Harden Windows Safely, Securely using Officially Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md
What's Changed
- Full offline capability added. The new `-Offline` parameter makes the cmdlet run without contacting Microsoft servers or GitHub: it does not check for updates and does not download any files. In this mode you must supply three additional parameters with the local paths to the Microsoft Security Baseline, the Microsoft 365 Apps for Enterprise security baseline and LGPO, each as the `.zip` archive exactly as downloaded from the Microsoft Security Compliance Toolkit. The parameters validate the selected `.zip` files to make sure they contain the expected content, so a wrong or mixed-up download is caught before anything is applied. Pressing the Tab key on one of these parameters opens a file picker GUI so you can browse for the archives graphically.
- Detailed logging, activated by the new `-Log` parameter. When `-Log` is used, the `-LogPath` parameter becomes available for choosing the name and location of the log file; without it, the log is written to the current working directory under a dynamically generated name that includes the current date and time.
- Added the block remote image load exploit mitigation to the following PPL (Protected Process Light) processes: Csrss.exe, Services.exe and Lsass.exe. It stops these processes from loading DLLs from network locations such as SMB or WebDAV shares. This is proactive defense in depth rather than a fix for a known exposure: an attacker would already need administrator privileges to get one of these processes to load a DLL of their choosing, so the mitigation removes an avenue that is only reachable after a compromise. More PPLs will be added once they have been tested enough.
- Improved the verbose messages. Using `-Verbose` together with `-Log` is highly recommended, since the verbose stream is what gives the log file its detail.
- Added execution time calculation to the log file, so you can see how long the `Protect-WindowsSecurity` cmdlet took to run.
- Updated the module documentation.
- Bumped the minimum required PowerShell version to 7.4.1.
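The following is an added example, not code from the Harden-Windows-Security module or this release. It strings the items above together the way an administrator would type them: a pre-flight check that the three Security Compliance Toolkit `.zip` files are the right archives (a deliberately minimal stand-in for the module's own validation, not a copy of it), the `-Offline` run with `-Log`, `-LogPath` and `-Verbose`, and a read-back of the remote image load mitigation on the three PPL processes. The file paths are placeholders, the archive markers are my own choice, and the parameter names `-PathToMSFTSecurityBaselines`, `-PathToMSFT365AppsSecurityBaselines` and `-PathToLGPO` are not given on this page and are assumptions to be confirmed with `Get-Help Protect-WindowsSecurity -Full`.

```powershell
#Requires -Version 7.4.1
#Requires -RunAsAdministrator
# Added example; not the module's code. Parameter names and paths are assumptions.
using namespace System.IO.Compression

# Placeholder paths: point these at the archives as downloaded from the
# Microsoft Security Compliance Toolkit, without extracting them.
$Baselines = @{
    SecurityBaseline = 'C:\Downloads\Windows 11 v23H2 Security Baseline.zip'
    M365AppsBaseline = 'C:\Downloads\Microsoft 365 Apps for Enterprise Security Baseline.zip'
    LGPO             = 'C:\Downloads\LGPO.zip'
}

# One entry each archive must contain to be the right download. The baselines
# ship their GPO backups under a GPOs folder; the LGPO archive carries LGPO.exe,
# the tool that imports them. These markers are my minimal check, not the
# module's validation rules.
$ExpectedEntry = @{
    SecurityBaseline = 'GPOs/'
    M365AppsBaseline = 'GPOs/'
    LGPO             = 'LGPO.exe'
}

function Test-BaselineZip {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Marker
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Missing file: $Path"
    }
    if ([IO.Path]::GetExtension($Path) -ne '.zip') {
        throw "Not a .zip archive: $Path"
    }
    $Archive = [ZipFile]::OpenRead($Path)
    try {
        # Entry names inside a zip use '/', and the marker may sit under a
        # top-level folder, so match anywhere in the full entry path.
        $Hit = $Archive.Entries | Where-Object { $_.FullName -like "*$Marker*" } | Select-Object -First 1
        if (-not $Hit) {
            throw "Archive '$Path' does not contain '$Marker'. Wrong download for this parameter?"
        }
    }
    finally {
        $Archive.Dispose()
    }
}

foreach ($Key in $Baselines.Keys) {
    Test-BaselineZip -Path $Baselines[$Key] -Marker $ExpectedEntry[$Key]
}

# Offline run with an explicit log path. -Verbose is what puts the detailed
# step messages into the log; -Log alone records far less.
$LogFile = Join-Path $env:USERPROFILE ('Harden-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))
$OfflineArgs = @{
    Offline                            = $true
    PathToMSFTSecurityBaselines        = $Baselines.SecurityBaseline   # assumed parameter name
    PathToMSFT365AppsSecurityBaselines = $Baselines.M365AppsBaseline   # assumed parameter name
    PathToLGPO                         = $Baselines.LGPO               # assumed parameter name
    Log                                = $true
    LogPath                            = $LogFile
    Verbose                            = $true
}
Protect-WindowsSecurity @OfflineArgs

# Read back the mitigation on the three PPL processes named in the release notes.
# Get-ProcessMitigation -Name reports the policy configured for that executable
# name (ON / OFF / NOTSET); NOTSET means the system default applies.
foreach ($Proc in 'csrss.exe', 'services.exe', 'lsass.exe') {
    $Mitigation = Get-ProcessMitigation -Name $Proc
    [pscustomobject]@{
        Process               = $Proc
        BlockRemoteImageLoads = $Mitigation.ImageLoad.BlockRemoteImageLoads
    }
}
```

The marker check is intentionally coarse: it distinguishes the three archive types from each other and from an unrelated zip, which is the mistake the module's validation exists to catch, but it does not verify the download's integrity. Check the archives' hashes against Microsoft's published values separately if that matters in your environment, and expect the read-back to show `ON` for BlockRemoteImageLoads on all three processes after the run.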