1. A security team downloads the Microsoft SCT, customizes 12 settings for their operational environment, documents the justifications, and gets formal approval for the resulting configuration standard.
2. Using Active Directory Group Policy and an MDM platform, the security team pushes the approved configuration settings to all 600 workstations and enrolled mobile devices, verifying 100% coverage within 24 hours.
3. When a new vulnerability bulletin requires disabling TLS 1.0, the team updates the baseline document, tests the change on a pilot group, confirms application compatibility, and then redeploys the updated setting organization-wide within 48 hours.
4. Every quarter, the compliance team runs a formal assessment comparing all server configurations against the approved baseline, produces a compliance report, and stores it as documented evidence for the upcoming PCI DSS assessment.