Is Windows 11 hardening necessary?

Yes. A fresh Windows 11 install in 2026 still ships with SMBv1, NTLMv1, WPAD, Office macros from internet downloads, and Defender ASR rules turned off — vectors used in WannaCry, NotPetya and modern phishing campaigns.

Is this tool free and open source?

Yes. WTFPL licensed, source on GitHub, reproducible build with SHA256 published. 100% local — zero network call at runtime.

Will it break my apps?

Unlikely. The tool creates a Windows Restore Point first, detects in-use protocols (won't kill SMBv1 if an active share exists, won't disable RDP if a session is active), and automatically rolls back any rule that didn't actually take effect.

Does it work on Windows 11 Home?

Yes. Most rules work on Home and Pro. Rules that need a corporate domain are auto-skipped.

Does it require a graphical user interface or command line?

Both ship in the same release. The GUI (harden-gui.exe, 12.6 MB) is the recommended default. A CLI binary (harden-engine.exe, 6.9 MB) is provided for sysadmins who want to script applies.

Does the tool send any data over the network?

No. Zero network calls at runtime. Reproducible build, SHA256 published for each release.

v0.4.2 · open source · WTFPL · EN / FR

Windows 11 hardening in 3 clicks.
No CLI. Nothing breaks.

A free open-source desktop app that explains every Windows 11 security setting in plain English, applies them with one click, and undoes everything if you change your mind. Built on top of CIS Benchmark, Microsoft Security Baseline and ANSSI recommendations.

⬇ Download for Windows 11harden-gui.exe · 12.6 MB · v0.4.2 ★ Star on GitHubfree · open source

harden-engine.exe (CLI · 6.9 MB) All releases & ZIP bundle SHA256 checksum

62% CIS Win11 65% MS Baseline 42% ANSSI 98 Pester + 100+ Go tests 100% local · zero network call

// THE PROBLEM

A fresh Windows 11 install in 2026 still ships insecure by default.

Not opinion. Microsoft keeps these settings off for backwards compatibility. Windows 11 Hardening flips them, explains why, and lets you undo any of them individually.

Legacy protocols still ON

SMBv1, NTLMv1, WPAD — names that appear in every WannaCry / NotPetya post-mortem.

network

Telemetry & ads baked in

Advertising ID, Bing in Start menu, diagnostic data feeding Microsoft every day.

privacy

Macros auto-running

Office still trusts macros from Internet-downloaded documents by default.

phishing

Credentials caching

A single phishing email can leak your domain password through cached credentials.

creds

Defender ASR off

Microsoft's own Attack Surface Reduction rules exist — and are disabled out of the box.

defender

Windows Update drift

Cumulative updates silently re-enable settings. No other tool tells you when this happens.

unique

// HOW IT WORKS

Three steps. No PowerShell required.

Download the .exe

One-click direct download of harden-gui.exe (12.6 MB). SHA256 published next to each release. Reproducible from source with go build.

Right-click → Run as admin

No installation. No service. No registry touched until you click Apply. Delete the file = uninstalled.

Check → Apply → Done

See what's wrong, hover for plain-English explanations, click Apply. Roll back any rule anytime.

// SEE IT IN ACTION

What 3 clicks actually look like.

The GUI shows every rule with a plain-English explanation. Hover for context. Click Apply. Roll back any rule from the sidebar. No registry keys, no PowerShell, nothing to memorize.

Windows 11 Hardening main dashboard: dark theme app showing a list of security rules with checkboxes, a Check (dry-run) button, an Apply button, and a maturity score panel.

Tooltip showing the 4-line plain-English explanation for a hardening rule: Today, If you activate, For whom, What might bother you. — **Plain-English on every rule**Hover any setting. Four lines: *Today*, *If you activate*, *For whom*, *What might bother you*. Zero jargon.

Apply screen with progress bars per rule, Windows Restore Point check at top, and an in-use detection skipping RDP. — **Apply with safety belts on**Restore Point first. In-use detection (won't kill an active RDP session). Per-rule progress with a cancel button.

Maturity score panel with letter grades A, B, C, D showing how hardened the machine is and concrete next steps. — **Maturity score A / B / C / D**One letter tells you where you stand. Hover for the breakdown and the next 3 highest-impact rules to enable.

Yellow banner at the top of the app saying Windows Update reset 2 rules, click to re-apply. — **Windows Update drift detection**Microsoft cumulative updates silently re-enable settings. We notice. Banner on next boot, one click to re-apply. No other Win11 tool does this.

EN/FR language toggle in the top-right corner of the interface. — **EN / FR — one click switch**Bilingual interface including all tooltips. Built with the ANSSI ecosystem in mind, but works for anyone.

// SAFETY MODEL

Six layers of "are you sure?" before anything changes.

Most hardening tools fire and forget. This one is paranoid about your machine — by design.

Context auto-skip

Laptop? Hibernation stays on. Corporate domain? We don't rename Administrator. Rules detect their environment.

In-use detection

Active RDP session? We refuse to disable RDP. Active SMBv1 share? We refuse to kill SMBv1.

Windows Restore Point

Created automatically before any apply. One-click revert from Windows itself if everything goes south.

Pre/post snapshot

25+ critical settings captured before and after. You see exactly what changed, with diffs.

Post-apply re-test

If a setting didn't actually take effect — automatic rollback. No silent partial states.

24h Event Viewer watch

The app monitors logs for 24h. If Defender, SMB or printers start complaining, you see a banner.

// HONEST COMPARISON

How it stacks against the popular Windows hardening tools.

There are great tools out there. Most cover part of the surface — privacy or enterprise hardening, GUI or CLI. Windows 11 Hardening tries to combine plain-English UX with enterprise-grade coverage.

Feature	O&O ShutUp10++	Privatezilla	Chris Titus WinUtil	MS Security Baseline	Windows 11 Hardening
Plain-English per-rule explanation	⚠	⚠	✕	✕	✓
Defender + Firewall + ASR coverage	✕	✕	⚠	✓	✓
Reversible per individual rule	⚠	⚠	⚠	✕	✓
Auto Restore Point before apply	✓	✕	⚠	✕	✓
Post-apply re-test + auto rollback	✕	✕	✕	✕	✓
Detects Windows Update drift	✕	✕	✕	✕	✓
Mapped to CIS / ANSSI / MS	✕	✕	✕	MS only	✓
Open source	freeware	✓	✓	⚠	✓
Locale	EN/DE	EN/DE/RU	EN	EN	EN / FR

// MAPPED TO PUBLIC STANDARDS

You're not running someone's homemade ideas.

Every rule maps to a published baseline. You can verify each one against the source document.

65%

Microsoft Security Baseline

Windows 11 24H2

62%

CIS Benchmark

Win11 Enterprise · v3.0.0

42%

ANSSI

Recommandations Windows

// SHIP IT

A fresh Windows 11 deserves better defaults.

Free. Open source. 100% local. Reversible. WTFPL — do whatever you want with it.

⬇ Download for Windows 11harden-gui.exe · 12.6 MB · v0.4.2 ★ Star on GitHubfree · open source 🇫🇷 Version françaisebilingual

Windows 11 hardening in 3 clicks.No CLI. Nothing breaks.