From winsentinel --audit to Compliant in 20 Minutes

A step-by-step walkthrough: install, audit, fix, verify. We take a real machine from 68/100 to 94/100 in under 20 minutes.

Let's do this for real. Fresh Windows 11 Pro machine, default settings, a few months of accumulated drift. Starting score: 68/100 (Grade D).

Minute 0–2: Install and first scan

dotnet tool install --global WinSentinel.Cli
winsentinel --audit --json > baseline.json
winsentinel --score

Output:

Score: 68/100 (Grade D)
Critical: 3 | Warning: 8 | Info: 5

Minute 2–5: Fix critical findings

The three critical findings on this machine:

Windows Defender real-time protection disabled — Someone turned it off to install a game mod months ago. Fix: Set-MpPreference -DisableRealtimeMonitoring $false
Windows Firewall (Public) disabled — Happened during network troubleshooting. Fix: Set-NetFirewallProfile -Profile Public -Enabled True
UAC set to Never Notify — "Those popups are annoying." Fix: registry edit to restore default level.

Or just: winsentinel --fix --severity critical — the CLI handles all three with elevation prompts.

Minute 5–12: Address warnings

Warnings are real risks that aren't actively exploitable right now:

Windows Update 47 days behind → trigger update
Guest account enabled → net user Guest /active:no
RDP enabled, NLA off → enable NLA in System Properties
AutoRun enabled → registry fix
PowerShell Unrestricted → Set-ExecutionPolicy RemoteSigned
SMBv1 enabled → Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
No BitLocker on C: → enable via Control Panel (takes 5 min background)
LLMNR enabled → group policy or registry

Minute 12–15: Re-scan

winsentinel --score

Output:

Score: 91/100 (Grade A)
Critical: 0 | Warning: 1 | Info: 4

The remaining warning is BitLocker still encrypting in the background. The info items are cosmetic (telemetry settings, advertising ID).

Minute 15–20: Lock it in

# Export a compliance snapshot
winsentinel export --json > compliant-2026-05-27.json

# Set up weekly monitoring (free)
winsentinel schedule create --cadence weekly --time 09:00 --day MON

Done. 68 → 91 in under 20 minutes. No enterprise license, no agent install, no cloud dependency. Just a CLI and real Windows APIs.

Install WinSentinel and see where your machine stands.