CIS Security Benchmarks for Windows Server (Preview)

Important

This feature is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Introduction

This page documents the new Azure capability that offers built-in CIS Benchmarks for Windows Server. The Center for Internet Security (CIS) Benchmarks are globally recognized security configuration guidelines for hardening systems and applications. CIS benchmarks provide two implementation levels:

  • Level 1 (L1): Essential security configurations that provide a clear security benefit without significant impact on functionality.
  • Level 2 (L2): More stringent security configurations intended for environments requiring higher security, potentially with some impact on functionality or usability.

The initial preview supports L1 only. L2 profile support is planned for future releases.

Using CIS Benchmarks in Azure

For machines managed by Azure (Arc-enabled machines and Azure virtual machines), you can now use built-in CIS security benchmarks through Azure Policy with Machine Configuration. This new capability enables:

  • Automated compliance assessment: Continuously monitor your Windows Server systems against official CIS benchmarks.
  • Tailored benchmarks: Customize the benchmark by defining exceptions and custom parameters.

To get started, navigate to Azure Policy in the Azure portal. In the left navigation, under Authoring, select Machine Configuration.

Screen capture showing how to select the CIS for Windows Server entry in Azure Policy Machine Configuration.

Select the CIS for Windows Server entry from the list. Then select Modify Settings to see the list of security controls and to fine-tune them for your environment. With the list of benchmark rules visible, you can customize it as follows:

  • To remove a rule from the evaluation, uncheck the box for that rule.
  • To customize the value that should be considered compliant (for example, a minimum password length of 14 rather than 12), edit the value shown for that rule.

Supported benchmarks and versions

In the initial preview release, coverage is limited to Windows Server 2025. We plan to update this table as additional versions and capabilities become available.

OS version          | Benchmark version | Profiles                                 | Audit | Auto-remediation
--------------------|-------------------|------------------------------------------|-------|-----------------
Windows Server 2025 | 1.0.0             | L1 Member Server, L1 Domain Controller   | ✓     | X
Windows Server 2022 | Coming soon       | Coming soon                              | X     | X
Windows Server 2019 | Coming soon       | Coming soon                              | X     | X

Auto-remediation capabilities are planned for future releases and will be marked with ✓ when available.

The implementation for Azure/Arc managed machines, through Azure Policy and Machine Configuration, is intended to be a faithful representation of CIS benchmark definitions, published here.

Customization via settings JSON

In the customization workflow, you can download (and later upload) a JSON representation of your fine-tuned rule set. This enables out-of-band customization, your own version control management (commits, PR approvals, and so on), and integration with automated deployment methods.

As an example, the following JSON snippet (an excerpt from a larger JSON settings file) represents the minimum password history being set to 28 (up from the default of 24) in both the domain member and domain controller profiles.

{
  "ruleId": "263cf970-bb6b-489e-b3c7-b2b7f31977f0",
  "name": "1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)';Value",
  "value": "{\"DomainController\":\"28\",\"MemberServer\":\"28\"}"
}
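The per-profile value in a rule entry is itself a JSON document stored inside a string, so editing the downloaded file by hand (or in a CI job) is easy to get subtly wrong: a missing backslash or a value set for only one profile will not show up until the upload fails or a machine is evaluated against an unintended value. The script below is an added example, not code from the page or from Microsoft; it round-trips that nested encoding, applies overrides by CIS control number, and checks that no rule has drifted below a floor you define, so the settings file can be validated in a pull request before it is uploaded. It assumes the settings file is a top-level JSON list of rule objects shaped like the excerpt above; the second rule entry and its ruleId are constructed for illustration.

```python
import json

# Profile keys used in the page's excerpt; both must be present in every value.
PROFILES = ("DomainController", "MemberServer")

# Constructed sample settings file. The first entry reuses the page's excerpt
# (with the CIS default of 24); the second entry and its ruleId are placeholders.
SAMPLE_SETTINGS = json.dumps([
    {
        "ruleId": "263cf970-bb6b-489e-b3c7-b2b7f31977f0",
        "name": "1.1.1 (L1) Ensure 'Enforce password history' is set to "
                "'24 or more password(s)';Value",
        "value": "{\"DomainController\":\"24\",\"MemberServer\":\"24\"}",
    },
    {
        "ruleId": "00000000-0000-0000-0000-000000000001",  # constructed placeholder
        "name": "1.1.4 (L1) Ensure 'Minimum password length' is set to "
                "'14 or more character(s)';Value",
        "value": "{\"DomainController\":\"14\",\"MemberServer\":\"14\"}",
    },
], indent=2)


def load_settings(text):
    """Parse the downloaded settings file (assumed to be a list of rule objects)."""
    rules = json.loads(text)
    if not isinstance(rules, list):
        raise ValueError("expected a top-level list of rule objects")
    return rules


def decode_value(rule):
    """Decode the JSON-in-a-string 'value' field into a per-profile dict."""
    per_profile = json.loads(rule["value"])
    if not isinstance(per_profile, dict):
        raise ValueError(f"rule {rule['ruleId']}: value is not a JSON object")
    missing = [p for p in PROFILES if p not in per_profile]
    if missing:
        raise ValueError(f"rule {rule['ruleId']}: missing profiles {missing}")
    return per_profile


def encode_value(per_profile):
    """Re-encode compactly, matching the '{"DomainController":"28",...}' form."""
    return json.dumps(per_profile, separators=(",", ":"))


def find_rule(rules, number):
    """Locate exactly one rule by its CIS control number, e.g. '1.1.1'."""
    matches = [r for r in rules if r["name"].startswith(number + " ")]
    if len(matches) != 1:
        raise KeyError(f"expected one rule numbered {number}, found {len(matches)}")
    return matches[0]


def set_rule_value(rules, number, new_value, profiles=PROFILES):
    """Set the compliant value for the given profiles (default: both) and
    write it back in the encoded string form the settings file uses."""
    rule = find_rule(rules, number)
    per_profile = decode_value(rule)
    for profile in profiles:
        per_profile[profile] = str(new_value)
    rule["value"] = encode_value(per_profile)
    return rule


def check_minimums(rules, minimums):
    """Report (number, profile, configured, floor) for numeric rules whose
    configured value is weaker than the floor you require, e.g. a change that
    lowered password history below the CIS default of 24."""
    findings = []
    for number, floor in minimums.items():
        rule = find_rule(rules, number)
        for profile, value in decode_value(rule).items():
            if int(value) < floor:
                findings.append((number, profile, int(value), floor))
    return findings


def apply_overrides(text, overrides):
    """Load a settings file, apply {control number: value} overrides to both
    profiles, and return the new file text ready for upload."""
    rules = load_settings(text)
    for number, value in overrides.items():
        set_rule_value(rules, number, value)
    return json.dumps(rules, indent=2)


if __name__ == "__main__":
    updated = apply_overrides(SAMPLE_SETTINGS, {"1.1.1": 28})
    print(updated)
    print("drift findings:", check_minimums(load_settings(updated),
                                            {"1.1.1": 24, "1.1.4": 14}))
```

Running `check_minimums` in a pull-request check catches the case the portal will not warn about: a committed settings file in which someone weakened a value below the benchmark's own default while keeping the rule enabled.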

Release notes

Current release

  • Version: 1.0.0
  • Release Date: 2026-05-15
  • Features:
    • Initial release of CIS Windows Server baselines for Azure Policy.
    • Initial demonstration of support, limited to Server 2025.
    • Audit-only functionality for compliance assessment.
    • The built-in Policy name associated with this capability is: [Preview]: Center for Internet Security (CIS) Benchmarks for Windows Server.

For questions or feedback regarding Azure Policy and Machine Configuration, please contact Azure support.