Study Windows Configuration Utility BETA

Windows hardening script generator · v1.3 BETA

A wizard that produces a verified Windows hardening PowerShell script. Pick the deployment type to start: Local PC for a standalone machine, or Domain Joined PC for a Group Policy Object that applies the hardening across an OU. Pick a baseline (DISA STIG, CIS L1, NSA/CISA, CCCS, CMMC L2 / CPCSC, or Minimum Viable), toggle individual controls with full rationale and source citations, and download a SHA-256 fingerprinted .ps1. Every control is sourced from DISA STIG, CIS, NSA/CISA, CSE/CCCS, or Microsoft. Local PC mode is in BETA; GPO mode is in ALPHA.

SELECT DEPLOYMENT TYPE

  • LOCAL PC: Standalone. Not domain joined. Available now (v1 BETA).
  • DOMAIN JOINED PC: Active Directory member. GPO configuration. Available now (v1 ALPHA).

What this tool is

A wizard-driven PowerShell script generator for Windows workstation and server hardening. Every control is sourced from a published standard: no made-up registry keys, no unverified commands. The generated script requires administrator privileges, creates a system restore point, logs every action to C:\Logs\, and embeds a SHA-256 fingerprint of your configuration in the script header so you can verify it has not been tampered with.

Standards referenced

  • DISA STIG Windows 11 V2R2, Windows 10 V2R7 (public.cyber.mil)
  • CIS Microsoft Windows 11 Benchmark v3.0 (cisecurity.org)
  • NSA/CISA Cybersecurity Information Sheets (media.defense.gov)
  • CSE/CCCS ITSP.70.012, Guidance for Hardening Microsoft Windows 10 Enterprise (cyber.gc.ca)
  • Microsoft Security Documentation (learn.microsoft.com)

Pro vs Enterprise

The generated script detects the OS edition at runtime. Enterprise/Education-only controls (Credential Guard, AppLocker enforcement) are auto-skipped on Pro with a logged warning, so you can run the same script across mixed environments without breakage.

Local PC vs Domain Joined PC

Local PC (BETA) mode produces a per-machine PowerShell script that runs on the workstation itself. The script creates a restore point, writes a verbose log, detects the OS edition, and auto-skips Enterprise-only controls on Pro with a logged warning.

Domain Joined PC (ALPHA) mode produces a script that creates (or updates) a Group Policy Object on the domain using New-GPO and Set-GPRegistryValue. Specify the GPO name, an optional OU distinguished name to link to, and an OS-scope WMI filter suggestion. Registry-deliverable controls (the majority of the catalogue) apply natively through GPO. Controls that need a non-registry mechanism (auditpol via audit.csv, Defender ADMX, BitLocker enablement, AppLocker rules, bcdedit, powercfg) are listed at the foot of the generated script with the alternate mechanism. Run it on a Domain Controller or an admin workstation with the RSAT Group Policy Management Tools installed, signed in as a member of Group Policy Creator Owners with permission on the target OU.
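
The create-or-update flow described above, as an added example for lab review; it is not the generator's output or the project's own code. The GPO name, OU distinguished name, and the two sample registry controls are assumptions chosen for illustration.

```powershell
#Requires -Modules GroupPolicy
# Added illustration, not output of the generator.
# GPO name, OU DN and the control list are assumed sample values.
param(
    [string]$GpoName  = 'LAB-Workstation-Hardening',            # assumed GPO name
    [string]$TargetOu = 'OU=LabWorkstations,DC=lab,DC=example'  # assumed OU DN; '' skips linking
)
$ErrorActionPreference = 'Stop'

# Constructed sample of registry-deliverable controls (well-known policy values).
$controls = @(
    @{ Key       = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer'
       ValueName = 'AlwaysInstallElevated'; Type = 'DWord'; Value = 0 },
    @{ Key       = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
       ValueName = 'EnableMulticast'; Type = 'DWord'; Value = 0 }   # turns off LLMNR
)

# Create the GPO on the first run, reuse it on later runs ("creates or updates").
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Lab hardening baseline (example)'
}

# Write each control into the GPO's registry policy; rerunning overwrites in place.
foreach ($c in $controls) {
    Set-GPRegistryValue -Name $GpoName -Key $c.Key -ValueName $c.ValueName `
        -Type $c.Type -Value $c.Value | Out-Null
}

# Link to the OU only when no link exists yet, so reruns do not fail on a duplicate.
if ($TargetOu) {
    $linked = (Get-GPInheritance -Target $TargetOu).GpoLinks |
        Where-Object DisplayName -eq $GpoName
    if (-not $linked) {
        New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
    }
}

# Read back what the GPO now carries so the result can be reviewed before rollout.
foreach ($c in $controls) {
    Get-GPRegistryValue -Name $GpoName -Key $c.Key -ValueName $c.ValueName |
        Select-Object FullKeyPath, ValueName, Type, Value
}
```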

The tool generates the script. It does not run it. Review and test in a lab before linking to a production OU. Feedback to contact@hans.study.
