CustomizingRules

Michael Rasmussen edited this page Feb 27, 2026 · 1 revision

Customizing Rules in PowerSTIG

PowerSTIG provides two common ways to customize behavior in a baseline:

  1. SkipRule - Mark specific STIG rules as skipped (not enforced).
  2. OrgSettings - Override organization-specific values while keeping rules enforced.

Skipping Rules with SkipRule

Use SkipRule only when a rule is intentionally not enforced in your environment (for example, approved risk acceptance, technical exception, or out-of-scope requirement).

How SkipRule Works

At compile time, PowerSTIG marks the listed rule IDs as skipped in the generated MOF. These rules still appear in the MOF (typically with a [Skip] marker in the ResourceID) but are represented as non-enforcing resources.

In practice, skipped entries are commonly emitted as script-based resources that always pass (TestScript returns $true), so no setting is applied for that rule.

Example: WindowsClient with SkipRule

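Configuration PowerStig
{
	Import-DscResource -ModuleName PowerStig -ModuleVersion 4.29.0

	Node localhost
	{
		WindowsClient Win11-Baseline
		{
			StigVersion = '2.6'
			OsVersion = '11'
			# Rule IDs to mark as skipped; they stay in the MOF but are not enforced
			SkipRule = 'V-253261', 'V-253445'
		}
	}
}

# Compile the configuration; the MOF is written to the output path
. PowerStig -OutputPath 'c:\temp\mof'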

Overriding Values with OrgSettings

Use OrgSettings when a STIG rule allows more than one valid value (for example, ranges, allowed options, or organization-defined values) and your organization requires a specific approved setting.

How OrgSettings Works

At compile time, PowerSTIG:

  1. Loads the selected STIG data (Technology, TechnologyVersion, StigVersion).
  2. Applies values from OrgSettings over default STIG values.
  3. Compiles the final configuration into a MOF.

Example: WindowsClient with OrgSettings

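# Per-rule overrides keyed by rule ID; each value is applied over the STIG default
$WindowsClientOrgSettings = @{
	'V-253261' = @{ ValueData = '900' }
	'V-253445' = @{ ValueData = '1' }
}

Configuration PowerStig
{
	Import-DscResource -ModuleName PowerStig -ModuleVersion 4.29.0

	Node localhost
	{
		WindowsClient Win11-Baseline
		{
			StigVersion = '2.6'
			OsVersion = '11'
			# The rules stay enforced, using the organization-specific values above
			OrgSettings = $WindowsClientOrgSettings
		}
	}
}

# Compile the configuration; the MOF is written to the output path
. PowerStig -OutputPath 'c:\temp\mof'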

Recommended Workflow

  1. Start from a known-good baseline configuration.
  2. Use SkipRule only for explicitly approved exceptions.
  3. Add OrgSettings entries for rules that need organization-specific values.
  4. Compile to MOF and review output.
  5. Test in a non-production environment before broad deployment.
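One way to carry out the review in step 4 is to list every resource in the compiled MOF that carries the [Skip] marker and compare it with the approved exception list. This is an added example, not PowerSTIG's own code; the function names, the sample MOF text, its ResourceID layout, the approval list and the rule IDs V-000001 and V-000002 are constructed for illustration.

```powershell
# Added example (not PowerSTIG code). Sample MOF text is constructed; the exact
# ResourceID layout and the rule ID V-000001 are placeholders/assumptions.
$sampleMof = @'
instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
{
 ResourceID = "[Script][V-253261][Skip][medium][constructed title]::[WindowsClient]Win11-Baseline";
 TestScript = " return $true ";
};
instance of MSFT_ScriptResource as $MSFT_ScriptResource2ref
{
 ResourceID = "[Script][V-253445][Skip][low][constructed title]::[WindowsClient]Win11-Baseline";
 TestScript = " return $true ";
};
instance of MSFT_RegistryResource as $MSFT_RegistryResource1ref
{
 ResourceID = "[Registry][V-000001][medium][constructed title]::[WindowsClient]Win11-Baseline";
};
'@

function Get-SkippedStigRule {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$MofText)
    # Keep only ResourceID lines carrying the [Skip] marker, then pull out the rule ID.
    $MofText -split "`r?`n" |
        Where-Object { $_ -match '^\s*ResourceID\s*=' -and $_ -match '\[Skip\]' } |
        ForEach-Object { if ($_ -match '\[(V-\d+)\]') { $Matches[1] } } |
        Sort-Object -Unique
}

function Compare-SkipApproval {  # hypothetical helper name
    param([string[]]$Skipped, [string[]]$Approved)
    [pscustomobject]@{
        # Skipped in the MOF with no exception on file: needs review before deployment.
        Unapproved = @($Skipped  | Where-Object { $_ -and $_ -notin $Approved })
        # Exception on file but no matching [Skip] entry in this MOF.
        NotSkipped = @($Approved | Where-Object { $_ -and $_ -notin $Skipped })
    }
}

# Constructed exception register: one approved skip, one approval that is not in the MOF.
$approved = 'V-253261', 'V-000002'
$skipped  = @(Get-SkippedStigRule -MofText $sampleMof)
$result   = Compare-SkipApproval -Skipped $skipped -Approved $approved

"Skipped in MOF : $($skipped -join ', ')"
"Unapproved     : $($result.Unapproved -join ', ')"
"Not skipped    : $($result.NotSkipped -join ', ')"
if ($result.Unapproved.Count -gt 0) { Write-Warning 'MOF skips rules with no approved exception.' }
```

To check a real build, pass the output of `Get-Content -Raw` on the compiled MOF (for the configurations above, `c:\temp\mof\localhost.mof`) as `-MofText`.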

Related Guidance
