
win11-admin

Security

Windows 11 system administration and hardening. PROACTIVELY activate for: (1) Registry tweaking and optimization, (2) Windows services management and cleanup, (3) Group Policy (GPO) configuration, (4) Debloating and telemetry control, (5) System optimization and performance tuning, (6) CIS/STIG security hardening, (7) Windows Firewall and network configuration, (8) Windows Defender and security ma

2 stars
Author: optimaquantum. License: MIT

Windows 11 Administration & Hardening

CRITICAL: Safety Rules

  1. ALWAYS create a System Restore Point before changes
  2. ALWAYS backup registry keys before modifying them
  3. ALWAYS test on non-production systems first
  4. NEVER disable Windows Update completely
  5. NEVER disable Windows Defender without explicit user consent
  6. Provide rollback commands for every change

# Create restore point before ANY system change
Checkpoint-Computer -Description "Before Win11 Admin changes" -RestorePointType MODIFY_SETTINGS

# Backup specific registry key before modification
reg export "HKLM\SOFTWARE\Key" "C:\Users\cesco\backups\reg_backup_$(Get-Date -Format yyyyMMdd_HHmmss).reg"

When to Activate

PROACTIVELY activate for ANY Windows 11 administration task:

  • Registry modifications (HKLM, HKCU, policies)
  • Service management (disable, enable, startup type)
  • Group Policy configuration (local or domain)
  • Bloatware removal and telemetry control
  • Performance optimization (visual effects, memory, disk)
  • Security hardening (CIS, STIG, DISA baselines)
  • Firewall rules and network configuration
  • Windows Defender settings and exclusions
  • Scheduled tasks management
  • Driver and hardware troubleshooting
  • Windows Update control and WSUS
  • User accounts, UAC, and permissions

1. Registry Administration

Common Registry Hives

Hive                  Abbreviation   Scope
HKEY_LOCAL_MACHINE    HKLM:          System-wide
HKEY_CURRENT_USER     HKCU:          Current user
HKEY_CLASSES_ROOT     HKCR:          File associations
HKEY_USERS            HKU:           All user profiles

Registry Operations

# Read registry value
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion" -Name "ProgramFilesDir"

# Create/set registry value
New-ItemProperty -Path "HKCU:\Software\MyApp" -Name "Setting" -Value 1 -PropertyType DWord -Force

# Modify existing value
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name "EnableSmartScreen" -Value 1

# Delete registry value
Remove-ItemProperty -Path "HKCU:\Software\MyApp" -Name "Setting"

# Create registry key (folder)
New-Item -Path "HKLM:\SOFTWARE\Policies\MyPolicy" -Force

# Test if a key exists
Test-Path "HKLM:\SOFTWARE\Policies\MyPolicy"
# Test if a value exists ($null on the left is the reliable form of the comparison)
$null -ne (Get-ItemProperty "HKLM:\SOFTWARE\MyKey" -Name "MyValue" -ErrorAction SilentlyContinue)

# Export registry key (backup)
reg export "HKLM\SOFTWARE\Policies\Microsoft" "C:\backup\policies.reg" /y

# Import registry key (restore)
reg import "C:\backup\policies.reg"
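
Safety rules 2 and 6 combined into one call, as an added example that is not part of the win11-admin skill: it exports the key before writing and returns the matching rollback command. The function name `Set-RegistryValueWithRollback` and the default `$BackupDir` are assumptions made for this illustration.

```powershell
# Added example: Set-RegistryValueWithRollback is a hypothetical helper.
function Set-RegistryValueWithRollback {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,   # provider path, e.g. HKCU:\Software\...
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][object]$Value,
        [Microsoft.Win32.RegistryValueKind]$Type = 'DWord',
        [string]$BackupDir = (Join-Path $env:USERPROFILE 'backups')   # assumed location
    )
    $backup = $null
    $keyExisted = Test-Path -LiteralPath $Path
    $valueExisted = $keyExisted -and
        ((Get-Item -LiteralPath $Path).GetValueNames() -contains $Name)

    if (-not $PSCmdlet.ShouldProcess("$Path\$Name", "Set to $Value")) { return }

    if ($keyExisted) {
        # Rule 2: export the key first and refuse to continue if the export fails
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        $backup = Join-Path $BackupDir ("reg_backup_{0:yyyyMMdd_HHmmss}.reg" -f (Get-Date))
        $nativePath = (Get-Item -LiteralPath $Path).Name   # HKEY_...\ form for reg.exe
        reg.exe export $nativePath $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup of $nativePath failed; nothing was changed." }
    } else {
        New-Item -Path $Path -Force | Out-Null
    }
    New-ItemProperty -LiteralPath $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null

    # Rule 6: reg import only merges, so it cannot delete a value or key that did
    # not exist before the change; those two cases need an explicit removal.
    $rollback = if (-not $keyExisted) {
        "Remove-Item -LiteralPath '$Path' -Recurse"
    } elseif (-not $valueExisted) {
        "Remove-ItemProperty -LiteralPath '$Path' -Name '$Name'"
    } else {
        "reg.exe import `"$backup`""   # restores every value in the exported key
    }
    [PSCustomObject]@{ Path = $Path; Name = $Name; Backup = $backup; Rollback = $rollback }
}

# Preview with -WhatIf, then run without it and keep the returned Rollback string
Set-RegistryValueWithRollback -WhatIf -Name 'HideFileExt' -Value 0 `
    -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
```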

Common Win11 Registry Tweaks

# --- TASKBAR ---
# Hide Search button (0=Hidden, 1=Icon, 2=SearchBox)
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Search" -Name "SearchboxTaskbarMode" -Value 0

# Hide Task View button
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "ShowTaskViewButton" -Value 0

# Hide Widgets
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "TaskbarDa" -Value 0

# Hide Chat/Teams icon
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "TaskbarMn" -Value 0

# Left-align taskbar (0=Left, 1=Center)
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "TaskbarAl" -Value 0

# --- EXPLORER ---
# Show file extensions
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "HideFileExt" -Value 0

# Show hidden files
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "Hidden" -Value 1

# Show full path in title bar
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState" -Name "FullPath" -Value 1

# Disable Snap Assist flyout
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "SnapAssist" -Value 0

# Classic right-click context menu (Win10 style)
New-Item -Path "HKCU:\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32" -Value "" -Force

# Revert to Win11 context menu
Remove-Item -Path "HKCU:\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}" -Recurse -Force

# --- STARTUP ---
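# Disable startup delay
# The Serialize key is not present by default; create it only if it is missing
if (-not (Test-Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Serialize")) { New-Item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Serialize" -Force | Out-Null }
New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Serialize" -Name "StartupDelayInMSec" -Value 0 -PropertyType DWord -Force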

2. Services Management

Service Operations

# List all services with status
Get-Service | Sort-Object Status, Name | Format-Table Name, DisplayName, Status, StartType

# Get specific service info
Get-Service -Name "wuauserv" | Select-Object *

# Check service dependencies
Get-Service -Name "wuauserv" -DependentServices
Get-Service -Name "wuauserv" -RequiredServices

# Change startup type
Set-Service -Name "ServiceName" -StartupType Disabled   # Disabled/Manual/Automatic/AutomaticDelayedStart

# Stop and disable
Stop-Service -Name "ServiceName" -Force
Set-Service -Name "ServiceName" -StartupType Disabled

# Start and set automatic
Set-Service -Name "ServiceName" -StartupType Automatic
Start-Service -Name "ServiceName"

Safe-to-Disable Services (Win11 Pro)

# Services commonly safe to disable on standalone workstations
# ALWAYS verify before disabling - requirements vary by environment

$safeToDisable = @(
    "DiagTrack"          # Connected User Experiences and Telemetry
    "dmwappushservice"   # WAP Push Message Routing
    "MapsBroker"         # Downloaded Maps Manager
    "RetailDemo"         # Retail Demo Service
    "WMPNetworkSvc"      # Windows Media Player Network Sharing
    "XblAuthManager"     # Xbox Live Auth Manager
    "XblGameSave"        # Xbox Live Game Save
    "XboxGipSvc"         # Xbox Accessory Management
    "XboxNetApiSvc"      # Xbox Live Networking
)

# Review before disabling
$safeToDisable | ForEach-Object {
    $svc = Get-Service -Name $_ -ErrorAction SilentlyContinue
    if ($svc) {
        [PSCustomObject]@{
            Name = $svc.Name
            DisplayName = $svc.DisplayName
            Status = $svc.Status
            StartType = $svc.StartType
        }
    }
}

# Disable after review (user must confirm)
# $safeToDisable | ForEach-Object {
#     Set-Service -Name $_ -StartupType Disabled -ErrorAction SilentlyContinue
# }

NEVER Disable These Services

- wuauserv (Windows Update)
- WinDefend (Windows Defender)
- EventLog (Windows Event Log)
- RpcSs (Remote Procedure Call)
- LSM (Local Session Manager)
- Schedule (Task Scheduler)
- Winmgmt (WMI)
- CryptSvc (Cryptographic Services)
- BITS (Background Intelligent Transfer)
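
One way to enforce the never-disable list and the dependency check before any service is touched, as an added example that is not part of the win11-admin skill. The function name `Disable-ServiceGuarded` is an assumption; the protected list is copied from the page.

```powershell
# Added example: Disable-ServiceGuarded is a hypothetical wrapper around Set-Service.
$neverDisable = 'wuauserv', 'WinDefend', 'EventLog', 'RpcSs', 'LSM',
                'Schedule', 'Winmgmt', 'CryptSvc', 'BITS'   # list from the page

function Disable-ServiceGuarded {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Name)
    process {
        $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Verbose "$Name is not installed; skipped."; return }

        # Refuse the service itself and any service that a protected service needs
        $names = @($svc.Name) + @($svc.DependentServices | ForEach-Object Name)
        $protectedHit = $names | Where-Object { $neverDisable -contains $_ }
        if ($protectedHit) {
            Write-Warning "$Name skipped: protected service involved ($($protectedHit -join ', '))."
            return
        }

        # A running dependent means something on this machine still relies on it
        $running = @($svc.DependentServices | Where-Object Status -eq 'Running')
        if ($running.Count -gt 0) {
            Write-Warning "$Name skipped: running dependents ($($running.Name -join ', '))."
            return
        }

        # Record the current start type so the change can be reversed
        $previous = $svc.StartType
        if ($PSCmdlet.ShouldProcess("$($svc.Name) ($($svc.DisplayName))", 'Stop and disable')) {
            Stop-Service -Name $svc.Name -Force -ErrorAction Stop
            Set-Service -Name $svc.Name -StartupType Disabled
            [PSCustomObject]@{
                Name              = $svc.Name
                PreviousStartType = $previous
                Rollback          = "Set-Service -Name '$($svc.Name)' -StartupType $previous"
            }
        }
    }
}

# Preview only: wuauserv is rejected by the guard, the others are listed by -WhatIf
'DiagTrack', 'MapsBroker', 'wuauserv' | Disable-ServiceGuarded -WhatIf
```

Because `ConfirmImpact` is `High`, running it without `-WhatIf` prompts for each service, which matches the page's "user must confirm" step.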

3. Group Policy (Local)

GPO via PowerShell (Registry-Based)

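Most local Group Policy settings are stored in the registry, so they can be set with Set-ItemProperty against the policy paths. Values written this way take effect but are not recorded in Registry.pol, so the Local Group Policy Editor (gpedit.msc) will still show them as not configured.

# --- TELEMETRY & PRIVACY ---
# Disable telemetry (0=Security, 1=Basic, 2=Enhanced, 3=Full)
# Note: 0 is honored only on Enterprise, Education and Server editions; other editions treat it as 1
# Create the policy key only if it is missing, so values already set under it are kept
if (-not (Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection")) { New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Force | Out-Null }
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Name "AllowTelemetry" -Value 0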

# Disable advertising ID
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" -Name "Enabled" -Value 0

# Disable activity history
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name "EnableActivityFeed" -Value 0
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name "PublishUserActivities" -Value 0
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name "UploadUserActivities" -Value 0

# --- WINDOWS UPDATE ---
# Configure Windows Update (0=NotConfigured, 1=Disabled, 2-5=various)
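# Create the policy key only if it is missing, so values already set under it are kept
if (-not (Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU")) { New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Force | Out-Null }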
# Notify before download
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Micro

How to add

/plugin marketplace add optimaquantum/win11-admin-skill

The exact command may vary by repository. Check the README on GitHub.
