Windows 11 Security Baseline: The Complete Hardening Guide for 2026


Your Windows 11 machines shipped with decent defaults. The problem? "Decent" is not a security posture. It is a starting point that threat actors already know by heart. A Windows 11 security baseline transforms those factory settings into a fortress, closing the gaps that ransomware, credential theft, and supply chain attacks love to exploit. Whether you manage ten endpoints or ten thousand, baselining is the single most cost-effective hardening move you can make.

TL;DR

  • A Windows 11 security baseline is a curated set of Group Policy, Intune, or registry settings that harden your OS beyond its defaults.
  • Microsoft, CIS, and DISA all publish free baseline frameworks. Microsoft updated theirs for Windows 11 25H2 in late 2025.
  • Key areas: credential protection, attack surface reduction (ASR) rules, BitLocker encryption, network protocol hardening, and application control via WDAC.
  • Start in audit mode, graduate to enforcement. Test in a pilot ring before you roll to production.

What Is a Windows 11 Security Baseline?

A security baseline is a documented, repeatable set of configuration settings that define your organization's minimum acceptable security posture. Think of it as a blueprint. Instead of hoping every admin configures things the same way, you codify the answer once and deploy it everywhere.

For Windows 11, that blueprint typically covers Group Policy Objects (GPOs), Microsoft Intune configuration profiles, or a combination of both. It addresses everything from password policies and firewall rules to which legacy protocols get disabled and how aggressively Defender scans packed executables.

Microsoft alone exposes more than 3,000 Group Policy settings for Windows. Add Internet Explorer legacy settings and you are staring at nearly 5,000 toggles. Nobody should be hand-picking those one at a time. Baselines exist so you do not have to.

Baseline vs. Hardening: What Is the Difference?

A baseline establishes the floor. Hardening raises it. Baselining says "every machine must have these settings." Hardening goes further: disabling unnecessary services, restricting local admin rights, deploying application control. In practice, most organizations layer hardening on top of a baseline. The baseline is non-negotiable; hardening is where you tailor the fit to your environment.

The Big Three Baseline Frameworks

Not all baselines are born equal, but three frameworks dominate the Windows 11 landscape. Picking the right one (or blending them) depends on your compliance requirements, management tooling, and appetite for granularity.

Framework                     | Publisher                           | Format                          | Best For
------------------------------+-------------------------------------+---------------------------------+-------------------------------------------------------------------
Microsoft Security Baselines  | Microsoft                           | GPO backups, Intune profiles    | Organizations already invested in the Microsoft ecosystem
CIS Benchmarks                | Center for Internet Security        | PDF guides, CIS-CAT scanner     | Multi-vendor environments and compliance-driven teams
DISA STIGs                    | Defense Information Systems Agency  | XCCDF checklists, SCAP content  | Government, defense, and contractors with NIST 800-171 obligations

CIS benchmarks break their recommendations into Level 1 (low disruption, broad applicability) and Level 2 (tighter controls, potential productivity impact). Most enterprises start with CIS Level 1 or the Microsoft baseline, then cherry-pick Level 2 items where the risk justifies the friction. You can explore the Microsoft Security Compliance Toolkit to download, compare, and customize GPO baselines before deploying them.

What the Windows 11 25H2 Baseline Actually Changes

Microsoft released the security baseline for Windows 11 version 25H2 in September 2025, and it brought some genuinely meaningful updates. This is not a "we moved some furniture" release. Several changes reflect Microsoft's ongoing crusade to retire legacy protocols and shrink the attack surface of a default Windows installation.

New Policies Worth Knowing

  • NetBIOS disabled everywhere: The baseline now disables NetBIOS name resolution on all adapters, including domain and private networks. Legacy systems that depend on NetBIOS will need migration planning.
  • PSExec/WMI ASR rule (audit mode): A new Attack Surface Reduction rule blocks process creation originating from PSExec and WMI commands, set to audit by default so you can see the blast radius before flipping to block.
  • Printer security: Two new policies enforce encrypted Internet Printing Protocol (IPPS) and TLS certificate validation for IPP printers.
  • NTLM auditing: Enhanced NTLM audit logging is now on by default, giving security teams visibility into legacy authentication still lurking in the environment.
  • Command line in process events: Process creation events now include the full command line, a boon for threat hunters and SIEM correlation.
  • Internet Explorer COM lockdown: The COM automation interface for IE is disabled, closing one more door on that remarkably persistent fossil.

Settings Removed

The 25H2 baseline also cleaned house. WDigest Authentication was dropped because modern Windows already disables it by default. The "Scan packed executables" setting was removed since Defender now always scans them. And the "Control whether exclusions are visible to local users" policy was pulled because its parent policy handles the behavior.

Pro Tip: Watch for NetBIOS Fallout

The NetBIOS change is the one most likely to cause help desk tickets. Before deploying the 25H2 baseline, audit your network for devices or services that rely on NetBIOS name resolution. Legacy printers, older NAS appliances, and some line-of-business applications are the usual suspects. Running nbtstat -n across your fleet will surface dependencies quickly.

Core Baseline Categories: Where the Real Work Happens

A baseline touches dozens of policy areas, but five categories do the heaviest lifting for Windows 11 security. Nail these and you have eliminated the majority of common attack paths.

1. Credential Protection

Credential theft remains the single most exploited attack vector in enterprise breaches. Your baseline should enable Credential Guard (which isolates LSASS in a virtualization-based security container), enforce LSASS protection as a protected process, and disable WDigest storage of plaintext credentials. Pair this with LAPS (Local Administrator Password Solution) to rotate local administrator passwords automatically through Intune or Active Directory.

2. Attack Surface Reduction Rules

ASR rules are Defender's behavioral guardrails. They block specific actions that malware commonly abuses: Office macros spawning executables, scripts downloading payloads, credential dumping from LSASS, and more. Microsoft recommends at minimum three standard protection rules:

  • Block credential stealing from lsass.exe
  • Block abuse of exploited vulnerable signed drivers
  • Block persistence through WMI event subscription

Expert Tip: Advanced ASR Rules

A mature baseline adds rules for blocking Office child processes, obfuscated scripts, untrusted USB processes, and Adobe Reader child process creation. Start every rule in audit mode, collect data for two weeks, then promote low-noise rules to block. The Windows Defender Application Control page covers application-level policies that complement ASR rules.
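The audit-then-block workflow described above, as an added example that is not code from the article. It assumes Windows 11 with Defender Antivirus running, an elevated session, and that Defender's ASR audit events carry the rule GUID and a "Process Name:" line in their message text (matched with a regex rather than fixed field names); the rule GUIDs are Microsoft's published identifiers for the three rules named above, and the exclusion path is a placeholder.

```powershell
# Added example, not code from the article. Assumes Windows 11 with Defender Antivirus
# running, an elevated session, and that Defender's ASR audit events carry the rule GUID
# and a "Process Name:" line in their message text (matched with regex, not fixed field names).

# The three standard protection rules named above, keyed by their published rule GUIDs.
$asrRules = [ordered]@{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from lsass.exe'
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
}

# Step 1: stage every rule in audit mode. Add-MpPreference merges with rules already set;
# the Actions array is positional, one action per ID in the same order.
$ids     = [string[]]$asrRules.Keys
$actions = [string[]]($ids | ForEach-Object { 'AuditMode' })
Add-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions

# Step 2 (after the two-week audit window): event 1122 = audited, 1121 = blocked. Count
# hits per rule and triggering process so noisy rules and legitimate tooling stand out.
function Get-AsrAuditSummary {
    param([int]$Days = 14)
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    foreach ($e in $events) {
        $guid = [regex]::Match($e.Message, '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}', 'IgnoreCase').Value.ToLower()
        $proc = [regex]::Match($e.Message, '(?m)^\s*Process Name:\s*(.+?)\s*$').Groups[1].Value
        [pscustomobject]@{
            Rule    = if ($asrRules.Contains($guid)) { $asrRules[$guid] } else { $guid }
            Process = $proc
        }
    }
}

Get-AsrAuditSummary -Days 14 | Group-Object Rule, Process |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

# Step 3: promote a rule to block once its audit hits are understood. A legitimate tool
# that must keep working gets an ASR-only exclusion rather than leaving the rule in audit.
Add-MpPreference -AttackSurfaceReductionRules_Ids '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' `
                 -AttackSurfaceReductionRules_Actions Enabled
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\PLACEHOLDER\vendor-agent.exe'
```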

3. BitLocker Encryption

A lost or stolen laptop without disk encryption is a data breach waiting to happen. Your baseline should enforce BitLocker with XTS-AES 256-bit encryption on all drive types, require a TPM startup PIN (minimum six characters), and back up recovery keys to Active Directory or Entra ID. Enable enhanced PINs for alphanumeric complexity beyond the default numeric-only option.
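The BitLocker settings listed above, applied with the built-in BitLocker cmdlets, as an added example that is not code from the article. It assumes an elevated session on a domain-joined, TPM-equipped Windows 11 device whose OS volume is C:, and that the FVE policy values (UseEnhancedPin, MinimumPIN) are the registry equivalents of the "Allow enhanced PINs for startup" and "Configure minimum PIN length for startup" policies.

```powershell
# Added example, not code from the article. Assumes an elevated session on a domain-joined,
# TPM-equipped Windows 11 device whose OS volume is C:. The PIN is entered interactively
# so it never lands in a script file; the FVE values mirror the GPO settings named above.

# Policy prerequisites: enhanced (alphanumeric) PINs and a six-character minimum. Without
# UseEnhancedPin, Enable-BitLocker rejects a non-numeric PIN.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseEnhancedPin -Type DWord -Value 1
Set-ItemProperty -Path $fve -Name MinimumPIN     -Type DWord -Value 6

function Enable-OsDriveBitLocker {
    param([string]$MountPoint = 'C:', [int]$MinPinLength = 6)

    # A startup PIN needs a TPM that is present and ready.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { throw 'TPM not present or not ready.' }

    $pin    = Read-Host -AsSecureString -Prompt "Startup PIN (at least $MinPinLength characters)"
    $length = (New-Object System.Net.NetworkCredential('', $pin)).Password.Length
    if ($length -lt $MinPinLength) { throw "PIN is shorter than the baseline minimum of $MinPinLength." }

    # XTS-AES 256 with a TPM+PIN protector; UsedSpaceOnly keeps first encryption fast on fresh builds.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmAndPinProtector -Pin $pin `
                     -UsedSpaceOnly -SkipHardwareTest | Out-Null

    # Add a recovery password and escrow it to Active Directory (use BackupToAAD-BitLockerKeyProtector
    # with the same parameters on Entra ID-joined devices).
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery.KeyProtectorId

    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, EncryptionMethod, VolumeStatus, ProtectionStatus, EncryptionPercentage
}

Enable-OsDriveBitLocker
```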

4. Network Protocol Hardening

Legacy protocols are the cockroaches of enterprise networking: stubbornly persistent and surprisingly dangerous. Your baseline should disable NetBIOS, restrict NTLM authentication (while auditing first to find dependencies), enforce SMB signing, and disable LLMNR. For printing, enforce IPPS over plain IPP. Each of these protocols has been used in real-world lateral movement, relay attacks, and man-in-the-middle exploits.
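The protocol changes above, together with the NetBIOS audit from the earlier pro tip, as an added example that is not code from the article. It assumes an elevated session on Windows 11; NetBIOS is set per adapter through the Win32_NetworkAdapterConfiguration CIM class, the registry paths are the documented policy locations for LLMNR and NTLM auditing, and hosts.txt is a placeholder for your inventory.

```powershell
# Added example, not code from the article. Assumes an elevated session on Windows 11.
# NetBIOS is set per adapter through the Win32_NetworkAdapterConfiguration CIM class;
# the registry paths are the documented policy locations for LLMNR and NTLM auditing.

# Audit first (the NetBIOS pro tip): report NetBIOS over TCP/IP on every IP-enabled
# adapter. TcpipNetbiosOptions: 0 = follow DHCP, 1 = enabled, 2 = disabled.
function Get-NetbiosState {
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Description, IPAddress,
            @{ n = 'NetBIOS'; e = { @('DHCP default', 'Enabled', 'Disabled')[$_.TcpipNetbiosOptions] } }
}
Get-NetbiosState | Format-Table -AutoSize
# Fleet-wide (hosts.txt is a placeholder inventory):
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-NetbiosState}

# Disable NetBIOS on every adapter, matching what the 25H2 baseline does on all profiles.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    $null = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 }
}

# Disable LLMNR ("Turn off multicast name resolution" policy).
$dns = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
New-Item -Path $dns -Force | Out-Null
Set-ItemProperty -Path $dns -Name EnableMulticast -Type DWord -Value 0

# Require SMB signing on both the server and client side.
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# NTLM: audit before restricting. 2 = audit all inbound NTLM; 1 = audit (not deny) outbound.
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty -Path $msv -Name AuditReceivingNTLMTraffic  -Type DWord -Value 2
Set-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -Type DWord -Value 1

# Audited NTLM use then appears in the NTLM operational log; review it for dependencies
# before moving RestrictSendingNTLMTraffic to 2 (deny).
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```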

5. Firewall and Defender Configuration

Windows Firewall should be enabled across all profiles: domain, private, and public. Block inbound connections by default and log dropped packets. For Defender, enable real-time protection, cloud-delivered protection, automatic sample submission, and tamper protection. The baseline should also enable Controlled Folder Access to protect sensitive directories from ransomware encryption.

"A security baseline is not a destination. It is the floor you build everything else on. Without it, every additional security investment is sitting on sand."

Deploying Your Baseline: GPO vs. Intune

How you deploy depends on your management infrastructure. Both paths lead to the same result, but they serve different architectures.

Group Policy (On-Premises / Hybrid)

Download the baseline package from the Microsoft Security Compliance Toolkit. Import the GPO backups into your Active Directory, link them to the appropriate OUs, and test against a pilot group. Use PolicyAnalyzer (included in the toolkit) to compare your existing GPOs against the baseline and identify gaps or conflicts.

Microsoft Intune (Cloud-Managed)

Intune offers built-in security baseline profiles under Endpoint Security > Security Baselines. Create a new profile, review the default settings, customize as needed, and assign to a test group.

Warning: Intune Policy Conflicts

Intune security baselines are implemented as configuration policies, so a setting cannot be inherited from another policy or exist twice with different values. Watch for conflicts with existing configuration profiles: the same setting defined in both a baseline and a configuration profile will cause deployment failures.

Pro Tip: The Pilot Ring Is Not Optional

Never deploy a baseline to your entire fleet on day one. Create a pilot ring of 20 to 50 machines that represent your hardware and software diversity. Run the baseline in audit/report-only mode for two weeks minimum. Review Defender ASR audit events, check for application compatibility issues, and validate that printers, VPNs, and line-of-business apps still function. Only then graduate to enforcement across your production fleet.

CIS Benchmarks: Going Beyond Microsoft's Defaults

The CIS Microsoft Windows 11 Enterprise Benchmark provides hundreds of additional recommendations beyond what Microsoft's own baseline covers. It is organized into two tiers:

  • Level 1: Practical security controls with minimal operational disruption. Suitable for most enterprise endpoints.
  • Level 2: Stricter controls that may reduce functionality or usability. Ideal for high-security environments like financial systems, healthcare terminals, or machines handling classified data.

CIS also publishes the Microsoft Intune for Windows 11 Benchmark (version 4.0.0 as of April 2025), specifically written for MDM-managed environments. This variant maps CIS recommendations directly to Intune configuration profile settings, eliminating the translation layer between benchmark and deployment.

The benchmarks are freely available in PDF format for non-commercial use from the CIS Benchmarks portal. For automated compliance scanning, CIS-CAT Pro provides assessment tooling that checks machines against the benchmark and generates remediation reports.

Australian ASD Hardening Guidance

For organizations operating under Australian regulatory frameworks (or anyone who appreciates thorough hardening guidance), the Australian Signals Directorate (ASD) publishes detailed hardening guides for Windows 11 workstations. Their January 2026 update aligns with Windows 11 version 25H2 and introduces revised Group Policy settings, updated audit policy recommendations, and new hardening measures for printers, widgets, app installations, and SMB sessions.

The ASD guidance is particularly valuable because it goes beyond configuration settings into operational controls: how to manage local administrator accounts, how to restrict removable media, and how to configure application control with WDAC. If your organization follows the Essential Eight maturity model, the ASD Windows 11 guide maps directly to those controls.

Windows Baseline Security Mode: The Future of Secure Defaults

Microsoft is moving toward making strong security the default, not the exception. The upcoming Windows Baseline Security Mode (BSM) shifts runtime integrity protections from optional to on-by-default, paired with a new User Transparency and Consent model that presents mobile-style permission prompts for sensitive operations. Think of it as Windows finally borrowing the best ideas from iOS and Android permission management.

BSM represents a philosophical shift: instead of relying on admins to enable protections, the OS assumes a secure posture and requires explicit opt-out for weaker configurations. For organizations already running baselines, BSM will reinforce your existing controls. For those who have not started baselining yet, BSM will do some of the heavy lifting, but it is not a replacement for a managed baseline. You will still need organizational customization, compliance reporting, and drift detection.

Supply Chain Considerations

A baseline protects your configuration, but what about the integrity of the software itself? Supply chain attacks targeting Windows environments have shifted from theoretical to routine. Your baseline strategy should include verification steps:

  • Authenticode verification: Validate digital signatures on all executables, drivers, and scripts before deployment.
  • WDAC policies: Windows Defender Application Control restricts which applications can run based on publisher, hash, or file path rules.
  • Windows Update integrity: Verify that update channels are not compromised and that WSUS (if used) is properly secured.
  • Driver signing enforcement: Require all kernel-mode drivers to be signed by a trusted authority.
  • PowerShell constrained language mode: Limit PowerShell capabilities to signed scripts in production environments.

Our Windows Supply Chain Security Guide walks through each of these controls in detail, with practical implementation steps for both standalone and domain-joined environments.
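The Authenticode verification step from the list above, as an added example that is not code from the article or the linked guide. It checks a staging folder with Get-AuthenticodeSignature (which validates embedded and catalog signatures on PE files and scripts) and fails the deployment on anything unsigned, tampered, or signed by an unexpected publisher; the staging path and the publisher allow-list are placeholders, and the final line reports the constrained language mode item from the same list.

```powershell
# Added example, not code from the article. Verifies Authenticode signatures on a staging
# folder before deployment; the folder path and the publisher allow-list are placeholders.
# Get-AuthenticodeSignature checks embedded and catalog signatures of PE files and scripts.
function Test-DeploymentSignatures {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$TrustedPublishers = @()   # substrings expected in the signer Subject; empty = any valid signer
    )
    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys, *.msi, *.ps1, *.psm1 | ForEach-Object {
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $publisherOk = ($TrustedPublishers.Count -eq 0) -or
                       [bool]($TrustedPublishers | Where-Object { $subject -like "*$_*" })
        [pscustomobject]@{
            File    = $_.FullName
            Status  = $sig.Status     # Valid, NotSigned, HashMismatch (tampered), NotTrusted, UnknownError ...
            Signer  = $subject
            Trusted = ($sig.Status -eq 'Valid') -and $publisherOk
        }
    }
}

$report = Test-DeploymentSignatures -Path 'C:\PLACEHOLDER\staging' -TrustedPublishers 'Microsoft Corporation'
$report | Format-Table Trusted, Status, Signer, File -AutoSize

# Fail the deployment step on anything unsigned, tampered, or signed by an unexpected publisher.
$bad = $report | Where-Object { -not $_.Trusted }
if ($bad) { Write-Error "Refusing to deploy: $($bad.Count) file(s) failed signature verification."; exit 1 }

# Related check for the constrained language mode item: 'ConstrainedLanguage' is expected on
# hardened production hosts (typically enforced through WDAC or AppLocker).
$ExecutionContext.SessionState.LanguageMode
```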

Measuring Baseline Compliance and Detecting Drift

Deploying a baseline is step one. Keeping it enforced is the real challenge. Configuration drift, where machines gradually diverge from the baseline through manual changes, software installations, or policy conflicts, is inevitable without monitoring.

For GPO-managed environments, the Security Compliance Toolkit's PolicyAnalyzer can compare live GPO state against your baseline. For Intune, the compliance dashboard shows which devices meet baseline requirements and which have drifted. Azure Policy Machine Configuration (formerly Guest Configuration) extends this to Azure and Arc-connected servers with automated drift detection and optional remediation.

Build a quarterly review cadence: compare your deployed baseline against the latest published version, review ASR audit events for false positives, and validate that new applications have not introduced policy conflicts. If you need help establishing this process, our Windows Baseline Hardening Service includes ongoing compliance monitoring and drift remediation.
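A lightweight drift check for a single host, as an added example that is not code from the article or any of the toolkits it names. It expresses a handful of the settings discussed in this guide (LSASS protection, WDigest, LLMNR, SMB signing, the firewall and Defender configuration from category 5) as expected values and reports which have diverged; the expected values are a constructed sample, not a complete Microsoft or CIS baseline, and an elevated session is assumed.

```powershell
# Added example, not code from the article. Assumes an elevated session. The expected
# values are a constructed sample of settings discussed in this guide; extend the lists
# with the values your deployed baseline actually sets.

$registryBaseline = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                       Name = 'RunAsPPL';                 Expected = 1 }  # LSASS as protected process
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'; Name = 'UseLogonCredential';       Expected = 0 }  # no plaintext creds
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';           Name = 'EnableMulticast';          Expected = 0 }  # LLMNR off
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';  Name = 'RequireSecuritySignature'; Expected = 1 }  # SMB server signing
)

function Test-BaselineDrift {
    $results = @()
    foreach ($r in $registryBaseline) {
        $actual = (Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue).($r.Name)
        $results += [pscustomobject]@{ Control = "$($r.Path)\$($r.Name)"; Expected = $r.Expected; Actual = $actual }
    }

    # Defender preferences (numeric codes as returned by Get-MpPreference).
    $mp = Get-MpPreference
    $results += [pscustomobject]@{ Control = 'Defender:RealTimeMonitoring';     Expected = $false; Actual = $mp.DisableRealtimeMonitoring }
    $results += [pscustomobject]@{ Control = 'Defender:MAPSReporting';          Expected = 2;      Actual = [int]$mp.MAPSReporting }            # 2 = Advanced
    $results += [pscustomobject]@{ Control = 'Defender:ControlledFolderAccess'; Expected = 1;      Actual = [int]$mp.EnableControlledFolderAccess } # 1 = Enabled
    $results += [pscustomobject]@{ Control = 'Defender:TamperProtection';       Expected = $true;  Actual = (Get-MpComputerStatus).IsTamperProtected }

    # Firewall: all three profiles on, inbound blocked by default, dropped packets logged.
    foreach ($p in Get-NetFirewallProfile) {
        $results += [pscustomobject]@{ Control = "Firewall:$($p.Name):Enabled";        Expected = 'True';  Actual = [string]$p.Enabled }
        $results += [pscustomobject]@{ Control = "Firewall:$($p.Name):DefaultInbound"; Expected = 'Block'; Actual = [string]$p.DefaultInboundAction }
        $results += [pscustomobject]@{ Control = "Firewall:$($p.Name):LogBlocked";     Expected = 'True';  Actual = [string]$p.LogBlocked }
    }

    # String comparison so a missing value ($null) never matches an expected setting.
    $results | Select-Object *, @{ n = 'Compliant'; e = { "$($_.Actual)" -eq "$($_.Expected)" } }
}

$report = Test-BaselineDrift
$drift  = $report | Where-Object { -not $_.Compliant }
$report | Format-Table -AutoSize
if ($drift) { Write-Warning "$($drift.Count) control(s) have drifted from baseline on $env:COMPUTERNAME" }
```

Run it from a scheduled task or your RMM on the quarterly cadence above and ship the output to your SIEM, so drift is a reviewed event rather than a surprise.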

Key Takeaways

  • A Windows 11 security baseline is the foundation of every hardening strategy. It codifies your minimum acceptable security posture into repeatable, deployable settings.
  • Three frameworks dominate: Microsoft Security Baselines, CIS Benchmarks, and DISA STIGs. Most organizations start with Microsoft or CIS Level 1.
  • The Windows 11 25H2 baseline brings meaningful changes: NetBIOS disabled, new ASR rules, enhanced NTLM auditing, and printer security enforcement.
  • Five core areas matter most: credential protection, ASR rules, BitLocker, network protocol hardening, and firewall/Defender configuration.
  • Always deploy in audit mode first with a pilot group. Two weeks of data beats two hours of assumptions.
  • Baseline deployment is not a one-time event. Drift detection, quarterly reviews, and compliance monitoring keep your posture intact over time.
  • Supply chain verification (Authenticode, WDAC, driver signing) is the layer above baselining that most organizations still overlook.

Frequently Asked Questions

Is the Microsoft security baseline free to use?

Yes. Microsoft publishes security baselines at no cost through the Security Compliance Toolkit. You can download GPO backups, Intune profiles, and analysis tools from the Microsoft Download Center. The baselines work with all Windows 11 editions (Pro, Enterprise, Education) and require no additional licensing.

What is the difference between Microsoft baselines and CIS benchmarks?

Microsoft baselines are first-party recommendations designed for the Microsoft ecosystem, delivered as importable GPO backups and Intune profiles. CIS benchmarks are vendor-neutral, community-driven standards with detailed rationale for each setting, organized into Level 1 (broad applicability) and Level 2 (high security) tiers. Many organizations use both: the Microsoft baseline as the deployment mechanism and CIS benchmarks as the compliance validation layer.

Can I apply a security baseline to Windows 11 Home edition?

Windows 11 Home lacks Group Policy Editor (gpedit.msc) and does not support domain join, which limits your ability to deploy baselines through standard enterprise tools. You can still apply many settings via registry edits, PowerShell scripts, or third-party tools, but the process is manual and harder to maintain. For any environment where security matters, Windows 11 Pro or Enterprise is the recommended starting point.

How often should I update my Windows 11 baseline?

Review and update your baseline every time Microsoft releases a new feature update (typically once per year) and whenever Microsoft publishes a new baseline version. Additionally, perform quarterly reviews to check for configuration drift, evaluate new ASR rules, and assess whether emerging threats require additional controls. Subscribe to the Microsoft Security Baselines blog for release notifications.

Will applying a baseline break my applications?

It can, which is exactly why pilot testing exists. The most common breakage comes from network protocol changes (disabling NetBIOS or NTLM), application control policies (WDAC blocking unsigned apps), and ASR rules (blocking macro-heavy workflows). Start with audit mode to identify conflicts before enforcing. Document every exception you grant, because each one is a deliberate trade-off between security and functionality.

Do I still need a baseline if I use Microsoft Defender for Endpoint?

Absolutely. Defender for Endpoint is a detection and response tool. It watches for threats and responds to incidents. A baseline is a prevention tool. It hardens the OS configuration to reduce the attack surface before threats arrive. They are complementary layers, not alternatives. In fact, a strong baseline makes Defender more effective by reducing the noise and false positives it has to process.

Next Steps

A Windows 11 security baseline is not a checkbox. It is the foundation that every other security investment builds on. Start with one of the three major frameworks, deploy to a pilot ring, validate in audit mode, and then roll to production with confidence.

If you want expert hands on the keyboard, our Windows Baseline Hardening Service handles the full lifecycle: framework selection, customization, deployment, and ongoing compliance monitoring. Or start by exploring our Windows Workstations category for tools, guides, and services purpose-built for Windows endpoint security.

Your machines are only as secure as their configuration. Make sure the configuration is deliberate.