Input Personalization Blocked

Management Summary

Input personalization (collection of typing data) must be blocked to prevent everything users type from being sent to the Microsoft cloud for 'personalization', which poses a serious privacy and data leakage risk.

Recommendation: IMPLEMENT
Risk without: High
Risk Score: 6/10
Implementation: 1.5 h (technical: 0.5 h)
Applies to:
✓ Windows 10
✓ Windows 11

INPUT PERSONALIZATION DATA COLLECTION: Windows can collect ALL typing data and send it to the Microsoft cloud for: handwriting recognition improvement, typing predictions, Cortana personalization, and inking data analysis.

WHAT IS SENT: everything you TYPE (emails, documents, passwords if visible, search queries, URLs), handwriting samples (ink data from tablets), contact names, calendar entries, and app usage patterns.

PRIVACY NIGHTMARE: Microsoft receives the complete typing history (potentially confidential business information), personal data (private communications), credentials (if a user types a password in a clear-text app), and competitive intelligence (what the organisation is working on).

SECURITY RISKS: data is stored in the Microsoft cloud (consumer services, NOT corporate M365); no corporate control over encryption keys; a potential data breach at Microsoft exposes organisational data; no audit trail of what precisely was sent.

AVG/GDPR CONCERNS: massive data collection without explicit purpose limitation, data minimisation violations, consent issues (users are not fully aware of the extent), and cross-border data transfers (data may be stored outside the EU).

BUSINESS DATA LEAKAGE: a user types a confidential strategy document → typing data is synced to the cloud → Microsoft analytics → potential inadvertent disclosure in product features.

PowerShell Modules Required
Primary API: Intune / Group Policy
Connection: Registry
Required Modules: none (the script below uses only built-in registry cmdlets)

Implementation

Block input personalization via the registry: HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization\AllowInputPersonalization = 0. EFFECT: NO typing data is sent to the cloud; handwriting/inking data stays local; Cortana personalization is disabled (but Cortana can still work with limited features); local typing still works perfectly (no cloud needed).
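As an added example (not the baseline's own script), the function below reports where the effective setting comes from: the machine policy value this control sets, a per-user opt-out, or the Windows default. The HKCU path and its RestrictImplicitTextCollection / RestrictImplicitInkCollection values are an assumption about the per-user settings and are not taken from this page; only the policy-enforced state is treated as compliant, because a user-level opt-out can be reverted by the user.

```powershell
# Added example, not part of the baseline script. Reports the effective input
# personalization state and its source. Compliance requires the HKLM policy value
# AllowInputPersonalization = 0; the HKCU values are assumed per-user opt-out settings.
function Get-InputPersonalizationState {
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization'
    $policyName = 'AllowInputPersonalization'
    $userPath   = 'HKCU:\Software\Microsoft\InputPersonalization'   # assumed per-user path

    $state = [PSCustomObject]@{
        Source    = 'Default'      # Policy | User | Default
        Effective = 'Allowed'      # Allowed | Blocked
        Enforced  = $false         # $true only when blocked by machine policy
        Details   = @()
    }

    # 1. Machine policy (what Intune / GPO writes) wins over every user setting.
    $policy = Get-ItemProperty -Path $policyPath -Name $policyName -ErrorAction SilentlyContinue
    if ($null -ne $policy) {
        $state.Source = 'Policy'
        if ($policy.$policyName -eq 0) {
            $state.Effective = 'Blocked'
            $state.Enforced  = $true
            $state.Details  += "$policyName = 0 (Block) enforced by policy"
        } else {
            $state.Details  += "$policyName = $($policy.$policyName): policy explicitly allows collection"
        }
        return $state
    }

    # 2. No policy: check the current user's own opt-out (reversible by the user).
    $user = Get-ItemProperty -Path $userPath -ErrorAction SilentlyContinue
    if ($null -ne $user -and
        $user.RestrictImplicitTextCollection -eq 1 -and
        $user.RestrictImplicitInkCollection -eq 1) {
        $state.Source    = 'User'
        $state.Effective = 'Blocked'
        $state.Details  += 'User disabled typing/inking collection, but no policy enforces it'
        return $state
    }

    # 3. Nothing set: Windows allows collection by default.
    $state.Details += 'No policy and no user opt-out: typing data collection allowed'
    return $state
}

$result = Get-InputPersonalizationState
$result | Format-List
exit $(if ($result.Enforced) { 0 } else { 1 })
```

The exit code follows the Intune detection-script convention (0 = compliant, 1 = remediation needed), so the function can be used directly as a detection script.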

Requirements

  1. Windows 10/11
  2. Intune or GPO
  3. User communication: Cortana features may be limited

Implementation

Use the PowerShell script allow-input-personalization-is-set-to-block.ps1 (function Invoke-Remediation) to block input personalization.

Intune: Privacy → AllowInputPersonalization set to Block (0)

Monitoring

Use the PowerShell script allow-input-personalization-is-set-to-block.ps1 (function Invoke-Monitoring) to verify that AllowInputPersonalization is 0.

Compliance and Auditing

  1. AVG (GDPR) Article 5 - Data minimisation: no unnecessary collection of typing data
  2. BIO 14.02 - Privacy: minimise telemetry
  3. ISO 27001 A.18.1.4 - Privacy protection

Remediation

Use the PowerShell script allow-input-personalization-is-set-to-block.ps1 (function Invoke-Remediation) to restore the setting.

Compliance & Frameworks

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell

```powershell
<#
.SYNOPSIS
    Intune Security Options: Input Personalization Blocked
.DESCRIPTION
    CIS - Input personalization (typing data to cloud) blocked.
.NOTES
    Filename: input-personalization.ps1
    Author:   Nederlandse Baseline voor Veilige Cloud
    Registry: HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization\AllowInputPersonalization
    Expected: 0
#>
#Requires -Version 5.1
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [switch]$WhatIf,
    [switch]$Monitoring,
    [switch]$Remediation,
    [switch]$Revert
)

$ErrorActionPreference = 'Stop'
$RegPath       = "HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization"
$RegName       = "AllowInputPersonalization"
$ExpectedValue = 0

# Confirms the script runs elevated; HKLM\SOFTWARE\Policies is not writable otherwise.
function Connect-RequiredServices {
    $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Reads the policy value and reports whether it matches the expected 0 (Block).
function Test-Compliance {
    $r = [PSCustomObject]@{
        ScriptName    = "input-personalization.ps1"
        PolicyName    = "Input Personalization"
        IsCompliant   = $false
        CurrentValue  = $null
        ExpectedValue = "Blocked"
        Details       = @()
    }
    try {
        if (Test-Path $RegPath) {
            $v = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
            if ($v) { $r.CurrentValue = $v.$RegName }
            if ($v -and $v.$RegName -eq $ExpectedValue) {
                $r.IsCompliant = $true
                $r.Details += "Input personalization blocked"
            } else {
                $r.Details += "Input personalization enabled"
            }
        } else {
            # No policy key: the setting is not enforced, so collection is allowed by default.
            $r.Details += "Policy not configured (input personalization allowed by default)"
        }
    } catch {
        $r.Details += "Error: $($_.Exception.Message)"
    }
    return $r
}

# Creates the policy key if needed and writes AllowInputPersonalization = 0 as a DWORD.
function Invoke-Remediation {
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    Set-ItemProperty -Path $RegPath -Name $RegName -Value $ExpectedValue -Type DWord -Force
    Write-Host "Input personalization blocked" -ForegroundColor Green
}

function Invoke-Monitoring {
    $r = Test-Compliance
    $state = if ($r.IsCompliant) { 'COMPLIANT' } else { 'NON-COMPLIANT' }
    Write-Host "`n$($r.PolicyName): $state" -ForegroundColor $(if ($r.IsCompliant) { 'Green' } else { 'Red' })
    return $r
}

# Removes the policy value so Windows falls back to the user-controlled default.
function Invoke-Revert {
    Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
}

try {
    if (-not (Connect-RequiredServices)) { exit 1 }
    if ($Monitoring) {
        $r = Invoke-Monitoring
        exit $(if ($r.IsCompliant) { 0 } else { 1 })
    } elseif ($Remediation) {
        if (-not $WhatIf) { Invoke-Remediation }
    } elseif ($Revert) {
        Invoke-Revert
    } else {
        $r = Test-Compliance
        exit $(if ($r.IsCompliant) { 0 } else { 1 })
    }
} catch {
    Write-Error $_
    exit 1
}
```

Risk Without Implementation

High: high privacy/data leakage risk: all typing data is sent to the Microsoft cloud, including passwords, confidential information and business data. AVG data minimisation violations.

Management Summary

Block input personalization (AllowInputPersonalization=0). Prevents typing data from being uploaded to the Microsoft cloud. Protects privacy. Cortana features are limited, but typing works fine. Implementation: 30-90 min.