Windows 11 Hardening for Cyber Essentials Plus, the Per-Control Engineering Reference

Net Sec Group is an IASME and NCSC certification body. Across our 800-plus engagement history, Windows 11 is the dominant endpoint platform UK SMEs run, which makes Windows 11 Cyber Essentials Plus hardening the highest-volume engineering question we field. This article is the engineering reference: each of the five Cyber Essentials controls mapped onto Windows 11 configuration, with the configuration the assessor accepts, the evidence format the assessor expects, and the rejection patterns we see at audit.

The article complements the netsecgroup.io Windows 11 hardening guide, which is the broader reference; this article adds the assessor-side accept/reject detail per control. For the broader CE Plus assessment-day reference, see the CE Plus Assessment Guide. For the per-control foundations on this site, see Secure Configuration, User Access Control, Malware Protection, Patching and Updates, and Firewalls and Gateways.

The 5-row Windows 11 hardening table

Each row names the CE Plus control, the Windows 11 configuration the assessor accepts cleanly, and the evidence the engineer captures.

| Control | Configuration the assessor accepts | Evidence format |
|---|---|---|
| Boundary Firewalls and Internet Gateways | Windows Defender Firewall on for Domain, Private, and Public profiles, with default-deny on inbound; outbound rules documented; configuration delivered via Group Policy or Intune Endpoint Security Firewall policy | Per-device screenshot of Get-NetFirewallProfile output OR Intune Firewall policy compliance report; Group Policy Object export if delivered via GPO |
| Secure Configuration | Microsoft Security Baseline applied (current version), default account state hardened (Guest disabled, default Administrator renamed and disabled, Power Users group empty), CIS Benchmark or Microsoft Security Baseline as documented standard build, Smart App Control on (Windows 11 24H2+) or AppLocker policy delivered via Intune | Intune compliance report showing baseline applied; AppLocker policy export; per-device security configuration export via secedit /export |
| User Access Control | BitLocker on with TPM-backed protector, recovery key escrow to Entra ID (cloud) or Active Directory (on-premises); local admin separation (standard users do not have local admin); MFA enforced on Entra-joined account sign-in via Conditional Access; UAC at default level (notify when apps make changes) | BitLocker recovery key escrow report from Entra; local admin group membership export via Get-LocalGroupMember Administrators; Conditional Access policy export covering device sign-in |
| Malware Protection | Microsoft Defender Antivirus on with Tamper Protection enabled, cloud-delivered protection on, automatic sample submission on; Attack Surface Reduction (ASR) rules in audit or block mode (Microsoft Security Baseline default set); third-party AV present only where it owns the antivirus role with Defender disabled (no two-AV conflict) | Defender for Endpoint console showing tamper protection state per device, ASR rule mode, last definition update; per-device Defender state export via Get-MpComputerStatus |
| Security Update Management | Windows Update for Business policy delivering quality updates within IASME 14-day window for critical and high severity; supported feature update channel (currently 24H2 LTS where applicable, 24H2 General Availability for the typical SME); Windows 10 fully removed from in-scope estate (or feature update path documented) | Intune compliance report showing patch state per device; Windows Update for Business policy export; feature update inventory showing every device on a supported version |

Per-control engineering detail and assessor accept/reject

Boundary Firewalls

Accept: Windows Defender Firewall configured via Intune Endpoint Security Firewall policy or GPO, with all three profiles (Domain, Private, Public) on, default-deny inbound, and the policy applied to every in-scope device verified through the compliance report.

Reject: a single device with the firewall service stopped or the firewall profile set to off; a "private network" profile that the user has switched the network to in order to allow inbound shares without proper documentation; an outbound rule allowing arbitrary RDP egress because a vendor support tool needs it but with no documented exception.

Secure Configuration

Accept: a documented standard build referencing the current Microsoft Security Baseline or CIS Windows 11 Benchmark. Smart App Control on for Windows 11 24H2 estates that support it (fresh 24H2 installs, not upgrades). AppLocker via Intune for older Windows 11 builds and for hosts where Smart App Control is not available.

Reject: a "standard build" that exists as a wiki page but has not been applied to the fleet via Intune or GPO; a Windows 11 install with the Guest account still enabled or the default Administrator account active; a Power Users group containing standard users on a workstation; default vendor accounts on OEM-imaged devices that the IT team has not removed during enrolment.

User Access Control

Accept: BitLocker on with TPM-backed protector, recovery key escrow to Entra ID (for Entra-joined devices) or to Active Directory (for AD-joined). Local administrators group containing only the named admin role and not the standard user. UAC at default level. Conditional Access policy enforcing MFA on every sign-in to the Entra-joined account.

Reject: BitLocker on but the recovery key only printed by the user and stored locally (no escrow); the standard user account holding local admin permissions because the user "needed it to install something"; UAC set to "never notify" via a Group Policy override; Entra sign-in without Conditional Access (the user's Microsoft 365 password is the only authentication factor).

For the deeper local-admin restriction reference, see the Remediation Guide: Local Admin Restrictions on netsecgroup.io.

Malware Protection

Accept: Microsoft Defender Antivirus on with Tamper Protection enabled, cloud-delivered protection on, automatic sample submission on, ASR rules in block mode (Microsoft Security Baseline default set). Third-party AV (CrowdStrike Falcon, ESET, Sophos, Bitdefender) present where the firm has chosen it as the primary AV, with Microsoft Defender Antivirus disabled to avoid the two-AV conflict, and the third-party console state evidenced.

Reject: Defender on but Tamper Protection off; ASR rules in audit-only mode without a documented plan to move to block mode; two AV products both running and both reporting active (the conflict produces unreliable detection); cloud-delivered protection off because the firm "does not allow telemetry" without a documented compensating control.

Security Update Management

Accept: Windows Update for Business policy enforcing 14-day window for critical and high-severity quality updates; supported feature update channel (24H2 General Availability for the typical SME); Windows 10 fully removed from in-scope estate. Intune compliance report shows every device current on quality updates.

Reject: Windows 10 still in active in-scope use without a documented feature-update plan; quality updates deferred more than 14 days for critical or high severity; a "deferred indefinitely" feature update producing CVE accumulation on the device; Windows 11 23H2 still in scope after general availability of 24H2 has passed long enough that the deferral falls outside the IASME-acceptable window.

For the patching window mechanics, see the Cyber Essentials 14-day Patching Guide on netsecgroup.io.
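The per-device evidence the table names for the firewall, malware-protection and BitLocker rows can be captured in one pass and checked against the accept/reject rules above. This is an added example, not Net Sec Group's own tooling; it runs in an elevated PowerShell session on the in-scope device, and the output file name and the Accept flag are assumptions for illustration.

```powershell
# Added example, not Net Sec Group's own tooling: captures the per-device evidence named in
# the table for the firewall, malware-protection and BitLocker rows and applies the accept/
# reject rules above. Run in an elevated PowerShell session on the in-scope device.
# The output file name and the Accept flag are assumptions for illustration.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Control, $Item, $State, [bool]$Accept) {
    $findings.Add([pscustomobject]@{ Control = $Control; Item = $Item; State = $State; Accept = $Accept })
}

# Boundary firewalls: every profile on, inbound default must not be Allow
# (NotConfigured means the built-in default, Block, still applies).
foreach ($p in Get-NetFirewallProfile) {
    Add-Finding 'Boundary Firewalls' "Profile $($p.Name)" `
        "Enabled=$($p.Enabled) Inbound=$($p.DefaultInboundAction)" `
        (($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -ne 'Allow'))
}

# Malware protection: Tamper Protection, cloud-delivered protection (MAPSReporting 0 = off),
# sample submission (1 = safe samples, 3 = all samples), ASR rules in block (1) vs audit (2),
# and the two-AV conflict: a non-Defender AV registered while Defender is not in passive mode.
$mp   = Get-MpComputerStatus
$pref = Get-MpPreference
Add-Finding 'Malware Protection' 'Tamper Protection' $mp.IsTamperProtected $mp.IsTamperProtected
Add-Finding 'Malware Protection' 'Cloud-delivered protection' $pref.MAPSReporting ($pref.MAPSReporting -ne 0)
Add-Finding 'Malware Protection' 'Sample submission' $pref.SubmitSamplesConsent ($pref.SubmitSamplesConsent -in @(1, 3))
$blockCount = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $_ -eq 1 }).Count
$auditCount = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $_ -eq 2 }).Count
Add-Finding 'Malware Protection' 'ASR rules' "Block=$blockCount Audit=$auditCount" (($blockCount -gt 0) -and ($auditCount -eq 0))
$thirdParty = @(Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct |
    Where-Object displayName -notmatch 'Defender')
$conflict = ($thirdParty.Count -gt 0) -and ($mp.AMRunningMode -notmatch 'Passive')
Add-Finding 'Malware Protection' 'Two-AV conflict' `
    "ThirdParty=$($thirdParty.displayName -join ',') DefenderMode=$($mp.AMRunningMode)" (-not $conflict)

# User access control: BitLocker on for the OS volume with a TPM-backed protector and a
# recovery password. Escrow is evidenced from the Entra ID recovery key report, not locally.
$vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types = @($vol.KeyProtector.KeyProtectorType | ForEach-Object { "$_" })
Add-Finding 'User Access Control' 'BitLocker protection' $vol.ProtectionStatus ($vol.ProtectionStatus -eq 'On')
Add-Finding 'User Access Control' 'BitLocker protectors' ($types -join ',') `
    ([bool]($types -match '^Tpm') -and ('RecoveryPassword' -in $types))

$findings | Format-Table -AutoSize
$findings | ConvertTo-Json | Set-Content -Path "$env:COMPUTERNAME-ce-plus-evidence.json"
```

Any row with Accept = False maps directly onto one of the reject patterns above; the JSON file is the per-device artefact to attach alongside the Intune compliance report.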

The three Windows 11-specific scope errors at audit

Across our engagement history, three patterns recur as Windows 11-specific failures.

Error 1, unsupported feature update version still in active fleet

The applicant has Windows 11 deployed, but a subset of the fleet is on a feature update that Microsoft has stopped supporting (typically because the feature update reached end-of-service while the firm was running its own deferral). Devices on the unsupported feature update accumulate security patches the device cannot install until the feature update advances. The scan reports CVEs the firm believes are patched. The fix: roll the unsupported devices forward via a feature update before the assessment day, validate the patch state with a fresh scan, and document the feature update inventory.

Error 2, third-party AV in conflict with Defender

The applicant runs CrowdStrike (or ESET, Sophos, Bitdefender) as the primary AV. Defender is supposed to be disabled but is in fact still running on a subset of the fleet because the disablement was inconsistent. Both AVs report active, both flag findings, and the scan output shows a confusing picture. The assessor flags the conflict and queries which AV is authoritative. The fix: confirm exactly one AV is active per device via Intune compliance and the third-party console; document the disablement of the other.

Error 3, local admin granted to standard users via UAC bypass settings

The applicant has documented standard-user-only sign-in, but a UAC override (registry key, Group Policy setting, or Intune device configuration) has effectively granted local admin to the standard user. The scanner detects the elevation; the engineer is surprised because the user account is nominally in the standard users group. The fix: audit UAC bypass settings via Get-LocalGroupMember Administrators and secedit /export, remove the bypass, re-test elevation prompts, and document the change.
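The audit step for Error 3 can be scripted so that the UAC policy values, the local Administrators membership and the secedit export are captured together. This is an added example, not Net Sec Group's own tooling; $expectedAdmins, the placeholder domain group and the export path are assumptions to replace with the firm's documented admin roles.

```powershell
# Added example, not Net Sec Group's own tooling: audits the two sources of an Error 3
# finding, UAC policy values that weaken or switch off elevation prompts and unexpected
# members of the local Administrators group, then exports the local security policy for
# the evidence pack. $expectedAdmins and the output path are assumptions. Run elevated.
$expectedAdmins = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\WorkstationAdmins')  # assumed documented roles

# UAC values live here whether set by hand, by GPO or by an Intune device configuration.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac    = Get-ItemProperty -Path $uacKey
$checks = @(
    @{ Name = 'EnableLUA';                     Weak = @(0); Why = 'UAC switched off entirely' }
    @{ Name = 'ConsentPromptBehaviorAdmin';    Weak = @(0); Why = '0 = elevate silently ("never notify")' }
    @{ Name = 'PromptOnSecureDesktop';         Weak = @(0); Why = 'prompt not isolated from the user session' }
    @{ Name = 'LocalAccountTokenFilterPolicy'; Weak = @(1); Why = 'remote UAC token filtering disabled for local accounts' }
)
$uacFindings = foreach ($c in $checks) {
    $val = $uac.($c.Name)
    [pscustomobject]@{
        Setting  = $c.Name
        Value    = $(if ($null -eq $val) { '(not set: OS default applies)' } else { $val })
        Weakened = ($null -ne $val) -and ($val -in $c.Weak)
        Note     = $c.Why
    }
}

# Local Administrators membership against the documented admin roles. On Entra-joined devices
# the LocalAccounts module can fail to resolve cloud SIDs; "net localgroup Administrators" is the fallback.
$adminFindings = foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    [pscustomobject]@{
        Member   = $m.Name
        Class    = $m.ObjectClass
        Source   = $m.PrincipalSource
        Expected = ($m.Name -in $expectedAdmins)
    }
}

# Local security policy export: the assessor reads [System Access] and [Privilege Rights].
$secPath = Join-Path $env:TEMP "$env:COMPUTERNAME-secpol.cfg"
secedit /export /cfg $secPath | Out-Null

$uacFindings   | Format-Table -AutoSize
$adminFindings | Format-Table -AutoSize
"Security policy exported to $secPath"
```

A Weakened = True row or an Expected = False member is the override to remove before re-testing the elevation prompt; the exported .cfg and both tables go into the evidence pack.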

Practitioner observations from 800-plus engagements

Three observations decide Windows 11 CE Plus pass rate in practice.

1. Intune-delivered policies survive audits more reliably than GPO-delivered policies on Entra-joined estates. GPO is acceptable but the audit trail is harder to capture cleanly when the firm runs hybrid Entra-AD-joined devices. Intune produces a compliance report per device that the assessor reads as a single artefact; GPO requires multiple exports stitched together.

2. The Microsoft Security Baseline catches more CIS-Benchmark items than engineers expect. Applying the current Security Baseline (24H2 baseline at time of writing) covers the bulk of CIS Windows 11 Benchmark items without a separate CIS deployment, which simplifies the documented standard build. CIS Benchmark deployment makes sense where the firm has a separate CIS-mandated requirement; otherwise the Security Baseline is the simpler path.

3. BitLocker recovery key escrow to Entra ID is the cleanest evidence path because the escrow report exports per device with the recovery key reference (not the key itself). Engineers who escrow to AD or to a third-party key vault have to compose an equivalent report manually, which is acceptable but slower to assemble.

Common questions

Does Windows 11 Home pass CE Plus?

Generally not, because Windows 11 Home lacks BitLocker management, Group Policy enforcement, and Intune-managed configuration at the level CE Plus expects. CE Plus engagements on Windows 11 estates almost always run on Pro or Enterprise. If a device on Home accesses in-scope data, the cleanest path is to upgrade to Pro before the engagement.

What about Windows 11 ARM (Snapdragon) devices?

Supported. The hardening configuration is the same as for x64; the configuration tooling (Intune, Group Policy, security baselines) is platform-agnostic. The scanner coverage on ARM is slightly thinner than on x64; verify the scanner covers ARM before booking, or supplement with per-device evidence on ARM devices.

Does Windows 11 24H2 require any different configuration?

The major shift is Smart App Control replacing AppLocker as the default application-control mechanism on fresh 24H2 installs. Estates upgrading from older Windows 11 retain AppLocker; fresh 24H2 installs default to Smart App Control. The assessor accepts either; document which mechanism is in use per device.

Where do we book CE Plus?

Book a Cyber Essentials Plus assessment with Net Sec Group. The booking form lets you describe the Windows 11 fleet topology; the assessor confirms the scope and engagement timeline.

Where this fits on this site

This article is the Windows 11 spoke under the platform-specific pillar. The other platform-specific spokes are Intune for CE Plus configuration, macOS for CE Plus checklist, and Google Workspace for CE Plus. For the per-control foundation references, see Secure Configuration, User Access Control, Malware Protection, Patching and Updates, and Firewalls and Gateways on this site.
