Owner: Desktop Engineering · Standard: Windows 11 CIS Level 1 · Review Cycle: 6 months
This page defines the operating system build standards for all corporate endpoints. The standard build is based on Windows 11 Enterprise hardened to CIS Benchmark Level 1. Build artefacts are maintained in a golden image library and deployed via Intune Autopilot or, for VDI, via Citrix Machine Creation Services (MCS).
| OS | Edition | Version | Build | Support Status |
|---|---|---|---|---|
| Windows 11 | Enterprise | 23H2 | 22631 | ✅ Current Standard |
| Windows 11 | Enterprise | 22H2 | 22621 | ⚠️ Supported — upgrade scheduled |
| Windows 10 | Enterprise | 22H2 | 19045 | 🔴 Deprecated — migration in progress |
| macOS | — | 14 (Sonoma) | — | ✅ Approved (Dev / Designer use) |
The Windows 11 golden image is built monthly using a Packer + MDT pipeline and tested before deployment. The base image contains:
| Application | Version | Purpose |
|---|---|---|
| Microsoft 365 Apps | Current Channel | Productivity suite |
| Microsoft Teams | Latest stable | Collaboration |
| Microsoft Edge | Latest stable | Primary browser |
| Microsoft Defender for Endpoint | Latest | AV / EDR |
| Cisco Secure Client (AnyConnect) | 5.1 | Corporate VPN |
| Citrix Workspace App | Latest LTSR | VDI access |
| Intune Management Extension | Auto-provisioned | Win32 app deployment |
| Dell Command Update | Latest | Driver/BIOS updates |
| 7-Zip | Latest | Archive utility |
| Notepad++ | Latest | Text editor |
The following Windows components are removed or disabled from the standard build:
The build conforms to CIS Microsoft Windows 11 Enterprise Benchmark v3.0.0 — Level 1. Key control areas:
| Setting | Configured Value |
|---|---|
| Minimum password length | 14 characters |
| Password complexity | Enabled |
| Password history | 24 passwords remembered |
| Maximum password age | 90 days |
| Account lockout threshold | 5 invalid attempts |
| Account lockout duration | 15 minutes |
Note: Passphrase policy is being reviewed in line with NIST SP 800-63B guidance (removing complexity requirements in favour of length). ETA H2 2026.
| Setting | Value |
|---|---|
| Windows Firewall (Domain profile) | Enabled, default deny inbound |
| Windows Firewall (Private profile) | Enabled, default deny inbound |
| Windows Firewall (Public profile) | Enabled, block all inbound |
| SMBv1 | Disabled |
| LLMNR | Disabled |
| NetBIOS over TCP/IP | Disabled |
| Remote Registry | Disabled |
| Autorun/Autoplay | Disabled |
| Unsigned scripts (PowerShell) | Disabled — AllSigned policy |
| WDigest credential caching | Disabled |
| LSASS protection (RunAsPPL) | Enabled |
| Credential Guard | Enabled (Windows 11 default) |
| Setting | Value |
|---|---|
| Encryption algorithm | XTS-AES 256-bit |
| Protectors | TPM 2.0 + PIN (shared devices), TPM only (personally assigned devices) |
| Recovery key | Escrowed to Entra ID / Intune |
| Fixed data drives | Encrypted (BitLocker To Go disabled for removable) |
| Removable drives | Read-only if not BitLocker encrypted |
Monthly Golden Image Build Pipeline
─────────────────────────────────────────────────────
1. Trigger: Monthly (3rd Tuesday) or critical patch release
2. Packer builds WIM from clean Windows 11 ISO
3. MDT task sequence applies:
   a. Windows Updates (all available)
   b. CIS hardening via DSC (PowerShell Desired State Config)
   c. Standard application installs
   d. Sysprep generalise
4. WIM tested in 3-VM test lab:
   a. Autopilot enrolment test
   b. Application launch tests
   c. CIS compliance scan (CIS-CAT Pro)
5. Image promoted to production Autopilot profile
6. Change record closed, release notes published to this wiki
All devices are scanned monthly using CIS-CAT Pro (deployed as an Intune remediation script). Results are:
Current fleet compliance score: 96.2% (target: ≥95%)
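As an added example (not the page's or the desktop team's own tooling), the script below is an Intune remediation *detection* script that spot-checks several of the tabled hardening and BitLocker settings between monthly CIS-CAT Pro runs. The registry paths and cmdlets are the standard Windows locations for these controls; the expected values come from the tables above, and the exit-code contract (0 = compliant, 1 = drift) is Intune's.

```powershell
# Added example: Intune remediation detection script for build-standard spot checks.
# Exit 0 = compliant, exit 1 = drift found; findings are written to stdout so they
# appear in the Intune remediation report. Run as SYSTEM (the Intune default).
$findings = [System.Collections.Generic.List[string]]::new()

function Test-RegValue {
    param([string]$Path, [string]$Name, $Expected, [string]$Control)
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $actual -or $actual -ne $Expected) {
        $findings.Add("$Control`: expected '$Expected', found '$actual'")
    }
}

# Network / credential hardening table
Test-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast' 0 'LLMNR disabled'
Test-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential' 0 'WDigest caching disabled'
Test-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun' 255 'Autorun/Autoplay disabled'
Test-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell' 'ExecutionPolicy' 'AllSigned' 'PowerShell AllSigned'

# RunAsPPL: 1 = enabled, 2 = enabled with UEFI lock; either satisfies the control
$ppl = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
if ($ppl -lt 1) { $findings.Add("LSASS RunAsPPL: expected 1 or 2, found '$ppl'") }

if ((Get-SmbServerConfiguration).EnableSMB1Protocol) { $findings.Add('SMBv1 server protocol enabled') }
if ((Get-Service RemoteRegistry).StartType -ne 'Disabled') { $findings.Add('Remote Registry service not disabled') }

# Firewall: every profile on with default-deny inbound; Public additionally blocks all inbound rules
foreach ($p in Get-NetFirewallProfile) {
    if ($p.Enabled -ne 'True' -or $p.DefaultInboundAction -ne 'Block') {
        $findings.Add("Firewall $($p.Name): Enabled=$($p.Enabled) DefaultInbound=$($p.DefaultInboundAction)")
    }
    if ($p.Name -eq 'Public' -and $p.AllowInboundRules -ne 'False') {
        $findings.Add('Firewall Public: inbound rules still allowed (expected block all inbound)')
    }
}

# BitLocker: OS volume protected with XTS-AES 256
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($os.ProtectionStatus -ne 'On' -or $os.EncryptionMethod -ne 'XtsAes256') {
    $findings.Add("BitLocker OS drive: Protection=$($os.ProtectionStatus) Method=$($os.EncryptionMethod)")
}

# Credential Guard: SecurityServicesRunning contains 1 when it is active
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
if ($dg.SecurityServicesRunning -notcontains 1) { $findings.Add('Credential Guard not running') }

if ($findings.Count -gt 0) {
    Write-Output ($findings -join '; ')
    exit 1
}
Write-Output 'Compliant with build-standard spot checks'
exit 0
```

This complements rather than replaces the CIS-CAT Pro scan: it covers only the controls listed on this page, so a clean result here does not imply full Level 1 compliance.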
macOS devices follow CIS macOS Sonoma Benchmark Level 1, applied via Intune configuration profiles. Key settings:
https://www.cisecurity.org/cis-benchmarks
https://compliance.internal/desktop