CIS Microsoft Intune for Windows 10 v3.0.1 L1

Audit Details

Name: CIS Microsoft Intune for Windows 10 v3.0.1 L1

Updated: 5/10/2024

Authority: CIS

Plugin: Windows

Revision: 1.0

Estimated Item Count: 279

File Details

Filename: CIS_Microsoft_Intune_for_Windows_10_v3.0.1_L1.audit

Size: 695 kB

MD5: 6f64975d8eb01210b818eee5507d7c50
SHA256: 28c6bc4876fa5124f12438e7937ef73b9d98200c2ac8876000259198321c4a92

Audit Items

DescriptionCategories
1.1 (L1) Ensure 'Allow Cortana Above Lock' is set to 'Block'

CONFIGURATION MANAGEMENT

3.1.3.1 (L1) Ensure 'Enable screen saver (User)' is set to 'Enabled'

ACCESS CONTROL

3.1.3.2 (L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'

ACCESS CONTROL

3.1.3.3 (L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'

ACCESS CONTROL

3.4.1 (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'

ACCESS CONTROL

3.4.2 (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'

CONFIGURATION MANAGEMENT

3.4.3 (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled'

CONFIGURATION MANAGEMENT

3.4.4 (L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'

SYSTEM AND INFORMATION INTEGRITY

3.4.5 (L1) Ensure 'WDigest Authentication' is set to 'Disabled'

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

3.5.1 (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

3.5.2 (L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'

SYSTEM AND COMMUNICATIONS PROTECTION

3.5.3 (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'

SYSTEM AND COMMUNICATIONS PROTECTION

3.5.5 (L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

3.5.7 (L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'

ACCESS CONTROL, CONFIGURATION MANAGEMENT

3.5.9 (L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'

SYSTEM AND INFORMATION INTEGRITY

3.5.10 (L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'

ACCESS CONTROL

3.5.13 (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'

AUDIT AND ACCOUNTABILITY

3.6.4.1 (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled'

CONFIGURATION MANAGEMENT

3.6.9.1 (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'

ACCESS CONTROL, CONFIGURATION MANAGEMENT

3.6.9.2 (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'

CONFIGURATION MANAGEMENT

3.6.9.3 (L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'

ACCESS CONTROL

3.6.11.1 (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with 'Require Mutual Authentication' and 'Require Integrity' set for all NETLOGON and SYSVOL shares'

IDENTIFICATION AND AUTHENTICATION

3.6.18.1 (L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet'

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

3.6.18.2 (L1) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'

SYSTEM AND COMMUNICATIONS PROTECTION

3.6.19.1 (L1) Ensure 'Require PIN pairing' is set to 'Enabled'

SYSTEM AND COMMUNICATIONS PROTECTION

3.7.1 (L1) Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

3.7.2 (L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'

ACCESS CONTROL

3.7.3 (L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'

CONFIGURATION MANAGEMENT

3.9.1.1 (L1) Ensure 'Turn off toast notifications on the lock screen (User)' is set to 'Enabled'

CONFIGURATION MANAGEMENT

3.10.4.1 (L1) Ensure 'Include command line in process creation events' is set to 'Enabled'

AUDIT AND ACCOUNTABILITY

3.10.5.1 (L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'

SYSTEM AND INFORMATION INTEGRITY

3.10.5.2 (L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'

IDENTIFICATION AND AUTHENTICATION

3.10.9.2 (L1) Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled'

CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

3.10.13.1 (L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'

SYSTEM AND INFORMATION INTEGRITY

3.10.19.1 (L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

3.10.19.2 (L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

3.10.19.3 (L1) Ensure 'Configure security policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

3.10.19.4 (L1) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

3.10.19.5 (L1) Ensure 'Continue experiences on this device' is set to 'Disabled'

CONFIGURATION MANAGEMENT

3.10.19.6 (L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

3.10.20.1.2 (L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'

CONFIGURATION MANAGEMENT

3.10.20.1.5 (L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'

CONFIGURATION MANAGEMENT

3.10.25.1 (L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

3.10.25.2 (L1) Ensure 'Do not display network selection UI' is set to 'Enabled'

ACCESS CONTROL

3.10.25.3 (L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'

ACCESS CONTROL

3.10.25.4 (L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'

ACCESS CONTROL

3.10.25.5 (L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'

CONFIGURATION MANAGEMENT

3.10.25.6 (L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled'

CONFIGURATION MANAGEMENT

3.10.25.7 (L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'

CONFIGURATION MANAGEMENT

3.10.28.5.1 (L1) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'

SYSTEM AND INFORMATION INTEGRITY