CIS Microsoft Intune for Windows 10 v1.1.0 L1 + BL + NG

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: CIS Microsoft Intune for Windows 10 v1.1.0 L1 + BL + NG

Updated: 2/12/2024

Authority: CIS

Plugin: Windows

Revision: 1.9

Estimated Item Count: 298

Audit Changelog

 
Revision 1.9

Feb 12, 2024

Miscellaneous
  • Audit deprecated.
  • Metadata updated.
  • References updated.
Revision 1.8

Jan 9, 2024

Functional Update
  • 18.3.2 Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'
  • 18.4.2 Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' - Enabled: Highest protection, source routing is completely disabled
  • 18.4.3 Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' - Enabled: Highest protection, source routing is completely disabled
  • 18.5.14.1 Ensure 'Hardened UNC Paths' is set to 'Enabled, with 'Require Mutual Authentication' and 'Require Integrity' set for all NETLOGON and SYSVOL shares' - set for all NETLOGON and SYSVOL shares
  • 18.8.14.1 Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'
  • 18.8.37.2 Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'
  • 18.8.7.1.1 Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled'
  • 18.8.7.1.2 Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A'
  • 18.8.7.1.3 Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' (checked)
  • 18.8.7.1.5 Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked)
  • 18.9.11.1.6 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages'
  • 18.9.11.1.7 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False'
  • 18.9.11.2.1 Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled'
  • 18.9.11.2.10 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'
  • 18.9.11.2.2 Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent' is set to 'Enabled: False'
  • 18.9.11.2.4 Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'
  • 18.9.11.2.5 Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'
  • 18.9.11.2.6 Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives' is set to 'Enabled: True'
  • 18.9.11.2.7 Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Store recovery passwords and key packages'
  • 18.9.11.2.8 Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True'
  • 18.9.11.2.9 Ensure 'Require additional authentication at startup' is set to 'Enabled'
  • 18.9.27.1.2 Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' - Enabled: 32,768 or greater
  • 18.9.27.2.2 Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' - Enabled: 196,608 or greater
  • 18.9.27.4.2 Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' - Enabled: 32,768 or greater
  • 18.9.8.2 Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'
  • 18.9.8.3 Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'
Miscellaneous
  • Metadata updated.
Revision 1.7

Dec 8, 2023

Functional Update
  • 18.1.1.1 Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'
  • 18.1.1.2 Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'
  • 18.2.2 Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'
  • 18.2.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled'
  • 18.3.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'
  • 18.3.3 Ensure 'Configure SMB v1 server' is set to 'Disabled'
  • 18.3.4 Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'
  • 18.3.5 Ensure 'WDigest Authentication' is set to 'Disabled'
  • 18.4.5 Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' - Disabled
  • 18.4.7 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' - Enabled
  • 18.5.11.2 Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'
  • 18.5.21.1 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'
  • 18.8.22.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' - Enabled
  • 18.8.22.1.4 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled' - Enabled
  • 18.8.28.2 Ensure 'Do not display network selection UI' is set to 'Enabled' - Enabled
  • 18.8.28.4 Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' - Disabled
  • 18.8.28.5 Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' - Enabled
  • 18.8.28.6 Ensure 'Turn off picture password sign-in' is set to 'Enabled' - Enabled
  • 18.8.28.7 Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' - Disabled
  • 18.8.34.6.3 Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled' - Disabled
  • 18.8.34.6.4 Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled' - Disabled
  • 18.8.34.6.5 Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' - Enabled
  • 18.8.34.6.6 Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' - Enabled
  • 18.8.36.1 Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'
  • 18.8.36.2 Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'
  • 18.8.37.1 Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'
  • 18.8.4.1 Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'
  • 18.9.102.1.1 Ensure 'Allow Basic authentication' is set to 'Disabled' - Disabled
  • 18.9.102.1.2 Ensure 'Allow unencrypted traffic' is set to 'Disabled' - Disabled
  • 18.9.102.1.3 Ensure 'Disallow Digest authentication' is set to 'Enabled' - Enabled
  • 18.9.102.2.1 Ensure 'Allow Basic authentication' is set to 'Disabled' - Disabled
  • 18.9.102.2.3 Ensure 'Allow unencrypted traffic' is set to 'Disabled' - Disabled
  • 18.9.102.2.4 Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' - Enabled
  • 18.9.16.2 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' - Disabled
  • 18.9.31.2 Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' - Disabled
  • 18.9.31.3 Ensure 'Turn off heap termination on corruption' is set to 'Disabled' - Disabled
  • 18.9.6.1 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'
  • 18.9.65.2.2 Ensure 'Do not allow passwords to be saved' is set to 'Enabled' - Enabled
  • 18.9.66.1 Ensure 'Prevent downloading of enclosures' is set to 'Enabled' - Enabled
  • 18.9.8.1 Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'
  • 18.9.91.1 Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled' - Disabled
  • 19.7.4.2 Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'
Revision 1.6

Dec 4, 2023

Miscellaneous
  • Platform check updated.
  • Variables updated.
Revision 1.5

Nov 3, 2023

Functional Update
  • 18.1.1.1 Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'
  • 18.1.1.2 Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'
  • 18.2.2 Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'
  • 18.2.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled'
  • 18.3.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'
  • 18.3.3 Ensure 'Configure SMB v1 server' is set to 'Disabled'
  • 18.3.4 Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'
  • 18.3.5 Ensure 'WDigest Authentication' is set to 'Disabled'
  • 18.4.5 Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' - Disabled
  • 18.4.7 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' - Enabled
  • 18.5.11.2 Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'
  • 18.5.21.1 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'
  • 18.8.22.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' - Enabled
  • 18.8.22.1.4 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled' - Enabled
  • 18.8.28.2 Ensure 'Do not display network selection UI' is set to 'Enabled' - Enabled
  • 18.8.28.4 Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' - Disabled
  • 18.8.28.5 Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' - Enabled
  • 18.8.28.6 Ensure 'Turn off picture password sign-in' is set to 'Enabled' - Enabled
  • 18.8.28.7 Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' - Disabled
  • 18.8.34.6.3 Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled' - Disabled
  • 18.8.34.6.4 Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled' - Disabled
  • 18.8.34.6.5 Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' - Enabled
  • 18.8.34.6.6 Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' - Enabled
  • 18.8.36.1 Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'
  • 18.8.36.2 Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'
  • 18.8.37.1 Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'
  • 18.8.4.1 Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'
  • 18.9.102.1.1 Ensure 'Allow Basic authentication' is set to 'Disabled' - Disabled
  • 18.9.102.1.2 Ensure 'Allow unencrypted traffic' is set to 'Disabled' - Disabled
  • 18.9.102.1.3 Ensure 'Disallow Digest authentication' is set to 'Enabled' - Enabled
  • 18.9.102.2.1 Ensure 'Allow Basic authentication' is set to 'Disabled' - Disabled
  • 18.9.102.2.3 Ensure 'Allow unencrypted traffic' is set to 'Disabled' - Disabled
  • 18.9.102.2.4 Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' - Enabled
  • 18.9.16.2 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' - Disabled
  • 18.9.31.2 Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' - Disabled
  • 18.9.31.3 Ensure 'Turn off heap termination on corruption' is set to 'Disabled' - Disabled
  • 18.9.6.1 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'
  • 18.9.65.2.2 Ensure 'Do not allow passwords to be saved' is set to 'Enabled' - Enabled
  • 18.9.66.1 Ensure 'Prevent downloading of enclosures' is set to 'Enabled' - Enabled
  • 18.9.8.1 Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'
  • 18.9.91.1 Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled' - Disabled
  • 19.7.4.2 Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'
  • 2.2.1 Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'
  • 2.2.10 Ensure 'Create permanent shared objects' is set to 'No One'
  • 2.2.11 Configure 'Create symbolic links' is set to 'Administrators'
  • 2.2.12 Ensure 'Debug programs' is set to 'Administrators'
  • 2.2.13 Ensure 'Deny access to this computer from the network' to include 'Guests, Local account'
  • 2.2.15 Ensure 'Deny log on through Remote Desktop Services' to include 'Guests, Local account'
  • 2.2.16 Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'
  • 2.2.18 Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'
  • 2.2.19 Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'
  • 2.2.2 Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'
  • 2.2.20 Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'
  • 2.2.21 Ensure 'Load and unload device drivers' is set to 'Administrators'
  • 2.2.22 Ensure 'Lock pages in memory' is set to 'No One'
  • 2.2.23 Ensure 'Manage auditing and security log' is set to 'Administrators'
  • 2.2.24 Ensure 'Modify an object label' is set to 'No One'
  • 2.2.25 Ensure 'Modify firmware environment values' is set to 'Administrators'
  • 2.2.26 Ensure 'Perform volume maintenance tasks' is set to 'Administrators'
  • 2.2.27 Ensure 'Profile single process' is set to 'Administrators'
  • 2.2.28 Ensure 'Restore files and directories' is set to 'Administrators'
  • 2.2.29 Ensure 'Take ownership of files or other objects' is set to 'Administrators'
  • 2.2.3 Ensure 'Act as part of the operating system' is set to 'No One'
  • 2.2.4 Ensure 'Allow log on locally' is set to 'Administrators, Users'
  • 2.2.5 Ensure 'Back up files and directories' is set to 'Administrators'
  • 2.2.6 Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'
  • 2.2.7 Ensure 'Create a pagefile' is set to 'Administrators'
  • 2.2.8 Ensure 'Create a token object' is set to 'No One'
  • 2.2.9 Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'
Revision 1.4

Sep 27, 2023

Miscellaneous
  • Platform check updated.
  • References updated.
  • Variables updated.
Revision 1.3

Aug 24, 2023

Miscellaneous
  • References updated.
Added
  • 18.9.108.2.2 Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'
Removed
  • 18.9.108.2.2 Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day' - Every day'
Revision 1.2

Apr 12, 2023

Miscellaneous
  • Metadata updated.
  • Platform check updated.
  • Variables updated.
Revision 1.1

Mar 7, 2023

Miscellaneous
  • Metadata updated.
  • References updated.