💼 Management Samenvatting
Search Highlights in Windows 11 taskbar toont trending searches en news van Bing, wat privacy zorgen oplevert en onnodige cloud connectivity introduceert.
Aanbeveling
IMPLEMENT
Risico zonder
Low
Risk Score
2/10
Implementatie
1u (tech: 0.5u)
Van toepassing op:
✓ Windows 11
SEARCH HIGHLIGHTS CONCERNS: Taskbar search icon shows: Trending Bing searches, News highlights, Seasonal content. PRIVACY: User interaction data sent to Microsoft (clicks, views), Location-based content (reveals user location), No business value voor enterprise. PRODUCTIVITY: Distracting content tijdens work, Bandwidth usage voor content updates. TELEMETRY: Tracking van wat users click in highlights.
PowerShell Modules Vereist
Primary API: Intune / Group Policy
Connection:
Required Modules:
Connection:
RegistryRequired Modules:
Implementatie
Schakel uit via Registry: Various locations control Search Highlights (Windows 11 feature). EFFECT: Taskbar search is simple search box (no highlights), No trending content, No telemetry over highlight interactions.
Vereisten
- Windows 11
- Intune of GPO
Implementatie
Gebruik PowerShell-script allow-search-highlights-is-set-to-0.ps1 (functie Invoke-Remediation) – Schakel uit search highlights.
Intune: Settings catalog → Search Highlights is Disabled
Monitoring
Gebruik PowerShell-script allow-search-highlights-is-set-to-0.ps1 (functie Invoke-Monitoring) – Verifieer Search Highlights disabled.
Compliance en Auditing
- AVG - Privacy
- BIO 14.02
Remediatie
Gebruik PowerShell-script allow-search-highlights-is-set-to-0.ps1 (functie Invoke-Remediation) – Herstellen.
Compliance & Frameworks
- BIO: 14.02.01 - Privacy
- ISO 27001:2022: A.18.1.4 - Privacy
Automation
Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).
PowerShell
<#
.SYNOPSIS
Intune Security Options: Search Highlights Disabled
.DESCRIPTION
CIS - Search highlights disabled.
.NOTES
Filename: search-highlights.ps1|Author: Nederlandse Baseline voor Veilige Cloud|Registry: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search\EnableDynamicContentInWSB|Expected: 0
#>
#Requires -Version 5.1
#Requires -RunAsAdministrator
[CmdletBinding()]param([switch]$WhatIf, [switch]$Monitoring, [switch]$Remediation, [switch]$Revert)
$ErrorActionPreference = 'Stop'; $RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search"; $RegName = "EnableDynamicContentInWSB"; $ExpectedValue = 0
function Connect-RequiredServices { $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) }
function Test-Compliance {
$r = [PSCustomObject]@{ScriptName = "search-highlight.ps1"; PolicyName = "Search Highlights"; IsCompliant = $false; CurrentValue = $null; ExpectedValue = "Disabled"; Details = @() }; function Invoke-Revert { Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue }
try { if (Test-Path $RegPath) { $v = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue; if ($v -and $v.$RegName -eq $ExpectedValue) { $r.IsCompliant = $true; $r.Details += "Search highlights disabled" }else { $r.Details += "Search highlights enabled" } }else { $r.IsCompliant = $true; $r.Details += "Default" } }catch { $r.Details += "Error: $($_.Exception.Message)" }; return $r
}
function Invoke-Remediation { if (-not(Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }; Set-ItemProperty -Path $RegPath -Name $RegName -Value $ExpectedValue -Type DWord -Force; Write-Host "Search highlights disabled" -ForegroundColor Green }
function Invoke-Monitoring { $r = Test-Compliance; Write-Host "`n$($r.PolicyName): $(if($r.IsCompliant){'COMPLIANT'}else{'NON-COMPLIANT'})" -ForegroundColor $(if ($r.IsCompliant) { 'Green' }else { 'Red' }); return $r }
function Invoke-Revert { Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue }
try { if (-not(Connect-RequiredServices)) { exit 1 }; if ($Monitoring) { $r = Invoke-Monitoring; exit $(if ($r.IsCompliant) { 0 }else { 1 }) }elseif ($Remediation) { if (-not $WhatIf) { Invoke-Remediation } }elseif ($Revert) { Invoke-Revert }else { $r = Test-Compliance; exit $(if ($r.IsCompliant) { 0 }else { 1 }) } }catch { Write-Error $_; exit 1 }
Risico zonder implementatie
Risico zonder implementatie
Low: Laag privacy risk: Tracking van search highlight interactions. Productivity distraction.
Management Samenvatting
Schakel uit Search Highlights in Windows 11 taskbar. Privacy + productivity. Implementatie: 30-60 min.
- Implementatietijd: 1 uur
- FTE required: 0.01 FTE