v2.14, 2018-04-06

- Fix and reorganize Telemetry tweaks
 - Update "Enable Remote Desktop" to enable firewall rules (thx @timmytandian)
 - Add "Uninstall Internet Explorer" (thx @mhujer)
 - Add "Enable strong cryptography for .NET Framework" (thx @Sta2s)
 - Add "Enable Audio" for Server
 - Add default preset for making custom presets easier (thx @Conder000)

Win10.ps1

@@ -1,7 +1,7 @@
 ##########
 # Win10 / WinServer2016 Initial Setup Script
 # Author: Disassembler <disassembler@dasm.cz>
-# Version: v2.13, 2018-03-18
+# Version: v2.14, 2018-04-06
 # Source: https://github.com/Disassembler0/Win10-Initial-Setup-Script
 ##########
 
@@ -44,6 +44,7 @@ $tweaks = @(
 	"EnableF8BootMenu",             # "DisableF8BootMenu",
 	"SetDEPOptOut",                 # "SetDEPOptIn",
 	"DisableScriptHost",            # "EnableScriptHost",
+	"EnableDotNetStrongCrypto",     # "DisableDotNetStrongCrypto",
 	# "EnableMeltdownCompatFlag"    # "DisableMeltdownCompatFlag",
 
 	### Service Tweaks ###
@@ -123,6 +124,7 @@ $tweaks = @(
 	"DisableXboxFeatures",          # "EnableXboxFeatures",
 	"DisableAdobeFlash",            # "EnableAdobeFlash",
 	# "UninstallMediaPlayer",       # "InstallMediaPlayer",
+	# "UninstallInternetExplorer",  # "InstallInternetExplorer",
 	# "UninstallWorkFolders",       # "InstallWorkFolders",
 	# "InstallLinuxSubsystem",      # "UninstallLinuxSubsystem",
 	# "InstallHyperV",              # "UninstallHyperV",
@@ -138,6 +140,7 @@ $tweaks = @(
 	# "DisablePasswordPolicy",      # "EnablePasswordPolicy",
 	# "DisableCtrlAltDelLogin",     # "EnableCtrlAltDelLogin",
 	# "DisableIEEnhancedSecurity",  # "EnableIEEnhancedSecurity",
+	# "EnableAudio",                # "DisableAudio",
 
 	### Unpinning ###
 	# "UnpinStartMenuTiles",
@@ -161,8 +164,12 @@ $tweaks = @(
 Function DisableTelemetry {
 	Write-Output "Disabling Telemetry..."
 	Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" -Name "AllowTelemetry" -Type DWord -Value 0
-	Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Name "AllowTelemetry" -Type DWord -Value 0
 	Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection" -Name "AllowTelemetry" -Type DWord -Value 0
+	Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Name "AllowTelemetry" -Type DWord -Value 0
+	If (!(Test-Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Privacy")) {
+		New-Item -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Privacy" | Out-Null
+	}
+	Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Privacy" -Name "TailoredExperiencesWithDiagnosticDataEnabled" -Type DWord -Value 0
 	Disable-ScheduledTask -TaskName "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" | Out-Null
 	Disable-ScheduledTask -TaskName "Microsoft\Windows\Application Experience\ProgramDataUpdater" | Out-Null
 	Disable-ScheduledTask -TaskName "Microsoft\Windows\Autochk\Proxy" | Out-Null
@@ -175,8 +182,12 @@ Function DisableTelemetry {
 Function EnableTelemetry {
 	Write-Output "Enabling Telemetry..."
 	Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" -Name "AllowTelemetry" -Type DWord -Value 3
-	Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Name "AllowTelemetry" -Type DWord -Value 3
 	Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection" -Name "AllowTelemetry" -Type DWord -Value 3
+	Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Name "AllowTelemetry" -ErrorAction SilentlyContinue
+	If (!(Test-Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Privacy")) {
+		New-Item -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Privacy" | Out-Null
+	}
+	Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Privacy" -Name "TailoredExperiencesWithDiagnosticDataEnabled" -Type DWord -Value 2
 	Enable-ScheduledTask -TaskName "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" | Out-Null
 	Enable-ScheduledTask -TaskName "Microsoft\Windows\Application Experience\ProgramDataUpdater" | Out-Null
 	Enable-ScheduledTask -TaskName "Microsoft\Windows\Autochk\Proxy" | Out-Null
@@ -369,20 +380,12 @@ Function DisableAdvertisingID {
 		New-Item -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" | Out-Null
 	}
 	Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" -Name "Enabled" -Type DWord -Value 0
-	If (!(Test-Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Privacy")) {
-		New-Item -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Privacy" | Out-Null
-	}
-	Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Privacy" -Name "TailoredExperiencesWithDiagnosticDataEnabled" -Type DWord -Value 0
 }
 
 # Enable Advertising ID
 Function EnableAdvertisingID {
 	Write-Output "Enabling Advertising ID..."
 	Remove-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" -Name "Enabled" -ErrorAction SilentlyContinue
-	If (!(Test-Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Privacy")) {
-		New-Item -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Privacy" | Out-Null
-	}
-	Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Privacy" -Name "TailoredExperiencesWithDiagnosticDataEnabled" -Type DWord -Value 2
 }
 
 # Disable Cortana
@@ -695,6 +698,21 @@ Function EnableScriptHost {
 	Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings" -Name "Enabled" -ErrorAction SilentlyContinue
 }
 
+# Enable strong cryptography for .NET Framework (version 4 and above)
+# https://stackoverflow.com/questions/36265534/invoke-webrequest-ssl-fails
+Function EnableDotNetStrongCrypto {
+	Write-output "Enabling .NET strong cryptography..."
+	Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" -Name "SchUseStrongCrypto" -Type DWord -Value 1
+	Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" -Name "SchUseStrongCrypto" -Type DWord -Value 1
+}
+
+# Disable strong cryptography for .NET Framework (version 4 and above)
+Function DisableDotNetStrongCrypto {
+	Write-output "Disabling .NET strong cryptography..."
+	Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" -Name "SchUseStrongCrypto" -ErrorAction SilentlyContinue
+	Remove-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" -Name "SchUseStrongCrypto" -ErrorAction SilentlyContinue
+}
+
 # Enable Meltdown (CVE-2017-5754) compatibility flag - Required for January 2018 and all subsequent Windows updates
 # This flag is normally automatically enabled by compatible antivirus software (such as Windows Defender).
 # Use the tweak only if you have confirmed that your AV is compatible but unable to set the flag automatically or if you don't use any AV at all.
@@ -814,6 +832,7 @@ Function EnableRemoteDesktop {
 	Write-Output "Enabling Remote Desktop w/o Network Level Authentication..."
 	Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Type DWord -Value 0
 	Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -Type DWord -Value 0
+	Enable-NetFirewallRule -Name "RemoteDesktop*"
 }
 
 # Disable Remote Desktop
@@ -821,6 +840,7 @@ Function DisableRemoteDesktop {
 	Write-Output "Disabling Remote Desktop..."
 	Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Type DWord -Value 1
 	Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -Type DWord -Value 1
+	Disable-NetFirewallRule -Name "RemoteDesktop*"
 }
 
 # Disable Autoplay
@@ -1975,6 +1995,18 @@ Function InstallMediaPlayer {
 	Enable-WindowsOptionalFeature -Online -FeatureName "WindowsMediaPlayer" -NoRestart -WarningAction SilentlyContinue | Out-Null
 }
 
+# Uninstall Internet Explorer
+Function UninstallInternetExplorer {
+	Write-Output "Uninstalling Internet Explorer..."
+	Disable-WindowsOptionalFeature -Online -FeatureName "Internet-Explorer-Optional-amd64" -NoRestart -WarningAction SilentlyContinue | Out-Null
+}
+
+# Install Internet Explorer
+Function InstallInternetExplorer {
+	Write-Output "Installing Internet Explorer..."
+	Enable-WindowsOptionalFeature -Online -FeatureName "Internet-Explorer-Optional-amd64" -NoRestart -WarningAction SilentlyContinue | Out-Null
+}
+
 # Uninstall Work Folders Client - Not applicable to Server
 Function UninstallWorkFolders {
 	Write-Output "Uninstalling Work Folders Client..."
@@ -2192,6 +2224,20 @@ Function EnableIEEnhancedSecurity {
 	Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" -Name "IsInstalled" -Type DWord -Value 1
 }
 
+# Enable Audio
+Function EnableAudio {
+	Write-Output "Enabling Audio..."
+	Set-Service "Audiosrv" -StartupType Automatic
+	Start-Service "Audiosrv" -WarningAction SilentlyContinue
+}
+
+# Disable Audio
+Function DisableAudio {
+	Write-Output "Disabling Audio..."
+	Stop-Service "Audiosrv" -WarningAction SilentlyContinue
+	Set-Service "Audiosrv" -StartupType Manual
+}
+
 
 
 ##########

test/Default.bat

@@ -0,0 +1,3 @@
+@ECHO OFF
+
+powershell.exe -NoProfile -ExecutionPolicy Bypass -File "..\Win10.ps1" -preset "Default.preset"

test/Default.preset

@@ -0,0 +1,134 @@
+# Default preset
+
+RequireAdmin
+
+DisableTelemetry
+DisableWiFiSense
+# DisableSmartScreen
+DisableWebSearch
+DisableAppSuggestions
+DisableBackgroundApps
+DisableLockScreenSpotlight
+DisableLocationTracking
+DisableMapUpdates
+DisableFeedback
+DisableAdvertisingID
+DisableCortana
+DisableErrorReporting
+SetP2PUpdateLocal
+DisableAutoLogger
+DisableDiagTrack
+DisableWAPPush
+
+# SetUACLow
+# EnableSharingMappedDrives
+DisableAdminShares
+# DisableSMB1
+SetCurrentNetworkPrivate
+# SetUnknownNetworksPrivate
+# DisableNetDevicesAutoInst
+# EnableCtrldFolderAccess
+# DisableFirewall
+# DisableDefender
+# DisableDefenderCloud
+EnableF8BootMenu
+SetDEPOptOut
+DisableScriptHost
+EnableDotNetStrongCrypto
+# EnableMeltdownCompatFlag
+
+# DisableUpdateMSRT
+# DisableUpdateDriver
+DisableUpdateRestart
+DisableHomeGroups
+DisableSharedExperiences
+DisableRemoteAssistance
+EnableRemoteDesktop
+DisableAutoplay
+DisableAutorun
+# EnableStorageSense
+# DisableDefragmentation
+# DisableSuperfetch
+# DisableIndexing
+# SetBIOSTimeUTC
+# EnableHibernation
+# DisableSleepButton
+# DisableSleepTimeout
+# DisableFastStartup
+
+DisableActionCenter
+DisableLockScreen
+# DisableLockScreenRS1
+HideNetworkFromLockScreen
+HideShutdownFromLockScreen
+DisableStickyKeys
+ShowTaskManagerDetails"
+ShowFileOperationsDetails
+# EnableFileDeleteConfirm
+HideTaskbarSearchBox
+HideTaskView
+ShowSmallTaskbarIcons
+ShowTaskbarTitles
+HideTaskbarPeopleIcon
+ShowTrayIcons
+DisableSearchAppInStore
+DisableNewAppPrompt
+# SetControlPanelViewIcons
+SetVisualFXPerformance
+# AddENKeyboard
+# EnableNumlock
+
+ShowKnownExtensions
+ShowHiddenFiles
+HideSyncNotifications
+HideRecentShortcuts
+SetExplorerThisPC
+ShowThisPCOnDesktop
+# ShowUserFolderOnDesktop
+HideDesktopFromThisPC
+# HideDesktopFromExplorer
+HideDocumentsFromThisPC
+# HideDocumentsFromExplorer
+HideDownloadsFromThisPC
+# HideDownloadsFromExplorer
+HideMusicFromThisPC
+# HideMusicFromExplorer
+HidePicturesFromThisPC
+# HidePicturesFromExplorer
+HideVideosFromThisPC
+# HideVideosFromExplorer
+Hide3DObjectsFromThisPC
+# Hide3DObjectsFromExplorer
+# DisableThumbnails
+DisableThumbsDB
+
+DisableOneDrive
+UninstallOneDrive
+UninstallMsftBloat
+UninstallThirdPartyBloat
+# UninstallWindowsStore
+DisableXboxFeatures
+DisableAdobeFlash
+# UninstallMediaPlayer
+# UninstallInternetExplorer
+# UninstallWorkFolders
+# InstallLinuxSubsystem
+# InstallHyperV
+SetPhotoViewerAssociation
+AddPhotoViewerOpenWith
+# UninstallPDFPrinter
+UninstallXPSPrinter
+RemoveFaxPrinter
+
+# HideServerManagerOnLogin
+# DisableShutdownTracker
+# DisablePasswordPolicy
+# DisableCtrlAltDelLogin
+# DisableIEEnhancedSecurity
+# EnableAudio
+
+# UnpinStartMenuTiles
+# UnpinTaskbarIcons
+
+WaitForKey
+Restart

test/Win10-ApplyAll.preset

@@ -34,6 +34,7 @@ DisableDefenderCloud
 EnableF8BootMenu
 SetDEPOptOut
 DisableScriptHost
+EnableDotNetStrongCrypto
 EnableMeltdownCompatFlag
 
 DisableUpdateMSRT
@@ -109,6 +110,7 @@ UninstallWindowsStore
 DisableXboxFeatures
 DisableAdobeFlash
 UninstallMediaPlayer
+UninstallInternetExplorer
 UninstallWorkFolders
 InstallLinuxSubsystem
 InstallHyperV
@@ -123,6 +125,7 @@ RemoveFaxPrinter
 # DisablePasswordPolicy
 # DisableCtrlAltDelLogin
 # DisableIEEnhancedSecurity
+# EnableAudio
 
 UnpinStartMenuTiles
 UnpinTaskbarIcons

test/Win10-RestoreAll.preset

@@ -34,6 +34,7 @@ EnableDefenderCloud
 DisableF8BootMenu
 SetDEPOptIn
 EnableScriptHost
+DisableDotNetStrongCrypto
 DisableMeltdownCompatFlag
 
 EnableUpdateMSRT
@@ -109,6 +110,7 @@ InstallWindowsStore
 EnableXboxFeatures
 EnableAdobeFlash
 InstallMediaPlayer
+InstallInternetExplorer
 InstallWorkFolders
 UninstallLinuxSubsystem
 UninstallHyperV
@@ -123,6 +125,7 @@ AddFaxPrinter
 # EnablePasswordPolicy
 # EnableCtrlAltDelLogin
 # EnableIEEnhancedSecurity
+# DisableAudio
 
 WaitForKey
 Restart

test/WinServer2016-ApplyAll.preset

@@ -34,6 +34,7 @@ DisableDefenderCloud
 EnableF8BootMenu
 SetDEPOptOut
 DisableScriptHost
+EnableDotNetStrongCrypto
 EnableMeltdownCompatFlag
 
 DisableUpdateMSRT
@@ -109,6 +110,7 @@ UninstallWindowsStore
 DisableXboxFeatures
 DisableAdobeFlash
 UninstallMediaPlayer
+UninstallInternetExplorer
 # UninstallWorkFolders
 # InstallLinuxSubsystem
 InstallHyperV
@@ -123,6 +125,7 @@ DisableShutdownTracker
 DisablePasswordPolicy
 DisableCtrlAltDelLogin
 DisableIEEnhancedSecurity
+EnableAudio
 
 # UnpinStartMenuTiles
 UnpinTaskbarIcons

test/WinServer2016-RestoreAll.preset

@@ -34,6 +34,7 @@ EnableDefenderCloud
 DisableF8BootMenu
 SetDEPOptIn
 EnableScriptHost
+DisableDotNetStrongCrypto
 DisableMeltdownCompatFlag
 
 EnableUpdateMSRT
@@ -109,6 +110,7 @@ InstallWindowsStore
 EnableXboxFeatures
 EnableAdobeFlash
 InstallMediaPlayer
+InstallInternetExplorer
 # InstallWorkFolders
 # UninstallLinuxSubsystem
 UninstallHyperV
@@ -123,6 +125,7 @@ EnableShutdownTracker
 EnablePasswordPolicy
 EnableCtrlAltDelLogin
 EnableIEEnhancedSecurity
+DisableAudio
 
 WaitForKey
 Restart