Preach! catalog > Baseline!! Thanks for sharing Dean, this will definitely be useful for everyone - and thanks to David for compiling this!!
The way I do this:
1. Log in to CIS Workbench and download the CIS Build Pack for the given benchmark, e.g. Windows 11...
2. Unzip the build pack
3. Import whatever you need to Intune GPO Analyser
4. You can even merge GPOs in Intune, e.g. Comp L1 and Comp L2
5. Review and select policies
6. Export as Intune configuration profile
Done
This way you have original stuff from CIS. You can edit this - add, remove etc.
Is there a way to get these Build Packs/Kits without buying a CIS SecureSuite Membership?
Well this is promising. It's slightly overwhelming when trying to consider the different frameworks and different ways to implement settings. Thanks for sharing!
FYI, the Device policy will disable OneDrive, you can find the setting under "System\Disable One Drive File Sync" which is set to "Sync disabled"
Thanks!
This is great! Have you tested this in the scenario where you already have your baselines configured, or additional configuration profiles configured?
It looks good and easy, but it's going to be very difficult to convince the security team to disable baselines and use this 🎅🎁🎄
Hi Dean, why would you choose "Users can't add or log on with Microsoft accounts" for Accounts: Block Microsoft Accounts?
Very nice... thanks, Dean, for sharing.
Remote Desktop is being disabled by the policy. I've tried everything, but it’s still not enabling.
Thanks!
Would it be possible to only use Business Premium for this?
I believe it is possible with M365 BP, yes.
I used this configuration, and they had device lock settings in place, which require 14 characters, so when using Autopilot Reset to test out a fresh computer, when prompted with Windows Hello for Business it asked me to set up a PIN that was 14 characters long LOL... what's up with that? This Intune stuff is quite confusing...
Why not just use AD GPO Windows Baselines instead? Or am I missing something here?
Yep - that would work.
Thanks Dean!