Is your Windows machine actually configured securely? The final Cyber Essentials check
Secure configuration is the Cyber Essentials control that most businesses overlook — and it's often where assessors find the most gaps.
At Prestige Cyber Guard, we've now published free scripts for four of the five Cyber Essentials controls. This is the final one — and in many ways the most important. Secure configuration isn't about one specific setting or one piece of software. It's about the cumulative risk of a machine that's been set up, used, updated, and modified over months or years without anyone ever stepping back to ask: is this machine as locked down as it should be?
The good news is that a short PowerShell script can check the most common misconfigurations in under a minute.
What Cyber Essentials requires for secure configuration
The scheme has six clear expectations when it comes to configuration:
Guest and default accounts must be disabled or removed
Inactive user accounts must be disabled or deleted
Password policies must enforce a minimum of eight characters
AutoPlay and AutoRun must be disabled to prevent malicious USB attacks
Screen lock must be configured and require a password on resume
Unnecessary software and Windows features must be removed to reduce attack surface
Each of these sounds simple in isolation. The problem is that they're easy to miss, easy to forget, and easy to undo accidentally — a software installation enables a feature, an old employee's account never gets removed, or AutoPlay gets re-enabled after a Windows update.
Why secure configuration matters more than most people realise
Every unnecessary feature, every unused account, and every weak password is an additional way in for an attacker. Cyber Essentials uses the term "attack surface": the sum of all the different ways your machines and systems could be compromised. Secure configuration is about making that surface as small as possible.
Some specific risks worth highlighting:
The Guest account gives anyone who sits at your machine access to files and resources without needing a password. It should always be disabled.
SMBv1 is a legacy Windows file-sharing protocol with serious known vulnerabilities — it was the protocol exploited by the WannaCry ransomware attack. It's still enabled by default on some older Windows configurations.
AutoRun allows code on a USB drive to execute the moment it's plugged in. A malicious USB left in a car park and picked up by a curious employee is a real and documented attack vector.
Inactive accounts are a favourite target for attackers because they're less likely to be monitored. An old account from a former employee, still enabled, is a door that nobody is watching.
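To see how the AutoRun risk above is configured on a given machine, the following added example (not part of the original post or the Prestige Cyber Guard script) reads the Explorer AutoRun policy values without changing anything. The function name Get-AutoRunPolicy is made up for this example; NoDriveTypeAutoRun and NoAutorun are the standard Windows policy values.

```powershell
# Added example: read-only check of the Explorer AutoRun policy values.
# Get-AutoRunPolicy is a hypothetical helper name, not part of any published script.
function Get-AutoRunPolicy {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'  # machine-wide
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'  # current user
    )
    foreach ($path in $paths) {
        $p    = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        $mask = $p.NoDriveTypeAutoRun     # bitmask of drive types with AutoRun turned off
        $set  = $null -ne $mask
        [pscustomobject]@{
            Path               = $path
            NoDriveTypeAutoRun = if ($set) { '0x{0:X2}' -f $mask } else { 'not set' }
            RemovableDrivesOff = $set -and (($mask -band 0x04) -ne 0)     # 0x04 = removable (USB)
            AllDrivesOff       = $set -and (($mask -band 0xFF) -eq 0xFF)  # 0xFF = every drive type
            NoAutorun          = $p.NoAutorun -eq 1   # 1 = never run autorun.inf commands
        }
    }
}

$policy = @(Get-AutoRunPolicy)
$policy | Format-List

# $policy[0] is the machine-wide (HKLM) entry, which applies to every user.
if ($policy[0].AllDrivesOff) {
    Write-Host "[PASS] AutoRun is disabled for all drive types by machine policy" -ForegroundColor Green
} elseif ($policy.RemovableDrivesOff -contains $true) {
    Write-Host "[WARN] AutoRun is off for removable drives, but not for every drive type or every user" -ForegroundColor Yellow
} else {
    Write-Host "[WARN] No AutoRun policy covers removable drives on this machine" -ForegroundColor Yellow
}
```

A machine-wide value under HKLM applies to every user, while the HKCU value only covers the account running the check.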
The script: check your configuration in under a minute
Our free PowerShell script runs seven checks automatically, giving you a clear PASS, WARN, or FAIL on each one — with plain-English instructions on what to fix.
How to run it (no technical experience needed)
Press the Windows key on your keyboard
Type PowerShell
Right-click on "Windows PowerShell" in the results
Click "Run as administrator"
Click "Yes" if a blue permission box appears
Paste this line and press Enter:
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
Then paste the full script and press Enter
Note: The Set-ExecutionPolicy command is temporary. Because it uses -Scope Process, it only affects the current PowerShell window and resets automatically when you close it.
The script
Write-Host "=====================================================" -ForegroundColor Cyan
Write-Host " CYBER ESSENTIALS - SECURE CONFIGURATION CHECK" -ForegroundColor Cyan
Write-Host "=====================================================" -ForegroundColor Cyan

# CHECK 1: Guest account (must be disabled)
$guest = Get-LocalUser -Name "Guest" -ErrorAction SilentlyContinue
if ($guest -and $guest.Enabled) {
    Write-Host "[FAIL] Guest account is ENABLED - disable it" -ForegroundColor Red
} else {
    Write-Host "[PASS] Guest account is disabled" -ForegroundColor Green
}

# CHECK 2: Built-in Administrator (should be disabled if not needed)
$admin = Get-LocalUser -Name "Administrator" -ErrorAction SilentlyContinue
if ($admin -and $admin.Enabled) {
    Write-Host "[WARN] Built-in Administrator account is enabled - consider disabling" -ForegroundColor Yellow
} else {
    Write-Host "[PASS] Built-in Administrator account is disabled" -ForegroundColor Green
}

# CHECK 3: Inactive accounts (enabled, but no logon in the last 90 days or never)
$cutoff = (Get-Date).AddDays(-90)
Get-LocalUser | Where-Object { $_.Enabled -and $_.Name -notin @("Administrator","Guest","DefaultAccount","WDAGUtilityAccount") } | ForEach-Object {
    if ($null -eq $_.LastLogon -or $_.LastLogon -lt $cutoff) {
        Write-Host "[WARN] Account '$($_.Name)' inactive - review and disable if not needed" -ForegroundColor Yellow
    }
}

# CHECK 4: AutoPlay (per-user setting for the account running the script)
$ap = Get-ItemProperty "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers" -Name DisableAutoplay -ErrorAction SilentlyContinue
if ($ap -and $ap.DisableAutoplay -eq 1) {
    Write-Host "[PASS] AutoPlay is disabled" -ForegroundColor Green
} else {
    Write-Host "[WARN] AutoPlay may be enabled - Settings > Bluetooth & devices > AutoPlay > Off" -ForegroundColor Yellow
}

# CHECK 5: Password minimum length (parsed from the output of 'net accounts')
$pol = net accounts 2>$null
$line = $pol | Select-String "Minimum password length"
# The label is missing on non-English Windows; avoid calling ToString() on $null
$len = if ($line) { $line.ToString() -replace "[^0-9]","" } else { "" }
if ($len -eq "") {
    Write-Host "[WARN] Could not read minimum password length - run 'net accounts' and check it manually" -ForegroundColor Yellow
} elseif ([int]$len -ge 8) {
    Write-Host "[PASS] Minimum password length: $len characters" -ForegroundColor Green
} else {
    Write-Host "[FAIL] Minimum password length is only $len - must be 8 or more" -ForegroundColor Red
}

# CHECK 6: Screen lock (timeout of 15 minutes or less, password required on resume)
$st = Get-ItemProperty "HKCU:\Control Panel\Desktop" -Name ScreenSaveTimeOut -ErrorAction SilentlyContinue
$ss = Get-ItemProperty "HKCU:\Control Panel\Desktop" -Name ScreenSaverIsSecure -ErrorAction SilentlyContinue
if ($st -and $ss -and [int]$st.ScreenSaveTimeOut -le 900 -and $ss.ScreenSaverIsSecure -eq "1") {
    Write-Host "[PASS] Screen locks with password after $([math]::Round([int]$st.ScreenSaveTimeOut/60,0)) minutes" -ForegroundColor Green
} else {
    Write-Host "[WARN] Screen lock not fully configured - Settings > Sign-in options > Require sign-in" -ForegroundColor Yellow
}

# CHECK 7: SMBv1 (legacy file-sharing protocol, must not be enabled)
$smb = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($smb -and $smb.State -eq "Enabled") {
    Write-Host "[FAIL] SMBv1 is enabled - this is a serious vulnerability, disable immediately" -ForegroundColor Red
} else {
    Write-Host "[PASS] SMBv1 is disabled" -ForegroundColor Green
}

Write-Host ""
Write-Host "Need help? Contact Prestige Cyber Guard:" -ForegroundColor White
Write-Host "hello@prestigecyberguard.co.uk" -ForegroundColor Cyan
What the results mean
[PASS] — that check meets the Cyber Essentials requirement. No action needed.
[WARN] — something needs reviewing. It may not block certification immediately, but it's a gap an assessor will likely question and expect you to address at renewal.
[FAIL] — this must be fixed before you can achieve or renew Cyber Essentials certification. Each fail includes a plain-English action so you know exactly what to do.
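The script looks up the Guest and Administrator accounts by name, so a renamed account or a non-English Windows install can slip past checks 1 and 2. The following added example (not part of the original script) identifies the built-in accounts by the last part of their SID instead, applies the same PASS, WARN and FAIL vocabulary, and saves the result to a CSV file. The output path and column names are assumptions made for this example.

```powershell
# Added example, not the original script: audit local accounts by SID and keep the result.
$cutoff  = (Get-Date).AddDays(-90)     # same 90-day window the script uses
$outFile = Join-Path $env:TEMP "ce-accounts-$env:COMPUTERNAME.csv"   # hypothetical path

$report = @(foreach ($u in Get-LocalUser) {
    # The final SID component (RID) identifies built-in accounts even when renamed
    # or localised: 500 = Administrator, 501 = Guest, 503 = DefaultAccount,
    # 504 = WDAGUtilityAccount.
    $rid   = $u.SID.Value.Split('-')[-1]
    $stale = ($null -eq $u.LastLogon) -or ($u.LastLogon -lt $cutoff)

    if (-not $u.Enabled) {
        $result = 'PASS'; $reason = 'Account is disabled'
    } elseif ($rid -eq '501') {
        $result = 'FAIL'; $reason = 'Built-in Guest account is enabled'
    } elseif ($rid -eq '500') {
        $result = 'WARN'; $reason = 'Built-in Administrator account is enabled'
    } elseif ($rid -in '503', '504') {
        $result = 'WARN'; $reason = 'System-managed account is enabled (disabled by default)'
    } elseif ($stale) {
        $result = 'WARN'; $reason = 'Enabled, but no logon in the last 90 days (or never)'
    } else {
        $result = 'PASS'; $reason = 'Enabled and recently used'
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Account   = $u.Name
        SID       = $u.SID.Value
        Enabled   = $u.Enabled
        LastLogon = $u.LastLogon
        Result    = $result
        Reason    = $reason
    }
})

$report | Sort-Object Result | Format-Table Account, Enabled, LastLogon, Result, Reason -AutoSize
$report | Export-Csv -Path $outFile -NoTypeInformation
Write-Host "Saved $($report.Count) account rows to $outFile"
```

Get-LocalUser only lists accounts local to the machine, so domain or Microsoft Entra ID accounts need to be reviewed in the directory itself.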
A note on SMBv1
If the script flags that SMBv1 is enabled, treat this as urgent, not just a compliance issue. SMBv1 is the protocol that allowed WannaCry to spread across networks in 2017, causing billions in damage globally. Microsoft disabled it by default in Windows 10 version 1709, but it can still be present on older machines or re-enabled by certain software.
To disable it, go to Programs → Turn Windows features on or off → SMB 1.0/CIFS File Sharing Support and untick it. Restart your machine when prompted. If anything breaks after disabling it, that's a sign something on your network is relying on a legacy protocol it shouldn't be — worth investigating.
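Rather than finding out what depends on SMBv1 by seeing what breaks, you can have Windows log SMBv1 connections first. The following added example (not part of the original post) shows the current state, turns on SMBv1 access auditing, lists the logged connections and disables the feature. The function names are made up for this example; the cmdlets and the audit log are standard Windows ones, and the commands need an elevated PowerShell window.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell window.
# Function names are hypothetical; the cmdlets and event log are standard Windows ones.

function Get-Smb1State {
    # The optional feature is what the script's CHECK 7 reads; the server setting
    # shows whether this machine would still accept inbound SMBv1 connections.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $server  = Get-SmbServerConfiguration
    [pscustomobject]@{
        FeatureState = $feature.State
        ServerSmb1   = $server.EnableSMB1Protocol
        AuditingSmb1 = $server.AuditSmb1Access
    }
}

function Enable-Smb1Audit {
    # Log each inbound SMBv1 connection so dependencies show up before anything breaks.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

function Get-Smb1Clients {
    # Event ID 3000 in the SMBServer audit log records each SMBv1 access.
    $filter = @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Disable-Smb1 {
    # Same effect as unticking the feature; the change completes at the next restart.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

Get-Smb1State | Format-List
# Typical order: Enable-Smb1Audit, let a representative period of normal use pass,
# run Get-Smb1Clients, fix or replace anything listed, then Disable-Smb1 and restart.
```

The audit log only records other devices connecting to this machine over SMBv1. It does not show this machine connecting out to an old NAS or printer, so check those devices separately.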
The complete Cyber Essentials series
This is the fifth and final post in our free Cyber Essentials script series. Together, these scripts give you a practical, hands-on way to audit your Windows machines across all five controls before your assessment:
✅ User Access Control — Are your accounts running with more privilege than they need?
✅ Malware Protection — Is Windows Defender actually protecting you?
✅ Security Update Management — When did your Windows machine last update?
✅ Firewall — Is your Windows Firewall actually blocking the right things?
✅ Secure Configuration — This post
All scripts are free, require no technical experience to run, and are available on our GitHub.
What's next?
Running these scripts across one machine is a great start — but Cyber Essentials certification requires you to evidence all five controls across every device in scope. That means your laptops, desktops, servers, and any cloud services your organisation uses.
If you've worked through this series and found gaps, or if you're ready to start your certification journey, we're here to help. At Prestige Cyber Guard, our Cyber Essentials support service takes you from gap assessment through to certified.
Get in touch today: 📧 hello@prestigecyberguard.co.uk 🌐 www.prestigecyberguard.co.uk
Cyber Essentials is a UK government-backed scheme managed by IASME on behalf of the National Cyber Security Centre (NCSC). Holding certification demonstrates that your organisation has the fundamental controls in place to protect against the most common cyber threats.