CIS Intune for Windows 4.0.0 - L1 Detailed Guide
The Center for Internet Security's Intune for Windows Benchmark version 4.0.0, Level 1
The Center for Internet Security provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows Operating Systems (OS). The secure configuration guide is based on Windows 11 and is intended for all releases of the Windows 11 operating system, including older versions. The secure configuration guide was tested against Microsoft Windows 11 24H2 Enterprise edition.
Devicie is an active contributor to multiple CIS Benchmarks, including the Intune for Windows Benchmark.
Some controls are removed to streamline deployment and adoption. These controls, their security rationale, and our reasons for removal are provided below.
| Control Number | Name | Rationale | Comment |
|---|---|---|---|
| 4.10.26.2 | Ensure 'Do not display network selection UI' is set to 'Enabled' | An unauthorized user could disconnect the PC from the network or connect the PC to other available networks without signing into Windows. | This setting has been removed, as with it enabled the user cannot connect to a new wireless network at the logon screen, which becomes a problem with pre-provisioning. |
| 49.29 | Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests' | One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises the user's awareness that a program requires elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run. | This setting has been removed, as with it enabled the user is not prompted to enter the LAPS password when trying to install applications. |
| 81.13 | Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed' | Hosting an SSH server from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. | sshd is disabled by default, and is not available to configure with the Intune Settings Catalog or custom configuration. |
Other controls are modified for similar reasons.
| Control Number | Name | Rationale | Comment |
|---|---|---|---|
| | Ensure 'Require additional authentication at startup: Configure TPM startup PIN:' is set to 'Enabled: Require startup PIN with TPM' and Ensure 'Require additional authentication at startup: Configure TPM startup:' is set to 'Enabled: Do not allow TPM' | TPM without use of a PIN will only validate early boot components and does not require a user to enter any additional authentication information. If a computer is lost or stolen in this configuration, BitLocker will not provide any additional measure of protection beyond what is provided by native Windows authentication unless the early boot components are tampered with or the encrypted drive is removed from the machine. | These settings have been changed to require TPM without use of a PIN. Requiring users to create and remember a PIN before boot has very high user impact and minimal risk impact, as the increasing prevalence of firmware TPMs (fTPMs) makes TPM sniffing attacks very challenging anyway. Pre-boot PINs are also unsupported by Autopilot. |
CIS recommends running certain Attack Surface Reduction (ASR) rules in Audit mode at first, then moving to Block mode with an appropriate exemption list. To review audit hits, we recommend the Defender for Endpoint report or the local event log under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational.

| Control Number | Rule | Comment |
|---|---|---|
| | Block all Office applications from creating child processes | Can break certain Office add-ins |
| | Block executable files from running unless they meet a prevalence, age, or trusted list criterion | Blocks less-common files by design. Particularly impactful to developers. |
| | Block execution of potentially obfuscated scripts | |
| | Block Office communication application from creating child processes | Can break certain Outlook add-ins, including DLP policy tips and ToolTips |
| | Block process creations originating from PSExec and WMI commands | Not compatible with ConfigMgr co-managed devices, and some third-party management or security tools |
| | Use advanced protection against ransomware | |
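The audit-then-block workflow above needs a view of what each rule would have blocked. The following PowerShell script is an added example, not part of this guide or of the CIS benchmark: it reads the local Windows Defender Operational log and summarises ASR hits by rule, process and path so an exemption list can be built before switching to Block mode. It assumes the documented Defender event IDs 1122 (rule fired in Audit mode) and 1121 (rule fired in Block mode), and that the event message carries "ID:", "Path:" and "Process Name:" lines, as it does on current builds.

```powershell
# Added example (not from the Devicie guide or CIS benchmark): summarise
# Attack Surface Reduction hits from the local Defender Operational log so an
# exemption list can be built before rules move from Audit to Block mode.
# Assumes Defender event IDs 1122 (Audit) and 1121 (Block) and that the event
# message contains "ID:", "Path:" and "Process Name:" lines.
param(
    [int]$Days = 7,          # how far back to look
    [switch]$IncludeBlocks   # also count Block-mode hits (event ID 1121)
)

# Rule GUIDs as published in Microsoft's ASR rules reference, for the rules
# discussed in this guide; any other GUID is reported as-is.
$ruleNames = @{
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Office apps creating child processes'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Executables failing prevalence/age/trust'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Potentially obfuscated scripts'
    '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Office communication app child processes'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'PSExec/WMI process creation'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Advanced ransomware protection'
}

$eventIds = @(1122)
if ($IncludeBlocks) { $eventIds += 1121 }

$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = $eventIds
    StartTime = (Get-Date).AddDays(-$Days)
}

# Pull the fields we need out of the message text; a field missing from an
# event is left blank rather than dropping the event.
$hits = foreach ($e in $events) {
    $m = $e.Message
    $ruleId = if ($m -match '(?m)^\s*ID:\s*\{?([0-9a-fA-F-]{36})\}?') { $Matches[1].ToLower() } else { '' }
    [pscustomobject]@{
        Mode    = if ($e.Id -eq 1121) { 'Block' } else { 'Audit' }
        Rule    = if ($ruleNames.ContainsKey($ruleId)) { $ruleNames[$ruleId] } else { $ruleId }
        Path    = if ($m -match '(?m)^\s*Path:\s*(.+?)\s*$') { $Matches[1] } else { '' }
        Process = if ($m -match '(?m)^\s*Process Name:\s*(.+?)\s*$') { $Matches[1] } else { '' }
    }
}

# One row per mode/rule/process/path with a hit count, most frequent first:
# these are the candidates for an exclusion (or for fixing the application).
$hits | Group-Object Mode, Rule, Process, Path |
    Sort-Object Count -Descending |
    Select-Object Count, @{n='Mode';e={$_.Group[0].Mode}}, @{n='Rule';e={$_.Group[0].Rule}},
                  @{n='Process';e={$_.Group[0].Process}}, @{n='Path';e={$_.Group[0].Path}} |
    Format-Table -AutoSize -Wrap
```

Run it on a representative pilot device after a week or two in Audit mode; the Defender for Endpoint report gives the same picture fleet-wide.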
The following controls are provided in a separate (User) policy for assignment to user groups, as they cause Autopilot failures when assigned to device groups.
- 4.5.1 (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'
- 26.8 (L1) Ensure 'Device Password Enabled: Min Device Password Length' is set to '14 or more character(s)'
- 49.9 (L1) Configure 'Interactive logon: Message text for users attempting to log on'
- 49.10 (L1) Configure 'Interactive logon: Message title for users attempting to log on'
- 49.28 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators' is set to 'Prompt for consent on the secure desktop' or higher (Automated)
- 90.1 (L1) Ensure 'Hypervisor Enforced Code Integrity' is set to 'Enabled with UEFI lock'
- 90.2 (L1) Ensure 'Require UEFI Memory Attributes Table' is set to 'Require UEFI Memory Attributes Table'
The following controls are provided as part of the Foundation baselines.
- 105.1 (L1) Ensure 'Backup Directory' is set to 'Backup the password to Azure AD only'
- 105.2 (L1) Ensure 'Password Age Days' is set to 'Configured: 30 or fewer'
- 105.3 (L1) Ensure 'Password Complexity' is set to 'Large letters + small letters + numbers + special characters'
  - 6-word passphrases are automatically used instead on Windows 11 24H2 and later, which improves password readability without impacting risk
- 105.4 (L1) Ensure 'Password Length' is set to 'Configured: 15 or more'
- 105.5 (L1) Ensure 'Post-authentication actions' is set to 'Reset the password and logoff the managed account' or higher
- 105.6 (L1) Ensure 'Post Authentication Reset Delay' is set to 'Configured: 8 or fewer hours, but not 0'
Variables
- Interactive Logon Message Title: shown on the lock screen
- Interactive Logon Message Text: shown on the lock screen
- Built-in Admin Account Name: defaults to biadm
- Built-in Guest Account Name: defaults to bigst