Windows Spotlight Blocked

Management Summary

Windows Spotlight downloads lock screen images and tips from Microsoft, which generates telemetry and introduces unnecessary cloud connectivity.

Recommendation
IMPLEMENT
Risk without implementation
Low
Risk Score
2/10
Implementation
1 h (technical: 0.5 h)
Applies to:
✓ Windows 10
✓ Windows 11

SPOTLIGHT TELEMETRY: lock screen images are downloaded from the Microsoft cloud; user interaction is tracked (likes, dislikes); location data is used for targeted content.
PRIVACY: Microsoft learns which images users like, lock screen interaction patterns, and the approximate user location (via IP).
ENTERPRISE: no business value (lock screen images are irrelevant); a corporate lock screen looks more professional; image downloads consume bandwidth.
COMPLIANCE: data minimization; unnecessary cloud connectivity.

PowerShell Modules Required
Primary API: Intune / Group Policy
Connection: Registry
Required Modules: none (the script only uses the built-in registry provider cmdlets)

Implementation

Disable Spotlight: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent\DisableWindowsSpotlightFeatures = 1.
EFFECT: static lock screen (no dynamic images), no tips/tricks, no Spotlight telemetry; a corporate lock screen image can be set via GPO.
Caveat: the Group Policy setting "Turn off all Windows spotlight features" is a User Configuration policy, so Group Policy and Intune write it per user under HKCU:\SOFTWARE\Policies\Microsoft\Windows\CloudContent. The script below sets and checks the machine-wide HKLM location; after deployment, confirm on a test device that Spotlight is actually off for the signed-in user and that the HKCU value is present for that user.

Requirements

  1. Windows 10/11
  2. Corporate lock screen image (optional)

Implementation

Use the PowerShell script allow-windows-spotlight-user-is-set-to-block.ps1 (function Invoke-Remediation): disable Spotlight.

Intune: Cloud Content → DisableWindowsSpotlightFeatures = 1
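Because the Spotlight policy is user-scoped while the baseline script only looks at HKLM, a practitioner verifying a deployment wants to see the value in every loaded user hive as well. The following script is an added example, not part of the baseline script or the Nederlandse Baseline voor Veilige Cloud project: it audits DisableWindowsSpotlightFeatures at machine scope and in each loaded user profile hive under HKEY_USERS, and optionally applies the corporate lock screen image the page mentions through the Personalization policy ("Force a specific default lock screen and logon image", which applies to Enterprise and Education editions). The image path is a placeholder you supply; the HKU enumeration only sees users who are currently logged on or whose hive is otherwise loaded.

```powershell
<#
.SYNOPSIS
    Added example: audit the Spotlight policy at machine and user scope, optionally set a corporate lock screen.
.NOTES
    Not part of the baseline script. Assumptions: -LockScreenImage is a placeholder path;
    the Personalization policy values apply to Enterprise/Education editions only.
#>
#Requires -Version 5.1
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    # Optional corporate image, e.g. C:\Corp\lockscreen.jpg (placeholder, not from the page)
    [string]$LockScreenImage
)

$ErrorActionPreference = 'Stop'
$ValueName = 'DisableWindowsSpotlightFeatures'
$SubKey    = 'SOFTWARE\Policies\Microsoft\Windows\CloudContent'

function Get-PolicyValue {
    # Returns the DWORD under the given policy key, or $null when key or value is absent.
    param([string]$Path)
    if (Test-Path -Path $Path) {
        (Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    }
}

$results = @()

# Machine scope: the location the baseline script writes to.
$results += [PSCustomObject]@{ Scope = 'HKLM'; Value = Get-PolicyValue "HKLM:\$SubKey" }

# User scope: the GPO lives under User Configuration, so Group Policy writes it per user.
# Enumerate loaded profile hives (S-1-5-21-... SIDs), skipping the *_Classes hives.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object {
        $results += [PSCustomObject]@{
            Scope = "HKU\$($_.PSChildName)"
            Value = Get-PolicyValue "HKU:\$($_.PSChildName)\$SubKey"
        }
    }

# Report: only a value of 1 counts as blocked; absent means the Windows default (Spotlight on).
foreach ($r in $results) {
    $shown = if ($null -eq $r.Value) { '(not set)' } else { $r.Value }
    $state = if ($r.Value -eq 1) { 'COMPLIANT' } else { 'NON-COMPLIANT' }
    $color = if ($r.Value -eq 1) { 'Green' } else { 'Red' }
    Write-Host ('{0,-60} {1,-10} {2}' -f $r.Scope, $shown, $state) -ForegroundColor $color
}

# Optional: enforce a corporate lock screen so the static lock screen is not blank.
if ($LockScreenImage) {
    if (-not (Test-Path -LiteralPath $LockScreenImage)) {
        throw "Lock screen image not found: $LockScreenImage"
    }
    $persPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization'
    if (-not (Test-Path -Path $persPath)) { New-Item -Path $persPath -Force | Out-Null }
    # 'Force a specific default lock screen and logon image' (Enterprise/Education)
    Set-ItemProperty -Path $persPath -Name 'LockScreenImage' -Value $LockScreenImage -Type String
    # 'Prevent changing lock screen and logon image' so users cannot override it
    Set-ItemProperty -Path $persPath -Name 'NoChangingLockScreen' -Value 1 -Type DWord
    Write-Host "Corporate lock screen set to $LockScreenImage" -ForegroundColor Green
}

# Exit non-zero if any checked scope is not blocked, so the script can feed a compliance pipeline.
exit $(if (($results | Where-Object { $_.Value -ne 1 }).Count -eq 0) { 0 } else { 1 })
```

Run it elevated on a device where the target user is logged on; a HKLM row that is COMPLIANT next to a HKU row that is NON-COMPLIANT is exactly the situation the caveat above warns about.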

Monitoring

Use the PowerShell script allow-windows-spotlight-user-is-set-to-block.ps1 (function Invoke-Monitoring): verify that DisableWindowsSpotlightFeatures = 1.

Compliance and Auditing

  1. AVG (GDPR) - Data minimization
  2. BIO 14.02 - Privacy

Remediation

Use the PowerShell script allow-windows-spotlight-user-is-set-to-block.ps1 (function Invoke-Remediation): restore the setting.

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    Intune Security Options: Windows Spotlight User Blocked
.DESCRIPTION
    CIS - Spotlight features blocked.
.NOTES
    Filename: allow-windows-spotlight-user-is-set-to-block.ps1
    Author:   Nederlandse Baseline voor Veilige Cloud
    Registry: HKCU/HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent\DisableWindowsSpotlightFeatures
    Expected: 1
#>
#Requires -Version 5.1
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [switch]$WhatIf,
    [switch]$Monitoring,
    [switch]$Remediation,
    [switch]$Revert
)

$ErrorActionPreference = 'Stop'
# The GPO "Turn off all Windows spotlight features" is a User Configuration policy, so Group Policy
# writes this value under HKCU. This script uses the machine-wide location; verify on a test device
# that Spotlight is actually off for the signed-in user.
$RegPath       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent'
$RegName       = 'DisableWindowsSpotlightFeatures'
$ExpectedValue = 1

function Connect-RequiredServices {
    # No cloud service is contacted; this only confirms the script is running elevated.
    $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-Compliance {
    $r = [PSCustomObject]@{
        ScriptName    = 'allow-windows-spotlight-user-is-set-to-block.ps1'
        PolicyName    = 'Spotlight User'
        IsCompliant   = $false
        CurrentValue  = $null
        ExpectedValue = $ExpectedValue
        Details       = @()
    }
    try {
        if (Test-Path -Path $RegPath) {
            $v = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
            if ($v) { $r.CurrentValue = $v.$RegName }
            if ($v -and $v.$RegName -eq $ExpectedValue) {
                $r.IsCompliant = $true
                $r.Details += 'Spotlight blocked'
            } else {
                $r.Details += 'Spotlight enabled'
            }
        } else {
            $r.Details += 'Not configured'
        }
    } catch {
        $r.Details += "Error: $($_.Exception.Message)"
    }
    return $r
}

function Invoke-Remediation {
    # Create the policy key if needed and set the DWORD to the expected value.
    if (-not (Test-Path -Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    Set-ItemProperty -Path $RegPath -Name $RegName -Value $ExpectedValue -Type DWord -Force
    Write-Host 'Spotlight blocked' -ForegroundColor Green
}

function Invoke-Monitoring {
    $r = Test-Compliance
    $state = if ($r.IsCompliant) { 'COMPLIANT' } else { 'NON-COMPLIANT' }
    $color = if ($r.IsCompliant) { 'Green' } else { 'Red' }
    Write-Host "`n$($r.PolicyName): $state" -ForegroundColor $color
    return $r
}

function Invoke-Revert {
    # Removes the policy value so the Windows default (Spotlight allowed) applies again.
    Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
}

try {
    if (-not (Connect-RequiredServices)) {
        Write-Warning 'This script must be run elevated.'
        exit 1
    }
    if ($Monitoring) {
        $r = Invoke-Monitoring
        exit $(if ($r.IsCompliant) { 0 } else { 1 })
    } elseif ($Remediation) {
        if ($WhatIf) {
            Write-Host "WhatIf: would set $RegPath\$RegName = $ExpectedValue"
        } else {
            Invoke-Remediation
        }
    } elseif ($Revert) {
        Invoke-Revert
    } else {
        # Default: compliance check only, exit code 0 = compliant, 1 = non-compliant.
        $r = Test-Compliance
        exit $(if ($r.IsCompliant) { 0 } else { 1 })
    }
} catch {
    Write-Error $_
    exit 1
}

Risk without implementation

Low: low privacy risk from Spotlight telemetry. A corporate lock screen is preferred for a professional appearance.

Management Summary

Disable Windows Spotlight. This blocks Spotlight telemetry and makes a corporate lock screen possible. Implementation: 30 to 60 min.