Windows 11 security baseline

Security Baselines Are a Starting Point — Not a Deployment Strategy

Microsoft publishes a Windows 11 security baseline through its Security Compliance Toolkit (as GPO backups you import into Group Policy) and as a built-in security baseline profile in Intune. On paper, it looks like a clean “apply and secure” package.

In reality? It’s not that simple.

Over the years — from managing on-prem AD domains to deploying Intune-managed fleets — I’ve seen organisations either:

  • Blindly apply the full baseline and break line-of-business applications
  • Ignore the baseline entirely and remain dangerously exposed

The truth sits in the middle.

A security baseline is a framework. Your enforcement strategy determines whether it improves security or causes operational pain.

This article isn’t a rewrite of Microsoft documentation. It’s what I actually enforce in production environments — and why.


Understanding What the Windows 11 Security Baseline Actually Does

The Windows 11 baseline primarily focuses on:

  • Credential protection
  • Attack Surface Reduction (ASR)
  • Defender configuration
  • Virtualisation-Based Security (VBS)
  • SMB protocol hardening
  • BitLocker enforcement
  • Account lockout and authentication policies
  • Exploit protection settings

It assumes:

  • TPM 2.0 enabled
  • Secure Boot enabled
  • UEFI firmware
  • Modern CPU with virtualisation support

If your fleet doesn’t meet these requirements consistently, you’ll experience friction.

Before applying anything, I always audit:

  • TPM status (tpm.msc)
  • Secure Boot state
  • Virtualisation support in BIOS
  • Existing GPO conflicts
  • Legacy software dependencies

Security begins with visibility.
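Here is that audit as a script. This is an added example, not something from the original post: a read-only PowerShell function you run elevated on a pilot device (or push out as a script) that reads TPM, Secure Boot, firmware type, CPU virtualisation and the Win32_DeviceGuard readiness properties, and summarises the blockers. The "Blockers" logic is my own; the property names and the AvailableSecurityProperties codes are Microsoft's, but check them against the Win32_DeviceGuard documentation for your build.

```powershell
# Added example: hardware and firmware readiness audit for the Windows 11 baseline.
# Read-only. Run elevated (Get-Tpm and Confirm-SecureBootUEFI need admin rights).
function Get-BaselineReadiness {
    $tpm     = Get-Tpm
    $tpmSpec = (Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion
    # Confirm-SecureBootUEFI throws on legacy BIOS machines, so an error means "not supported"
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $dg  = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

    # Once a hypervisor is running (VBS or Hyper-V), Win32_Processor stops reporting VT-x/SLAT,
    # so HypervisorPresent is the real "virtualisation is usable" signal on those machines.
    $virtOk = $cs.HypervisorPresent -or ($cpu.VirtualizationFirmwareEnabled -and $cpu.SecondLevelAddressTranslationExtensions)

    $blockers = @()
    if ($env:firmware_type -ne 'UEFI')                  { $blockers += 'Legacy BIOS boot (needs UEFI)' }
    if (-not $tpm.TpmPresent)                           { $blockers += 'No TPM' }
    elseif (-not $tpm.TpmReady)                         { $blockers += 'TPM present but not ready (clear/initialise it in firmware)' }
    if ($tpmSpec -and -not $tpmSpec.StartsWith('2.0'))  { $blockers += "TPM spec $tpmSpec (needs 2.0)" }
    if ($secureBoot -ne $true)                          { $blockers += 'Secure Boot off' }
    if (-not $virtOk)                                   { $blockers += 'CPU virtualisation/SLAT disabled in firmware' }
    # AvailableSecurityProperties codes: 1 = base virtualisation support, 2 = Secure Boot,
    # 3 = DMA protection, 7 = Mode Based Execution Control (MBEC; HVCI is slow without it)
    if ($dg.AvailableSecurityProperties -notcontains 1) { $blockers += 'VBS base support not reported by firmware' }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Firmware         = $env:firmware_type
        TpmSpec          = $tpmSpec
        SecureBoot       = $secureBoot
        VirtualisationOK = $virtOk
        MBEC             = ($dg.AvailableSecurityProperties -contains 7)
        VbsStatus        = $dg.VirtualizationBasedSecurityStatus   # 0 = off, 1 = configured, 2 = running
        ServicesRunning  = $dg.SecurityServicesRunning              # 1 = Credential Guard, 2 = HVCI
        Ready            = ($blockers.Count -eq 0)
        Blockers         = ($blockers -join '; ')
    }
}

# Usage: collect this from every pilot device and clear the blockers before touching policy.
Get-BaselineReadiness | Format-List
# For existing GPO conflicts, export the resultant set of policy on the same device and
# compare it with the baseline's GPO backup:  gpresult /h "$env:TEMP\rsop.html" /f
```

Keep the output per device. Six months later, when a machine misbehaves after a feature update, the pre-baseline readiness record is the first thing you will want.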


What I Always Enforce in Production

These are non-negotiable in 2026.


1. BitLocker with TPM and Key Escrow

If you enforce only one control, make it this.

Device theft is still one of the most common data breach vectors.

I enforce:

  • TPM-backed BitLocker on the OS drive (no USB startup keys)
  • Recovery keys escrowed to:
    • Microsoft Entra ID (formerly Azure AD) for cloud-managed devices
    • Active Directory for on-prem domains
  • Pre-boot PIN only in high-risk environments, because it costs you every unattended reboot

Why?

Because a lost or stolen device holding unencrypted personal information is very likely to be an eligible data breach under the Australian Notifiable Data Breaches scheme. Encryption with a key the thief does not have is the main fact that lets you argue the data is not reasonably accessible, and that argument only holds if you can show the device was encrypted and the recovery key was escrowed somewhere other than on the device.

BitLocker changes that scenario entirely, provided you can prove it was on.
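The enforcement order matters more than people think: escrow the recovery password first, then start encryption, so a failed escrow never leaves you with an encrypted device and no key. Here is that order as a script. It is an added example, not the post's own tooling, and it assumes a ready TPM 2.0, an Entra-joined device by default, or (with -OnPremAD) a domain-joined device where Group Policy already allows recovery information to be stored in AD DS.

```powershell
# Added example: TPM-only BitLocker on the OS drive with the recovery password escrowed
# before encryption starts. Run elevated. Assumes TPM 2.0 ready and either Entra join
# (BackupToAAD-BitLockerKeyProtector) or AD join with AD DS key backup allowed by GPO.
function Enable-ManagedBitLocker {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [switch]$OnPremAD
    )

    if (-not (Get-Tpm).TpmReady) { throw 'TPM is not ready; fix firmware/ownership before enabling BitLocker' }
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # 1. Recovery password first, so escrow can succeed before a single byte is encrypted.
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
    }
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    foreach ($kp in $recovery) {
        if ($OnPremAD) { Backup-BitLockerKeyProtector      -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null }
        else           { BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null }
    }

    # 2. TPM protector only (no startup key on USB), XTS-AES 256. Used-space-only keeps the
    #    initial encryption short on fresh builds; -SkipHardwareTest avoids the extra reboot,
    #    which is acceptable once the readiness audit has passed on this hardware.
    if ($vol.ProtectionStatus -eq 'Off' -and -not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
        Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod XtsAes256 `
            -UsedSpaceOnly -SkipHardwareTest | Out-Null
    }

    # 3. Report what a compliance check (and an incident responder) will look at.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus      # must be 'On' before the device leaves the building
        VolumeStatus     = $vol.VolumeStatus
        EncryptionMethod = $vol.EncryptionMethod
        Protectors       = ($vol.KeyProtector.KeyProtectorType -join ',')
        RecoveryKeyIds   = ($recovery.KeyProtectorId -join ',')   # match these against Entra ID / AD
    }
}

Enable-ManagedBitLocker              # Entra-joined device
# Enable-ManagedBitLocker -OnPremAD  # domain-joined device
```

The RecoveryKeyIds line is the part worth keeping in your records: after a theft, the first question is whether the escrowed key ID matches the protector that was on the drive, and a device whose key was never escrowed is exactly the unrecoverable case the ordering above is meant to prevent.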


2. Credential Guard and LSASS Protection

Credential theft remains a primary lateral movement technique.

Windows 11 handles Credential Guard more reliably than Windows 10 when VBS is enabled on supported hardware, and on Windows 11 22H2 and later, Enterprise and Education devices that meet the hardware requirements turn it on by default. Audit what is already running before you assume you are enabling anything.

I enforce:

  • LSA Protection (LSASS running as a protected process, RunAsPPL)
  • Credential Guard where hardware supports it

Yes, this can break older drivers, legacy VPN clients and anything that reads LSASS memory, some AV and backup agents included.

That's why pilot testing matters, and why the UEFI-locked variants of both settings belong at the end of the pilot, not the start: once locked, they cannot be undone by policy.


3. Disable SMBv1 Completely

If SMBv1 is still enabled, that’s a red flag.

There is no valid modern reason to run SMBv1 on business endpoints.

If a device requires it:

  • Isolate it
  • Replace it
  • Do not weaken the fleet for one legacy system
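Before you remove SMBv1, find out who is still using it; the "isolate or replace" decision needs a list of names. Here is the audit-then-disable sequence as an added example (not the post's own script). It uses the built-in SMB1 access audit (event 3000 in the Microsoft-Windows-SMBServer/Audit log) on the server side and this machine's own outbound SMB dialects on the client side; the regex that pulls the client address out of the event message text is my own and depends on that message format.

```powershell
# Added example: find out who still speaks SMB1, then remove it. Run elevated.
function Start-Smb1Audit {
    # Logs event 3000 in Microsoft-Windows-SMBServer/Audit for every inbound SMB1 session
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

function Get-Smb1Clients {
    param([int]$Days = 30)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    # The client address lives in the message text; count sessions per client
    $events | ForEach-Object {
        if ($_.Message -match 'Client Address:\s*(?<addr>\S+)') { $Matches.addr }
    } | Group-Object | Sort-Object Count -Descending |
        Select-Object @{ n = 'Client'; e = { $_.Name } }, Count
}

function Get-Smb1Outbound {
    # Dialects below 2.0 on this machine's own connections mean the server
    # (often a NAS, printer or appliance) is SMB1-only
    Get-SmbConnection | Where-Object { [version]$_.Dialect -lt [version]'2.0' } |
        Select-Object ServerName, ShareName, Dialect, UserName
}

function Disable-Smb1 {
    # Turn the server-side protocol off immediately, then remove the SMB1 feature
    # (client and server components); the feature removal completes on reboot.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    if ($feature.State -ne 'Disabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol | Select-Object FeatureName, State
}

Start-Smb1Audit            # day 0 on file servers and the pilot ring
Get-Smb1Clients -Days 30   # after the audit window: anything listed gets isolated or replaced
Get-Smb1Outbound           # servers this client can only reach over SMB1
Disable-Smb1               # once both lists are empty
```

Run the audit on the file servers as well as the endpoints; the SMB1 talker you find is usually a multifunction printer scanning to a share, and that is a firmware update or a replacement, not a reason to keep SMB1 on the fleet.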

4. Defender Antivirus in Active Mode

Even if a third-party AV is installed, I evaluate:

  • Is Defender in passive mode? If another product is the registered AV, Defender drops to passive mode and the baseline's real-time protection and ASR settings do nothing.
  • Are ASR rules available? They only apply when Defender is the active AV with real-time protection on.
  • Is tamper protection enabled?

In many small and mid-sized business environments, Defender alone is sufficient when properly configured.

The mistake is leaving it in default consumer mode.


Attack Surface Reduction (ASR): Where Most Admins Get It Wrong

ASR rules are powerful — but dangerous if deployed carelessly.

The baseline enables several ASR rules. Some are excellent. Some require staged deployment.

Here’s how I approach them.


Start in Audit Mode

Never enforce immediately.

Run every rule in audit mode for at least 30 days and monitor the audit events via:

  • Microsoft Defender portal
  • Event Viewer (Microsoft-Windows-Windows Defender/Operational: event 1122 for audited rule hits, 1121 for blocks)
  • Intune reporting

You will discover:

  • Finance macros triggering blocks
  • Legacy installers flagged
  • In-house applications behaving unusually

Blind enforcement causes helpdesk chaos.


ASR Rules I Usually Enforce

After testing, I typically enforce:

  • Block credential stealing from LSASS
  • Block executable content from email and webmail
  • Block Office apps creating child processes (after validation)

ASR Rules I Phase Carefully

  • Block Office from injecting into other processes
  • Block Win32 API calls from Office macros

These can break legitimate automation scripts.
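The whole staged approach, from the Defender active-mode check through 30 days of audit to enforcing the first three rules while the two Office rules stay in audit, fits in one script. This is an added example and not the post's own tooling. The rule GUIDs are Microsoft's published ASR identifiers as I know them; verify them against the ASR rules reference before pushing anything. Event IDs 1121/1122 are Microsoft's; the regex that reads the rule ID, path and process out of the event message text is mine and depends on that message layout.

```powershell
# Added example: ASR staged deployment with Defender mode check. Run elevated.
# Rule GUIDs: Microsoft's published ASR rule identifiers (verify against the ASR reference).
$AsrRules = @{
    'Block credential stealing from LSASS'            = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block executable content from email and webmail' = 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'
    'Block Office apps creating child processes'      = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Block Office injecting into other processes'     = '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
    'Block Win32 API calls from Office macros'        = '92e97fa1-5d1f-4e2c-a4f9-fc1bc3d3b3e4'
}

function Test-DefenderActive {
    # ASR rules only apply when Defender is the primary AV; in passive mode the policy is a no-op
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        RunningMode     = $s.AMRunningMode            # want 'Normal', not 'Passive Mode'
        RealTime        = $s.RealTimeProtectionEnabled
        TamperProtected = $s.IsTamperProtected
        AsrWillApply    = ($s.AMRunningMode -eq 'Normal' -and $s.RealTimeProtectionEnabled)
    }
}

function Set-AsrRules {
    param([hashtable]$Plan)   # rule id -> 'AuditMode' | 'Enabled' | 'Warn' | 'Disabled'
    if (-not (Test-DefenderActive).AsrWillApply) { throw 'Defender is not the active AV; ASR settings would not take effect' }
    $ids     = [string[]]$Plan.Keys
    $actions = [string[]]@($ids | ForEach-Object { $Plan[$_] })   # same order as $ids
    # Set-MpPreference replaces the whole ASR rule set, so always pass the complete plan
    Set-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions
}

function Get-AsrHits {
    param([int]$Days = 30)
    $byId = @{}; $AsrRules.GetEnumerator() | ForEach-Object { $byId[$_.Value] = $_.Key }
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $id = if ($_.Message -match '(?i)\bID:\s*([0-9a-f-]{36})') { $Matches[1].ToLower() } else { 'unknown' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1122) { 'audit' } else { 'block' }
            Rule    = if ($byId[$id]) { $byId[$id] } else { $id }
            Process = if ($_.Message -match '(?i)Process Name:\s*([^\r\n]+)') { $Matches[1] } else { '' }
            Path    = if ($_.Message -match '(?i)Path:\s*([^\r\n]+)') { $Matches[1] } else { '' }
        }
    }
}

# Day 0: everything in audit, Defender verified active
$audit = @{}; $AsrRules.Values | ForEach-Object { $audit[$_] = 'AuditMode' }
Set-AsrRules -Plan $audit

# Day 30: what would have been blocked, grouped by rule and process (your exception list)
Get-AsrHits -Days 30 | Group-Object Rule, Process | Sort-Object Count -Descending | Select-Object Count, Name

# After exceptions are handled: enforce the first three, keep the two Office rules in audit
$enforce = $audit.Clone()
'Block credential stealing from LSASS', 'Block executable content from email and webmail',
'Block Office apps creating child processes' | ForEach-Object { $enforce[$AsrRules[$_]] = 'Enabled' }
Set-AsrRules -Plan $enforce
```

In an Intune-managed fleet the same plan goes into an Attack Surface Reduction profile rather than Set-MpPreference, but the Get-AsrHits output is still what you want on the pilot machines: it tells you which rule, which process, and how often, which is the conversation you need to have with finance about their macros before enforcement day.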


Virtualisation-Based Security (VBS): Performance vs Protection

VBS is often blamed for performance issues.

On older hardware, that criticism was valid: without Mode Based Execution Control (MBEC) in the CPU, HVCI has to emulate the check in software and the overhead is noticeable.

On modern CPUs with hardware virtualisation support and MBEC?

The performance impact is minimal.

Windows 11 handles VBS better than Windows 10, especially on 11th gen Intel and newer.

I enable:

  • Memory Integrity (HVCI)
  • Credential Guard
  • Kernel DMA Protection (this one is not a switch: the firmware either supports it or not, and msinfo32 reports whether it is on)

On modern fleet hardware, there is little reason not to.
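Here is the pilot configuration for the VBS section and the Credential Guard/LSA protection section above, followed by the check that shows what is actually running after the reboot. This is an added example, not the post's own script. The registry values and their meanings are the documented ones (RunAsPPL=2 and LsaCfgFlags=2 are the "enabled without UEFI lock" forms; RunAsPPL=2 needs Windows 11 22H2 or later), and the pilot defaults deliberately avoid the UEFI lock so that a bad driver can be backed out by policy. In production you would push these through Intune or Group Policy; the script is the quickest way to get a pilot machine to the same state.

```powershell
# Added example: LSA protection, Credential Guard and HVCI for a pilot ring, then verification.
# Run elevated. Pilot values avoid the UEFI lock so the settings remain reversible by policy;
# pass -UefiLock only after the pilot has proven the drivers and VPN clients.
function Set-VbsPilotConfig {
    param([switch]$UefiLock)

    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $dg   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $hvci = "$dg\Scenarios\HypervisorEnforcedCodeIntegrity"
    New-Item -Path $hvci -Force | Out-Null

    # VBS on, requiring Secure Boot (1); use 3 to also require DMA protection on supporting hardware
    Set-ItemProperty $dg -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    Set-ItemProperty $dg -Name RequirePlatformSecurityFeatures   -Value 1 -Type DWord
    # HVCI (Memory Integrity): Enabled=1; Locked=1 means it cannot be turned off remotely
    Set-ItemProperty $hvci -Name Enabled -Value 1 -Type DWord
    Set-ItemProperty $hvci -Name Locked  -Value ([int]$UefiLock.IsPresent) -Type DWord
    # Credential Guard: 1 = enabled with UEFI lock, 2 = enabled without lock
    Set-ItemProperty $lsa -Name LsaCfgFlags -Value $(if ($UefiLock) { 1 } else { 2 }) -Type DWord
    # LSA protection (LSASS as a protected process): 1 = with UEFI lock, 2 = without (Windows 11 22H2+)
    Set-ItemProperty $lsa -Name RunAsPPL    -Value $(if ($UefiLock) { 1 } else { 2 }) -Type DWord
    Write-Warning 'Reboot required; run Test-VbsState afterwards'
}

function Test-VbsState {
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    # Wininit event 12 in the System log is written at boot when LSASS starts as a protected process
    $ppl = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 } `
               -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
        HvciRunning            = ($dg.SecurityServicesRunning -contains 2)
        LsassProtected         = [bool]$ppl
        LsassProtectedSince    = $ppl.TimeCreated
    }
}

Set-VbsPilotConfig     # pilot ring, reversible
Test-VbsState          # after the reboot: all four booleans should be True
```

If HvciRunning stays False after the reboot, the usual cause is an incompatible kernel driver; Windows lists them under Core isolation in the Security settings app, and that list, not the policy, is what you need to fix before the rule goes to the wider fleet.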


Account Policies: Balance Security with Reality

Microsoft’s baseline sets the account lockout threshold at 10 attempts; other hardening guides, CIS benchmarks among them, push harder.

Be careful.

Too aggressive:

  • 5 invalid attempts
  • 15-minute lockout

In small and mid-sized business environments, this results in:

  • Constant helpdesk calls
  • Frustrated users
  • Users locking themselves out after every password change, because a phone or a mapped drive keeps retrying the old password

It also hands an attacker a cheap denial of service: anyone who can enumerate usernames can lock out the whole company by spraying wrong passwords.

I recommend:

  • 10 failed attempts
  • 15-minute lockout
  • 15-minute reset counter

That is also where the Microsoft baseline sits. Security should reduce risk, not cripple productivity.


SMB Hardening and Network Security

The baseline tightens:

  • NTLM usage
  • SMB signing requirements
  • Guest (insecure guest logon) access

SMB signing should be enabled, and Windows 11 24H2 already requires it for outbound SMB connections by default, so the first place you feel it may be the OS upgrade rather than the baseline.

However, test network performance impacts if you’re running older NAS devices: signing adds a per-message authentication code, and a low-end NAS CPU is where that shows.

I’ve seen legacy NAS firmware struggle under mandatory signing, and some that cannot sign at all; once the client requires signing, those shares simply stop mounting.
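Here is the check-then-enforce sequence for this section, as an added example rather than the post's own script. It reads the current signing, encryption and guest-logon state, lists live outbound connections that negotiated without signing (the NAS and appliance list you need before requiring it), switches on NTLM auditing in audit-only mode (the documented MSV1_0 values; events 8001 and 8002 in the Microsoft-Windows-NTLM/Operational log), and finally requires signing on both sides. It assumes the Signed property that Get-SmbConnection exposes on current Windows builds.

```powershell
# Added example: SMB signing, guest logon and NTLM audit before and after enforcement. Run elevated.
function Get-SmbSecurityState {
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    [pscustomobject]@{
        ServerRequiresSigning = $srv.RequireSecuritySignature
        ClientRequiresSigning = $cli.RequireSecuritySignature
        ServerEncryptsData    = $srv.EncryptData
        InsecureGuestLogons   = $cli.EnableInsecureGuestLogons
        Smb1Enabled           = $srv.EnableSMB1Protocol
    }
}

function Get-UnsignedSmbSessions {
    # Live outbound connections that negotiated without signing: these servers (NAS, printers,
    # appliances) are the ones that will slow down or stop mounting once signing is required
    Get-SmbConnection | Where-Object { -not $_.Signed } |
        Select-Object ServerName, ShareName, Dialect, Signed, Encrypted
}

function Enable-NtlmAudit {
    # Audit only: logs NTLM use without blocking it. Events land in Microsoft-Windows-NTLM/Operational
    # (8001 = outgoing NTLM to a remote server, 8002 = incoming NTLM from a client).
    $k = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    Set-ItemProperty $k -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord   # audit all incoming
    Set-ItemProperty $k -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord  # audit all outgoing
}

function Get-NtlmUse {
    param([int]$Days = 30)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001, 8002
                                     StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Group-Object Id | Select-Object @{ n = 'Event'; e = { $_.Name } }, Count
}

function Set-SmbHardening {
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -EnableInsecureGuestLogons $false -Force
    Get-SmbSecurityState
}

Get-SmbSecurityState
Get-UnsignedSmbSessions      # empty = safe to require signing; anything listed needs firmware or replacement
Enable-NtlmAudit; Get-NtlmUse -Days 30
Set-SmbHardening
```

The NTLM counts are the readiness test for the "removal of NTLM in hybrid environments" item later in this article: a fleet still producing thousands of 8001 events a month is not ready for a block policy, whatever the baseline says.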


Intune vs Group Policy: Deployment Strategy

Modern environments should prefer Intune.

Why?

  • Reporting visibility
  • Device compliance integration
  • Conditional Access enforcement
  • Easier staged rollouts

Group Policy still works well for on-prem AD environments.

But it lacks:

  • Real-time reporting
  • Granular device visibility
  • Easy rollback capability

Common Mistakes I See with Windows 11 Baselines

  1. Applying everything at once
  2. Not auditing ASR rules
  3. Ignoring hardware readiness
  4. Failing to test legacy applications
  5. Not communicating changes to users

Security must be implemented with change management.


A Phased Rollout Strategy That Actually Works

Here’s the process I follow:

Phase 1 – Audit

Enable logging.
Review events.
Identify breakpoints.

Phase 2 – Pilot Group

Apply to IT and power users.
Monitor impact.

Phase 3 – Gradual Enforcement

Enforce high-value protections first:

  • BitLocker
  • Defender tamper protection
  • SMB hardening

Then phase in ASR.


Australian Compliance Considerations

For Australian businesses handling personal information:

  • BitLocker reduces breach reportability risk.
  • Credential Guard reduces lateral movement exposure.
  • Logging helps with incident response, and with the breach assessment you must document, under the Notifiable Data Breaches (NDB) scheme.

Security isn’t just technical — it’s regulatory protection.


What I Don’t Enforce Automatically

Not every Microsoft recommendation fits every business.

I evaluate before enforcing:

  • SmartScreen strict blocking in high-automation environments
  • All ASR rules simultaneously
  • Excessively restrictive firewall profiles
  • Removal of NTLM in hybrid environments without readiness testing

Security maturity must match infrastructure maturity.


Final Thoughts: Security Baselines Should Evolve

A Windows 11 security baseline is not:

  • A compliance checkbox
  • A one-time project
  • A copy-paste template

It’s a living configuration.

Review it:

  • Quarterly
  • After major feature updates
  • After hardware refresh cycles
  • After security incidents

Modern Windows 11 security is significantly stronger than previous generations — but only when configured intentionally.

Blind enforcement creates friction.
Ignoring the baseline creates risk.

The right approach is structured, phased, and informed by real operational experience.
