How to Harden a Windows 11 Endpoint
A practical hardening checklist for Windows 11 PCs in business environments. Covers BitLocker, Defender, attack surface reduction, application control, and more.
Overview
A default Windows 11 installation is not secure enough for business use. While Microsoft has improved security defaults significantly (TPM 2.0 requirement, Secure Boot, VBS), many features are off by default and need to be explicitly configured.
This guide provides a practical hardening checklist organised by priority. It aligns with the CIS Benchmark for Windows 11 (v5.0.0) and Microsoft's security baselines. The guidance targets Windows 11 24H2 (the current release as of March 2026).
Priority 1: Essential (Do These First)
Enable BitLocker full-disk encryption
Protects data at rest if the device is lost or stolen. The TPM protector unlocks the OS drive silently on a trusted boot; the recovery password is what you need once the TPM measurements change (firmware update, board swap, Secure Boot change), so create it and escrow it (Entra ID, AD DS or your key management store) before encryption starts rather than afterwards.

```powershell
# Recovery password first, so there is never an encrypted volume without one
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
# Then encrypt with the TPM as the unlock protector (XTS-AES 256 is the CIS-recommended cipher)
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -TpmProtector
```

See our full guide: Deploy BitLocker Across an Organisation
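The sequence above is the whole point, so here it is as an idempotent function, written for this article as an added example (it is not the article's own script nor the linked deployment guide). It assumes a ready TPM 2.0 and an Entra-joined device, which is why it escrows with BackupToAAD-BitLockerKeyProtector; on AD DS-joined devices, swap in Backup-BitLockerKeyProtector. It also handles the state 24H2 often ships in, where automatic device encryption has already encrypted the drive but protection is suspended until a recovery key is backed up.

```powershell
# Added example, not from the article. Assumes TPM 2.0 present and an Entra-joined device.
function Enable-HardenedBitLocker {
    param([string]$MountPoint = 'C:')

    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw "TPM not present or not ready; fix that before enabling BitLocker on $MountPoint"
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # 1. Recovery password first. Re-running must not add a second one.
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
    }

    # 2. Escrow every recovery password before any encryption starts (Entra ID assumed).
    foreach ($rp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
    }

    # 3. TPM protector. -SkipHardwareTest avoids the reboot-and-test cycle, acceptable
    #    only because the recovery password is already escrowed.
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest | Out-Null
        } else {
            # Already encrypted (e.g. automatic device encryption) but without a TPM protector
            Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
        }
    }

    # 4. An encrypted-but-suspended volume reads FullyEncrypted yet protects nothing.
    $final = Get-BitLockerVolume -MountPoint $MountPoint
    if ($final.VolumeStatus -ne 'FullyDecrypted' -and $final.ProtectionStatus -eq 'Off') {
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
    }

    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage
}

Enable-HardenedBitLocker
```

Run it elevated. The final output is what you want in your compliance evidence: VolumeStatus FullyEncrypted and ProtectionStatus On together, not either one alone.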
Enable Microsoft Defender Antivirus real-time protection
Should be on by default, but verify:

```powershell
Get-MpPreference | Select-Object DisableRealtimeMonitoring, DisableBehaviorMonitoring
# Both should be False
```
Enable tamper protection
Prevents malware, and local administrators, from turning Defender's protections off through the registry, PowerShell or Group Policy:
- Open Windows Security > Virus & threat protection > Manage settings
- Toggle Tamper protection to On
On Intune-managed devices, enforce it centrally (Endpoint security > Antivirus) so a user cannot toggle it back off.
Enable automatic Windows updates
Configure via Intune update rings or the Windows Update Group Policy. Checking the service is necessary but not sufficient: wuauserv is manual/trigger-started, so Stopped is normal and only Disabled is a problem, and a policy that sets NoAutoUpdate or defers updates indefinitely leaves the service intact while nothing installs. Check the effective policy as well as the service:

```powershell
# Verify the update service is not disabled (Stopped with StartType Manual is normal)
Get-Service -Name wuauserv | Select-Object Status, StartType
```
Require strong passwords or Windows Hello
Configure via Intune or local policy:
- Minimum 12 characters (the CIS benchmark recommends 14 or more)
- Complexity requirements enabled
- Account lockout after 5 or fewer failed attempts, with a lockout duration of at least 15 minutes
Prefer Windows Hello for Business (TPM-backed PIN or biometrics) for daily sign-in; the password then becomes a rarely typed fallback and the lockout policy protects it from online guessing.
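For standalone or workgroup devices where there is no Intune or domain policy to do this, the values above can be applied as local policy. The function below is an added example for this article (not the article's own script): length and lockout go through net accounts, while password complexity only lives in the security template, so it is exported, edited and re-imported with secedit. The file names under $env:TEMP are working files of the example. On domain-joined devices, domain policy governs domain accounts and these settings only affect local accounts.

```powershell
# Added example, not from the article: local account policy on a standalone device.
function Set-LocalAccountPolicy {
    param([int]$MinLength = 12, [int]$LockoutThreshold = 5, [int]$LockoutMinutes = 15)

    # Length and lockout. Lockout duration must not be shorter than the observation window.
    net accounts "/minpwlen:$MinLength" "/lockoutthreshold:$LockoutThreshold" `
        "/lockoutduration:$LockoutMinutes" "/lockoutwindow:$LockoutMinutes" | Out-Null

    # Complexity: export the current template, set PasswordComplexity = 1, re-import.
    $cfg = Join-Path $env:TEMP 'local-secpol.inf'   # working file (example)
    $db  = Join-Path $env:TEMP 'local-secpol.sdb'   # working file (example)
    secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    $template = Get-Content -Path $cfg
    if ($template -match '^PasswordComplexity') {
        $template = $template -replace '^PasswordComplexity\s*=.*$', 'PasswordComplexity = 1'
    } else {
        $template = $template -replace '^\[System Access\]$', "[System Access]`r`nPasswordComplexity = 1"
    }
    # secedit's export is UTF-16; write it back the same way or the import will not parse it
    Set-Content -Path $cfg -Value $template -Encoding Unicode
    secedit /configure /db $db /cfg $cfg /areas SECURITYPOLICY | Out-Null
    Remove-Item $cfg, $db -ErrorAction SilentlyContinue

    # Read back what the machine now enforces
    net accounts
}

Set-LocalAccountPolicy
```

Run it elevated; the closing net accounts output is the verification, and it is also what an auditor will ask for.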
Priority 2: High (Do This Week)
Enable Attack Surface Reduction (ASR) rules
ASR rules block the behaviours behind most commodity malware chains: Office spawning a shell, macro code being injected into another process, a tool reading LSASS memory. They require Microsoft Defender Antivirus to be the active AV with real-time protection on, and on an Intune- or GPO-managed device the managed setting overrides anything set locally. Deploy via Intune or Group Policy; the local cmdlets below are for standalone devices and for testing.

The most impactful ASR rules:

```powershell
# Block Office apps from creating child processes
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
# Block Office apps from injecting code into other processes
Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions Enabled
# Block executable content from email client and webmail
Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled
# Block credential stealing from LSASS
Add-MpPreference -AttackSurfaceReductionRules_Ids 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2 -AttackSurfaceReductionRules_Actions Enabled
# Block untrusted/unsigned processes from USB
Add-MpPreference -AttackSurfaceReductionRules_Ids B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 -AttackSurfaceReductionRules_Actions Enabled
```

Run ASR rules in audit mode first (AuditMode instead of Enabled) for one to two weeks and review the audit events (Event ID 1122 in the Microsoft-Windows-Windows Defender/Operational log; 1121 is a block) to identify false positives before enforcement. For a rule that breaks a line-of-business workflow, Warn mode (where the rule supports it) is a middle ground: the user is prompted and can bypass once rather than being blocked silently.
Disable unnecessary services
```powershell
# Disable Remote Desktop if not needed (and leave the "Remote Desktop" firewall rule group disabled)
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 1
# Disable Remote Registry
Set-Service -Name RemoteRegistry -StartupType Disabled -ErrorAction SilentlyContinue
# Disable NetBIOS over TCP/IP on every IP-enabled adapter. NetBIOS name resolution is the
# broadcast protocol that poisoning tools (Responder and similar) abuse to capture NTLM hashes
# for relay or cracking, so removing it cuts a common lateral-movement path.
$adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True"
$adapters | ForEach-Object {
    # TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enable, 2 = disable
    Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 }
}
```
Configure Windows Firewall
Ensure the firewall is on for all profiles:

```powershell
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
# Block all inbound by default, allow outbound
Set-NetFirewallProfile -Profile Domain,Public,Private -DefaultInboundAction Block -DefaultOutboundAction Allow
```
Enable Controlled Folder Access
Protects against ransomware by blocking apps that Defender does not consider trusted from modifying files in protected folders (Documents, Pictures, Desktop and any folders you add). Like ASR, run it in AuditMode first: unsigned line-of-business apps and some installers write to these folders and will be blocked outright in Enabled mode, so review the audit events (Event ID 1124 for audited, 1123 for blocked, in the same Defender operational log) and add exceptions before enforcing.

```powershell
Set-MpPreference -EnableControlledFolderAccess Enabled
```
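The audit-first rollout recommended for both ASR rules and Controlled Folder Access, as one added example written for this article (not the article's own script): it sets the five rules above and CFA to a chosen mode in one call each, reads back which mode each rule is actually in, and pulls the audit and block events out of the Defender operational log so you can see what enforcement would have stopped. The rule GUIDs are the five from this guide; the allowed-application path in the usage lines is an assumed placeholder.

```powershell
# Added example, not from the article. Rule GUIDs are the five from this guide.
$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Office apps creating child processes'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Office apps injecting into other processes'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Executable content from email client/webmail'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Credential stealing from LSASS'
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Untrusted/unsigned processes from USB'
}

function Set-AsrRuleMode {
    param(
        [Parameter(Mandatory)][ValidateSet('AuditMode', 'Warn', 'Enabled', 'Disabled')][string]$Mode,
        [string[]]$RuleIds = @($AsrRules.Keys)
    )
    # Add-MpPreference takes parallel arrays, so one call sets every rule to the same mode
    $actions = @(foreach ($id in $RuleIds) { $Mode })
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleIds -AttackSurfaceReductionRules_Actions $actions
}

function Get-AsrRuleState {
    # Get-MpPreference exposes rule IDs and numeric actions as parallel arrays
    $pref  = Get-MpPreference
    $names = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt @($pref.AttackSurfaceReductionRules_Ids).Count; $i++) {
        $id   = ([string]$pref.AttackSurfaceReductionRules_Ids[$i]).ToUpper()
        $name = if ($AsrRules.ContainsKey($id)) { $AsrRules[$id] } else { '(not in this guide)' }
        [pscustomobject]@{
            RuleId = $id
            Name   = $name
            Action = $names[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
        }
    }
}

function Set-ControlledFolderAccessMode {
    param(
        [Parameter(Mandatory)][ValidateSet('AuditMode', 'Enabled', 'Disabled')][string]$Mode,
        [string[]]$AllowedApps = @()
    )
    Set-MpPreference -EnableControlledFolderAccess $Mode
    # Line-of-business apps that legitimately write to protected folders go on the allow list
    if ($AllowedApps.Count -gt 0) {
        Add-MpPreference -ControlledFolderAccessAllowedApplications $AllowedApps
    }
}

function Get-DefenderAuditHits {
    param([int]$Days = 14)
    # Defender operational log: 1121/1122 = ASR block/audit, 1123/1124 = CFA block/audit
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122, 1123, 1124
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $evt  = $_
        $rule = [regex]::Match($evt.Message, 'ID:\s*\{?([0-9A-Fa-f-]{36})').Groups[1].Value.ToUpper()
        $proc = [regex]::Match($evt.Message, '(?m)^\s*Process Name:\s*(.+?)\s*$').Groups[1].Value
        $feature = if ($evt.Id -in 1121, 1122) { 'ASR' } else { 'CFA' }
        $mode    = if ($evt.Id -in 1121, 1123) { 'Block' } else { 'Audit' }
        $ruleName = if ($AsrRules.ContainsKey($rule)) { $AsrRules[$rule] } else { $rule }
        [pscustomobject]@{ Time = $evt.TimeCreated; Feature = $feature; Mode = $mode; Rule = $ruleName; Process = $proc }
    }
}

# Usage: audit for one to two weeks, review the hits, then enforce
Set-AsrRuleMode -Mode AuditMode
Set-ControlledFolderAccessMode -Mode AuditMode -AllowedApps 'C:\Program Files\LOBApp\lobapp.exe'   # assumed path
Get-AsrRuleState | Format-Table -AutoSize
Get-DefenderAuditHits | Group-Object Feature, Rule, Process | Sort-Object Count -Descending | Format-Table Count, Name
# After review: Set-AsrRuleMode -Mode Enabled ; Set-ControlledFolderAccessMode -Mode Enabled
```

The grouped output is the review artefact: a rule whose only hits come from your own deployment tooling or a known installer is a candidate for an exclusion or for Warn mode, while a rule with no hits at all can go straight to Enabled. On managed devices the Intune or GPO setting wins over these local cmdlets, so do the audit-to-enforce switch in the same place you deploy from.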
Consider Smart App Control
Smart App Control (available since Windows 11 22H2) combines code-signing checks with a cloud reputation model to block untrusted and potentially dangerous applications. It is a good option for endpoints that do not need to run niche or unsigned software.
- It can only be turned on on a clean Windows installation or a reset PC; it cannot be enabled on a device that has been running without it
- It starts in Evaluation mode and turns itself on only if it decides the device is a good fit (it switches itself off if it sees too much unsigned or low-reputation software)
- Once turned off, it cannot be re-enabled without resetting Windows
It is designed for unmanaged, consumer-style devices and is best suited to standard user workstations (not developer machines or servers). For a managed fleet, the enterprise equivalent is App Control for Business (formerly WDAC), deployed via Intune or Group Policy with a policy you control.
Priority 3: Medium (Do This Month)
Enable Credential Guard
Protects against credential theft by running the part of LSA that holds secrets (NTLM hashes, Kerberos TGTs) in a VBS-isolated process, LSAIso, that neither a SYSTEM-level process nor a kernel driver on the host can read. Since Windows 11 22H2, it is enabled by default on Enterprise and Education editions on hardware that meets the VBS requirements; it is not available on Pro. Where default enablement has not applied (VBS turned off, an upgraded image, a conflicting policy), enable it explicitly:

```powershell
# Enable via registry (requires VBS-capable hardware with Secure Boot; VBS itself must also be on).
# LsaCfgFlags 1 = enabled with UEFI lock (cannot be turned off remotely, by design), 2 = enabled without lock
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\LSA" -Name "LsaCfgFlags" -Value 1
```

Or deploy via Intune: Endpoint security > Account protection > Credential Guard. Reboot afterwards and confirm it is running, not merely configured; the two states are reported separately.
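"Configured" and "running" are different answers, so here is an added example for this article (not the article's own script) that reads what VBS and Credential Guard are actually doing from the Win32_DeviceGuard class, and enables them locally with the DeviceGuard and LSA registry values Microsoft documents. The edition check uses Get-WindowsEdition; the edition name pattern is an assumption about how your images report themselves.

```powershell
# Added example, not from the article. Run elevated.
function Get-CredentialGuardState {
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $vbsNames = @{ 0 = 'Disabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    # SecurityServices codes: 1 = Credential Guard, 2 = HVCI (memory integrity)
    [pscustomobject]@{
        Edition             = (Get-WindowsEdition -Online).Edition
        VbsStatus           = $vbsNames[[int]$dg.VirtualizationBasedSecurityStatus]
        CredGuardConfigured = $dg.SecurityServicesConfigured -contains 1
        CredGuardRunning    = $dg.SecurityServicesRunning -contains 1
        HvciRunning         = $dg.SecurityServicesRunning -contains 2
    }
}

function Enable-CredentialGuardLocal {
    param([switch]$UefiLock)
    $state = Get-CredentialGuardState
    # Edition gate (assumed naming): Credential Guard is not supported on Pro
    if ($state.Edition -notmatch '^(Enterprise|Education|IoTEnterprise)') {
        Write-Warning "Credential Guard requires Enterprise or Education; this device reports $($state.Edition)"
        return
    }
    if ($state.CredGuardRunning) {
        Write-Host "Credential Guard already running"
        return
    }
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-Item -Path $dgKey -Force | Out-Null
    # VBS itself must be on; Credential Guard is a service that runs inside it
    Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    # 1 = require Secure Boot, 3 = Secure Boot plus DMA protection
    Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures -Value 1 -Type DWord
    # LsaCfgFlags: 1 = on with UEFI lock, 2 = on without lock (the lock makes remote removal impossible)
    Set-ItemProperty -Path $lsaKey -Name LsaCfgFlags -Value $(if ($UefiLock) { 1 } else { 2 }) -Type DWord
    Write-Host "Credential Guard configured; reboot, then run Get-CredentialGuardState and expect CredGuardRunning = True"
}

Get-CredentialGuardState
Enable-CredentialGuardLocal
```

The UEFI lock is the setting to think about before a fleet-wide push: it is what stops an attacker with admin rights from switching Credential Guard off with a registry change, but it also means a later policy change cannot remove it without physical presence at the machine.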
Configure local admin account
- Rename the built-in Administrator account (its RID 500 still identifies it, so renaming is a speed bump against scripted attacks, not a control)
- Disable the built-in Administrator account if not needed
- Use Windows LAPS (built into Windows 11 23H2 and later, and into 22H2 with the April 2023 cumulative update) for unique, automatically rotated local admin passwords per device; a separate download is no longer required. Configure via Intune or Group Policy, and let LAPS manage either the built-in account or a dedicated local admin account

```powershell
# Disable built-in admin (when LAPS manages a separate local admin account)
Disable-LocalUser -Name "Administrator"
# Or rename it (if leaving it enabled for emergency access, ideally under LAPS)
Rename-LocalUser -Name "Administrator" -NewName "LocRecovery"
```
Log PowerShell activity
Script block logging records the de-obfuscated content of every script block as it executes (Event ID 4104 in Microsoft-Windows-PowerShell/Operational), which defeats most string-level obfuscation because the engine logs what it actually runs; transcription captures complete session input and output to files. Both policy keys are absent by default, so create them before setting values:

```powershell
# Enable PowerShell script block logging (Event ID 4104)
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Force
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1
# Enable PowerShell transcription (logs all PS session input and output)
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" -Force
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" -Name "EnableTranscripting" -Value 1
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" -Name "OutputDirectory" -Value "C:\PSTranscripts"
```

Transcripts contain whatever was typed at the prompt, secrets included: restrict the output directory so users can create files but not read or delete other sessions' transcripts, and forward both the directory and the event log to your SIEM. To restrict rather than just log, Constrained Language Mode (enforced through App Control for Business) limits what an attacker's PowerShell can do at all.
Disable SMBv1
SMBv1 is the protocol EternalBlue exploited (WannaCry, NotPetya), and it lacks the signing and encryption protections of SMB 3. Removing the optional feature disables both the client and the server; the second command turns the server side off in the SMB configuration as well, which covers systems where the feature removal has not yet taken effect:

```powershell
# Remove the SMBv1 client and server (takes effect after the next restart)
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
# Also turn off the SMBv1 server in the SMB server configuration
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```
Enable audit logging
Configure these audit policies for security monitoring:

```powershell
# Enable logon event auditing (4624/4625 logons, 4634 logoff, 4672 special privileges)
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable
auditpol /set /subcategory:"Special Logon" /success:enable
# Enable process creation auditing (Event ID 4688, critical for threat detection)
auditpol /set /subcategory:"Process Creation" /success:enable
# Include the command line in 4688 events; the Audit key does not exist by default
New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Force
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1
```

Two things bite in practice: the Security log's default maximum size fills within hours once 4688 is on, so raise it (or forward events off the box), and if legacy category-level audit policy is also set via Group Policy, enable "Audit: Force audit policy subcategory settings to override audit policy category settings" so the subcategory settings above are the ones that apply.
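Logging that nobody reads back is not a control, so here is an added example for this article (not the article's own script) that serves both the PowerShell logging and the audit policy sections: it checks the auditpol subcategories are in the expected state, lists recent 4688 events with their command lines, and scans 4104 script blocks for a few obfuscation and download patterns. The property indexes follow the documented 4688 and 4104 event layouts; the suspicious-pattern list is an assumption to tune for your environment.

```powershell
# Added example, not from the article. Run elevated (the Security log needs it).
function Get-AuditSubcategoryState {
    param([string[]]$Subcategories = @('Logon', 'Account Lockout', 'Process Creation'))
    foreach ($name in $Subcategories) {
        # /r makes auditpol emit CSV, which ConvertFrom-Csv turns into an object
        $row = auditpol /get /subcategory:"$name" /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
        [pscustomobject]@{ Subcategory = $name; Setting = $row.'Inclusion Setting' }
    }
}

function Get-RecentProcessCreations {
    param([int]$Minutes = 60)
    # 4688 carries a command line only when ProcessCreationIncludeCmdLine_Enabled = 1.
    # Properties: [1] subject user, [5] new process name, [8] command line
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $_.Properties[1].Value
            Process     = $_.Properties[5].Value
            CommandLine = $_.Properties[8].Value
        }
    }
}

function Get-SuspiciousScriptBlocks {
    param(
        [int]$Minutes = 60,
        # Assumed starting list; tune it for your environment
        [string[]]$Patterns = @('FromBase64String', '-EncodedCommand', 'DownloadString', 'Invoke-Expression', 'IEX ')
    )
    # 4104 = script block logged. Properties: [2] script block text, [4] script path
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $evt  = $_
        $text = [string]$evt.Properties[2].Value
        $hits = @($Patterns | Where-Object { $text -match [regex]::Escape($_) })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Time    = $evt.TimeCreated
                Path    = $evt.Properties[4].Value
                Matched = ($hits -join ', ')
                Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

# Usage
Get-AuditSubcategoryState | Format-Table -AutoSize
Get-RecentProcessCreations | Where-Object CommandLine | Select-Object -First 10 | Format-Table -AutoSize
# This script contains the patterns it searches for, so it appears in its own results
# when script block logging is working; if it does not, the policy has not applied.
Get-SuspiciousScriptBlocks | Format-Table -AutoSize
```

An empty CommandLine column on every 4688 row means the ProcessCreationIncludeCmdLine_Enabled value has not taken effect; a 4688 list with no entries at all usually means the Process Creation subcategory is still "No Auditing".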
Hardening Checklist Summary
| Control | Priority | Method |
|---|---|---|
| BitLocker encryption | Essential | Intune / GPO / Script |
| Defender real-time protection | Essential | Default (verify on) |
| Tamper protection | Essential | Windows Security |
| Automatic updates | Essential | Intune / GPO |
| Strong password policy | Essential | Intune / GPO |
| ASR rules | High | Intune / GPO / Script |
| Windows Firewall (all profiles) | High | GPO / Script |
| Controlled Folder Access | High | Intune / Script |
| Disable unnecessary services | High | GPO / Script |
| Credential Guard | Medium | Intune / Registry |
| Windows LAPS for local admin | Medium | Intune / GPO (built-in) |
| PowerShell logging | Medium | GPO / Registry |
| Disable SMBv1 | Medium | PowerShell |
| Audit logging | Medium | auditpol / GPO |
Verification Script
Run this script to check the current hardening status of a device:
```powershell
Write-Host "=== Windows 11 Hardening Status ===" -ForegroundColor Cyan
function Show-Check([string]$Name, [bool]$Ok) {
    Write-Host ("{0,-20} {1}" -f $Name, $(if ($Ok) { 'PASS' } else { 'FAIL' })) -ForegroundColor $(if ($Ok) { 'Green' } else { 'Red' })
}
# BitLocker: encrypted AND protection on (a suspended volume still reports FullyEncrypted)
$bl = Get-BitLockerVolume -MountPoint "C:" -ErrorAction SilentlyContinue
Show-Check "BitLocker" ($bl.VolumeStatus -eq 'FullyEncrypted' -and $bl.ProtectionStatus -eq 'On')
# Defender
$mp = Get-MpPreference
Show-Check "Real-time protect" (-not $mp.DisableRealtimeMonitoring)
Show-Check "Tamper protection" ([bool](Get-MpComputerStatus).IsTamperProtected)
# ASR: the five rules from this guide must all be in Block mode (action 1; 2 is only Audit)
$asr = @{}
for ($i = 0; $i -lt @($mp.AttackSurfaceReductionRules_Ids).Count; $i++) {
    $asr[([string]$mp.AttackSurfaceReductionRules_Ids[$i]).ToUpper()] = [int]$mp.AttackSurfaceReductionRules_Actions[$i]
}
$guideRules = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A', '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84', 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550', '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2', 'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4'
Show-Check "ASR rules (block)" (@($guideRules | Where-Object { $asr[$_] -ne 1 }).Count -eq 0)
# Firewall: wrap in @() so an empty or single result still has a .Count
$fw = @(Get-NetFirewallProfile | Where-Object { -not $_.Enabled })
Show-Check "Firewall (all)" ($fw.Count -eq 0)
# SMBv1
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
Show-Check "SMBv1 disabled" (-not $smb1)
# Controlled Folder Access: 1 = Enabled (2 = AuditMode, which logs but does not protect)
Show-Check "Controlled Folder" ($mp.EnableControlledFolderAccess -eq 1)
# Credential Guard: SecurityServicesRunning contains 1 when it is actually running
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
Show-Check "Credential Guard" ($dg.SecurityServicesRunning -contains 1)
```

Run it from an elevated prompt; Get-BitLockerVolume and the Defender cmdlets return incomplete data otherwise, and an incomplete read shows up as FAIL.
For full CIS Benchmark compliance, download the CIS Benchmark for Windows 11 v5.0.0 (or the latest available version) and compare your configuration against all 300+ controls. The items in this guide cover the highest-impact controls that protect against the most common attack vectors.