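#Requires -RunAsAdministrator
# --- Enhanced Lockdown Script for a School Shared Computer on Windows 11 Pro ---
# Run ONCE as an administrator. It:
#   1. restricts LAN traffic to the default gateway (Windows Firewall rules),
#   2. sets HKLM policy keys intended to disable cmd.exe and the Registry Editor,
#   3. denies write access on C:\Users\Public for the Users group,
#   4. disables Windows Update / telemetry services and their scheduled tasks,
#   5. installs a SYSTEM startup task that empties every profile's Temp folder and
#      wipes Brave Browser data so each boot starts from a clean state.
#
# SECURITY NOTE: section 4 turns off patching. A shared machine that never receives
# security updates is exposed to anyone on the same network; pair this script with a
# manual/offline patch cadence and re-enable updates during maintenance windows.
# Windows may also re-enable the update services on its own - verify after a reboot.
# None of the lockdowns below restrict PowerShell itself; for real application control
# on a shared machine consider AppLocker/WDAC in addition.

# ========================================
# 1. Network Isolation (LAN Restrictions)
# ========================================
$gateway    = '192.168.12.1'
$subnetCIDR = '192.168.12.0/24'

# Dotted IPv4 address -> 32-bit value (as [long] so arithmetic never goes negative).
function ConvertTo-IPv4Number([string]$Address) {
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()   # network byte order
    [Array]::Reverse($bytes)                                              # host (little-endian) order for BitConverter
    return [long][BitConverter]::ToUInt32($bytes, 0)
}

# 32-bit value -> dotted IPv4 address.
function ConvertFrom-IPv4Number([long]$Value) {
    $bytes = [BitConverter]::GetBytes([uint32]$Value)
    [Array]::Reverse($bytes)
    return [System.Net.IPAddress]::new($bytes).ToString()
}

# "a.b.c.d" for a single address, "a.b.c.d-w.x.y.z" for a span - both forms are accepted
# by New-NetFirewallRule -RemoteAddress.
function Format-IPv4Range([long]$Low, [long]$High) {
    if ($Low -eq $High) { return (ConvertFrom-IPv4Number $Low) }
    return ('{0}-{1}' -f (ConvertFrom-IPv4Number $Low), (ConvertFrom-IPv4Number $High))
}

# Return the address ranges of $Cidr with the single address $Exclude carved out.
# Needed because Windows Firewall evaluates Block rules BEFORE Allow rules: a Block rule
# covering the whole /24 would silently override the "Allow Gateway" rules below and cut
# the machine off from its own gateway. If $Exclude is outside $Cidr the whole range is
# returned unchanged.
function Get-IPv4RangesExcluding([string]$Cidr, [string]$Exclude) {
    $network, $prefixText = $Cidr.Split('/')
    $blockSize = [long][Math]::Pow(2, 32 - [int]$prefixText)
    $start = ConvertTo-IPv4Number $network
    $start = $start - ($start % $blockSize)      # align to the network address
    $end   = $start + $blockSize - 1             # broadcast address
    $skip  = ConvertTo-IPv4Number $Exclude

    if ($skip -lt $start -or $skip -gt $end) { return @(Format-IPv4Range $start $end) }
    $ranges = @()
    if ($skip -gt $start) { $ranges += Format-IPv4Range $start ($skip - 1) }
    if ($skip -lt $end)   { $ranges += Format-IPv4Range ($skip + 1) $end }
    return $ranges
}

$blockedLan = Get-IPv4RangesExcluding -Cidr $subnetCIDR -Exclude $gateway
Write-Output "Setting up network isolation for subnet $subnetCIDR with gateway $gateway"
Write-Output ("LAN addresses blocked: " + ($blockedLan -join ', '))

# Remove any earlier copies of our rules so re-running the script does not duplicate them.
$ruleNames = 'Allow Gateway Outbound', 'Allow Gateway Inbound', 'Block LAN Outbound', 'Block LAN Inbound'
foreach ($ruleName in $ruleNames) {
    Remove-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
}

# Allow traffic only to/from the gateway ...
New-NetFirewallRule -DisplayName 'Allow Gateway Outbound' -Direction Outbound -Action Allow -RemoteAddress $gateway -Protocol Any | Out-Null
New-NetFirewallRule -DisplayName 'Allow Gateway Inbound'  -Direction Inbound  -Action Allow -RemoteAddress $gateway -Protocol Any | Out-Null
# ... and block the rest of the LAN subnet (gateway carved out, see Get-IPv4RangesExcluding).
# These rules only take effect while Windows Firewall is enabled on the active profile, and
# traffic to other subnets via the gateway (i.e. the Internet) is deliberately not restricted.
New-NetFirewallRule -DisplayName 'Block LAN Outbound' -Direction Outbound -Action Block -RemoteAddress $blockedLan -Protocol Any | Out-Null
New-NetFirewallRule -DisplayName 'Block LAN Inbound'  -Direction Inbound  -Action Block -RemoteAddress $blockedLan -Protocol Any | Out-Null

# ====================================
# 2. System Lockdown Policies (Global)
# ====================================
Write-Output "Applying system lockdown policies via HKLM Group Policy keys."
# NOTE(review): "Prevent access to the command prompt" (DisableCMD) and "Prevent access to
# registry editing tools" (DisableRegistryTools) are documented as *User Configuration*
# policies read from HKCU. Whether these HKLM copies are honored on the target build must be
# verified on the machine; if not, apply them via the Default User hive or a loopback GPO.
$systemPolicy = 'HKLM:\Software\Policies\Microsoft\Windows\System'
New-Item -Path $systemPolicy -Force | Out-Null
# 1 = block cmd.exe and .bat/.cmd script processing (2 would block only the interactive console).
Set-ItemProperty -Path $systemPolicy -Name 'DisableCMD' -Value 1 -Force
Set-ItemProperty -Path $systemPolicy -Name 'DisableRegistryTools' -Value 1 -Force
# regedit.exe looks for DisableRegistryTools under ...\CurrentVersion\Policies\System, which
# differs from the DisableCMD path above, so also write it there.
$legacyPolicy = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
New-Item -Path $legacyPolicy -Force | Out-Null
Set-ItemProperty -Path $legacyPolicy -Name 'DisableRegistryTools' -Value 1 -Force

# ==============================
# 3. NTFS Permissions Restrictions
# ==============================
Write-Output "Restricting write access on common folders for standard/guest users."
$publicDir = 'C:\Users\Public'
if (Test-Path -LiteralPath $publicDir) {
    # *S-1-5-32-545 is BUILTIN\Users (a SID is immune to localized group names).
    # (OI)(CI) makes the deny inherit to existing and future files and subfolders; without it
    # only the Public folder object itself is protected and Public\Documents etc. stay writable.
    # Deny ACEs win over allows, so an admin account that is ALSO a member of Users loses
    # write access here too - use an account that is only in Administrators for maintenance.
    icacls $publicDir /deny '*S-1-5-32-545:(OI)(CI)(W,AD)' | Out-Null
    Write-Output "Applied NTFS restrictions on $publicDir."
}

# ===================================================
# 4. Disable Windows Update, Telemetry, and Related Tasks
# ===================================================
Write-Output "Disabling Windows Update, telemetry services, and their scheduled tasks."
# wuauserv  = Windows Update, UsoSvc = Update Orchestrator, DiagTrack = Connected User
# Experiences and Telemetry. See the SECURITY NOTE in the header about running unpatched.
foreach ($serviceName in 'wuauserv', 'UsoSvc', 'DiagTrack') {
    Stop-Service -Name $serviceName -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $serviceName -StartupType Disabled
}

# Limit telemetry via policy. On Windows 11 Pro a value of 0 (Security) is treated as 1
# (Basic/Required); 0 is only fully honored on Enterprise/Education editions.
$dataCollection = 'HKLM:\Software\Policies\Microsoft\Windows\DataCollection'
New-Item -Path $dataCollection -Force | Out-Null
Set-ItemProperty -Path $dataCollection -Name 'AllowTelemetry' -Value 0 -Force

# Disable the scheduled tasks that would otherwise re-trigger updates and telemetry uploads.
# Device Setup Manager is included because of its background communications.
$taskPaths = @(
    '\Microsoft\Windows\WindowsUpdate\',
    '\Microsoft\Windows\UpdateOrchestrator\',
    '\Microsoft\Windows\Customer Experience Improvement Program\',
    '\Microsoft\Windows\Device Setup Manager\'
)
foreach ($taskPath in $taskPaths) {
    Get-ScheduledTask -TaskPath $taskPath -ErrorAction SilentlyContinue |
        Disable-ScheduledTask -ErrorAction SilentlyContinue | Out-Null
}

# ==================================================
# 5. Cleanup Script & Scheduled Task for Startup Reset
# ==================================================
Write-Output "Installing scheduled cleanup task to run at startup."

# The cleanup script below is written to disk as-is (literal here-string: no expansion here).
$cleanupScriptContent = @'
# --- Startup Cleanup Script ---
# Runs as SYSTEM at boot: empties every profile's AppData\Local\Temp and deletes Brave
# Browser's "User Data" folder (which also holds its Tor-window profile) so each boot
# starts from a fresh state.
#
# SECURITY: this runs with SYSTEM rights over directories that standard users control.
# A student could replace Temp, AppData\Local or "User Data" with a junction/symlink
# pointing at C:\Windows\System32 and turn this cleanup into an arbitrary delete.
# Therefore nothing here ever follows a reparse point: every path component under the
# profile is checked, links are removed as links only, and recursion is done by hand
# instead of Remove-Item -Recurse, which in Windows PowerShell 5.1 can descend into them.
# (A check-then-delete race remains in theory; at boot, before any logon, no user code
# is running to exploit it.)

$usersPath = 'C:\Users'

function Test-ReparsePoint($Item) {
    return [bool]($Item.Attributes -band [System.IO.FileAttributes]::ReparsePoint)
}

# True if any directory from $Base (exclusive) down to the last component of $Relative
# (inclusive) is a junction/symlink. A missing component yields $false; the caller
# skips non-existent paths anyway.
function Test-RelativePathHasLink([string]$Base, [string]$Relative) {
    $current = $Base
    foreach ($part in $Relative.Split('\')) {
        $current = Join-Path $current $part
        $item = Get-Item -LiteralPath $current -Force -ErrorAction SilentlyContinue
        if (-not $item) { return $false }
        if (Test-ReparsePoint $item) { return $true }
    }
    return $false
}

# Delete only the link object itself, never the target it points to.
# Directory.Delete/File.Delete on a reparse point remove the link, not the target.
function Remove-LinkOnly($Item) {
    try {
        if ($Item.PSIsContainer) { [System.IO.Directory]::Delete($Item.FullName) }
        else                     { [System.IO.File]::Delete($Item.FullName) }
    } catch {
        Write-Warning "Could not remove link $($Item.FullName): $_"
    }
}

# Empty a directory without following junctions or symlinks anywhere inside it.
# The directory itself is kept. Does nothing if $Path is itself a reparse point.
function Clear-DirectoryContents([string]$Path) {
    $root = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $root -or -not $root.PSIsContainer -or (Test-ReparsePoint $root)) { return }
    foreach ($child in @(Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue)) {
        if (Test-ReparsePoint $child) {
            Remove-LinkOnly $child
        } elseif ($child.PSIsContainer) {
            Clear-DirectoryContents -Path $child.FullName
            try { [System.IO.Directory]::Delete($child.FullName) } catch { }   # best effort: may be in use
        } else {
            Remove-Item -LiteralPath $child.FullName -Force -ErrorAction SilentlyContinue
        }
    }
}

# Remove a whole directory tree with the same no-follow guarantee.
function Remove-DirectoryTreeSafely([string]$Path) {
    $root = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $root -or -not $root.PSIsContainer) { return }
    if (Test-ReparsePoint $root) {
        Write-Warning "Skipping $Path because it is a junction/symlink."
        return
    }
    Clear-DirectoryContents -Path $Path
    try { [System.IO.Directory]::Delete($Path) } catch { }
}

$tempRelative  = 'AppData\Local\Temp'
$braveRelative = 'AppData\Local\BraveSoftware\Brave-Browser\User Data'

foreach ($userDir in @(Get-ChildItem -LiteralPath $usersPath -Directory -ErrorAction SilentlyContinue)) {
    # Clear the profile's Temp folder (contents only; the folder itself stays).
    $tempPath = Join-Path $userDir.FullName $tempRelative
    if (Test-Path -LiteralPath $tempPath) {
        if (Test-RelativePathHasLink $userDir.FullName $tempRelative) {
            Write-Warning "Skipping $tempPath - a path component is a junction/symlink."
        } else {
            Clear-DirectoryContents -Path $tempPath
        }
    }

    # Remove Brave's entire User Data folder so the browser starts as freshly installed.
    $braveData = Join-Path $userDir.FullName $braveRelative
    if (Test-Path -LiteralPath $braveData) {
        if (Test-RelativePathHasLink $userDir.FullName $braveRelative) {
            Write-Warning "Skipping $braveData - a path component is a junction/symlink."
        } else {
            Remove-DirectoryTreeSafely -Path $braveData
        }
    }
}
'@

# Store the script under Program Files, NOT in the drive root. On a default install the
# root's inherited ACL typically lets Authenticated Users modify files created there, which
# would let any student edit a script that runs as SYSTEM at every boot.
$lockdownDir       = Join-Path $env:ProgramFiles 'SchoolLockdown'
$cleanupScriptPath = Join-Path $lockdownDir 'CleanupScript.ps1'
New-Item -Path $lockdownDir -ItemType Directory -Force | Out-Null
Set-Content -LiteralPath $cleanupScriptPath -Value $cleanupScriptContent -Force
# Reset inheritance and leave only SYSTEM (S-1-5-18) and Administrators (S-1-5-32-544)
# with Full control on the folder and everything in it.
icacls $lockdownDir /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null
Write-Output "Cleanup script saved to $cleanupScriptPath"

# Run the cleanup at every startup as SYSTEM. Use the full path to powershell.exe so the
# task does not depend on PATH lookup; -NonInteractive because nothing can answer a prompt.
$powershellExe = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'
$action    = New-ScheduledTaskAction -Execute $powershellExe -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$cleanupScriptPath`""
$trigger   = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
$taskName  = 'SystemCleanupTask'
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null
Write-Output "Scheduled task '$taskName' registered to run at startup."

Write-Output "Lockdown configuration complete. The system now enforces:
 - LAN communication only with the gateway ($gateway),
 - HKLM policy keys disabling CMD and Registry Editor (verify per-user enforcement),
 - NTFS write/append deny for Users on C:\Users\Public and its contents,
 - Disabled automatic Windows Update, telemetry, and related background tasks (patch manually!),
 - And a startup cleanup that resets Temp data and Brave Browser data without following links."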
