Applying CIS Benchmarks to Harden Windows 11 VDI Systems

Virtual Desktop Infrastructure (VDI) has become a cornerstone of modern IT environments, especially as organizations embrace remote work, centralized management, and scalable computing. VDI allows users to access desktop environments hosted on centralized servers, rather than relying on local machines. This architecture offers numerous benefits: streamlined updates, reduced hardware costs, and improved control over data and applications.

CIS Benchmarks + VDI

At the Center for Internet Security® (CIS®), we use Omnissa Horizon Client (formerly VMware Horizon Client) to connect to remote Windows 11 desktops. These virtual machines (VMs) reside in a secure data center and are accessed over a network, enabling our team to work efficiently from anywhere while maintaining a consistent user experience.

However, with convenience comes responsibility. Like any endpoint, virtual desktops are vulnerable to misconfigurations, malware, and unauthorized access. That’s why applying CIS Benchmarks®—globally recognized security configuration guidelines—is essential. These Benchmarks help organizations harden systems, reduce attack surfaces, and maintain consistent security across environments, including virtual desktops.

In this blog, we’ll share how the CIS IT team successfully implemented CIS Benchmarks in a VDI environment, focusing on Windows 11 deployments within an Omnissa Horizon setup. We’ll walk through our methodology, the tools we leveraged, and the key lessons we learned to help others replicate or tailor this strategy to their own environments.

Dispelling VDI Security Myths

One of the most persistent myths in IT security is that VDI environments are inherently harder to secure, or worse, incompatible with CIS Benchmarks. This misconception often stems from the assumption that virtual desktops behave differently from physical endpoints. In reality, a virtual desktop is the same Windows 11 operating system, joined to the same domain and managed by the same policies, so it follows the same foundational security principles as a traditional on-premises machine.

The truth is that the same tools used to harden physical machines—such as Group Policy, Active Directory, and CIS Build Kits—work just as effectively in virtual environments. VDI is not a separate security domain; it’s an extension of your existing infrastructure.

CIS Benchmarks are designed with flexibility in mind, making them well-suited for both sides of a VDI deployment:

  • Server-side infrastructure: The systems hosting the virtual desktops
  • Client-side desktops: The virtual machines accessed by end users

This dual applicability allows organizations to maintain consistent security across their entire VDI ecosystem without reinventing the wheel. Whether you're managing hundreds of virtual desktops or just a handful, CIS Benchmarks provide a standardized, proven approach to hardening systems.

Implementation Strategy for Windows 11 in Omnissa Horizon

To bring CIS Benchmarks into our VDI environment, we followed a structured, repeatable process that balances performance optimization with robust security hardening. Here’s how we did it:

Step 1: Build a Clean Golden Image

We began by creating a pristine golden image of Windows 11. This image served as the foundation for all VDI systems. Importantly, we left the image unhardened during initial setup to preserve flexibility. This allowed us to make performance optimizations and departmental customizations before locking down security settings.

Step 2: Optimize with Omnissa Horizon OS Optimization Tool

Before cloning the golden image, we used the Omnissa Horizon OS Optimization Tool to enhance performance. This tool adjusts registry settings and local policy to streamline the user experience, reduce latency, and improve responsiveness. Some of its optimizations touch the same settings as Benchmark recommendations, so order matters: we applied the Benchmarks afterward, through domain Group Policy, so that wherever the two disagree the security setting wins. Keep in mind that Group Policy only rewrites the values it manages; any other change the optimization tool makes to the image persists into every clone, so compliance should be verified on a cloned, policy-refreshed desktop rather than on the golden image itself.

Step 3: Clone and Join Active Directory

Once optimized, the image was cloned to create individual virtual desktops. Each VM automatically joined our Active Directory domain, enabling centralized policy enforcement and streamlined management. This step was crucial for applying consistent security policies across all virtual desktops.

Step 4: Apply CIS Benchmarks via Group Policy

With domain integration complete, we applied CIS Benchmark settings using Group Policy Objects (GPOs). This approach offered several advantages:

  • Reuse of GPOs across both VDI clients and physical workstations
  • Customization of policies by department through Organizational Units (OUs)
  • Easy integration of additional Benchmarks (e.g., Microsoft Office, Chrome)

As CIS SecureSuite® Members, we also utilized Build Kits, which are template GPOs that streamline the deployment of CIS Benchmarks via Group Policy. These kits provide preconfigured settings aligned with CIS recommendations, reducing the time and effort required to implement secure configurations. For best practices on structuring and linking the GPOs, we referenced Active Directory and Group Policy Management guidance.
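The four steps above end with domain GPOs applying to freshly cloned desktops, and the natural next question is how to confirm that the Benchmark settings actually landed on a clone. The following PowerShell script is an added example written for this article, not code from the CIS IT team or from the Build Kits. It spot-checks a handful of CIS Windows 11 Benchmark Level 1 recommendations in the registry form that Group Policy and Security Options write to; the recommendation numbers are deliberately omitted because they shift between Benchmark versions, so each check is labelled with the Group Policy setting name instead. The optional domain-join check and gpupdate step are assumptions about how you would run it on a non-persistent clone. Run it in an elevated session on a cloned desktop, not on the golden image.

```powershell
# Added example: verify that CIS Windows 11 Benchmark settings delivered by
# domain GPO are effective on a cloned VDI desktop. Not part of the original
# article or of any CIS Build Kit. Expected values reflect the registry form of
# the named Group Policy / Security Options settings (Level 1 profile).
[CmdletBinding()]
param(
    [switch]$RefreshPolicy   # run gpupdate first, e.g. on a freshly provisioned clone
)

# A clone that never joined the domain cannot have received the hardening GPOs.
if (-not (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
    Write-Warning 'This machine is not domain-joined; domain GPOs cannot have applied.'
}

if ($RefreshPolicy) {
    gpupdate.exe /target:computer /force | Out-Null
}

# Registry path, value name, expected data, and the policy setting it represents.
$Expected = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'EnableLUA';                    Value = 1;   Setting = 'UAC: Run all administrators in Admin Approval Mode = Enabled' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'ConsentPromptBehaviorAdmin';   Value = 2;   Setting = 'UAC: Behavior of the elevation prompt for administrators = Prompt for consent on the secure desktop' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'LocalAccountTokenFilterPolicy'; Value = 0;  Setting = 'Apply UAC restrictions to local accounts on network logons = Enabled' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'LmCompatibilityLevel';         Value = 5;   Setting = 'Network security: LAN Manager authentication level = Send NTLMv2 response only. Refuse LM & NTLM' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RestrictAnonymousSAM';         Value = 1;   Setting = 'Network access: Do not allow anonymous enumeration of SAM accounts = Enabled' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RestrictAnonymous';            Value = 1;   Setting = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares = Enabled' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Name = 'UseLogonCredential';           Value = 0;   Setting = 'WDigest Authentication = Disabled' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Name = 'RequireSecuritySignature';     Value = 1;   Setting = 'Microsoft network client: Digitally sign communications (always) = Enabled' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'RequireSecuritySignature';     Value = 1;   Setting = 'Microsoft network server: Digitally sign communications (always) = Enabled' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'
       Name = 'AllowInsecureGuestAuth';       Value = 0;   Setting = 'Enable insecure guest logons = Disabled' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
       Name = 'AlwaysInstallElevated';        Value = 0;   Setting = 'Always install with elevated privileges = Disabled' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun';           Value = 255; Setting = 'Turn off Autoplay = Enabled: All drives' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
       Name = 'AllowBasic';                   Value = 0;   Setting = 'WinRM Client: Allow Basic authentication = Disabled' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
       Name = 'AllowUnencryptedTraffic';      Value = 0;   Setting = 'WinRM Service: Allow unencrypted traffic = Disabled' }
)

$results = foreach ($e in $Expected) {
    # A missing value reads as $null, which is a FAIL: "not configured" is not compliant.
    $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    [pscustomobject]@{
        Status   = if ($actual -eq $e.Value) { 'PASS' } else { 'FAIL' }
        Expected = $e.Value
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Setting  = $e.Setting
    }
}

$results | Format-Table -AutoSize -Wrap
$failed = @($results | Where-Object Status -eq 'FAIL').Count
Write-Host ("{0} of {1} checks passed" -f ($results.Count - $failed), $results.Count)

# Non-zero exit so a provisioning pipeline can refuse to release a non-compliant clone.
exit ([int]($failed -gt 0))
```

A FAIL here means one of two things: the hardening GPO did not reach the machine (confirm with `gpresult /r /scope:computer`, which lists the applied GPOs, and check the OU link and security filtering), or something applied later in the image pipeline overrode the value. Because it reads the effective registry state rather than the GPO definition, the same script is equally valid on physical workstations, which is exactly the point of reusing one set of GPOs across both. For full coverage rather than a spot check, run the CIS-CAT assessor against the Benchmark profile; this script is only the quick gate a practitioner wants between cloning and releasing a desktop pool.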

Results and Scalability

Using this method, CIS IT successfully deployed the CIS Windows 11 Benchmark to over 100 VDI systems. The process proved to be:

  • Scalable across multiple departments
  • Flexible for diverse use cases
  • Compatible with existing endpoint management tools

We’re now expanding this strategy to include additional Benchmarks, such as those for Microsoft Office.

CIS Benchmarks are not just compatible with VDI; they are essential to it. Whether you're securing physical workstations or virtual desktops, the same GPOs and foundational security principles apply. This unified approach simplifies administration, enhances consistency, and strengthens your overall security posture.

By following a structured process, starting with a clean image, optimizing for performance, joining Active Directory, and applying CIS Benchmarks via Group Policy, organizations can confidently secure their VDI environments without sacrificing usability or scalability.

Security doesn’t have to be complicated. With the right tools and a clear strategy, you can make VDI just as secure as any other endpoint in your network.
