CIS Intune for Windows 4.0.0 - L1

The Center for Internet Security's Intune for Windows Benchmark version 4.0.0, Level 1

The Center for Internet Security provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows Operating Systems (OS). The secure configuration guide is based on Windows 11 and is intended for all releases of the Windows 11 operating system, including older versions. The secure configuration guide was tested against Microsoft Windows 11 24H2 Enterprise edition.

Devicie is an active contributor to multiple CIS Benchmarks, including the Intune for Windows Benchmark.


Some controls are removed to streamline deployment and adoption. These controls, their security rationale, and our reasons for removal are provided below.

Control Number: 4.10.26.2
Name: Ensure 'Do not display network selection UI' is set to 'Enabled'
Rationale: An unauthorized user could disconnect the PC from the network or connect the PC to other available networks without signing into Windows.
Comment: Removed. With this setting enabled the user cannot join a new wireless network at the logon screen, which breaks pre-provisioning.

Control Number: 49.29
Name: Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'
Rationale: One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run.
Comment: Removed. When elevation requests are automatically denied, the user is never shown a credential prompt and so cannot enter the LAPS (Windows Local Administrator Password Solution) password when installing applications.

Control Number: 81.13
Name: Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'
Rationale: Hosting an SSH server from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased.
Comment: Removed. sshd is disabled by default, and the setting cannot be configured through the Intune Settings Catalog or a custom configuration profile.


Other controls are modified for similar reasons. TODO implement these

Control Number: 4.11.7.2.12
Name: Ensure 'Require additional authentication at startup: Configure TPM startup PIN:' is set to 'Enabled: Require startup PIN with TPM'

Control Number: 4.11.7.2.13
Name: Ensure 'Require additional authentication at startup: Configure TPM startup:' is set to 'Enabled: Do not allow TPM'

Rationale (both controls): TPM without use of a PIN will only validate early boot components and does not require a user to enter any additional authentication information. If a computer is lost or stolen in this configuration, BitLocker will not provide any additional measure of protection beyond what is provided by native Windows authentication unless the early boot components are tampered with or the encrypted drive is removed from the machine.

Comment (both controls): These settings have been changed to require TPM without use of a PIN. Requiring users to create and remember a PIN before boot has very high user impact and adds little risk reduction: the best-known attack on TPM-only BitLocker, sniffing the volume master key from a discrete TPM's bus during boot, is impractical against the firmware TPMs (fTPMs) that are now common. The residual risk accepted is that a TPM-only device boots to the Windows logon screen without any pre-boot authentication, so protection of a lost or stolen device then rests on Windows logon security and the boot-integrity checks the TPM protector enforces.
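The following script is an added example and is not part of the Devicie profile or the CIS benchmark. It audits the effective local state behind the deviations described in both tables above (the removed controls and the modified BitLocker controls), so a device can be checked after the Intune policy has applied. It assumes it is run elevated on a Windows 11 device with the BitLocker PowerShell module present, and that the profile expresses "TPM without PIN" through the documented FVE policy values (UseTPM = 1, UseTPMPIN not 1); the registry paths and value names are the documented policy locations for these settings, and the pass/fail expectations encode this profile's deviations, not the benchmark's recommended values.

```powershell
# Added example (not Devicie's or CIS's code): audit the local state behind this
# profile's deviations. Assumptions: elevated session, Windows 11, BitLocker module
# present, and the profile configures TPM-only BitLocker via UseTPM / UseTPMPIN.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Return the registry value, or $null when the key or value is absent (not configured).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function New-Check {
    param([string]$Control, [string]$Setting, $Value, [string]$Expected, [bool]$Pass)
    [pscustomobject]@{ Control = $Control; Setting = $Setting; Value = $Value; Expected = $Expected; Pass = $Pass }
}

function Test-ProfileDeviations {
    $checks = @()

    # 4.10.26.2 (removed): the network selection UI must stay available at the logon screen
    # so Wi-Fi can be joined during pre-provisioning. Not set or 0 = UI shown.
    $netUi = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' 'DontDisplayNetworkSelectionUI'
    $checks += New-Check '4.10.26.2' 'DontDisplayNetworkSelectionUI' $netUi 'not set or 0 (UI shown)' `
        ($null -eq $netUi -or $netUi -eq 0)

    # UAC standard-user elevation (removed): 0 = automatically deny, 1 = prompt for credentials
    # on the secure desktop, 3 = prompt for credentials (also the default when not configured).
    # The LAPS password can only be entered when a prompt is shown, so 0 is a failure here.
    $cpbu = Get-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'ConsentPromptBehaviorUser'
    $checks += New-Check '49.29' 'ConsentPromptBehaviorUser' $cpbu 'not set, 1 or 3 (prompt)' `
        ($null -eq $cpbu -or $cpbu -in 1, 3)

    # sshd (removed from the profile, intent still holds): the OpenSSH Server capability should be
    # absent, or present with the service disabled and stopped.
    $cap = Get-WindowsCapability -Online -Name 'OpenSSH.Server*' | Select-Object -First 1
    $svc = Get-Service -Name sshd -ErrorAction SilentlyContinue
    $sshdOk = ($null -eq $cap -or $cap.State -ne 'Installed') -or
              ($null -ne $svc -and $svc.StartType -eq 'Disabled' -and $svc.Status -ne 'Running')
    $checks += New-Check '81.13' 'OpenSSH.Server / sshd' "$($cap.State) / $($svc.Status)" `
        'NotPresent, or Disabled and Stopped' $sshdOk

    # 4.11.7.2.12 / 4.11.7.2.13 (modified): this profile requires a TPM protector and does not
    # require a startup PIN. FVE policy values: 0 = do not allow, 1 = require, 2 = allow.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $useTpm    = Get-PolicyValue $fve 'UseTPM'
    $useTpmPin = Get-PolicyValue $fve 'UseTPMPIN'
    $checks += New-Check '4.11.7.2.13' 'UseTPM' $useTpm '1 (require TPM)' ($useTpm -eq 1)
    $checks += New-Check '4.11.7.2.12' 'UseTPMPIN' $useTpmPin '0 or 2 (PIN not required)' ($useTpmPin -in 0, 2)

    # Effective state: the OS volume should be fully encrypted with a Tpm protector (a TpmPin
    # protector would mean a PIN is in force regardless of policy) plus a recovery password.
    $os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem' | Select-Object -First 1
    $types = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $tpmOnly = ($os.VolumeStatus -eq 'FullyEncrypted') -and ($types -contains 'Tpm') -and ($types -contains 'RecoveryPassword')
    $checks += New-Check 'BitLocker' 'OS volume protectors' ($types -join ',') `
        'FullyEncrypted with Tpm + RecoveryPassword' $tpmOnly

    return $checks
}

$report = Test-ProfileDeviations
$report | Format-Table -AutoSize
if ($report.Pass -contains $false) { Write-Warning 'One or more deviations are not in the expected state.' }
```

The BitLocker check reads the protector types actually present rather than only the policy values, because a device encrypted before the policy applied keeps whatever protectors it was given; a TpmPin protector on a TPM-only profile is the mismatch this catches.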


These names have been changed for clarity and backwards compatibility with the CIS Enterprise Benchmarks. The prefix bi stands for Built In.


The following controls are provided in a separate (User) policy for assignment to user groups, as they cause Autopilot failures when assigned to device groups.

Variables

  • InteractiveLogonMessageTitle: title of the legal notice shown on the lock screen before sign-in (Interactive logon: Message title for users attempting to log on)
  • InteractiveLogonMessageText: body of the legal notice shown on the lock screen before sign-in (Interactive logon: Message text for users attempting to log on)