This repository contains a curated collection of PowerShell-based remediation scripts for Windows 11 DISA STIG findings.
Each script targets a specific STIG ID and is designed to be:
- Idempotent (safe to run multiple times),
- Non-destructive,
- Fully documented,
- Tested on a Windows 11 lab VM,
- Aligned with DISA STIG compliance requirements,
- Easy to automate (e.g., via SCCM, Intune, GPO Startup Scripts, Ansible, or Vulnerability Management workflows).
All scripts include:
- Comment-based help (`.SYNOPSIS` block) with authorship metadata
- STIG-ID mapping
- Usage examples
- Verification steps where applicable
Each script follows the naming convention:
`WN11-<STIG-ID>_<friendly-description>.ps1`
Example:
`WN11-CC-000391_disabled-ie11.ps1`
Audit policy scripts (WN11-AU):
| STIG ID | Script | Description |
|---|---|---|
| WN11-AU-000005 | WN11-AU-000005_credential-validation.ps1 | Audit Credential Validation – success & failure |
| WN11-AU-000070 | WN11-AU-000070_logon-failures.ps1 | Audit Logon – failure |
| WN11-AU-000075 | WN11-AU-000075_logon-successes.ps1 | Audit Logon – success |
| WN11-AU-000081 | WN11-AU-000081_file-share-failures.ps1 | Audit File Share – failure |
| WN11-AU-000082 | WN11-AU-000082_file-share-successes.ps1 | Audit File Share – success |
| WN11-AU-000500 | WN11-AU-000500_max-event-log-size-32768kb.ps1 | Configure maximum Event Log size to 32768 KB |
All AU scripts also enable the subcategory-auditing prerequisite (WN11-SO-000030, audit policy subcategory settings override category settings), since per-subcategory `auditpol` settings are not effective without it.
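The following is an added example of what a script written to the conventions above looks like; it is not one of the repository's scripts and is not the author's code. It remediates WN11-AU-000005 (Credential Validation, success and failure) in the idempotent check-then-set style the list above describes, enables the WN11-SO-000030 prerequisite first, and finishes with a verification step. It assumes the standard registry value for WN11-SO-000030 (`SCENoApplyLegacyAuditPolicy` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`) and the CSV output format of `auditpol /get /r`.

```powershell
<#
.SYNOPSIS
    WN11-AU-000005 - Audit Credential Validation (Success and Failure).
.DESCRIPTION
    Added example (not one of the repository's scripts). Pattern: enable the
    WN11-SO-000030 prerequisite, read the current audit setting, change it only
    when non-compliant, then verify. Re-running on a compliant host changes nothing.
.NOTES
    Requires an elevated PowerShell session.
#>
#Requires -RunAsAdministrator

$StigId      = 'WN11-AU-000005'
$Subcategory = 'Credential Validation'
$Required    = 'Success and Failure'

# WN11-SO-000030: force audit policy subcategory settings to override category settings.
# Without this, category-level policy can silently undo per-subcategory auditpol settings.
$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$LsaName = 'SCENoApplyLegacyAuditPolicy'
$lsaValue = (Get-ItemProperty -Path $LsaKey -Name $LsaName -ErrorAction SilentlyContinue).$LsaName
if ($lsaValue -ne 1) {
    Set-ItemProperty -Path $LsaKey -Name $LsaName -Value 1 -Type DWord
    Write-Host "[$StigId] Enabled $LsaName (WN11-SO-000030)."
} else {
    Write-Host "[$StigId] $LsaName already enabled (WN11-SO-000030)."
}

function Get-AuditSetting {
    # Reads one subcategory via 'auditpol /get /r' (CSV) and returns the
    # 'Inclusion Setting' column, e.g. 'No Auditing' or 'Success and Failure'.
    param([string]$Name)
    $row = auditpol /get /subcategory:"$Name" /r |
        Where-Object { $_ -ne '' } |
        ConvertFrom-Csv
    return $row.'Inclusion Setting'
}

$before = Get-AuditSetting -Name $Subcategory
if ($before -eq $Required) {
    Write-Host "[$StigId] Already compliant: '$Subcategory' = '$before'. No change made."
} else {
    auditpol /set /subcategory:"$Subcategory" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "[$StigId] auditpol /set failed with exit code $LASTEXITCODE"
    }
    Write-Host "[$StigId] Changed '$Subcategory': '$before' -> '$Required'."
}

# Verification: fail loudly rather than report success on a host that is still non-compliant.
$after = Get-AuditSetting -Name $Subcategory
if ($after -ne $Required) {
    throw "[$StigId] Verification failed: '$Subcategory' is '$after', expected '$Required'"
}
Write-Host "[$StigId] Verified: '$Subcategory' = '$after'."
```

The `throw` on a failed verification is deliberate: a non-zero exit is what an SCCM, Intune or Ansible job needs in order to report the remediation as failed instead of silently marking the host compliant.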
Computer configuration scripts (WN11-CC):
| STIG ID | Script | Description |
|---|---|---|
| WN11-CC-000020 | WN11-CC-000020_ipv6-routing-protection.ps1 | Enforce highest IPv6 source routing protection |
| WN11-CC-000040 | WN11-CC-000040_disabled_smb_logons.ps1 | Disable insecure SMB guest logons |
| WN11-CC-000100 | WN11-CC-000100_disabled-print-packages-over-http.ps1 | Disable downloading printer drivers via HTTP |
| WN11-CC-000315 | WN11-CC-000315_disabled-always-install-with-elevated-privileges.ps1 | Disable Windows Installer "always install with elevated privileges" |
| WN11-CC-000391 | WN11-CC-000391_disabled-ie11.ps1 | Disable legacy Internet Explorer 11 |
Security options scripts (WN11-SO):
| STIG ID | Script | Description |
|---|---|---|
| WN11-SO-000070 | WN11-SO-000070_machine_locked_after_15_minutes_inactivity.ps1 | Lock workstation after 15 minutes of inactivity |
User rights assignment scripts (WN11-UR):
| STIG ID | Script | Description |
|---|---|---|
| WN11-UR-000160 | WN11-UR-000160_only-admins-restore-files.ps1 | Restrict "Restore files and directories" privilege to Administrators |
Run any script from an elevated PowerShell session (the remediations write to HKLM, audit policy and user rights, so administrator rights are required):
```
PS C:\> .\WN11-CC-000391_disabled-ie11.ps1
```
If script execution is blocked by the local execution policy, launch it with `powershell.exe -ExecutionPolicy Bypass -File .\WN11-CC-000391_disabled-ie11.ps1` instead of lowering the policy machine-wide.
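For the automation use case mentioned above (SCCM, Intune, Ansible), this added wrapper, which is not part of the repository, runs every `WN11-*.ps1` in its own directory from an elevated session, records a transcript, and exits non-zero if any script threw. It assumes the wrapper is saved under a name that does not match `WN11-*.ps1` (for example `Invoke-Wn11Remediation.ps1`) so it does not invoke itself, and it relies only on scripts signalling failure by throwing or by writing an error.

```powershell
# Added example (not part of the repository): batch-run the WN11-* remediation scripts.
# Save as e.g. Invoke-Wn11Remediation.ps1 next to the scripts; requires an elevated session.
#Requires -RunAsAdministrator

# Treat non-terminating errors inside the child scripts as failures of that script.
$ErrorActionPreference = 'Stop'

$ScriptRoot = if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }
$LogPath = Join-Path $ScriptRoot ("stig-remediation-{0:yyyyMMdd-HHmmss}.log" -f (Get-Date))
Start-Transcript -Path $LogPath | Out-Null

$results = foreach ($script in Get-ChildItem -Path $ScriptRoot -Filter 'WN11-*.ps1' | Sort-Object Name) {
    # Naming convention WN11-<STIG-ID>_<friendly-description>.ps1: the STIG ID is
    # everything before the first underscore.
    $stigId = ($script.BaseName -split '_', 2)[0]
    try {
        & $script.FullName
        [pscustomobject]@{ StigId = $stigId; Script = $script.Name; Status = 'OK'; Error = $null }
    } catch {
        [pscustomobject]@{ StigId = $stigId; Script = $script.Name; Status = 'FAILED'; Error = $_.Exception.Message }
    }
}

Stop-Transcript | Out-Null
$results | Format-Table -AutoSize

# Non-zero exit code so the calling job (SCCM/Intune/Ansible) flags the host for follow-up.
if ($results.Status -contains 'FAILED') { exit 1 }
exit 0
```

The transcript captures each script's own `Write-Host` verification output alongside the summary table, which is the evidence a reviewer wants when a later Tenable scan still reports a finding open.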
All remediations were validated on:
- Windows 11 Pro 25H2 (lab VM)
- Fresh build, followed by a Tenable authenticated scan to confirm the findings were resolved
Bartłomiej Biskupiak