Merge pull request #98 from Harvester57/Batc-files-security

Harvester57 · web-flow · commit deabc1d8cb54 · 2026-02-28T17:09:39.000+01:00
feat: Add policy to enable secure mode for batch file processing.
diff --git a/AdditionalSystemHardening.admx b/AdditionalSystemHardening.admx
@@ -544,5 +544,16 @@
                 <decimal value="0" />
             </disabledValue>
         </policy>
+        <!-- Enhanced security for batch file processing -->
+        <policy name="LockBatchFilesWhenInUse" class="Machine" displayName="$(string.LockBatchFilesWhenInUse)" explainText="$(string.LockBatchFilesWhenInUse_Explain)" key="SOFTWARE\Microsoft\Command Processor" valueName="LockBatchFilesWhenInUse">
+            <parentCategory ref="System" />
+            <supportedOn ref="windows:SUPPORTED_Windows_10_0" />
+            <enabledValue>
+                <decimal value="1" />
+            </enabledValue>
+            <disabledValue>
+                <decimal value="0" />
+            </disabledValue>
+        </policy>
     </policies>
 </policyDefinitions>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
+## [v1.2.3] - 2026-02-29
+
+### Added
+
+- Policy to configure secure mode for batch file processing (LockBatchFilesWhenInUse)
+
 ## [v1.2.2] - 2026-02-11
 
 ### Added
diff --git a/README.md b/README.md
@@ -50,6 +50,20 @@ To install the policies on a standalone machine or for testing purposes:
 
 ### System policies
 
+<details>
+<summary><strong>Enable secure mode for batch file processing</strong></summary>
+
+- **Registry path(s):** SOFTWARE\Microsoft\Command Processor
+- **Registry key(s):** LockBatchFilesWhenInUse
+- **Values:** 0/1
+- **Description:** This policy gives administrators additional controls over the processing of batch files and CMD scripts.
+
+    If you enable this policy, a more secure mode for processing batch files is enabled, which ensures they do not change during execution by holding an opportunistic lock. This enhances the performance and security of batch file processing when Code Integrity is enabled, as signature validation will only be required to be performed a single time, instead of per statement executed in the batch file.
+
+    Note: This functionality is supported on Windows 11 Insider Preview Build 26300.7939 or later.
+
+</details>
+
 <details>
 <summary><strong>Enable Virtualization-Based Security in Mandatory mode</strong></summary>
 
diff --git a/en-US/AdditionalSystemHardening.adml b/en-US/AdditionalSystemHardening.adml
@@ -210,6 +210,12 @@ If you enable this policy, remote access to the SCM is disabled. This will disab
 If you disable or do not configure this policy, remote access to the SCM is enabled.
 
 See: https://www.gtworek.com/disabling-remote-access-to-windows-services/</string>
+                  <string id="LockBatchFilesWhenInUse">Enable secure mode for batch file processing</string>
+                  <string id="LockBatchFilesWhenInUse_Explain">This policy gives administrators additional controls over the processing of batch files and CMD scripts.
+
+If you enable this policy, a more secure mode for processing batch files is enabled, which ensures they do not change during execution by holding an opportunistic lock. This enhances the performance and security of batch file processing when Code Integrity is enabled, as signature validation will only be required to be performed a single time, instead of per statement executed in the batch file.
+
+Note: This functionality is supported on Windows 11 Insider Preview Build 26300.7939 or later.</string>
             </stringTable>
             <presentationTable>
                   <presentation id="MSCacheV2_Iteration">
diff --git a/fr-FR/AdditionalSystemHardening.adml b/fr-FR/AdditionalSystemHardening.adml
@@ -212,6 +212,12 @@ Si vous activez cette stratégie, l'accès distant au SCM est désactivé. Cela
 Si vous désactivez ou ne configurez pas cette stratégie, l'accès distant au SCM est autorisé.
 
 Voir : https://www.gtworek.com/disabling-remote-access-to-windows-services/</string>
+                  <string id="LockBatchFilesWhenInUse">Activer le mode sécurisé pour le traitement des fichiers batch</string>
+                  <string id="LockBatchFilesWhenInUse_Explain">Cette stratégie donne aux administrateurs des contrôles supplémentaires sur le traitement des fichiers batch et des scripts CMD.
+
+Si vous activez cette stratégie, un mode plus sécurisé pour le traitement des fichiers batch est activé, garantissant qu'ils ne changent pas pendant l'exécution en conservant un verrou opportuniste. Cela améliore les performances et la sécurité du traitement des fichiers batch lorsque l'intégrité du code est activée, car la validation de la signature ne sera requise qu'une seule fois, au lieu d'une fois par instruction exécutée dans le fichier batch.
+
+Remarque : Cette fonctionnalité est prise en charge sur Windows 11 Insider Preview Build 26300.7939 ou ultérieur.</string>
             </stringTable>
             <presentationTable>
                   <presentation id="MSCacheV2_Iteration">
