CIS Microsoft Intune for Windows 11 Benchmark in Settings Catalog (JSON)

A short post about CIS Benchmarks in Intune, first if you don’t know what CIS (Center for Internet Security) is then I urge you to visit their webpage at https://www.cisecurity.org/

Why should you use CIS Benchmarks?

The CIS benchmarks are developed by cybersecurity experts and are widely know and accepted as best practice’s. Some might ask why not use Microsoft Security Baselines instead? Currently the Microsoft Security Baseline have not been updated sense November 2021. CIS is currently working on a new draft for Windows 11 in Intune but the latest benchmark was published 2023-01-26 (Version 1.0)

Other benefits with using a CIS Benchmark in the way I later describe in this post is that you are more in control of your settings, better overview and can build your own structure, it is also based on Settings Catalog making it easier to work with overall.

Can everything be mapped in Settings Catalog?

Mapping in settings catalog based on the CIS Microsoft Intune for Windows 11 Benchmark v1.0.0 – 01-26-2023 I only found one setting that was not available in settings catalog, this is not included in the exported JSON files in this post.

(If you find the settings for this, please let me know in the comments)

Not available
18.9.45.1 (L2) Ensure ‘Allow Message Service Cloud Sync’ is set
to ‘Disabled’ (Automated)

User Rights issue in Settings Catalog

*UPDATE* This issue is resolved using “” like I did in the User Rights policies are working correctly, this would equal blank value and for CIS it is the same as setting to “No One”

In the section 2. Local Policies the recommendation is to set certain access levels in the system to “No One” However there is an issue with this using settings catalog, it is not a visible issue and the setting is set correctly however if you look in the event viewer we can see errors generated, for more information please look at:

https://github.com/MicrosoftDocs/windows-itpro-docs/issues/11564

In the exported JSON I have simply set the values that should equal “No One” to “”, you might need to changes this to: </Data> for it to resolve correctly on the device settings but not in event viewer. If you have a solution for this, please post it on the GitHub page mentioned above or post it in the comments.

CIS Microsoft Intune for Windows 11 Benchmark JSON

The structure i picked for these policies gives you a nice overview and easy to follow up and edit for future changes.

You can download the settings catalog JSON files below and then use the following PowerShell script to import them into your tenant.

When installing AzureAD module use version 2.0.2.140, there is a bug in the later releases making the PowerShell for Exporting/Importing Settings catalog not to work.

Install-Module AzureAD -RequiredVersion 2.0.2.140

https://github.com/microsoftgraph/powershell-intune-samples/tree/master/SettingsCatalog

Used for importing:
https://github.com/microsoftgraph/powershell-intune-samples/blob/master/SettingsCatalog/SettingsCatalog_Import_FromJSON.ps1

The Benchmark files in JSON format based on Settings Catalog.

The structure is based on each main category and split in (L1), (L2), (BL) and (NG) this could also all be in one big policy or have L1 and L2 together, but working with such large amount of settings in a policy makes it slow and not optimal.

It is important for you to test out the policy, some policies will affect pre-provisioning for more information about certain conflicting policies check out https://learn.microsoft.com/en-us/autopilot/policy-conflicts

Remember not all settings fits everyone so test them out carefully.

5 3 votes
Article Rating
Subscribe
Notify of
guest

28 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Cody
Cody
10 months ago

You have Local Policies L1 listed twice, missing L2.

Kjetil
Kjetil
10 months ago

Great work! I miss some clarification about what benchmark and version is the base for your policies though – Is it The ”CIS Microsoft Windows 11 Enterprise Benchmark” v2.0.0, the ”CIS Microsoft Intune for Windows 11 Benchmark” v2.0.0 – or a combination of those? – Maybe state this somewhere along with the policies 🙂
Edit: I See in the text that it is ”CIS Microsoft Intune for Windows 11 Benchmark v1.0.0” – have you considered if you also need to include the WIndows Enterprise benchmark?

Last edited 10 months ago by Kjetil
Thomas
Thomas
10 months ago

Hi
I am getting this error:
Adding Device Configuration Policy ”
Response content:
{”error”:{”code”:”ModelValidationFailure”,”message”:”Cannot create an abstract class.”,”innerError”:{”message”:”Cannot create an abstract class.”,”date”:”2023-09-21T07:49:29″,”request-id”:”511961c3-318c-426d-9ace-bbfed9548dae”,”client-request-id”:”511961c3-318c-426d-9ace-bbfed9548dae”}}}
Add-DeviceConfigurationPolicy : Request to https://graph.microsoft.com/Beta/deviceManagement/deviceConfigurations failed with HTTP Status BadRequest Bad Request
At C:\Users\admin\Desktop\CIS Intune JSON\DeviceConfiguration_Import_FromJSON.ps1:349 char:1
+ Add-DeviceConfigurationPolicy -JSON $JSON_Output
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  + CategoryInfo     : NotSpecified: (:) [Write-Error], WriteErrorException
  + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Add-DeviceConfigurationPolicy

Chris
Chris
8 months ago

Thanks for this. I did notice the ”interactivelogon_machineinactivitylimit” setting in Local Policies L1 is set to 15. The policy is in seconds though so it should be 900 instead.

jstrong013
jstrong013
8 months ago

This is awesome! Appreciate all the work that went into this and sharing with the community. Cheers!

Thomas
Thomas
7 months ago

Hi! Thanks for the script and the policies. How would I get all of them imported into my tenant?

Jarrod
Jarrod
Reply to  Everything365
6 months ago

Thank You for publishing these, I was easily able to get them imported using the scripts you provided. Do you know when v2 will be ready, and any chance you will be able to provide the changes made or additions from the v1 set?

Justin
Justin
4 months ago

Hey man, thank you for this write-up. I saw you were creating an updated version and was wondering if I should just wait for that and instructions on how to implement this? I was having some difficulty figuring it out. Thank you.

Carl
Carl
Reply to  Everything365
3 months ago

hi, will you be doing another post when they are updated? Keeping an eye on this, thank you!

Richard
Richard
3 months ago

Hi! thanx for the json files! I have them implemented om two test machines, so far so good. Only enabled the Onedrive sync again 🙂
I ran the CIS CSAT (CIS Assessor) before – and after the policies are applied. Went from 21% CIS1 compliant, to 62% so that’s great, but I did expect it to score higher.
I noticed that for example all firewall settings are flagged as not-implemented. I do have the feeling that the intune config profiles are applied using another method then the same GPO does. The assessor checks for example:
The recommended state for this setting is: On (recommended) .
To establish the recommended configuration via GP, set the following UI path to On (recommended) :
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Firewall state
But these settings aren’t make using the config profile, guess the assessor just doesn’t support Intunes way of settings those configs.

Jennifer Jarose
Jennifer Jarose
3 months ago

Hi @Everything365,

Thank you for writing this article. CIS has published the latest version of Intune (v3.0.0) about a month ago along with a build kits (JSON files). You can find the new version here: CIS WorkBench / Benchmarks (cisecurity.org)

Feedback is always welcome and encouraged. Again, thank you for this great article.

Nicolai
Nicolai
Reply to  Everything365
3 months ago

Is there any chance you would be updating your JSON files based on the latest CIS release which Jennifer Jarose is referring to?

Rick
Rick
Reply to  Everything365
1 month ago

Hello,
Is there a way we can get the link for this?
I am registered to the CIS Workbench now but only see the PDF files and not the JSON files.
Or do we need a payed account for this?