Windows Benchmark Assignment
Nanitor automatically assigns the appropriate CIS benchmark to Windows devices based on their management status. This ensures each device receives security hardening guidance relevant to its configuration.
Windows Desktop Benchmarks (Windows 10/11)
For Windows 10 and Windows 11, there are three benchmark variants:
| Management Status | Benchmark Assigned | Description |
|---|---|---|
| Domain-joined (Active Directory) | CIS Microsoft Windows 11 Enterprise | Standard benchmark with Group Policy rules |
| Intune-managed | CIS Microsoft Windows 11 Intune Managed | Benchmark with Intune-specific configuration rules |
| Standalone (neither AD nor Intune) | CIS Microsoft Windows 11 Stand-alone | Benchmark for unmanaged workstations |
The same pattern applies to Windows 10.
Windows Server Benchmarks
For Windows Server, there are two benchmark variants:
| Management Status | Benchmark Assigned | Description |
|---|---|---|
| Domain-joined (Active Directory) | CIS Microsoft Windows Server 2025 | Standard benchmark with Group Policy rules |
| Standalone (not domain-joined) | CIS Microsoft Windows Server 2025 Stand-alone | Benchmark for standalone servers |
Available standalone server benchmarks:
- CIS Microsoft Windows Server 2025 Stand-alone v1.0.0
- CIS Microsoft Windows Server 2022 Stand-alone v1.0.0
Automatic Assignment
Benchmarks are automatically assigned based on detection of the device's management status:
- Domain-joined: Nanitor detects Active Directory membership
- Intune-managed: Nanitor detects Intune enrollment (Windows 10/11 only)
- Standalone: Neither AD nor Intune detected
This automatic assignment ensures devices receive the appropriate benchmark without manual configuration.
Why Different Benchmarks?
Each management approach has different configuration mechanisms:
| Management Type | Configuration Method | Example Rules |
|---|---|---|
| Active Directory | Group Policy Objects (GPO) | Domain password policies, Kerberos settings |
| Intune | MDM policies | Cloud-based security baselines, compliance policies |
| Standalone | Local Security Policy | Local account policies, audit settings |
Using the wrong benchmark would result in:
- False positives for rules that don't apply
- Missing rules specific to the management method
- Incorrect remediation guidance
Checking Benchmark Assignment
To verify which benchmark is assigned to a device:
- Navigate to Inventory > Assets
- Select the Windows device
- Click the Benchmarks tab
- The assigned benchmark will indicate the variant (Enterprise, Intune Managed, or Stand-alone)
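To cross-check the variant shown in the Benchmarks tab against the device itself, the following added example (not Nanitor's own detection logic) reads the management status locally and maps it to the variants in the tables above. It assumes that domain membership is read from `Win32_ComputerSystem.PartOfDomain` and that an MDM enrollment with ProviderID `MS DM Server` indicates Intune; the function name `Get-ExpectedBenchmarkVariant` is hypothetical.

```powershell
# Added example: local cross-check of management status. Run on the Windows device.
# The detection signals used here are assumptions, not Nanitor's documented method.

function Get-ExpectedBenchmarkVariant {
    param(
        [bool]$DomainJoined,
        [bool]$IntuneEnrolled,
        [bool]$IsServer
    )
    if ($IsServer) {
        # Per the page, server benchmarks have no Intune variant.
        if ($DomainJoined) { return 'Standard (domain-joined)' }
        return 'Stand-alone'
    }
    if ($DomainJoined -and $IntuneEnrolled) {
        # The page does not state which variant wins when both are detected.
        return 'Enterprise or Intune Managed (precedence not documented)'
    }
    if ($DomainJoined)   { return 'Enterprise' }
    if ($IntuneEnrolled) { return 'Intune Managed' }
    return 'Stand-alone'
}

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$os = Get-CimInstance -ClassName Win32_OperatingSystem

# ProductType: 1 = workstation, 2 = domain controller, 3 = member/standalone server.
$isServer = $os.ProductType -ne 1

# Assumption: an enrollment subkey whose ProviderID is 'MS DM Server' means Intune.
$enrollKey = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
$intune = $false
if (Test-Path $enrollKey) {
    $intune = [bool](Get-ChildItem $enrollKey -ErrorAction SilentlyContinue |
        Get-ItemProperty -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderID -eq 'MS DM Server' })
}

[pscustomobject]@{
    ComputerName    = $cs.Name
    OperatingSystem = $os.Caption
    DomainJoined    = [bool]$cs.PartOfDomain
    IntuneEnrolled  = $intune
    ExpectedVariant = Get-ExpectedBenchmarkVariant -DomainJoined ([bool]$cs.PartOfDomain) `
                          -IntuneEnrolled $intune -IsServer $isServer
}
```

If `ExpectedVariant` differs from the variant shown in the Benchmarks tab, check for a stale enrollment entry or a recent domain join or unjoin before treating the benchmark findings as accurate.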
Available Windows Benchmarks
Windows 11
- CIS Microsoft Windows 11 Enterprise (domain-joined)
- CIS Microsoft Windows 11 Intune Managed
- CIS Microsoft Windows 11 Stand-alone
Windows 10
- CIS Microsoft Windows 10 Enterprise (domain-joined)
- CIS Microsoft Windows 10 Intune Managed
Windows Server 2025
- CIS Microsoft Windows Server 2025 (domain-joined)
- CIS Microsoft Windows Server 2025 Stand-alone
Windows Server 2022
- CIS Microsoft Windows Server 2022 (domain-joined)
- CIS Microsoft Windows Server 2022 Stand-alone
Windows Server 2019 and earlier
- CIS Microsoft Windows Server 2019
- CIS Microsoft Windows Server 2016
- CIS Microsoft Windows Server 2012 R2
- CIS Microsoft Windows Server 2012