> Get-GPResultantSetOfPolicy -Computer DC01 -ReportType HTML_
A gold image is only as good as the day it was hardened. We review your Windows builds against CIS Benchmarks and industry best practice—so misconfigurations don’t become footholds.
Every Windows endpoint that leaves your build pipeline inherits the same strengths—and the same weaknesses. A single misconfigured Group Policy, an overly permissive local administrator account or a legacy service left running is all it takes. Multiply that across hundreds or thousands of machines and you have a systemic risk, not an isolated one.
Our Windows Build Review examines your Standard Operating Environment (SOE) or gold image against the Centre for Internet Security (CIS) Windows Benchmarks, Microsoft security baselines and real-world attack tradecraft. We assess Group Policy Objects, local security settings, service configurations, network hardening, privilege management and endpoint protection—then tell you exactly what to fix, in priority order.
Organisations invest heavily in perimeter defences yet deploy endpoints with default configurations that an attacker can escalate in minutes. A hardened build is not a nice-to-have—it is the foundation everything else sits on. Without it, your EDR, your SIEM and your SOC are compensating for problems that should never have existed.
Each review covers the following areas, mapped to CIS controls and scored by risk severity.
We do not simply run a scanner and hand you a spreadsheet. Each review combines automated benchmark tooling with manual analysis by experienced consultants who understand how attackers actually exploit misconfigurations in the wild.
Every finding includes a risk rating, the specific CIS control reference, the current value, the recommended value and step-by-step remediation guidance—including GPO paths and registry keys where applicable.
Different roles demand different hardening. We tailor each review to the build type and its operational context.
| Build Type | Typical OS | Review Focus |
|---|---|---|
| Desktop | Windows 10 / 11 Enterprise | User privilege, browser hardening, BitLocker, AppLocker, removable media, Wi-Fi profiles, credential guard |
| Server | Server 2019 / 2022 | Role-based service minimisation, remote management, TLS configuration, file share permissions, backup agent security |
| Domain Controller | Server 2019 / 2022 | Kerberos settings, NTDS protection, DC-specific GPOs, replication security, AdminSDHolder, DSRM account, tiered admin model |
Need more than one build type reviewed? Most organisations bundle desktop and server reviews together—speak to us about scoping the right combination for your environment.
Your build may pass today, but Group Policy changes, new software deployments and patching cycles introduce configuration drift. What was hardened in January may not be hardened in June.
For continuous visibility into endpoint configuration, security events and threat detection across your estate, see our SOCinaBox managed detection and response service—purpose-built to catch what point-in-time assessments miss.
Research consistently shows that configuration drift begins within weeks of deployment. A hardened build without continuous monitoring is a depreciating asset. Pair your build review with ongoing detection to stay ahead of the drift curve.
Book a free, no-obligation scoping call. We will walk through your build environment, agree the right benchmarks and give you a clear proposal—no jargon, no pressure.