adjust privacy script

.vscode/bookmarks.json

@@ -14,22 +14,22 @@
 			"path": ".vscode/settings.json",
 			"bookmarks": [
 				{
-					"line": 502,
+					"line": 504,
 					"column": 1,
 					"label": ""
 				},
 				{
-					"line": 554,
+					"line": 556,
 					"column": 1,
 					"label": ""
 				},
 				{
-					"line": 586,
+					"line": 588,
 					"column": 1,
 					"label": ""
 				},
 				{
-					"line": 852,
+					"line": 854,
 					"column": 1,
 					"label": ""
 				}

.vscode/settings.json

@@ -59,8 +59,8 @@
 	"editor.codeActionsOnSave": {
 		// No because we don't want to fix auto generated markdown and
 		// also because Markdown All in One is default formatter
-		"source.fixAll.markdownlint": false,
-		"source.fixAll.sortJSON": false
+		"source.fixAll.markdownlint": "never",
+		"source.fixAll.sortJSON": "never"
 	},
 	"editor.comments.ignoreEmptyLines": false,
 	// PSUseConsistentIndentation

Config/ProjectSettings.ps1

@@ -273,7 +273,7 @@ $OFS = " "
 # 4. Enables some disabled unit tests and disables logging
 # 5. Enables setting preference variables for modules
 # NOTE: If changed to $true, change requires PowerShell restart
-Set-Variable -Name Develop -Scope Global -Value $true
+Set-Variable -Name Develop -Scope Global -Value $false
 
 if ($Develop)
 {

Modules/Ruleset.Initialize/Public/Initialize-Connection.ps1

@@ -292,6 +292,8 @@ function Initialize-Connection
 			if (!$ConnectionStatus)
 			{
 				# Enable loopback only HTTP
+				# HACK: This call will produce errors when switching from Core to Windows PS
+				# To repro, call some script in Core and then repeat in Windows PS
 				Set-WinRMClient -Protocol HTTP @WinRMClientParams
 				Enable-WinRMServer -Protocol HTTP -KeepDefault -Loopback -Confirm:$false
 				Test-WinRM -Protocol HTTP @TestParams -ErrorAction Stop

Scripts/Security/Set-Privacy.ps1

@@ -46,6 +46,10 @@ Configure Windows privacy
 .DESCRIPTION
 Configures Windows privacy in a restrictive way
 
+.PARAMETER IncludeOptional
+If specified, optional privacy related GPO settings are configured which are otherwise
+better left to default value for normal user experience such as use of camera.
+
 .PARAMETER Force
 If specified, no prompt for confirmation is shown to perform actions
 
@@ -80,6 +84,9 @@ https://gpsearch.azurewebsites.net
 [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = "High")]
 [OutputType([void])]
 param (
+	[Parameter()]
+	[switch] $IncludeOptional,
+
 	[Parameter()]
 	[switch] $Force
 )
@@ -104,14 +111,17 @@ if ($PSCmdlet.ShouldProcess("Operating system", "Configure Windows privacy"))
 	# GPO: Computer Configuration\Administrative Templates\Windows Components\Camera
 	#
 
-	Write-Information -MessageData "INFO: Allow Use of Camera"
-	# Enabled Value: decimal: 1
-	# Disabled Value: decimal: 0
-	$RegistryPath = "Software\Policies\Microsoft\Camera"
-	$ValueName = "AllowCamera"
-	$Value = 0
-	$ValueKind = [Microsoft.Win32.RegistryValueKind]::DWord
-	Set-PolicyFileEntry -Path $PolicyPath -Key $RegistryPath -ValueName $ValueName -Data $Value -Type $ValueKind
+	if ($IncludeOptional)
+	{
+		Write-Information -MessageData "INFO: Allow Use of Camera"
+		# Enabled Value: decimal: 1
+		# Disabled Value: decimal: 0
+		$RegistryPath = "Software\Policies\Microsoft\Camera"
+		$ValueName = "AllowCamera"
+		$Value = 0
+		$ValueKind = [Microsoft.Win32.RegistryValueKind]::DWord
+		Set-PolicyFileEntry -Path $PolicyPath -Key $RegistryPath -ValueName $ValueName -Data $Value -Type $ValueKind
+	}
 
 	#
 	# GPO: Computer Configuration\Administrative Templates\Windows Components\Credential User Interface
@@ -162,7 +172,8 @@ if ($PSCmdlet.ShouldProcess("Operating system", "Configure Windows privacy"))
 
 	if ($false)
 	{
-		# NOTE: This doesn't work as expected, lock screen is shown regardless of what's set
+		# NOTE: This applies only to users that are *not* required to press CTRL + ALT + DEL
+		# However our setup configures CTRL + ALT + DEL so this won't have any effect
 		Write-Information -MessageData "INFO: Do not display the lock screen"
 		# Enabled Value: decimal: 1
 		# Disabled Value: decimal: 0