CIS Windows 11 Enterprise 3.0.0

Overview:

The Devicie CIS Windows 11 Enterprise 3.0.0 - L1 template provides configuration is to meet the CIS Enterprise 3.0 Benchmark.

Intune Description:

Centre for Internet Security Windows 11 Enterprise Benchmark v3.0.0 Level 1 (Custom)

Scope:

This baseline should be applied to Windows devices.

Policy Impact Areas:

When deployed, this policy will impact:

TBA

Deployment Notes

Pre-Deployment Considerations:
- TBA
Post-Deployment Validation:
- TBA

Known Issues and Resolutions

Issue 1: None at this time
- Resolution: N/A

Configuration Settings:

*OMA-URI Settings*
*BackupDirectory*
Name	BackupDirectory
Description	18.9.25.1
OMA-URI	./Device/Vendor/MSFT/LAPS/Policies/BackupDirectory
Data type	Integer
Value	1
*PasswordExpirationProtectionEnabled*
Name	PasswordExpirationProtectionEnabled
Description	18.9.25.2
OMA-URI	./Device/Vendor/MSFT/LAPS/Policies/PasswordExpirationProtectionEnabled
Data type	Boolean
Value	True
*ADPasswordEncryptionEnabled*
Name	ADPasswordEncryptionEnabled
Description	18.9.25.3
OMA-URI	./Device/Vendor/MSFT/LAPS/Policies/ADPasswordEncryptionEnabled
Data type	Boolean
Value	True
*PasswordComplexity*
Name	PasswordComplexity
Description	18.9.25.4
OMA-URI	./Device/Vendor/MSFT/LAPS/Policies/PasswordComplexity
Data type	Integer
Value	4
*PasswordLength*
Name	PasswordLength
Description	18.9.25.5
OMA-URI	./Device/Vendor/MSFT/LAPS/Policies/PasswordLength
Data type	Integer
Value	15
*PasswordAgeDays*
Name	PasswordAgeDays
Description	18.9.25.6
OMA-URI	./Device/Vendor/MSFT/LAPS/Policies/PasswordAgeDays
Data type	Integer
Value	30
*PostAuthenticationResetDelay*
Name	PostAuthenticationResetDelay
Description	18.9.25.7
OMA-URI	./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationResetDelay
Data type	Integer
Value	4
*PostAuthenticationActions*
Name	PostAuthenticationActions
Description	18.9.25.8
OMA-URI	./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationActions
Data type	Integer
Value	3
*AuditApplicationGuard*
Name	AuditApplicationGuard
Description	18.10.43.1
OMA-URI	./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Audit/AuditApplicationGuard
Data type	Integer
Value	1
*AllowCameraMicrophoneRedirection*
Name	AllowCameraMicrophoneRedirection
Description	18.10.43.2
OMA-URI	./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/AllowCameraMicrophoneRedirection
Data type	Integer
Value	0
*AllowPersistence*
Name	AllowPersistence
Description	18.10.43.3
OMA-URI	./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/AllowPersistence
Data type	Integer
Value	0
*SaveFilesToHost*
Name	SaveFilesToHost
Description	18.10.43.4
OMA-URI	./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/SaveFilesToHost
Data type	Integer
Value	0
*ClipboardSettings*
Name	ClipboardSettings
Description	18.10.43.5
OMA-URI	./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/ClipboardSettings
Data type	Integer
Value	1
*AllowWindowsDefenderApplicationGuard*
Name	AllowWindowsDefenderApplicationGuard
Description	18.10.43.6
OMA-URI	./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/AllowWindowsDefenderApplicationGuard
Data type	Integer
Value	1
*AllowTelemetry*
Name	AllowTelemetry
Description	18.10.15.1
OMA-URI	./Device/Vendor/MSFT/Policy/Config/System/AllowTelemetry
Data type	Integer
Value	0

Devicie Template Name	CIS Windows 11 Enterprise 3.0.0 - L1 (Custom)
Default Intune Deployed Name	CIS Windows 11 Enterprise 3.0.0 - L1 (Custom)
Version	1.0
Template Last Updated	Nov 8, 2024
Document Last Updated:	Jul 24, 2025

CIS Windows 11 Enterprise 3.0.0 - L1 (Custom)