Authorized applications should be deployed to managed devices
An authorized application inventory should be kept for corporate-approved applications. These applications should be packaged and deployed in Microsoft Intune from the applications section of the Intune Admin Center. The application lifecycle, including the patch cycle, should be maintained through Intune. The applications listed here will be unique to a tenant/organization.
- For detailed instructions on preparing Win32 app content for upload, refer to the article Prepare Win32 app content for upload on Microsoft Learn.
- To learn how to add Microsoft Store apps to Microsoft Intune, see the article Add Microsoft Store apps to Microsoft Intune on Microsoft Learn.
- To package and deploy applications using the Configuration Manager portal, leverage the app builder section by following the guide Get started with App Builder on Configuration Manager.
Devices and applications shall be wiped when a user leaves the organization or reports a lost/stolen device
Standard operating procedures should be put in place to remotely wipe devices and applications when a user leaves the organization or a device is lost or stolen. This should not be an action performed on an ad hoc basis.
- For guidance on removing devices using wipe, retire, or manual unenrollment, refer to the article Remove devices by using wipe, retire, or manually unenrolling the device on Microsoft Learn.
- To learn how to wipe only corporate data from apps, see the article How to wipe only corporate data from apps - Microsoft Intune on Microsoft Learn.
Review CIS Microsoft Intune benchmarks
CIS publishes benchmarks for Microsoft Intune Windows devices. Currently, it has benchmarks for Windows 10 and Windows 11 devices. These benchmarks are too granular to cover in this guide, but we encourage you to review them over time to see what additional controls you want to add to your baseline, depending on your environment.
- You can download the benchmarks from the Microsoft Intune for Windows section on the CIS Downloads page at cisecurity.org.