Skip to content

Home

Jump to bottom
Michael Rasmussen edited this page Feb 27, 2026 · 33 revisions

What Is PowerSTIG

PowerSTIG is a PowerShell module published to the PowerShell Gallery and updated on a quarterly cadence. It provides PowerShell DSC composite resources for applying DISA STIG security baselines.

When you use PowerSTIG, you work with high-level DSC resources (for example, WindowsClient, DotNetFramework, Edge) instead of manually authoring individual STIG rules.

Learn More

Install PowerSTIG

PowerSTIG is published on PowerShell Gallery.

Steps

  1. Open PowerShell ISE or a PowerShell prompt as Administrator (PowerShell v5).

  2. Install the module:

    Install-Module -Name PowerStig

  3. If prompted about an untrusted repository, select Yes.

  4. Confirm the install path:

    C:\Program Files\WindowsPowerShell\Modules\PowerSTIG

  5. Validate the install:

    Get-DscResource -Module PowerStig

Once installed, you can compile DSC configurations that reference PowerSTIG resources.

Install Screenshots

Install command example: Install PowerStig

Untrusted repository prompt: Untrusted Repo

Installed module location example: Module Location

Validation command output example: Get-DscResource

PowerSTIG Composite Resources

Each supported product in PowerSTIG is represented by a DSC composite resource.

For example, support for the Windows 11 Client STIG is exposed through the WindowsClient resource.

Example

Configuration PowerStig
{
    Import-DscResource -ModuleName PowerStig -ModuleVersion 4.28.0

    WindowsClient 11Baseline
    {
        StigVersion = "2.5"
        OsVersion   = "11"
    }
}

. PowerStig -OutputPath "c:\class\mof"

This compiles a MOF file to the output path. The MOF can then be applied to enforce the selected STIG baseline.

You can include multiple resources in one configuration (for example, WindowsClient + Edge + Adobe).

MOF Inspection Tool

There is also a .NET UI utility for viewing MOF files created with PowerSTIG.

The executable is not code signed, so it carries Mark of the Web metadata. Windows may show a warning when launching it.

If you want to avoid this warning entirely, compile and publish the solution yourself.

Version Alignment Requirements

The module version in -ModuleVersion must exist on the machine compiling the configuration.

Import-DscResource -ModuleName PowerSTIG -ModuleVersion 4.28.0

If that version is not installed, install it or update your configuration to a version that is present.

Selecting the Correct StigVersion

The StigVersion for a resource (for example, WindowsClient) must match STIG data available in the installed PowerSTIG module.

For example, with PowerSTIG 4.28.0, inspect:

C:\Program Files\WindowsPowerShell\Modules\PowerSTIG\4.28.0\StigData\Processed\

With each PowerSTIG version, the version directory changes. Next version is 4.29.0 and so on.

If multiple versions of a DSC resource are available (for example, v2.4 and v2.5), use the latest approved version for your environment.

For more information about working With PowerSTIG versions:

How Composite Resources Are Used

Composite resources expose a focused set of properties you populate in your DSC configuration.

To view available technologies and versions:

Import-Module PowerStig
Get-Stig -ListAvailable

Example output for WindowsClient (Windows 11 shown):

Technology        : WindowsClient
TechnologyVersion : 11
TechnologyRole    : 
Version           : 2.4
RuleList          : {}

Technology        : WindowsClient
TechnologyVersion : 11
TechnologyRole    : 
Version           : 2.5
RuleList          : {}

In your configuration, you would enter either 2.4 or 2.5 When the configuration runs:

  1. PowerShell compiles the configuration.
  2. A MOF file is generated (localhost.mof or <NodeName>.mof).
  3. DSC applies the resulting resource definitions to the target node.

Example Configuration (with Node and PSDscResources)

Configuration PowerStig
{
    Import-DscResource -ModuleName PowerStig -ModuleVersion 4.27.0
    Import-DscResource -ModuleName PSDscResources -ModuleVersion 2.12.0.0

    Node localhost
    {
        WindowsClient 11-Baseline
        {
            StigVersion = "2.4"
            OsVersion   = "11"
        }
    }
}

. PowerStig -OutputPath "c:\someFolder"

Two notable items in this example:

  • PSDscResources provides standard DSC resources and is only needed when your configuration uses them.
  • Node {} defines the target node and controls MOF naming (localhost.mof or <NodeName>.mof).

Processed STIG Data and MOF Generation

PowerSTIG ships with pre-processed STIG XML data files that drive resource generation.

Example path for Windows 11 STIG v2.5 in PowerSTIG 4.28.0:

C:\Program Files\WindowsPowerShell\Modules\PowerSTIG\4.28.0\StigData\Processed\WindowsClient-11-2.5.xml

A rule entry in the processed XML includes a dscresource attribute that indicates which DSC resource implementation will enforce that setting during MOF generation.

Current process:

  • DISA releases updated STIG content.
  • PowerSTIG converts XCCDF source into DSC-friendly XML.
  • Converted XML is added to StigData\Processed and used during MOF compilation.

For a full list of supported products, see Supported STIGs.

Windows 11 with .NET Example

Configuration PowerStig
{
    Import-DscResource -ModuleName PowerStig -ModuleVersion 4.27.0
    Import-DscResource -ModuleName PSDscResources -ModuleVersion 2.12.0.0

    Node localhost
    {
        WindowsClient 11Baseline
        {
            StigVersion = "2.4"
            OsVersion   = "11"
            SkipRule    = 'V-253261', 'V-253445'
        }

        DotNetFramework 4-Baseline
        {
            StigVersion      = "2.7"
            FrameworkVersion = "4"
        }
    }
}

. PowerStig -OutputPath "c:\someFolder"

This produces localhost.mof containing settings for both Windows 11 and .NET baselines.

External Reference

PowerStig

Clone this wiki locally