

FriendlyName                                                                    Compliant Value
------------                                                                    --------- -----
Hide Fast User Switching entry points                                           False
UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode False     4,5
UAC: Automatically deny elevation requests on Standard accounts                 False     4,3
UAC: Only elevate executables that are signed and                               False     4,0


-------------Device Guard Category-------------

FriendlyName                                                            Compliant Value
------------                                                            --------- -----
Enable Virtualization Based Security                                    False     False
Require Platform Security Features                                      True      VBS with Secure Boot
Hypervisor Enforced Code Integrity - UEFI Lock                          False     False
Require HVCI MAT (Memory Attribute Table)                               True      True
Credential Guard Configuration - UEFI Lock                              False     False
System Guard Launch                                                     False     False
Configure Kernel Shadow Stacks Launch                                   False
Enable Local Security Authority (LSA) process Protection with UEFI Lock True      1


-------------Windows Firewall Category-------------

FriendlyName                                   Compliant Value
------------                                   --------- -----
mDNS UDP-In Firewall Rules are disabled        False     False
Enable Windows Firewall for Public profile     False
Display notifications for Public profile       False
Configure Log file size for Public profile     False
Log blocked connections for Public profile     False
Configure Log file path for Public profile     False
Enable Windows Firewall for Private profile    False
Display notifications for Private profile      False
Configure Log file size for Private profile    False
Log blocked connections for Private profile    False
Configure Log file path for Private profile    False
Enable Windows Firewall for Domain profile     False
Set Default Outbound Action for Domain profile False
Set Default Inbound Action for Domain profile  False
Block all Domain profile connections           False
Configure Log file path for domain profile     False
Configure Log file size for domain profile     False
Log blocked connections for domain profile     False
Log successful connections for domain profile  False


-------------Optional Windows Features Category-------------

FriendlyName                                                 Compliant Value
------------                                                 --------- -----
PowerShell v2 is disabled                                    False     Enabled
PowerShell v2 Engine is disabled                             False     Enabled
Work Folders client is disabled                              False     Enabled
Internet Printing Client is disabled                         False     Enabled
Windows Media Player (legacy) is disabled                    True      Not Present
Microsoft Defender Application Guard is not present          True      Disabled
Windows Sandbox is enabled                                   False     Disabled
Hyper-V is enabled                                           False     Disabled
WMIC is not present                                          True      Not Present
Internet Explorer mode functionality for Edge is not present True      Not Present
Legacy Notepad is not present                                True      Not Present
WordPad is not present                                       True      Not Present
PowerShell ISE is not present                                True      Not Present
Steps Recorder is not present                                True      Not Present


-------------Windows Networking Category-------------

FriendlyName                                                    Compliant Value
------------                                                    --------- -----
Network Location of all connections set to Public               True      True
Disable Netbios                                                 False
Disable Smart Name Resolution                                   False
Disable Multicast                                               False
Disable HTTP Printing                                           False
Disable Web PnP Download                                        False
Disable LMHOSTS lookup protocol on all network adapters         False     1
Network access: Remotely accessible registry paths              False     7,System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Server Applications,Software\Microsoft\Windows NT\CurrentVersion
Network access: Remotely accessible registry paths and subpaths False     7,System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,Software\Microsoft\Windows NT\CurrentVersion\Print,Software\Microsoft\Windows NT\CurrentVersion\Windows,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration,Software\Microsoft\Windows NT\CurrentVersion\Perflib,System\CurrentControlSet\Services\SysmonLog


-------------Miscellaneous Category-------------

FriendlyName                                                             Compliant Value
------------                                                             --------- -----
All users are part of the Hyper-V Administrators group                   False     False
Disable Location                                                         False
Include command line in process creation events                          False
Disable Location Scripting                                               False
Disable Windows Location Provider                                        False
Enable RPC Endpoint Mapper Client Authentication                         False
Enable Svchost Mitigation                                                False
Boot-Start Driver Initialization Policy set to Good only                 False
Request claims and compound authentication for DAC and Kerberos armoring False
Enable enhanced search in Window                                         False
Set Microsoft Edge (Stable) to update over Metered connections           False
Set Microsoft Edge (Beta) to update over Metered connections             False
Set Microsoft Edge (Dev) to update over Metered connections              False
WinVerifyTrust Signature Validation part 1                               False
WinVerifyTrust Signature Validation part 2                               False
Enable SMB Encryption                                                    False


-------------Windows Update Category-------------

FriendlyName                                                                                      Compliant Value
------------                                                                                      --------- -----
Allow updates to be downloaded automatically over metered connections                             True      1
Enable features introduced via servicing that are off by default                                  True      1
Specify deadlines for automatic updates and restarts                                              True      1
Number of days before quality updates are installed on devices automatically                      True      0
Number of grace period days before quality updates are installed on devices automatically         True      1
Number of days before feature updates are installed on devices automatically                      True      0
Number of grace period days before feature updates are installed on devices automatically         True      1
Set the computer to receive security updates and other important downloads through Windows update True      0
Automatically download updates and install them on maintenance day                                True      4
Install updates during automatic maintenance                                                      True      1
Set scheduled install day to every day                                                            True      0
Set scheduled install time to any time                                                            True      24
Install updates for other Microsoft products                                                      True      1
Enable restart notification for Windows update                                                    True      1


-------------Microsoft Edge Category-------------

FriendlyName                                                                            Compliant Value
------------                                                                            --------- -----
Block 3rd party cookies                                                                 False
Set Dns Over Https Mode to use system DoH settings                                      False
Automatically upgrade HTTP connections to HTTPS                                         False
Enable Encrypted Client Hello                                                           False
Block Basic authentication for HTTP                                                     False
Allow Edge to receive new features even after using policies                            False
Enforces the audio process to run sandboxed                                             False
Recommends that the share additional operating system region setting to be set to never False
Disable TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - (CBC - SHA1)                               False
Disable TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - (CBC - SHA1)                               False
Disable TLS_RSA_WITH_AES_256_CBC_SHA - (NO PFS - CBC - SHA1)                            False
Disable TLS_RSA_WITH_AES_128_CBC_SHA - (NO PFS - CBC - SHA1)                            False
Disable TLS_RSA_WITH_AES_128_GCM_SHA256 - (NO PFS)                                      False
Disable TLS_RSA_WITH_AES_256_GCM_SHA384 - (NO PFS)                                      False


-------------Non-Admin Category-------------

FriendlyName                                                       Compliant Value
------------                                                       --------- -----
Show File extensions                                               False     1
Show hidden files                                                  False     2
Disable websites accessing local language list                     True      1
Turn off safe search in Windows search                             False
Enable Clipboard History                                           False
Enable sync of Clipboard history in Windows between devices        False
Enable Clipboard sync                                              False
Turn on Show text suggestions when typing on the physical keyboard False
Turn on Multilingual text suggestions                              False
Turn off sticky key shortcut of pressing shift key 5 time fast     True      506
Disables show reminders and incoming VoIP calls on the lock screen False



Your compliance score is 99 out of 263!

@HenkPoley (Contributor, Author) commented Aug 14, 2024

Green = broken

% diff -u Confirm-SystemCompliance.1.search-works.txt Confirm-SystemCompliance.2.search-broken.txt 
--- Confirm-SystemCompliance.1.search-works.txt	2024-08-14 12:05:02.750363387 +0200
+++ Confirm-SystemCompliance.2.search-broken.txt	2024-08-14 12:05:24.384680063 +0200
@@ -4,7 +4,7 @@
 ------------                                                                             --------- -----
 Mandatory ASLR                                                                           True      ON
 Process Mitigations for: msedge.exe                                                      True      DisableExtensionPoints,CFG,StrictCFG,MicrosoftSignedOnly,AllowStoreSignedBinaries,EnforceModuleDependencySigning,BlockRemoteImageLoads,BlockLowLabelImageLoads,UserShadowStack,UserShadowStackStrictMode
-Process Mitigations for: explorer.exe                                                    False     N/A
+Process Mitigations for: explorer.exe                                                    True      StrictHandle,DisableExtensionPoints
 Process Mitigations for: vmcompute.exe                                                   True      CFG,StrictCFG
 Process Mitigations for: vmwp.exe                                                        True      CFG,StrictCFG
 Process Mitigations for: QuickAssist.exe                                                 True      DisableExtensionPoints,StrictHandle,BlockDynamicCode,MicrosoftSignedOnly,AllowStoreSignedBinaries,EnforceModuleDependencySigning,DisableNonSystemFonts,BlockRemoteImageLoads,BlockLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus,EnableImportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,UserShadowStack,UserShadowStackStrictMode
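Review bot: with "Green = broken" the `+` side of this diff is the failing configuration, so the explorer.exe change from `N/A` to `StrictHandle,DisableExtensionPoints` is a mitigation newly applied to the process that owns the taskbar search box, and it belongs on the suspect list next to the RuntimeBroker.exe and rundll32.exe changes further down until it has been ruled out on its own; the rest of this hunk (msedge.exe, vmcompute.exe, vmwp.exe, QuickAssist.exe) is unchanged context.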
@@ -22,18 +22,18 @@
 Process Mitigations for: Regsvr32.exe                                                    True      BlockLowLabelImageLoads
 Process Mitigations for: WindowsSandbox.exe                                              True      StrictHandle,DisableExtensionPoints,CFG,StrictCFG,MicrosoftSignedOnly,EnforceModuleDependencySigning,BlockRemoteImageLoads,BlockLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus
 Process Mitigations for: WindowsSandboxClient.exe                                        True      StrictHandle,DisableExtensionPoints,CFG,StrictCFG,MicrosoftSignedOnly,EnforceModuleDependencySigning,BlockRemoteImageLoads,BlockLowLabelImageLoads,EnableExportAddressFilter,EnableExportAddressFilterPlus
-Process Mitigations for: RuntimeBroker.exe                                               False     DisableExtensionPoints
+Process Mitigations for: RuntimeBroker.exe                                               True      DisableExtensionPoints,CFG,StrictCFG,EnforceModuleDependencySigning
 Process Mitigations for: msedgewebview2.exe                                              True      DisableExtensionPoints,CFG,StrictCFG,EnforceModuleDependencySigning
 Process Mitigations for: csrss.exe                                                       True      BlockRemoteImageLoads
 Process Mitigations for: services.exe                                                    True      BlockRemoteImageLoads
-Process Mitigations for: rundll32.exe                                                    False     N/A
+Process Mitigations for: rundll32.exe                                                    True      BlockRemoteImageLoads,BlockLowLabelImageLoads
 Process Mitigations for: SMSS.exe                                                        True      BlockRemoteImageLoads
 Process Mitigations for: Wininit.exe                                                     True      BlockRemoteImageLoads
 Process Mitigations for: NisSrv.exe                                                      True      MicrosoftSignedOnly
 Fast weekly Microsoft recommended driver block list update                               False     False
 Microsoft Defender Platform Updates Channel                                              N/A       NotConfigured
 Microsoft Defender Engine Updates Channel                                                N/A       NotConfigured
-Controlled Folder Access Exclusions                                                      N/A       C:\Program Files\PowerShell\7\createdump.exe, C:\Program Files\PowerShell\7\pwsh.exe, C:\Windows\System32\powercfg.exe
+Controlled Folder Access Exclusions                                                      N/A
 Allow Switch To Async Inspection                                                         True      True
 OOBE Enable Rtp And Sig Update                                                           True      True
 Intel TDT Enabled                                                                        True      True
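Review bot: the RuntimeBroker.exe line is the one to look at: the broken run adds `CFG,StrictCFG,EnforceModuleDependencySigning` on top of `DisableExtensionPoints`, and StrictCFG is exactly what the later bisection in this thread pins the Search failure on. Separately, the `Controlled Folder Access Exclusions` line drops the createdump.exe, pwsh.exe and powercfg.exe exclusions between the two runs; that is unrelated to Search, but the report shows it as `N/A` rather than as a regression, so it would go unnoticed without this diff and deserves its own check.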
@@ -272,7 +272,7 @@
 
 FriendlyName                                                             Compliant Value
 ------------                                                             --------- -----
-All users are part of the Hyper-V Administrators group                   True      True
+All users are part of the Hyper-V Administrators group                   False     False
 Disable Location                                                         False
 Include command line in process creation events                          False
 Disable Location Scripting                                               False
@@ -363,4 +363,4 @@
             ⣿⠃⠃⠄⠄⠄⠄⠄⠄⣀⢀⠄⠄⡀⡀⢀⣤⣴⣤⣤⣀⣀⠄⠄⠄⠄⠄⠄⠁⢹
 
 
-Your compliance score is 97 out of 263!
+Your compliance score is 99 out of 263!
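Review bot: the score rises from 97 to 99 while Search stops working, so the compliance total credits the StrictCFG line from the earlier hunk with no signal that the mitigation broke functionality; a higher score is not evidence of a healthy configuration, and the manual before/after check (open Start, type) that produced this diff is the test that actually caught the problem.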

@HenkPoley (Contributor, Author) commented Aug 14, 2024

That dials it down considerably.

I'll be flipping these settings in the Windows Defender Exploit Protection GUI.

The Exploit Protection feature that breaks the Windows Search GUI (on Dutch ARM Windows 11):

RuntimeBroker.exe StrictCFG

I can disable this one setting, log out and log back in (no reboot), and the Windows Search GUI works again.

@HenkPoley (Contributor, Author) commented Aug 14, 2024

Use strict CFG - In strict mode, all binaries loaded into the process must be compiled for Control Flow Guard (or have no executable code in them - such as resource dlls) in order to be loaded.
Note
Control flow guard has no audit mode. Binaries are compiled with this mitigation enabled.

Src: https://learn.microsoft.com/en-us/defender-endpoint/exploit-protection-reference#configuration-options-5

If I'm reading this correctly, Microsoft might have forgotten to compile in CFG for some DLL?

Or it crashes due to a control flow violation of course. Where would you find that in Event Viewer?

Some more:

To verify that your binary has CFG data, use the dumpbin /headers /loadconfig command. CFG-enabled binaries have Guard in the list of EXE or DLL characteristics, and Guard Flags include CF Instrumented and FID table present.

Src: https://learn.microsoft.com/en-us/cpp/build/reference/guard-enable-control-flow-guard?view=msvc-170

dumpbin is installed with the "Desktop development with C++" workload from Visual Studio Build Tools 2022. I'll have to track all DLLs loaded by RuntimeBroker.exe (e.g. look them up with Process Explorer).

Hey look, Process Explorer has a 'Control Flow Guard' column in the Lower Pane, DLL tab.
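The DLL audit this comment describes, scripted as an added example (not code from this issue or from the Harden Windows Security module; the function names are mine): it reads the same Guard bit that dumpbin /headers reports for every module a running RuntimeBroker.exe has loaded, and treats code-less resource DLLs as allowed, as the strict-mode description quoted above says. It assumes an elevated PowerShell on the affected machine with StrictCFG turned off for RuntimeBroker.exe, so the modules in question are actually loaded.

```powershell
# Added example, not code from this issue or from the Harden Windows Security
# module: list the modules a running process has loaded and report which of
# them were built without Control Flow Guard. Under Strict CFG those are the
# images the loader refuses, unless they carry no code at all (resource DLLs).
# The check reads IMAGE_DLLCHARACTERISTICS_GUARD_CF (0x4000) from the PE
# optional header, the same bit dumpbin /headers prints as "Guard".
function Get-CfgStatus {
    param([Parameter(Mandatory)][string]$Path)
    # Loaded images cannot be opened for writing; open read-only with full sharing.
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $br = New-Object System.IO.BinaryReader($fs)
        $null = $fs.Seek(0x3C, 'Begin')                  # DOS header: e_lfanew
        $peOffset = $br.ReadInt32()
        $null = $fs.Seek($peOffset, 'Begin')
        if ($br.ReadUInt32() -ne 0x00004550) { throw "Not a PE image: $Path" }  # "PE\0\0"
        $optHdr = $peOffset + 4 + 20                     # signature + COFF file header
        $null = $fs.Seek($optHdr + 4, 'Begin')           # SizeOfCode (PE32 and PE32+ alike)
        $sizeOfCode = $br.ReadUInt32()
        $null = $fs.Seek($optHdr + 70, 'Begin')          # DllCharacteristics (both formats)
        $dllChars = $br.ReadUInt16()
        if (($dllChars -band 0x4000) -ne 0) { return 'CFG' }
        if ($sizeOfCode -eq 0) { return 'ResourceOnly' } # no executable code: strict mode still loads it
        return 'NoCFG'
    }
    finally { $fs.Dispose() }
}

function Get-NonCfgModule {
    param([string]$ProcessName = 'RuntimeBroker')
    # Several RuntimeBroker.exe instances normally run; inspect all of them and
    # emit one row per module that would fail the strict-mode check.
    Get-Process -Name $ProcessName -ErrorAction Stop | ForEach-Object {
        $proc = $_
        foreach ($m in $proc.Modules) {
            try   { $status = Get-CfgStatus -Path $m.FileName }
            catch { $status = "Error: $($_.Exception.Message)" }
            if ($status -ne 'CFG' -and $status -ne 'ResourceOnly') {
                [pscustomobject]@{
                    ProcessId = $proc.Id
                    Module    = $m.ModuleName
                    Path      = $m.FileName
                    Status    = $status
                }
            }
        }
    }
}

# Run while StrictCFG is off for RuntimeBroker.exe so the suspect modules load;
# each row is a candidate for the image strict mode would block.
Get-NonCfgModule -ProcessName 'RuntimeBroker' |
    Sort-Object Path -Unique |
    Format-Table ProcessId, Module, Status, Path -AutoSize
```

Any path listed as NoCFG can then be confirmed with dumpbin /headers /loadconfig, which also shows the fuller Guard Flags (CF Instrumented, FID table present) that this header bit only stands in for.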

@HotCakeX HotCakeX reopened this Aug 14, 2024
@HotCakeX HotCakeX changed the title from "[Bug]: Attack Surface Reduction rules breaks Windows Search GUI" to "[Bug]: RuntimeBroker.exe StrictCFG not compatible with Windows 11 on ARM hardware (virtualized)" Aug 14, 2024
@HotCakeX (Owner) commented

@HenkPoley Very nice research and find, thanks for doing that. I'm thinking about not using the StrictCFG mitigation for RuntimeBroker.exe when ARM hardware is detected, but let me know if you have other ideas to work around it.

@HenkPoley (Contributor, Author) commented

IMHO Microsoft should fix this. But for the time being you can add a "This breaks Windows Search" checkbox to the righthand column 🤣

@HotCakeX (Owner) commented Aug 14, 2024

Good idea, I'll be adding tooltips to the right-hand sub-categories column for more info in the upcoming design change! 😊🙏

We can file feedback for it in the Feedback Hub too, but I think letting one of the Windows developers working on ARM know about this will get it fixed sooner.

@HenkPoley (Contributor, Author) commented Aug 14, 2024

Now to wonder what triggers this. Found some culprits with relation to RuntimeBroker.exe, the Control Flow Guard column is empty (no 'CFG', and neither 'n/a'):

[three screenshots attached in the original issue]

@HenkPoley (Contributor, Author) commented Aug 14, 2024

Wouldn't be surprised if C:\Windows\System32\pm0013.dll "Microsoft Dutch Language Data and Code" is blocked from loading in strict CFG mode, and thus there is no GUI.

@HenkPoley (Contributor, Author) commented

Do you happen to have a reason for setting Strict CFG on RuntimeBroker.exe?

I mean, does Microsoft claim it should work?

@HotCakeX (Owner) commented

System Informer usually shows more info about the processes, especially when you enable its kernel-mode driver in the settings
https://www.systeminformer.com/downloads

I remember seeing this in one of the old insider preview release notes
https://blogs.windows.com/windows-insider/2024/07/26/announcing-windows-11-insider-preview-build-22635-4000-beta-channel/

We are rolling out an update to the Widgets Board to improve security and the APIs for creating widgets and feeds for users in EEA regions. As part of this update, the Microsoft Start Experiences app will power the Microsoft Start widget and feed experiences.

Maybe not related or maybe that change triggered something, i just remember seeing it.

Strict CFG for RuntimeBroker.exe works on x64 systems, that's why I never caught it (don't have ARM devices atm). As for the reason, in the CSV file they're talked about briefly, but it's basically what the reference page mentions: since CFG is enabled by default and Strict CFG worked, and because it enforces the mitigations on the binaries loaded by RuntimeBroker.exe, I enabled it. I will be conditionally enabling it instead. Hopefully that's the only mitigation that's incompatible on the ARM version.
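The conditional approach described above, as an added example that is not the module's own code (the function name is mine; it assumes the built-in ProcessMitigations cmdlets, the RuntimeBroker.exe mitigation set shown in the compliance report, and an elevated session):

```powershell
# Added example: apply the RuntimeBroker.exe mitigation set from the compliance
# report, but leave StrictCFG out on Windows on ARM, where this issue shows it
# breaks the Windows Search GUI. Set-ProcessMitigation is the built-in cmdlet
# behind the Exploit Protection GUI and needs an elevated session.
function Set-RuntimeBrokerMitigation {
    $wanted = @('DisableExtensionPoints', 'CFG', 'StrictCFG', 'EnforceModuleDependencySigning')
    $arch = [System.Runtime.InteropServices.RuntimeInformation]::OSArchitecture
    $isArm64 = ($arch -eq [System.Runtime.InteropServices.Architecture]::Arm64)

    if ($isArm64) {
        Write-Warning 'ARM64 host: not applying StrictCFG to RuntimeBroker.exe (see issue #318)'
        $wanted = $wanted | Where-Object { $_ -ne 'StrictCFG' }
        # Explicitly turn strict mode off, in case an earlier run left it enabled.
        Set-ProcessMitigation -Name 'RuntimeBroker.exe' -Disable StrictCFG
    }
    Set-ProcessMitigation -Name 'RuntimeBroker.exe' -Enable $wanted
    # Return the resulting per-process settings so the caller can review them.
    Get-ProcessMitigation -Name 'RuntimeBroker.exe'
}

Set-RuntimeBrokerMitigation
```

On x64 the full set including StrictCFG is applied unchanged; on ARM64 the remaining three mitigations still go on, so the process is not left entirely unprotected.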

@HenkPoley (Contributor, Author) commented

I think there is a similar issue with OneDrive.exe (which I noticed did not start anymore).

@HotCakeX (Owner) commented

> I think there is a similar issue with OneDrive.exe (which I noticed did not start anymore).

Well, I'm beginning to think that for the ARM architecture it's better to skip the process mitigations entirely, just to be on the safe side. Security is the goal, but not at the cost of losing functionality.

@HenkPoley (Contributor, Author) commented

I'll look into which setting caused the issue later. (Strict) CFG is not set at all for OneDrive.exe, so that's not it.

@HenkPoley (Contributor, Author) commented Aug 16, 2024

For OneDrive.exe the issue is "API-aanroep valideren (CallerCheck)" = EnableRopCallerCheck, disabling that makes it work again.

Found the changed/missing item with Confirm-SystemCompliance.

@HotCakeX (Owner) commented

Thank you, does Windows Sandbox work on ARM with the mitigations?

@HenkPoley (Contributor, Author) commented

If you can supply me with an ARM machine that supports (nested) virtualisation under Windows, I can test Windows Sandbox for you 😝😉

(That's not on M1 MacBooks sadly, no native Windows / "Apple BootCamp", nor nested virtualisation.)
