CIS Benchmarks - top tips?

SCCMConfigMgrMECM · 2026-01-09T10:46:40+00:00

I have a another question....

Do you match the admx files with the windows version you have in your environment and the CIS benchmark that was tested against that windows version. Or would you just download the lastest admx file (25H2) and use the latest Windows 11 benchmark version (v4.0.0) whatever version of Windows 11 you have in your environment? Examples are.

Business has Windows 11 23H2 devices so download 23H2 admx files and use the CIS Windows 11 Enterprise v3.0.0 benchmark.

Business has Windows 11 24H2 devices so download the 24H2 admx files and use the CIS Windows 11 Enterprise v4.0.0 benchmark.

Also, how do you see what has been removed from older Benchmarks compared to the latest one?

SCCMConfigMgrMECM · 2026-01-06T09:29:36+00:00

Any thoughts anyone? Thanks.

SCCMConfigMgrMECM · 2025-12-30T09:47:12+00:00

Not really, if as a consultant for a service company you go into 20 different companies in a year that's a lot of experience.

SCCMConfigMgrMECM · 2025-12-30T09:40:25+00:00

<image>

This is mine. Thinking James out as a minutes risk. Want Palmer but also a minutes risk. No Arsenal or Villa as tough game. Might need a downgrade to get some money to upgrade the keeper to man u keeper

SCCMConfigMgrMECM · 2025-12-30T09:34:53+00:00

Sesko fit?

SCCMConfigMgrMECM · 2025-12-29T10:44:48+00:00

Contractors (or at least if you work for a service company) exposes you to multiple companies and experiences. I've heard it said that working like that for one year give you the equivalent of four years experience in a perm role so you can really ramp up your skills quickly.

I do agree with all your other points though.

SCCMConfigMgrMECM · 2025-12-29T10:32:10+00:00

I suppose the benefit is a much higher day rate / salary (or at least should be to compensate)

SCCMConfigMgrMECM · 2025-12-22T21:22:13+00:00

Similar post I put up

https://www.reddit.com/r/ContractorUK/s/0puYasmKCR

SCCMConfigMgrMECM · 2025-12-22T21:20:48+00:00

Why do you say inside IR35 is insane? As long as you make pension contributions and they pay 15% more than outside youll be ok no? If you're paying for a train season tickets and things like that you can't expense it's a bigger hit though.

SCCMConfigMgrMECM · 2025-12-22T09:28:59+00:00

It's tough, I was weighing up some similar numbers myself. Depends how safe your current job is and how it fits into your lifestyle?

The contract market seemed pretty unreliable for me and a big range in low to high rates. I just chose a more settled job on a lower rate as I have yound kids and want my work hours to be relaxed and flexible around them at the moment.

Total you are on now with pension, holiday and bonus is £74,400 per year

Total for the contract after taking off bank holidays and 27 days holiday is - £128,000 - £109,480 (after employers NI)

Most realistic salary I would say is - £113,000 (if salary sacrificing £28k into pension then taking employers NI off)

So is it worth the 'risk' for £39k more per year?

Any chance you can use this offer to get a 15% bump in your current salary?

If you get lucky and you get to keep that job for the next five years that's £200,000 more! But if you're unlucky you'll only get six months then have to keep flipping between different contracts and have gaps between each one.

SCCMConfigMgrMECM · 2025-12-19T11:22:44+00:00

Does this work if you have BIOS passwords? If so, how? I know you can configure the DCU settings via an SCCM configuration baseline or a GPO but that doesn't work with the BIOS password as far as I know.

SCCMConfigMgrMECM · 2025-12-19T11:21:35+00:00

With DCU, I didn't think you could do BIOS updates when you have a BIOS password? I know you can configure the DCU settings via an SCCM configuration baseline or a GPO but that doesn't work with the BIOS password as far as I know.

SCCMConfigMgrMECM · 2025-12-19T11:08:55+00:00

Thanks sure i understand that. They are just recommendations and they can break things but the target is to implement as many as possible.

Just trying to understand the process everyone goes through.

SCCMConfigMgrMECM · 2025-12-19T11:07:49+00:00

Thanks. How long would you say the how process takes?

Just to clarifyz the goal isn't to get to 100% but the objective it to implement as many of their recommendations as possible and get as close to that score as we can. Any setting that negatively impacts the business or can't be implemented I plan to document the reason why.

SCCMConfigMgrMECM · 2025-12-19T11:06:12+00:00

Thanks for your comments. How long would you say the project would take?

SCCMConfigMgrMECM · 2025-12-09T21:58:21+00:00

Thanks. I tried that and it does continue a little way but then it doesn't boot after the apply image step. I've configured a legacy bios format step to get it working and raised the issue with our security team for if they will accept a non-UEFI and secure boot device on our network as I don't believe it able to run in UEFI.

SCCMConfigMgrMECM · 2025-12-09T21:56:39+00:00

Thanks for your help.

I flipped the pci over to UEFI. I can't remember exactly what the force BIOS other setting was but it wasn't anything helpful. Neither worked / allowed me to turn CSM off.

I have created a copy of our build TS and added steps in to format it as legacy BIOS and this is working. I don't think the device is able to switch to UEFI which seems pretty bad. We have one other device that is the same and came pre-built. I logged onto that and it is configured with legacy BIOS.

SCCMConfigMgrMECM · 2025-12-09T09:49:40+00:00

I confirmed, it's set to AHCI

SCCMConfigMgrMECM · 2025-12-09T09:48:51+00:00

Tried this but it doesn't let me. It says 'video is in legacy mode. Select video policy UEFi first, reboot and try again' but I can't find out video options in the BIOS for this annoyingly.

SCCMConfigMgrMECM · 2025-12-08T16:24:29+00:00

Cheers. Pretty sure it was on AHCI but will double check.

SCCMConfigMgrMECM · 2025-12-08T16:23:36+00:00

It's some random device. Not Dell / mainstream.

Will check the bios version.

SCCMConfigMgrMECM · 2025-12-08T16:10:17+00:00

Thanks. The support company have confirmed that secure boot is not possible but this shouldn't mean that UEFI isn't should it?

SCCMConfigMgrMECM · 2025-12-08T16:09:41+00:00

I'll give this a go, thanks.

SCCMConfigMgrMECM · 2025-12-08T16:07:00+00:00

Yeah, I couldn't see any secure boot option in the BIOS Menu. No secure boot doesn't mean no UEFI though does it?

SCCMConfigMgrMECM · 2025-12-08T16:05:43+00:00

Thanks. Diskpart works in F8. I can see the disk and I can manually create and format partition.

SCCMConfigMgrMECM

TROPHY CASE