
These options target lower-level security and privacy surface areas in Windows, from restricting what can be reached from the lock screen to preventing OEM firmware from injecting software into the installed operating system. Each setting is independent and can be applied individually. All of them write under HKLM or modify local accounts, so run them from an elevated (administrator) prompt; the reg add lines are cmd.exe syntax, and Remove-LocalUser is a PowerShell cmdlet.

Disable Lockscreen Camera Access

By default, the Windows lock screen can open the camera (through the camera launcher on the lock screen and some sign-in experiences) without the device first being unlocked. Setting NoLockScreenCamera to 1 under the Personalization policy key, which is the same value the "Prevent enabling lock screen camera" Group Policy writes, blocks the camera from being invoked from the lock screen. It does not restrict camera use after sign-in.
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v "NoLockScreenCamera" /t REG_DWORD /d 1 /f

Disable Biometrics

Disables the Windows Biometric Service and its credential provider, which are responsible for fingerprint readers, facial recognition, and other biometric sign-in methods.
Disabling biometrics breaks the biometric parts of Windows Hello, including facial recognition and fingerprint sign-in, and prevents enrolling new biometric credentials. A Windows Hello PIN is not a biometric and keeps working, as does password sign-in, so make sure one of those is set up before applying this. The first value turns off the biometric feature as a whole (the Windows Biometric Service becomes unavailable); the second separately blocks biometric logon through the credential provider.
reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics" /v "Enabled" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider" /v "Enabled" /t REG_DWORD /d 0 /f
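The following is an added example, not code from the winscript project, showing how to apply the lock-screen camera and biometrics policies above from PowerShell in an idempotent way and then read back the actual state, so the step can be audited or re-run safely. It assumes an elevated PowerShell session; the registry paths and values are the ones documented above, and WbioSrvc is the service name of the Windows Biometric Service.

```powershell
# Added example (not part of the winscript project): apply the lock-screen camera and
# biometrics policies idempotently and report what is actually in the registry afterwards.
# Assumes an elevated PowerShell session.

$policies = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization';        Name = 'NoLockScreenCamera'; Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics';                     Name = 'Enabled';            Value = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider'; Name = 'Enabled';            Value = 0 }
)

function Get-PolicyState {
    # One object per policy with the value currently in the registry.
    # Current is $null when the key or value is absent, i.e. Windows default behaviour applies.
    param([hashtable[]]$Policies)
    foreach ($p in $Policies) {
        $current = $null
        if (Test-Path $p.Path) {
            $current = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        }
        [pscustomobject]@{
            Path    = $p.Path
            Name    = $p.Name
            Desired = $p.Value
            Current = $current
            InPlace = ($current -eq $p.Value)
        }
    }
}

function Set-PolicyState {
    # Creates the policy key if needed and writes the DWORD. With -Revert the value is
    # deleted instead, which restores the default ("policy not configured").
    param([hashtable[]]$Policies, [switch]$Revert)
    foreach ($p in $Policies) {
        if ($Revert) {
            if (Test-Path $p.Path) {
                Remove-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
            }
            continue
        }
        if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
        New-ItemProperty -Path $p.Path -Name $p.Name -PropertyType DWord -Value $p.Value -Force | Out-Null
    }
}

Set-PolicyState -Policies $policies
Get-PolicyState -Policies $policies | Format-Table -AutoSize

# The biometrics policy is enforced through the Windows Biometric Service (WbioSrvc);
# after a reboot it should no longer be running while the policy is in place.
Get-Service -Name WbioSrvc -ErrorAction SilentlyContinue | Select-Object Name, Status, StartType
```

Run `Set-PolicyState -Policies $policies -Revert` to undo all three settings; `Get-PolicyState` afterwards should show Current as empty for each row.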

Remove User ‘defaultuser0’

During the Out-of-Box Experience (OOBE) — the initial Windows setup wizard — Windows creates a temporary local account named defaultuser0 to facilitate the setup process. This account is intended to be removed automatically, but it frequently persists on the system after setup is complete, appearing as a ghost account in local user management. This command removes it.
Remove-LocalUser -Name "defaultuser0"
This command will produce an error if defaultuser0 does not exist on the system, which is expected behavior. The error can be safely ignored.
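As an added example (not code from the winscript project), the same cleanup written so that it can be re-run without the error described above, and extended to the profile directory: the example assumes that a leftover profile folder for defaultuser0 may remain under the Users directory even after the account is gone, and removes it through Win32_UserProfile, which is the same mechanism the System Properties dialog uses. It assumes an elevated PowerShell session with the built-in LocalAccounts module.

```powershell
# Added example (not part of the winscript project): remove the leftover OOBE account only if
# it exists, so the step is idempotent, and clean up an orphaned profile directory if present.
# Assumption: an elevated PowerShell session; Microsoft.PowerShell.LocalAccounts is built in.

function Remove-OobeLeftoverAccount {
    param([string]$Name = 'defaultuser0')

    $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if (-not $user) {
        Write-Host "Account '$Name' is not present; nothing to do."
    } else {
        Remove-LocalUser -Name $Name
        Write-Host "Removed local account '$Name' (SID $($user.SID))."
    }

    # The profile directory can outlive the account (assumption: it sits under the Users folder
    # and is named after the account). Win32_UserProfile lists it by path; only touch it when
    # it is not loaded, and delete it the same way "User Profiles > Delete" does.
    $orphan = Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { $_.LocalPath -like "*\$Name" -and -not $_.Loaded }
    if ($orphan) {
        Write-Host "Removing orphaned profile at $($orphan.LocalPath)"
        $orphan | Remove-CimInstance
    } else {
        Write-Host "No orphaned profile directory for '$Name'."
    }
}

Remove-OobeLeftoverAccount
```

The function avoids the automatic `$PROFILE` variable name on purpose; reusing it would silently overwrite the path of the current user's PowerShell profile script for the rest of the session.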

Disable Windows Platform Binary Table (WPBT)

The Windows Platform Binary Table is an ACPI table through which PC manufacturers (OEMs) can hand Windows an executable stored in firmware. During boot the Session Manager (smss.exe) reads the table, writes the embedded binary to the system drive and runs it as a native application with SYSTEM privileges, before the rest of the operating system has loaded and without any user consent or notification.
WPBT has been used by OEMs to install persistent software (device management, anti-theft and vendor utility agents) that survives operating system reinstalls and disk wipes, since the executable lives in firmware rather than on the disk. Setting DisableWpbtExecution to 1 under the Session Manager key is the opt-out documented in Microsoft's WPBT specification: Windows stops running the firmware-embedded program at boot. The table itself stays in firmware, normal driver and hardware functionality is unaffected, and any OEM agent that relied on WPBT to reinstall itself will simply stop reappearing.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "DisableWpbtExecution" /t REG_DWORD /d 1 /f
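Before applying the opt-out it is worth knowing whether the machine's firmware exposes a WPBT table at all and whether Windows has already run something from it. The following added example (not code from the winscript project) enumerates the ACPI tables through the kernel32 EnumSystemFirmwareTables API, looks for an extracted WPBT binary, then writes and reads back the registry value. It assumes an elevated session, and it assumes, per Microsoft's WPBT specification, that the Session Manager writes the extracted binary to System32\wpbbin.exe; if your build uses a different location the file check will simply report nothing.

```powershell
# Added example (not part of the winscript project): detect a WPBT table, inspect any binary
# Windows already extracted from it, then apply DisableWpbtExecution and verify it.
# Assumptions: elevated session; extracted binary lands at %SystemRoot%\System32\wpbbin.exe.

if (-not ('Firmware' -as [type])) {
    Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class Firmware {
    // Returns the 4-byte identifiers of every table the given provider ("ACPI") exposes.
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern uint EnumSystemFirmwareTables(uint provider, [Out] byte[] buffer, uint size);
}
'@
}

function Get-AcpiTableSignatures {
    $acpi = [uint32]0x41435049   # 'ACPI' as the multi-character constant the API documents
    $size = [Firmware]::EnumSystemFirmwareTables($acpi, $null, 0)   # first call: required size
    if ($size -eq 0) {
        throw "EnumSystemFirmwareTables failed: Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $buf = New-Object byte[] $size
    [void][Firmware]::EnumSystemFirmwareTables($acpi, $buf, $size)
    # Each identifier is stored as the table's ASCII signature bytes in memory, e.g. "WPBT".
    for ($i = 0; $i -lt $size; $i += 4) {
        [Text.Encoding]::ASCII.GetString($buf, $i, 4)
    }
}

$tables  = Get-AcpiTableSignatures
$hasWpbt = $tables -contains 'WPBT'
"ACPI tables: $($tables -join ' ')"
"Firmware exposes a WPBT table: $hasWpbt"

# Evidence that a WPBT binary has already been run on this install.
$dropped = Join-Path $env:SystemRoot 'System32\wpbbin.exe'
if (Test-Path $dropped) {
    Get-Item $dropped | Select-Object FullName, Length, LastWriteTime
    Get-AuthenticodeSignature $dropped |
        Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
} else {
    "No extracted WPBT binary at $dropped"
}

# Apply the opt-out. Windows will no longer run the table's binary at the next boot; the
# table itself stays in firmware, so Get-AcpiTableSignatures will still list it afterwards.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
New-ItemProperty -Path $key -Name DisableWpbtExecution -PropertyType DWord -Value 1 -Force | Out-Null
"DisableWpbtExecution = $((Get-ItemProperty -Path $key -Name DisableWpbtExecution).DisableWpbtExecution)"
```

If wpbbin.exe is present, its signer and timestamp tell you which vendor agent has been running from firmware; that is the software you should expect to stop re-provisioning after the change.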

Disable BitLocker Auto-Encryption

Modern Windows installations on compatible hardware, particularly devices with a TPM, may turn on BitLocker device encryption automatically during setup. Encryption protects data at rest, but the automatic flow escrows the recovery key to the Microsoft account (or Entra ID tenant) the user signs in with, so anyone who gains control of that account, or who can obtain data from the provider, can unlock the disk, and the user is not clearly told this is happening. Setting PreventDeviceEncryption to 1 stops Windows from activating device encryption automatically. It does not decrypt anything: volumes that were already encrypted, whether configured manually or auto-encrypted during an earlier setup, stay encrypted and keep their existing key protectors, including any recovery password that was already escrowed. If you want encryption without the cloud escrow, enable BitLocker yourself and keep the recovery key offline.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\BitLocker" /v "PreventDeviceEncryption" /t REG_DWORD /d 1 /f
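Because the registry value only affects future automatic encryption, a practitioner also wants to see what state the OS drive is already in and, if it was auto-encrypted, decide what to do with the recovery key that was escrowed. The following added example (not code from the winscript project) sets the opt-out, summarises the system volume with the BitLocker module, and shows two explicit choices: rotate the recovery password so the escrowed copy no longer unlocks the drive, or decrypt. It assumes an elevated session with the built-in BitLocker PowerShell module.

```powershell
# Added example (not part of the winscript project): opt out of automatic device encryption,
# then inspect the OS volume and deal explicitly with encryption that already happened.
# Assumptions: elevated session; BitLocker PowerShell module (Get-BitLockerVolume) available.

function Get-OsDriveEncryptionState {
    # Summarises the system volume: encryption state, whether protectors are enforced,
    # and which recovery-password protectors exist (those are the values that get escrowed).
    $vol      = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus        # FullyDecrypted / EncryptionInProgress / FullyEncrypted ...
        ProtectionStatus = $vol.ProtectionStatus    # On = protectors enforced; Off = clear key still present
        EncryptionPct    = $vol.EncryptionPercentage
        ProtectorTypes   = ($vol.KeyProtector.KeyProtectorType -join ', ')
        RecoveryIds      = ($recovery.KeyProtectorId -join ', ')
    }
}

# 1. Opt out of automatic device encryption for any future setup on this machine.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name PreventDeviceEncryption -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Inspect what already happened. The value above does nothing about an existing volume.
$state = Get-OsDriveEncryptionState
$state | Format-List

if ($state.VolumeStatus -ne 'FullyDecrypted') {
    # Option A: keep the encryption but rotate the recovery password. Deleting the copy from the
    # cloud account does not invalidate it; only replacing the protector does. Add the new one
    # and record it offline BEFORE removing the old ones.
    $mp  = $env:SystemDrive
    $old = (Get-BitLockerVolume -MountPoint $mp).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
    $new = Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector
    $new.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Where-Object { $_.KeyProtectorId -notin $old.KeyProtectorId } |
        Select-Object KeyProtectorId, RecoveryPassword      # store this securely, offline
    foreach ($p in $old) {
        Remove-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId | Out-Null
    }

    # Option B (uncomment to use instead): remove encryption entirely. Decryption runs in the
    # background; do not reinstall or interrupt it until VolumeStatus reads FullyDecrypted.
    # Disable-BitLocker -MountPoint $mp
}
```

After Option A, `Get-OsDriveEncryptionState` should list exactly one RecoveryPassword protector ID, the new one; the escrowed key no longer unlocks the drive, and the volume is otherwise untouched.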
