A default-installed Windows 11 endpoint in 2026 has eight major attack surfaces enabled out of the box that should not be: NTLM authentication, LM/NTLMv1 fallback in many cases, unsigned-driver execution, LSASS access from non-protected processes, BitLocker without PIN, Office macros from internet sources, SmartScreen passable via mark-of-the-web bypass, and PowerShell without script-block logging. This Windows 11 enterprise hardening guide for 2026 is the consolidated 10-phase rollout that closes every one of those gaps — aligned with the CIS Microsoft Windows 11 Enterprise Benchmark, Microsoft’s Security Baselines, and the operational realities of running a multi-thousand-endpoint fleet under Intune, Group Policy, or both.

If you operate a Windows 11 enterprise environment and you’ve been waiting for a guide that goes deeper than “turn on Defender,” this is it. Every phase has concrete PowerShell, the exact GPO and Intune CSP path, real ASR rule GUIDs, a “what breaks” warning, and a roll-back recipe.

TL;DR — the 90-day Windows 11 hardening rollout

The phased plan you can copy into a project tracker today:

  • Days 1–7 (Phase 0): Baseline import — Microsoft Security Baseline + CIS Benchmark Level 1 GPO into a staging OU
  • Days 8–14 (Phase 1): Identity hardening — Credential Guard, LSA Protection, Windows Hello for Business, Windows LAPS
  • Days 15–21 (Phase 2): Network hardening — SMB signing, disable SMBv1/LLMNR/NetBIOS/mDNS/WPAD, DoH, firewall lockdown
  • Days 22–35 (Phase 3): Attack Surface Reduction (ASR) — all 19 rules in audit mode for 14 days before any switch to block
  • Days 36–42 (Phase 4): Microsoft Defender hardening — cloud protection, tamper protection, Controlled Folder Access, Network Protection
  • Days 43–49 (Phase 5): Application Control — Smart App Control, WDAC base policy, SmartScreen at maximum, block macros from internet
  • Days 50–56 (Phase 6): BitLocker + PIN, removable media policy, encrypted Recovery Partition
  • Days 57–63 (Phase 7): Privilege management — remove standard users from local Administrators, JIT admin, UAC at maximum, NTLM disable
  • Days 64–77 (Phase 8): Logging & detection — PowerShell scriptblock + module logging, Sysmon (Olaf Hartong config), WEF/AMA to SIEM, audit policy at CIS Level 1
  • Days 78–84 (Phase 9): OS surface reduction — disable autoplay, Cortana web search, telemetry to Security level, optional features review
  • Days 85–90 (Phase 10): Zero Trust integration — Conditional Access policies, device compliance, risk-based sign-in, continuous evaluation

Total: 90 days for a measured, audit-friendly rollout. Aggressive teams can compress to 45.

Why Windows 11 hardening matters in 2026

Four numbers that frame the priority:

  • 80%+ of ransomware incidents in Microsoft’s 2024 Digital Defense Report involved credential-abuse paths that ASR rules + Credential Guard + LAPS would have blocked.
  • 94% of malware observed in IBM’s 2024 X-Force Threat Index was delivered through email or web — exactly what Smart App Control, MOTW enforcement, and the email-execution ASR rule are designed to stop.
  • The median dwell time before detection of a Windows endpoint compromise in 2024 was 10 days (Mandiant M-Trends). PowerShell scriptblock logging + Sysmon forwarded to a SIEM compresses that to hours.
  • CIS Microsoft Windows 11 Enterprise Benchmark v3 has 365 settings. The 80/20 hit comes from ~60 of them — the ones in this guide.

Hardening Windows 11 isn’t optional for any organization processing regulated data (HIPAA, PCI DSS, NIST 800-171, ISO 27001). It’s also a hard requirement for cyber insurance — the 2025 application questionnaires from major carriers (Beazley, AIG, Chubb) explicitly ask about MFA, LAPS, EDR, ASR rules, BitLocker, and PowerShell logging. “No” to any of these is now a coverage-affecting answer.

The hardening framework (10 phases at a glance)

#PhasePrimary controlsTooling
1Identity & AuthCredential Guard, LSA Protection, WHfB, LAPSGPO + Intune
2NetworkSMB signing, disable SMBv1/LLMNR/NetBIOS/WPAD, DoHGPO + PS
3ASR Rules19 ASR rules in Defender for EndpointIntune + PS
4Defender HardeningCloud protection, CFA, Network Protection, Tamper ProtectionIntune + PS
5Application ControlSmart App Control, WDAC, SmartScreen, macro blockingIntune + GPO
6EncryptionBitLocker + TPM 2.0 + PIN, removable mediaGPO + Intune
7Privilege MgmtRemove from local admin, UAC max, JIT, NTLM disableGPO + PIM
8LoggingPS scriptblock, module, transcript, Sysmon, WEFGPO + Intune
9Surface ReductionDisable autoplay, Cortana, optional features, telemetryGPO + Intune
10Zero TrustConditional Access, device compliance, continuous evalEntra ID

Each phase below is self-contained: prerequisites, what to set, the exact path, the verification command, and the failure modes.

How to harden Windows 11 for enterprise (10-phase rollout)

How To

How to harden Windows 11 for enterprise in 90 days

Estimated time: 90D

  1. Import the security baseline

    Download the Microsoft Security Baseline for Windows 11 24H2 from the Microsoft Security Compliance Toolkit. Import the GPO objects into a staging OU. Also reference CIS Microsoft Windows 11 Enterprise Benchmark v3 Level 1 settings (Level 2 for high-security tier). Baseline first, then layer organisation-specific deltas — never start from scratch.
  2. Enable identity hardening: Credential Guard + LSA Protection + WHfB + LAPS

    Enable Credential Guard (UEFI virtualisation-based security) and LSA Protection (RunAsPPL = 1) — both block credential theft from lsass.exe. Deploy Windows Hello for Business for passwordless. Deploy Windows LAPS for local admin rotation. These four controls together eliminate the most-abused credential attack paths.
  3. Harden the network: disable legacy protocols, enforce SMB signing, switch to DoH

    Disable SMBv1 (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol), LLMNR (GPO: Turn off multicast name resolution), NetBIOS over TCP/IP, mDNS, WPAD. Enforce SMB signing required on both client and server. Configure DNS over HTTPS (Set-DnsClientDohServerAddress). Lock the Windows Firewall to default-deny inbound.
  4. Enable Attack Surface Reduction rules in audit mode for 14 days, then block

    Deploy all 19 ASR rules in Audit mode first via Intune (Endpoint security → Attack surface reduction) or PowerShell (Set-MpPreference -AttackSurfaceReductionRules_Ids ... -AttackSurfaceReductionRules_Actions AuditMode). Watch Event ID 1122 in Microsoft-Windows-Windows Defender/Operational for hits. After 14 days, flip the production-safe rules to Block (Action = Enabled), keep the noisy ones in Audit.
  5. Harden Microsoft Defender: cloud protection, CFA, Network Protection, Tamper Protection

    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples -DisableBlockAtFirstSeen $false -CloudBlockLevel High -EnableControlledFolderAccess Enabled -EnableNetworkProtection Enabled. Enable Tamper Protection via Intune (cannot be set locally). Tamper Protection is the single most important Defender setting — it stops attackers from disabling AV via registry/PS.
  6. Lock down application execution: Smart App Control, WDAC, SmartScreen, macros

    Smart App Control on (Win 11 22H2+ clean installs only). WDAC base policy in audit mode → enforce within 30 days. SmartScreen for Apps and Edge at Block. Block all Office macros from the internet via GPO (Block macros from running in Office files from the Internet). Block VBA macros in trusted documents for high-risk users (finance, legal).
  7. Encrypt with BitLocker + TPM 2.0 + PIN

    BitLocker with TPM-only is insecure against an attacker with physical access (DMA attacks, cold-boot residuals). Require TPM + PIN for all enterprise endpoints. Use XTS-AES 256 encryption. Configure removable media policy: BitLocker To Go required, or block writes to unencrypted removable media. Store recovery keys in Entra ID (Intune) or AD.
  8. Eliminate standing privilege: remove from local admin, UAC max, JIT access, disable NTLM

    Remove standard users from the local Administrators group. Set UAC = Always notify (Consent Prompt = 2). Adopt Just-in-Time (JIT) admin via Entra PIM or third-party PAM — no permanent admins. Disable NTLM via the NTLM removal guide. The combination is what red teams hate most.
  9. Enable comprehensive logging: PowerShell + Sysmon + audit policy + SIEM forwarding

    Turn on PowerShell ScriptBlock logging (Event 4104), Module logging (Event 4103), and Transcription. Deploy Sysmon with Olaf Hartong’s modular config (or SwiftOnSecurity baseline). Enable CIS Level 1 audit policy (Account Logon, Logon/Logoff, Object Access, Privilege Use). Forward via Windows Event Forwarding (WEF) or Azure Monitor Agent (AMA) to your SIEM. Without forwarding, you have logs nobody reads.
  10. Integrate with Zero Trust: Conditional Access, device compliance, continuous evaluation

    Enforce Conditional Access policies on every cloud app: require compliant device + MFA. Configure device compliance in Intune: BitLocker on, secure boot, OS version >= 24H2, AV active. Enable Continuous Access Evaluation so token revocation is real-time. Add risk-based sign-in policies in Entra ID Premium P2. This is the final layer: identity-aware access on top of an already-hardened endpoint.

The remaining sections expand each phase with the implementation detail you need.

Phase 1: Identity & Authentication

Four controls. Deploy in this order.

Credential Guard

Virtualisation-based security (VBS) that runs LSASS secrets in an isolated VTL1 enclave. Mimikatz, lsadump-style attacks, and pass-the-hash become impossible against domain credentials. Available on Win 10 1607+, default-on for Win 11 22H2+ on clean installs of Enterprise/Education SKUs.

Verification:


# Check VBS + Credential Guard status
$dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace 'root\Microsoft\Windows\DeviceGuard'
$dg.VirtualizationBasedSecurityStatus      # 2 = running
$dg.SecurityServicesRunning                # contains 1 = CredGuard, 2 = HVCI
$dg.AvailableSecurityProperties            # 1 BaseVirtualizationSupport, 2 SecureBoot, 3 DMA Protection

Enable via GPO (if not default-on): Computer Config → Admin Templates → System → Device Guard → Turn On Virtualization Based SecurityEnabled, with Credential Guard Configuration = Enabled with UEFI lock.

What breaks: Some old VPN clients (Cisco AnyConnect pre-4.10), some Citrix Receiver versions, legacy biometric drivers. Audit list of known-incompatible drivers with mdmdiagnosticstool.exe -Area DeviceGuard.

LSA Protection (RunAsPPL)

Stops non-PPL (Protected Process Light) code from injecting into lsass.exe. Blocks procdump lsass.exe and most reflective DLL injection.


# Enable PPL on LSASS
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'RunAsPPL' -Type DWord -Value 1
# Verify after reboot
(Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -MaxEvents 50 |
  Where-Object { $_.Message -match 'LSASS' }) | Format-List

What breaks: Custom AV drivers that aren’t PPL-signed. Audit for 7 days, identify any failure events (Event ID 3033 in CodeIntegrity log), get signed drivers from your vendor.

Windows Hello for Business

Passwordless logon backed by TPM-bound asymmetric keys. Configure via Intune (Endpoint security → Account protection → Windows Hello for Business) or GPO (Computer Config → Admin Templates → Windows Components → Windows Hello for Business). Require PIN complexity (min 8 digits), biometric off for high-security tiers, certificate-trust model for hybrid AD.

Windows LAPS

Native local Administrator password rotation. See the full Windows LAPS implementation guide for the 8-step rollout: schema, KDS root key, tiered RBAC, encrypted storage, and DSRM password backup on DCs.

Phase 2: Network Security

Five settings that together kill the most common lateral-movement techniques.

Disable SMBv1


# Check current state
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

# Remove (requires reboot)
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

Why: SMBv1 is the protocol EternalBlue (MS17-010) exploited. Removal is a no-brainer. Any device that still requires SMBv1 (some old NAS, some MFP scan-to-share) needs an upgrade or replacement, full stop.

Enforce SMB signing required

GPO: Computer Config → Policies → Windows Settings → Security Settings → Local Policies → Security Options:

  • Microsoft network server: Digitally sign communications (always) = Enabled
  • Microsoft network client: Digitally sign communications (always) = Enabled

SMB signing prevents the SMB→SMB relay attack that’s the second most common ntlmrelayx target. Required by default since Win 11 24H2 / Server 2025; verify older builds explicitly.

Disable LLMNR, NetBIOS, mDNS, WPAD

ProtocolWhat it leaksDisable how
LLMNRHashes (Responder bait)GPO: Computer Config → Admin Templates → Network → DNS Client → Turn off multicast name resolution = Enabled
NetBIOS over TCP/IPHashes + hostnamesPer NIC: Set-NetAdapterAdvancedProperty -Name 'Ethernet' -DisplayName 'NetBIOS over TCP/IP' -DisplayValue 'Disabled'; or GPO via DHCP option
mDNSHostnamesSet-NetTCPSetting -SettingName Internet -MDnsEnabled $false
WPADProxy hijack vectorGPO: Disable Internet Explorer's automatic detection of proxy settings; also Set-Service -Name WinHttpAutoProxySvc -StartupType Disabled

These four are universal Responder/Inveigh bait. Disable on every workstation and server.

DNS over HTTPS (DoH)


# Configure DoH against your corporate resolver (or 1.1.1.1 as example)
Set-DnsClientDohServerAddress -ServerAddress '10.1.1.53' -DohTemplate 'https://corp-dns.local/dns-query' -AllowFallbackToUdp $false -AutoUpgrade $true

Prevents passive DNS sniffing by attackers on the same broadcast domain. Pair with split-horizon DNS so internal queries still resolve through your DC.

Firewall lockdown

Default-deny inbound on every profile. Allow only what’s explicitly required (RDP from jump hosts, SMB from servers to file shares, etc.). GPO at: Computer Config → Windows Settings → Security Settings → Windows Defender Firewall with Advanced Security → set Inbound to Block by default for Domain, Private, and Public profiles.

Phase 3: Attack Surface Reduction rules (the 19-rule reference)

The single highest-ROI Defender feature. ASR rules are heuristic blocks for common malware behaviour. Roll out in Audit mode for 14 days before flipping to Block — the noise rate varies wildly by environment.

The full 19-rule table with recommended action and GUID:

RuleGUIDAudit first?Production action
Block abuse of exploited vulnerable signed drivers56a863a9-875e-4185-98a7-b882c64b5ce5YesBlock
Block Adobe Reader from creating child processes7674ba52-37eb-4a4f-a9a1-f0f9a1619a2cNoBlock
Block all Office applications from creating child processesd4f940ab-401b-4efc-aadc-ad5f3c50688aYesBlock
Block credential stealing from lsass.exe9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2YesBlock
Block executable content from email/webmailbe9ba2d9-53ea-4cdc-84e5-9b1eeee46550NoBlock
Block executable files unless prevalence/age/trusted01443614-cd74-433a-b99e-2ecdc07bfc25Yes (high noise)Audit → Block in tier 2 only
Block execution of obfuscated scripts5beb7efe-fd9a-4556-801d-275e5ffc04ccYesBlock
Block JS/VBS from launching downloaded executabled3e037e1-3eb8-44c8-a917-57927947596dNoBlock
Block Office apps from creating executable content3b576869-a4ec-4529-8536-b80a7769e899NoBlock
Block Office apps from injecting code into other processes75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84YesBlock
Block Office communication app (Outlook) from child procs26190899-1602-49e8-8b27-eb1d0a1ce869NoBlock
Block persistence through WMI event subscriptione6db77e5-3df2-4cf1-b95a-636979351e5bNoBlock
Block process creations from PSExec and WMId1e49aac-8f56-4280-b9ba-993a6d77406cYesBlock in tier 2; Audit-only for admin tier (PSExec is a legit admin tool)
Block reboot to Safe Mode (preview)33ddedf1-c6e0-47cb-833e-de6133960387YesBlock
Block untrusted/unsigned processes from USBb2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4NoBlock
Block use of copied/impersonated system toolsc0033c00-d16d-4114-a5a0-dc9b3a7d2cebYesBlock
Block Webshell creation for Serversa8f5898e-1dc8-49a9-9878-85004b8a61e6YesBlock (server SKUs)
Block Win32 API calls from Office macros92e97fa1-2edf-4476-bdd6-9dd0b4dddc7bNoBlock
Use advanced protection against ransomwarec1db55ab-c21a-4637-bb3f-a12568109d35YesAudit only initially; review FPs

Bulk-enable in audit mode:


$rules = @(
  '56a863a9-875e-4185-98a7-b882c64b5ce5',
  '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c',
  'd4f940ab-401b-4efc-aadc-ad5f3c50688a',
  '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2',
  'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550',
  '5beb7efe-fd9a-4556-801d-275e5ffc04cc',
  'd3e037e1-3eb8-44c8-a917-57927947596d',
  '3b576869-a4ec-4529-8536-b80a7769e899',
  '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84',
  '26190899-1602-49e8-8b27-eb1d0a1ce869',
  'e6db77e5-3df2-4cf1-b95a-636979351e5b',
  'd1e49aac-8f56-4280-b9ba-993a6d77406c',
  'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4',
  '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b',
  'c1db55ab-c21a-4637-bb3f-a12568109d35'
)
foreach ($r in $rules) {
  Add-MpPreference -AttackSurfaceReductionRules_Ids $r -AttackSurfaceReductionRules_Actions AuditMode
}

# After 14 days, switch to Enabled (Block)
foreach ($r in $rules) {
  Set-MpPreference -AttackSurfaceReductionRules_Ids $r -AttackSurfaceReductionRules_Actions Enabled
}

# Monitor hits
Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' -FilterXPath "*[System[EventID=1121 or EventID=1122]]" -MaxEvents 50 |
  Format-Table TimeCreated, Id, Message -AutoSize

Event IDs:

  • 1121 — ASR rule blocked an action
  • 1122 — ASR rule audited an action (would have blocked)
  • 5007 — Defender preference change

Phase 4: Microsoft Defender hardening

Default Defender is “on.” Enterprise-grade Defender is configured. The full baseline:


Set-MpPreference -MAPSReporting Advanced `
  -SubmitSamplesConsent SendSafeSamples `
  -CloudBlockLevel High `
  -CloudExtendedTimeout 50 `
  -DisableBlockAtFirstSeen $false `
  -DisableArchiveScanning $false `
  -DisableEmailScanning $false `
  -DisableRemovableDriveScanning $false `
  -DisableScriptScanning $false `
  -EnableControlledFolderAccess Enabled `
  -EnableNetworkProtection Enabled `
  -PUAProtection Enabled `
  -SignatureUpdateInterval 4 `
  -ScanScheduleDay Everyday `
  -ScanScheduleTime 02:00:00 `
  -RemediationScheduleDay Everyday

Tamper Protection can only be enabled centrally via Intune (Endpoint security → Antivirus → Windows Security experience → Tamper Protection) or Microsoft Defender for Endpoint portal — not via Set-MpPreference. Without Tamper Protection, an attacker with local admin can simply turn off everything you just configured.

Controlled Folder Access (CFA) is Defender’s ransomware-folder protection. After enabling, audit for 14 days (Set-MpPreference -EnableControlledFolderAccess AuditMode); add legitimate apps to the allow list with Add-MpPreference -ControlledFolderAccessAllowedApplications C:\Path\To\App.exe; then enforce.

Network Protection blocks outbound connections to known-bad URLs/IPs based on Microsoft’s threat intelligence. Pair with Defender for Endpoint’s web content filtering for category blocking.

Phase 5: Application Control

Layered defense — each tool catches what the others miss.

Smart App Control

A Microsoft cloud-driven application reputation engine. Only available on clean installs of Windows 11 22H2+. If you upgraded from Win 10, you can’t enable it post-install — you need a clean re-image. The configuration is at Windows Security → App & browser control → Smart App Control settings. Set to On for general users; Evaluation for power users you don’t want to block by default.

WDAC (Windows Defender Application Control)

Real, kernel-enforced app whitelisting. Build a base policy from a clean reference image:


# Build a base WDAC policy from a clean reference image
New-CIPolicy -FilePath C:\WDAC\BasePolicy.xml -Level Publisher -UserPEs -Fallback Hash -ScanPath C:\

# Convert to binary and copy
ConvertFrom-CIPolicy -XmlFilePath C:\WDAC\BasePolicy.xml -BinaryFilePath C:\WDAC\BasePolicy.cip

# Deploy in audit mode first (Set-RuleOption -FilePath BasePolicy.xml -Option 3)
# After 14 days of audit, remove option 3 (audit mode) and re-deploy

WDAC is the highest-effort, highest-reward control on this list. Plan 4–8 weeks for a proper rollout per user persona (admin, dev, finance, etc.). Use Microsoft’s WDAC Wizard for non-PowerShell policy authoring.

SmartScreen

Block at every level:

GPO: Computer Config → Admin Templates → Windows Components → Microsoft Defender SmartScreen → Configure App Install Control = Block apps from outside the Store + Configure Windows Defender SmartScreen = Warn and prevent bypass.

For Edge: Configure Windows Defender SmartScreen = Warn and prevent bypass.

Block Office macros from the internet

GPO: User Config → Admin Templates → Microsoft Office 2016 → Security Settings → Block macros from running in Office files from the Internet = Enabled.

For each app (Word, Excel, PowerPoint, Outlook, Access, PowerPoint): <App> 2016 → Security Settings → VBA Macro Notification Settings = Disable all without notification for high-risk users; Disable with notification for general fleet.

Phase 6: BitLocker + TPM 2.0 + PIN

BitLocker with TPM-only protection is insecure against an attacker with physical access — cold-boot attacks, DMA attacks via Thunderbolt/USB-C, and PCIleech can extract keys. Require TPM + PIN for every enterprise endpoint.

GPO path: Computer Config → Admin Templates → Windows Components → BitLocker Drive Encryption → Operating System Drives:

  • Require additional authentication at startup = Enabled with Configure TPM startup PIN = Require startup PIN with TPM
  • Allow enhanced PINs for startup = Enabled (allows alphanumeric PIN)
  • Configure minimum PIN length for startup = 8 characters
  • Disallow standard users from changing the PIN or password = Enabled (prevents PIN downgrade)
  • Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) = XTS-AES 256-bit

Removable media: Removable Data Drives → Deny write access to removable drives not protected by BitLocker = Enabled.

Recovery key escrow: Intune → Endpoint security → Disk encryption → BitLocker → Save BitLocker recovery information to Microsoft Entra ID = Yes. For AD-joined hosts, the equivalent GPO writes recovery info to the computer object.

Verify deployment:


Get-BitLockerVolume | Format-Table MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus, KeyProtector

You want VolumeStatus = FullyEncrypted, EncryptionMethod = XtsAes256, and the KeyProtector list to include both Tpm and TpmPin.

Phase 7: Privilege management

Remove standard users from local Administrators. This is the single highest-value control on this list. Use Restricted Groups in GPO:

Computer Config → Policies → Windows Settings → Security Settings → Restricted Groups
  → Administrators → Members: DOMAIN\Domain Admins, DOMAIN\Workstation Admins

That declaratively sets the local Administrators group membership on every linked endpoint, removing whatever drift has accumulated.

UAC at maximum:

GPO: Computer Config → Admin Templates → Windows Components → User Account Control (and parallel Security Options) → Behavior of the elevation prompt for administrators in Admin Approval Mode = Prompt for credentials on the secure desktop, Run all administrators in Admin Approval Mode = Enabled, Switch to the secure desktop when prompting for elevation = Enabled.

Just-in-Time admin access: Use Entra Privileged Identity Management (PIM) for cloud roles. For on-prem admin elevation, use a third-party PAM tool (BeyondTrust, CyberArk, Delinea) or build a JIT workflow with Just-In-Time group-add scripts gated by ticket approval.

Disable NTLM to remove the credential-relay path entirely — see the full NTLM disable guide.

Phase 8: Logging & detection

The goal: make every privileged action observable, then forward to a SIEM that someone actually reads.

PowerShell logging trio

GPO: Computer Config → Admin Templates → Windows Components → Windows PowerShell:

  • Turn on Module Logging = Enabled, with all modules: *
  • Turn on PowerShell Script Block Logging = Enabled (Event 4104)
  • Turn on PowerShell Transcription = Enabled, with output to a write-only network share

PowerShell ScriptBlock logging (4104) is the single highest-value Windows event for detecting modern attacks — it captures every PowerShell script body, including decoded base64, before execution.

Sysmon

Sysmon’s process/network/file/registry events are the standard EDR baseline. Deploy with Olaf Hartong’s modular config (community-maintained, MITRE-aligned) or SwiftOnSecurity’s baseline if you want simpler tuning:


# Download Sysmon + Hartong config
Invoke-WebRequest -Uri 'https://download.sysinternals.com/files/Sysmon.zip' -OutFile $env:TEMP\Sysmon.zip
Expand-Archive -Path $env:TEMP\Sysmon.zip -DestinationPath C:\Tools\Sysmon
Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml' -OutFile C:\Tools\Sysmon\config.xml

# Install
C:\Tools\Sysmon\Sysmon64.exe -accepteula -i C:\Tools\Sysmon\config.xml

# Verify
sc query Sysmon64
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 5

Audit policy

Configure to CIS Level 1 minimums. The killer subcategories:

  • Account Logon → Credential Validation: Success and Failure
  • Account Management → User Account Management, Computer Account Management: Success and Failure
  • Detailed Tracking → Process Creation: Success (with command-line auditing GPO enabled)
  • Logon/Logoff → Logon, Logoff, Special Logon: Success and Failure
  • Object Access → File Share, File System (selectively): Success and Failure
  • Policy Change → Audit Policy Change: Success and Failure
  • Privilege Use → Sensitive Privilege Use: Success and Failure

Enable command-line auditing for Event 4688 to include the full process command line: Computer Config → Admin Templates → System → Audit Process Creation → Include command line in process creation events = Enabled.

Forward to SIEM

Without forwarding, logs are a data graveyard. Use Windows Event Forwarding (WEF) for on-prem SIEMs or Azure Monitor Agent (AMA) for Sentinel/Log Analytics. Forward at minimum: Security, System, Application, PowerShell/Operational, Sysmon/Operational, Defender/Operational, AppLocker, NTLM/Operational.

Phase 9: OS surface reduction

Small settings, real attack-surface reduction:

SettingGPO / ActionWhy
Disable Autoplay for all mediaComputer Config → Admin Templates → Windows Components → AutoPlay Policies → Turn off Autoplay = Enabled, All drivesUSB drop attacks
Disable Cortana web searchComputer Config → Admin Templates → Windows Components → Search → Allow Cortana = Disabled, Allow web search = DisabledData leak via search
Set telemetry to Security level (Enterprise only)Computer Config → Admin Templates → Windows Components → Data Collection → Allow Diagnostic Data = Diagnostic data off (Security only)Privacy + reduced internet exposure
Disable Optional FeaturesDisable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2,IIS-WebServerRole,WCF-Services45,Internet-Explorer-Optional-amd64Removes legacy attack surface
Update Rings (Intune)Endpoint Security → Update Rings → Quality updates: 7d defer; Feature updates: 60d defer; Allow updates from Microsoft onlyPatch within SLA, no third-party update spoofing
Disable PowerShell v2Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Rootv2 lacks scriptblock logging — attackers use powershell -version 2 to evade detection

Phase 10: Zero Trust integration

Endpoint hardening is necessary but not sufficient — Zero Trust treats every access request as untrusted until proven otherwise.

Conditional Access policies

In Entra ID, build these baseline policies:

  1. Require MFA for all users (no exceptions; use break-glass accounts excluded)
  2. Require compliant device for accessing Microsoft 365, internal apps
  3. Block legacy auth (basic auth, IMAP, POP3, EWS, MAPI/HTTP)
  4. Block sign-in from anonymising VPNs / Tor
  5. Require password change on high-risk sign-in (Entra ID P2)
  6. Block downloads on unmanaged devices for SharePoint/OneDrive

Device compliance (Intune)

Required compliance settings for “compliant” status:

  • BitLocker = enabled
  • Secure Boot = enabled
  • TPM = present and ready
  • OS version >= 10.0.26100 (Windows 11 24H2)
  • Antivirus = active
  • Antispyware = active
  • Firewall = active
  • Code integrity = enabled
  • No-jailbreak / no admin elevation = clean

Non-compliant devices are then blocked by Conditional Access — the loop is closed.

Continuous Access Evaluation

Enable in Entra ID → Conditional Access → Session → Customise continuous access evaluation. Token revocation becomes near-real-time (typically <5 minutes) instead of waiting for token lifetime. Critical for fast response to compromised accounts.

Ransomware-specific protections

Five settings deliberately stacked for ransomware resilience:

  1. Controlled Folder Access (enabled) — already in Phase 4. Protects Documents, Pictures, etc. against unauthorized write.
  2. ASR rule c1db55ab-c21a-4637-bb3f-a12568109d35 (Use advanced protection against ransomware) — Defender’s behavioral ransomware blocker.
  3. ASR rule e6db77e5-3df2-4cf1-b95a-636979351e5b (Block persistence through WMI event subscription) — kills the most common backdoor for re-infection after cleanup.
  4. Block reboot to Safe Mode (33ddedf1-c6e0-47cb-833e-de6133960387) — ransomware reboots to Safe Mode to evade AV; this rule blocks that.
  5. Backups: 3-2-1, with immutability — 3 copies, 2 different media, 1 offsite, at least one immutable. Veeam Hardened Repository, AWS S3 Object Lock, Azure Immutable Blob.

The 3-2-1 backup with immutability is the last line of defense and the only one that survives a full domain compromise.

CIS Microsoft Windows 11 Enterprise Benchmark alignment

The CIS Benchmark is the most widely-cited baseline. As of 2026, the current version is v3.0.0, with two profiles:

ProfileTargetSettings
Level 1General-purpose enterprise endpoints~280 settings; balances security and operability
Level 2High-security / regulated environments~365 settings; includes restrictions that may break legacy apps

This guide aligns with Level 1 by default and notes Level 2 deltas where applicable (e.g., the “Block executable files unless prevalence/age/trusted” ASR rule is Level 2 only; BitLocker network unlock is Level 2 only).

To deploy CIS automatically: download the CIS-CAT Pro tool or the CIS Build Kit GPO templates from CIS Workbench. Import into a staging OU, link to a pilot ring, audit failures, then expand.

Tool comparison: GPO vs Intune vs PowerShell vs SCM

ToolBest forLimitations
Group Policy (GPO)AD-joined on-prem fleetsDoesn’t apply to Entra-joined; no real-time reporting
Intune (MDM)Entra-joined / hybrid / BYODSome settings only available via CSP; license required (M365 E3+)
PowerShell (Set-MpPreference, etc.)One-off baseline scripting, lab workDrifts on its own; no enforcement loop
Security Compliance Toolkit (SCM)Microsoft Security Baseline importGPO output only; no Intune export
CIS-CAT ProCIS Benchmark assessment + remediationSubscription-only; not a deployment tool
WDAC WizardAuthoring WDAC policiesSingle-purpose

Most enterprises will use Intune as primary + GPO as fallback for AD-only hosts and Security Baseline import.

90-day implementation roadmap

Repeated from the TL;DR for the planner-PMs in your audience. Time-boxed milestones:

DayMilestoneOwner
1–7Baseline import (MS Security Baseline + CIS Level 1) into staging OUPlatform team
8–14Identity hardening (CredGuard, LSA Prot, WHfB, LAPS) on Tier 0 serversIdentity team
15–21Network hardening (SMB signing, disable legacy protocols, DoH) on all serversNetwork team
22–35ASR rules in Audit mode on a pilot OU (200 endpoints)Endpoint team
36–42Defender hardening + Tamper Protection on full fleetEndpoint team
43–49Smart App Control / WDAC base policy in auditApp control team
50–56BitLocker + TPM + PIN rollout per replacement cycleEndpoint team
57–63Local admin removal + UAC max + JIT adminIdentity team
64–77PowerShell logging + Sysmon + SIEM forwardingSOC team
78–84OS surface reduction + Update RingsEndpoint team
85–90Zero Trust (Conditional Access, device compliance, CAE)Identity team

Track each in a project board. Weekly status with the executive sponsor. After day 90, run a formal CIS-CAT scan to measure your compliance score; aim for >85% Level 1 in the first quarter.

Common mistakes (and how to avoid them)

Twelve recurring failures from real Windows 11 hardening projects:

MistakeWhy it happensFix
ASR rules in Block mode on day one“We’re under attack, hurry”Always 14-day Audit first; review hits; then Block
BitLocker with TPM-only (no PIN)“PINs are inconvenient”TPM-only is broken by cold-boot/DMA; TPM+PIN is non-negotiable for enterprise
Domain Admins running on workstationsLegacy practiceHard-separate Tier 0 admin accounts from daily-use accounts
PowerShell logging on but no SIEM forwardingLogging considered “done”Forward to SIEM with retention; otherwise pointless
Tamper Protection offSet-MpPreference can’t enable itEnable via Intune or Defender for Endpoint portal
Credential Guard breaks legacy VPNDriver incompatibilityIdentify with mdmdiagnosticstool /Area DeviceGuard; upgrade driver or replace VPN
WDAC enforce mode on day one breaks everythingSkipped audit phase4–8 weeks of audit per persona; build allow-list iteratively
ASR rule blocking PsExec for sysadminsSysadmin tooling caught by ASRApply rule only to non-admin tier 2 OU; allow PsExec for admin jump hosts
SMB signing breaks third-party NASOld NAS firmwareFirmware update or replacement; no exception list
Removing local admin breaks developer toolsDev tooling needs elevationCreate a dev-tier with elevated permissions on dev-VMs only; never on the developer’s primary laptop
Conditional Access without break-glass accountLocked everyone out (including admins)Always exclude two emergency-only accounts from CA; rotate quarterly
Sysmon deployed with default config“Just install it”Use Olaf Hartong or SwiftOnSecurity config; tune monthly

Windows 11 enterprise hardening audit checklist

Use this quarterly. Each item is yes/no.

Identity & Auth

  • Credential Guard running on every endpoint
  • LSA Protection enabled (RunAsPPL = 1)
  • Windows Hello for Business deployed with cert-trust model
  • Windows LAPS deployed with encryption + tiered RBAC (guide)
  • NTLM auditing enabled; NTLMv2-only on every host (guide)

Network

  • SMBv1 removed
  • SMB signing required (both client and server)
  • LLMNR / NetBIOS / mDNS / WPAD disabled
  • DNS over HTTPS configured
  • Firewall default-deny inbound on all profiles

ASR & Defender

  • All 19 ASR rules in Block (or audit-justified) mode
  • MAPSReporting = Advanced
  • CloudBlockLevel = High
  • Tamper Protection enabled
  • Controlled Folder Access enabled
  • Network Protection enabled
  • Daily scheduled scan configured

Application Control

  • Smart App Control on (or evaluation mode where compatible)
  • WDAC base policy in enforce mode for general fleet
  • SmartScreen at “Warn and prevent bypass” for both Apps and Edge
  • Office macros from internet blocked
  • Office VBA macros disabled with notification

Encryption

  • BitLocker enabled on every endpoint
  • TPM + PIN required (no TPM-only)
  • XTS-AES 256-bit encryption
  • Removable media write-blocked unless BitLocker To Go
  • Recovery keys escrowed in Entra ID / AD

Privilege

  • Standard users removed from local Administrators (verified via Restricted Groups)
  • UAC at maximum (prompt for credentials on secure desktop)
  • No standing admin accounts (PIM/JIT for cloud, PAM for on-prem)
  • NTLM blocked domain-wide with documented exceptions

Logging

  • PowerShell ScriptBlock + Module + Transcript logging enabled
  • Sysmon deployed with maintained config (Hartong or SwiftOnSecurity)
  • Audit policy at CIS Level 1 minimum
  • Command-line auditing for Event 4688
  • All logs forwarded to SIEM with 90-day+ retention

Surface Reduction

  • AutoPlay disabled for all drives
  • Cortana web search disabled
  • Telemetry at Security level (Enterprise SKU)
  • PowerShell v2 disabled
  • IE/legacy components removed via DISM

Zero Trust

  • Conditional Access enforced (MFA + compliant device for all cloud apps)
  • Legacy auth blocked
  • Continuous Access Evaluation enabled
  • Risk-based sign-in policies in place (P2)
  • Break-glass accounts excluded from CA, with rotation

If you’re at <80% on this checklist, prioritize the missing items by phase order — Phase 1 (Identity) gaps are higher-impact than Phase 9 (Surface Reduction) gaps.

Frequently asked questions

How do I harden Windows 11 for enterprise use?
Follow a phased rollout in this order: (1) Identity hardening — Credential Guard, LSA Protection, LAPS, Windows Hello for Business; (2) Network hardening — disable SMBv1/LLMNR/NetBIOS/WPAD, enforce SMB signing; (3) Attack Surface Reduction rules in audit then block; (4) Microsoft Defender hardening with Tamper Protection; (5) Application Control — Smart App Control / WDAC; (6) BitLocker with TPM + PIN; (7) Privilege management — remove standing local admins, disable NTLM; (8) Logging — PowerShell ScriptBlock, Sysmon, SIEM forwarding; (9) OS surface reduction; (10) Zero Trust — Conditional Access, device compliance. Use the CIS Microsoft Windows 11 Enterprise Benchmark v3 Level 1 as your baseline and Microsoft Security Baseline as the floor.
Can I harden Windows 11 Pro the same way as Enterprise?
Mostly yes, with three notable Enterprise-only features: (1) Windows Defender Application Guard (Edge browser isolation, retired in 2024 but some orgs still use it), (2) DirectAccess and AppLocker (Pro has SmartScreen + WDAC but not full AppLocker GUI), (3) Telemetry set to ‘Security’ level requires Enterprise/Education. Pro can still deploy 95% of this guide via Intune or GPO — Credential Guard, LAPS, WDAC, BitLocker, ASR, Defender, Smart App Control are all available.
What is the most important Windows 11 security setting?
There’s no single ‘most important’ but if forced to rank: (1) remove standard users from local Administrators — eliminates 90% of malware impact; (2) enable Tamper Protection on Defender — without it, attackers turn off everything else; (3) enable Credential Guard — kills LSASS credential theft; (4) enable BitLocker with TPM + PIN — physical theft protection; (5) deploy LAPS — kills lateral movement via local admin reuse. Do these five and you’ve blocked the most common attack chains.
How long does it take to harden a Windows 11 enterprise environment?
A measured rollout takes 90 days for a 1,000–5,000 endpoint environment. Aggressive teams compress to 45 days at the cost of more incident risk during transitions. Start with identity (week 1–2) — that’s where the highest-ROI controls live. Save WDAC for last (week 6–8 minimum) because the per-persona policy authoring takes the longest.
Do I need Intune to harden Windows 11, or can Group Policy do everything?
GPO can do ~95% of what’s in this guide, but Intune is required for Tamper Protection, Smart App Control management, and modern device compliance signals. The pragmatic split: GPO for AD-joined fleet, Intune for Entra-joined / hybrid / BYOD. Microsoft is investing all new security features in Intune CSPs first; if you’re cloud-pivoting, plan Intune adoption.
What are Attack Surface Reduction rules and which should I enable?
ASR rules are Microsoft Defender heuristic blocks for common malware behaviour. There are 19 rules as of 2026 — see the full table in this guide. The high-confidence, low-noise rules to Block immediately: Office child processes, Office injection, executable content from email, JS/VBS launching downloaded executables, Win32 API from macros, abuse of vulnerable signed drivers, USB unsigned execution, persistence via WMI, credential theft from LSASS. Run all 19 in Audit mode for 14 days first, then graduate to Block based on hit volume.
Should I require a BitLocker PIN or is TPM-only enough?
Require a PIN. TPM-only BitLocker is broken against attackers with physical access via cold-boot attacks, DMA via Thunderbolt/USB-C, and tools like PCIleech. The minimum enterprise standard is TPM + 8-character PIN. Users complain about PIN entry for a week, then adapt. Enforce via GPO Configure TPM startup PIN = Require startup PIN with TPM.
How does Windows 11 hardening map to Zero Trust?
Endpoint hardening provides the trust signals Zero Trust evaluates. A ‘compliant’ device in Conditional Access is defined by Intune compliance policies: BitLocker on, secure boot, TPM, modern OS, AV active, no jailbreak. Without endpoint hardening, every device is non-compliant, every access request gets blocked, and Zero Trust becomes Zero Productivity. Harden first, then layer Conditional Access on top.
How do I align Windows 11 hardening with the CIS Benchmark?
Download the CIS Microsoft Windows 11 Enterprise Benchmark v3 from CIS Workbench (free for personal use; subscription for the Build Kit GPO templates). Use Level 1 for general-purpose endpoints and Level 2 for high-security tiers. The CIS-CAT Pro assessment tool gives you a compliance score per setting. Realistic target: 85%+ Level 1 in the first quarter, 95%+ within 12 months.
Does enabling Credential Guard break anything?
Yes, in three known-bad cases: (1) legacy VPN clients (Cisco AnyConnect pre-4.10, GlobalProtect pre-5.2) — upgrade or replace; (2) custom AV drivers not signed as PPL — get a signed driver from your vendor; (3) some Citrix Receiver versions — upgrade to current. Audit first with mdmdiagnosticstool.exe /Area DeviceGuard, identify any failure events in Microsoft-Windows-CodeIntegrity/Operational, then deploy.
What's the difference between Smart App Control and WDAC?
Smart App Control is a cloud-driven reputation engine that ships on clean installs of Windows 11 22H2+ — Microsoft decides per-app whether to allow it. Simple to deploy, no policy authoring, but you can’t customize allowlists. WDAC (Windows Defender Application Control) is real kernel-enforced app allowlisting where you author the policy. More work, more control. Use Smart App Control on general fleet, WDAC on high-security tiers and servers.

Conclusion: hardening is a rollout, not a checkbox

Windows 11 enterprise hardening in 2026 is no longer a “lock down a few settings and call it done” exercise — it’s a phased, measured, audit-driven program that closes the credential-theft, lateral-movement, ransomware-execution, and exfiltration paths in sequence. The 10-phase framework in this guide is what gets you from a default Windows 11 image to a CIS Benchmark v3 Level 1-compliant endpoint with the operational realities of an enterprise change-control process baked in.

The three most impactful actions you can take this quarter:

  1. Deploy Windows LAPS — kills lateral movement via local admin password reuse in one sprint.
  2. Deploy the NTLM removal rollout — kills NTLM relay attacks at the protocol level.
  3. Roll the 19 ASR rules through audit and into block — the highest-ROI per-hour-of-work Defender feature.

These three controls alone close the most-abused attack chains we see in modern incident response. The remaining phases harden the surface against the long tail.

If you’re rolling out this guide and hit something not covered — particularly Intune CSP edge cases or WDAC compatibility quirks with your line-of-business apps — get in touch. We maintain a running list of “what breaks during Windows 11 hardening” with vendor-specific fixes.

Share this guide

LinkedIn:

The complete Windows 11 enterprise hardening guide for 2026 — 10 phases, 90 days, CIS Benchmark v3-aligned. Includes the full 19-rule ASR reference, BitLocker + PIN config, Credential Guard, LAPS, Smart App Control, WDAC, and Zero Trust integration. Save for your next hardening project. 👇

X / Twitter:

Windows 11 hardening 90-day plan: 1) Identity (CredGuard, LAPS, WHfB) 2) Network (kill SMBv1/LLMNR/WPAD) 3) ASR audit→block 4) Defender + Tamper Protect 5) Smart App Control + WDAC 6) BitLocker + PIN 7) Remove local admin 8) PS logging + Sysmon 9) Surface reduction 10) Zero Trust. Full guide:

References