Applying Both Windows Intune and Enterprise Benchmarks


Product Name: CIS Benchmarks

Product Version: Microsoft Windows + Microsoft Intune

Date: Aug 21, 2024



 

Problem

My Windows system uses both Intune and traditional Group Policy. How can I get accurate results when using CIS-CAT Pro Assessor?

 

Solution

Both Intune and traditional Group Policy (GP) can be applied, but the policies must not overlap: if a setting is configured through Intune, don't also set it via GPO. Overlapping policies could cause issues in the environment. Extensive testing needs to be done before pushing to production. One possible way to avoid overlap is to apply on-prem (via GPO) only the policies that are NOT included in Intune, then do the rest through Intune. The Intune to Group Policy mapping spreadsheet, available for download from WorkBench, can be used as a reference: https://workbench.cisecurity.org/files?q=mapping+document&tags=&visibility=all

For scanning a hybrid machine, the recommendation is to create a custom benchmark for policies not available in the other Benchmark. Guidance on creating a custom Benchmark can be found here:

Extensive testing needs to be done when using both benchmarks. If both benchmarks are fully applied, there will be issues.
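
One way to check for overlap before applying both policy sets, shown as an added example that is not CIS tooling or part of the original article. It sorts each GPO-configured setting into overlap, move-to-Intune, GPO-only (the candidates for a custom benchmark), or unmapped. The CSV column names, setting names and values are constructed assumptions, standing in for exports of the mapping spreadsheet and of the settings configured on each channel.

```python
import csv
import io

# Constructed sample data. Column and setting names are assumptions and do
# not reflect the layout or contents of the CIS mapping spreadsheet.
MAPPING_CSV = """gpo_setting,intune_setting
Password minimum length,Example/PasswordMinLength
Account lockout threshold,Example/MaxFailedAttempts
Legacy audit override,
"""
GPO_APPLIED_CSV = """setting,value
password minimum length,14
Account  lockout threshold,5
Legacy audit override,Enabled
Custom banner text,Enabled
"""
INTUNE_APPLIED_CSV = """setting,value
Example/PasswordMinLength,12
"""

def norm(name):
    """Case- and whitespace-insensitive key so exports from different tools match."""
    return " ".join(name.split()).casefold()

def read_pairs(text, key_col, val_col):
    rows = csv.DictReader(io.StringIO(text))
    return {norm(r[key_col]): (r[val_col] or "").strip() for r in rows}

def split_policies(mapping_csv, gpo_csv, intune_csv):
    """Sort every GPO-configured setting into one of four buckets."""
    mapping = read_pairs(mapping_csv, "gpo_setting", "intune_setting")
    gpo = read_pairs(gpo_csv, "setting", "value")
    intune = read_pairs(intune_csv, "setting", "value")
    result = {"overlap": [], "move_to_intune": [], "gpo_only": [], "unmapped": []}
    for name, gpo_value in sorted(gpo.items()):
        if name not in mapping:
            result["unmapped"].append(name)        # not in the mapping: review by hand
        elif not mapping[name]:
            result["gpo_only"].append(name)        # no Intune equivalent: keep in GPO
        elif norm(mapping[name]) in intune:        # set on both channels
            result["overlap"].append((name, gpo_value, intune[norm(mapping[name])]))
        else:
            result["move_to_intune"].append(name)  # Intune can deliver it instead
    return result

if __name__ == "__main__":
    for bucket, items in split_policies(MAPPING_CSV, GPO_APPLIED_CSV, INTUNE_APPLIED_CSV).items():
        print(bucket, items)
```

Each overlap entry carries both configured values, so a mismatch such as 14 versus 12 is visible before deciding which channel keeps the setting.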

Keywords: Hybrid Windows Intune


Copyright © 2024

Center for Internet Security®