Applying Both Windows Intune and Enterprise Benchmarks
Product Name
CIS Benchmarks
Product Version
Microsoft Windows + Microsoft Intune
Date
Aug 21, 2024
Problem
My Windows system uses both Intune and traditional Group Policy. How can I get accurate results when using CIS-CAT Pro Assessor?
Solution
Both Intune and traditional Group Policy (GP) can be applied, but there cannot be any overlapping policies: if a setting is configured through Intune, do not also set it via GPO. Overlapping policies could cause issues in the environment. Extensive testing needs to be done before pushing to production. One possible way to avoid overlap is to apply on-prem (via GPO) only the policies that are NOT included in Intune, then do the rest through Intune. The Intune to Group Policy mapping spreadsheet can be used as a reference; it is available for download from WorkBench: https://workbench.cisecurity.org/files?q=mapping+document&tags=&visibility=all
For scanning a hybrid machine, the recommendation is to create a custom benchmark for policies not available in the other Benchmark. Guidance on creating a custom Benchmark can be found here:
Extensive testing needs to be done when using both benchmarks. If both benchmarks are fully applied, there will be issues.
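The overlap check described above can be scripted against a CSV export of the mapping spreadsheet. The following is an added example, not CIS-provided code; the column names (`gpo_setting`, `intune_setting`), the sample rows and the `intune:` labels are assumptions constructed for illustration and do not reproduce the actual mapping document.

```python
import csv
import io

# Constructed sample data (assumption): column names and rows are invented for
# this example. An empty intune_setting means "no Intune equivalent" here only.
MAPPING_CSV = """gpo_setting,intune_setting
Minimum password length,intune:min-password-length
Turn off Autoplay,intune:turn-off-autoplay
Audit Logon,intune:audit-logon
Rename administrator account,
Configure SMB v1 server,
"""

# Constructed inventories of what each channel currently configures.
GPO_CONFIGURED = {"Minimum password length", "Rename administrator account",
                  "Turn off Autoplay", "Legacy banner text"}
INTUNE_CONFIGURED = {"intune:min-password-length", "intune:audit-logon"}


def load_mapping(text):
    """Return {gpo_setting: intune_setting or None} from the CSV text."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["gpo_setting"].strip(): (r["intune_setting"].strip() or None)
            for r in rows}


def plan_split(mapping):
    """Settings with an Intune equivalent go to Intune; the rest stay in GPO."""
    plan = {"intune": [], "gpo": []}
    for gpo_name, intune_name in mapping.items():
        plan["intune" if intune_name else "gpo"].append(gpo_name)
    return plan


def find_overlaps(mapping, gpo_configured, intune_configured):
    """Return (settings set through both channels, GPO settings not in the mapping)."""
    overlaps, unmapped = [], []
    for name in sorted(gpo_configured):
        if name not in mapping:
            unmapped.append(name)  # not covered by the mapping: review manually
        elif mapping[name] in intune_configured:
            overlaps.append((name, mapping[name]))
    return overlaps, unmapped


if __name__ == "__main__":
    mapping = load_mapping(MAPPING_CSV)
    print("Deployment plan:", plan_split(mapping))
    overlaps, unmapped = find_overlaps(mapping, GPO_CONFIGURED, INTUNE_CONFIGURED)
    print("Remove from GPO or Intune (set in both):", overlaps)
    print("Not in mapping, review manually:", unmapped)
```

Any setting reported as set in both channels should be removed from one of them before scanning; settings missing from the mapping need a manual decision.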
Keywords: Hybrid Windows Intune