Releases: HotCakeX/Harden-Windows-Security
Harden System Security v1.0.32.0
What's New
- Added displaying Last Boot Time to the home page.
- Added displaying System Manufacturer and Model to the home page.
- Added displaying Open Network Ports counts to the home page. It displays the counts of both TCP and UDP ports that are currently open on the system. It is updated every 4 seconds and, just like other real-time info on the Home page, it will not run in the background when you navigate away from the Home page, so it won't use any unnecessary system resources.
- Added the ability to change Computer Name in the home page. The Computer Name tile is now clickable and when you press it, you will be able to set a new Computer Name. This feature is only available when you run the app as Administrator, and after changing the Computer Name, a system restart is required for the changes to take effect.
- Added displaying the names of all of the available GPUs on the system to the home page. The GPU tile is clickable, so if you click on it, a new area will open displaying the full technical details of every GPU on the system.
- The information titles on the Home page now have proper rounded corners.
- Reduced the amount of empty space in the Home page.
- The system time and time zone now display in the same tile on the Home page.
- Added displaying the currently active Power Plan's name on the Home page.
- Added displaying the real-time SSD Temperature on the Home page. It is updated every 2 seconds and, just like other real-time info on the Home page, it will not run in the background when you navigate away from the Home page, so it won't use any unnecessary system resources.
- Finalized implementing the French language for both apps. Thanks @AnthonyMahe for the contributions!
Harden System Security v1.0.31.0
What's New
Firewall Rules Management
The Windows Firewall page now includes a new Management section. From there, you can:
- Browse for individual files to allow or block through Windows Firewall, controlling whether they can make network connections.
- Browse for folders to allow or block all executable files within them, including executables in all subfolders.
  - This is very useful if you install a new application that contains multiple executables, as you can simply select the installation folder to allow or block all of them at once.
- List all of the Firewall rules created by the Harden System Security app.
- Delete any Firewall rules created by the Harden System Security app.
- Copy one or more Firewall rules to the clipboard.
- Search through the Firewall rules and sort them.
Dual-Use Program Blocking via Windows Firewall
You can now block network access through Windows Firewall for high-risk dual-use binaries to reduce abuse for malicious downloads or data exfiltration. This implements the requested feature in #706. The full list of these programs is available in the Windows Firewall page in the wiki.
Note
All of the Windows Firewall rules are created in the Group Policy store instead of the regular local store so they are not affected by the local rules merges and they have more flexibility. All of the rules created by the Harden System Security app are part of the HardenSystemSecurity group, so you can easily identify them.
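One way to audit the rules the note describes, as an added example that is not part of the release notes or the app's own code. It assumes the group name is exactly HardenSystemSecurity as stated above, and addresses the local Group Policy store as `localhost`; the function name is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Assumption: the rule group is named exactly 'HardenSystemSecurity', as the note states.
$Group = 'HardenSystemSecurity'

function Get-AppFirewallRule {
    param([Parameter(Mandatory)][string]$PolicyStore)
    # A store with no matching rule raises an error, so it is silenced and yields nothing.
    Get-NetFirewallRule -PolicyStore $PolicyStore -Group $Group -ErrorAction SilentlyContinue |
        ForEach-Object {
            $Filter = $_ | Get-NetFirewallApplicationFilter
            [pscustomobject]@{
                Store     = $PolicyStore
                Name      = $_.DisplayName
                Enabled   = $_.Enabled
                Direction = $_.Direction
                Action    = $_.Action
                Program   = $Filter.Program
            }
        }
}

# 'localhost' addresses the local Group Policy store; 'PersistentStore' is the regular local store.
$GpoRules   = @(Get-AppFirewallRule -PolicyStore 'localhost')
$LocalRules = @(Get-AppFirewallRule -PolicyStore 'PersistentStore')

$GpoRules | Sort-Object Program, Direction | Format-Table -AutoSize
'{0} rule(s) in the Group Policy store, {1} in the local store' -f $GpoRules.Count, $LocalRules.Count

# Rules whose target binary no longer exists are stale and can be cleaned up.
$GpoRules | Where-Object {
    $_.Program -and $_.Program -ne 'Any' -and
    -not (Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($_.Program)))
} | Select-Object Name, Program
```

A non-zero count in the local store for this group would mean a rule was created outside the mechanism the note describes and is subject to local rule merging.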
Other Changes
- Added a progress ring to Microsoft Defender -> Exclusions.
- Updated dependencies to the latest versions.
- To address an issue, changed the "Boot-Start Driver Initialization Policy" to "Good and Unknown" instead of "Good only" in the Miscellaneous configurations category.
- Added a new sub-category that will set it to "Good only". As with all sub-categories, this will not be applied by default when you apply the Miscellaneous category and you will have to check an extra box to apply it. This is to prevent flawed 3rd party drivers from causing boot issues.
- The "Good and Unknown" policy applies to all device usage intents now.
- The "Good only" policy applies to the "Business", "Specialized Access Workstation" and "Privileged Access Workstation" device usage intents.
- Added a new toggle button to the Microsoft Security Baselines page; it is on/toggled by default. This toggle will apply the Optional Overrides that are recommended for enhanced user experience when using the Microsoft Security Baselines.
  - The reason for this change is that users usually apply the Microsoft Security Baseline on their system, which is mostly geared towards enterprise use, but then they find that some settings are not user-friendly for personal use. These optional overrides help to mitigate that situation. You can of course disable this toggle if you want to stick strictly to the Microsoft Security Baseline without any modifications.
- Fixes this issue by adding a new policy to the Optional Overrides to allow elevation on Secure Desktop for Standard user accounts.
Harden System Security v1.0.30.0
What's New
- Changed a policy in the Microsoft Defender category named "Brute Force Aggressiveness" from "Medium" to "High". It now matches the Remote Encryption Protection Aggressiveness policy, which has already been set to "High".
AppControl Manager v2.0.55.0
Installation
Install it from the Microsoft Store: https://apps.microsoft.com/detail/9png1jddtgp8
What's New
Advanced UEFI Secure Boot Variable Inspector
This update introduces a new feature in the View File Certificates page for analyzing the firmware's UEFI variables and Secure Boot data directly from the application. Users can now gain full transparency into the platform's root of trust without relying on external tools or rebooting into BIOS setup.
Tip
These features are especially useful for the upcoming Secure Boot Certificate updates, so you can tell whether your device has automatically received the new certificates or whether you need to take manual action.
Key capabilities include:
- Get Platform Key: Retrieve the Platform Key (PK), the root of trust that controls access to the Key Exchange Key database and establishes ownership of the platform.
- Get Key Exchange Key: Retrieve the Key Exchange Key (KEK) database, containing keys trusted to update the signature database (db) and the forbidden signature database (dbx).
- Get Signature Database: Retrieve the Signature Database (db), containing the list of trusted certificates and hashes allowed to execute on this system.
- Get Forbidden Signature Database: Retrieve the Forbidden Signature Database (dbx), containing the revocation list of compromised certificates and hashes that are blocked from booting.
The default variation of all of them can be independently retrieved as well, representing the factory default state provided by the system manufacturer.
Note
Potential for Detecting Virtual Machines
Virtual machines running on hypervisors such as Hyper-V, VMware, or VirtualBox show different values than a real bare metal system.
- Hyper-V: At the time of this writing, Hyper-V VMs do not display all of the Default variations of UEFI variables; in fact, you will encounter an error when attempting to get the values of PKDefault or dbxDefault. Whether the VM is shielded or not does not have any effect on the results.
- VirtualBox: At the time of this writing, attempting to get many of the UEFI variables mentioned in this post results in an error on VirtualBox VMs.
- VMware: At the time of this writing, attempting to get the Platform Key or Default Platform Key in VMware Workstation VMs results in 0 certificates, an anomaly that can be considered an indicator of a VM. Additionally, getting the default DBX database results in significantly fewer forbidden hashes than those available on the host. The Default and non-default DB both have certificates with the subject VMware, Inc., which can clearly help identify that the system is a VM.
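The same Secure Boot variables can be read from an elevated PowerShell session with the built-in Get-SecureBootUEFI cmdlet. The following is an added example, not AppControl Manager's code: it parses the EFI_SIGNATURE_LIST layout from the UEFI specification and reports, per variable, the certificate and hash counts and the certificate subjects that the key capabilities and the VM notes above refer to. The function name is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Signature type GUIDs defined by the UEFI specification for EFI_SIGNATURE_LIST.
$X509Guid   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
$Sha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID
function ConvertFrom-EfiSignatureList {
    param([byte[]]$Bytes)
    $Offset = 0
    while ($Offset + 28 -le $Bytes.Length) {
        # List header: type GUID (16 bytes), then list, header and entry sizes (4 bytes each).
        $Type       = [guid]::new([byte[]]$Bytes[$Offset..($Offset + 15)])
        $ListSize   = [BitConverter]::ToInt32($Bytes, $Offset + 16)
        $HeaderSize = [BitConverter]::ToInt32($Bytes, $Offset + 20)
        $EntrySize  = [BitConverter]::ToInt32($Bytes, $Offset + 24)
        # Stop on a malformed or truncated list instead of reading out of bounds.
        if (($ListSize -lt 28) -or ($HeaderSize -lt 0) -or ($EntrySize -le 16)) { break }
        $ListEnd = $Offset + $ListSize
        if ($ListEnd -gt $Bytes.Length) { break }
        $Pos = $Offset + 28 + $HeaderSize
        while ($Pos + $EntrySize -le $ListEnd) {
            # Each entry is an owner GUID (16 bytes) followed by the certificate or hash.
            $Data = [byte[]]$Bytes[($Pos + 16)..($Pos + $EntrySize - 1)]
            if ($Type -eq $X509Guid) {
                $Cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Data)
                [pscustomobject]@{ Kind = 'X509'; Value = $Cert.Subject }
            }
            elseif ($Type -eq $Sha256Guid) { [pscustomobject]@{ Kind = 'SHA256'; Value = [BitConverter]::ToString($Data) -replace '-' } }
            else { [pscustomobject]@{ Kind = 'Other'; Value = $Type.ToString() } }
            $Pos += $EntrySize
        }
        $Offset = $ListEnd
    }
}

foreach ($Name in 'PK', 'KEK', 'db', 'dbx', 'PKDefault', 'KEKDefault', 'dbDefault', 'dbxDefault') {
    try {
        $Var     = Get-SecureBootUEFI -Name $Name -ErrorAction Stop
        $Entries = @(ConvertFrom-EfiSignatureList -Bytes $Var.Bytes)
        $Certs   = @($Entries | Where-Object Kind -eq 'X509')
        [pscustomobject]@{
            Variable = $Name
            Certs    = $Certs.Count
            Hashes   = @($Entries | Where-Object Kind -eq 'SHA256').Count
            Subjects = $Certs.Value -join ' | '
        }
    }
    catch {
        # Some platforms (see the VM notes above) do not expose every variable.
        [pscustomobject]@{ Variable = $Name; Certs = $null; Hashes = $null; Subjects = "unavailable: $($_.Exception.Message)" }
    }
}
```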
Other Changes
- Improved memory management and resource usage throughout the app.
How to verify the MSIXBundle's authenticity:
gh attestation verify "Path To MSIXBundle" --repo HotCakeX/Harden-Windows-Security --format json
You can install the GitHub CLI from Winget:
winget install --id GitHub.cli
Harden System Security v1.0.29.0
What's New
- Added a new page called CSP. This page allows you to inspect and query Windows Configuration Service Provider (CSP) policies and unlocks a wealth of deeply structured, real-time configuration intelligence. It parses Policy DDF (Device Description Framework) files that are either sourced from local XML files you browse for or downloaded directly from Microsoft's server to generate a comprehensive catalog of available system settings.
- The Harden System Security app interacts with the local MDM (Mobile Device Management) client to query the live system state of these policies via their OMA-URIs (Open Mobile Alliance Uniform Resource Identifier), providing real-time visibility into current configurations, default values, and allowed operations (Get, Add, Replace, Delete).
- You have the option to export all of the results to a JSON file as backup. It is full of information about the current system state.
Note
On systems not enrolled in an MDM such as Microsoft Intune, there will naturally be limited data available to display.
- The Optional Windows Features category now has a sub-category that allows you to control the inclusion of recommended features and capabilities to be enabled. It's added as a Checkbox in the Protect page. It is checked when the system is not a virtual machine and unchecked when it's a virtual machine. Fixes this issue.
- Fixed the detection of Intel TDD when it is applied via Intune. Fixes this issue.
AppControl Manager v2.0.54.0
Installation
Install it from the Microsoft Store: https://apps.microsoft.com/detail/9png1jddtgp8
What's New
- Fixed an issue where you'd have to click/tap the Deploy button twice in the Deployment page to deploy a signed policy: #948
- The View File Certificates page now shows the certificates of files with revoked, expired or Hash mismatch certificates: #947
How to verify the MSIXBundle's authenticity:
gh attestation verify "Path To MSIXBundle" --repo HotCakeX/Harden-Windows-Security --format json
You can install the GitHub CLI from Winget:
winget install --id GitHub.cli
Harden System Security v1.0.28.0
What's New
- Updated Intune policies of Device Guard category to have the recently added security features: Machine Identity Isolation
- Aligned the Intune policies of Windows Firewall category, mostly for the Domain profile, and improved their detections on the system.
- Added 2 more remaining countries to the Country IP Blocking page; it is now complete and contains the list of all countries in the world.
- Updated Intune policies for Exploit Mitigations to align with what the app locally applies.
Harden System Security v1.0.27.0
What's New
Introducing Intune Support
You can now scale the security policies you trust locally to your entire fleet of Windows devices. The Harden System Security app introduces an Intune dashboard, allowing you to bridge the gap between local hardening and cloud management.
- Unified Policy Control: Instantly view your existing Device Configuration policies or push the hardened standards directly to the cloud.
- Complete Group Management: Effortlessly search, sort, add, remove, and export Entra groups without leaving the app.
- Streamlined Assignments: Deploy new policies and assign them to the right security groups in a single workflow.
- Added many new detections for Intune applied policies, especially for Microsoft Defender and Windows Firewall categories. See this discussion for more context.
- Implemented a policy for Windows Firewall category: Disables mDNS UDP-In Firewall Rules. It adds an extra measure of security in public places, like a coffee shop, but might interfere with Miracast screen sharing, which relies on the Public profile or home networks where the Private profile is not selected. It is not for Gaming, School or Development device usage intents.
- Implemented another policy for Windows Firewall category: Sets all network locations to public. Public means less trust to other devices in the network. It is not for Gaming, School or Development device usage intents.
- The list of optional features and capabilities now populates faster than before.
Harden System Security v1.0.26.0
What's New
- Added real-time CPU temperature to the Home page.
- Added advanced CPU details to the home page.
- Added Computer name to the home page.
- Added OS edition, version and build information to the home page.
- Added RAM speed and generation details to the home page.
- Added real-time total amount of Internet uploaded data and downloaded data to the home page.
- Features in the home page that display real-time data such as CPU temperature, network speed and so on, are highly optimized, fast and only active when the user is on the home page. If you navigate away to another page, they will stop gathering data and will not run in the background so they do not consume unnecessary resources.
- The time it takes from clicking on the app icon on taskbar or start menu to launch it to the home page load is less than 1 second and will stay that way.
- Localized the home page information for all of the supported languages.
- Added context menu options for copying rows and individual details to the Microsoft Security Baseline page.
- Added context menu options for copying rows and individual details to the Microsoft 365 Apps Security Baseline page.
- CTRL + C keyboard shortcut can be used to copy one or multiple rows to the clipboard.
- Added support for restoring Attack Surface Reduction rules during the new system restoration feature that was added in the previous update. Please note that backups made from the ASR category since the latest version (last Wednesday) will not be eligible for restoration because the type of data being backed up in the JSON file has changed in this version. You'll need to use the "Backup" button in the Protect page again, or just use the export button in the ASR page, to create the more complete and enriched backup file that is usable for restoration.
- Improved the experience when picking a file path to save the exported backup data to. If you accidentally remove the .json extension in the file path preview, it will be automatically added back so that you will always end up with a proper JSON file.
- Added support for restoring Microsoft Security Baseline and Microsoft 365 Apps Security Baselines for the Backup/Restore feature introduced in the previous update. What this means is that you can apply the Microsoft Baselines on a system, tune and modify it and then create a backup of your desired golden system state and reuse the same backup on as many other systems as possible by simply importing it to the Harden System Security app. This is very useful for businesses and enterprises to have a reliable and secure way to consume Microsoft Security baselines effortlessly. Automation via CLI is also available.
- Added icons for the restoration mode and its options in the Protect page.
AppControl Manager v2.0.53.0
Installation
Install it from the Microsoft Store: https://apps.microsoft.com/detail/9png1jddtgp8
What's New
- Added real-time CPU temperature to the Home page.
- Added advanced CPU details to the home page.
- Added Computer name to the home page.
- Added OS edition, version and build information to the home page.
- Added RAM speed and generation details to the home page.
- Added real-time total amount of Internet uploaded data and downloaded data to the home page.
- Features in the home page that display real-time data such as CPU temperature, network speed and so on, are highly optimized, fast and only active when the user is on the home page. If you navigate away to another page, they will stop gathering data and will not run in the background so they do not consume unnecessary resources.
- The time it takes from clicking on the app icon on taskbar or start menu to launch it to the home page load is less than 1 second and will stay that way.
- Localized the home page information for all of the supported languages.
- Significantly improved the speed and performance of the Event Log Policy Creation. Now the scans of Code Integrity and App Locker event logs from local system or custom EVTX files take half of the time compared to the previous version. This performance boost is achieved by implementing new algorithms and optimizations in the scanning engine, rather than simply using more CPU cores and parallelism. The system resource usage actually remains the same as before or even lower in some cases, while the speed is greatly improved.
How to verify the MSIXBundle's authenticity:
gh attestation verify "Path To MSIXBundle" --repo HotCakeX/Harden-Windows-Security --format json
You can install the GitHub CLI from Winget:
winget install --id GitHub.cli
