Microsoft Windows Security Baseline and CIS Benchmarks: How to Apply Them Without Breaking Your Environment

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
The Microsoft Security Baselines and CIS Benchmarks contain years of hardening research condensed into deployable configurations. The common objection to applying them is 'it will break things' -- which is true, but manageable with a test-first approach. The alternative is leaving hundreds of security settings at their permissive defaults indefinitely. This guide covers what the baselines actually configure, how to deploy them safely, and the settings most likely to need exceptions in typical enterprise environments.
Download and Import the Microsoft Security Baseline
Download the Security Compliance Toolkit:
- Go to microsoft.com/en-us/download/details.aspx?id=55319
- Download the Windows 11 Security Baseline (or the version matching your endpoints)
- Extract the ZIP
Contents of the Security Baseline package:
GPOs\folder: GPO backups ready to import into ADScripts\folder: Baseline-Local.ps1 for standalone (non-domain) machinesTemplates\folder: Custom ADMX files if neededPolicyAnalyzer\folder: Tool to compare current settings vs baseline
Import the baseline GPO into Active Directory:
# Create a new GPO from the backup
# Open Group Policy Management Console (gpmc.msc)
# Right-click 'Group Policy Objects' > Import Settings
# Browse to the GPOs folder from the Security Baseline download
# Select the 'MSFT Windows 11 - Computer' GPO backup
# Create new GPO named 'Security Baseline - Windows 11 - Computer'
# Do NOT link the GPO to any OU yet -- link only to a Pilot OU first
Use Policy Analyzer to see what changes the baseline makes:
# Run PolicyAnalyzer.exe from the toolkit
# Click 'Add...' and select the baseline GPO folder
# Compare against your current 'Default Domain Policy' and other GPOs
# The comparison shows: settings in baseline only, settings in your GPO only, conflicts
# Export the comparison to review settings before deployment
Settings Most Likely to Break Applications
Before deploying broadly, test these specific baseline settings that commonly break enterprise applications:
1. NTLM restriction settings (covered in the NTLM guide): The Microsoft baseline sets LM Authentication Level to 5 (NTLMv2 only). Applications using NTLMv1 or connecting by IP address may fail.
2. Credential Guard enablement: The Windows 11 baseline enables Credential Guard (virtualization-based security). This breaks applications using unconstrained Kerberos delegation. See the Credential Guard guide for compatibility checks.
3. SMB signing required: The baseline requires SMB signing on both client and server. Devices connecting to your endpoints via old NAS appliances or SMBv1 will fail.
4. Audit policy changes: The baseline enables many additional audit categories (command line process auditing, DPAPI activity, detailed file tracking). On busy systems, this can increase event log volume significantly. Verify your SIEM is prepared for the increased log volume.
5. PowerShell execution policy: The baseline may configure PowerShell execution policy to RemoteSigned or higher, which blocks unsigned local scripts. Any environment with PowerShell scripts that are not code-signed may see failures.
6. UAC settings: The baseline configures UAC to prompt for credentials (not just consent) for administrator accounts on the secure desktop. Users with scripts or automation that trigger UAC without credentials will be interrupted.
7. SCM (Service Configuration Manager) settings: The baseline disables several services (Print Spooler on servers, WDigest, LAN Manager hash storage). Each disabled service should be verified against your management tooling.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Deploy via Group Policy with a Pilot OU
Deployment stages:
Stage 1: Create a Pilot OU
# Create a dedicated pilot OU
New-ADOrganizationalUnit -Name 'Security Baseline Pilot' `
-Path 'OU=Workstations,DC=domain,DC=com'
# Move 10-20 representative workstations into the pilot OU
# Include: a variety of business unit workstations, machines used by
# your most complex applications, an IT admin workstation
Stage 2: Link the baseline GPO to the Pilot OU only
# Via GPMC: right-click the Pilot OU > Link an Existing GPO
# Select 'Security Baseline - Windows 11 - Computer'
# Force a policy update on pilot machines:
Invoke-GPUpdate -Computer (Get-ADComputer -SearchBase 'OU=Security Baseline Pilot,...' -Filter * | Select -ExpandProperty Name) -Force
Stage 3: Monitor for two weeks
- Check your helpdesk ticket queue for new tickets from pilot users
- Review Event Logs on pilot machines for audit policy changes, blocked operations
- Run Policy Analyzer from the pilot machines to verify the baseline applied
Stage 4: Document exceptions, create exception policy
# For each setting that breaks an application, create a documented exception:
# 1. Identify the specific baseline setting causing the issue
# 2. Create an exception GPO that overrides only that setting
# 3. Link the exception GPO to the Pilot OU with higher priority than the baseline GPO
# 4. Verify the exception resolves the application issue
# 5. Document: which application, why the exception is needed, review date
Stage 5: Expand to the full fleet
- Link the baseline GPO to all Workstations OUs
- Keep the exception GPO linked alongside it
- Monitor for new compatibility issues in the first two weeks
Deploy via Intune Using the Security Baseline Profile
For Intune-managed devices, use the built-in Intune Security Baseline profile instead of importing the GPO.
Location: Intune admin center > Endpoint Security > Security Baselines
Available baselines in Intune:
- Windows 365 Security Baseline
- Microsoft Defender for Endpoint Baseline
- Windows Security Baseline (Windows 10/11)
- Microsoft Edge Baseline
- Microsoft 365 Apps Baseline
Create and assign the Windows Security Baseline:
- Endpoint Security > Security Baselines > Windows Security Baseline
- Create profile > give it a name
- Configuration settings: review each category -- the defaults match the Microsoft Security Baseline recommendations. Change individual settings that you know will break your applications.
- Assignments: assign to a pilot Entra ID device group first
Review conflicts with existing Intune policies: Intune automatically detects conflicts between the security baseline and other device configuration profiles. Review the Endpoint Security > Security Baselines > [your baseline] > Device Status report for conflict and error counts after deployment.
# Check the compliance status of the security baseline on an enrolled device
# On the device, in PowerShell:
Get-MpComputerStatus # Defender settings from baseline
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' | Select-Object LmCompatibilityLevel
The bottom line
Apply the Microsoft Security Baseline or CIS Level 1 benchmark to a pilot OU of 10-20 machines before fleet deployment. Run the pilot for two weeks, document compatibility issues, create exception policies for legitimate application needs, then expand. The baseline GPO import and pilot OU setup takes under two hours. The value -- hundreds of security settings applied consistently across every managed endpoint -- far exceeds the compatibility testing investment.
Frequently asked questions
What is the difference between the Microsoft Security Baseline and the CIS Benchmark?
The Microsoft Security Baseline is Microsoft's own recommended configuration, distributed as ready-to-import GPO backups via the Security Compliance Toolkit. It focuses on settings that Microsoft has validated for security value with minimal application compatibility impact. The CIS Benchmark is developed by the Center for Internet Security through a consensus process with security practitioners and covers more settings in more detail, with Level 1 (broadly applicable) and Level 2 (high-security) profiles. The CIS Benchmarks are more comprehensive and cross-reference compliance frameworks (SOC 2, PCI-DSS, HIPAA). For most organizations starting hardening, the Microsoft Security Baseline is the easier entry point; the CIS Benchmark provides a more thorough and compliance-referenced configuration.
Will applying the security baseline affect my compliance posture with PCI-DSS or SOC 2?
Positively. Both the Microsoft Security Baselines and CIS Level 1 Benchmarks address requirements in common frameworks. CIS Benchmarks explicitly map each setting to PCI-DSS, HIPAA, and NIST controls. If you use the CIS Benchmark, the mapping documentation helps you demonstrate to auditors that specific settings address specific framework requirements. Note that applying a baseline does not guarantee compliance -- frameworks have requirements (logging, access reviews, incident response procedures) that go beyond technical endpoint configuration. The baseline addresses the technical configuration component of compliance.
How do I roll back the security baseline if it causes major issues?
If you deployed via GPO: unlink the baseline GPO from the affected OU and run gpupdate /force on affected machines. The settings revert to whatever your previous GPOs configured (or defaults if no prior configuration existed). If you deployed via Intune: remove the Security Baseline assignment from the device group -- settings revert over the next MDM sync cycle (approximately 8 hours or force a sync). For both deployment methods: if you deployed in stages (pilot OU first), only the pilot machines are affected and rollback is limited to that OU. This is why the pilot OU approach is essential -- it makes rollback trivial.
Does the security baseline include antivirus and EDR configuration?
The Microsoft Security Baseline for Windows includes Microsoft Defender Antivirus settings (real-time protection, cloud-delivered protection, PUA protection). It does not cover Defender for Endpoint advanced settings or third-party EDR products. The Intune Security Baseline for Microsoft Defender for Endpoint is a separate profile in Intune that covers EDR-specific settings. If you use a third-party EDR, configure it using the vendor's hardening guide rather than the Windows Security Baseline. CIS Benchmarks are vendor-neutral and include Defender-specific sections but do not cover third-party products.
How often should the security baseline be updated and how do I manage the update process?
Microsoft releases updated Security Baselines roughly twice a year, aligned with major Windows feature updates. The update process: download the new baseline from the Microsoft Security Compliance Toolkit, compare it against your current deployment using the Policy Analyzer tool included in the toolkit, identify settings that changed between versions, test changed settings in a pilot OU for two weeks, and then deploy to production via the same phased rollout used for the initial baseline. Never apply a new baseline directly to production without review -- Microsoft does occasionally change settings in ways that break enterprise applications. Subscribe to the Microsoft Security Baselines blog for release announcements so you catch updates promptly.
What is the difference between the Microsoft Security Baseline and the CIS Benchmark, and which should I use?
The Microsoft Security Baseline is developed by Microsoft's security team, maintained alongside Windows releases, and distributed as ready-to-import GPO and Intune templates. It is optimized for Microsoft's view of the right balance between security and compatibility in enterprise environments. The CIS Benchmark is developed by the Center for Internet Security, a non-profit, with input from a global community of security practitioners. CIS Benchmarks come in two levels: Level 1 (reasonable for most enterprises, lower compatibility risk) and Level 2 (higher security, more likely to break enterprise applications). For most enterprise environments, start with the Microsoft Security Baseline as the foundation because it has the best tooling support and compatibility testing. Apply CIS Level 1 additions on top where your compliance framework requires CIS alignment. Avoid applying CIS Level 2 settings wholesale without thorough testing -- the higher-security settings are designed for environments where security priority outweighs compatibility.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
