Hardening Categories • How To Use • Features • Related • Support • Security Reccomendations • Resources • License
From Top to bottom in order:
- Commands that require Administrator Privileges
- Windows Security aka Defender
- Attack surface reduction rules
- Bitlocker Settings
- TLS Security
- Lock Screen
- UAC (User Account Control)
- Device Guard
- Windows Firewall
- Optional Windows Features
- Windows Networking
- Miscellaneous Configurations
- Commands that don't require Administrator Privileges
- Non-Admin Commands that only affect the current user and do not make machine-wide changes.
To run the script:
# Download the latest version of the script to the current user folder
iwr -Uri "https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1" -OutFile "Harden-Windows-Security.ps1"
# set execution policy temporarily to bypass for the current PowerShell session only
Set-ExecutionPolicy Bypass -Scope Process
# run the script
.\Harden-Windows-Security.ps1
Note if there are multiple Windows user accounts in your computer, it's recommended to run this script in each of them, without administrator privileges, because Non-admin commands only apply to the current user and are not machine wide.
Note When the script is running for the first time, please keep an eye on the PowerShell console because you might need to provide input for Bitlocker activation.
Note Things with #TopSecurity tag can break functionalities or cause difficulties so this script does NOT enable them by default. press Control + F and search for #TopSecurity in the script to find those commands and how to enable them if you want.
- Always up-to-date and works with latest build of Windows (Currently Windows 11 - compatible and fully tested a Lot on stable and Insider Dev builds)
- Doesn't break anything
- Doesn't remove or disable Windows functionlities against Microsoft's recommendation
- Above each command there are comments that explain what it does, why it's there, provide extra important information about it and links to additional resources for better understanding
- When a hardening command is no longer necessary because it's applied by default by Microsoft on new builds of Windows, it will also be removed from this script in order to prevent any problems and because it won't be necessary anymore.
- The script can be run infinite number of times, it's made in a way that it won't make any duplicate changes at all.
PowerShell Gallery - Also available in PowerShell Gallery
🎯 if you have any questions, requests, suggestions etc. about this script, please open a new discussion on Github- Use the latest version of the PowerShell, easiest and fastest way to install it is using Microsoft Store but also available on Github.
- When you decide to install a program or app in Windows, first use the Microsoft Store and Winget, somebody created a nice web interface for interacting with Winget CLI here. if the program or app you are looking for isn't available in there, then download it from its official website.
- Use Secure DNS; Windows 11 natively supports DNS over HTTPS and DNS over TLS.
- Only use Microsoft Edge for browser; it's De-googled, available by default on Windows OS, has tightly integrated valuable Security features such as Windows Defender Application Guard, Windows Defender SmartScreen, Hardware Enforced Stack Protection, Arbitrary Code Guard (ACG), Control Flow Guard (CFG), Tracking Prevention and Trusted built-in VPN from Cloudflare just to name a few.
- Always enable 2FA (Two Factor Authentication) on websites, apps and services that you use. preferably, use Microsoft Authenticator app which has backup and restore feature so you never lose access to your TOTPs (Time-Based One-Time Passwords) even if you lose your phone. available for Android and IOS. you can also use Microsoft Authenticator on Windows 11 (PC, Laptop or Tablet) using Windows Subsystem for Android (WSA) and access your authenticator codes without the need to use your phone (again thanks to the secure automatic backup/restore feature). use an open-source and trusted Android store such as Aurora Store to install and keep it up-to-date.
- More Security Recommendations coming soon...
- Microsoft Learn - Technical Documentation
- ADMX - Group Policy Administrative Templates Catalog
- GPS - Group Policy Search
- Germany Intelligence Agency - BND - Federal Office for Information Security
- Microsoft Tech Community - Official blogs and documentations
- Microsoft Security baselines - Security baselines from Microsoft
MIT License
Microsoft Tech Community Profile · GitHub @HotCakeX · Steam @HotCakeX · Xbox: @HottCakeX · Reddit