CIS compliancy: Intune

  • Last update on September 27th, 2024

Authorized applications should be deployed to managed devices

An authorized application inventory should be kept for corporate approved applications. These applications should be packaged and deployed in Microsoft Intune from the applications section of the Intune Admin Center. The application lifecycle should be maintained through Intune, including the patch cycle. The applications listed here will be unique to a tenant/organization.

 
 

Devices and applications shall be wiped when a user leaves the organization or reports a lost/stolen device

Standard operating procedures should be put into place to remotely wipe devices and applications when a user leaves the organization, or a device is lost or stolen. This is not an action performed on an ad hoc basis.

 
 

Review CIS Microsoft Intune benchmarks 

CIS post benchmarks for Microsoft Intune Windows Devices. Currently, they have benchmarks for Windows 10 and Windows 11 devices. The granularity of these benchmarks is too verbose to cover in this guide but we would encourage you to review it over time to see what additional controls you would want to add to your baseline depending on your environment.

  • You can download the benchmarks from the Microsoft Intune for Windows section on the CIS Downloads page at cisecurity.org.