Windows 11 Hardening for Cyber Essentials: Settings That Actually Fail Assessments

Windows 11 is the best starting point Microsoft has ever shipped for Cyber Essentials (CE). Firewall on, Defender on, and account lockout configured. Compared to what we used to deal with on Windows 7, it's a different world.
But "better than what came before" doesn't pass an assessment. Three settings catch most businesses: firewall exceptions nobody's documented, users running as local admins because that's how Windows set them up, and patches older than 14 days because someone deferred updates after a bad experience. All three are either defaults or extremely common configurations.
And there's one more thing worth flagging. Windows 10 reached end of life on 14 October 2025. Any device still running it auto-fails CE because it no longer receives security updates. If you've got a machine in the corner running Windows 10 because the accounting software hasn't been migrated, that device needs sorting before your assessment. People are genuinely shocked when a single forgotten laptop sinks the whole thing.
The seven defaults that fail
Here's the reference table covering all seven. Every row is a setting that either ships wrong or isn't managed by Windows at all.
| Setting | Windows 11 default | CE requirement | Fix |
|---|---|---|---|
| Autoplay/AutoRun | Enabled | Must be disabled | Group Policy Object (GPO) or registry: NoDriveTypeAutoRun = 255 |
| Quality update deferral | Configurable (can exceed 14 days) | Critical patches within 14 days | Set deferral to 0 days |
| Third-party app updates | Not managed | Must patch within 14 days | Patch management tool or manual process |
| Admin account separation | Setup account often has admin rights | Admin only for admin tasks | Create separate standard account |
| Multi-factor authentication (MFA) on cloud services | Not enforced by operating system | Must be enabled on all supporting services | Configure per service |
| Firewall rule documentation | No documentation exists | All inbound allow rules documented | Audit and document |
| Password policy (standalone) | No minimum enforced on local accounts | 8 characters + deny list, OR 12 characters, OR 8 characters + MFA | GPO or Intune |
The left column is what Windows gives you. The right column is what an assessor expects. The gap between them is your preparation work.
Firewalls (Control A)
Windows Defender Firewall is actually compliant out of the box. It's enabled on all three profiles (Domain, Private, Public) with default inbound set to block. That's the headline requirement met without any changes.
The area where businesses most commonly fail is documentation.
Windows ships with a number of pre-installed firewall exceptions. Some of them are for services you're probably using, like network discovery on the Domain profile. Others are for services you've never heard of and certainly aren't using. Every enabled inbound allow rule needs a business justification during the assessment. "I didn't know that rule was there" isn't one.
Run this in an elevated PowerShell session to see your current profiles:
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
All three profiles should show Enabled: True and DefaultInboundAction: Block. If any profile shows otherwise, fix that first.
Then list every active inbound allow rule:
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | Select-Object DisplayName, Profile, Description
Go through that list. If you can't explain why a rule exists, disable it. Remote Desktop enabled from any address on the Public profile is a common one. If you're not using Remote Desktop, turn the rule off. If you are using it, restrict the source addresses.
The National Cyber Security Centre (NCSC) also recommends blocking outbound connections on Private and Public profiles. That's not a CE requirement, but it's worth doing. Their device security guidance at ncsc.gov.uk/collection/device-security-guidance/platform-guides/windows covers the rationale.
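The rule listing above gives you names, but an assessor will also want to know what each rule actually opens and from where. The following script is an added example, not code from the original article: it exports every enabled inbound allow rule together with its port, program and remote-address filters to a CSV with an empty Justification column you fill in, then prints the rules most worth reviewing first (reachable from any address on the Public profile). It assumes an elevated session on Windows 11 with the built-in NetSecurity module; the output path is an assumption.

```powershell
# Added example (not from the original article): document inbound allow rules for CE Control A.
# Assumes an elevated PowerShell session on Windows 11; $outFile is an assumed path.
$outFile = 'C:\CE-Audit\inbound-allow-rules.csv'
New-Item -ItemType Directory -Path (Split-Path $outFile) -Force | Out-Null

# Every enabled inbound allow rule, regardless of profile
$rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow

# Join each rule to its filter objects so the CSV shows what the rule actually permits
$rows = foreach ($rule in $rules) {
    $addr = $rule | Get-NetFirewallAddressFilter
    $port = $rule | Get-NetFirewallPortFilter
    $app  = $rule | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        DisplayName   = $rule.DisplayName
        Profile       = [string]$rule.Profile          # Domain, Private, Public, Any, or a combination
        Protocol      = $port.Protocol
        LocalPort     = (@($port.LocalPort) -join ',')
        RemoteAddress = (@($addr.RemoteAddress) -join ',')
        Program       = $app.Program
        Justification = ''                             # write the business reason here before the assessment
    }
}

$rows | Sort-Object Profile, DisplayName | Export-Csv -Path $outFile -NoTypeInformation

# Rules that accept traffic from any remote address on the Public profile get reviewed first
$rows | Where-Object { $_.Profile -match 'Public|Any' -and $_.RemoteAddress -eq 'Any' } |
    Format-Table DisplayName, Profile, Protocol, LocalPort, Program -AutoSize
```

The per-rule filter lookups are slow on a machine with several hundred rules, so expect the export to take a minute or two. Anything in the printed list you cannot justify can be turned off with Disable-NetFirewallRule -DisplayName, and the CSV then doubles as the documentation the assessor asks for.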
Secure configuration (Control B)
This is the longest section because it's where the most defaults need changing. Three things to check here: autoplay, password policy, and account lockout.
Autoplay
Autoplay is the classic CE fail on Windows 11 because it's enabled by default. The CE secure configuration control requires it to be disabled because autoplay allows removable media to execute content automatically when connected, which is precisely how USB-based attacks work.
Check current state:
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
If that property doesn't exist or the value isn't 255, autoplay is still active. Fix it:
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name 'NoDriveTypeAutoRun' -Value 255 -Type DWord
Value 255 disables autoplay on all drive types. If the registry path doesn't exist yet, create it first with New-Item.
I still see this one in roughly half the assessments I run. An Edinburgh consultancy failed on this alone last month. It's a two-minute fix that people don't know they need to make.
Password policy
CE gives you three compliant password configurations, so pick whichever fits your setup:
- Minimum 8 characters with MFA enabled on the account
- Minimum 12 characters with no maximum length restriction
- Minimum 8 characters with a common password deny list (a blocklist of known compromised passwords)
Windows 11 doesn't enforce any of these on local accounts by default. If you're using Microsoft accounts or Azure Active Directory (Azure AD), the cloud policy handles it. But local accounts, including any admin account you create for separation of duties, need a policy set through GPO or Intune.
Account lockout
Good news on the account lockout front. Since Windows 11 22H2, the default lockout policy is 10 failed attempts with a 10-minute lockout duration, which is compliant. CE requires a maximum of 10 attempts within five minutes, and the Windows default meets that requirement.
Verify it hasn't been changed:
net accounts
You're looking for Lockout threshold: 10 and Lockout duration (minutes): 10. If the threshold shows Never, someone changed the defaults or the machine was imaged from an older build.
Guest accounts and unnecessary software
The guest account is disabled by default on Windows 11, so check it hasn't been re-enabled. Remove any pre-installed software you're not using: bloatware counts as unnecessary software under CE (a point referenced in the independent governance benchmarking report), and an assessor may ask why it's still installed.
User access control (Control C)
This is the most common fail I see. Not close, not arguable: it is the most common.
Windows 11 setup creates the first account with administrator rights. Most people use that account for everything: email, browsing, day-to-day work. Under CE, administrator accounts are for administrative tasks only. Using an admin account to check email violates the user access control requirement.
Check who's in the Administrators group right now:
Get-LocalGroupMember -Group "Administrators"
Get-LocalUser | Select-Object Name, Enabled, LastLogon
If the account you log in with every morning is listed in the Administrators group, you need to fix that. Create a separate local admin account, add it to Administrators, and remove admin rights from your daily account.
The fix itself takes five minutes at most. The adjustment period takes longer because suddenly every software install and system change requires you to enter separate admin credentials. That's the entire point of separating the accounts. CE wants you to think about what you're elevating, not click through it automatically.
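The account separation described above, as an added example rather than code from the original article. The script creates a dedicated local admin account, adds it to Administrators, and only then removes the daily-use account's admin rights, refusing to proceed if it cannot find another enabled local administrator (locking yourself out is the failure mode to avoid). The account name LocalAdmin is an assumption; it assumes an elevated session and local accounts rather than domain or Microsoft accounts.

```powershell
# Added example (not from the original article): separate admin and daily-use accounts (CE Control C).
# Assumes an elevated session and local accounts. $adminName is an assumed name.
$adminName = 'LocalAdmin'
$dailyUser = $env:USERNAME   # the account you are logged in with right now

# 1. Create the dedicated admin account if it does not already exist
if (-not (Get-LocalUser -Name $adminName -ErrorAction SilentlyContinue)) {
    $password = Read-Host -Prompt "Password for $adminName" -AsSecureString
    New-LocalUser -Name $adminName -Password $password -Description 'CE: administrative tasks only' -AccountNeverExpires | Out-Null
}

# 2. Make it an administrator (idempotent: skip if already a member)
$members = Get-LocalGroupMember -Group 'Administrators'
if (-not ($members | Where-Object { $_.Name -like "*\$adminName" })) {
    Add-LocalGroupMember -Group 'Administrators' -Member $adminName
}

# 3. Safety check: another *enabled* local admin must exist before the daily account loses its rights
$otherAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.Name -notlike "*\$dailyUser" } |
    ForEach-Object { Get-LocalUser -Name (($_.Name -split '\\')[-1]) -ErrorAction SilentlyContinue } |
    Where-Object { $_.Enabled }
if (-not $otherAdmins) {
    throw "No other enabled local admin account found; not removing $dailyUser from Administrators."
}

# 4. Drop admin rights from the daily-use account and show the result
Remove-LocalGroupMember -Group 'Administrators' -Member $dailyUser
Get-LocalGroupMember -Group 'Administrators'
```

Log on as the new admin account once before you sign out of the daily one, so you know the password works. On domain-joined devices the membership may come through a domain group rather than a local user, and Get-LocalUser will not resolve those names; review them by hand.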
Windows 11 24H2 introduced Local Administrator Password Solution (LAPS) as a built-in feature, which automatically manages local admin account passwords. If you're on Enterprise edition, Credential Guard is also enabled by default in 24H2. Both are worth knowing about, though neither is strictly required for CE.
MFA on cloud services also falls under this control. Windows 11 doesn't enforce MFA at the operating system level. You configure it per service: Microsoft 365, Google Workspace, and anything else your business uses that supports it. If a cloud service offers MFA and you haven't enabled it, that's a fail.
Malware protection (Control D)
Short section because this one is mostly already compliant. Microsoft Defender Antivirus ships with everything you need turned on: real-time protection, cloud-delivered protection, automatic signature updates, and SmartScreen, all of which are compliant out of the box.
Verify it's actually running:
Get-MpComputerStatus | Select-Object AMServiceEnabled, AntispywareEnabled, AntivirusEnabled, RealTimeProtectionEnabled, AntivirusSignatureAge
The four Enabled properties should show True. The AntivirusSignatureAge value is the number of days since the last signature update. It needs to be 0 or 1. If it's higher, automatic updates aren't working or the device has been offline too long.
The only way this control fails is if someone turned Defender off. It happens more often than you'd think. I see it disabled on machines because "it was slowing down my laptop." If that's happened, turn it back on. If a third-party endpoint tool is installed instead (SentinelOne, CrowdStrike, Sophos), that's fine, but it needs to be on every in-scope device, not just some of them.
Patching (Control E)
The CE patching requirement says critical and high-risk patches, anything with a Common Vulnerability Scoring System (CVSS) score of 7.0 or above, must be applied within 14 days of release. That 14-day clock starts when the vendor releases the update, not when you notice it.
Check what's been installed
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn
If the most recent patch is more than 14 days old and a critical update was released in that window, you're out of compliance.
Check deferral settings
This is the hidden problem that catches people. Quality update deferral lets you delay Windows updates by a set number of days. Someone sets it to 30 days after a bad experience with a specific update, forgets about it, and the device quietly falls outside the 14-day window.
Set deferral to 0 across the estate. If you're worried about updates breaking things, test on one machine first, but don't defer across the estate.
Check your OS version
Get-ComputerInfo | Select-Object OsName, OsVersion, WindowsVersion
Windows 10 reached end of life on 14 October 2025. Any device running it auto-fails because it no longer receives security updates, and there's no workaround or exception. The device either runs a supported operating system or it's out of scope.
Third-party applications
This is the gap most businesses miss. Windows Update handles Windows and some Microsoft applications. Everything else (Chrome, Zoom, Adobe, your line-of-business software) needs separate management. You can have every Windows patch applied within 48 hours and still fail because Chrome is three versions behind on half your estate.
You need either a patch management tool (Intune, NinjaOne, or similar) or a documented manual process. The CE requirement applies to all software on in-scope devices, not just the operating system.
Windows 11 24H2 introduced checkpoint cumulative updates, which reduce the download size of monthly patches. That doesn't change the compliance requirement, but it does make the process faster on slower connections.
The audit checklist
Before your assessment, run through this list on every in-scope Windows 11 device:
- Confirm all three firewall profiles are enabled with inbound set to block
- List every inbound allow rule and document the business justification for each
- Verify autoplay is disabled (NoDriveTypeAutoRun = 255)
- Confirm account lockout is set to 10 attempts, 10 minutes
- Check the Administrators group contains only dedicated admin accounts, not daily-use accounts
- Verify Defender is running with real-time protection enabled and signatures current
- Check the most recent patch date is within 14 days of the latest critical release
- Confirm quality update deferral is set to 0
- Verify the OS version is Windows 11 (not Windows 10)
- Check third-party applications are up to date
The PowerShell commands for each of these are in the sections above. On a single machine, the full audit takes about 15 minutes. If you've got 50 machines, you'll want to script it.
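One way to script the checklist, as an added example that is not part of the original article. The function runs the checks from the secure configuration, malware protection and patching sections as well as the firewall profile check, touches nothing, and returns one object per device so the output can be exported to CSV. Assumptions: an elevated PowerShell 5.1 or later session on Windows 11; English `net accounts` output (the script parses its text); quality update deferral is read from the Group Policy registry path and, as an assumption, from the Settings app path under HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings; Windows 11 is identified by OS build 22000 or higher.

```powershell
# Added example (not from the original article): read-only CE audit returning one object per device.
# Assumes an elevated PowerShell 5.1+ session, Windows 11, English `net accounts` output.
function Test-CEDeviceState {
    # Pull a labelled value out of `net accounts` text, e.g. "Lockout threshold:   10"
    function Get-NetAccountsValue([string[]]$Lines, [string]$Label) {
        $line = $Lines | Where-Object { $_ -like "$Label*" } | Select-Object -First 1
        if ($line) { ($line -split ':', 2)[1].Trim() } else { 'unknown' }
    }

    $r = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # A: all three firewall profiles enabled with inbound blocked; count the allow rules to document
    $fw = Get-NetFirewallProfile
    $r['FirewallProfilesOk'] = -not ($fw | Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block' })
    $r['InboundAllowRules']  = @(Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow).Count

    # B: autoplay disabled on every drive type (NoDriveTypeAutoRun = 255)
    $ap = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
        -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    $r['AutoplayDisabled'] = ($null -ne $ap -and $ap.NoDriveTypeAutoRun -eq 255)

    # B: lockout threshold (1-10 is compliant; "Never" is not) and local minimum password length
    $na = net accounts
    $threshold = Get-NetAccountsValue $na 'Lockout threshold'
    $r['LockoutThreshold']  = $threshold
    $r['LockoutOk']         = ($threshold -match '^\d+$' -and [int]$threshold -ge 1 -and [int]$threshold -le 10)
    $r['MinPasswordLength'] = Get-NetAccountsValue $na 'Minimum password length'

    # B: guest account still disabled
    $guest = Get-LocalUser -Name Guest -ErrorAction SilentlyContinue
    $r['GuestDisabled'] = ($null -eq $guest -or -not $guest.Enabled)

    # C: who holds local admin rights (review by hand: daily-use accounts should not appear here)
    $r['Administrators'] = (Get-LocalGroupMember -Group Administrators -ErrorAction SilentlyContinue).Name -join '; '

    # D: Defender running with real-time protection and signatures no older than a day
    $mp = Get-MpComputerStatus
    $r['RealTimeProtection'] = $mp.RealTimeProtectionEnabled
    $r['SignatureAgeDays']   = $mp.AntivirusSignatureAge
    $r['SignaturesOk']       = ($mp.AntivirusSignatureAge -le 1)

    # E: days since the newest hotfix, quality update deferral, and OS build
    $lastPatch = (Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending |
        Select-Object -First 1).InstalledOn
    $r['DaysSinceLastPatch'] = if ($lastPatch) { (New-TimeSpan -Start $lastPatch -End (Get-Date)).Days } else { $null }

    $deferDays = 0
    foreach ($path in 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate',      # Group Policy
                      'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings') {          # Settings app (assumed)
        $wu = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($wu -and $wu.PSObject.Properties['DeferQualityUpdatesPeriodInDays']) {
            $deferDays = [Math]::Max($deferDays, [int]$wu.DeferQualityUpdatesPeriodInDays)
        }
    }
    $r['QualityDeferralDays'] = $deferDays
    $r['DeferralOk']          = ($deferDays -eq 0)

    $build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    $r['OsBuild']     = $build
    $r['IsWindows11'] = ($build -ge 22000)   # Windows 10 builds are below 22000

    [pscustomobject]$r
}

Test-CEDeviceState | Format-List
```

Across an estate, run it remotely and keep the results as evidence: `Invoke-Command -ComputerName (Get-Content .\machines.txt) -ScriptBlock ${function:Test-CEDeviceState} | Export-Csv .\ce-audit.csv -NoTypeInformation` (this assumes PowerShell remoting is enabled on the devices). The function deliberately reports rather than remediates, so it is safe to run repeatedly; third-party application versions and MFA on cloud services are outside what a local script can see and still need checking separately.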
CE control mapping
| CE Control | Windows 11 setting | Default compliant? | Action |
|---|---|---|---|
| A: Firewalls | Defender Firewall enabled, inbound blocked | Yes | Audit and document all inbound allow rules |
| B: Secure configuration (autoplay) | Autoplay enabled | No | Set NoDriveTypeAutoRun to 255 |
| B: Secure configuration (lockout) | 10 attempts, 10-minute lockout (22H2+) | Yes | Verify only |
| B: Secure configuration (password) | No local policy enforced | No | Set via GPO or Intune |
| B: Secure configuration (guest) | Guest account disabled | Yes | Verify only |
| C: User access control | Setup account has admin rights | No | Separate admin and daily accounts |
| C: MFA on cloud services | Not enforced by OS | No | Configure per cloud service |
| D: Malware protection | Defender enabled, real-time on, SmartScreen on | Yes | Verify signature age is 0 or 1 |
| E: Patching (Windows) | Auto-update on | Conditional | Check deferral is 0 days |
| E: Patching (third-party) | Not managed | No | Add patch management tool or process |
| E: Patching (OS support) | Depends on version | Conditional | Windows 10 auto-fails after 14 October 2025 |