CIS Benchmark in GPO format

The Center for Internet Security (CIS) puts out its recommendations for a secure configuration of a given operating system.

But why in a PDF format?

For many, having the benchmark in a GPO format helps when working in a Windows environment, especially when comparing it to an already applied policy.

Question: How do we get the benchmark in GPO format?


  1. Use the Build Kit provided by CIS (this may not always be available)
  2. Make the GPO yourself

Making a CIS benchmark GPO yourself for Windows

No, you don’t have to spin up a Windows server and configure each policy setting according to the PDF. That’s absurd.

AWS has CIS hardened AMIs!

  1. Spin up the AWS CIS AMI
  2. Download LGPO to the instance
  3. Back up the currently applied policy using LGPO
     > LGPO.exe /b [absolute path to store the policy]
  4. Move the file off the instance so you can terminate it and not get charged!
  5. Done
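
The backup and export steps above as a PowerShell script, added here as an example and not the author's own code. The paths `C:\Tools\LGPO.exe` and `C:\PolicyBackup`, the zip file name and the GPO display name are assumptions; adjust them for your instance.

```powershell
# Added example. All paths and names below are assumptions, not from the original post.
$LgpoExe   = 'C:\Tools\LGPO.exe'                    # where LGPO was downloaded
$BackupDir = 'C:\PolicyBackup'                      # absolute path passed to /b
$ZipPath   = Join-Path $BackupDir 'cis-ami-policy.zip'

$ErrorActionPreference = 'Stop'

# LGPO reads the machine's local policy, so run it from an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw 'Run this script from an elevated PowerShell session.'
}

if (-not (Test-Path -Path $LgpoExe -PathType Leaf)) {
    throw "LGPO.exe not found at $LgpoExe"
}

# /b needs an existing directory to write the backup into.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# /b exports the applied local policy as a GPO backup;
# /n sets the display name that Policy Analyzer and GPMC will show.
& $LgpoExe /b $BackupDir /n 'CIS-Hardened-AMI'
if ($LASTEXITCODE -ne 0) {
    throw "LGPO backup failed with exit code $LASTEXITCODE"
}

# LGPO writes the backup into a new GUID-named folder; pick the newest one.
$backup = Get-ChildItem -Path $BackupDir -Directory |
    Sort-Object -Property LastWriteTime -Descending |
    Select-Object -First 1
if (-not $backup) {
    throw "No backup folder was created under $BackupDir"
}

# Bundle the backup into one file so it is easy to copy off the instance.
Compress-Archive -Path $backup.FullName -DestinationPath $ZipPath -Force

# Record the hash here and compare it after the transfer, so the policy
# you later load into Policy Analyzer is the one that left the instance.
Get-FileHash -Path $ZipPath -Algorithm SHA256 | Format-List -Property Path, Hash
```

After copying the zip to your workstation, run `Get-FileHash` on it again and confirm the SHA256 value matches before terminating the instance.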

Now you can use Policy Analyzer to compare a CIS hardened OS GPO to your own policies.

Author: Beesham Sarendranauth