A standalone PowerShell auditing tool for Windows 10 and 11 endpoints, originally built to give defenders a single-pass view of where a workstation actually sits against the frameworks the business has to answer to. No Microsoft Graph, no Azure AD module, no internet connection required — it leans on dsregcmd, the registry, WMI/CIM, and local tooling, so it runs cleanly on a freshly-imaged laptop with nothing more than an elevated PowerShell prompt.
At a glance
- 800+ security checks across 90 audit categories, mapped to specific control IDs
- 12 frameworks in one pass — CIS L1, CIS L2, Cyber Essentials, Cyber Essentials Plus, NCSC, Entra ID / M365, UK MoD DCC L2 and L3, with cross-references to NIST SP 800-53 Rev 5, ISO 27001:2022, PCI-DSS v4.0, and DISA STIG
- Five output formats generated on every run — plain-text report, CSV for SIEM/GRC, structured JSON, interactive self-contained HTML, and a CycloneDX 1.5 SBOM
- Zero external dependencies — self-contained PowerShell 5.1+, runs on Entra-joined, hybrid-joined, or standalone devices
- Released under GPLv3
What it covers
The 90 audit sections range across the obvious Windows hardening areas — password policy, account lockout, RDP, local accounts, the firewall, patch management, SMBv1, AutoRun, UAC, BitLocker, Secure Boot, PowerShell logging, application control, audit policy, Defender configuration, credential protection, and screen lock — and extend through to areas defenders frequently miss on a build review.
Those include attack-surface reduction rules, kernel DMA protection, LAPS deployment, Windows Defender Application Guard, RPC and DCOM hardening, scheduled-task ACLs, certificate-store hygiene, driver and firmware security (vulnerable driver blocklist, HVCI, unsigned drivers), local privilege-escalation risk (unquoted service paths, AlwaysInstallElevated, world-writable PATH directories, writable SYSTEM service executables), DNS-over-HTTPS, LLMNR / NetBIOS / mDNS, Wi-Fi auto-connect, SMB client signing, browser policy validation for Chrome, Firefox, and Edge, and backup and recovery readiness (Volume Shadow Copy, System Restore, OneDrive Known Folder Move, recovery partition).
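As an added illustration of the local privilege-escalation checks listed above (this is example code written for this page, not the project's own audit.ps1), two read-only audit functions: one that lists services whose image path contains spaces but is not quoted, and one that reports AlwaysInstallElevated only when both the machine and user policy values are set. The PASS/FAIL/Severity/Detail object shape is an assumption made for the example.

```powershell
# Added example, not the project's code: two local privilege-escalation checks
# of the kind a build review looks for, written as read-only audit functions.
# Requires Windows PowerShell 5.1+ in an elevated session. ASCII-only.

function Get-UnquotedServicePath {
    # The Service Control Manager resolves an unquoted ImagePath with spaces
    # segment by segment, so a writable earlier segment lets a standard user
    # plant a binary that runs with the service account. Paths under
    # %SystemRoot% are excluded because that tree is not user-writable.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName -notmatch '^"' -and
            $_.PathName -notmatch '^[A-Za-z]:\\Windows\\' -and
            ($_.PathName -split '\.exe', 2)[0] -match ' '
        } |
        ForEach-Object {
            [pscustomobject]@{
                Check    = 'Unquoted service path'
                Result   = 'FAIL'
                Severity = 'High'
                Detail   = "$($_.Name) ($($_.StartMode), runs as $($_.StartName)): $($_.PathName)"
            }
        }
}

function Test-AlwaysInstallElevated {
    # Only dangerous when BOTH the HKLM and HKCU values are 1: any MSI a
    # standard user launches is then installed as SYSTEM.
    $base = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $hklm = (Get-ItemProperty -Path "HKLM:\$base" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    $hkcu = (Get-ItemProperty -Path "HKCU:\$base" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    $enabled = ($hklm -eq 1) -and ($hkcu -eq 1)
    [pscustomobject]@{
        Check    = 'AlwaysInstallElevated'
        Result   = if ($enabled) { 'FAIL' } else { 'PASS' }
        Severity = 'High'
        Detail   = "HKLM=$(if ($null -eq $hklm) { 'absent' } else { $hklm }) HKCU=$(if ($null -eq $hkcu) { 'absent' } else { $hkcu })"
    }
}

function Invoke-LocalPrivEscChecks {
    # Emit one row per finding, or a single PASS row when nothing was found.
    $unquoted = @(Get-UnquotedServicePath)
    if ($unquoted.Count -eq 0) {
        [pscustomobject]@{
            Check    = 'Unquoted service path'
            Result   = 'PASS'
            Severity = 'High'
            Detail   = 'No unquoted service paths outside %SystemRoot%'
        }
    } else {
        $unquoted
    }
    Test-AlwaysInstallElevated
}

Invoke-LocalPrivEscChecks | Format-Table -AutoSize -Wrap
```

Both functions only read service metadata and policy values; remediation (quoting the path, clearing the policy value) is deliberately left to a separate, confirmable step so an audit run never changes the host.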
Entra-aware checks
Cloud-managed controls are contextually adjusted on Entra-joined devices so that you don’t get a wall of false FAILs when password policy, account lockout, or the local Administrators group are governed by Conditional Access, Intune, or Entra rather than by local Group Policy. Section 27 onwards covers Entra device identity, Intune / MDM enrolment, Windows Hello for Business, Microsoft Defender for Endpoint, Microsoft 365 / Office security, and Conditional Access posture.
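To show how a "contextually adjusted" verdict can be derived without Graph or the Azure AD module, here is an added example (not the project's code) that parses the join state from dsregcmd /status and downgrades a local-policy FAIL to a WARN when the device is Entra-joined and MDM-enrolled. The list of cloud-governed control names and the result object shape are assumptions for the example; the AzureAdJoined, DomainJoined and MdmUrl fields are what dsregcmd prints.

```powershell
# Added example, not the project's code: derive the device join state from
# dsregcmd /status and adjust local-policy verdicts accordingly.
# Windows PowerShell 5.1+; dsregcmd.exe ships with Windows 10/11.

function Get-DeviceJoinState {
    # dsregcmd prints "Key : Value" lines; keep only the fields we need.
    # Defaults cover a standalone device where a field is not printed.
    $state = @{ AzureAdJoined = 'NO'; DomainJoined = 'NO'; MdmUrl = '' }
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|MdmUrl)\s*:\s*(.*)$') {
            $state[$Matches[1]] = $Matches[2].Trim()
        }
    }
    [pscustomobject]$state
}

function Set-CloudManagedVerdict {
    # Downgrade FAIL to WARN for controls that Intune / Entra govern on an
    # Entra-joined, MDM-enrolled device. The control names below are an
    # assumed subset chosen for the example.
    param(
        [Parameter(ValueFromPipeline = $true)] $Result,
        [Parameter(Mandatory = $true)] $JoinState
    )
    process {
        $cloudManaged  = ($JoinState.AzureAdJoined -eq 'YES') -and ($JoinState.MdmUrl -ne '')
        $cloudControls = 'Password policy', 'Account lockout', 'Local Administrators group'
        if ($cloudManaged -and $Result.Result -eq 'FAIL' -and ($cloudControls -contains $Result.Check)) {
            $Result.Result  = 'WARN'
            $Result.Detail += ' (device is Entra-joined and MDM-enrolled; verify this control in Intune / Conditional Access)'
        }
        $Result
    }
}

# Constructed sample result, as a local Group Policy check would produce it.
$sample = [pscustomobject]@{
    Check    = 'Password policy'
    Result   = 'FAIL'
    Severity = 'High'
    Detail   = 'Minimum password length is 0'
}

$sample | Set-CloudManagedVerdict -JoinState (Get-DeviceJoinState) | Format-List
```

The downgrade is to WARN rather than PASS on purpose: the local value really is weak, and the report should still prompt someone to confirm that the cloud policy covers it.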
Application patch currency and CVE awareness
Section 80 inventories installed desktop applications and checks them against a companion known-vulnerabilities.json database of known critical and high-severity CVEs. The database is maintained via Update-KnownVulnerabilities.ps1, which queries the NIST NVD API v2.0 for severity and minimum safe versions and the CISA KEV catalogue for actively exploited vulnerabilities. KEV-flagged items are highlighted as ACTIVELY EXPLOITED in the report with the CISA remediation due date and ransomware association metadata for priority triage.
Custom organisation checks
Section 81 loads organisation-specific rules from custom-checks.json without modifying the main script. Supported types include registry value checks (with eq, ne, ge, le, gt, lt, exists, not_exists), Windows service status and startup type, and file/directory presence or absence. Each rule carries its own severity, framework label, and remediation string, so bespoke controls land in the same report as the standard frameworks.
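The following is an added example of the kind of rule evaluator Section 81 describes; it is not the project's code, and the JSON schema used here is constructed for illustration rather than the real custom-checks.json format (the repository README documents that). It covers the three rule types named above, the eight registry operators, and carries severity, framework and remediation through to the result row.

```powershell
# Added example, not the project's code: a minimal rule engine over a
# constructed JSON rule set whose schema is assumed for this example.
# Windows PowerShell 5.1+. ASCII-only.

$SampleRules = @'
[
  { "id": "ORG-001", "type": "registry", "severity": "High", "framework": "Org baseline",
    "path": "HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\System",
    "name": "EnableSmartScreen", "operator": "eq", "value": 1,
    "remediation": "Enable Configure Windows Defender SmartScreen under File Explorer policy" },
  { "id": "ORG-002", "type": "service", "severity": "Medium", "framework": "Org baseline",
    "name": "Spooler", "status": "Stopped", "startType": "Disabled",
    "remediation": "Disable the Print Spooler service on hosts that do not print" },
  { "id": "ORG-003", "type": "file", "severity": "Critical", "framework": "Org baseline",
    "path": "C:\\Program Files\\ExampleCorp\\edr-agent.exe", "mustExist": true,
    "remediation": "Deploy the endpoint agent via Intune" }
]
'@

function New-Result {
    param($Rule, [bool]$Pass, [string]$Detail)
    [pscustomobject]@{
        Id          = $Rule.id
        Result      = if ($Pass) { 'PASS' } else { 'FAIL' }
        Severity    = $Rule.severity
        Framework   = $Rule.framework
        Detail      = $Detail
        Remediation = if ($Pass) { '' } else { $Rule.remediation }
    }
}

function Test-RegistryRule {
    param($Rule)
    # Missing key or missing value name both count as "not exists".
    $item   = Get-ItemProperty -Path $Rule.path -Name $Rule.name -ErrorAction SilentlyContinue
    $exists = $null -ne $item
    $actual = if ($exists) { $item.($Rule.name) } else { $null }
    $pass = switch ($Rule.operator) {
        'exists'     { $exists }
        'not_exists' { -not $exists }
        'eq'         { $exists -and ($actual -eq $Rule.value) }
        'ne'         { $exists -and ($actual -ne $Rule.value) }
        'ge'         { $exists -and ($actual -ge $Rule.value) }
        'le'         { $exists -and ($actual -le $Rule.value) }
        'gt'         { $exists -and ($actual -gt $Rule.value) }
        'lt'         { $exists -and ($actual -lt $Rule.value) }
        default      { throw "Rule $($Rule.id): unknown operator '$($Rule.operator)'" }
    }
    $shown = if ($exists) { $actual } else { '<absent>' }
    New-Result $Rule $pass "$($Rule.path)\$($Rule.name) = $shown"
}

function Test-ServiceRule {
    param($Rule)
    # A service that does not exist is reported as FAIL so the rule is reviewed,
    # rather than silently passing a "must be Disabled" expectation.
    $svc = Get-Service -Name $Rule.name -ErrorAction SilentlyContinue
    if (-not $svc) { return (New-Result $Rule $false "service '$($Rule.name)' not found") }
    $pass = ("$($svc.Status)" -eq $Rule.status) -and ("$($svc.StartType)" -eq $Rule.startType)
    New-Result $Rule $pass "$($Rule.name) is $($svc.Status) / $($svc.StartType)"
}

function Test-FileRule {
    param($Rule)
    $present = Test-Path -LiteralPath $Rule.path
    $state   = if ($present) { 'present' } else { 'absent' }
    New-Result $Rule ($present -eq [bool]$Rule.mustExist) "$($Rule.path) $state"
}

function Invoke-CustomChecks {
    param([string]$RuleJson)
    foreach ($rule in (ConvertFrom-Json -InputObject $RuleJson)) {
        switch ($rule.type) {
            'registry' { Test-RegistryRule $rule }
            'service'  { Test-ServiceRule  $rule }
            'file'     { Test-FileRule     $rule }
            default    { Write-Warning "Rule $($rule.id): unsupported type '$($rule.type)'" }
        }
    }
}

Invoke-CustomChecks -RuleJson $SampleRules | Format-Table -AutoSize -Wrap
```

Unknown operators throw rather than silently passing, and an unknown rule type produces a warning instead of a PASS, so a typo in the rules file surfaces in the run rather than as a quietly green control.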
Reporting
The HTML report is a self-contained file with inline CSS and JavaScript, SVG doughnut charts per framework, sortable and filterable results tables, collapsible sections, and browser print-to-PDF. The JSON export carries metadata, framework scores, the section scorecard, compliance verdicts, full result detail with compliance mappings, and remediation guidance — designed for ingestion into SIEM, GRC, or dashboard tooling. The CSV export adds a ComplianceMappings column so a single row can be cross-referenced against any of the mapped standards.
Every report includes an executive summary with overall risk rating, severity-weighted compliance score (Critical ×3, High ×2, Medium ×1), Top 5 Risks, and Quick Wins; a per-framework score dashboard with progress bars; a section scorecard across all 90 sections; and a per-framework PASS/FAIL/WARN listing. Failed controls are tagged with severity and a one-line remediation drawn from the companion remediation.json file.
Delta comparison and drift detection
Pass a previous JSON export with -PreviousReport to get a “Changes Since Last Audit” view — score deltas, resolved items, regressions, and new failures. Combined with -Monitor, the script registers a Windows Scheduled Task (daily or weekly), auto-locates the previous report, and writes drift alerts to the Windows Event Log under source OTY-Audit, ID 1001, so a SIEM can pick up regressions without polling.
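As an added example covering both the severity-weighted score from the Reporting section (Critical x3, High x2, Medium x1) and the drift computation described here, the block below compares two constructed JSON exports, classifies each control as a regression, a resolved item or a new failure, and raises a Windows Event Log entry under source OTY-Audit with event ID 1001 when anything regressed. It is not the project's code: the export shape (a results array of Id/Severity/Result objects) and the exact score formula are assumptions made for this example; the event source and ID are the ones the tool documents.

```powershell
# Added example, not the project's code: delta comparison, severity-weighted
# score and a drift alert written to the Application log.
# Windows PowerShell 5.1+; registering the event source needs elevation.

# Constructed sample exports (shape assumed for this example).
$Previous = @'
{ "results": [
  { "Id": "CIS-1.1.1", "Severity": "High",     "Result": "PASS" },
  { "Id": "CIS-2.3.7", "Severity": "Critical", "Result": "FAIL" },
  { "Id": "CE-SMB1",   "Severity": "Critical", "Result": "PASS" }
] }
'@
$Current = @'
{ "results": [
  { "Id": "CIS-1.1.1", "Severity": "High",     "Result": "FAIL" },
  { "Id": "CIS-2.3.7", "Severity": "Critical", "Result": "PASS" },
  { "Id": "CE-SMB1",   "Severity": "Critical", "Result": "PASS" },
  { "Id": "ORG-004",   "Severity": "Medium",   "Result": "FAIL" }
] }
'@

function Get-WeightedScore {
    # Severity-weighted compliance: Critical x3, High x2, Medium x1. Any other
    # severity is weighted 1 and WARN rows are left out of both sides of the
    # ratio; both of those are assumptions made for this example.
    param($Results)
    $weight = @{ Critical = 3; High = 2; Medium = 1 }
    $earned = 0; $possible = 0
    foreach ($r in $Results) {
        if ($r.Result -notin 'PASS', 'FAIL') { continue }
        $w = if ($weight.ContainsKey($r.Severity)) { $weight[$r.Severity] } else { 1 }
        $possible += $w
        if ($r.Result -eq 'PASS') { $earned += $w }
    }
    if ($possible -eq 0) { return 0 }
    [math]::Round(100 * $earned / $possible, 1)
}

function Compare-AuditRun {
    param([string]$PreviousJson, [string]$CurrentJson)
    $prev = (ConvertFrom-Json -InputObject $PreviousJson).results
    $curr = (ConvertFrom-Json -InputObject $CurrentJson).results
    $prevById = @{}
    foreach ($r in $prev) { $prevById[$r.Id] = $r.Result }

    $regressions = @(); $resolved = @(); $newFailures = @()
    foreach ($r in $curr) {
        $old = $prevById[$r.Id]
        if ($null -eq $old) {
            # Control did not exist in the previous run.
            if ($r.Result -eq 'FAIL') { $newFailures += $r.Id }
            continue
        }
        if ($old -eq 'PASS' -and $r.Result -eq 'FAIL') { $regressions += $r.Id }
        if ($old -eq 'FAIL' -and $r.Result -eq 'PASS') { $resolved    += $r.Id }
    }
    [pscustomobject]@{
        PreviousScore = Get-WeightedScore $prev
        CurrentScore  = Get-WeightedScore $curr
        Regressions   = $regressions
        Resolved      = $resolved
        NewFailures   = $newFailures
    }
}

function Write-DriftAlert {
    # One Warning event per run that a SIEM forwarder can pick up; no event
    # is written when nothing regressed and nothing new failed.
    param($Delta)
    if ($Delta.Regressions.Count -eq 0 -and $Delta.NewFailures.Count -eq 0) { return }
    if (-not [System.Diagnostics.EventLog]::SourceExists('OTY-Audit')) {
        New-EventLog -LogName Application -Source 'OTY-Audit'
    }
    $msg = "Audit drift: score $($Delta.PreviousScore) -> $($Delta.CurrentScore). " +
           "Regressions: $($Delta.Regressions -join ', '). New failures: $($Delta.NewFailures -join ', ')"
    Write-EventLog -LogName Application -Source 'OTY-Audit' -EventId 1001 -EntryType Warning -Message $msg
}

$delta = Compare-AuditRun -PreviousJson $Previous -CurrentJson $Current
$delta | Format-List
Write-DriftAlert $delta
```

Note that the overall score can rise while a regression still occurs (here a Critical fix outweighs a High regression), which is exactly why the alert keys off the regression and new-failure lists rather than the score delta.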
Remediation automation
-Remediate runs in dry-run mode by default and reports what would change. Adding -Confirm applies registry-based fixes for auto-remediable failures, and -RemediateMinSeverity (Critical / High / Medium) bounds which severity bands are eligible for automatic remediation. A remediation log is written alongside the audit outputs.
Fleet auditing
The companion Invoke-FleetAudit.ps1 runs the audit across multiple Windows hosts via PowerShell Remoting with a connectivity pre-check, parallel execution with throttling, per-host JSON results, a fleet summary JSON, and an aggregated HTML dashboard showing per-host scores, the most common failures across the fleet, and per-framework compliance rates.
Quick start
Clone or download the repository, then run audit.ps1 in an elevated PowerShell session:
git clone https://github.com/pbassill/win-11-build-audit.git
cd win-11-build-audit
.\audit.ps1
Use -Audit ce (or cis1, cis2, ncsc, entra, dcc2, dcc3) to focus a single framework. Run without -Audit for the full pass.
Source and licence
Full source, the README, the framework mapping file, and the vulnerability database are on GitHub: github.com/pbassill/win-11-build-audit. Issues and pull requests are welcome — the only style rule is ASCII-only PowerShell so the script keeps working under Windows PowerShell 5.1.
Released under the GNU General Public License v3.0.
Author: Peter Bassill — UK Cyber Defence.