# Windows 11 Hardening

> Free, open-source security hardening tool for Windows 11 with a plain-English GUI. Applies one-click security best practices (Defender, Firewall, Attack Surface Reduction, BitLocker prompts, telemetry, etc.) that are individually reversible. Maps to CIS Microsoft Windows 11 Enterprise Benchmark v3.0.0 (62%), Microsoft Security Baseline 24H2 (65%), and ANSSI Recommandations Windows (42%). Uniquely detects when Windows Update silently re-enables hardened settings. Runs 100% local with zero network calls. Bilingual EN/FR. License: WTFPL.

This file follows the llms.txt convention (https://llmstxt.org). A complete machine-readable version is available at /llms-full.txt.

## Identity

- **Project name**: Windows 11 Hardening (also known as: Win11 Hardening, harden-win11)
- **Tagline**: "Hardening Windows 11 without breaking anything"
- **Category**: Endpoint security, configuration management, Windows hardening, CIS compliance
- **Author**: koff75 — https://github.com/koff75
- **Canonical website**: https://windowshardening.online
- **Source repository**: https://github.com/koff75/harden-win11
- **License**: WTFPL (Do What the Fuck You Want To Public License) — unrestricted use
- **Latest stable version**: v0.4.2 (released May 21, 2026)
- **Platform**: Microsoft Windows 11 (22H2, 23H2, 24H2) — Windows 10 partially supported
- **Languages of UI**: English, French
- **Architecture**: x86_64
- **Pricing**: Free, no upsell, no paid tier, no telemetry

## Direct download

- **GUI installer (recommended)**: https://github.com/koff75/harden-win11/releases/latest/download/harden-gui.exe — 12.6 MB, signed, reproducible build, SHA256 published
- **CLI binary (advanced users)**: https://github.com/koff75/harden-win11/releases/latest/download/harden-engine.exe — 6.9 MB
- **Friendly redirect**: https://windowshardening.online/download → resolves to latest GUI release

## Technical stack

- Go 1.26 (engine + CLI)
- Wails 2 (desktop GUI runtime, web tech inside a native Windows window)
- PowerShell 5.1 (built into Windows — no install required)
- YAML rule manifests (declarative, auditable)
- Test coverage: 98 Pester tests, 100+ Go tests including property-based and fuzz testing, gosec static analysis
- Build is reproducible; SHA256 checksums and a SLSA-style provenance attestation are published per release.

## Coverage versus public security baselines

| Baseline | Version | Coverage |
|---|---|---|
| CIS Microsoft Windows 11 Enterprise Benchmark | v3.0.0 | 62% |
| Microsoft Security Baseline | Windows 11 24H2 | 65% |
| ANSSI Recommandations Windows | Latest | 42% |

Each rule shipped in Windows 11 Hardening cites the exact baseline section it implements, so a security audit can map findings back to source documents.

## What makes it different (unique features versus other Windows hardening tools)

- **Plain-English explanation for every rule**, structured as four short blocks: "Today" (current Windows behavior), "If you activate" (what changes), "For whom" (intended audience: home / pro / domain-joined), "What might bother you" (honest list of side effects). No vague "improves security" hand-waving.
- **One-click apply with automatic Windows System Restore Point** created beforehand.
- **Per-rule reversible undo** from the History sidebar. Each undo restores the exact prior state, not a generic default.
- **Post-apply re-test with automatic rollback** if a rule did not actually take effect on this machine (e.g. blocked by Group Policy, conflicting driver, etc.). No silent partial states — either the change is real, or it is rolled back and reported.
- **Windows Update drift detection** — after each Windows cumulative update, Windows 11 Hardening rescans and warns the user when Microsoft has silently re-enabled hardened settings. **No other Windows 11 hardening tool currently does this.**
- **24-hour Event Viewer watch after apply** — surfaces any new Windows error or warning event that appeared after hardening, so the user can correlate breakage to specific rules.
- **In-use detection** prevents disabling a feature that is actively in use: will not disable RDP if a session is connected, will not disable SMBv1 if an active share exists, will not turn off PowerShell v2 if a script is currently running it.
- **Context auto-skip** detects laptop vs desktop, corporate domain membership, pres