Most of the recommendations to harden Windows 11 machines are based on GPOs or simply recommend you spin up a CIS Hardened image in the cloud. While this is great, I wanted to create a script for non-domain joined machines, or at least, a generic script that could be run by another service. I could not find any examples to go off of so I took the results from a SIEM, exported them, and converted the values into Powershell commands that can be run locally or remotely. The scripts modifies registry keys to get the necessary results.

PLEASE REVIEW THE CODE AND COMMENT OUT ANYTHING YOU DO NOT NEED OR THAT MAY CAUSE ISSUES IN YOUR ENVIRONMENT!

To run locally, copy all the Powershell files to C:\ComplianceToolkit, open Powershell as an Administrator, and execute .\Run-ComplianceToolkit.ps1 -DryRun (Remove -DryRun when you want it to make changes)

To run remotely on another computer be sure to first edit the $computers variable in the Deploy-ComplianceToolkitRemotely.ps1 file based on your use case. You can list them in an array or use Get-ADComputer to filter to your liking. Copy all the Powershell files to C:\ComplianceToolkit, open Powershell as an Administrator and execute .\Deploy-ComplianceToolkitRemotely.ps1 -DryRun (Remove -DryRun when you want it to make changes). It'll ask you for credentials and provided the account you provide has the appropriate permissions and your AV doesn't block it, will perform a DryRun or remediate accordingly! ;)