About this tool
Windows 11 (local device)
Security Baseline Script Assistant

Windows 11 Security Baseline Script Assistant

This page explains what the assistant does, who it is for, and how to use the generated PowerShell script safely alongside your own backups, change control, and Windows 11 hardening plans.

Overview

What this assistant is designed to do

The Windows 11 Security Baseline Script Assistant helps you turn individual hardening controls into a single, readable PowerShell script. You choose which controls to apply, then the tool builds a script that includes registry changes, configuration tweaks, and clearly marked manual checklists you can follow step by step.

Who it is for

  • Home users who want stronger defaults on personal Windows 11 machines.
  • Small businesses that need a repeatable baseline for a handful of devices.
  • IT admins and homelab builders who prefer readable scripts they can customize.

The tool is a helper, not a remote management platform. Nothing is pushed automatically to your devices.

What the script includes

  • Controls grouped by severity and impact, including crypto and legacy protocol settings.
  • Comments that explain each registry change in plain language.
  • Manual-only items that appear as clearly labelled checklists inside the script.
  • A simple “pre / post” JSON snapshot so you can track what was selected on each run.

How to use it in a safe workflow

  • Generate the script from the main assistant and save it to a secure admin folder.
  • Read through every section, especially strict or high impact items, and comment out anything you do not want.
  • Create a system backup, restore point, or image before making changes.
  • Test on a non-critical Windows 11 device from an elevated PowerShell session.
  • Only move to primary devices after you are comfortable with the effects and any domain interactions.

How the “pre / post” reporting works

Each time you run the script, it writes a small JSON file under C:\SecurityTools\Reports\Win11Baseline. The report records the date, machine name, OS version, and the list of controls you selected. This gives you a simple audit trail you can pair with your own configuration backups and change log notes.

These reports stay on your system. They are not transmitted to CyberLife Coach or to any third party.

This tool includes a curated subset of DISA STIG controls selected for real world use by home users, entrepreneurs, digital nomads, and small businesses. It is not a full STIG implementation but a practical baseline designed to reduce your attack surface.

Important notice

This assistant and the generated PowerShell script run entirely on your local device. Your selections and output are not sent to CyberLife Coach, to any server, or to any third party. The script is a generic starting point and is provided for educational and informational use only. It is not tailored to your specific environment, does not guarantee compliance with NIST, CIS, DISA STIGs, or any other framework, and carries no warranty or guarantee.

You are responsible for reviewing, testing, and validating every line before use. Always create reliable backups, test in a non-critical environment, and confirm you are authorized to make changes on any systems you manage. Do not apply these settings to employer or school managed devices without explicit written approval from the appropriate owner or administrator.