CIS Microsoft Intune for Windows 11 Benchmark in Settings Catalog (JSON)

A short post about CIS Benchmarks in Intune. If you don’t know what CIS (the Center for Internet Security) is, I urge you to visit their webpage at https://www.cisecurity.org/

Why should you use CIS Benchmarks?

The CIS Benchmarks are developed by cybersecurity experts and are widely known and accepted as best practice. Some might ask why not use the Microsoft Security Baselines instead? Currently the Microsoft Security Baseline has not been updated since November 2021. CIS is currently working on a new draft for Windows 11 in Intune, but the latest benchmark was published 2023-01-26 (Version 1.0).

Other benefits of using a CIS Benchmark in the way I describe later in this post are that you are more in control of your settings, get a better overview and can build your own structure. It is also based on Settings Catalog, which makes it easier to work with overall.

Can everything be mapped in Settings Catalog?

When mapping the CIS Microsoft Intune for Windows 11 Benchmark v1.0.0 – 01-26-2023 to Settings Catalog, I found only one setting that was not available in Settings Catalog; it is not included in the exported JSON files in this post.

(If you find the settings for this, please let me know in the comments)

Not available:
18.9.45.1 (L2) Ensure ‘Allow Message Service Cloud Sync’ is set to ‘Disabled’ (Automated)

User Rights issue in Settings Catalog

*UPDATE* This issue is resolved by using “” as I did in the User Rights policies, which are working correctly. “” equals a blank value, and for CIS that is the same as setting the right to “No One”.

In section 2, Local Policies, the recommendation is to set certain user rights in the system to “No One”. However, there is an issue with this in Settings Catalog: it is not a visible issue and the setting is applied correctly, but if you look in Event Viewer you can see errors being generated. For more information, please look at:

https://github.com/MicrosoftDocs/windows-itpro-docs/issues/11564

In the exported JSON I have simply set the values that should equal “No One” to “”. You might need to change this to </Data> for it to resolve correctly in the device settings, but not in Event Viewer. If you have a solution for this, please post it on the GitHub page mentioned above or in the comments.

CIS Microsoft Intune for Windows 11 Benchmark JSON

The structure I picked for these policies gives you a good overview and makes it easy to follow up and edit for future changes.

You can download the settings catalog JSON files below and then use the following PowerShell script to import them into your tenant.

When installing the AzureAD module, use version 2.0.2.140; a bug in later releases stops the PowerShell scripts for exporting/importing Settings Catalog from working.

Install-Module AzureAD -RequiredVersion 2.0.2.140

https://github.com/microsoftgraph/powershell-intune-samples/tree/master/SettingsCatalog

Used for importing:
https://github.com/microsoftgraph/powershell-intune-samples/blob/master/SettingsCatalog/SettingsCatalog_Import_FromJSON.ps1

The Benchmark files in JSON format, based on Settings Catalog.

The structure is based on each main category, split into (L1), (L2), (BL) and (NG). This could also all be in one big policy, or have L1 and L2 together, but working with such a large number of settings in one policy makes it slow and not optimal.

It is important that you test out the policies; some of them will affect pre-provisioning. For more information about certain conflicting policies, check out https://learn.microsoft.com/en-us/autopilot/policy-conflicts

Remember that not all settings fit everyone, so test them out carefully.
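The import procedure above posts each exported JSON file to the Settings Catalog endpoint (deviceManagement/configurationPolicies), so it pays to lint the files before running the import script. The script below is an added example, not code from this post or from the Graph sample repository. It assumes the JSON shape the sample export script writes (top-level name, platforms, technologies and settings, each setting holding a settingInstance with a settingDefinitionId and a simple or choice value), and the settingDefinitionId patterns it matches on are assumptions derived from the UserRights and LocalPoliciesSecurityOptions CSP names; check them against your own export. It verifies the two things discussed above: that user rights meant as “No One” are present as the empty string “”, and that the machine inactivity limit is a sane number of seconds (CIS wants 900 or fewer, not 0).

```powershell
# Added example: lint a Settings Catalog policy before importing it with
# SettingsCatalog_Import_FromJSON.ps1. Not part of the post or the sample scripts.
# Assumed export shape: name/platforms/technologies/settings, each setting carrying a
# settingInstance with settingDefinitionId and simpleSettingValue or choiceSettingValue.

function Get-SettingValue {
    param($Instance)
    # Simple settings carry simpleSettingValue.value, choice settings choiceSettingValue.value.
    if ($Instance.PSObject.Properties['simpleSettingValue']) { return $Instance.simpleSettingValue.value }
    if ($Instance.PSObject.Properties['choiceSettingValue']) { return $Instance.choiceSettingValue.value }
    return $null
}

function Test-SettingsCatalogPolicy {
    param([Parameter(Mandatory)] $Policy)
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # 1. Shape check. A Settings Catalog export has these four properties and no top-level
    #    @odata.type; a device configuration profile export does carry @odata.type and
    #    belongs to the DeviceConfiguration import script, not this one.
    foreach ($prop in 'name', 'platforms', 'technologies', 'settings') {
        if (-not $Policy.PSObject.Properties[$prop]) { $findings.Add("missing top-level property '$prop'") }
    }
    if ($Policy.PSObject.Properties['@odata.type']) {
        $findings.Add("top-level @odata.type present ($($Policy.'@odata.type')); this is not a Settings Catalog export")
    }
    if ($findings.Count -gt 0) { return ,$findings }

    foreach ($setting in $Policy.settings) {
        $inst = $setting.settingInstance
        $id   = [string]$inst.settingDefinitionId
        $val  = Get-SettingValue $inst

        # 2. User Rights (UserRights CSP; id pattern is an assumption): CIS "No One" must be
        #    the empty string "", never a missing value.
        if ($id -like '*_userrights_*' -and $null -eq $val) {
            $findings.Add("$id has no value; CIS 'No One' must be `"`"")
        }

        # 3. Machine inactivity limit is expressed in seconds. CIS: 900 or fewer, but not 0.
        #    Values under 60 are flagged as a likely minutes-for-seconds mistake (heuristic).
        if ($id -like '*interactivelogon_machineinactivitylimit*') {
            $n = 0
            if (-not [int]::TryParse([string]$val, [ref]$n) -or $n -lt 1 -or $n -gt 900) {
                $findings.Add("$id = '$val'; CIS expects 1..900 seconds")
            }
            elseif ($n -lt 60) {
                $findings.Add("$id = $n seconds; did you mean minutes? 15 minutes is 900 seconds")
            }
        }
    }
    return ,$findings
}

# Constructed sample policy in the assumed export shape. The definition ids follow the CSP
# naming pattern and are assumptions. One deliberate defect: the limit is given as 15.
$sampleJson = @'
{
  "name": "CIS - Local Policies (L1) - constructed sample",
  "platforms": "windows10",
  "technologies": "mdm",
  "settings": [
    { "settingInstance": {
        "settingDefinitionId": "device_vendor_msft_policy_config_userrights_accesscredentialmanagerastrustedcaller",
        "simpleSettingValue": { "value": "" } } },
    { "settingInstance": {
        "settingDefinitionId": "device_vendor_msft_policy_config_localpoliciessecurityoptions_interactivelogon_machineinactivitylimit",
        "simpleSettingValue": { "value": "15" } } }
  ]
}
'@

$findings = Test-SettingsCatalogPolicy -Policy ($sampleJson | ConvertFrom-Json)
if ($findings.Count -eq 0) { 'no findings' } else { $findings }

# To lint the downloaded files instead of the sample:
# Get-ChildItem -Path .\*.json | ForEach-Object {
#     "== $($_.Name)"; Test-SettingsCatalogPolicy -Policy (Get-Content $_.FullName -Raw | ConvertFrom-Json)
# }
```

Run this against every file before importing; a file that fails the shape check would be rejected by the configurationPolicies endpoint anyway, and the two value checks catch the mistakes that an import happily accepts but that leave the device out of compliance.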

26 Comments
Cody
8 months ago

You have Local Policies L1 listed twice, missing L2.

Kjetil
7 months ago

Great work! I miss some clarification about what benchmark and version is the base for your policies though – Is it the "CIS Microsoft Windows 11 Enterprise Benchmark" v2.0.0, the "CIS Microsoft Intune for Windows 11 Benchmark" v2.0.0 – or a combination of those? – Maybe state this somewhere along with the policies 🙂
Edit: I see in the text that it is "CIS Microsoft Intune for Windows 11 Benchmark v1.0.0" – have you considered if you also need to include the Windows Enterprise benchmark?

Thomas
7 months ago

Hi
I am getting this error:
Adding Device Configuration Policy "
Response content:
{"error":{"code":"ModelValidationFailure","message":"Cannot create an abstract class.","innerError":{"message":"Cannot create an abstract class.","date":"2023-09-21T07:49:29","request-id":"511961c3-318c-426d-9ace-bbfed9548dae","client-request-id":"511961c3-318c-426d-9ace-bbfed9548dae"}}}
Add-DeviceConfigurationPolicy : Request to https://graph.microsoft.com/Beta/deviceManagement/deviceConfigurations failed with HTTP Status BadRequest Bad Request
At C:\Users\admin\Desktop\CIS Intune JSON\DeviceConfiguration_Import_FromJSON.ps1:349 char:1
+ Add-DeviceConfigurationPolicy -JSON $JSON_Output
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  + CategoryInfo     : NotSpecified: (:) [Write-Error], WriteErrorException
  + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Add-DeviceConfigurationPolicy

Chris
6 months ago

Thanks for this. I did notice the "interactivelogon_machineinactivitylimit" setting in Local Policies L1 is set to 15. The policy is in seconds though so it should be 900 instead.

jstrong013
6 months ago

This is awesome! Appreciate all the work that went into this and sharing with the community. Cheers!

Thomas
5 months ago

Hi! Thanks for the script and the policies. How would I get all of them imported into my tenant?

Jarrod
Reply to Everything365
3 months ago

Thank You for publishing these, I was easily able to get them imported using the scripts you provided. Do you know when v2 will be ready, and any chance you will be able to provide the changes made or additions from the v1 set?

Justin
2 months ago

Hey man, thank you for this write-up. I saw you were creating an updated version and was wondering if I should just wait for that and instructions on how to implement this? I was having some difficulty figuring it out. Thank you.

Carl
Reply to Everything365
1 month ago

Hi, will you be doing another post when they are updated? Keeping an eye on this, thank you!

Richard
1 month ago

Hi! Thanks for the JSON files! I have them implemented on two test machines, so far so good. Only enabled the OneDrive sync again 🙂
I ran the CIS CSAT (CIS Assessor) before – and after the policies are applied. Went from 21% CIS1 compliant to 62%, so that’s great, but I did expect it to score higher.
I noticed that for example all firewall settings are flagged as not-implemented. I do have the feeling that the Intune config profiles are applied using another method than the same GPO does. The assessor checks for example:
The recommended state for this setting is: On (recommended).
To establish the recommended configuration via GP, set the following UI path to On (recommended):
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Firewall state
But these settings aren’t made using the config profile, guess the assessor just doesn’t support Intune’s way of setting those configs.

Jennifer Jarose
1 month ago

Hi @Everything365,

Thank you for writing this article. CIS published the latest version of the Intune benchmark (v3.0.0) about a month ago, along with build kits (JSON files). You can find the new version here: CIS WorkBench / Benchmarks (cisecurity.org)

Feedback is always welcome and encouraged. Again, thank you for this great article.

Nicolai
Reply to Everything365
24 days ago

Is there any chance you would be updating your JSON files based on the latest CIS release which Jennifer Jarose is referring to?