Configuration Vulnerability? Why Your Windows Hardening Will Be Outdated in March 2026
03 May, 2026
Have you hardened your systems according to CIS benchmarks and feel secure? In principle, that’s exactly what you should do, but be careful: With the March 2026 update, the rules of the game have changed for Windows 11 and Windows Server. It’s essential that you familiarize yourself with the changes and adjust your hardening configuration.
Outdated security standards are like a lock that used to provide protection but no longer meets today’s requirements. The Center for Internet Security (CIS) has just released the March update—and has changed several settings, particularly for Windows environments.
“Set and Forget” is a fatal mistake when it comes to hardening
Many IT teams carry out a hardening project once and then consider the issue resolved for the next two years. But IT infrastructures are constantly evolving: Microsoft rolls out new ADMX templates, features are deprecated, and new attack vectors require new protective measures.
If you’re still working with benchmarks from 2025, you need to take action. Settings that were once secure no longer exist or have been changed, while new, critical configuration options (especially in Defender and Edge) are completely missing.
An Overview of the CIS March 2026 Update
The good news: CIS has delivered. This update is one of the most comprehensive in recent months. Here at TEAL, we’ve taken a close look at the changes for you. Here are the highlights you need to keep in mind:
1. Windows 11 Enterprise (v5.0.0) – The Big Spring Cleanup
The update to version 5.0.0 is a milestone. It’s not just about a few new settings, but a fundamental adaptation to the current ADMX templates.
- 9 new security settings: Additional barriers against modern exploit techniques.
- 23 updated settings: Fine-tuning of existing rules.
- 18 removed settings: Dead weight has been jettisoned – anyone still enforcing these will generate error messages in the log.
2. Windows Server 2022 (v5.0.0) & 2025 (v2.0.0)
The server landscape is also getting the upgrade it deserves. The jump to version 2.0.0 in Windows Server 2025 is particularly exciting. Eight new settings have been added and 17 deprecated ones removed. Anyone already using Server 2025 in production must follow suit to take full advantage of the security potential of the new OS generation.
3. Finally here: Defender & Intune for Edge
Two completely new benchmarks round out the portfolio:
- CIS Microsoft Defender Antivirus Benchmark v1.0.0: Finally, a dedicated standard for configuring Defender beyond the default settings.
- CIS Microsoft Intune for Edge Benchmark v1.0.0: A must-have for anyone who centrally manages browser security via the cloud.
Conclusion: It’s time for an audit
The new benchmarks show that the bar for IT security will be raised once again in March 2026. In particular, the updates for Windows 11 and the Server family are critical for the stability and security of your configuration due to the ADMX changes.
What you should do now:
- Check your current configuration against the new CIS versions (v5.0.0 for Win 11 / Server 2022).
- Implement the new Defender and Edge benchmarks to optimize your endpoint protection.
- Check whether your automation tools already support the new standards.
Need help with implementation? At TEAL, we can help you efficiently integrate the new CIS standards into your infrastructure without disrupting operations.