Need Help with Hardening Windows 11 Pro Following CIS Benchmark v4

Asked By TechyGiraffe29 On

Hey everyone! I'm looking to harden some standalone Windows 11 Pro machines according to the CIS Benchmark v4.0. I've read through the official CIS documentation, but doing everything manually through Group Policy Objects (GPO) or local settings is taking a lot of time.

Has anyone created or used a PowerShell script or any automation that aligns with the CIS Windows 11 Pro v4 guidelines? I'd appreciate any partial implementations too, as I can modify or build on them.

I'm especially interested in:
- PowerShell scripts for local security policies
- Registry tweaks based on CIS controls
- Reliable open-source tools or GitHub repositories
- Tips for settings to avoid that might cause usability issues or bugs

This is for a personal project in a lab environment, but I'd like to adhere closely to the benchmark. Any help or resources would be fantastic! Thanks!
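An audit-first script of the kind asked for above, added here as an example (it is not from the thread and not CIS material). The `$Controls` table is a constructed sample of registry-backed settings in well-known Windows policy locations; the mapping of each row to a specific CIS Windows 11 v4.0 item number and the exact recommended value are assumptions to be checked against the benchmark, not quoted from it. It runs elevated, audits by default, writes changes only with `-Apply`, and honours `-WhatIf` so you can see what would change before it changes.

```powershell
<#
  Added example (not from the thread): audit-first registry hardening.
  $Controls is a constructed sample; verify each path/value against the
  CIS benchmark before relying on it. Run elevated.
  Usage:  .\Audit-Hardening.ps1            (audit only, writes a CSV record)
          .\Audit-Hardening.ps1 -Apply     (set non-compliant values)
          .\Audit-Hardening.ps1 -Apply -WhatIf   (preview the writes)
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply,
    [string]$LogPath = "$env:ProgramData\hardening-audit.csv"
)

# Constructed sample of controls: one row per registry-backed setting (all DWORDs)
$Controls = @(
    @{ Name = 'UAC enabled (EnableLUA)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Item = 'EnableLUA'; Expected = 1 },
    @{ Name = 'UAC admin prompt for consent on the secure desktop'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Item = 'ConsentPromptBehaviorAdmin'; Expected = 2 },
    @{ Name = 'LSA as protected process (RunAsPPL, needs reboot)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Item = 'RunAsPPL'; Expected = 1 },
    @{ Name = 'Do not store LM hashes (NoLMHash)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Item = 'NoLMHash'; Expected = 1 },
    @{ Name = 'SMB client requires signing'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Item = 'RequireSecuritySignature'; Expected = 1 }
)

function Get-ControlState {
    param([hashtable]$Control)
    # A missing key or value is reported as $null, which counts as non-compliant
    $current = $null
    if (Test-Path -Path $Control.Path) {
        $props = Get-ItemProperty -Path $Control.Path -Name $Control.Item -ErrorAction SilentlyContinue
        if ($props) { $current = $props.($Control.Item) }
    }
    [pscustomobject]@{
        Name      = $Control.Name
        Path      = $Control.Path
        Item      = $Control.Item
        Expected  = $Control.Expected
        Current   = $current
        Compliant = ($null -ne $current) -and ([int]$current -eq [int]$Control.Expected)
    }
}

function Set-ControlValue {
    param([hashtable]$Control)
    # Create the key if no policy has ever been written there; both cmdlets honour -WhatIf
    if (-not (Test-Path -Path $Control.Path)) {
        New-Item -Path $Control.Path -Force | Out-Null
    }
    Set-ItemProperty -Path $Control.Path -Name $Control.Item -Value $Control.Expected -Type DWord
}

# Audit pass: always runs, always records the state it found
$results = foreach ($c in $Controls) { Get-ControlState -Control $c }
$results | Format-Table Name, Expected, Current, Compliant -AutoSize
$results | Export-Csv -Path $LogPath -NoTypeInformation

if ($Apply) {
    foreach ($r in ($results | Where-Object { -not $_.Compliant })) {
        $control = $Controls |
            Where-Object { $_.Path -eq $r.Path -and $_.Item -eq $r.Item } |
            Select-Object -First 1
        Set-ControlValue -Control $control
    }
    Write-Host 'Re-run without -Apply to confirm. RunAsPPL needs a reboot to take effect.'
}
```

Two caveats for anyone extending the table: writing directly to the registry is not the same as the GPO-backed setting (the benchmark's password, lockout, user-rights and audit items live in the security template and audit policy, which you set with `secedit` and `auditpol`, not `Set-ItemProperty`), and `RunAsPPL` is the row most likely to surface the usability problems the question mentions, since third-party credential providers and some drivers do not work under LSA protection, so test it on one machine before the rest.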

4 Answers

Answered By PolicyPal On

For a non-PowerShell solution, check out the Microsoft utility LGPO.exe. You can harden one Windows 11 PC with group policy settings, save those settings with LGPO, and then apply them to the other PCs. Just keep in mind you'll need LGPO.exe on each machine you apply it to.

Answered By CodeCraftsman On

You should definitely give [HardeningKitty](https://github.com/scipag/HardeningKitty) a shot. It’s really useful! If you want to customize further, there's a config file maker that you can use to adjust settings according to your needs. Just be cautious with the hail mary option; it can be a bit extreme!

Answered By ScriptingNinja87 On

If you're not using AD DS or Intune, you might want to look into starting from scratch with DSC, Ansible, or some other configuration management tool to build your own configuration based on CIS baselines. I found this project called [HardeningKitty](https://github.com/scipag/HardeningKitty), which you could check out, but I haven't used it myself. Just asking, is it really necessary for your lab setup to follow CIS compliance? If it were an enterprise scenario, I'd suggest just using an existing tool that has pre-built configurations.
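The lab workflow both of the HardeningKitty answers point at, scripted as an added example (this is neither the thread's nor the HardeningKitty project's code). It assumes the repository is cloned to `C:\Tools\HardeningKitty` and the session is elevated. `-Mode`, `-FileFindingList`, `-Log`, `-Report` and `-Backup` are parameters the project documents; `-LogFile` and `-ReportFile` are used on the assumption that they name the output files as their names suggest, so check `Get-Help Invoke-HardeningKitty -Full` against your copy first. The finding-list path is a placeholder you fill from the listing the script prints.

```powershell
# Added example, not from the thread or the HardeningKitty project.
# Assumptions: repo cloned to C:\Tools\HardeningKitty, elevated session,
# Windows PowerShell 5.1 (Checkpoint-Computer is not in PowerShell 7).
Set-Location 'C:\Tools\HardeningKitty'
Import-Module .\HardeningKitty.psm1 -Force

# 0. Pick the finding list for your edition; the bundled lists live under .\lists
Get-ChildItem .\lists -Filter '*.csv' | Select-Object Name
$List = '.\lists\<your-windows-11-finding-list>.csv'   # placeholder: choose from the listing above

# 1. Restore point before touching anything (a hypervisor snapshot from the host is better)
Checkpoint-Computer -Description 'Before HardeningKitty' -RestorePointType MODIFY_SETTINGS

# 2. Audit only: nothing is changed, results go to a CSV report and a log
Invoke-HardeningKitty -Mode Audit -FileFindingList $List `
    -Log -LogFile .\before.log -Report -ReportFile .\before.csv

# 3. HailMary applies every recommended value in the list at once, which is
#    what makes it "extreme"; -Backup records the prior values so a change
#    that breaks something can be traced and reverted
Invoke-HardeningKitty -Mode HailMary -FileFindingList $List -Backup -Log -LogFile .\apply.log

# 4. Re-audit and show only the report rows that changed (line-level diff, so it
#    does not depend on the report's column names)
Invoke-HardeningKitty -Mode Audit -FileFindingList $List -Report -ReportFile .\after.csv
Compare-Object -ReferenceObject (Get-Content .\before.csv) -DifferenceObject (Get-Content .\after.csv) |
    Where-Object SideIndicator -eq '=>' |
    Select-Object -ExpandProperty InputObject
```

The point of steps 2 and 4 is that the audit report, not the apply run, is what you keep: the before/after pair is the evidence of compliance CuriousCoder42 mentions wanting to showcase, and the diff tells you exactly which settings to look at if a machine misbehaves after step 3.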

CuriousCoder42 -

I’m testing things in my lab first too, just to showcase compliance later. But I'm not too familiar with scripting, so I want to make sure I get it right.

Answered By SecuritySavvy On

Also, the Microsoft Security Compliance Toolkit has a tool called LGPO. You can get it [here](https://www.microsoft.com/en-us/download/details.aspx?id=55319). It allows you to apply the exported GPO to your local system, so you would first download the CIS GPO and then use LGPO to apply it.
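The reference-machine workflow that PolicyPal and SecuritySavvy both describe, scripted as an added example (not from the thread and not Microsoft's code). It assumes `LGPO.exe` from the Security Compliance Toolkit is in `C:\Tools\LGPO` on every machine and that `C:\Policy` is your working folder. The switches used are `/b` (back up local policy to a GPO-backup folder), `/parse /m` (render a machine-side `registry.pol` as text) and `/g` (import a GPO backup); the `/g` call here is given the `{GUID}` folder of a single backup, so confirm with `LGPO.exe /?` whether your version also accepts the parent folder. The first half runs on the hardened reference PC, the second on each target.

```powershell
# Added example, not from the thread or from Microsoft.
# Assumptions: LGPO.exe at C:\Tools\LGPO\LGPO.exe, working folder C:\Policy,
# elevated session on every machine involved.
$Lgpo   = 'C:\Tools\LGPO\LGPO.exe'
$Backup = 'C:\Policy\backup'

# --- On the hardened reference PC: export the local policy ------------------
New-Item -ItemType Directory -Path $Backup -Force | Out-Null
& $Lgpo /b $Backup /n 'Win11-CIS-reference'   # writes a {GUID} subfolder in GPO-backup format

# Review before rolling out: render the machine-side registry.pol as readable text
$machinePol = Get-ChildItem -Path $Backup -Recurse -Filter 'registry.pol' |
    Where-Object { $_.FullName -like '*\Machine\*' } |
    Select-Object -First 1
& $Lgpo /parse /m $machinePol.FullName | Out-File -FilePath "$Backup\machine-policy.txt"
# Spot-check that a setting you expect is actually in the export (UAC here, as a constructed check)
Select-String -Path "$Backup\machine-policy.txt" -Pattern 'EnableLUA' -Context 2

# --- On each target PC (copy LGPO.exe and the backup folder over first) -----
$gpoDir = Get-ChildItem -Path $Backup -Directory | Select-Object -First 1   # the {GUID} folder
& $Lgpo /g $gpoDir.FullName /v
gpupdate /force
gpresult /h "$Backup\applied.html"   # human-readable record of the policy now in effect
```

If you start from the CIS-provided GPO instead of your own hardened PC, skip the `/b` step and point `/g` at the downloaded backup's `{GUID}` folder; the `/parse /m` review step is worth keeping either way, because it is the easiest place to spot a setting that will cause the usability problems the question asks about before it reaches a second machine.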
