CompositeResources
This page explains how PowerSTIG composite resources map to DISA STIG content and how those resources compile into MOF files.
Each supported product in PowerSTIG is represented by a DSC composite resource. For a list of supported products, see Supported STIGs.
For example, support for the Windows 11 Client STIG is exposed through the WindowsClient resource.
```powershell
Configuration PowerStig
{
    Import-DscResource -ModuleName PowerStig -ModuleVersion 4.28.0

    WindowsClient 11Baseline
    {
        StigVersion = "2.5"
        OsVersion   = "11"
    }
}

. PowerStig -OutputPath "c:\class\mof"
```

The following list explains each part of the example configuration and compile command.
- Configuration: Required DSC keyword that starts a configuration definition.
- PowerStig: Arbitrary name of the configuration; you run this name to compile MOF output.
- Import-DscResource: Imports the DSC resources your configuration uses; the module version should match the PowerSTIG version installed.
- WindowsClient: The DSC resource type used in this configuration; one resource can produce many automated STIG rule settings.
- 11Baseline: Resource instance name (a label you choose for this specific resource block).
- StigVersion: The STIG release version to apply (for example, 2.5).
- OsVersion: The target OS version for the selected STIG data (for example, 11).
- . PowerStig -OutputPath c:\someFolder: Runs the configuration and writes compiled MOF files to the specified output path. The leading period (.) is required.
The above script compiles a MOF file to the output path. The MOF file can then be applied to enforce the included STIG baseline. To see how to apply a MOF file to an endpoint, see Applying Configurations.
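The following script is an added example (not code from the PowerSTIG wiki or the PowerSTIG project) that compiles the configuration shown above and then summarises what the resulting MOF will enforce before it is applied anywhere. It assumes PowerSTIG 4.28.0 is installed, that the PowerStig configuration has already been defined in the current session, and that PowerSTIG embeds the STIG rule ID (V-nnnnnn) in each resource name; the Get-MofResourceSummary helper is hypothetical.

```powershell
# Added example, not from the PowerSTIG wiki: compile the configuration defined above
# and report what the compiled MOF contains before it is pushed to any endpoint.
# Assumes PowerSTIG 4.28.0 is installed and the PowerStig configuration is already loaded.

$outputPath = 'c:\class\mof'

# Compile: DSC writes one .mof per node (localhost.mof when no Node block is used)
# and returns a FileInfo object for each file it produced.
$mofFiles = . PowerStig -OutputPath $outputPath

# Hypothetical helper: count the DSC resource instances in a compiled MOF by type.
# Every resource in a DSC MOF carries a ResourceID of the form "[Type]Name".
function Get-MofResourceSummary {
    param([Parameter(Mandatory)][string] $Path)

    $instances = @(Select-String -Path $Path -Pattern 'ResourceID\s*=\s*"\[(?<type>[^\]]+)\](?<name>[^"]*)"' |
        ForEach-Object {
            [pscustomobject]@{
                Type = $_.Matches[0].Groups['type'].Value
                Name = $_.Matches[0].Groups['name'].Value
            }
        })

    # Assumption: PowerSTIG embeds the STIG rule ID (V-nnnnnn) in each resource name,
    # so the number of distinct IDs approximates how many STIG rules the MOF covers.
    $ruleIds = @($instances.Name |
        ForEach-Object { [regex]::Matches($_, 'V-\d+') } |
        ForEach-Object { $_.Value } |
        Sort-Object -Unique)

    [pscustomobject]@{
        Mof            = Split-Path -Leaf $Path
        TotalResources = $instances.Count
        DistinctRules  = $ruleIds.Count
        # One "Type=Count" entry per resource type, most common first.
        ByType         = $instances | Group-Object -Property Type | Sort-Object Count -Descending |
                             ForEach-Object { '{0}={1}' -f $_.Name, $_.Count }
    }
}

foreach ($mof in $mofFiles) {
    Get-MofResourceSummary -Path $mof.FullName
}
```

Reviewing the summary against the STIG release you intended to apply (right rule count, only the resource types you expect, such as Registry, AccountPolicy or AuditPolicy) is a cheap check that the configuration picked up the StigVersion and OsVersion you meant, and it gives you a baseline to diff against when you move to a newer STIG release.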
You can include multiple DSC resources in one configuration (for example, WindowsClient, Edge, and Adobe). You can also mix PowerSTIG composite resources (such as WindowsClient) with built-in PowerShell DSC resources (such as Registry).
There is also a .NET UI utility for viewing MOF files created with PowerSTIG.
- GitHub Page: Mof Inspector
- Download: Mof Inspector x64
The executable is not code signed, so it carries Mark of the Web metadata. Windows may show a warning when launching it.
If you want to avoid this warning entirely, compile and publish the solution yourself.
The module version in -ModuleVersion must exist on the machine compiling the configuration.
```powershell
Import-DscResource -ModuleName PowerSTIG -ModuleVersion 4.28.0
```

If that version is not installed, install it or update your configuration to a version that is present.
The StigVersion for a resource (for example, WindowsClient) must match STIG data available in the installed PowerSTIG module.
For example, with PowerSTIG 4.28.0, inspect:
```
C:\Program Files\WindowsPowerShell\Modules\PowerSTIG\4.28.0\StigData\Processed\
```
With each PowerSTIG release, the module path changes (for example, 4.28.0, 4.29.0, and so on).
If multiple versions of a DSC resource are available (for example, v2.4 and v2.5), use the latest approved version for your environment.
For more information about working with PowerSTIG versions:
Composite resources expose a focused set of properties you populate in your DSC configuration.
To view available technologies and versions:
```powershell
Import-Module PowerStig
Get-Stig -Technology WindowsClient
```

Example output for WindowsClient (Windows 11 shown):

```
Technology        : WindowsClient
TechnologyVersion : 11
TechnologyRole    :
Version           : 2.4
RuleList          : {}

Technology        : WindowsClient
TechnologyVersion : 11
TechnologyRole    :
Version           : 2.5
RuleList          : {}
```

In your configuration, use one of the available versions shown above (for example, 2.4 or 2.5).
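The function below is an added example (not code from the PowerSTIG wiki or the PowerSTIG project) that turns the version checks described in the preceding paragraphs into a preflight step run before compiling: it confirms that the PowerSTIG version named in Import-DscResource is installed, that the requested StigVersion appears in the Get-Stig output for that technology, and that the matching processed XML file exists. It assumes Get-Stig -Technology returns objects with the TechnologyVersion, TechnologyRole and Version properties shown above and that processed files are named Technology-TechnologyVersion[-TechnologyRole]-StigVersion.xml; Test-PowerStigRequest is a hypothetical name.

```powershell
# Added example, not from the PowerSTIG wiki: fail fast with a clear message when the
# module version or STIG version in a configuration does not match what is installed.
function Test-PowerStigRequest {
    param(
        [Parameter(Mandatory)][version] $ModuleVersion,      # value used in Import-DscResource
        [Parameter(Mandatory)][string]  $Technology,         # e.g. WindowsClient
        [Parameter(Mandatory)][string]  $TechnologyVersion,  # e.g. 11
        [Parameter(Mandatory)][string]  $StigVersion,        # e.g. 2.5
        [string] $TechnologyRole                             # e.g. DC or MS for WindowsServer, otherwise empty
    )

    # 1. The exact module version named in Import-DscResource must be present on this machine.
    $module = Get-Module -ListAvailable -Name PowerSTIG |
        Where-Object { $_.Version -eq $ModuleVersion }
    if (-not $module) {
        $installed = ((Get-Module -ListAvailable -Name PowerSTIG).Version | ForEach-Object { "$_" }) -join ', '
        throw "PowerSTIG $ModuleVersion is not installed (installed versions: $installed)."
    }

    # 2. The requested STIG version must be one that this module's Get-Stig reports.
    Import-Module -Name PowerSTIG -RequiredVersion $ModuleVersion -ErrorAction Stop
    $available = @(Get-Stig -Technology $Technology |
        Where-Object {
            "$($_.TechnologyVersion)" -eq $TechnologyVersion -and
            "$($_.TechnologyRole)"    -eq $TechnologyRole
        } |
        ForEach-Object { "$($_.Version)" })

    if ($StigVersion -notin $available) {
        throw "$Technology $TechnologyVersion $TechnologyRole STIG $StigVersion is not in PowerSTIG $ModuleVersion (available: $($available -join ', '))."
    }

    # 3. Cross-check the processed data file the resource will load (file-name layout is an assumption).
    $nameParts = @($Technology, $TechnologyVersion) + @($TechnologyRole | Where-Object { $_ }) + @($StigVersion)
    $xmlPath   = Join-Path $module.ModuleBase ('StigData\Processed\{0}.xml' -f ($nameParts -join '-'))
    if (-not (Test-Path -Path $xmlPath)) {
        throw "Processed STIG data file not found: $xmlPath"
    }

    # Warn when a newer release of the same STIG ships in this module, so the choice
    # of an older version is deliberate rather than accidental.
    $newest = $available | Sort-Object { [version]$_ } -Descending | Select-Object -First 1
    if ([version]$newest -gt [version]$StigVersion) {
        Write-Warning "A newer $Technology $TechnologyVersion STIG ($newest) is available; confirm $StigVersion is the approved version for your environment."
    }

    [pscustomobject]@{
        ModulePath  = $module.ModuleBase
        StigXmlPath = $xmlPath
        Available   = $available
    }
}

# Matches the WindowsClient example configuration on this page.
Test-PowerStigRequest -ModuleVersion '4.28.0' -Technology WindowsClient -TechnologyVersion '11' -StigVersion '2.5'
```

Running this in the same script that compiles the MOF means a build pipeline stops on a missing module or retired STIG version with a message that names the problem, instead of failing later inside Import-DscResource or silently compiling against the wrong data.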
When the configuration runs:
- PowerShell compiles the configuration.
- A MOF file is generated (localhost.mof or <NodeName>.mof).
- This MOF file can then be applied to endpoints; see Applying MOFs for more info.
```powershell
Configuration PowerStig
{
    Import-DscResource -ModuleName PowerStig -ModuleVersion 4.27.0
    Import-DscResource -ModuleName PSDscResources -ModuleVersion 2.12.0.0

    Node localhost
    {
        WindowsClient 11Baseline
        {
            StigVersion = "2.4"
            OsVersion   = "11"
        }
    }
}

. PowerStig -OutputPath "c:\someFolder"
```

Two notable items in this example:
- PSDscResources provides standard DSC resources and is only needed when your configuration uses them. Standard DSC resources include items like Registry, WindowsFeature, File, etc.
- Node {} defines the target node and controls MOF naming (localhost.mof or <NodeName>.mof).
PowerSTIG ships with pre-processed STIG XML data files that drive resource generation.
Example path for Windows 11 STIG v2.5 in PowerSTIG 4.28.0:
```
C:\Program Files\WindowsPowerShell\Modules\PowerSTIG\4.28.0\StigData\Processed\WindowsClient-11-2.5.xml
```
A rule entry in the processed XML includes a dscresource attribute that indicates which DSC resource implementation will enforce that setting during MOF generation.
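The script below is an added example (not code from the PowerSTIG wiki or the PowerSTIG project) that reads the processed XML file at the path shown above and reports how many rules each DSC resource implementation will enforce, then looks up individual rules by ID, which is the check to make before excluding a rule with SkipRule as in the later example on this page. The dscresource attribute is documented above; that each rule is an element carrying id, title and severity attributes inside a rule-type container element is an assumption about the processed file layout, and Get-StigRuleCoverage and Get-StigRuleById are hypothetical names.

```powershell
# Added example, not from the PowerSTIG wiki: inspect a processed STIG XML file to see
# which DSC resource enforces each rule, and look up single rules by STIG ID.
# Assumes the PowerSTIG 4.28.0 path shown above; attribute names other than dscresource
# are assumptions about the file layout.

$stigXml = 'C:\Program Files\WindowsPowerShell\Modules\PowerSTIG\4.28.0\StigData\Processed\WindowsClient-11-2.5.xml'

function Get-StigRuleCoverage {
    param([Parameter(Mandatory)][string] $Path)

    [xml] $stig = Get-Content -Path $Path -Raw

    # Select every rule element, whichever rule-type container it sits in.
    $rules = @($stig.SelectNodes('//*[@id and @dscresource]'))

    $rules | Group-Object -Property { $_.dscresource } | Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                DscResource = $_.Name
                RuleCount   = $_.Count
                # The parent element name is the PowerSTIG rule type (for example RegistryRule).
                RuleTypes   = ($_.Group | ForEach-Object { $_.ParentNode.LocalName } | Sort-Object -Unique) -join ', '
            }
        }
}

function Get-StigRuleById {
    param(
        [Parameter(Mandatory)][string] $Path,
        [Parameter(Mandatory)][string] $Id    # e.g. V-253261
    )

    [xml] $stig = Get-Content -Path $Path -Raw
    $rule = $stig.SelectSingleNode("//*[@id='$Id']")
    if (-not $rule) { throw "Rule $Id not found in $Path" }

    [pscustomobject]@{
        Id          = $rule.id
        RuleType    = $rule.ParentNode.LocalName
        DscResource = $rule.dscresource
        Severity    = $rule.severity
        Title       = $rule.title
    }
}

# Coverage overview: how much of this STIG release is automated, and by which resources.
Get-StigRuleCoverage -Path $stigXml

# The two rules skipped in the SkipRule example on this page: confirm what each one
# enforces before excluding it, and record the justification next to the configuration.
'V-253261', 'V-253445' | ForEach-Object { Get-StigRuleById -Path $stigXml -Id $_ }
```

Keeping the output of Get-StigRuleCoverage for each release you adopt gives you a record of which rules were automated when, so a change in rule count between two PowerSTIG versions can be traced to the converted XML rather than to your configuration.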
Current process:
- DISA releases updated STIG content.
- PowerSTIG converts XCCDF source into DSC-friendly XML.
- Converted XML is added to StigData\Processed and used during MOF compilation.
For a full list of supported products, see Supported STIGs.
```powershell
Configuration PowerStig
{
    Import-DscResource -ModuleName PowerStig -ModuleVersion 4.27.0
    Import-DscResource -ModuleName PSDscResources -ModuleVersion 2.12.0.0

    Node localhost
    {
        WindowsClient 11Baseline
        {
            StigVersion = "2.4"
            OsVersion   = "11"
            SkipRule    = 'V-253261', 'V-253445'
        }

        DotNetFramework 4Baseline
        {
            StigVersion      = "2.7"
            FrameworkVersion = "4"
        }
    }
}

. PowerStig -OutputPath "c:\someFolder"
```

This produces localhost.mof containing settings for both the Windows 11 and .NET baselines.