CIS Windows 11 Enterprise Benchmark, continuously evidenced.
The CIS Windows 11 Enterprise Benchmark defines 555 security controls covering account policies, audit policies, advanced audit policies, BitLocker, Windows Defender, AppLocker, Windows Firewall, and Group Policy settings. It is the most widely referenced configuration baseline for Windows 11 endpoint hardening across enterprise environments. CISGuard's agent-based scanning evaluates every control with per-endpoint evidence and historical drift tracking.
Windows 11 benchmark at a glance.
- Benchmark version: v5.0.0
- Total controls: 555
- Scan type: Agent
- Available tier: All plans
- Category: Endpoint
- Drift detection: Yes, between every scheduled scan
What this benchmark actually covers.
- Account Policies (Password Policy, Account Lockout)
- Local Policies (Audit, User Rights, Security Options)
- Advanced Audit Policy Configuration
- Windows Defender Antivirus + Application Control
- BitLocker Drive Encryption
- Windows Firewall with Advanced Security
- AppLocker + Smart App Control
- Group Policy administrative templates
Windows 11 questions, answered directly.
How does CISGuard scan Windows 11 against the CIS benchmark?
CISGuard deploys a lightweight Windows agent that evaluates every control in the CIS Windows 11 Enterprise Benchmark with native Windows API queries. No Group Policy modification or system change is required for scanning. Per-control evidence is collected at the configured cadence (typically 4-24 hours) with drift detection between scans.
Does CISGuard support both CIS Level 1 and Level 2 for Windows 11?
Yes. CISGuard evaluates Level 1 (essential baseline) and Level 2 (defense-in-depth) controls separately, with per-control reporting on which level each control belongs to. Most customers run L1 across all Windows 11 endpoints and L2 selectively on endpoints handling sensitive data.
Can CISGuard scan Windows 11 in air-gapped environments?
Yes. Air-gapped Windows 11 scanning is supported. The agent operates with zero outbound connectivity; benchmark and software updates ship as cryptographically signed media via secure delivery channels. This is required for NCA Top Secret, FedRAMP High classified, and IL4/IL5 environments.
Want a Windows 11 scan of your environment?
Our compliance engineers will scope your environment and quote within one business day of an initial briefing.