The registry tweak in the attached ZIP file disables some old ciphers and enables new ones. The requirement for import is my concern, not what the tweak actually does. When I install Windows 11 from an official unedited image and try to import this file, the OS displays an error about lack of privileges/permissions, even for an administrator. I have to import this tweak using one of several scripts or software that uses TrustedInstaller level of privileges/permissions. The issue is that once I configure my OS (or use my pre-configured image with many components removed with DISM), the OS lets me import this file as administrator without requiring TrustedInstaller level of privileges/permissions or showing any errors. Why? I am concerned that some settings I adjust end up providing administrators with privileges/permissions they are not supposed to have by default, creating some kind of "Half-Rooted" mode, but I don't know for sure. Other aspects of the OS file system and registry do not appear to be affected by the settings I adjust and require elevation to TrustedInstaller level when they are supposed to do so. For all I know, some Windows Defender feature can be responsible for the strict rules in the official OS image and removal of the Windows Defender component also removes those restrictions, but again, I don't know...
I downloaded your reg file. Mounted install.wim using Dism++ and imported this reg tweak without any problems. I know that some settings cannot be imported into a running system, but can easily be imported into the image.
Yes, I can integrate those registry entries without issues when the OS image is offline, but I need to know what protects those registry entries once the stock/default Windows 11 image is deployed. Something in the stock/default OS image protects those entries once the OS image is deployed, but the OS image I configure does not protect those entries once my OS image is deployed. I need to know why/how the stock/default OS image protects the mentioned registry entries.