Hardening Windows 11 - updated
Windows 11 is not hardened by default. By that I mean simply that it is not fully secure after you install it, sign in to your Microsoft account, install your apps and get the hell on with it.
If you are running Windows 11 Home, you're a little out of luck; you should try for the Professional version.
So how do you harden it? Well, corporations have things like domain controllers, and those using Microsoft 365 have things like Intune to deploy what is called Group Policy. You have this on your Windows 11 Professional setup too, but it's all left at the defaults.
The way I did it is a little complicated but doable, as long as you're not trying to deploy it to lots of Windows 11 devices, and it requires physical access to those devices. For remote deployment I will need a Microsoft Live Response script, which is still bouncing around in my head at the moment.
First of all, we need to figure out what we need to change in Group Policy to harden it to "best practices", and whose best practices at that. I chose Microsoft's.
Solution: sign up with Microsoft 365, buy a license for Microsoft Endpoint for Business (about $7 a month per user; we need just one license) and install it on your test system. After about 24 hours, maybe quicker, you will see in the Microsoft Security Portal a list of recommendations for the device.
Now you don't need to do this, but I found it fast and dynamic, and the manual methods take time and more reading, and well, nobody has the time anymore.
With the list of recommendations you need to be realistic. Some of the recommendations are for cutting-edge hardware, and some would make end users' lives a nightmare. This, I am afraid, requires some experience, so it's not for the novice.
Each recommendation will provide you with a solution to apply via Group Policy. Now, not all of these Group Policy administrative templates come on a clean machine. You need to hunt down the Group Policy templates and install them on your prototype device.
For the moment let's stick to seeing what we can apply without installing additional templates.
Follow the instructions given on the portal and slowly apply the templates via group policy. If you can't find one, you're missing the template, make a note of it and move on.
Now a quick note on ASR (attack surface reduction): it's important. It's also a pain in the butt if you have gamers in the house running mods and games in Steam. Still, turn it on, but you will need to educate the gamer on how to set exceptions.
With a little work, you will end up with a Group Policy that hardens up your prototype device, and your security score in the Microsoft Security Portal will improve.
So, when you're satisfied, how do you deploy it to your other Windows 11 systems?
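To see what the "educate the gamer" part looks like in practice, here is an added PowerShell example (not from the original post) that lists which ASR rules are configured on the machine and how each one is set, and then adds an exclusion scoped to a single mod folder rather than to a whole game library. The Defender cmdlets and their parameters are the real ones; the folder path is a placeholder assumption.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Reports ASR rule state via Get-MpPreference
# and adds a narrowly scoped ASR-only exclusion. The mods path below is a placeholder.

# Defender stores ASR actions as integers; these are the documented meanings.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Get-MpPreference exposes rule IDs and their actions as two parallel arrays.
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        [pscustomobject]@{
            RuleId = $ids[$i]
            Action = $ActionNames[[int]$acts[$i]]
        }
    }
}

function Add-AsrExclusion {
    param([Parameter(Mandatory)][string]$Path)
    # Exclude only the mod folder, never the Steam root or a whole drive, so the
    # rules keep protecting everything else on the box.
    if (-not (Test-Path -Path $Path -PathType Container)) {
        throw "Folder not found: $Path"
    }
    # If ASR exclusions are managed by Group Policy, the policy wins; in that case put
    # the exclusion into the same ASR policy on the prototype device instead.
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $Path
    (Get-MpPreference).AttackSurfaceReductionOnlyExclusions
}

# Show the current rule set first so you can see what is in Block, Audit or Warn mode.
Get-AsrRuleState | Format-Table -AutoSize

# Placeholder path (assumption): adjust to the actual mods folder before running.
# Add-AsrExclusion -Path 'D:\SteamLibrary\steamapps\common\SomeGame\Mods'
```

Running the report before and after a game breaks is the quickest way to tell whether ASR was the culprit: a rule in Block mode that matches the mod loader's behaviour will show up in the Defender event log, and the exclusion above only needs to cover the folder that rule trips on.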
It is explained here

The LGPO tool is located here.
Now, the LGPO tool will take the Group Policy that you created and back it up to, say, a USB device; you then import it into your other devices and apply it.
1. To back up the policy from the template device:
   a. `LGPO.exe /b <path> /n "Default Policy"` (general form)
   b. `LGPO.exe /b d:/Policy /n "Default Policy"` (example: backing up to a USB drive mounted as D:)
2. To deploy the policy on a target device:
   a. `LGPO.exe /g C:\GPOBackups /v > lgpo.out 2> lgpo.err` (general form; `/v` is verbose, and normal output and errors are captured in the two files)
   b. `LGPO.exe /g d:/Policy/GPO /v > lgpo.out 2> lgpo.err` (example: reading the backup from the same USB drive)
Obviously, you need to extract LGPO from the zip archive and fiddle a bit with its location and so on to ensure you are navigating to the correct directory in the command prompt, but you get the idea from the commands above.
Once you import the policy on all the other Windows devices you can either reboot or run the `gpupdate /force` command. I recommend the reboot option, especially if you have decided to deploy Microsoft Defender for Business across your other machines as well.
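The two LGPO commands plus the gpupdate step are easy to get wrong by hand on the third or fourth machine, so here is an added PowerShell wrapper (not from the original post, and not part of the LGPO tool itself) that runs the backup on the template device and the import on a target, checks LGPO's exit code, keeps the `lgpo.out` and `lgpo.err` files next to the backup, and confirms that a machine policy actually landed before calling `gpupdate /force`. Only the `/b`, `/g`, `/n` and `/v` switches already shown above are used. The LGPO.exe location and the `D:\Policy` folder are assumptions; adjust them to wherever you extracted the tool and mounted the USB stick.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): wraps the LGPO.exe /b and /g commands
# above. $LgpoExe and $PolicyDir are placeholder assumptions, not values from the post.
$LgpoExe    = 'D:\LGPO\LGPO.exe'   # assumed: where LGPO.zip was extracted
$PolicyDir  = 'D:\Policy'          # assumed: backup folder on the USB stick
$PolicyName = 'Default Policy'

function Backup-LocalPolicy {
    # Template device: LGPO.exe /b <path> /n "<name>" exports the local GPO.
    if (-not (Test-Path $LgpoExe)) { throw "LGPO.exe not found at $LgpoExe" }
    New-Item -ItemType Directory -Path $PolicyDir -Force | Out-Null
    & $LgpoExe /b $PolicyDir /n $PolicyName
    if ($LASTEXITCODE -ne 0) { throw "LGPO backup failed with exit code $LASTEXITCODE" }
    # LGPO writes one GUID-named subfolder per backup; list it so you know what to copy.
    Get-ChildItem -Path $PolicyDir -Directory | Select-Object FullName, LastWriteTime
}

function Import-LocalPolicy {
    # Target device: LGPO.exe /g <backup path> /v, with stdout/stderr captured in the
    # same two files the post redirects to.
    if (-not (Test-Path $LgpoExe)) { throw "LGPO.exe not found at $LgpoExe" }
    if (-not (Test-Path $PolicyDir)) { throw "Backup folder not found: $PolicyDir" }
    $out = Join-Path $PolicyDir 'lgpo.out'
    $err = Join-Path $PolicyDir 'lgpo.err'
    $proc = Start-Process -FilePath $LgpoExe `
        -ArgumentList @('/g', "`"$PolicyDir`"", '/v') `
        -RedirectStandardOutput $out -RedirectStandardError $err `
        -NoNewWindow -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        throw "LGPO import failed with exit code $($proc.ExitCode); see $err"
    }
    if ((Get-Item $err).Length -gt 0) {
        Write-Warning "LGPO reported problems during import:"
        Get-Content $err
    }
    # Sanity check: imported machine settings land in this Registry.pol file.
    $pol = Join-Path $env:windir 'System32\GroupPolicy\Machine\Registry.pol'
    if (-not (Test-Path $pol)) {
        Write-Warning "No $pol after import; the backup folder may not contain a GPO."
    }
    gpupdate.exe /force
    Write-Host 'Policy imported. Reboot to be sure every setting takes effect.'
}

# Usage: run Backup-LocalPolicy on the prototype, then Import-LocalPolicy on each target.
```

Checking the `lgpo.err` file and the presence of `Registry.pol` is what turns "it ran" into "it applied": a typo in the backup path makes LGPO exit quietly with nothing imported, and `gpupdate /force` then happily reports success against an empty local policy.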
What to do if you stuff up
Perfectly normal; I do this all the time. How do you undo what you have done if you make a mistake? Unless you have a memory like an elephant you can't simply reverse the policy, so go off to a search engine, consult an AI, or delete the lot and start again. How? See below.
To quickly remove all Group Policy settings on Windows 11 and reset them to default without reinstalling, follow these steps:
1. **Delete Group Policy Folders**:
- Open File Explorer and navigate to `C:\Windows\System32`.
- Locate and delete the folders named `GroupPolicy` and `GroupPolicyUsers`. (If only one exists, delete that one.)
2. **Force Group Policy Update**:
- Open Command Prompt as Administrator.
- Run the command: `gpupdate /force`.
3. **Restart Your Computer**:
- Reboot your system to ensure all changes take effect.
This method removes all active Group Policy settings and resets them to their default state.
There are lots of steps, and I have not stated where you get the additional administrative templates from. But if you're reading this and considering it, you will know how to find them and install them. Note you only need to install the additional templates on your prototype device. The Group Policy will apply on your other devices without the templates needing to be installed.
This method works, does not require expensive Microsoft licenses and has brought my security score up to around the 90 percent mark, with a few exceptions set tenant-wide, which I will have to review in a year.
Because these are set by Group Policy you will also have fewer issues with the Microsoft Security Portal than if you set them the old way using the Registry Editor, or even PowerShell.
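The three reset steps above are destructive, so here is an added PowerShell version (not from the original post) that does the same thing but first exports the current local policy with `LGPO.exe /b`, so "delete the lot and start again" still leaves you a copy to re-import with `LGPO.exe /g` if the reset turns out to be the mistake. It also only deletes the `GroupPolicy` and `GroupPolicyUsers` folders that actually exist, as the steps say. The LGPO.exe location and the backup folder are placeholder assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): the manual reset steps as a function,
# with a pre-reset LGPO backup as a safety net. Paths below are placeholder assumptions.
$LgpoExe   = 'D:\LGPO\LGPO.exe'                                        # assumed
$BackupDir = "D:\Policy\before-reset-$(Get-Date -Format 'yyyyMMdd-HHmmss')"  # assumed

function Reset-LocalPolicy {
    # 0. Safety net: export the current local GPO so it can be restored with /g later.
    if (Test-Path $LgpoExe) {
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        & $LgpoExe /b $BackupDir /n 'Before reset'
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Pre-reset backup failed (exit $LASTEXITCODE); continuing without one."
        }
    } else {
        Write-Warning "LGPO.exe not found at $LgpoExe; no pre-reset backup taken."
    }

    # 1. Delete the local policy folders, skipping any that are not present.
    $system32 = Join-Path $env:windir 'System32'
    foreach ($name in 'GroupPolicy', 'GroupPolicyUsers') {
        $dir = Join-Path $system32 $name
        if (Test-Path $dir) {
            Remove-Item -Path $dir -Recurse -Force
            "Removed $dir"
        } else {
            "$dir not present, skipped"
        }
    }

    # 2. Force a policy refresh so the now-empty local policy is processed.
    gpupdate.exe /force

    # 3. The reboot is left to you, as in the manual steps.
    "Reset done. Reboot to finish. Pre-reset backup (if taken) is in $BackupDir"
}

# Usage: Reset-LocalPolicy
```

The backup folder name carries a timestamp so repeated resets do not overwrite each other, and if you later want the old policy back it is the same `LGPO.exe /g <folder> /v` import used for deployment.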
It worked for me.
#enoughsaid