Reviewed and updated Apr 27, 2026. Added tested environment note, pilot deployment methodology, rollback procedure, SMBv1 and Credential Guard verification commands, and known conflict table.

Endpoint Security | Advanced

Hardening Windows 11 Endpoints with CIS Benchmark Level 1

AdminSignal Editorial | 20 min read

What the CIS Benchmark Is (and Isn't)

The CIS Windows 11 Benchmark is a prescriptive set of configuration recommendations developed by the Center for Internet Security. Level 1 is designed to be deployable in most enterprise environments without significant operational disruption. Level 2 adds additional restrictions that may require more testing and exception management.

What it is: A defensible, auditable baseline. It documents your organisation's intent to apply a recognised hardening standard.

What it isn't: A guarantee of security. It addresses known configuration weaknesses but does not substitute for patch management, EDR, identity controls, or monitoring.

This guide covers Level 1 only. Level 2 is appropriate for high-security environments and requires separate validation.

Tested environment: Windows 11 22H2 and 24H2, Group Policy with Windows Server 2022 domain controllers, and Microsoft Intune (April 2026 service release) for MDM-managed endpoints. The CIS Windows 11 Benchmark v3.0.0 was used as the reference.

When I Would Not Apply This As-Is

Do not apply a full CIS Level 1 baseline unchanged to every endpoint type. Shared kiosks, developer workstations, lab devices, manufacturing PCs, and machines with older VPN or printing dependencies often need a separate profile with documented exceptions.

I would also avoid using this baseline as the first security control in an unmanaged estate. Get patching, Defender, BitLocker key escrow, local admin password management, and basic monitoring working first. A hardening baseline is easier to defend when the core management plumbing is already reliable.

For Level 2 settings, create a separate project. Level 2 can be appropriate, but it changes the exception workload and support model. Treat it as a higher assurance profile rather than a quiet upgrade to Level 1.

Prerequisites

  • Windows 11 22H2 or 24H2 (the benchmark versions differ slightly — confirm you are applying the correct benchmark revision for your OS version)
  • PolicyAnalyzer from Microsoft's Security Compliance Toolkit (for validation)
  • Invoke-WindowsHardening script if you prefer automated application
  • Group Policy Management Console or Intune admin access
  • A pilot OU or pilot device group containing 5–10 representative machines before broad deployment — do not skip this step

Pilot Deployment: Do This Before Broad Rollout

Applying a hardening baseline to production endpoints without testing is the fastest way to create a support incident. Use this pilot process:

  1. Create a dedicated pilot OU (or Entra ID device group for Intune) containing representative machines across your hardware models and OS build versions.
  2. Apply the CIS baseline to the pilot scope only.
  3. Let the policy process for at least 48 hours and through at least one logon for each test user.
  4. Test the following before broader rollout:
    • All critical line-of-business applications launch and function correctly
    • Network access (shared drives, print servers) works under NTLMv2-only restrictions
    • NTLM-dependent legacy applications are identified (see Known Conflicts section)
    • PowerShell script execution policy is acceptable for your environment
    • VPN client connects without friction
  5. Document any exceptions required and create a separate GPO or Intune profile for those exceptions — do not weaken the main baseline.

Applying via Group Policy

Download the CIS Windows 11 Benchmark GPO package from the CIS website (free with registration). The package includes importable .PolicyRules files for PolicyAnalyzer and a PolicyDefinitions folder.

Import the ADMX Templates

  1. Copy the PolicyDefinitions folder contents to %SystemRoot%\PolicyDefinitions on your domain controller (or to the SYSVOL central store if you use one).
  2. Verify the templates load in the GPMC by opening any GPO and confirming the new settings appear in Administrative Templates.

Create and Link the Baseline GPO

  1. In the GPMC, create a new GPO: CIS-Win11-Level1-Computer.
  2. Back up any existing baseline GPOs first: Backup-GPO -All -Path C:\GPOBackups\PreCIS
  3. Import the CIS benchmark settings using Group Policy Management Editor > Action > Import Settings and point to the CIS-provided .xml backup.
  4. Link the GPO to your pilot OU only. Do not link to all workstations yet.
  5. After pilot validation, extend the link progressively: pilot → department 1 → department 2 → all workstations.
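The GPO steps above as one script, added here as an example and not taken from the CIS package or this guide's own tooling. It uses the GroupPolicy module from RSAT; the backup folder for the CIS-provided GPO, the display name of the GPO inside that backup, and the pilot OU distinguished name are assumptions you must replace.

```powershell
# Added example: stage the CIS Level 1 computer GPO and link it to the pilot OU only.
# Paths, the CIS backup GPO name and the OU DN are placeholders for your environment.
Import-Module GroupPolicy

$GpoName    = 'CIS-Win11-Level1-Computer'
$BackupRoot = 'C:\GPOBackups\PreCIS'                 # pre-change backup of every GPO (rollback source)
$CisBackup  = 'C:\CIS\Win11-L1-Backup'               # assumed: folder holding the CIS-provided GPO backup
$CisGpoName = 'CIS Microsoft Windows 11 L1 Computer' # assumed: display name of the GPO in that backup
$PilotOU    = 'OU=Pilot,OU=Workstations,DC=corp,DC=example'

# 1. Back up the current state of all GPOs before anything changes.
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
Backup-GPO -All -Path $BackupRoot | Out-Null

# 2. Create the baseline GPO if it does not already exist.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'CIS Windows 11 Benchmark Level 1 (computer settings)' | Out-Null
}

# 3. Import the CIS settings from the vendor backup into our GPO.
Import-GPO -BackupGpoName $CisGpoName -Path $CisBackup -TargetName $GpoName | Out-Null

# 4. Link to the pilot OU only; skip if a link is already present.
$linked = (Get-GPInheritance -Target $PilotOU).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $PilotOU -LinkEnabled Yes | Out-Null
}

# 5. Prove the GPO is linked nowhere above the pilot scope before widening the rollout.
[xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
$report.GPO.LinksTo | Select-Object SOMName, SOMPath, Enabled
```

Re-run the final two lines after each widening step; any SOMPath outside the intended ring means the link was extended too far.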

Applying via Microsoft Intune

For Intune-managed devices, use a combination of Settings Catalog and Endpoint Security profiles:

Settings Catalog

  1. Navigate to Devices > Configuration profiles > Create profile.
  2. Select Windows 10 and later and Settings catalog.
  3. Search for settings by their CIS benchmark references. Key categories to configure:
    • Windows Security > App and browser protection
    • Windows Firewall > Domain Profile
    • User Rights Assignment (via Settings Catalog)
    • Credential Guard > Enable Credential Guard

Security Baseline

Microsoft provides a Windows 11 Security Baseline in Intune that covers many of the same areas as CIS Level 1. It is not identical but is a defensible starting point. Apply it first, then use Settings Catalog to close gaps.

Conflict warning: If you apply both the Microsoft Security Baseline and a CIS-aligned Settings Catalog profile, check for conflicting settings. The last-applied policy wins — set the CIS profile to higher priority if you want CIS to take precedence.

Key Controls at Level 1

The following settings are the highest value in terms of risk reduction:

Account Controls

  • Minimum password length: 14 characters
  • Account lockout threshold: 5 invalid attempts
  • Administrator account: Renamed and disabled where possible (use LAPS for the local admin)
  • Guest account: Disabled

Audit Policy

Enable the following audit subcategories at a minimum:

  • Audit Credential Validation: Success and Failure
  • Audit Logon: Success and Failure
  • Audit Account Lockout: Success and Failure
  • Audit Process Creation: Success
  • Audit PowerShell Script Block Logging: Success

Windows Defender Settings

  • Real-time monitoring: Enabled
  • Cloud-delivered protection: Enabled
  • Potentially unwanted application (PUA) protection: Block
  • Tamper protection: Enabled (via Intune Security Experience profile — cannot be set via Group Policy on enrolled devices)

Network Security

  • LAN Manager Authentication Level: Send NTLMv2 response only, refuse LM and NTLM
  • Minimum session security for NTLM SSP: Require NTLMv2 and 128-bit encryption
  • SMB v1: Disabled (verify and disable via PowerShell)
  • Windows Firewall: All three profiles (Domain, Private, Public) set to On with default inbound block

Disabling SMBv1

SMBv1 should be disabled before applying the broader baseline. Verify it is not in use first:

PowerShell
# Check current SMBv1 state
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol

# Check for active SMBv1 sessions (run during business hours)
Get-SmbSession | Where-Object { $_.Dialect -eq '1.0' }

If no SMBv1 sessions are active, disable it:

PowerShell
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

Confirm the change:

PowerShell
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
# Expected: EnableSMB1Protocol : False

Credential Guard

Credential Guard isolates LSASS in a virtualisation-based security environment. Verify it is active after applying the baseline:

PowerShell
# Check Credential Guard status. The property is an array of identifiers for the
# virtualisation-based security services currently running; an empty result means none.
(Get-CimInstance -Namespace root/Microsoft/Windows/DeviceGuard -ClassName Win32_DeviceGuard).SecurityServicesRunning

A return value of 2 indicates Credential Guard is running. If it returns 0, check that Virtualization Based Security is enabled in the UEFI settings and that the GPO setting is applied correctly.

Validating Compliance

After applying the baseline, validate with PolicyAnalyzer:

  1. Download PolicyAnalyzer from the Microsoft Security Compliance Toolkit.
  2. Open PolicyAnalyzer and click Add > Files from GPO Backup for your CIS GPO.
  3. Add the CIS benchmark .PolicyRules file as a reference.
  4. Compare and identify gaps or conflicts.

For Intune-managed devices, use the Invoke-WindowsHardening script in audit mode to generate a compliance delta report:

PowerShell
Invoke-WindowsHardening -Mode Audit -Level CIS1 -ReportPath C:\Temp\HardeningReport.html

Spot-checking critical settings

PowerShell
# Verify NTLMv2 enforcement
(Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa").LmCompatibilityLevel
# Expected: 5 (Send NTLMv2 response only, refuse LM and NTLM)

# Verify PowerShell Script Block Logging
(Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -ErrorAction SilentlyContinue).EnableScriptBlockLogging
# Expected: 1

# Verify Windows Firewall domain profile is on
(Get-NetFirewallProfile -Profile Domain).Enabled
# Expected: True
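The spot checks above, generalised into a table-driven check that covers the NTLM, logging, SMBv1, firewall and audit controls this guide calls out and reports PASS/FAIL per control. This is an added example, not a script from the article or the CIS toolkit; expected values follow the benchmark items quoted above, and the NtlmMinClientSec value is the documented registry encoding of "Require NTLMv2 session security and 128-bit encryption". Run it elevated on a pilot machine.

```powershell
# Added example: local compliance spot check for the Level 1 controls discussed in this guide.
$Checks = @(
    @{ Name = 'LmCompatibilityLevel (NTLMv2 only, refuse LM/NTLM)'; Expected = 5
       Test = { (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue).LmCompatibilityLevel } }
    @{ Name = 'NtlmMinClientSec (NTLMv2 + 128-bit)'; Expected = 537395200   # 0x20080000
       Test = { (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue).NtlmMinClientSec } }
    @{ Name = 'PowerShell script block logging'; Expected = 1
       Test = { (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue).EnableScriptBlockLogging } }
    @{ Name = 'SMBv1 server disabled'; Expected = $false
       Test = { (Get-SmbServerConfiguration).EnableSMB1Protocol } }
    @{ Name = 'Firewall on with inbound block (all three profiles)'; Expected = $true
       Test = { @(Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -ne 'True' -or "$($_.DefaultInboundAction)" -ne 'Block' }).Count -eq 0 } }
    @{ Name = 'Audit Credential Validation'; Expected = 'Success and Failure'
       Test = { (auditpol /get /subcategory:"Credential Validation" /r | Where-Object { $_ } | ConvertFrom-Csv).'Inclusion Setting' } }
    @{ Name = 'Audit Logon'; Expected = 'Success and Failure'
       Test = { (auditpol /get /subcategory:"Logon" /r | Where-Object { $_ } | ConvertFrom-Csv).'Inclusion Setting' } }
)

# Evaluate each check; a thrown error (missing module, no rights) is reported rather than hidden.
$Results = foreach ($c in $Checks) {
    $actual = try { & $c.Test } catch { "ERROR: $($_.Exception.Message)" }
    [pscustomobject]@{
        Control  = $c.Name
        Expected = $c.Expected
        Actual   = $actual
        Status   = if ("$actual" -eq "$($c.Expected)") { 'PASS' } else { 'FAIL' }
    }
}

$Results | Format-Table -AutoSize
# Non-zero exit code so the script can gate a pilot ring from a scheduled task or CI job.
if ($Results.Status -contains 'FAIL') { exit 1 }
```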

Common Conflicts and Exceptions

LOB Application Conflicts

The CIS benchmark restricts NTLM and disables older TLS cipher suites. Older line-of-business applications may break. Common symptoms:

  • Symptom: App fails to authenticate against a file share
    Likely CIS setting: NTLMv2 enforcement (LM Compatibility Level 5)
    Fix: Update the app to Kerberos, or create a specific NTLM exception via the Group Policy setting Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
  • Symptom: HTTPS connection fails with a cipher error
    Likely CIS setting: TLS cipher suite restrictions
    Fix: Identify the app's required cipher, check whether it is on the CIS-allowed list, and create an exception if the app is business-critical
  • Symptom: Older PowerShell scripts break
    Likely CIS setting: Script execution policy
    Fix: Apply Set-ExecutionPolicy RemoteSigned -Scope LocalMachine and sign internal scripts
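The first row's fix, carried into a separate exception GPO so the main Level 1 GPO is never edited. This is an added example and not part of the guide or the CIS package; the exception GPO name, target OU and legacy server names are assumptions, and the ticket, owner and review-date fields are placeholders. The policy "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" is stored as the ClientAllowedNTLMServers multi-string value under MSV1_0, which is what the script sets.

```powershell
# Added example: a scoped NTLM exception GPO that sits beside, not inside, the CIS baseline.
Import-Module GroupPolicy

$ExceptionGpo = 'CIS-Win11-Exception-LegacyNTLM'
$TargetOU     = 'OU=Finance,OU=Workstations,DC=corp,DC=example'       # assumed OU of the affected users
$AllowedHosts = @('legacyfs01.corp.example', 'legacyfs01')           # assumed: exact names the app connects to

# Every exception carries its justification in the GPO comment (placeholders below).
if (-not (Get-GPO -Name $ExceptionGpo -ErrorAction SilentlyContinue)) {
    New-GPO -Name $ExceptionGpo -Comment 'Ticket: <ticket-id>; Owner: <team>; Review by: <date>' | Out-Null
}

# Write the remote-server exception list; the baseline GPO's LmCompatibilityLevel stays untouched.
Set-GPRegistryValue -Name $ExceptionGpo `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' `
    -ValueName 'ClientAllowedNTLMServers' -Type MultiString -Value $AllowedHosts | Out-Null

# Link first in link order on the target OU so the exception is processed after (and wins over) the baseline.
$linked = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object DisplayName -eq $ExceptionGpo
if (-not $linked) {
    New-GPLink -Name $ExceptionGpo -Target $TargetOU -LinkEnabled Yes -Order 1 | Out-Null
}
```

Values written with Set-GPRegistryValue appear under Administrative Templates > Extra Registry Settings in the editor rather than under Security Options, so note that in the exception record to avoid confusing the next reviewer.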

BYOD and Guest Access Scenarios

CIS Level 1 disables guest network access and restricts many network features. Review whether your guest Wi-Fi or BYOD workflows depend on settings that Level 1 restricts.

Developer Workstations

Developer machines may require exceptions for settings like Prevent access to registry editing tools or Script Execution Policy. Consider a separate CIS-compliant profile with an approved exceptions list for developer endpoints — document each exception with a business justification.

Rollback Procedure

If the baseline causes production issues, roll back cleanly:

GPO rollback

  1. Remove the link from the affected OU in GPMC (do not delete the GPO — just unlink it).
  2. Run gpupdate /force on affected machines or wait for the next background refresh cycle.
  3. Investigate the issue using the Group Policy troubleshooting guide.
  4. Restore the previous GPO state from backup if needed: Restore-GPO -Name "CIS-Win11-Level1-Computer" -Path C:\GPOBackups\PreCIS

Intune rollback

  1. Navigate to the Settings Catalog or Security Baseline profile in Intune.
  2. Remove the assignment from the affected device group.
  3. Devices will receive the "remove settings" signal on the next sync cycle — note that some settings (like BitLocker and Credential Guard) do not reverse on profile removal.

Settings that do not revert automatically

  • BitLocker: Once enabled, removing the policy does not decrypt the drive. This is intentional.
  • Credential Guard: Disabling via policy requires a registry change and a reboot. Use bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO to disable it if needed.
  • Audit policy: Removing the GPO reverts audit policy at next refresh.

AdminSignal Editorial

Editorial Staff

Written and reviewed by the AdminSignal editorial team. All content is independently verified for technical accuracy against official Microsoft documentation.