All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog.
- New policy to enable or disable KASAN support
- Fixed the registry path for the Mandatory VBS flag introduced in v1.0.36
- New policy to configure the Mandatory mode for Virtualization-Based Security
- New policy to configure the behavior of the Sudo command, introduced in Windows 11 24H2
- Cf. @mobilejon's blog post about the command: https://mobile-jon.com/2024/10/14/deep-dive-into-windows-sudo/
- New policy to control the state of the generative AI features in Acrobat and Acrobat Reader products
- Added all the steps required to update the bootloader against the BlackLotus vulnerability CVE-2023-24932
- `supportedOn` value for the DTLS 1.3 policy
- Dropdown selection list for Schannel verbosity levels
- Mitigation for the BlackLotus vulnerability CVE-2023-24932
- Support for DTLS 1.3 in Schannel section
- Typo in the MsCacheV2 hardening policy description: MSCHAPv2 -> MsCacheV2
- Improved the overall wording of the description
- Added the new policy "Enable support for TLS 1.2 only" for WinHTTP (#16)
- Thanks @Deas-h for the suggestion :)
- Updated the default value for PBKDF2-HMAC-SHA1 rounds and the associated policy description
- Added "Prevent standard users to install root certificates" policy
- Added a new category of policies, for Domain Controllers specific parameters
- This is empty for now, will soon be populated...
- Added "Configure the maximum/minimum SMB2 client dialect supported" policies
- Added a NOTE to the "Enable PowerShell Constrained Language Mode" policy
- Updated the "Available Settings" pages
- Typos and wording, both for en-US and fr-FR templates
- Configuration profiles for Schannel TLS cipher suites
- Loosely based on Mozilla recommendations, ANSSI recommendations and best practices
- Apply "EnableCertPaddingCheck" as REG_SZ, not DWORD
- Improve Schannel-related descriptions
- "Disable the strong-name bypass feature" policy for .NET Framework
- More information in the .NET documentation: https://learn.microsoft.com/en-us/dotnet/standard/assembly/disable-strong-name-bypass-feature
- "Disable the SAM server TCP listener"
- More details in this Twitter thread: https://twitter.com/agowa338/status/1581205232238796800
- Credits to @tyranid for the registry key
- "Disable Time-Travel Debugging" policy (#11)
- "Remove current working directory from DLL search" policy (#10)
- Typo in the fr-FR description of the "Number of PBKDF2 iterations for cached logons credentials hashing" policy
- Typo in the "Disabled list of the NET 2 Strong Crypto" policy (#9)
- "Disable the WPBT functionality" policy (#8)
- New policy to enable/disable kCET support on 21H2+ systems
- Thanks to Yarden Shafir (@yarden_shafir) and Connor McGarr (@33y0re)
- Cf. https://connormcgarr.github.io/hvci/ (#Conclusion)
- "Disable standard user in safe boot mode" policy (#5)
- Strict Authenticode signatures verification (#4)
- Changed the default value for the MsCacheV2 hashing algorithm required rounds to 1 048 576 (`NL$IterationCount = 1024`)
- Fixed a typo in fr-FR
- Removed support for 1024-bit Diffie-Hellman and PKCS (RSA key exchange) moduli
- Reworked the MsCacheV2 hashing algorithm description, and changed the minimum value allowed for the `NL$IterationCount` key