How do I use Microsoft Security Baselines for our servers?
Microsoft publishes the Security Compliance Toolkit with baseline GPOs for Windows Server, Windows 10/11 and Edge. A good starting point, but don't import blindly: test and adapt.
Try this first
- 1Download the Security Compliance Toolkit from Microsoft Download Center, pick the version matching your OS (2022/2025).
- 2Import the baseline GPOs with PolicyAnalyzer or LGPO.exe into a test OU. Not into production immediately.
- 3Compare with your current GPOs: PolicyAnalyzer can place two policy sets side by side and show deltas.
- 4Per category (logging, lockdown, services, ciphers) decide what to adopt, with explicit exceptions for what you really need (e.g. SMB1 for a legacy printer, with an end date).
- 5Functionally test on a ring 1 server and workstation. Some baseline settings break old line-of-business apps.
When to bring us in
Sectors with specific compliance (finance, healthcare) often need tighter baselines (CIS, NIST). Microsoft Baseline is a floor there, not a finish line.
See also
- One DC or two DCs for an SMB office?Two is almost always the right answer; one DC is a single point of failure for logon, DNS and GPOs.
- Should I split FSMO roles across two DCs?For a small domain all on one DC is fine; with two DCs splitting is tidier but not required.
- How do I know my AD replication is healthy?Replication errors creep in silently; they only surface when logins or GPOs misbehave.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.