Windows 11 Security Baseline Script Assistant

Step 1 · Choose your Windows 11 controls

Pick the protections you want in your script.

Profiles blend severity and compatibility. Relaxed focuses on safer changes. Strict turns on more aggressive crypto and legacy protocol controls. Custom lets you hand-pick every item.

Profiles Relaxed Strict Custom

Relaxed applies all critical items plus medium and low items that rarely break modern systems. Strict adds stronger crypto and session key requirements that may affect very old domains or devices.

BitLocker full disk encryption enabled Critical Manual steps

Confirms that all fixed drives use BitLocker or equivalent full disk encryption. The script adds a checklist of GUI steps and reminders instead of changing this automatically.
BitLocker pre-boot PIN configured Critical Manual steps

Documents how to require a BitLocker PIN at startup using the BitLocker policy “Require additional authentication at startup”. The script does not try to force this remotely.
Data Execution Prevention (DEP) set to OptOut Critical Manual steps

Adds a short guide to set DEP to at least OptOut with BCDEDIT /set {current} nx OptOut. Includes a reminder to suspend BitLocker first and reboot. No BCDEdit is run for you.
Enable SEHOP (Structured Exception Handling Overwrite Protection) Critical Recommended

Ensures SEHOP is enabled by setting DisableExceptionChainValidation to 0 under the Session Manager kernel key, which helps block certain memory corruption exploits.
Disable reversible password encryption Critical Manual steps

Adds a brief checklist to confirm “Store passwords using reversible encryption” is disabled in Local Security Policy. This is handled through policy, not registry scripting here.
Block solicited Remote Assistance Critical

Sets fAllowToGetHelp to 0 under the Terminal Services policy key so users cannot invite external helpers into their sessions.
WinRM client: block Basic authentication Critical

Sets AllowBasic to 0 for the WinRM client, preventing plain-text Basic auth over WinRM from this machine.
WinRM service: block Basic authentication Critical

Disables Basic auth on the WinRM service listener by setting AllowBasic to 0 under the WinRM Service policy key.
Block anonymous SAM account enumeration Critical

Prevents anonymous users from listing local accounts by setting RestrictAnonymousSAM to 1 under the LSA key.
Restrict anonymous enumeration of shares Critical

Sets RestrictAnonymous to 1, limiting anonymous enumeration of shared resources on the system.
Restrict anonymous access to named pipes and shares Critical

Sets RestrictNullSessAccess to 1 so anonymous sessions cannot reach named pipes or shares beyond those explicitly allowed.
Do not store LAN Manager password hashes Critical Recommended

Sets NoLMHash to 1 so the system no longer stores weak LM hashes when users change passwords.
SNMP client not installed Medium Manual steps

Adds short instructions to verify SNMP is not installed and how to remove it via “Turn Windows features on or off”.
Telnet client not installed Medium Manual steps

Documents how to confirm the Telnet client is not present and how to remove it if needed, since Telnet sends traffic in clear text.
TFTP client not installed Medium Manual steps

Provides a short checklist for verifying and removing the legacy TFTP client through Windows features, reducing use of insecure protocols.
Disable SMB 1.0 optional feature Medium Higher impact

Uses Disable-WindowsOptionalFeature for SMB1Protocol to turn off the SMBv1 Windows feature. This may affect very old NAS devices or Windows 2003-era servers.
Disable SMBv1 on the SMB server Medium

Sets SMB1 to 0 under the LanmanServer parameters, disabling the SMBv1 server component for file sharing.
Disable SMBv1 on the SMB client Medium

Sets the SMBv1 client driver start value to 4 (disabled) so the system does not initiate SMBv1 connections.
Disable insecure guest logons to SMB servers Medium

Sets AllowInsecureGuestAuth to 0 so anonymous guest access to SMB shares is blocked.
Prioritize stronger ECC curves Medium Crypto

Sets the ECC curve order to prefer NistP384 before NistP256 for TLS, ensuring stronger curves are tried first.
Enable enhanced anti-spoofing for facial recognition Medium

Turns on enhanced anti-spoofing for Windows Hello devices that support it by setting EnhancedAntiSpoofing to 1.
Enable Defender SmartScreen for Explorer Medium Recommended

Enables Explorer SmartScreen and sets the level to Block so suspicious downloads are blocked or strongly warned.
Require DEP for File Explorer Medium

Ensures File Explorer cannot turn off DEP by clearing any NoDataExecutionPrevention override under Explorer policies.
Keep shell protocol in protected mode Medium

Makes sure the shell protocol runs in protected mode by clearing any PreXPSP2ShellProtocolBehavior override that would disable it.
Enable Kernel DMA Protection policy Medium Device compatibility

Sets DeviceEnumerationPolicy to 0 for Kernel DMA Protection, helping defend against drive-by DMA attacks on Thunderbolt-class ports.
Require strong Netlogon session keys Medium Domain impact

Sets RequireStrongKey to 1 under Netlogon parameters so secure channels use strong session keys when talking to domain controllers.
Harden Kerberos encryption types Medium Domain impact

Sets SupportedEncryptionTypes to 0x7ffffff8, blocking legacy DES and RC4 Kerberos encryption suites in favor of modern ones.
Disable AppCompat program inventory telemetry Low

Sets DisableInventory to 1 so Application Compatibility Inventory does not collect data and send details to Microsoft.
Turn off Microsoft consumer experiences Low

Sets DisableWindowsConsumerFeatures to 1 so Windows does not push suggested apps and consumer content from the Store.
Keep Explorer heap termination on corruption enabled Low

Clears any NoHeapTerminationOnCorruption override so Explorer terminates when heap corruption is detected, rather than trying to keep legacy plug-ins alive.

Tip: For standalone laptops and small offices, Relaxed is usually the safest first pass. Use Strict in homelabs and well-managed domains where you are prepared to troubleshoot legacy systems.

Step 2 · Review, test, then run

Generated Windows 11 baseline script

Review every line, test on a non-critical machine, then run in an elevated PowerShell session. Manual-only items appear as commented checklists inside the script. A simple JSON “pre / post” snapshot is written under C:\SecurityTools\Reports\Win11Baseline.

How to use: Save the script, open PowerShell as Administrator, and run Invoke-Win11Baseline to apply these settings. To reverse registry-based settings, run Invoke-Win11BaselineRollback. Manual checklist items must be applied and reverted by hand.

Reporting: Each run writes a small JSON file that records the machine name, OS version, timestamp, and the list of selected controls before and after changes. Use this alongside your own configuration backups for audit and rollback planning.

How to use this assistant safely

Before you run the script

Use this only on Windows systems you own or are explicitly allowed to manage.
Create a backup, restore point, or golden image before applying changes.
Generate the script and skim every section, especially Strict profile items.
Comment out any blocks that conflict with your domain, devices, or policies.
Test on a non-critical machine first, from an elevated PowerShell window.

Good next steps

Save your adjusted script into version control or a secured admin share.
Document which baseline controls you applied and to which machines.
Revisit this baseline as your hardware, domain settings, and risk profile evolve.
Coordinate with your security or IT lead before rolling out to production fleets.

Important notice

This assistant runs entirely in your browser. Your selections and the generated script are not sent to CyberLife Coach, to any server, or to any third party. The output is a generic starting point and is provided for educational and informational use only. It is not a substitute for professional advice, does not guarantee compliance with any standard, and is used at your own risk. Always test in a safe environment, verify every line, and ensure you have reliable backups before making changes. Do not apply these settings to employer or school managed devices without explicit approval.

No warranty or guarantees Local only, no data leaves this device