Benchmark Changelog
Benchmark updates are delivered via the compliance feed independently of Nanitor product releases. When updates are available, the Nanitor server fetches them automatically; no manual action is required.
This page tracks benchmark additions, updates, and changes. For a full list of supported benchmarks, see Benchmark Platforms Supported.
Pending Release
The following benchmarks are ready but have not yet been published to the compliance feed.
Why are these held back? When a benchmark is upgraded, new rules are automatically added to baselines, existing rules may be updated with new severities and recommendations, and removed rules are archived, all silently. For large upgrades, this can cause significant, unexpected drops in Configuration Health scores. Multiple customers and MSPs have experienced this with past benchmark updates.
Unlike vulnerabilities, which represent active and emerging risk, configuration benchmark recommendations are best-practice guidance. They evolve over time as CIS refines their recommendations, but changes are not urgent and should not cause sudden score swings. Partners and customers need stability and the ability to plan how they address new configuration recommendations with their clients.
Nanitor 7.0 will introduce benchmark upgrade controls that give administrators visibility and control over what changes are applied to their baselines. The new defaults will be:
- Auto-add new rules to baseline: off
- Auto-update baseline recommendations for existing rules: off
- Auto-update severities: off
- Rule content, checks, and remediation guidance: always updated (not configurable, you always get the latest check logic)
This means administrators can review what changed in a benchmark upgrade and decide when and how to adopt new rules, rather than having score changes applied automatically. Once this is in place, these benchmarks can be safely released without disrupting existing compliance baselines.
CIS Microsoft Windows 11 Enterprise v4.0.0
- Status: Pending
- Type: Version update (from v2.0.0)
- Platform: Windows 11 Enterprise
- Notes: Aligns with latest CIS recommendations for Windows 11. This is a major version update that introduces significant changes to the default baseline, including new rules, updated severities, and revised prioritization. Release is on hold until we finalize improvements that give administrators more control over when and how benchmark baseline changes are applied to their environments, so that compliance scores are not unexpectedly affected by the upgrade.
In Development
The following benchmarks are actively being worked on but are not yet complete.
CIS Microsoft Windows 11 Stand-alone v1.0.0
- Status: In progress
- Type: New benchmark
- Platform: Windows 11 (not domain-joined)
- Auto-assignment: Will automatically assign to non-domain-joined Windows 11 devices
- Notes: Currently in active development. This benchmark will provide standalone-specific CIS compliance checks for Windows 11 devices that are not managed via Active Directory domain policies.
CIS Microsoft Windows Server 2022 Stand-alone v1.0.0
- Status: Planned
- Type: New benchmark
- Platform: Windows Server 2022 (not domain-joined)
- Auto-assignment: Will automatically assign to non-domain-joined Windows Server 2022 devices
- Notes: Planned for a future release. This benchmark will provide standalone-specific CIS compliance checks for Windows Server 2022 environments not joined to a domain.
Released
v6.9.1 - March 2026
New benchmark, bug fixes, and check corrections across Windows and Linux platforms.
- CIS Microsoft Windows Server 2025 Stand-alone v1.0.0. New benchmark for non-domain-joined Windows Server 2025 devices. Automatically assigns to standalone Server 2025 systems. The CPE auto-assignment logic has been updated (NAN-5856) to prevent dual-assignment with the domain-joined benchmark.
- CIS Ubuntu Linux 24.04 LTS. Fixed false failure results in crontab, UFW, and rsyslog checks.
- CIS Microsoft Windows Server 2019. Fixed false negative on "Rename guest account" check. Rule now uses SID-based lookup instead of username enumeration.
- CIS Microsoft Windows Server 2022. Baseline correction included with the WS2019 guest account fix.
- CIS Microsoft Windows 11 Intune. Fixed 3 Defender rules (Allow Behavior Monitoring, Allow Full Scan Removable Drive Scanning, Allow scanning of downloaded files) that were checking Group Policy registry paths instead of Intune/MDM Policy Manager paths.
- Print Spooler service check. Fixed false positive when the Spooler service is not installed (common on Server Core). Affected benchmarks: Windows 10, 11 Intune, Server 2012 R2, 2022, 2025, and 2025 Standalone.
v6.9.0 - February 2026
Bug fixes for two benchmarks addressing false failure results reported by customers. No baseline changes; these are targeted corrections to check logic only.
- CIS Microsoft Windows Server 2019. Fixed rule "Ensure 'Deny log on as a service' to include 'Guests'". The check was evaluating SeDenyInteractiveLogonRight instead of the correct SeDenyServiceLogonRight user right, causing systems with the correct policy applied to report incorrect results.
- CIS Ubuntu Linux 20.04 LTS. Fixed rule 5.4.2.4 "Ensure root password is set". The password hash detection regex did not match valid extended-format hashes (e.g. $6$rounds=656000$...), causing false failures on systems where the root password was correctly configured.
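The failure mode behind the root-password fix above, as an added example (this is not Nanitor's check logic, and the patterns, function names and sample values are assumptions made for illustration): a pattern that treats the field after the algorithm id as the salt rejects a hash carrying a `rounds=N` field, while a pattern with an optional rounds group accepts both forms. The example is narrowed to the `$5$` and `$6$` (sha256crypt and sha512crypt) families.

```python
import re

B64 = r"[./A-Za-z0-9]"
# Naive pattern (constructed for illustration): assumes the field after the
# algorithm id is always the salt, so a "rounds=N" field breaks the match.
NAIVE = re.compile(rf"^\$6\${B64}{{1,16}}\${B64}{{86}}$")
# Extended-format aware: optional "rounds=N$" between the id and the salt.
SHA_CRYPT = re.compile(
    rf"^\$(?P<id>[56])\$(?:rounds=(?P<rounds>[0-9]{{1,9}})\$)?"
    rf"(?P<salt>{B64}{{0,16}})\$(?P<digest>{B64}+)$"
)
DIGEST_LEN = {"5": 43, "6": 86}  # sha256crypt / sha512crypt encoded lengths


def is_sha_crypt(field: str) -> bool:
    """True if field is a well-formed $5$/$6$ hash, with or without rounds=."""
    m = SHA_CRYPT.match(field)
    return bool(m) and len(m["digest"]) == DIGEST_LEN[m["id"]]


def root_password_state(shadow_text: str) -> str:
    """Classify root's shadow field: set, locked, empty, unrecognized, missing."""
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or parts[0] != "root":
            continue
        field = parts[1]
        if field == "":
            return "empty"          # no password required at all
        if field[0] in "!*":
            return "locked"         # password login disabled
        return "set" if is_sha_crypt(field) else "unrecognized"
    return "missing"


# Constructed sample values; the digest is filler, not a real hash.
FAKE_DIGEST = "Ab3./" * 17 + "x"    # 86 characters
PLAIN = f"$6$saltsalt${FAKE_DIGEST}"
EXTENDED = f"$6$rounds=656000$saltsalt${FAKE_DIGEST}"
SHADOW = f"daemon:*:19000:0:99999:7:::\nroot:{EXTENDED}:19000:0:99999:7:::\n"

if __name__ == "__main__":
    for name, value in (("plain", PLAIN), ("extended", EXTENDED)):
        print(name, "naive:", bool(NAIVE.match(value)), "fixed:", is_sha_crypt(value))
    print("root:", root_password_state(SHADOW))
```

Hashes from other schemes fall into the "unrecognized" bucket here, so a check built this way should report that state separately rather than as a failure.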
v6.7.0 and earlier
For changes included in previous releases, see the release notes for the corresponding Nanitor product version.