Merge pull request #884 from Atlas-OS/dev

Automatic PR: Merging dev into main (4180ff9)

.github/PULL_REQUEST_TEMPLATE/Enhancement.md

@@ -8,7 +8,7 @@ Describe what your changes do.
 
 #### Does this enhancement affect existing functionality?
 
-<!-- To check a box, replace the space between the [] with a x -->
+<!-- To check a box, replace the space between the [] with an X -->
 <!-- If yes, please state what. -->
 
 - [ ] Yes

.vscode/settings.json

@@ -0,0 +1,16 @@
+{
+    "yaml.customTags": [
+        "!run: mapping",
+        "!registryKey: mapping",
+        "!registryValue: mapping",
+        "!appx: mapping",
+        "!file: mapping",
+        "!service: mapping",
+        "!scheduledTask: mapping",
+        "!taskKill: mapping",
+        "!systemPackage: mapping",
+        "!cmd: mapping",
+        "!powerShell: mapping",
+        "!writeStatus: mapping"
+    ],
+}

src/playbook/Configuration/atlas/appx.yml

@@ -79,11 +79,6 @@ actions:
   - !appx: {name: '*Microsoft.Windows.OOBENetworkCaptivePortal*', type: family}
   - !appx: {name: '*Microsoft.Windows.OOBENetworkConnectionFlow*', type: family}
 
-  # Windows Security (Defender)
-  - !appx: {name: '*Microsoft.Windows.SecHealthUI*', type: family}
-  # SmartScreen
-  - !appx: {name: '*Microsoft.Windows.Apprep.ChxApp*', type: family}
-
   # Mail and Calendar
   - !appx: {name: '*microsoft.windowscommunicationsapps*', type: family}
 
@@ -96,7 +91,6 @@ actions:
   - !appx: {name: '*Microsoft.GetHelp*', type: family}
   - !appx: {name: '*Microsoft.Getstarted*', type: family}
   - !appx: {name: '*Microsoft.Microsoft3DViewer*', type: family}
-  # - !appx: {name: '*Microsoft.MicrosoftEdge*', type: family}
   # - !appx: {name: '*microsoft.microsoftedge.stable*', type: family}
   # - !appx: {name: '*Microsoft.MicrosoftEdgeDevToolsClient*', type: family}
   - !appx: {name: '*Microsoft.MicrosoftOfficeHub*', type: family}

src/playbook/Configuration/atlas/kill-kph.yml

@@ -0,0 +1,10 @@
+---
+title: Kill & Disable KProcessHacker2
+description: Kills, removes and disables ProcessHacker using its kernel mode driver to prevent conflicts with Memory Integrity and the Microsoft Vulnerable Driver Blocklist 
+privilege: TrustedInstaller
+actions:
+  - !run:
+    exe: 'powershell.exe'
+    args: '-NoP -Ex Unrestricted -File KILLKPH.ps1'
+    exeDir: true
+    wait: true

src/playbook/Configuration/atlas/services.yml

@@ -28,22 +28,6 @@ actions:
   - !service: {name: 'AssignedAccessManagerSvc', operation: delete}
   - !service: {name: 'RetailDemo', operation: delete}
 
-  # Defender
-  - !taskKill: {name: 'SecurityHealthSystray'}
-  - !taskKill: {name: 'SecurityHealthService'}
-  - !service: {name: 'WpcMonSvc', operation: delete}
-  - !service: {name: 'wisvc', operation: delete}
-  - !service: {name: 'Sense', operation: delete}
-  - !service: {name: 'webthreatdefusersvc*', operation: delete}
-  - !service: {name: 'webthreatdefsvc', operation: delete}
-  - !service: {name: 'UevAgentService', operation: delete}
-  - !service: {name: 'wscsvc', operation: delete}
-  - !service: {name: 'SecurityHealthService', operation: delete}
-  - !registryKey: {path: 'HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv'}
-  - !registryKey: {path: 'HKLM\SYSTEM\CurrentControlSet001\Services\WdNisDrv'}
-  - !registryKey: {path: 'HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc'}
-  - !registryKey: {path: 'HKLM\SYSTEM\CurrentControlSet001\Services\WdNisSvc'}
-
   # Backup default Windows serivces & drivers
   - !run: {exe: 'BACKUP1.cmd', exeDir: true}
 
@@ -73,8 +57,6 @@ actions:
   - !service: {name: 'IpxlatCfgSvc', operation: change, startup: 4}
   # KeyIso 4 < causes issues with NVCleanstall's driver telemetry tweak
   - !service: {name: 'KtmRm', operation: change, startup: 4}
-  - !service: {name: 'LanmanServer', operation: change, startup: 4}
-  - !service: {name: 'LanmanWorkstation', operation: change, startup: 4}
   - !service: {name: 'lmhosts', operation: change, startup: 4}
   - !service: {name: 'luafv', operation: change, startup: 4}
   - !service: {name: 'MSDTC', operation: change, startup: 4}
@@ -152,18 +134,15 @@ actions:
   # FileInfo 4 < breaks installing Microsoft Store applications to different disk (now disabled via store script)
   # FileCrypt 4 < Breaks installing Microsoft Store applications to different disk (now disabled via store script)
   - !service: {name: 'GpuEnergyDrv', operation: change, startup: 4}
-  - !service: {name: 'KSecPkg', operation: change, startup: 4}
-  - !service: {name: 'mrxsmb', operation: change, startup: 4}
-  - !service: {name: 'mrxsmb20', operation: change, startup: 4}
   # NdisVirtualBus 4 < breaks network bridges
   - !service: {name: 'nvraid', operation: change, startup: 4}
   # PEAUTH 4 < breaks UWP streaming applications such as netflix, manual mode does not fix
   # Set rdbss to manual instead of disabling (fixes WSL), thanks Phlegm
-  - !service: {name: 'rdbss', operation: change, startup: 3}
+  # Commented as we're not sure if it functions normally set to manual
+  # - !service: {name: 'rdbss', operation: change, startup: 3}
   - !service: {name: 'sfloppy', operation: change, startup: 4}
   - !service: {name: 'SiSRaid2', operation: change, startup: 4}
   - !service: {name: 'SiSRaid4', operation: change, startup: 4}
-  - !service: {name: 'srv2', operation: change, startup: 4}
   - !service: {name: 'tcpipreg', operation: change, startup: 4}
   - !service: {name: 'Telemetry', operation: change, startup: 4}
   - !service: {name: 'udfs', operation: change, startup: 4}

src/playbook/Configuration/atlas/start.yml

@@ -9,15 +9,15 @@ actions:
   - !writeStatus: {status: 'Copying files'}
   - !cmd:
     exeDir: true
-    command: 'xcopy "Web" "C:\Windows\Web" /E /Y /I'
+    command: 'robocopy "Web" "C:\Windows\Web" /E /PURGE /IM /IT /NP'
     weight: 10
   - !cmd:
     exeDir: true
-    command: 'xcopy "User Account Pictures" "C:\ProgramData\Microsoft\User Account Pictures" /E /Y /I'
+    command: 'robocopy "User Account Pictures" "C:\ProgramData\Microsoft\User Account Pictures" /E /PURGE /IM /IT /NP'
     weight: 10
   - !cmd:
     exeDir: true
-    command: 'xcopy "AtlasModules" "C:\Windows\AtlasModules" /E /Y /I'
+    command: 'robocopy "AtlasModules" "C:\Windows\AtlasModules" /E /PURGE /IM /IT /NP'
     weight: 10
   - !run:
     exeDir: true
@@ -30,6 +30,10 @@ actions:
   - !cmd:
     exeDir: true
     command: 'setx path "%PATH%;C:\Windows\AtlasModules;C:\Windows\AtlasModules\Apps;C:\Windows\AtlasModules\Other;C:\Windows\AtlasModules\Tools;C:\Windows\AtlasModules\Scripts" -m'
+    # Set path for Atlas PowerShell modules
+  - !cmd:
+    exeDir: true
+    command: 'setx psmodulepath "%psmodulepath%;C:\Windows\AtlasModules\Scripts\Modules" -m'
 
   - !writeStatus: {status: 'Configuring Windows Update'}
   - !registryValue: {path: 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate', value: 'ExcludeWUDriversInQualityUpdate', data: '1', type: REG_DWORD}
@@ -67,7 +71,6 @@ actions:
   - !cmd: {command: 'DISM /Online /Disable-Feature /FeatureName:"Printing-Foundation-InternetPrinting-Client" /NoRestart', weight: 30}
   - !cmd: {command: 'DISM /Online /Disable-Feature /FeatureName:"Printing-XPSServices-Features" /NoRestart', weight: 30}
   - !cmd: {command: 'DISM /Online /Disable-Feature /FeatureName:"MSRDC-Infrastructure" /NoRestart', weight: 30}
-  - !cmd: {command: 'DISM /Online /Disable-Feature /FeatureName:"SmbDirect" /NoRestart', weight: 30}
   - !cmd: {command: 'DISM /Online /Disable-Feature /FeatureName:"Windows-Defender-Default-Definitions" /NoRestart', weight: 30}
   - !cmd: {command: 'DISM /Online /Disable-Feature /FeatureName:"WorkFolders-Client" /NoRestart', weight: 30}
 
@@ -443,3 +446,4 @@ actions:
   - !file:
     path: 'C:\Windows\SoftwareDistribution'
     weight: 20
+    ignoreErrors: true

src/playbook/Configuration/custom.yml

@@ -6,9 +6,9 @@ actions: []
 features:
   # Configure PowerShell first so that other PowerShell scripts work
   - tweaks\qol\config-powershell.yml
+  - atlas\kill-kph.yml
   - atlas\start.yml
   - atlas\services.yml
-  - atlas\appx.yml
   - atlas\components.yml
-  - atlas\packages.yml
+  - atlas\appx.yml
   - tweaks.yml

src/playbook/Configuration/tweaks.yml

@@ -19,22 +19,6 @@ features:
   - tweaks\statuses\status-ngen.yml
   - tweaks\scripts\script-ngen.yml
 
-  # -----------------------------------------------------
-  #                         Misc                         
-  # -----------------------------------------------------
-  # >>> Description <<<
-  #
-  # Miscellaneous tweaks which do not fit into other
-  # categories.
-  # -----------------------------------------------------
-  - tweaks\statuses\status-misc.yml
-  - tweaks\misc\config-time.yml
-  - tweaks\misc\disable-fast-user-switching.yml
-  - tweaks\misc\disable-game-mode.yml
-  - tweaks\misc\fix-no-downloads-bug.yml
-  - tweaks\misc\oem-information.yml
-  - tweaks\misc\rebuild-perf-counters.yml
-
   # -----------------------------------------------------
   #                      Networking                        
   # -----------------------------------------------------
@@ -75,10 +59,9 @@ features:
   - tweaks\performance\config-mmcss.yml
   - tweaks\performance\disable-automatic-maintenance.yml
   - tweaks\performance\disable-background-apps.yml
-  - tweaks\performance\disable-perf-track.yml
-  - tweaks\performance\disable-rsop-logging.yml
   - tweaks\performance\extend-cache.yml
   - tweaks\performance\no-search-invalid-shortcuts.yml
+  - tweaks\performance\disable-fth.yml
 
   # -------------------------------------------------------------------------- #
   #  performance\system                                                        #
@@ -114,7 +97,9 @@ features:
   - tweaks\privacy\disable-lockscreen-camera.yml
   - tweaks\privacy\disable-online-speech-recognition.yml
   - tweaks\privacy\disable-pca.yml
+  - tweaks\privacy\disable-perf-track.yml
   - tweaks\privacy\disable-privacy-experience.yml
+  - tweaks\privacy\disable-rsop-logging.yml
   - tweaks\privacy\disable-speech-auto-updates.yml
   - tweaks\privacy\disable-tailored-experiences.yml
   - tweaks\privacy\disable-user-tracking.yml
@@ -199,6 +184,7 @@ features:
   #  qol\explorer                                                              #
   # -------------------------------------------------------------------------- #
   - tweaks\qol\explorer\always-more-details-transfer.yml
+  - tweaks\qol\explorer\disable-check-boxes.yml
   - tweaks\qol\explorer\disable-folder-type-discovery.yml
   - tweaks\qol\explorer\disable-folders-this-pc.yml
   - tweaks\qol\explorer\disable-network-navigation-pane.yml
@@ -242,9 +228,7 @@ features:
   # -------------------------------------------------------------------------- #
   #  qol\security                                                              #
   # -------------------------------------------------------------------------- #
-  - tweaks\qol\security\disable-online-file-security-warn.yml
-  - tweaks\qol\security\disable-smartscreen.yml
-  - tweaks\qol\disable-uac-secure-desktop.yml
+  - tweaks\qol\security\disable-uac-secure-desktop.yml
 
   # -------------------------------------------------------------------------- #
   #  qol\shell                                                                 #
@@ -261,7 +245,7 @@ features:
   - tweaks\qol\shell\disable-notifications.yml
   - tweaks\qol\shell\disable-shared-experiences.yml
   # This is easier for some people to use shortcuts
-  # instead of searching through Settings.
+  # instead of searching through Settings
   # - tweaks\qol\shell\notification-quick-settings.yml
   - tweaks\qol\shell\old-alt-tab.yml
 
@@ -291,6 +275,7 @@ features:
   - tweaks\qol\taskbar\hide-meet-now.yml
   - tweaks\qol\taskbar\hide-task-view.yml
   - tweaks\qol\taskbar\no-store-taskbar-pin.yml
+  - tweaks\qol\taskbar\config-pins.yml
 
   # -----------------------------------------------------
   #                       Security                       
@@ -305,7 +290,8 @@ features:
   # This account should be deleted after OOBE
   # - tweaks\security\delete-defaultuser0.yml
   - tweaks\security\disable-remote-assistance.yml
-  # No longer needed as Atlas only runs on new Windows versions
+  # Not needed on modern versions of Windows
+  # https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls
   # - tweaks\security\strong-dotnet-crypto.yml
 
   # -----------------------------------------------------
@@ -326,6 +312,8 @@ features:
   - tweaks\debloat\legacy-photo-viewer.yml
   - tweaks\debloat\prevent-edge-update.yml
   - tweaks\debloat\scheduled-tasks.yml
+  - tweaks\debloat\hide-unused-security-pages.yml
+  - tweaks\debloat\config-storage-sense.yml
 
   # -----------------------------------------------------
   #                        Scripts                       
@@ -336,7 +324,6 @@ features:
   # or batch scripts for more advanced operations.
   # -----------------------------------------------------
   - tweaks\statuses\status-scripts.yml
-  - tweaks\scripts\script-storage-sense.yml
   - tweaks\scripts\script-core-isolation.yml
   - tweaks\scripts\script-mitigations.yml
   - tweaks\scripts\script-devices.yml
@@ -346,3 +333,20 @@ features:
   - tweaks\scripts\script-wallpaper.yml
   - tweaks\scripts\script-finalize.yml
   - tweaks\scripts\script-backup2.yml
+
+  # -----------------------------------------------------
+  #                         Misc                         
+  # -----------------------------------------------------
+  # >>> Description <<<
+  #
+  # Miscellaneous tweaks which do not fit into other
+  # categories.
+  # -----------------------------------------------------
+  - tweaks\statuses\status-misc.yml
+  - tweaks\misc\config-time.yml
+  - tweaks\misc\disable-fast-user-switching.yml
+  - tweaks\misc\disable-game-mode.yml
+  - tweaks\misc\fix-no-downloads-bug.yml
+  - tweaks\misc\oem-information.yml
+  - tweaks\misc\rebuild-perf-counters.yml
+  - tweaks\misc\delete-nsudo.yml

src/playbook/Configuration/tweaks/debloat/config-storage-sense.yml

@@ -0,0 +1,31 @@
+---
+title: Configure Storage Sense
+description: Configures Storage Sense to automatically cleanup temporary files every month
+privilege: TrustedInstaller
+actions:
+    # Reference: https://gist.github.com/he3als/3d9dcf6e796aa920c24a98130165fb17
+
+    # Enable Storage Sense
+  - !registryValue: {path: 'HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy', value: '01', type: REG_DWORD, data: '1'}
+    # Run Storage Sense
+  - !registryValue: {path: 'HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy', value: '1024', type: REG_DWORD, data: '1'}
+    # Run Storage Sense every month
+  - !registryValue: {path: 'HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy', value: '2048', type: REG_DWORD, data: '30'}
+    # Enable cleaning temporary files
+  - !registryValue: {path: 'HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy', value: '04', type: REG_DWORD, data: '1'}
+    # Disable the 'Downloads' from being cleared
+  - !registryValue: {path: 'HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy', value: '32', type: REG_DWORD, data: '0'}
+    # Disable OneDrive cleanup
+  - !registryValue: {path: 'HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy', value: '02', type: REG_DWORD, data: '0'}
+  - !registryValue: {path: 'HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy', value: '128', type: REG_DWORD, data: '0'}
+    # Clean Recycle Bin every month
+  - !registryValue: {path: 'HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy', value: '08', type: REG_DWORD, data: '1'}
+  - !registryValue: {path: 'HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy', value: '256', type: REG_DWORD, data: '30'}
+
+    # Enable cleaning temp files
+  - !run:
+    exe: 'schtasks.exe'
+    args: '/change /tn "Microsoft\Windows\DiskCleanup\SilentCleanup" /enable'
+    wait: true
+
+    # There's also subkeys for OneDrive cleanup, but as OneDrive is uninstalled, they probably aren't relevant

src/playbook/Configuration/tweaks/debloat/hide-unused-security-pages.yml

@@ -0,0 +1,21 @@
+---
+title: Hide Unused Windows Security Pages
+description: Hides Windows Security pages that are not commonly needed/used to have a more clean UI
+privilege: TrustedInstaller
+actions:
+    # Remove bloat pages
+  - !registryValue:
+    path: 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options'
+    value: 'UILockdown'
+    data: '1'
+    type: REG_DWORD
+  - !registryValue:
+    path: 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health'
+    value: 'UILockdown'
+    data: '1'
+    type: REG_DWORD
+  - !registryValue:
+    path: 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection'
+    value: 'UILockdown'
+    data: '1'
+    type: REG_DWORD

src/playbook/Configuration/tweaks/misc/delete-nsudo.yml

@@ -0,0 +1,6 @@
+---
+title: Delete Temporary NSudo
+description: Deletes the temporary NSudo used for de-elevation in AME Wizard
+privilege: TrustedInstaller
+actions:
+  - !file: {path: 'C:\Windows\AtlasModules\Tools\NSudoLG.exe'}

src/playbook/Configuration/tweaks/performance/disable-fth.yml

@@ -0,0 +1,17 @@
+---
+title: Disable Fault Tolerant Heap (FTH)
+description: FTH is a feature in Windows 7+ that applies mitigations (non-CPU related) to applications that repeatedly crash to prevent further crashes, but when the FTH is active for a certain application, there's a performance hit.
+privilege: TrustedInstaller
+actions:
+    # https://devblogs.microsoft.com/oldnewthing/20120125-00/?p=8463
+    # Document listed as only affected in Windows 7, is also in 7+
+    # https://docs.microsoft.com/en-us/windows/win32/win7appqual/fault-tolerant-heap
+    # https://www.3dcadworld.com/windows-7-fault-tolerant-heap-prevents-crashing/
+
+  - !registryValue:
+    path: 'HKLM\SOFTWARE\Microsoft\FTH'
+    value: 'Enabled'
+    data: '0'
+    type: REG_DWORD
+    # Reset FTH entries
+  - !run: {exe: 'rundll32.exe', args: 'fthsvc.dll,FthSysprepSpecialize'}

src/playbook/Configuration/tweaks/privacy/disable-location-tracking.yml

@@ -1,6 +1,6 @@
 ---
 title: Disable Location Tracking
-description: Disables location tracking (also called Find My Device) for privacy
+description: Disables location tracking feature (also called Find My Device) for privacy
 privilege: TrustedInstaller
 actions:
   - !registryValue:

src/playbook/Configuration/tweaks/privacy/telemetry/disable-dotnet-cli-telemetry.yml

@@ -1,6 +1,6 @@
 ---
 title: Disable .NET CLI Telemetry
-description: Disables .NET CLI telemetry
+description: Disables .NET CLI telemetry for privacy
 privilege: TrustedInstaller
 actions:
     # https://learn.microsoft.com/en-us/dotnet/core/tools/telemetry