The £0 Cyber Essentials Checklist: How to Secure Windows 11 and Microsoft 365 Using Built-In Tools in 2026

“WE’VE JUST FAILED CYBER ESSENTIALS PLUS – AND WE DIDN’T BUY A SINGLE SECURITY TOOL.”
That’s the uncomfortable conversation more UK IT leaders are having in 2026.
Not because they lack budget for shiny new platforms, but because they never fully used the controls already sitting in Windows 11 and Microsoft 365.
With v3.3 tightening Cyber Essentials rules – auto‑fail MFA, auto‑fail patching, stricter scoping – the margin for error has vanished.
This article walks through a practical, £0‑spend checklist using only what’s built in, so your Windows 11 and Microsoft 365 estate can withstand both real attacks and a Cyber Essentials / CE+ audit.
What you’ll learn
- How the 2026 Cyber Essentials changes impact Windows 11 and Microsoft 365 environments.
- A control‑by‑control checklist (firewalls, secure configuration, UAC, malware, patching) using only built‑in features.
- How to meet the new mandatory MFA and 14‑day patching rules without extra licensing.
- How to align Microsoft 365 identities, passkeys, and Security Defaults with the User Access Control requirements.
- How to bring BYOD, contractors, and cloud services into scope without exploding costs.
- How to pre‑stage evidence for Cyber Essentials Plus using native Windows and M365 tooling.
Designing a £0 Cyber Essentials Posture with What You Already Own
Answer-First Summary: Most UK organisations already have the tools needed for a clean Cyber Essentials pass if they run Windows 11 Pro/Enterprise and Microsoft 365 Business/Enterprise. The challenge is configuration, not procurement.
The 2026 update doesn’t add new controls – it makes existing ones non‑negotiable and closes loopholes around cloud scope, MFA, and patch management.
The strategy is therefore simple: implement the five controls end‑to‑end, prove them, and do it with native capabilities.
Map the five Cyber Essentials controls to Microsoft:
- Firewalls & gateways → Windows Defender Firewall, router/firewall configuration.
- Secure configuration → Windows 11 security baselines, hardening, default password removal.
- User access control → Entra ID (Azure AD), Security Defaults, MFA, passkeys, admin separation.
- Malware protection → Microsoft Defender Antivirus, SmartScreen, application control.
- Security update management → Windows Update for Business / WSUS / manual, M365 service health & updates.
📋 Mini‑Checklist – Before You Touch Any Settings
- Create/refresh an asset register: Windows devices, mobiles, servers, firewalls, routers, cloud services.
- Decide which legal entities are in scope and document them.
- Confirm all devices and cloud services that access organisational data are in scope (including BYOD and contractors).
- Download the latest Cyber Essentials Question Set & Requirements for IT Infrastructure v3.3 for reference.
- Agree board‑level ownership – directors must sign a declaration confirming that all controls are fully implemented.
With this mapped, you can work control‑by‑control through Windows 11 and Microsoft 365, checking both security posture and auditability.
Secure Configuration and Firewalls in Windows 11
Answer-First Summary: Secure configuration and boundary firewalls are still among the highest failure points. In 2026, every device that connects to the internet and holds organisational data is in scope unless it is technically segregated. That includes home‑working laptops and many BYOD endpoints.
You can get very close to the required baseline using only built‑in Windows 11 features and your existing perimeter devices.
1. Lock down Windows 11 using security baselines
Microsoft Security Baselines distil thousands of Group Policy and MDM settings into a curated, security‑focused set.
They are developed by Microsoft’s security engineering teams and partners and are distributed as GPO backups and MDM baselines.
On‑prem AD:
- Download the latest Windows 11 Security Baseline via the Security Compliance Toolkit.
- Import the baseline GPOs into Group Policy Management.
- Link them to the OUs containing in‑scope Windows 11 devices.
Cloud‑managed:
- In Intune, use the built‑in Endpoint Security → Security Baselines (for Windows 11).
- Assign to all in‑scope device groups (including remote workers).
- Monitor compliance and remediate drift.
Key secure‑config items Cyber Essentials expects, all achievable with baselines / local policy:
- Disable auto‑run and auto‑play on all removable media.
- Disable guest accounts, ensure unique named accounts only.
- Remove or change all default manufacturer passwords (including printers, switches, Wi‑Fi APs).
- Enforce minimum password lengths (see identity section) and account lockout / throttling.
💡 Pro Tip – Proving Configuration to a CE+ Assessor
- For GPO: Export Resultant Set of Policy (RSoP) reports for sampled machines.
- For Intune: Export device compliance reports and screenshots of baseline assignments.
- Documentation: Keep a short hardening runbook mapping Cyber Essentials secure‑config bullets to actual settings / GPO names.
2. Configure host and boundary firewalls properly
Firewall misconfiguration accounts for a large proportion of failures. Cyber Essentials expects:
- Every internet boundary protected by a documented, default‑deny firewall policy.
- No management interfaces exposed directly to the internet.
- Host‑based firewalls enabled and tamper‑resistant on all in‑scope devices.
On Windows 11:
- Use Windows Defender Firewall with Advanced Security:
- Confirm all profiles (Domain, Private, Public) are On.
- Enforce block‑by‑default for inbound, allow‑by‑exception.
- Use GPO/Intune to prevent standard users from disabling the firewall.
On perimeter devices:
- Implement a default‑deny inbound rule set; document every exception and get formal approval.
- Change all default admin credentials and restrict management access to trusted IPs or VPN only.
- For home workers where you don’t manage the router, Cyber Essentials allows Windows Defender Firewall to act as the boundary.
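The secure-configuration items listed under the baselines step (AutoRun/AutoPlay, guest account, lockout) and the host-firewall items just above can all be read back from the device itself and turned into assessor evidence. The script below is an added example, not code from the article or from Microsoft; it assumes an elevated Windows PowerShell 5.1 session on the sampled Windows 11 device, and the evidence path and the 10-attempt lockout ceiling are illustrative choices.

```powershell
#Requires -RunAsAdministrator
# Added example: audit a Windows 11 device against the Cyber Essentials secure-configuration
# and host-firewall items above and write the results to a CSV for the assessor.
# Assumed/illustrative values: the evidence path and the 10-attempt lockout ceiling.
$EvidencePath        = "$env:ProgramData\CE-Evidence\$env:COMPUTERNAME-config.csv"
$MaxLockoutThreshold = 10

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check {
    param([string]$Control, [string]$Check, [bool]$Pass, [string]$Detail)
    $verdict = if ($Pass) { 'PASS' } else { 'FAIL' }
    $results.Add([pscustomobject]@{
        Device = $env:COMPUTERNAME; Control = $Control; Check = $Check; Result = $verdict; Detail = $Detail
    })
}

# 1. AutoRun/AutoPlay off for every drive type (policy values written by the baseline GPO/MDM profile).
$explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$noDrive  = (Get-ItemProperty -Path $explorer -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
$noAuto   = (Get-ItemProperty -Path $explorer -Name NoAutorun -ErrorAction SilentlyContinue).NoAutorun
Add-Check 'Secure configuration' 'AutoPlay disabled on all drive types' ($noDrive -eq 255) "NoDriveTypeAutoRun=$noDrive"
Add-Check 'Secure configuration' 'AutoRun commands not executed'        ($noAuto -eq 1)    "NoAutorun=$noAuto"

# 2. Guest disabled, and the enabled local accounts recorded so you can show they are unique, named accounts.
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
Add-Check 'Secure configuration' 'Guest account disabled' ((-not $guest) -or (-not $guest.Enabled)) "Guest.Enabled=$($guest.Enabled)"
$enabledLocal = (Get-LocalUser | Where-Object Enabled).Name -join ', '
Add-Check 'Secure configuration' 'Enabled local accounts listed for review' $true "Enabled: $enabledLocal"

# 3. Brute-force protection: the effective local lockout threshold as reported by 'net accounts'.
$line      = (@(net accounts) -match '^Lockout threshold:') | Select-Object -First 1
$threshold = ($line -replace '^Lockout threshold:\s*', '').Trim()     # 'Never' or a number
$count     = if ($threshold -eq 'Never') { 0 } else { [int]$threshold }
Add-Check 'User access control' "Lockout after 1-$MaxLockoutThreshold failed attempts" ($count -ge 1 -and $count -le $MaxLockoutThreshold) "Threshold=$threshold"

# 4. Host firewall: every profile on with inbound default-deny. 'NotConfigured' for the default
#    action means the built-in default (Block) applies; an explicit Block is what a baseline sets.
foreach ($p in Get-NetFirewallProfile) {
    $on   = "$($p.Enabled)" -eq 'True'
    $deny = "$($p.DefaultInboundAction)" -in 'Block', 'NotConfigured'
    Add-Check 'Firewalls' "$($p.Name) profile on, inbound default-deny" ($on -and $deny) "Enabled=$($p.Enabled) Inbound=$($p.DefaultInboundAction)"
}

# 5. Tamper resistance: an EnableFirewall value under the Policies hive means GPO is enforcing the
#    state rather than a local choice ('Standard' is the registry name of the Private profile).
#    Intune-managed devices are evidenced from the Intune compliance report instead.
foreach ($prof in 'Domain', 'Standard', 'Public') {
    $key = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\${prof}Profile"
    $val = (Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
    Add-Check 'Firewalls' "$prof profile firewall enforced by policy" ($val -eq 1) "EnableFirewall=$val"
}

New-Item -ItemType Directory -Path (Split-Path $EvidencePath) -Force | Out-Null
$results | Export-Csv -Path $EvidencePath -NoTypeInformation -Encoding UTF8
$results | Format-Table Control, Check, Result, Detail -AutoSize
"$(@($results | Where-Object Result -eq 'FAIL').Count) failing check(s); evidence written to $EvidencePath"
```

Run it on each device in the assessor's sample and keep the CSVs alongside the RSoP or Intune exports; a FAIL on the policy-enforcement rows on a GPO-managed device usually means the baseline GPO is not linked to that machine's OU.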
🔑 Key Takeaway
If a Windows 11 laptop can reach the internet and holds business data, its host firewall must be enabled and centrally enforced. Relying on consumer broadband routers is not sufficient for compliance.
User Access Control, MFA and Passkeys in Microsoft 365
Answer-First Summary: User Access Control is where the 2026 changes bite hardest. MFA is now a strict auto‑fail control for all in‑scope cloud services where it is available; passwordless and passkeys are strongly promoted; and standard user accounts are recognised as prime targets, not just admins.
1. Enforce MFA everywhere using Security Defaults or policies
Under v3.3, if any cloud service (including Microsoft 365) supports MFA, it must be enabled for all accounts – users, admins, break‑glass, service accounts – or the assessment fails.
In Microsoft 365 / Entra ID:
- For smaller tenants without complex Conditional Access:
- Turn on Security Defaults in the Entra ID properties blade.
- This makes every user register for MFA, always challenges administrators, challenges other users whenever Entra ID judges it necessary (for example a new device, location or privileged task), and blocks legacy authentication protocols that cannot carry an MFA challenge, all at no extra cost.
- For larger / more complex environments (with appropriate licensing):
- Use Conditional Access to require MFA for:
- All cloud apps, all users (including guests and contractors).
- Especially admin roles and privileged operations.
- Block legacy protocols that bypass MFA.
Accepted factors include app‑based OTP, push notifications, hardware FIDO2 keys, Windows Hello for Business and (although weaker) SMS.
📋 Mini‑Checklist – MFA for Cyber Essentials 2026
- MFA enforced for all Entra ID users, including contractors and part‑timers.
- MFA enforced for all M365 admin roles (Global Admin, Exchange, SharePoint, etc.).
- MFA enabled on every other in‑scope SaaS that supports it (CRM, finance, HR, ticketing).
- Written confirmation that MFA is mandatory, not “optional for users”.
- Evidence (screenshots / exports) of Security Defaults or Conditional Access policies.
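The last two checklist items (Security Defaults or Conditional Access evidence, and proof that MFA is mandatory for every identity) can be exported in one pass with the Microsoft Graph PowerShell SDK. This is an added example, not code from the article or from Microsoft. It assumes the Microsoft.Graph module is installed (Install-Module Microsoft.Graph), that you sign in with an account able to read policies and reports, and that the tenant is licensed for Conditional Access and the registration report (Entra ID P1, included in Business Premium and E3/E5); the output folder is an illustrative choice.

```powershell
# Added example: export MFA evidence from Entra ID for the Cyber Essentials assessor.
# Assumptions: Microsoft.Graph module installed; the output folder is illustrative.
$Out = "$env:USERPROFILE\CE-Evidence"
New-Item -ItemType Directory -Path $Out -Force | Out-Null

Connect-MgGraph -Scopes 'Policy.Read.All', 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

# 1. Security Defaults: the tenant-wide, no-cost MFA switch.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($sd.IsEnabled)"

# 2. Conditional Access: enabled policies whose grant requires MFA or an authentication strength.
$caPolicies  = Get-MgIdentityConditionalAccessPolicy | Where-Object { $_.State -eq 'enabled' }
$mfaPolicies = @($caPolicies | Where-Object {
    ($_.GrantControls.BuiltInControls -contains 'mfa') -or ($null -ne $_.GrantControls.AuthenticationStrength.Id)
})
$mfaPolicies | Select-Object DisplayName, State,
    @{ n = 'Users'; e = { $_.Conditions.Users.IncludeUsers -join ',' } },
    @{ n = 'Apps';  e = { $_.Conditions.Applications.IncludeApplications -join ',' } } |
    Export-Csv "$Out\ca-mfa-policies.csv" -NoTypeInformation

if (-not $sd.IsEnabled -and $mfaPolicies.Count -eq 0) {
    Write-Warning 'Neither Security Defaults nor an MFA Conditional Access policy is enabled: auto-fail risk.'
}

# 3. Per-user registration: MFA is only "enforced" for an identity that can actually satisfy a challenge.
$reg = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$reg | Select-Object UserPrincipalName, IsAdmin, IsMfaRegistered, IsMfaCapable, IsPasswordlessCapable,
    @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
    Export-Csv "$Out\mfa-registration.csv" -NoTypeInformation

$notCapable = @($reg | Where-Object { -not $_.IsMfaCapable })
"Users: $(@($reg).Count)  MFA-capable: $(@($reg | Where-Object IsMfaCapable).Count)  Not capable: $($notCapable.Count)"
$notCapable | Where-Object IsAdmin | ForEach-Object { Write-Warning "Admin without MFA: $($_.UserPrincipalName)" }
"Evidence written to $Out"
```

The two CSVs map directly onto the question set: the policy export shows the control exists, the registration export shows who it actually covers. Contractors and guests appear in the registration report too, which is where the "everyone, not just staff" gaps usually surface.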
2. Modernise passwords and move towards passkeys
Cyber Essentials now mirrors NCSC guidance:
- Minimum 8 characters with MFA, or 12 characters if MFA is genuinely impossible.
- No mandatory periodic password expiry; change only on suspicion or evidence of compromise.
- Implement brute‑force protection (lockout or throttling) on all internet‑accessible accounts.
Within Windows 11 and Microsoft 365:
- Set password policies via Entra ID or on‑prem AD synced to Entra ID.
- Implement account lockout (e.g. lock after ≤10 failed attempts).
- Encourage human‑chosen passwords using NCSC’s “three random words” approach.
- Deploy or at least formally allow password managers to prevent credential reuse.
On the passwordless front:
- Enable Windows Hello for Business for Windows 11 endpoints (PIN + biometrics).
- Roll out FIDO2 security keys / passkeys in Entra ID where feasible.
- Treat FIDO2 authenticators as both passwordless and a strong form of MFA, in line with NCSC and Cyber Essentials emphasis.
🔑 Key Takeaway
In 2026, a complex password policy without MFA, lockout and anti‑reuse controls will fail both security expectations and the Cyber Essentials marking scheme.
3. Separate admin accounts and least privilege
Cyber Essentials still expects strict separation of duties:
- Every admin has a separate admin account (e.g. admin.j.smith) used only for privileged tasks.
- No user – including IT – has local admin rights on their day‑to‑day account.
- No shared or generic accounts for administration.
In practice:
- In Entra ID / M365, assign admin roles only to dedicated admin accounts.
- Use Privileged Access Workstations (PAWs) or at least separate hardened VMs for admin tasks.
- Remove local admin from users via GPO/Intune; manage local passwords with LAPS or equivalent.
- Implement joiners/movers/leavers process tied to HR, with rapid de‑provisioning of leavers.
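Removing local admin from day-to-day accounts is easy to mandate and easy to undo quietly, so it is worth re-checking per device before an assessment. The script below is an added example, not code from the article or from Microsoft; it assumes an elevated session on the sampled Windows 11 device, and the approved-member names are hypothetical placeholders for your LAPS-managed local account and your dedicated admin group.

```powershell
#Requires -RunAsAdministrator
# Added example: list the local Administrators group on a Windows 11 device and flag any member
# that is not on the approved list (LAPS-managed local admin plus the dedicated admin group).
# The two approved names below are hypothetical placeholders, not identifiers from the article.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account, password rotated by LAPS (hypothetical)
    'CONTOSO\Workstation Admins'         # AD/Entra group that holds the admin.* accounts (hypothetical)
)
$EvidenceDir = "$env:ProgramData\CE-Evidence"
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

try {
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Type = "$($_.ObjectClass)"; Source = "$($_.PrincipalSource)" } }
} catch {
    # Some Entra-joined builds throw here when the group holds unresolved SIDs; fall back to net.exe output.
    $members = @(net localgroup Administrators) |
        Where-Object { $_ -match '^\S' -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command)' } |
        ForEach-Object { [pscustomobject]@{ Name = $_.Trim(); Type = 'Unknown'; Source = 'net.exe' } }
}

$report = foreach ($m in $members) {
    [pscustomobject]@{
        Device   = $env:COMPUTERNAME
        Member   = $m.Name
        Type     = $m.Type            # User or Group
        Source   = $m.Source          # Local, ActiveDirectory, AzureAD or MicrosoftAccount
        Approved = $ApprovedAdmins -contains $m.Name
    }
}

$report | Format-Table -AutoSize
$unapproved = @($report | Where-Object { -not $_.Approved })
if ($unapproved.Count -gt 0) {
    Write-Warning "$($unapproved.Count) unapproved local admin(s): $($unapproved.Member -join ', ')"
}
$report | Export-Csv "$EvidenceDir\$env:COMPUTERNAME-local-admins.csv" -NoTypeInformation
```

On Entra-joined devices two entries show up as raw SIDs (S-1-12-1-...) rather than names: they are the Global Administrator and Entra Joined Device Local Administrator role mappings, and they will be flagged as unapproved until you add them to the list deliberately. That is the right default, because those roles grant local admin on every joined device.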
Microsoft Defender and Application Hardening for Malware Protection
Answer-First Summary: Malware protection in Cyber Essentials is no longer just “have AV installed”. Assessors verify that defences are active, updated and effective in real life – including safe‑malware downloads during CE+.
Windows 11 and Microsoft 365 give you substantial coverage at zero additional licence cost.
1. Standardise on Microsoft Defender Antivirus
For most SMEs, Microsoft Defender Antivirus in active mode on all Windows 11 endpoints is sufficient to meet the malware control when correctly configured:
- Ensure real‑time protection, cloud‑delivered protection and automatic sample submission are enabled.
- Confirm daily definition updates (via Windows Update, WSUS or Intune).
- Block users from disabling Defender AV or its core protections.
For Cyber Essentials Plus:
- Be prepared for the assessor to attempt a safe test malware download (e.g. EICAR).
- Verify in advance that Defender blocks execution and logs the event centrally.
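The configuration points above and the CE+ EICAR test can be rehearsed on a device in one script that also captures the detection as evidence. This is an added example, not code from the article or from Microsoft; it assumes an elevated session on the sampled Windows 11 device, and the evidence folder and the two-day signature-age limit are illustrative choices. EICAR is the industry-standard harmless test string, not malware.

```powershell
#Requires -RunAsAdministrator
# Added example: check the Microsoft Defender Antivirus settings Cyber Essentials expects,
# reproduce the CE+ assessor's EICAR test, and export the detection events as evidence.
# Assumed/illustrative values: the evidence folder and the 2-day signature-age limit.
$Out = "$env:ProgramData\CE-Evidence"
New-Item -ItemType Directory -Path $Out -Force | Out-Null
$MaxSignatureAgeDays = 2

$status = Get-MpComputerStatus
$pref   = Get-MpPreference
$checks = [ordered]@{
    'Defender AV in active mode (not passive)'            = $status.AMRunningMode -eq 'Normal'
    'Real-time protection on'                             = $status.RealTimeProtectionEnabled
    'Cloud-delivered protection on'                       = $pref.MAPSReporting -ne 0        # 0 = Disabled, 1 = Basic, 2 = Advanced
    'Automatic sample submission on'                      = $pref.SubmitSamplesConsent -in 1, 3   # 1 = safe samples, 3 = all samples
    'Tamper protection on'                                = $status.IsTamperProtected
    "Signatures updated within $MaxSignatureAgeDays days" = $status.AntivirusSignatureAge -le $MaxSignatureAgeDays
}

# Reproduce the assessor's test: write the EICAR string and confirm Defender removes it and logs it.
# The string is assembled from two halves so this script file is not itself quarantined on disk.
$eicar    = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-' + 'STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$testFile = Join-Path $env:TEMP 'ce-eicar-test.com'
$start    = Get-Date
try { [System.IO.File]::WriteAllText($testFile, $eicar) }   # real-time protection usually blocks the write itself
catch { }
Start-Sleep -Seconds 10
$detected = @(Get-MpThreatDetection | Where-Object {
    $_.InitialDetectionTime -ge $start.AddMinutes(-1) -and (($_.Resources -join ' ') -match 'ce-eicar-test')
})
$checks['EICAR test file blocked and detection logged'] = (-not (Test-Path $testFile)) -and ($detected.Count -gt 0)
Remove-Item $testFile -ErrorAction SilentlyContinue      # only still present if protection is off

# Event IDs 1116 (malware detected) and 1117 (action taken) are what a central log collector should show.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1116, 1117; StartTime = $start } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Export-Csv "$Out\$env:COMPUTERNAME-defender-events.csv" -NoTypeInformation

$report = foreach ($k in $checks.Keys) {
    $verdict = if ($checks[$k]) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{ Device = $env:COMPUTERNAME; Check = $k; Result = $verdict }
}
$report | Export-Csv "$Out\$env:COMPUTERNAME-defender-config.csv" -NoTypeInformation
$report | Format-Table -AutoSize
```

If the EICAR row fails while everything else passes, the usual cause is a third-party AV that has pushed Defender into passive mode (AMRunningMode other than Normal), which is exactly the "partially deployed stack" problem discussed later in this article.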
2. Use SmartScreen and application control
Malware often arrives via the browser and untrusted executables. You can harden this without extra tooling:
- Enable Microsoft Defender SmartScreen for Edge and (where managed) for other browsers.
- Consider implementing Smart App Control or AppLocker / WDAC policies to:
- Allow only trusted, signed or whitelisted binaries.
- Block unsigned or unknown executables from user profile locations.
For Microsoft 365:
- Turn on built‑in protections such as Safe Attachments / Safe Links where your licence includes Defender for Office 365.
- At minimum, enforce basic anti‑phishing policies and block high‑risk file types via Exchange Online.
💡 Pro Tip
For CE+, build a small evidence pack: screenshots of Defender configuration, sample malware detections, and export of security event logs from a representative Windows 11 device.
14‑Day Patching and Asset Scope Using Built-In Windows and M365 Tools
Answer-First Summary: The 2026 scheme enforces strict auto‑fail rules in the security update management section: fail to deploy any high‑risk or critical update within 14 days of release, and you fail the assessment. This includes OS, applications, browser extensions, and firmware on routers, firewalls and network gear.
1. Implement a 14‑day patching rhythm on Windows 11
You can hit the 14‑day requirement with Windows’ standard management stack:
Smaller estates:
- Use Windows Update directly with well‑defined maintenance windows.
- Maintain a central register showing when devices last received updates.
Larger / more distributed environments:
- Use Windows Update for Business or WSUS to approve and track updates.
- For Intune‑managed devices, enforce Update Rings with deadlines ≤ 7 days for quality updates.
For travel / seldom‑used laptops:
- Enforce automatic update installation once powered on and online.
- Include them in monthly patch compliance reviews so they don’t quietly drift out of date.
For Cyber Essentials:
- Document your patching process, including how you identify critical updates and how you measure compliance.
- Keep exportable proof: compliance reports, WSUS statistics, Intune update reports.
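The 14-day rule is measured per device, so a compliance report from the management console should be backed by a check on the sampled machines themselves. The script below is an added example, not code from the article or from Microsoft; it uses the Windows Update Agent COM API that ships with Windows, assumes the device can reach its normal update source (Windows Update, WUfB or WSUS), and the CSV path is an illustrative choice. MSRC's Critical/Important ratings are used as the "critical/high" bar the scheme describes.

```powershell
# Added example: on a sampled Windows 11 device, list missing updates, flag critical/important
# ones published more than 14 days ago, and record the last successful install.
# Assumptions: the device can reach its update source; the CSV path is illustrative.
$WindowDays = 14
$Out = "$env:ProgramData\CE-Evidence\$env:COMPUTERNAME-updates.csv"
New-Item -ItemType Directory -Path (Split-Path $Out) -Force | Out-Null

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Missing software updates (Type='Software' excludes drivers). LastDeploymentChangeTime is the
# date Microsoft published or last revised the update, which is when the 14-day clock starts.
$search  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
$missing = @(foreach ($u in $search.Updates) {
    $published = $u.LastDeploymentChangeTime
    [pscustomobject]@{
        Device    = $env:COMPUTERNAME
        Title     = $u.Title
        KB        = @($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Severity  = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unrated' }
        Published = $published.ToString('yyyy-MM-dd')
        DaysOpen  = [int]((Get-Date) - $published).TotalDays
    }
})

# The auto-fail test: critical/important fixes still missing after the window has elapsed.
$overdue = @($missing | Where-Object { $_.Severity -in 'Critical', 'Important' -and $_.DaysOpen -gt $WindowDays })

# Last successful install from the local history (ResultCode 2 = Succeeded, Operation 1 = Installation),
# ignoring Defender security-intelligence updates so the date reflects real patching.
$lastInstall = $null
$total = $searcher.GetTotalHistoryCount()
if ($total -gt 0) {
    $lastInstall = $searcher.QueryHistory(0, $total) |
        Where-Object { $_.ResultCode -eq 2 -and $_.Operation -eq 1 -and $_.Title -notmatch 'Security Intelligence' } |
        Sort-Object Date -Descending | Select-Object -First 1
}

$missing | Sort-Object DaysOpen -Descending | Export-Csv -Path $Out -NoTypeInformation
$missing | Format-Table Severity, DaysOpen, KB, Title -AutoSize
"{0}: {1} missing update(s), {2} critical/important overdue (> {3} days). Last successful install: {4}" -f
    $env:COMPUTERNAME, $missing.Count, $overdue.Count, $WindowDays,
    $(if ($lastInstall) { $lastInstall.Date.ToString('yyyy-MM-dd') } else { 'none recorded' })
if ($overdue.Count -gt 0) { Write-Warning "Cyber Essentials 14-day rule breached on $env:COMPUTERNAME" }
```

Unrated entries are usually feature or cumulative packages without an MSRC severity tag; treat a cumulative update as security-relevant regardless, because it carries that month's security fixes. The same search against a WSUS-managed device only shows what WSUS has approved, so an empty result on such a device is evidence of approval lag, not of compliance.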
2. Don’t forget firmware and network devices
The new rules explicitly cover:
- Firewall and router firmware.
- Managed switches, VPN appliances, Wi‑Fi access points.
While there is no Microsoft tooling here, compliance is still possible without extra spend:
- Maintain an inventory of all network devices in scope, including ISP‑provided kit where you manage config.
- Subscribe to vendor security advisories and track firmware versions.
- For each advisory rated high/critical, schedule and document an upgrade within 14 days.
If a critical patch would break line‑of‑business software and cannot be applied:
- Cyber Essentials only accepts full network isolation as a mitigation:
- Move the affected system to a segregated subnet with no internet connectivity.
- Ensure it cannot reach, or be reached from, in‑scope systems.
- Document the design and be ready to explain it to the assessor.
🔑 Key Takeaway
“We planned to patch next quarter” is no longer acceptable. For high‑risk / critical vulnerabilities, assessors do not consider business reasons; the only options are patch within 14 days or fully isolate.
3. Align Microsoft 365 and cloud patch posture
For Microsoft 365 itself, patching is largely Microsoft’s responsibility under the shared responsibility model. Your obligations are:
- Ensure all client applications (Office desktop, browsers, plug‑ins) on Windows 11 are patched within 14 days.
- Keep unsupported software (end‑of‑life Office versions, old browsers) completely off in‑scope devices, or fully segregated.
- Maintain a register of other SaaS apps and confirm vendor patch policies; where you control any agent or connector on Windows 11, treat it like any other application.
Cloud and BYOD Scope: Making Microsoft 365 and Personal Devices Compliant
Answer-First Summary: The v3.3 update removes scoping ambiguity. Any device that connects to the internet and holds organisational data is in scope unless technically segregated. Any cloud service accessed with business credentials that stores or processes organisational data is in scope and cannot be excluded.
1. Get Microsoft 365 fully in scope and configured
Microsoft 365 is almost always in scope as a cloud service:
- List it explicitly in the assessment answer that requests all cloud services.
- Ensure:
- MFA is enforced for all identities.
- Admin roles are separated and minimised.
- Security Defaults / Conditional Access are configured as your primary guardrails.
- Audit logging is enabled (where available in your SKU).
Remember: if M365 offers a security feature (e.g. MFA, security defaults) and you haven’t turned it on, this is now a marking problem, not a “nice‑to‑have”.
2. Bring BYOD and contractors under control without buying an MDM platform
The rules for 2026 clarify:
- Any personal or contractor device used to access corporate data – even only via browser/VDI – is in scope.
- You must either:
- Fully apply all five Cyber Essentials controls to that device, or
- Use some form of containerisation or work profile to control the corporate slice.
With zero extra spend, you have limited but usable options:
For personal mobiles:
- Use platform‑native work profiles (Android work profile, iOS/iPadOS user enrolment). These are pushed by an MDM: Basic Mobility and Security is included in most Microsoft 365 plans and Intune in Business Premium, so check what your licence already covers before assuming you need to buy one. If neither is available, reduce the organisational data reachable from mobiles to the absolute minimum.
- Enforce browser‑only access to M365 with conditional access and app‑level policies where licensed.
For contractor laptops:
- Where practicable, issue corporate‑managed Windows 11 devices instead of trusting unknown builds.
- If not, require written evidence that the contractor devices meet equivalent controls (MFA, AV, patching, encryption) and limit access to the minimum necessary.
💡 Pro Tip
Many organisations fail not on controls but on documentation. Maintain a short BYOD and contractor appendix to your asset register explicitly stating:
- Which device types are allowed.
- What controls they must have.
- How you verify compliance (onboarding checks, periodic attestations, conditional access).
The Counter-Intuitive Lesson Most People Miss
The most counter‑intuitive aspect of the 2026 Cyber Essentials regime is this: buying more tools often makes passing harder, not easier.
CE+ failures frequently stem from:
- An overgrown stack of partially deployed security products.
- Legacy agents and “quick wins” that conflict with one another.
- Misconfigured cloud security features left in “pilot” for years.
Each extra tool introduces:
- Another patching surface you must keep within the 14‑day SLA.
- Another console you have to monitor and demonstrate to assessors.
- Another agent that can break baselines, interfere with updates or confuse incident response.
By contrast, organisations that standardise heavily on:
- Windows 11 security baselines.
- Microsoft Defender as primary endpoint defence.
- Entra ID + MFA / passkeys as the core identity plane.
often find it easier to:
- Demonstrate end‑to‑end coverage.
- Produce clear audit evidence from a small number of consoles.
- Maintain continuous compliance between annual assessments.
In other words, depth of configuration beats breadth of procurement. The scheme is deliberately written around controls that Windows 11 and Microsoft 365 already implement well when used properly. Exploiting those to the full is usually a faster, cheaper and more robust route to both real security and a clean certificate.
Key Terms Mini‑Glossary
- Cyber Essentials – A UK government‑backed baseline security certification covering five technical controls for organisations.
- Cyber Essentials Plus (CE+) – The higher tier adding hands‑on technical testing, vulnerability scanning and device sampling by an external assessor.
- Entra ID (Azure AD) – Microsoft’s cloud identity platform backing Microsoft 365 sign‑ins, MFA and Conditional Access.
- Security Defaults – A no‑cost Entra ID configuration enforcing MFA and modern security defaults tenant‑wide.
- Microsoft Security Baselines – Microsoft‑recommended groups of Windows and Edge configuration settings focused on reducing security risk.
- Multi‑Factor Authentication (MFA) – Authentication requiring at least two factors (knowledge, possession, inherence) before granting access.
- Passkey / FIDO2 authenticator – Device‑bound cryptographic credentials, often unlocked with biometrics, providing phishing‑resistant, passwordless sign‑in.
- Windows Defender Firewall – The built‑in Windows host firewall providing per‑device network boundary protection.
- Microsoft Defender Antivirus – The integrated Windows endpoint protection platform providing anti‑malware and exploit protection.
- Windows Update for Business (WUfB) – Cloud‑based Windows update management using policies and rings to control deployment timing.
FAQ
Q1. Can an organisation realistically get Cyber Essentials Plus using only Windows 11 and Microsoft 365 tools?
Yes. For many SMEs, Windows 11 (with security baselines, Defender and proper patching) plus Microsoft 365 (with enforced MFA and hardened identities) is entirely sufficient. The determining factor is configuration quality and evidence, not how many third‑party tools you own.
Q2. Does Security Defaults really satisfy the 2026 MFA auto‑fail requirement?
Security Defaults requires every user in the tenant to register for MFA, always challenges administrators, challenges other users when Entra ID judges it necessary, and blocks legacy authentication. Where your architecture allows it and you don't need granular Conditional Access, it is typically accepted as a compliant way to meet the “MFA everywhere” requirement for M365. Because the prompt for ordinary users is not unconditional, keep a sign‑in log export showing MFA being satisfied by standard users as well as admins.
Q3. How are legacy or specialist Windows systems treated if they can’t be patched within 14 days?
If they are in scope and cannot receive a critical patch, Cyber Essentials expects them to be fully isolated from the internet and from in‑scope networks. Compensating controls like extra firewalls are not enough unless they achieve real segregation.
Q4. Are SMS one‑time codes acceptable as MFA under Cyber Essentials?
Yes, SMS codes are still technically accepted, but they are recognised as the weakest option due to SIM‑swap and signalling attacks. Organisations are strongly encouraged to favour authenticator apps, hardware tokens or passkeys where possible.
Q5. Do thin clients or VDI sessions simplify the assessment scope?
Not in 2026. Both the thin client hardware and the virtual desktop environment are in scope and must meet all five technical controls. Access control has to be enforced at both layers.
Q6. How much evidence will a CE+ assessor typically ask for around Windows 11 configuration?
Expect them to inspect a random device sample, review effective policy (RSoP / Intune reports), verify AV and firewalls in real time, test malware blocking, and check patch levels and local admin rights. Having prepared exports and screenshots accelerates the process.
Conclusion
The 2026 Cyber Essentials update has turned MFA and patching into unforgiving gatekeepers and pulled every meaningful cloud service and internet‑connected device into scope.
That shift has exposed a quiet truth: most organisations already own almost everything they need to comply – in Windows 11 and Microsoft 365.
By:
- Hardening Windows 11 with Microsoft Security Baselines and properly configured firewalls.
- Enforcing MFA (and increasingly passkeys) across all Microsoft 365 and other cloud services.
- Standardising on Microsoft Defender for malware protection.
- Meeting the 14‑day patching rule with disciplined use of Windows Update and firmware management.
- Bringing BYOD, contractors and cloud apps into a clearly documented scope.
you can achieve a robust, auditable security posture without new licences.
The organisations that will sail through Cyber Essentials and CE+ in 2026 are not the ones with the biggest security stack; they are the ones that squeezed the most security out of the stack they already had – starting with Windows 11 and Microsoft 365.