Sets Early launch antimalware engine's status to 1 which is Good + Unknown. CSP

• By being launched first by the kernel, ELAM is ensured to be launched before any third-party software and is therefore able to detect malware in the boot process and prevent it from initializing. ELAM drivers must be specially signed by Microsoft to ensure they are started by the Windows kernel early in the boot process.

• A sub-category that sets Early launch antimalware engine's status to 8 which is Good only. The default value is 3, which allows good, unknown and 'bad but critical'. that is the default value, because setting it to 8 can prevent your computer from booting if the driver it relies on is critical but at the same time unknown or bad.

Enables svchost.exe mitigations. built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them. These stricter security policies include a policy requiring all binaries loaded in these processes to be signed by Microsoft, and a policy disallowing dynamically generated code. CSP

• Requires Business Windows licenses. e.g., Windows 11 Pro for Workstations, Enterprise or Education.

• This causes some UI elements in the search settings in Windows settings to become unavailable for Standard user accounts to view, because it will be a managed feature by an Administrator.

Creates custom views for Windows Event Viewer to help keep tabs on important security events:

• Attack Surface Reduction Rules

• Controlled Folder Access

• Exploit Protection

• Network Protection

• MSI and Scripts for App Control Auditing

• Sudden Shut down events (due to power outage)

• Code Integrity Operational

• Restarts (By user or by the System/Apps)

• Workstation Locks and Unlocks

• Checks to make sure Other Logon/Logoff Events Audit is active CSP

• Failed Login attempts via PIN at lock screen

  • Error/Status code 0xC0000064 indicates wrong PIN entered at lock screen

• USB storage Connects & Disconnects (Flash drives, phones etc.)

Reduced Telemetry. This sub-category applies all of the policies mentioned below. They do not have any effect on security.

• Disable Online Tips. CSP

• Disable Find My Device feature. CSP

• Disable Automatic Update of Speech Data. CSP

• Turn off the advertising ID. CSP

• Turn off cloud optimized content. CSP

• Do not show Windows tips. CSP

• Do not show feedback notifications. CSP

• Turn off Automatic Download and Update of Map Data. CSP

• Disable Message Service Cloud Sync for cellular text messages. CSP

• Disable support for web-to-app linking with app URI handlers. CSP

• Disable "Continue experiences on this device" feature. CSP

• Disable Font Providers. CSP

• Don't search the web or display web results in Search. CSP

• Do not allow web search. More Info

Displays the following file extensions in File Explorer which are not displayed by default, not even when you enable "Show known file extensions" in File Explorer settings:

• .url - Prevents internet shortcuts from masquerading as legitimate files. This mitigates security risks where attackers use hidden extensions to disguise phishing links or malicious redirects as safe documents.

• .pif - Program Information Files (PIF) function similarly to .exe files and are frequently used by attackers to hide malware behind a less familiar file type.

• .link - Attackers frequently rely on the default hidden state of shortcuts to disguise malicious payloads as harmless documents. Revealing the extension allows you to verify the true file type and identify deceptive shortcuts before execution.