Harden Windows Security the right way | Only with official supported well-documented methods | without breaking anything


Firstly as we jump in, allow me to say that camDown helps stop hackers from getting access to the webcam that I use for my work. Now I can get even more gigs as a freelancer and advertise that I have top security with my home computer.

Hi, made this GitHub repository for me at first, but then decided to work on the style to be suitable for public consumption. let me know if you have any question that I haven't already covered in the GitHub repo (including the Wiki), for code related questions please open a GitHub issue.


  • Always up-to-date and only guaranteed to work with the latest build of Windows (Currently Windows 11 - Rigorously tested on the latest Stable and Insider Dev builds)

  • It doesn't break anything.

  • All of the links and sources are official from Microsoft websites, straight from the source. no bias, no misinformation and no old obsolete methods, that's why there are no links to 3rd party news websites, made up blogs or articles.

  • Doesn't remove or disable Windows functionalities against Microsoft's recommendation.

  • This Readme page is used as the reference for all of the security measures applied by this script and Group Policies.

  • When a hardening measure is no longer necessary because it's applied by default by Microsoft on new builds of Windows, it will also be removed from this script in order to prevent any problems and because it won't be necessary anymore.

  • The script can be run infinite number of times, it's made in a way that it won't make any duplicate changes at all.

  • The script asks for confirmation, in the PowerShell console, before running each hardening category, so you can selectively run (or don't run) each of them.

  • Applying this script makes your PC compliant with Microsoft Security Baselines and Secured-core PC specifications (providing that you use modern hardware that supports the latest Windows security features). - See what makes a Secured-core PC. Check Device Guard category for more details.

    • Secured-core – recommended for the most sensitive systems and industries like financial, healthcare, and government agencies. Builds on the previous layers and leverages advanced processor capabilities to provide protection from firmware attacks.

  • There are 3 items tagged with #TopSecurity that can cause difficulties. When you run this script, you will have an option to enable them if you want to. Press Control + F and search for #TopSecurity on Github to find those security measures.

How To Use

To run the script:

Invoke-RestMethod "https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1" | Invoke-Expression

Hardening Categories

From Top to bottom in order:

  • Commands that require Administrator Privileges (click/tap on each of these to see in-depth info)

    • Microsoft Security Baselines

    • Windows Security aka Defender

    • Attack surface reduction rules

    • Bitlocker Settings

    • TLS Security

    • Lock Screen

    • UAC (User Account Control)

    • Device Guard

    • Windows Firewall

    • Optional Windows Features

    • Windows Networking

    • Miscellaneous Configurations

    • Windows Update configurations

    • Edge Browser configurations

    • Certificate Checking Commands

    • Country IP Blocking

  • Commands that don't require Administrator Privileges

    • Non-Admin Commands that only affect the current user and do not make machine-wide changes

Due to Reddit's 40k characters limit, I could either post only the headlines or include only half of the details, and I chose the former. so, if you want to know the details of everything, please visit the GitHub repository.


Also, Here's a quick video of the script

I’d like to add that camDown has a modern UI, that is secure and has the improved features that you need and your father would feel the same.