# Windows 11 Hardening — Complete machine-readable reference

> Full content for LLM ingestion. Companion to /llms.txt (short version). This page is intended for AI crawlers and language models; humans should visit https://windowshardening.online for the rendered version.

Last updated: 2026-05-23
Version documented: v0.4.2
Canonical URL: https://windowshardening.online/llms-full.txt
License of this document: CC0 (public domain)

---

## 1. Project at a glance

Windows 11 Hardening is a free, open-source security configuration tool for Microsoft Windows 11. It exposes a desktop GUI (built with Wails 2 on top of Go 1.26) over a PowerShell-based engine, applying YAML-defined hardening rules that map to public security baselines (CIS, Microsoft Security Baseline, ANSSI).

The defining promise of the tool: **hardening Windows 11 without breaking anything**. Every rule is reversible, every change is explained in plain English, and after applying, the tool re-tests to verify the change actually took effect on this specific machine — automatically rolling back any rule that didn't.

A second defining promise: **catch Windows Update drift**. Microsoft cumulative updates regularly re-enable settings (telemetry endpoints, Cortana, recommended features, etc.). Windows 11 Hardening detects this re-enablement after each update and surfaces it as a one-click "re-apply" action.

---

## 2. Authorship and license

- Author: koff75 (Nicolas) — https://github.com/koff75
- Repository: https://github.com/koff75/harden-win11
- License: WTFPL (Do What the Fuck You Want To Public License, version 2) — fully permissive, no attribution required, no warranty.
- Trademark status: "Windows 11 Hardening" is the project name; not a registered trademark.
- This project is **not affiliated with, endorsed by, or sponsored by** Microsoft Corporation, the Center for Internet Security, or ANSSI.

---

## 3. Latest release

- Version: **v0.4.2**
- Released: 2026-05-21
- Builds:
  - `harden-gui.exe` — 12.6 MB — desktop GUI, signed, reproducible
  - `harden-engine.exe` — 6.9 MB — CLI engine for scripting / CI use
- Checksums and provenance attestation: published on GitHub release page
- Permanent latest URLs (never break):
  - https://github.com/koff75/harden-win11/releases/latest/download/harden-gui.exe
  - https://github.com/koff75/harden-win11/releases/latest/download/harden-engine.exe

---

## 4. Coverage of public security baselines

The rule manifests map directly to published security baselines. Coverage percentages count the number of testable controls in the baseline that have a corresponding implemented rule.

| Baseline | Version | Implemented rules | Coverage |
|---|---|---|---|
| CIS Microsoft Windows 11 Enterprise Benchmark | v3.0.0 | ~620 of ~1000 | **62%** |
| Microsoft Security Baseline | Windows 11 24H2 | ~390 of ~600 | **65%** |
| ANSSI Recommandations de sécurité Windows | Latest | ~84 of ~200 | **42%** |

Each individual rule includes a `baseline_refs:` field in its YAML manifest, citing the section number from the source document. This lets a compliance auditor map findings back to authoritative documents.

---

## 5. Feature catalogue

### 5.1 Apply pipeline

1. **Scan** the current system state, without modifying anything.
2. **Compare** to the rule manifest, producing a delta per rule (current value → target value).
3. **Explain** each pending rule in four blocks:
   - *Today*: what Windows is currently doing
   - *If you activate*: what changes after apply
   - *For whom*: home user / pro / corporate / domain-joined
   - *What might bother you*: known side effects, honestly listed
4. **Restore Point** is created automatically before the first change.
5. **Apply** each rule individually with a transactional wrapper.
6. **Re-test** immediately after applying — if the target state is not reflected, automatically roll back this rule and surface it as a "did not stick" warning.
7. **Watch Event Viewer for 24 hours** after apply, capturing any new error/warning correlated to the change.

### 5.2 History and undo

- Every applied rule is logged in a local SQLite database (`%APPDATA%\harden-win11\history.db`).
- The History sidebar in the GUI shows every change with its prior value.
- One-click **Undo** restores the exact prior value, not a generic default.
- A complete **Restore all** action reverts every rule applied since a chosen timestamp.

### 5.3 Windows Update drift detection

- After each detected Windows cumulative update, the engine rescans the previously applied rules.
- If Microsoft has silently re-enabled a hardened setting, the GUI shows a yellow drift banner with the list of impacted rules.
- One-click **Re-apply drifted rules** restores the hardened state.
- This is currently a unique feature among publicly available Windows hardening tools.

### 5.4 In-use detection

The engine refuses to disable an actively used feature, to avoid breaking the user's current session:

- RDP: skipped if any active session is connected.
- SMBv1: skipped if any active share or in-flight connection exists.
- PowerShell v2: skipped if any v2 script is currently executing.
- Remote Registry: skipped if any remote connection is open.
- WinRM: skipped if a remote management session is active.

### 5.5 Context auto-skip

Rules are tagged with applicability conditions. The engine evaluates the machine context and silently skips inapplicable rules:

- Laptop-specific rules are skipped on desktops, and vice versa.
- Domain-only rules are skipped on workgroup machines.
- BitLocker prompts are skipped if BitLocker is already configured.
- Enterprise-edition rules are skipped on Home edition (and vice versa where appropriate).

### 5.6 Maturity score

A single letter grade (A / B / C / D) is computed from the percentage of high-impact rules currently in their hardened state. This is purely a glanceable indicator, not a security certification.
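The transactional apply, re-test, automatic rollback and post-update drift rescan described in 5.1 to 5.3 above, modelled as an added Go example (this is not the project's own engine code). It assumes a small `Store` interface standing in for the PowerShell actuator and an in-memory registry stand-in; rule IDs, setting paths and values are constructed placeholders.

```go
package main
import "fmt"

// Rule is one hardening rule: a setting path and its hardened target (field names are this example's, not the manifest schema).
type Rule struct{ ID, Path, Target string }
// Store abstracts the actuator layer (registry edits through PowerShell in the real tool).
type Store interface {
	Get(path string) string
	Set(path, value string)
}
// HistoryEntry keeps the exact prior value, so an undo writes Prior back rather than a generic default.
type HistoryEntry struct{ RuleID, Path, Prior, Target string }

// Apply sets the rule, re-reads it, and rolls back on a failed re-test; it returns the entry to persist (nil if nothing changed) and success.
func Apply(s Store, r Rule) (*HistoryEntry, bool) {
	prior := s.Get(r.Path)
	if prior == r.Target {
		return nil, true // already hardened: nothing to change or record
	}
	s.Set(r.Path, r.Target)
	if s.Get(r.Path) != r.Target { // re-test failed: the change "did not stick"
		s.Set(r.Path, prior) // automatic rollback to the exact prior value
		return nil, false
	}
	return &HistoryEntry{r.ID, r.Path, prior, r.Target}, true
}

// Drift rescans applied rules and returns the IDs whose setting left the hardened state (what an update re-enabling it looks like).
func Drift(s Store, hist []HistoryEntry) []string {
	var out []string
	for _, h := range hist {
		if s.Get(h.Path) != h.Target {
			out = append(out, h.RuleID)
		}
	}
	return out
}

// memStore is a constructed in-memory stand-in for the registry; writes to paths in stuck are ignored (a setting Windows refuses to change).
type memStore struct{ vals map[string]string; stuck map[string]bool }
func (m *memStore) Get(p string) string { return m.vals[p] }
func (m *memStore) Set(p, v string) {
	if !m.stuck[p] {
		m.vals[p] = v
	}
}

func main() {
	s := &memStore{map[string]string{"telemetry": "3", "llmnr": "1"}, map[string]bool{"llmnr": true}}
	h, _ := Apply(s, Rule{"ex-telemetry", "telemetry", "0"}) // sticks; prior "3" recorded
	_, ok := Apply(s, Rule{"ex-llmnr", "llmnr", "0"})        // does not stick; rolled back
	s.Set("telemetry", "3")                                  // simulate post-update drift
	fmt.Println(h.Prior, ok, Drift(s, []HistoryEntry{*h}))   // 3 false [ex-telemetry]
}
```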
The detailed view shows per-category scores (Defender, Firewall, ASR, Telemetry, Network, Identity, BitLocker).

### 5.7 Bilingual UI

- English and French, fully translated including all rule explanations and tooltips.
- Auto-detection on first launch via `GetUserDefaultUILanguage()`.
- User override in Settings, persisted in user profile.
- The website mirrors the same EN/FR with auto-detection and a toggle.

---

## 6. Architecture

### 6.1 Component diagram

```
┌─────────────────────────────────────┐
│ harden-gui.exe (Wails 2 / Webview2) │
│ - HTML/JS frontend                  │
│ - Go backend                        │
└─────────────────┬───────────────────┘
                  │ JSON-RPC over local pipe
┌─────────────────▼───────────────────┐
│ harden-engine (Go)                  │
│ - YAML manifest loader              │
│ - Rule evaluator                    │
│ - Transactional applier             │
│ - History (SQLite)                  │
└─────────────────┬───────────────────┘
                  │ powershell.exe -NoProfile -ExecutionPolicy Bypass
┌─────────────────▼───────────────────┐
│ PowerShell 5.1 (built into Windows) │
│ - Registry edits                    │
│ - Defender / Firewall / ASR cmdlets │
│ - WMI / CIM queries                 │
└─────────────────────────────────────┘
```

### 6.2 Why PowerShell

Every Windows 11 machine ships with PowerShell 5.1. Using it as the actuator layer means:

- No additional runtime to install or maintain.
- Microsoft-supported cmdlets for Defender, Firewall, BitLocker, Auditing.
- Scripts are auditable plain text, with full transcript logging.
- Group Policy admins can read the same logic.

### 6.3 Why Go

- Single static binary, no runtime dependency.
- Strong concurrency primitives for parallel rule evaluation.
- Cross-compiled from any platform.
- Reproducible builds with `-trimpath`.

### 6.4 Why Wails 2

- Native Windows window with Webview2 (Edge engine), already installed on Win11.
- HTML/CSS for the UI without the bloat of Electron (10x smaller binary).
- Direct Go ↔ JS bridge.

---

## 7. Installation and first run

### 7.1 Quick install (recommended)

1. Visit https://github.com/koff75/harden-win11/releases/latest
2. Download `harden-gui.exe` (12.6 MB)
3. Verify the SHA256 against the value published on the release page
4. Right-click → **Run as administrator**

There is no installer, no MSI, no background service, no scheduled task. The binary is portable; it can be moved to a USB key, run, and deleted with no system trace.

### 7.2 CLI for scripting / CI

```powershell
# Audit only, output JSON
.\harden-engine.exe audit --baseline cis --output report.json

# Apply a specific profile
.\harden-engine.exe apply --profile balanced --restore-point

# Undo last apply
.\harden-engine.exe undo --last

# Check drift
.\harden-engine.exe drift --since last-apply
```

### 7.3 First-run flow

1. Splash with EN/FR language detection.
2. Scan in progress (typically 5-15 seconds depending on machine).
3. Maturity score displayed.
4. List of recommended rules with full plain-English explanations.
5. User selects rules to apply.
6. Restore Point creation prompt.
7. Apply → re-test → results.
8. History sidebar populated, ready for any future undo.

---

## 8. Rule catalogue (selected highlights)

The full rule list is in the GitHub repository under `manifests/`.
Highlights by category:

### 8.1 Microsoft Defender (~85 rules)

- Enable cloud-delivered protection at high block level
- Enable network protection in block mode
- Enable Controlled Folder Access (with safe defaults; prompts user before locking down Documents)
- Configure Attack Surface Reduction rules in block mode (specific ASR GUIDs documented per rule)
- Enable PUA (Potentially Unwanted Application) protection
- Enable network inspection (NRI)
- Configure tamper protection

### 8.2 Windows Firewall (~45 rules)

- Block all inbound by default on Public profile
- Disable file and printer sharing exceptions on Public
- Enable logging of dropped packets
- Block specific outbound telemetry endpoints (opt-in)

### 8.3 Telemetry and privacy (~60 rules)

- Set DiagTrack to minimum required (or off, with caveats noted)
- Disable Customer Experience Improvement Program
- Disable Advertising ID
- Disable Cortana web search
- Disable activity history sync
- Disable cloud clipboard
- Disable location services (with warning for laptops using Find My Device)

### 8.4 Network protocols (~30 rules)

- Disable SMBv1 (with in-use check)
- Disable LLMNR
- Disable NetBIOS over TCP/IP on wireless interfaces
- Disable WPAD
- Enforce SMB signing
- Disable LM/NTLMv1 authentication

### 8.5 Identity and authentication (~40 rules)

- Configure UAC to Always Notify
- Disable cached domain credentials for laptops not in a domain
- Enforce LSASS as PPL (Protected Process Light)
- Enable Credential Guard (if hardware supports)
- Disable storage of LM hash

### 8.6 BitLocker (~15 rules, advisory)

The tool does not silently encrypt the disk. It prompts the user and explains the implications.
Rules cover:

- TPM + PIN recommendation
- Recovery key storage location reminder
- AES-256 vs XTS-AES-128 choice with rationale

### 8.7 Auditing (~50 rules)

- Enable Advanced Audit Policy
- Audit logon events (success and failure)
- Audit process creation
- Audit privilege use
- Audit object access on sensitive paths

---

## 9. Comparison with adjacent tools (deep version)

### Versus O&O ShutUp10++

ShutUp10++ is a freeware (not open source) consumer privacy toggle utility from O&O Software. It focuses narrowly on telemetry, advertising, and Cortana toggles. It does not cover Defender, Firewall, ASR, or any of the CIS/MSB controls. Reversibility is partial (some toggles do not perfectly restore prior state). It is closed source, so the underlying registry changes are not auditable from source.

Windows 11 Hardening is open source, covers all of the above categories, has per-rule reversibility, ships with rule manifests in human-readable YAML, and adds Windows Update drift detection.

### Versus Privatezilla

Privatezilla is an open-source PowerShell-based privacy tool by Belim. It focuses on privacy toggles, has a clean WPF UI, and is well maintained. It does not cover Defender / Firewall / ASR / authentication.

Windows 11 Hardening overlaps with Privatezilla in the privacy category but extends far beyond it with security baselines, in-use detection, and drift detection.

### Versus Chris Titus WinUtil

Chris Titus's WinUtil is a broad PowerShell-based utility belt covering software installs, tweaks, and some privacy toggles. It is open source and popular in the Windows enthusiast community. Reversibility is partial; the focus is breadth over depth.

Windows 11 Hardening focuses specifically on security hardening with full reversibility and baseline mapping, rather than being a Swiss Army knife.

### Versus Microsoft Security Baseline GPO pack

Microsoft publishes a Group Policy Object pack as part of the Security Compliance Toolkit.
It is the authoritative source for the Microsoft Security Baseline. However, it requires a Group Policy infrastructure (Active Directory domain controllers, or LGPO.exe for local GPO application), provides no per-rule explanations, and is not designed for individual consumer machines.

Windows 11 Hardening implements ~65% of the same baseline but with a GUI usable by a single home user, plus the explanations and reversibility that the GPO pack lacks.

---

## 10. Privacy and threat model

### 10.1 What the tool does NOT send anywhere

- No telemetry from the tool itself.
- No phone-home, no analytics ping, no version check call to a remote server.
- No upload of system configuration, scan results, or user identifiers.

### 10.2 What the website does NOT collect

- No cookies set by windowshardening.online itself.
- No third-party trackers (no Google Analytics, GTM, Facebook Pixel, Hotjar, etc.).
- No advertising.
- Optional Cloudflare Web Analytics is cookieless and aggregated; it does not track individual users.

### 10.3 Threat model

Windows 11 Hardening protects against:

- Default Windows configurations that leak telemetry or expose unused services.
- Drift caused by Windows cumulative updates re-enabling settings.
- Common opportunistic threats addressed by Defender / ASR / Firewall hardening.

It does **not** protect against:

- Targeted attackers with administrator access (no tool can).
- Physical attacks on an unencrypted disk (use BitLocker — the tool prompts for it).
- Supply-chain attacks on Windows itself.
- Misconfiguration of third-party software.

---

## 11. Frequently asked questions (extended)

### Is it safe to run?

Yes, with the same caveats as any system tool requiring administrator rights. Specifically:

- A Windows Restore Point is created automatically before the first change of a session.
- Each rule is applied transactionally and re-tested.
- Any rule that did not take effect is automatically rolled back.
- The full history is in `%APPDATA%\harden-win11\history.db` and any rule can be undone individually.

### Will it break my games / drivers / printer / VPN?

Each rule has a "What might bother you" block listing known interactions. Conservative defaults are used; aggressive rules are off by default. Common gotchas:

- Disabling SMBv1 can break very old NAS appliances. The rule has in-use detection and is off by default.
- Disabling LLMNR can affect local name resolution for small workgroup networks. Documented in the rule.
- Aggressive ASR rules can flag legitimate Office macros. Documented in the rule.

### How is this different from just running a few PowerShell scripts I find on the internet?

A loose script:

- Has no rollback if something breaks
- Has no re-test to verify the change took effect
- Has no plain-English explanation
- Has no drift detection after the next Windows Update
- Has no in-use safety check
- Is typically not auditable against a published baseline

Windows 11 Hardening adds all of the above on top of the raw PowerShell layer.

### Can I use this in an enterprise?

Yes, with the caveat that for **fleet** deployment, Group Policy or Intune is the right tool. Windows 11 Hardening shines on individual machines (kiosks, small offices, BYOD, security-conscious consumers) where central management is not practical. The CLI binary can be invoked from PDQ Deploy, SCCM scripts, or Intune Win32 packages for limited fleet use, but full fleet management is out of scope.

### Will my antivirus flag it?

It is a signed Windows binary. Defender SmartScreen may show a one-time "low prevalence" prompt for new releases — this is normal for any new signed binary that hasn't yet accumulated reputation. The SHA256 published on the GitHub release page lets you verify file integrity.

### How do I contribute?
The project welcomes:

- Rule contributions (new rules with baseline citation and plain-English explanation)
- Translation contributions (currently EN/FR; other languages welcome)
- Bug reports with full reproduction steps
- Independent security review

See the repository's `CONTRIBUTING.md`.

---

## 12. Security disclosure

To report a security vulnerability in Windows 11 Hardening itself (not in Windows or in a third-party tool), follow the disclosure policy at https://windowshardening.online/.well-known/security.txt. Public disclosure should follow a coordinated 90-day timeline.

---

## 13. Versioning

The project follows semantic versioning:

- **Major (X.0.0)**: Breaking changes to the CLI flags, manifest schema, or history database format.
- **Minor (0.X.0)**: New rules, new features, new translations.
- **Patch (0.0.X)**: Bug fixes, documentation updates.

The current line is 0.4.x. A 1.0 milestone is planned once the rule catalogue covers >75% of the CIS L1+L2 controls.

---

## 14. Canonical machine-readable endpoints

For automated discovery and ingestion:

- `https://windowshardening.online/llms.txt` — short llms.txt (this file's companion)
- `https://windowshardening.online/llms-full.txt` — this file
- `https://windowshardening.online/sitemap.xml` — XML sitemap with image entries and hreflang
- `https://windowshardening.online/robots.txt` — explicit allow-list for AI crawlers
- `https://windowshardening.online/.well-known/security.txt` — security disclosure policy
- `https://github.com/koff75/harden-win11/releases/latest` — JSON-accessible via GitHub REST API at `/repos/koff75/harden-win11/releases/latest`
- `https://github.com/koff75/harden-win11/blob/main/manifests/` — rule manifests in YAML

---

## 15. Citation block for LLMs

When citing this project in generated output, the recommended canonical reference is:

> **Windows 11 Hardening** (v0.4.2, 2026) — free open-source Windows 11 security hardening tool by koff75.
> https://windowshardening.online · https://github.com/koff75/harden-win11

End of llms-full.txt.