Commit deabc1d

Merge pull request #98 from Harvester57/Batc-files-security
feat: Add policy to enable secure mode for batch file processing.
2 parents ba0c2c3 + d7b8be9 commit deabc1d

5 files changed

+43
-0
lines changed

AdditionalSystemHardening.admx

Lines changed: 11 additions & 0 deletions
@@ -544,5 +544,16 @@
544544
<decimal value="0" />
545545
</disabledValue>
546546
</policy>
547+
<!-- Enhanced security for batch file processing -->
548+
<policy name="LockBatchFilesWhenInUse" class="Machine" displayName="$(string.LockBatchFilesWhenInUse)" explainText="$(string.LockBatchFilesWhenInUse_Explain)" key="SOFTWARE\Microsoft\Command Processor" valueName="LockBatchFilesWhenInUse">
549+
<parentCategory ref="System" />
550+
<supportedOn ref="windows:SUPPORTED_Windows_10_0" />
551+
<enabledValue>
552+
<decimal value="1" />
553+
</enabledValue>
554+
<disabledValue>
555+
<decimal value="0" />
556+
</disabledValue>
557+
</policy>
547558
</policies>
548559
</policyDefinitions>
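Review bot: the `supportedOn ref="windows:SUPPORTED_Windows_10_0"` on the new `LockBatchFilesWhenInUse` policy contradicts its own explain text, which states that the functionality requires Windows 11 Insider Preview Build 26300.7939 or later; with this reference the Group Policy editor will offer the policy on Windows 10 hosts where the feature is not present and the value has no effect. Point `supportedOn` at a definition that reflects the real minimum build, or at least state in the explain text that earlier builds ignore the value. The `key="SOFTWARE\Microsoft\Command Processor"` / `valueName="LockBatchFilesWhenInUse"` pair and the 1/0 enabled/disabled values are consistent with the README and ADML strings elsewhere in this commit.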

CHANGELOG.md

Lines changed: 6 additions & 0 deletions
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
44

55
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
66

7+
## [v1.2.3] - 2026-02-29
8+
9+
### Added
10+
11+
- Policy to configure secure mode for batch file processing (LockBatchFilesWhenInUse)
12+
713
## [v1.2.2] - 2026-02-11
814

915
### Added
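Review bot: the release heading `## [v1.2.3] - 2026-02-29` carries a date that does not exist; 2026 is not a leap year, so February 2026 has 28 days. Correct the date before tagging the release, since tooling that parses Keep a Changelog dates will reject it.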

README.md

Lines changed: 14 additions & 0 deletions
@@ -50,6 +50,20 @@ To install the policies on a standalone machine or for testing purposes:
5050

5151
### System policies
5252

53+
<details>
54+
<summary><strong>Enable secure mode for batch file processing</strong></summary>
55+
56+
- **Registry path(s):** SOFTWARE\Microsoft\Command Processor
57+
- **Registry key(s):** LockBatchFilesWhenInUse
58+
- **Values:** 0/1
59+
- **Description:** This policy gives administrators additional controls over the processing of batch files and CMD scripts.
60+
61+
If you enable this policy, a more secure mode for processing batch files is enabled, which ensures they do not change during execution by holding an opportunistic lock. This enhances the performance and security of batch file processing when Code Integrity is enabled, as signature validation will only be required to be performed a single time, instead of per statement executed in the batch file.
62+
63+
Note: This functionality is supported on Windows 11 Insider Preview Build 26300.7939 or later.
64+
65+
</details>
66+
5367
<details>
5468
<summary><strong>Enable Virtualization-Based Security in Mandatory mode</strong></summary>
5569
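Review bot: the `Registry path(s)` bullet gives `SOFTWARE\Microsoft\Command Processor` with no hive; the ADMX declares this policy with `class="Machine"`, so the value lives under HKLM, and saying so (`HKLM\SOFTWARE\Microsoft\Command Processor`) prevents anyone testing by hand from setting it under HKCU where it will not apply. `LockBatchFilesWhenInUse` is a registry value, not a key; keep whatever label convention the rest of the README uses, but the text should make clear it is a DWORD value under that path. The description also explains only the enabled state: add one sentence on what value 0 or an absent value means (the default, non-locking behaviour) so the `Values: 0/1` bullet is fully explained.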

en-US/AdditionalSystemHardening.adml

Lines changed: 6 additions & 0 deletions
@@ -210,6 +210,12 @@ If you enable this policy, remote access to the SCM is disabled. This will disab
210210
If you disable or do not configure this policy, remote access to the SCM is enabled.
211211

212212
See: https://www.gtworek.com/disabling-remote-access-to-windows-services/</string>
213+
<string id="LockBatchFilesWhenInUse">Enable secure mode for batch file processing</string>
214+
<string id="LockBatchFilesWhenInUse_Explain">This policy gives administrators additional controls over the processing of batch files and CMD scripts.
215+
216+
If you enable this policy, a more secure mode for processing batch files is enabled, which ensures they do not change during execution by holding an opportunistic lock. This enhances the performance and security of batch file processing when Code Integrity is enabled, as signature validation will only be required to be performed a single time, instead of per statement executed in the batch file.
217+
218+
Note: This functionality is supported on Windows 11 Insider Preview Build 26300.7939 or later.</string>
213219
</stringTable>
214220
<presentationTable>
215221
<presentation id="MSCacheV2_Iteration">
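Review bot: the `LockBatchFilesWhenInUse_Explain` string documents only the enabled state, while the neighbouring SCM string visible in this hunk's context closes with an explicit "If you disable or do not configure this policy, ..." sentence. Add the matching sentence for this policy so the Group Policy editor tells administrators what disabled or not-configured means (value 0 or absent). The Insider Preview build note is useful; make sure the ADMX `supportedOn` agrees with it.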

fr-FR/AdditionalSystemHardening.adml

Lines changed: 6 additions & 0 deletions
@@ -212,6 +212,12 @@ Si vous activez cette stratégie, l'accès distant au SCM est désactivé. Cela
212212
Si vous désactivez ou ne configurez pas cette stratégie, l'accès distant au SCM est autorisé.
213213

214214
Voir : https://www.gtworek.com/disabling-remote-access-to-windows-services/</string>
215+
<string id="LockBatchFilesWhenInUse">Activer le mode sécurisé pour le traitement des fichiers batch</string>
216+
<string id="LockBatchFilesWhenInUse_Explain">Cette stratégie donne aux administrateurs des contrôles supplémentaires sur le traitement des fichiers batch et des scripts CMD.
217+
218+
Si vous activez cette stratégie, un mode plus sécurisé pour le traitement des fichiers batch est activé, garantissant qu'ils ne changent pas pendant l'exécution en conservant un verrou opportuniste. Cela améliore les performances et la sécurité du traitement des fichiers batch lorsque l'intégrité du code est activée, car la validation de la signature ne sera requise qu'une seule fois, au lieu d'une fois par instruction exécutée dans le fichier batch.
219+
220+
Remarque : Cette fonctionnalité est prise en charge sur Windows 11 Insider Preview Build 26300.7939 ou ultérieur.</string>
215221
</stringTable>
216222
<presentationTable>
217223
<presentation id="MSCacheV2_Iteration">
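Review bot: same gap as the en-US string: the French `LockBatchFilesWhenInUse_Explain` text describes only the enabled state and should get the equivalent "Si vous désactivez ou ne configurez pas cette stratégie, ..." sentence, mirroring the SCM string just above it in the context, so both locales stay in sync when the English text is amended.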
