Workstation Build Review
Most organisations deploy security hardening through Intune and assume the work is done. It rarely is. GPO exceptions accumulate, legacy application conflicts create gaps, and automated compliance scans miss the privilege escalation paths that a real attacker would use. We test your Windows and macOS gold images against industry standard security benchmarks and NCSC End User Device guidance, combining automated baselining with adversarial endpoint hardening tests that go beyond what any scanner reports. All assessments are performed by CREST-certified engineers.
Beyond Intune Compliance
Policy-Based Compliance
- Configures a subset of security controls only
- Cannot detect GPO conflicts or ordering issues
- Misses pre-installed vendor bloatware risks
- No privilege escalation or AppLocker bypass testing
- Not accepted as independent audit evidence
CREST-Accredited Assessment
- 400+ security controls per OS version
- Manual privilege escalation and AppLocker bypass
- GPO conflict and Intune policy drift detection
- Bloatware identification and ASR validation
- Compliance-mapped report for auditors
The Endpoint Hardening Gap
Organisations Hit via Endpoint
Of organisations experienced at least one successful endpoint attack that compromised data or IT infrastructure in the past year. Source: Ponemon Institute, State of Endpoint Security Risk.
Security Benchmark Controls
Controls checked per build. Automated scanners and Intune policies typically cover fewer than half. Manual adversarial testing covers what automation misses.
Report Turnaround
Single-image review: 1 day testing, report within 3-5 working days. Rush turnaround (48-hour report delivery) available for urgent audit deadlines.
When to Commission an Endpoint Review
Most workstation build reviews are triggered by a pen test finding, an audit deadline, or a gold image standardisation project. If any of these scenarios describe your situation, an independent review provides the evidence you need.
Post-Pen Test Finding
Your penetration test flagged insufficient endpoint hardening as a high-severity finding. You need a control-by-control remediation plan for your gold image, not another finding list.
Cyber Essentials Plus Audit
Your CE+ assessor requires evidence of Secure Configuration for end-user devices. Self-assessment screenshots will not satisfy the technical control requirement. You need independent verification.
ISO 27001 A.8.9 Evidence
Your surveillance audit requires evidence of configuration management under Annex A 8.9. The auditor will not accept Intune compliance dashboard exports as independent assessment evidence.
Intune Policy Drift
Your Intune policies were configured 12 months ago. Industry security benchmarks have been updated. Application teams have requested exceptions. You cannot honestly certify that your deployed endpoints match the intended security baseline.
Gold Image Standardisation
You are building a new SOE for Windows 11 or macOS deployment. You want security built into the gold image before it is cloned to hundreds of devices, not audited after fleet deployment.
Insurance Renewal
Your cyber insurer requires evidence of endpoint hardening controls. Premiums are increasing because you cannot demonstrate that workstations are hardened against credential theft and privilege escalation.
What We Typically Find
Across every workstation estate we review, the same misconfigurations appear. These are not theoretical risks. They are findings our consultants document in reports issued to UK organisations every month.
Unquoted service path allows standard user to SYSTEM
A third-party endpoint agent has an unquoted service path containing spaces. A standard domain user can plant a malicious executable in the unquoted path and escalate to LocalSystem when the service restarts. This finding propagates to every device deployed from the gold image.
LSASS not protected by Credential Guard
Windows Credential Guard is not enabled. An attacker with local admin access can dump LSASS memory using Mimikatz to extract cached domain credentials, Kerberos tickets, and NTLM hashes. This enables lateral movement across the entire Active Directory domain.
AppLocker bypassed via trusted Microsoft binary
AppLocker is configured but can be bypassed using a built-in Microsoft signed binary (LOLBIN). An attacker can execute arbitrary code by leveraging mshta.exe, which is not restricted in the current AppLocker policy. The bypass works with standard user privileges.
LLMNR and NBT-NS enabled allowing credential interception
Link-Local Multicast Name Resolution and NetBIOS Name Service are enabled. An attacker on the same network segment can poison name resolution requests and intercept NTLMv2 hashes from the workstation, then relay or crack them offline.
Pre-installed vendor agent with known CVE remains active
A pre-installed OEM system management agent (vendor trialware) has a known remote code execution vulnerability (published CVE). The agent runs as SYSTEM, listens on a local port, and is not covered by the organisation's patch management or EDR policy.
BitLocker recovery keys not escrowed to Active Directory
BitLocker is enabled but recovery keys are stored only locally on the TPM. If the TPM is cleared or the motherboard is replaced, the encrypted drive becomes permanently inaccessible. Recovery keys are not backed up to Active Directory or Azure AD.
Most workstation builds we review have at least one Critical and three or more High findings on first independent assessment.
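Four of the findings above can be checked on a candidate image before it is cloned. The following PowerShell is an added example for illustration, not Precursor's own tooling, and assumes an elevated session on the Windows build under review; it is read-only and reports configuration state only.

```powershell
# Added example: read-only audit checks for unquoted service paths, Credential Guard,
# LLMNR policy and BitLocker recovery-key escrow prerequisites. Run elevated on the build.

function Test-UnquotedServicePath {
    # Services whose executable path contains a space but is not wrapped in quotes.
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^"' } |
        ForEach-Object {
            # Keep only the executable portion (up to the first .exe), dropping arguments.
            $exe = [regex]::Match($_.PathName, '^.*?\.exe', 'IgnoreCase').Value
            if ($exe -match '\s') {
                [pscustomobject]@{ Service = $_.Name; Path = $_.PathName; RunsAs = $_.StartName }
            }
        }
}

function Test-CredentialGuard {
    # Win32_DeviceGuard.SecurityServicesRunning contains 1 when Credential Guard is running.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    [bool]($dg.SecurityServicesRunning -contains 1)
}

function Test-LlmnrDisabled {
    # Policy value EnableMulticast = 0 disables LLMNR; a missing value means LLMNR is on.
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
                          -Name EnableMulticast -ErrorAction SilentlyContinue
    ($null -ne $p) -and ($p.EnableMulticast -eq 0)
}

function Test-BitLockerEscrowConfigured {
    # Escrow prerequisites only: a numerical recovery password protector on the OS volume
    # and the 'save recovery information to AD DS' policy. Whether the key actually landed
    # in AD DS or Entra ID must be confirmed on the directory side.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Encrypted                 = ($vol.ProtectionStatus -eq 'On')
        RecoveryPasswordProtector = ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')
        AdBackupPolicySet         = ($null -ne $fve -and $fve.OSActiveDirectoryBackup -eq 1)
    }
}

# Summary for the report: each line is a finding or a pass.
[ordered]@{
    'Unquoted service paths (count)' = @(Test-UnquotedServicePath).Count
    'Credential Guard running'       = Test-CredentialGuard
    'LLMNR disabled by policy'       = Test-LlmnrDisabled
}
Test-UnquotedServicePath | Format-Table -AutoSize
Test-BitLockerEscrowConfigured
```

A non-zero unquoted-path count, Credential Guard reporting False, LLMNR not disabled, or a missing recovery password protector each corresponds to one of the findings listed above.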
What We Assess
We go beyond automated scans, manually attempting to bypass your controls and elevate privileges on a standard corporate build. Each review covers gold image analysis, automated security benchmark baselining, privilege escalation testing, and GPO analysis.
Gold Image Audit
We analyse your master image for security weaknesses before they are deployed across the entire fleet. Fixing one image secures every device. Supported platforms: Windows 10 Enterprise, Windows 11 Enterprise, macOS Ventura/Sonoma, and Linux (Ubuntu LTS / RHEL). VDI and virtual desktop environments tested on request.
Privilege Escalation
We hunt for weak service permissions, unquoted service paths, and misconfigured scheduled tasks that allow a standard user to become SYSTEM or Administrator. Tests reference MITRE ATT&CK techniques T1078 (Valid Accounts), T1134 (Access Token Manipulation), and T1543 (Create or Modify System Process).
Attack Surface Reduction
We verify ASR rules, confirming that Office macros, PowerShell execution, and lateral movement tools such as PsExec are blocked or restricted to the required policy level.
Bloatware Identification
Pre-installed vendor software often introduces vulnerabilities. We identify unnecessary agents, trialware, and OEM utilities that increase your attack surface and are not covered by standard policy deployments.
Drive Encryption Verification
We verify BitLocker and FileVault configuration, confirming that recovery keys are escrowed securely and TPM chips are correctly utilised to prevent cold boot attacks and offline extraction.
GPO and Intune Analysis
We review Group Policy Objects and Intune policies applied to the workstation to confirm security settings are enforced and cannot be overridden locally. We identify conflicts, ordering issues, and exemptions that silently weaken the intended policy baseline.
Platforms We Assess
We assess all major desktop operating systems and virtual desktop environments. Our consultants have deep hands-on experience with each platform, covering both physical hardware and VDI deployments.
Windows 10/11
macOS
Linux Desktops
Virtual Desktops
Build Audit Process
A rigorous four-stage inspection of your OS configuration, from automated security benchmark baselining to adversarial breakout testing and GPO analysis.
Build Inspection
We receive a sample laptop or VM and perform a manual inspection of the OS, verifying patch levels, installed software inventory, and local account configurations before automated tooling runs.
Automated Baselining
We run automated baselining tooling against the latest industry standard benchmarks for your platform, scoring your build across 400+ controls and identifying deviations from Level 1 and Level 2 requirements.
Breakout Testing
We assume the role of a malicious insider or compromised user, attempting to bypass AppLocker, elevate privileges, disable EDR agents, and move laterally. A standard single-image review takes 1 day of testing.
GPO Analysis and Report
We review Group Policy Objects and Intune policies applied to the workstation to confirm security settings are enforced and cannot be overridden locally. Final report is delivered within 3-5 working days of assessment completion.
What You Receive
Every workstation build review includes the following deliverables, formatted for technical remediation teams, compliance stakeholders, and auditor submission.
Reports are delivered in PDF format. Single-image reviews typically complete within 5 working days from testing.
Close the Hardening Loop.
A workstation build review identifies misconfigurations at a point in time. Pair hardening findings with a server build review to cover your entire infrastructure, an internal network penetration test to validate exploitation in practice, and continuous SOC monitoring to detect when config drift reintroduces exposure.
Server Build Review
Extend security benchmark hardening to your Windows Server and Linux estate
Internal Network Pentest
Validate what an attacker can do after compromising a poorly hardened endpoint
Managed SOC
Monitor for credential theft and lateral movement in real time
Configuration Reviews
Firewall, VPN, database, and cloud configuration assessments
Full Penetration Testing Catalogue
Comprehensive penetration testing services tailored to your environment.
Internal Testing
Post-perimeter assessments targeting Active Directory, lateral movement, privilege escalation, and segmentation validation from inside your network.
The best time to test your defences is now.
Join the high-growth companies relying on Precursor for continuous offensive and defensive security.
Frequently Asked Questions
Common questions about this service, methodologies, and deliverables.
Endpoint hardening is the process of reducing the attack surface of a workstation by enforcing security configuration standards: disabling unnecessary services, restricting administrative privileges, applying application control policies, and enforcing encryption. It is distinct from EDR (Endpoint Detection and Response): EDR monitors for malicious activity after it begins; hardening reduces the conditions that allow attacks to succeed in the first place. A workstation built to industry standard security benchmarks — with LLMNR disabled, LSASS protected, and PowerShell restricted — gives an attacker significantly fewer footholds, making EDR detections rarer and more actionable. For Cyber Essentials Plus, evidenced OS hardening is a mandatory control. For ISO 27001, it maps to Annex A 8.9 (configuration management).
We test against three primary standards: industry standard security benchmarks for Windows 10, Windows 11, and macOS; NCSC End User Device (EUD) guidance for government-aligned assessments; and Microsoft Security Baselines for organisations using Intune or Group Policy. We assess both Level 1 (broadly applicable controls) and Level 2 (defence-in-depth controls for higher-risk environments). For Cyber Essentials Plus and ISO 27001 Annex A 8.9 compliance, findings are mapped to the relevant control requirements in the deliverable report.
Workstation build review pricing typically ranges from £2,500 to £6,000 depending on scope and platform diversity. A single gold image review (Windows 10/11 or macOS) averages £2,500 to £3,500 including security benchmark assessment, privilege escalation testing, and GPO analysis. Multiple image reviews covering different OS versions or laptop and VDI variants typically cost £4,000 to £5,500. Physical laptop review adding BIOS, BitLocker, and hardware security verification adds approximately £500. We provide fixed quotes after understanding your image inventory and testing scope.
The deliverable is a structured technical report containing: an executive summary with overall compliance score against the applicable industry standard benchmark; a per-control findings table showing pass/fail status, severity rating, and remediation guidance; privilege escalation findings with reproduction steps and MITRE ATT&CK technique references; GPO analysis results with specific policy corrections; and an automated baseline report as an appendix. The report format is accepted as audit evidence by ISO 27001 assessors, Cyber Essentials Plus auditors, and UK cyber insurers. A remediation-tracking version is available for internal use.
A standard single-image review (one gold image, Windows or macOS) takes 1 day of testing with the final report delivered within 3-5 working days of assessment completion. Multi-image reviews covering multiple OS versions, laptop and VDI variants typically require 2-3 days of testing. Rush turnaround (48-hour report delivery) is available for urgent audit deadlines. Contact us to discuss capacity.
Policy deployment and security validation are different disciplines. MDM policies may not apply correctly due to conflicts, ordering issues, or exemptions. Industry standard security benchmarks cover 400 controls and policy tools typically configure a subset. Privilege escalation vectors (unquoted service paths, weak file permissions) require manual testing to discover. Pre-installed vendor software introduces vulnerabilities policies do not address. AppLocker and ASR bypasses require adversarial testing, not policy configuration. Build review validates that deployed policies actually achieve security objectives, not just configuration intent.
EDR detects and responds to malicious activity after it begins executing. Endpoint hardening removes the conditions that allow attackers to get established in the first place. A misconfigured workstation build gives attackers the tools they need: LLMNR poisoning to harvest credentials, unquoted service paths to escalate privileges, unrestricted PowerShell to move laterally. Hardening those conditions means an attacker who bypasses your perimeter finds an environment actively hostile to their techniques, significantly reducing the blast radius of any breach. For Cyber Essentials Plus, evidenced OS hardening is a mandatory control. For ISO 27001, it maps directly to Annex A control 8.9 (configuration management).
A gold image (also called a Standard Operating Environment or SOE) is the master workstation configuration that is cloned to all corporate devices. A gold image security review assesses that master build, before or after deployment, to identify security weaknesses that will propagate to every device in the fleet. Reviewing the gold image is more cost-effective than assessing individual machines: a single remediation secures the entire estate. Precursor's workstation build review includes gold image analysis as standard, alongside manual privilege escalation testing and GPO analysis.
Ideally yes. Shipping us a corporate laptop allows us to test full disk encryption (BitLocker), BIOS passwords, and physical port security. We can also perform the build review remotely if you provide a VM image or VPN access to a designated workstation.
No. Build reviews are performed on a gold image or a designated test laptop configured identically to a production machine. No active users are impacted during the assessment.