290 lines
9.7 KiB
PowerShell
290 lines
9.7 KiB
PowerShell
$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent
|
|
$RootPath = Split-Path $RootPath -Parent
|
|
. "$RootPath\Helpers\AuditGroupFunctions.ps1"
|
|
$avstatus = CheckForActiveAV
|
|
$windefrunning = CheckWindefRunning
|
|
if((Get-WmiObject -class Win32_OperatingSystem).Caption -eq "Microsoft Windows 10 Enterprise Evaluation" -or
|
|
(Get-WmiObject -class Win32_OperatingSystem).Caption -eq "Microsoft Windows 10 Enterprise"){
|
|
[AuditTest] @{
|
|
Id = "3.1.1"
|
|
Task = "Configuration of the lowest possible telemetry-level (Enterprise Windows 10)"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection" `
|
|
-Name "AllowTelemetry" `
|
|
| Select-Object -ExpandProperty "AllowTelemetry"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
else{
|
|
[AuditTest] @{
|
|
Id = "3.1.1"
|
|
Task = "Configuration of the lowest possible telemetry-level (Non-Enterprise Windows 10)"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection" `
|
|
-Name "AllowTelemetry" `
|
|
| Select-Object -ExpandProperty "AllowTelemetry"
|
|
|
|
$saferClients = @("*Server*","*Education*","*Enterprise*")
|
|
$productname = Get-ComputerInfo | select -ExpandProperty OsName
|
|
if (($productname -notcontains $saferClients) -and ($regValue -eq 1)){
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Your OS $productname does not support 'Diagnostic data off'."
|
|
Status = "Warning"
|
|
}
|
|
}
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "3.1.2 A"
|
|
Task = "Deactivation of the telemetry service and ETW-sessions - disable service DiagTrack"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DiagTrack" `
|
|
-Name "Start" `
|
|
| Select-Object -ExpandProperty "Start"
|
|
|
|
if ($regValue -ne 4) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 4"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "3.1.2 B"
|
|
Task = "Deactivation of the telemetry service and ETW-sessions - disable service Autologger-Diagtrack-Listener"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AutoLogger-Diagtrack-Listener" `
|
|
-Name "Start" `
|
|
| Select-Object -ExpandProperty "Start"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "3.1.3 A"
|
|
Task = "Deactivation of telemetry according to Microsoft - Disable Windows Update Service"
|
|
Test = {
|
|
try {
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" `
|
|
-Name "Start" `
|
|
| Select-Object -ExpandProperty "Start"
|
|
|
|
if ($regValue -ne 4) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 4"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "3.1.3 B"
|
|
Task = "Deactivation of telemetry according to Microsoft - Cloud-Based-Protection: disable MAPS"
|
|
Test = {
|
|
try {
|
|
if($avstatus){
|
|
|
|
if ((-not $windefrunning)) {
|
|
return @{
|
|
Message = "This rule requires Windows Defender Antivirus to be enabled."
|
|
Status = "None"
|
|
}
|
|
}
|
|
}
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" `
|
|
-Name "SpynetReporting" `
|
|
| Select-Object -ExpandProperty "SpynetReporting"
|
|
|
|
if ($regValue -ne 0) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 0"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|
|
[AuditTest] @{
|
|
Id = "3.1.3 C"
|
|
Task = "Deactivation of telemetry according to Microsoft - Cloud-Based-Protection: never send sample files"
|
|
Test = {
|
|
try {
|
|
if($avstatus){
|
|
|
|
if ((-not $windefrunning)) {
|
|
return @{
|
|
Message = "This rule requires Windows Defender Antivirus to be enabled."
|
|
Status = "None"
|
|
}
|
|
}
|
|
}
|
|
$regValue = Get-ItemProperty -ErrorAction Stop `
|
|
-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" `
|
|
-Name "SubmitSamplesConsent" `
|
|
| Select-Object -ExpandProperty "SubmitSamplesConsent"
|
|
|
|
if ($regValue -ne 2) {
|
|
return @{
|
|
Message = "Registry value is '$regValue'. Expected: 2"
|
|
Status = "False"
|
|
}
|
|
}
|
|
}
|
|
catch [System.Management.Automation.PSArgumentException] {
|
|
return @{
|
|
Message = "Registry value not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
catch [System.Management.Automation.ItemNotFoundException] {
|
|
return @{
|
|
Message = "Registry key not found."
|
|
Status = "False"
|
|
}
|
|
}
|
|
|
|
return @{
|
|
Message = "Compliant"
|
|
Status = "True"
|
|
}
|
|
}
|
|
}
|