Applying Both Windows Intune and Enterprise Benchmarks

Owned by Nick Romanzo, created
Last updated: Aug 21, 2024 by Amanda McGown
1 min read

Product Name

CIS Benchmarks

Product Version

Microsoft Windows + Microsoft Intune

Date

Aug 21, 2024

Ā 

Problem

My Windows system uses both Intune and traditional Group Policy. How can I get accurate results when using CIS-CAT Pro Assessor?

Ā 

Solution

Both Intune and traditional GP can be applied, but there cannot be any overlapping policies. So, if itā€™s set through Intune, then donā€™t set it via GPO. If there is overlapping, it could cause issues in the environment. Extensive testing needs to be done before pushing to production. One possible away to avoid overlapping is to only apply the policies that are NOT included in the Intune to on-prem (GPO), then do the rest through Intune. The Intune to Group Policy mapping spreadsheet can be used as a reference, which is available for download from WorkBench: https://workbench.cisecurity.org/files?q=mapping+document&tags=&visibility=all

For scanning a hybrid machine, the recommendation is to create a custom benchmark for policies not available in the other Benchmark. Guidance on creating a custom Benchmark can be found here:

Extensive testing needs to be done when using both benchmarks. If both benchmarks are fully applied, there will be issues.

Keywords; Hybrid Windows Intune

Content by Label

Copyright Ā© 2024

Center for Internet SecurityĀ®

Ā