TickYouOff

Microsoft Windows 11 STIG Compliance Checklist

Hard 18 items · 4 hours
testuser Published 1 month ago

This checklist helps IT administrators and security teams implement and validate the Microsoft Windows 11 STIG (Ver 2, Rel 7). It groups essential discovery, deployment, hardening, testing, and maintenance tasks to achieve and sustain compliance across managed Windows 11 systems.

Source: https://ncp.nist.gov/checklist/1028

  1. Gather STIG resources from DISA — Collect official resources, downloads, and guidance before changes.
  2. Download SCAP 1.3 content — Get SCAP 1.3 Benchmark (Microsoft Windows 11 STIG Ver 2, Rel 7).
  3. Download standalone XCCDF files — Fetch XCCDF for Chef and standalone XCCDF versions for automation.
  4. Download Intune policies — Obtain the Intune Policy package (latest update included).
  5. Download Group Policy Objects (GPOs) — Grab provided GPOs (January 2026 or latest) for domain systems.
  6. Download SCC automated content — Download SCC/SCCM automated content (e.g., SCC 5.14 Windows).
  7. Review STIG and SRG to map controls to systems — Identify which requirements apply to Enterprise vs Professional.
  8. Inventory target systems and editions — Document domain-joined vs standalone, OS editions, and hardware (TPM).
  9. Apply baseline Group Policy and Intune policies — Deploy and test GPOs/Intune policies in a lab before production.
  10. Configure secure boot, TPM, and enable BitLocker — Ensure device firmware settings and disk encryption are enabled.
  11. Enforce Windows Update and patch management — Apply latest patches and configure automatic update policies.
  12. Disable SMBv1 and remove unnecessary services/features — Harden systems by removing legacy protocols and unused roles.
  13. Enforce strong authentication and MFA — Require multi-factor authentication and tighten credential policies.
  14. Configure auditing, event log retention, and log forwarding — Set log retention and forward critical events to a centralized SIEM.
  15. Test STIG compliance with SCAP/XCCDF and automated scans — Run scans, compare results to the STIG benchmark, and export reports.
  16. Remediate findings and document approved exceptions — Fix issues, track mitigations, and record any formal exceptions.
  17. Maintain and track DISA updates, resource SHAs, and version changes — Monitor DISA change history and update resources when published.
  18. Submit feedback or change requests to DISA if needed — Send comments or proposed revisions to the DISA contact email.
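As an added example (not part of this checklist page or of DISA's published STIG or SCAP content), the following PowerShell script performs read-only spot checks that map to items 10, 11, 12 and 14 above: Secure Boot, TPM and BitLocker state, SMBv1 removal, Security log sizing and a sample audit subcategory, and update staleness. It is meant for a quick sanity pass before or after a full SCAP/XCCDF scan, not as a substitute for one. The log-size threshold and the 30-day update window are illustrative assumptions; take the real values from the STIG benchmark. It assumes an elevated session on Windows 11 with the BitLocker module available.

```powershell
# Added example: read-only spot checks for several hardening items in this
# checklist (Secure Boot/TPM/BitLocker, SMBv1, audit and log settings,
# update staleness). Not from the checklist page or DISA's SCAP content.
# Run in an elevated PowerShell session. Thresholds are illustrative
# assumptions, not STIG-mandated values; compare against the benchmark.
#Requires -RunAsAdministrator

$results = [System.Collections.Generic.List[object]]::new()

function Add-Check {
    param([string]$Item, [string]$Name, [bool]$Pass, [string]$Detail)
    $results.Add([pscustomobject]@{ Item = $Item; Check = $Name; Pass = $Pass; Detail = $Detail })
}

# Item 10: Secure Boot, TPM, BitLocker on the OS volume
try {
    $sb = Confirm-SecureBootUEFI
    Add-Check '10' 'Secure Boot enabled' $sb "Confirm-SecureBootUEFI returned $sb"
} catch {
    # Legacy BIOS systems throw here; treat as a failed check
    Add-Check '10' 'Secure Boot enabled' $false "Not UEFI or query failed: $($_.Exception.Message)"
}

$tpm = Get-Tpm
Add-Check '10' 'TPM present and ready' ($tpm.TpmPresent -and $tpm.TpmReady) `
    "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"

$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
Add-Check '10' 'BitLocker protection On for OS drive' ($osVol.ProtectionStatus -eq 'On') `
    "ProtectionStatus=$($osVol.ProtectionStatus) Method=$($osVol.EncryptionMethod)"

# Item 12: SMBv1 optional feature not enabled and server-side SMB1 disabled
$smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Add-Check '12' 'SMB1Protocol feature not enabled' ($smb1Feature.State -ne 'Enabled') "State=$($smb1Feature.State)"

$smbCfg = Get-SmbServerConfiguration
Add-Check '12' 'SMB server SMB1 disabled' (-not $smbCfg.EnableSMB1Protocol) "EnableSMB1Protocol=$($smbCfg.EnableSMB1Protocol)"

# Item 14: Security event log maximum size and one sample audit subcategory
$secLog = Get-WinEvent -ListLog Security
$minKB = 32768   # assumption for illustration; use the size the STIG specifies
Add-Check '14' "Security log max size >= $minKB KB" (($secLog.MaximumSizeInBytes / 1KB) -ge $minKB) `
    "MaximumSizeInBytes=$($secLog.MaximumSizeInBytes)"

# auditpol prints a text table (localized); look for the Logon subcategory's setting
$logonAudit = (auditpol /get /subcategory:"Logon" 2>$null) -join ' '
Add-Check '14' 'Logon auditing set to Success and Failure' ($logonAudit -match 'Success and Failure') $logonAudit.Trim()

# Item 11: age of the most recently installed update as a staleness indicator
$latest = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
$daysOld = if ($latest -and $latest.InstalledOn) {
    (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
} else { $null }
Add-Check '11' 'Update installed within 30 days (assumed window)' ($null -ne $daysOld -and $daysOld -le 30) `
    "Latest=$($latest.HotFixID) InstalledOn=$($latest.InstalledOn)"

# Summarise on screen and keep a CSV alongside the SCAP report for item 16
$results | Format-Table -AutoSize
$results | Export-Csv -Path ".\win11-stig-spotcheck-$env:COMPUTERNAME.csv" -NoTypeInformation
```

Each check records the raw value it inspected so a failed row can be cross-referenced against the corresponding SCAP finding rather than re-queried by hand. The auditpol match relies on the English setting text, so on localised systems compare the subcategory output directly.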