This repository houses prebuilt Microsoft Intune configuration profiles in JSON format that can be imported into Microsoft Endpoint Manager (MDM). Benchmark: https://workbench.cisecurity.org/benchmarks/14355 (v2.0.0)

At the moment, all portions of the CIS Intune benchmark (L1,L2,BL,NG) are being implemented into a single configuration profile. Once all portions have been implemented, I plan to separate them.

Some CIS configurations have been "opposed". When a configuration has been opposed, the configuration strays away from the CIS recommended option. The OMA-URI description specifies any configurations that have been opposed and provides a reason for the setting. You can follow a similar strategy in your environment if you require changes.

The profiles are all configured using OMA-URI. There are a few reasons for this approach:

• Each configuration can be named according the section and name provided by CIS. EG: 1.1.1
• It is clear what CIS option a particular configuration is addressing
• When CIS recommendations change, it will be easy to make changes to align with the new recommendation
• OMA-URIs allow for a "description". This description can be used to note configurations that differ from CIS and provide a reason for the difference. If you use Risk Acceptance Forms (RAF) in your environment, you can also note a RAF # to address the difference.

A lot of the OMA-URIs in these configuration profiles are not published by CIS. The OMA-URIs were found here: https://learn.microsoft.com/en-us/windows/client-management/mdm/ Some configuration options were found by finding corresponding ADMX Group Policy files and locating their xml element ids. These are specified using the SyncML syntax as documented here: https://learn.microsoft.com/en-us/windows/client-management/understanding-admx-backed-policies#enabling-a-policy If you need to implement your own configurations, open the admx file (located at C:\windows\policydefintions) and locate the policy and the corresponding element you want to configure and follow the syntax.

2024.01.22 Microsoft no longer supports ADAL, so I have included a new script that uses the Microsoft.Graph Powershell Module to import the configuration.

To import a profile:

1. Download this Powershell Script: IntuneConfiguration_ImportCustomConfig.ps1
2. Download the JSON configuration file in this repository
3. Run the powershell script
4. Enter the location to the JSON file when prompted

NOTE: To use the new Import script, you may need to "Approve" the requested appaccess. This is done in the Azure Portal under Enterprise Applications -> Admin consent Requests

To verify a configuration applied:

• Open Event Viewer

• Open the log "Application and Services Logs"\Microsoft\Windows\DeviceManagement-Enterprise-Diagnostics-Provider\Admin

• Review any entries with "Error"

  • Ignore event id 2545 (checkNewInstanceData) - this appears to be an Intune bug. See https://answers.microsoft.com/en-us/windows/forum/all/event-2545-microsoft-windows-devicemanagement/a7e0f8e9-685f-44d8-be69-58fd1f8a716e. As of 2024.01.23, I am no longer seeing this in my deployment.
  • Ignore error referencing "./Device/Vendor/MSFT/Policy/ConfigOpoerations/ADMXInstall/Receiver/Properties/Policy/FakePolicy/Version. This is an expected error the informs you that Intune is working properly. See: https://www.reddit.com/r/Intune/comments/n8u51x/intune_fakepolicy_not_found_error/

• Intune remediation failures for User Rights Assignment policies that apply a blank value. (2.2.1 through 2.2.30)

  • May report the error "0x87D1FDE8" (Remediation Failure). Despite this error, the blank policies are applied properly.
  • This appears to be an issue with intune reporting. See the "cause" mentioned here: https://learn.microsoft.com/en-us/troubleshoot/mem/intune/device-configuration/device-configuration-profile-reports-error-2016281112
  • Because blanks are specified using <!CDATA[]]>, Intune expects to receive this value in the response. However, only "blank" is sent back to Intune, resulting in this "error" even though the policy was applied successfully.
  • These blank policies can be refactored into a new policy (Endpoint protection/User Rights) that does not use OMA-URI to prevent this reporting error.

Here is the results of an audit of a workstation after running Hardening Kitty Audit (https://github.com/scipag/HardeningKitty) against the Windows 10 Enterprise benchmark.

NOTE: The Windows 10 Enterprise benchmark audit below contains some settings that are not included in the Intune benchmark. The CIS sections below will not map 1-to-1 with the Intune benchmark. If anyone has a public domain tool that will audit against the Intune benchmark, feel free to recommend it. For the most part, the Enterprise benchmark contains more security settings than the Intune benchmark. Auditing against it should provide good coverage of the Intune benchmark.

Firefox can be a pain to work with OMA-URIs. I created a stylesheet to make it a lot easier and that can be seen in the screenshot above. To install, go into the "Extras" folder for instructions.

All settings of CIS Intune benchmark implemented with the exception of Bitlocker. A seperate bitlocker configuration will be created.