
Add Windows security baseline#41582

Draft
thomastysong wants to merge 2 commits into fleetdm:main from thomastysong:feat/security-baselines

Conversation


@thomastysong thomastysong commented Mar 12, 2026

Summary

Adds CIS Microsoft Windows 11 Enterprise Benchmark v4.0.0 solution artifacts — configuration profiles, verification policies, and remediation scripts — to docs/solutions/windows/ for use with Fleet's existing MDM, policy, and script systems.

These artifacts cover ~225 CIS benchmark controls across User Rights, Local Security Policy, Service Configuration, BitLocker, Windows Update, and Endpoint Security categories. Each setting is mapped to the appropriate Fleet primitive:

  • CSP configuration profiles (SyncML XML) for settings with OMA-URI equivalents
  • Verification policies (osquery SQL) for compliance checking
  • Remediation scripts (PowerShell) for settings without CSP equivalents

No Go code changes, no new database tables, no orbit modifications — just deployable content artifacts.

What's included

Configuration profiles (12 SyncML XML files)

| Profile | Controls | CSP Area |
|---|---|---|
| CIS 2.2 - User Rights Assignment [Bundle] | 39 controls | UserRights CSP |
| CIS 18.10.9.1.1 - Enhanced Anti-Spoofing | 1 control | Biometrics CSP |
| CIS 18.10.10.4 - DMA Protection | 1 control | DataProtection CSP |
| CIS 18.10.10 - BitLocker Fixed Data Drives [Bundle] | 13 controls | BitLocker CSP |
| CIS 18.10.10.2 - BitLocker OS Drives [Bundle] | 14 controls | BitLocker CSP |
| CIS 18.10.10.3 - BitLocker Removable Drives [Bundle] | 15 controls | BitLocker CSP |
| CIS 18.10.59.5 - Encrypted File Indexing | 1 control | Search CSP |
| CIS 18.10.93 - Windows Update [Bundle] | 8 controls | Update CSP |
| Windows Update Operations [Bundle] | 18 settings | Update CSP |
| Endpoint Security - App & Browser Isolation [Bundle] | 4 settings | ApplicationGuard CSP |
| Endpoint Security - Application Control [Bundle] | 3 settings | SmartScreen CSP |
| Endpoint Security - Web Protection [Bundle] | 3 settings | Defender/Browser CSP |

Verification policies (4 YAML files, ~106 individual policies)

| Policy file | Entries | Covers |
|---|---|---|
| CIS 2.3 - Local Security Policy | 53 | UAC, SMB signing, NTLM, Kerberos, network access, domain member settings |
| CIS 5 - Service Configuration | 42 | Service start-type checks for all CIS section 5 services |
| CIS Windows Update | 3 | Registry-based WU settings not expressible as CSP |
| Endpoint Security - Compliance | 8 | OS version, BitLocker, TPM, antivirus, MDM enrollment |

Each SCRIPT & POLICY policy includes a run_script reference to its corresponding remediation script.

Remediation scripts (3 PowerShell files)

| Script | Purpose |
|---|---|
| configure-local-security-policy.ps1 | Registry + secedit for all CIS 2.3.x controls |
| configure-services.ps1 | Disables all 42 CIS section 5 services |
| configure-windows-update-registry.ps1 | Windows Update registry settings |

CIS Benchmark mapping

Settings are categorized by the Fleet primitive they require:

  • CSP (SyncML profile): User Rights (2.2.x), BitLocker (18.10.10.x), Windows Update CSPs, Endpoint Security CSPs
  • SCRIPT & POLICY (script + verification policy): Local Security Policy (2.3.x), Service Configuration (5.x), WU registry settings
  • POLICY (verification only): Endpoint Security compliance checks (ES-008–ES-015)

How to use

These are standalone solution artifacts deployable through Fleet today:

  1. Profiles: Upload XML files via POST /api/v1/fleet/mdm/profiles or fleetctl apply
  2. Policies: Import YAML via fleetctl apply or the Fleet UI
  3. Scripts: Upload PS1 files via POST /api/v1/fleet/scripts or fleetctl apply, then link to policies via run_script

Test plan

  • All SyncML profiles pass Fleet's ValidateUserProvided() on upload
  • Policy YAML files parse correctly via fleetctl apply --dry-run
  • Scripts execute successfully on a Windows 11 test device
  • Verification policies return correct pass/fail on configured vs. unconfigured hosts
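
As an added illustration of the SCRIPT & POLICY pattern described in this PR (not one of the PR's own files), here is what one verification policy for a CIS 2.3 Local Security Policy control can look like: it checks the registry values that back "Digitally sign communications (always)" for both the SMB client (LanmanWorkstation) and server (LanmanServer), and points run_script at the PR's remediation script. The policy name, description and resolution wording, and the relative script path are assumptions; the YAML layout follows Fleet's GitOps policy format as I understand it.

```yaml
# Added example, not from the PR: one Fleet verification policy for a
# CIS 2.3 (Local Security Policy) control that has no CSP equivalent.
# Fleet marks a host as passing when the query returns at least one row,
# so a value that was never configured fails the same way an explicit 0 does.
- name: CIS 2.3 - SMB signing required (client and server)
  platform: windows
  description: >-
    Checks that "Microsoft network client: Digitally sign communications (always)"
    and "Microsoft network server: Digitally sign communications (always)" are
    both Enabled. Unsigned SMB sessions can be tampered with or relayed in transit.
  resolution: >-
    Run the linked remediation script, or set RequireSecuritySignature to 1 under
    the LanmanWorkstation and LanmanServer Parameters keys and reboot.
  query: |
    SELECT 1 WHERE EXISTS (
      SELECT 1 FROM registry
      WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature'
        AND CAST(data AS INTEGER) = 1
    ) AND EXISTS (
      SELECT 1 FROM registry
      WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\RequireSecuritySignature'
        AND CAST(data AS INTEGER) = 1
    );
  # Assumed relative path; adjust to wherever the PR's script lands in your repo.
  run_script:
    path: ../scripts/configure-local-security-policy.ps1
```

Both EXISTS subqueries constrain on the full `path` column (key plus value name), which is the form osquery's registry table needs to avoid an unbounded hive walk.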

@thomastysong thomastysong requested review from a team as code owners March 12, 2026 18:18

codecov bot commented Mar 12, 2026

Codecov Report

❌ Patch coverage is 27.44361% with 193 lines in your changes missing coverage. Please review.
✅ Project coverage is 66.31%. Comparing base (b9f844d) to head (c882ee8).
⚠️ Report is 8 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| server/service/baselines.go | 3.07% | 126 Missing ⚠️ |
| server/mdm/baselines/baselines.go | 52.85% | 17 Missing and 16 partials ⚠️ |
| ...trolsPage/OSSettings/cards/Baselines/Baselines.tsx | 49.05% | 27 Missing ⚠️ |
| frontend/services/entities/baselines.ts | 33.33% | 6 Missing ⚠️ |
| frontend/utilities/endpoints.ts | 0.00% | 1 Missing ⚠️ |
Additional details and impacted files
@@            Coverage Diff             @@
##             main   #41582      +/-   ##
==========================================
- Coverage   66.35%   66.31%   -0.05%     
==========================================
  Files        2491     2495       +4     
  Lines      199310   199658     +348     
  Branches     8827     8949     +122     
==========================================
+ Hits       132262   132401     +139     
- Misses      55089    55278     +189     
- Partials    11959    11979      +20     
| Flag | Coverage Δ |
|---|---|
| backend | 68.11% <21.67%> (-0.05%) ⬇️ |
| frontend | 54.23% <46.03%> (-0.03%) ⬇️ |


@noahtalerman noahtalerman marked this pull request as draft March 12, 2026 19:50
@noahtalerman
Member

Thanks @thomastysong!

I think this is a great starting point for use in our pair programming call on Tues. I set this to draft in the meantime...

Also, I think we can close the other PR? I think we're rolling with this new PR as the latest and greatest.

Add configuration profiles, verification policies, and remediation scripts
for CIS Microsoft Windows 11 Enterprise Benchmark v4.0.0 controls that can
be deployed through Fleet's existing MDM profile, policy, and script systems.

Configuration profiles (SyncML XML):
- User Rights Assignment (39 controls, section 2.2)
- BitLocker fixed/OS/removable drive settings (sections 18.10.10.x)
- Windows Update CSP and operational settings
- Enhanced anti-spoofing, DMA protection, encrypted file indexing
- Endpoint security: app isolation, application control, web protection

Verification policies (osquery SQL):
- Local Security Policy checks (53 controls, section 2.3)
- Service configuration checks (42 services, section 5)
- Windows Update registry verification
- Endpoint security compliance (password, OS version, BitLocker, TPM, AV)

Remediation scripts (PowerShell):
- Local security policy enforcement via registry and secedit
- Service disable/stop for CIS-required service hardening
- Windows Update registry configuration
@thomastysong thomastysong force-pushed the feat/security-baselines branch from c882ee8 to b3978ff Compare March 23, 2026 22:02
@thomastysong thomastysong changed the title Add security baselines for Windows MDM enforcement Add CIS Windows 11 v4.0.0 security baseline solutions (profiles, policies, scripts) Mar 23, 2026
@noahtalerman noahtalerman changed the title Add CIS Windows 11 v4.0.0 security baseline solutions (profiles, policies, scripts) Add Windows security baseline Mar 31, 2026
kilo-code-bot bot added a commit that referenced this pull request Mar 31, 2026
Remove macOS configuration profiles (firewall, gatekeeper, disk encryption,
screen saver, login window, software update, date/time, etc.), macOS policies
(latest-macos, all-software-updates-installed, disk-encryption-check,
disk-space-check), and Linux policy additions (disk-encryption-check,
disk-space-check) from the Testing & QA fleet.

Only Windows configurations from PR #41582 are retained:
- Windows configuration profiles (Defender, BitLocker, firewall, etc.)
- Windows update settings
- Windows scripts (turn-off-mdm, enable-ms-defender)
- Windows policies