PRACTITIONER GUIDE | ENDPOINT SECURITY
Practitioner GuideUpdated 11 min read

Microsoft Windows Security Baseline and CIS Benchmarks: How to Apply Them Without Breaking Your Environment

400+ settings
The Windows 11 and Windows Server 2022 Microsoft Security Baselines each configure over 400 security settings via Group Policy. Most organizations have not reviewed or deliberately configured the majority of these settings -- applying the baseline is the fastest way to close hundreds of configuration gaps at once
Security Compliance Toolkit
is the free Microsoft download that contains the Security Baseline GPO backups, policy rules, and the Policy Analyzer tool for comparing current settings against the baseline. Download it from Microsoft at no cost and import the GPO backups directly into your AD
CIS Level 1 vs Level 2
Level 1 settings are broadly applicable with minimal functionality impact -- appropriate for most enterprise endpoints. Level 2 settings are for high-security environments and will break more applications. Start with Level 1 for workstations; Level 1 + selected Level 2 settings for servers handling sensitive data
Test in a pilot OU
before fleet-wide deployment. Apply the baseline GPO to a dedicated pilot OU containing representative workstations and a cross-section of business applications. Run the pilot for two weeks, collect compatibility issues, document exceptions, then expand

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

The Microsoft Security Baselines and CIS Benchmarks contain years of hardening research condensed into deployable configurations. The common objection to applying them is 'it will break things' -- which is true, but manageable with a test-first approach. The alternative is leaving hundreds of security settings at their permissive defaults indefinitely. This guide covers what the baselines actually configure, how to deploy them safely, and the settings most likely to need exceptions in typical enterprise environments.

Download and Import the Microsoft Security Baseline

Download the Security Compliance Toolkit:

  1. Go to microsoft.com/en-us/download/details.aspx?id=55319
  2. Download the Windows 11 Security Baseline (or the version matching your endpoints)
  3. Extract the ZIP

Contents of the Security Baseline package:

  • GPOs\ folder: GPO backups ready to import into AD
  • Scripts\ folder: Baseline-Local.ps1 for standalone (non-domain) machines
  • Templates\ folder: Custom ADMX files if needed
  • PolicyAnalyzer\ folder: Tool to compare current settings vs baseline

Import the baseline GPO into Active Directory:

# Create a new GPO from the backup
# Open Group Policy Management Console (gpmc.msc)
# Right-click 'Group Policy Objects' > Import Settings
# Browse to the GPOs folder from the Security Baseline download
# Select the 'MSFT Windows 11 - Computer' GPO backup
# Create new GPO named 'Security Baseline - Windows 11 - Computer'

# Do NOT link the GPO to any OU yet -- link only to a Pilot OU first

Use Policy Analyzer to see what changes the baseline makes:

# Run PolicyAnalyzer.exe from the toolkit
# Click 'Add...' and select the baseline GPO folder
# Compare against your current 'Default Domain Policy' and other GPOs
# The comparison shows: settings in baseline only, settings in your GPO only, conflicts
# Export the comparison to review settings before deployment

Settings Most Likely to Break Applications

Before deploying broadly, test these specific baseline settings that commonly break enterprise applications:

1. NTLM restriction settings (covered in the NTLM guide): The Microsoft baseline sets LM Authentication Level to 5 (NTLMv2 only). Applications using NTLMv1 or connecting by IP address may fail.

2. Credential Guard enablement: The Windows 11 baseline enables Credential Guard (virtualization-based security). This breaks applications using unconstrained Kerberos delegation. See the Credential Guard guide for compatibility checks.

3. SMB signing required: The baseline requires SMB signing on both client and server. Devices connecting to your endpoints via old NAS appliances or SMBv1 will fail.

4. Audit policy changes: The baseline enables many additional audit categories (command line process auditing, DPAPI activity, detailed file tracking). On busy systems, this can increase event log volume significantly. Verify your SIEM is prepared for the increased log volume.

5. PowerShell execution policy: The baseline may configure PowerShell execution policy to RemoteSigned or higher, which blocks unsigned local scripts. Any environment with PowerShell scripts that are not code-signed may see failures.

6. UAC settings: The baseline configures UAC to prompt for credentials (not just consent) for administrator accounts on the secure desktop. Users with scripts or automation that trigger UAC without credentials will be interrupted.

7. SCM (Service Configuration Manager) settings: The baseline disables several services (Print Spooler on servers, WDigest, LAN Manager hash storage). Each disabled service should be verified against your management tooling.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Deploy via Group Policy with a Pilot OU

Deployment stages:

Stage 1: Create a Pilot OU

# Create a dedicated pilot OU
New-ADOrganizationalUnit -Name 'Security Baseline Pilot' `
    -Path 'OU=Workstations,DC=domain,DC=com'

# Move 10-20 representative workstations into the pilot OU
# Include: a variety of business unit workstations, machines used by
# your most complex applications, an IT admin workstation

Stage 2: Link the baseline GPO to the Pilot OU only

# Via GPMC: right-click the Pilot OU > Link an Existing GPO
# Select 'Security Baseline - Windows 11 - Computer'
# Force a policy update on pilot machines:
Invoke-GPUpdate -Computer (Get-ADComputer -SearchBase 'OU=Security Baseline Pilot,...' -Filter * | Select -ExpandProperty Name) -Force

Stage 3: Monitor for two weeks

  • Check your helpdesk ticket queue for new tickets from pilot users
  • Review Event Logs on pilot machines for audit policy changes, blocked operations
  • Run Policy Analyzer from the pilot machines to verify the baseline applied

Stage 4: Document exceptions, create exception policy

# For each setting that breaks an application, create a documented exception:
# 1. Identify the specific baseline setting causing the issue
# 2. Create an exception GPO that overrides only that setting
# 3. Link the exception GPO to the Pilot OU with higher priority than the baseline GPO
# 4. Verify the exception resolves the application issue
# 5. Document: which application, why the exception is needed, review date

Stage 5: Expand to the full fleet

  • Link the baseline GPO to all Workstations OUs
  • Keep the exception GPO linked alongside it
  • Monitor for new compatibility issues in the first two weeks

Deploy via Intune Using the Security Baseline Profile

For Intune-managed devices, use the built-in Intune Security Baseline profile instead of importing the GPO.

Location: Intune admin center > Endpoint Security > Security Baselines

Available baselines in Intune:

  • Windows 365 Security Baseline
  • Microsoft Defender for Endpoint Baseline
  • Windows Security Baseline (Windows 10/11)
  • Microsoft Edge Baseline
  • Microsoft 365 Apps Baseline

Create and assign the Windows Security Baseline:

  1. Endpoint Security > Security Baselines > Windows Security Baseline
  2. Create profile > give it a name
  3. Configuration settings: review each category -- the defaults match the Microsoft Security Baseline recommendations. Change individual settings that you know will break your applications.
  4. Assignments: assign to a pilot Entra ID device group first

Review conflicts with existing Intune policies: Intune automatically detects conflicts between the security baseline and other device configuration profiles. Review the Endpoint Security > Security Baselines > [your baseline] > Device Status report for conflict and error counts after deployment.

# Check the compliance status of the security baseline on an enrolled device
# On the device, in PowerShell:
Get-MpComputerStatus  # Defender settings from baseline
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' | Select-Object LmCompatibilityLevel

The bottom line

Apply the Microsoft Security Baseline or CIS Level 1 benchmark to a pilot OU of 10-20 machines before fleet deployment. Run the pilot for two weeks, document compatibility issues, create exception policies for legitimate application needs, then expand. The baseline GPO import and pilot OU setup takes under two hours. The value -- hundreds of security settings applied consistently across every managed endpoint -- far exceeds the compatibility testing investment.

Frequently asked questions

What is the difference between the Microsoft Security Baseline and the CIS Benchmark?

The Microsoft Security Baseline is Microsoft's own recommended configuration, distributed as ready-to-import GPO backups via the Security Compliance Toolkit. It focuses on settings that Microsoft has validated for security value with minimal application compatibility impact. The CIS Benchmark is developed by the Center for Internet Security through a consensus process with security practitioners and covers more settings in more detail, with Level 1 (broadly applicable) and Level 2 (high-security) profiles. The CIS Benchmarks are more comprehensive and cross-reference compliance frameworks (SOC 2, PCI-DSS, HIPAA). For most organizations starting hardening, the Microsoft Security Baseline is the easier entry point; the CIS Benchmark provides a more thorough and compliance-referenced configuration.

Will applying the security baseline affect my compliance posture with PCI-DSS or SOC 2?

Positively. Both the Microsoft Security Baselines and CIS Level 1 Benchmarks address requirements in common frameworks. CIS Benchmarks explicitly map each setting to PCI-DSS, HIPAA, and NIST controls. If you use the CIS Benchmark, the mapping documentation helps you demonstrate to auditors that specific settings address specific framework requirements. Note that applying a baseline does not guarantee compliance -- frameworks have requirements (logging, access reviews, incident response procedures) that go beyond technical endpoint configuration. The baseline addresses the technical configuration component of compliance.

How do I roll back the security baseline if it causes major issues?

If you deployed via GPO: unlink the baseline GPO from the affected OU and run gpupdate /force on affected machines. The settings revert to whatever your previous GPOs configured (or defaults if no prior configuration existed). If you deployed via Intune: remove the Security Baseline assignment from the device group -- settings revert over the next MDM sync cycle (approximately 8 hours or force a sync). For both deployment methods: if you deployed in stages (pilot OU first), only the pilot machines are affected and rollback is limited to that OU. This is why the pilot OU approach is essential -- it makes rollback trivial.

Does the security baseline include antivirus and EDR configuration?

The Microsoft Security Baseline for Windows includes Microsoft Defender Antivirus settings (real-time protection, cloud-delivered protection, PUA protection). It does not cover Defender for Endpoint advanced settings or third-party EDR products. The Intune Security Baseline for Microsoft Defender for Endpoint is a separate profile in Intune that covers EDR-specific settings. If you use a third-party EDR, configure it using the vendor's hardening guide rather than the Windows Security Baseline. CIS Benchmarks are vendor-neutral and include Defender-specific sections but do not cover third-party products.

How often should the security baseline be updated and how do I manage the update process?

Microsoft releases updated Security Baselines roughly twice a year, aligned with major Windows feature updates. The update process: download the new baseline from the Microsoft Security Compliance Toolkit, compare it against your current deployment using the Policy Analyzer tool included in the toolkit, identify settings that changed between versions, test changed settings in a pilot OU for two weeks, and then deploy to production via the same phased rollout used for the initial baseline. Never apply a new baseline directly to production without review -- Microsoft does occasionally change settings in ways that break enterprise applications. Subscribe to the Microsoft Security Baselines blog for release announcements so you catch updates promptly.

What is the difference between the Microsoft Security Baseline and the CIS Benchmark, and which should I use?

The Microsoft Security Baseline is developed by Microsoft's security team, maintained alongside Windows releases, and distributed as ready-to-import GPO and Intune templates. It is optimized for Microsoft's view of the right balance between security and compatibility in enterprise environments. The CIS Benchmark is developed by the Center for Internet Security, a non-profit, with input from a global community of security practitioners. CIS Benchmarks come in two levels: Level 1 (reasonable for most enterprises, lower compatibility risk) and Level 2 (higher security, more likely to break enterprise applications). For most enterprise environments, start with the Microsoft Security Baseline as the foundation because it has the best tooling support and compatibility testing. Apply CIS Level 1 additions on top where your compliance framework requires CIS alignment. Avoid applying CIS Level 2 settings wholesale without thorough testing -- the higher-security settings are designed for environments where security priority outweighs compatibility.

Sources & references

  1. Microsoft -- Microsoft Security Baselines
  2. Microsoft -- Security Compliance Toolkit
  3. CIS -- CIS Benchmarks

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.