Src/Compliance/CIS.M365.Intune.json
|
{ "_meta": { "framework": "CIS Microsoft 365 Foundations Benchmark", "version": "v3.1.0", "reference": "https://www.cisecurity.org/benchmark/microsoft_365", "lastReviewed": "2025-01-01", "notes": "CIS Levels: L1 = baseline (all orgs), L2 = high-security (sensitive/regulated). Status tokens: [OK] [WARN] [FAIL] [INFO]. Mapped to Intune (Endpoint Manager) controls.", "cisChapters": { "1": "Account / Authentication", "6": "Mobile Device Management", "7": "Data Management" } }, "DeviceCompliance": { "_section": "Mobile Device Management -- Device Compliance Policies", "_cisChapter": "6.1, 6.2", "_source": "CIS M365 Foundations Benchmark v3.1.0", "checks": [ { "id": "CIS-M365-6.1.1", "CISControl": "6.1.1", "Level": "L1", "title": "Device compliance policies are deployed for all managed platforms", "staticStatus": null, "statusExpression": "if ($TotalCompliancePolicies -ge 1) { '[OK]' } else { '[FAIL]' }", "detailTemplate": "{TotalCompliancePolicies} compliance policy/policies configured. CIS requires compliance policies to be deployed for all managed device platforms.", "remediation": "Create device compliance policies in Intune > Devices > Compliance Policies for each platform (Windows, iOS, Android, macOS). Assign to All Devices or relevant groups.", "tags": ["compliance", "mdm", "l1"] }, { "id": "CIS-M365-6.1.2", "CISControl": "6.1.2", "Level": "L1", "title": "Mobile device password/PIN is required", "staticStatus": "[INFO]", "detailTemplate": "Verify iOS and Android compliance policies require a passcode/PIN. CIS 6.1.2 requires mobile devices to require a PIN or password before access.", "remediation": "Enable 'Require a password to unlock mobile devices' (or 'Passcode required') in all iOS and Android compliance policies.", "tags": ["compliance", "password", "mobile", "l1"] }, { "id": "CIS-M365-6.1.3", "CISControl": "6.1.3", "Level": "L1", "title": "Non-compliant device count is acceptable", "staticStatus": null, "statusExpression": "if ($NonCompliantDevices -eq 0) { '[OK]' } elseif ($NonCompliantPct -le 5) { '[WARN]' } else { '[FAIL]' }", "detailTemplate": "{NonCompliantDevices} device(s) ({NonCompliantPct}%) are non-compliant. CIS recommends all managed devices maintain compliance status.", "remediation": "Investigate non-compliant devices in Intune > Devices > Monitor > Noncompliant Devices. Remediate configuration gaps or retire unmanageable devices.", "tags": ["compliance", "non-compliant", "l1"] }, { "id": "CIS-M365-6.2.1", "CISControl": "6.2.1", "Level": "L1", "title": "Device encryption is required in compliance policies", "staticStatus": null, "statusExpression": "if ($WindowsBitLockerRequired -or $MobileEncryptionRequired) { '[OK]' } else { '[WARN]' }", "detailTemplate": "Windows BitLocker required: {WindowsBitLockerRequired}. Mobile encryption required: {MobileEncryptionRequired}. CIS requires encryption at rest for all managed devices.", "remediation": "Enable BitLocker requirement in Windows compliance policies and 'Require encryption of data storage on device' in Android compliance policies.", "tags": ["compliance", "encryption", "bitlocker", "l1"] }, { "id": "CIS-M365-6.2.2", "CISControl": "6.2.2", "Level": "L2", "title": "Jailbroken/rooted devices are blocked", "staticStatus": "[INFO]", "detailTemplate": "Verify iOS and Android compliance policies block jailbroken/rooted devices. CIS 6.2.2 (L2) requires managed mobile devices to be free of operating system tampering.", "remediation": "Enable 'Jailbroken devices' (iOS) and 'Rooted devices' (Android) block settings in all mobile compliance policies.", "tags": ["compliance", "jailbreak", "mobile", "l2"] } ] }, "ConfigurationProfiles": { "_section": "Mobile Device Management -- Device Configuration", "_cisChapter": "6.3, 6.4", "_source": "CIS M365 Foundations Benchmark v3.1.0", "checks": [ { "id": "CIS-M365-6.3.1", "CISControl": "6.3.1", "Level": "L1", "title": "Device configuration profiles are deployed", "staticStatus": null, "statusExpression": "if ($TotalConfigProfiles -ge 1) { '[OK]' } else { '[WARN]' }", "detailTemplate": "{TotalConfigProfiles} device configuration profile(s) deployed. Configuration profiles enforce security settings beyond what compliance policies check.", "remediation": "Create and assign configuration profiles for each managed platform to enforce security settings (screen lock, data backup restrictions, browser settings).", "tags": ["configuration", "mdm", "l1"] }, { "id": "CIS-M365-6.3.2", "CISControl": "6.3.2", "Level": "L1", "title": "All configuration profiles are assigned to groups", "staticStatus": null, "statusExpression": "if ($UnassignedConfigProfiles -eq 0) { '[OK]' } elseif ($UnassignedConfigProfiles -le 2) { '[WARN]' } else { '[FAIL]' }", "detailTemplate": "{UnassignedConfigProfiles} configuration profile(s) are not assigned to any group. Unassigned profiles have no effect on managed devices.", "remediation": "Review all configuration profiles and assign them to the appropriate device or user groups.", "tags": ["configuration", "assignment", "l1"] }, { "id": "CIS-M365-6.4.1", "CISControl": "6.4.1", "Level": "L2", "title": "Microsoft Security Baselines deployed", "staticStatus": null, "statusExpression": "if ($TotalSecurityBaselines -ge 1) { '[OK]' } else { '[WARN]' }", "detailTemplate": "{TotalSecurityBaselines} Microsoft Security Baseline profile(s) deployed. Security Baselines represent CIS/Microsoft-recommended hardening configurations for Windows.", "remediation": "Deploy the Microsoft Security Baseline for Windows 10/11 from Intune > Endpoint Security > Security Baselines.", "tags": ["configuration", "security-baseline", "l2"] } ] }, "AppManagement": { "_section": "Mobile Device Management -- App Management / MAM", "_cisChapter": "6.5", "_source": "CIS M365 Foundations Benchmark v3.1.0", "checks": [ { "id": "CIS-M365-6.5.1", "CISControl": "6.5.1", "Level": "L1", "title": "App Protection Policies (MAM) deployed for iOS and Android", "staticStatus": null, "statusExpression": "if ($TotalAppProtectionPolicies -ge 2) { '[OK]' } elseif ($TotalAppProtectionPolicies -ge 1) { '[WARN]' } else { '[FAIL]' }", "detailTemplate": "{TotalAppProtectionPolicies} App Protection Policy/Policies deployed. CIS requires MAM policies for both iOS and Android to protect corporate data on mobile devices.", "remediation": "Create App Protection Policies in Intune > Apps > App Protection Policies for both iOS and Android. Assign to All Users or licensed user groups.", "tags": ["app-management", "mam", "l1"] }, { "id": "CIS-M365-6.5.2", "CISControl": "6.5.2", "Level": "L1", "title": "App Protection Policies restrict data transfer", "staticStatus": "[INFO]", "detailTemplate": "Verify App Protection Policies are configured to restrict 'Send org data to other apps' to 'Policy managed apps only'. CIS 6.5.2 requires preventing corporate data from being sent to unmanaged apps.", "remediation": "In all App Protection Policies, set 'Send org data to other apps' to 'Policy managed apps'. This prevents copy/paste and data transfer to personal apps.", "tags": ["app-management", "data-protection", "l1"] }, { "id": "CIS-M365-6.5.3", "CISControl": "6.5.3", "Level": "L2", "title": "App Protection Policies enforce PIN requirement", "staticStatus": "[INFO]", "detailTemplate": "Verify App Protection Policies require PIN or biometric authentication. CIS 6.5.3 (L2) requires an additional authentication layer at the app level.", "remediation": "Enable 'Require PIN for access' in all App Protection Policies. Set minimum PIN length to 6 and enable biometric as an alternative.", "tags": ["app-management", "pin", "authentication", "l2"] }, { "id": "CIS-M365-6.5.4", "CISControl": "6.5.4", "Level": "L1", "title": "App Protection Policies are assigned to user groups", "staticStatus": null, "statusExpression": "if ($UnassignedAppPolicies -eq 0) { '[OK]' } else { '[WARN]' }", "detailTemplate": "{UnassignedAppPolicies} App Protection Policy/Policies are not assigned to any group. Unassigned policies provide no protection.", "remediation": "Assign all App Protection Policies to All Users or the relevant licensed user groups.", "tags": ["app-management", "assignment", "l1"] } ] }, "EnrollmentRestrictions": { "_section": "Mobile Device Management -- Enrollment", "_cisChapter": "6.6", "_source": "CIS M365 Foundations Benchmark v3.1.0", "checks": [ { "id": "CIS-M365-6.6.1", "CISControl": "6.6.1", "Level": "L1", "title": "Device enrollment restrictions are configured", "staticStatus": null, "statusExpression": "if ($TotalEnrollmentRestrictions -ge 1) { '[OK]' } else { '[WARN]' }", "detailTemplate": "{TotalEnrollmentRestrictions} enrollment restriction configuration(s) found. CIS requires enrollment restrictions to control which devices and platforms are permitted to enrol.", "remediation": "Configure Device Type Restrictions in Intune > Devices > Enrollment Restrictions to allow only supported platforms and ownership types.", "tags": ["enrollment", "l1"] }, { "id": "CIS-M365-6.6.2", "CISControl": "6.6.2", "Level": "L2", "title": "Enrollment Status Page deployed to block access pre-provisioning", "staticStatus": null, "statusExpression": "if ($TotalESPProfiles -ge 1) { '[OK]' } else { '[INFO]' }", "detailTemplate": "{TotalESPProfiles} Enrollment Status Page profile(s) deployed. CIS 6.6.2 (L2) recommends using ESP to ensure devices receive required policies before the user can log in.", "remediation": "Create an Enrollment Status Page profile in Intune > Devices > Windows > Windows Enrollment > Enrollment Status Page. Assign to Autopilot device groups.", "tags": ["enrollment", "esp", "l2"] } ] }, "EndpointSecurity": { "_section": "Mobile Device Management -- Endpoint Security", "_cisChapter": "6.7", "_source": "CIS M365 Foundations Benchmark v3.1.0", "checks": [ { "id": "CIS-M365-6.7.1", "CISControl": "6.7.1", "Level": "L1", "title": "Antivirus / Microsoft Defender policies deployed", "staticStatus": null, "statusExpression": "if ($TotalAntivirusPolicies -ge 1) { '[OK]' } else { '[WARN]' }", "detailTemplate": "{TotalAntivirusPolicies} Antivirus endpoint security policy/policies deployed. CIS requires antivirus to be enabled and managed on all Windows devices.", "remediation": "Create an Antivirus policy in Intune > Endpoint Security > Antivirus targeting all Windows managed devices.", "tags": ["endpoint-security", "antivirus", "defender", "l1"] }, { "id": "CIS-M365-6.7.2", "CISControl": "6.7.2", "Level": "L1", "title": "Disk Encryption (BitLocker) policies deployed", "staticStatus": null, "statusExpression": "if ($TotalDiskEncryptionPolicies -ge 1) { '[OK]' } else { '[WARN]' }", "detailTemplate": "{TotalDiskEncryptionPolicies} Disk Encryption policy/policies deployed. CIS 6.7.2 requires BitLocker encryption on all managed Windows devices.", "remediation": "Create a Disk Encryption (BitLocker) policy in Intune > Endpoint Security > Disk Encryption targeting all Windows devices.", "tags": ["endpoint-security", "bitlocker", "encryption", "l1"] }, { "id": "CIS-M365-6.7.3", "CISControl": "6.7.3", "Level": "L1", "title": "Firewall policies deployed", "staticStatus": null, "statusExpression": "if ($TotalFirewallPolicies -ge 1) { '[OK]' } else { '[WARN]' }", "detailTemplate": "{TotalFirewallPolicies} Firewall policy/policies deployed. CIS requires Windows Firewall to be enabled and managed via Intune for all Windows devices.", "remediation": "Create a Firewall policy in Intune > Endpoint Security > Firewall targeting all Windows devices. Enable firewall for all network profiles.", "tags": ["endpoint-security", "firewall", "l1"] }, { "id": "CIS-M365-6.7.4", "CISControl": "6.7.4", "Level": "L2", "title": "Endpoint Detection and Response (EDR) policies deployed", "staticStatus": null, "statusExpression": "if ($TotalEDRPolicies -ge 1) { '[OK]' } else { '[WARN]' }", "detailTemplate": "{TotalEDRPolicies} EDR policy/policies deployed. CIS 6.7.4 (L2) recommends onboarding managed devices to Microsoft Defender for Endpoint for advanced threat detection.", "remediation": "Create an Endpoint Detection and Response policy in Intune > Endpoint Security > Endpoint Detection and Response to onboard managed devices to Microsoft Defender for Endpoint.", "tags": ["endpoint-security", "edr", "defender-for-endpoint", "l2"] }, { "id": "CIS-M365-6.7.5", "CISControl": "6.7.5", "Level": "L2", "title": "Attack Surface Reduction rules deployed", "staticStatus": null, "statusExpression": "if ($TotalASRPolicies -ge 1) { '[OK]' } else { '[WARN]' }", "detailTemplate": "{TotalASRPolicies} Attack Surface Reduction policy/policies deployed. ASR rules reduce the attack surface of Windows devices by blocking malicious behaviours.", "remediation": "Create an Attack Surface Reduction policy in Intune > Endpoint Security > Attack Surface Reduction. Enable rules in block mode after testing in audit mode.", "tags": ["endpoint-security", "asr", "l2"] } ] }, "Scripts": { "_section": "Mobile Device Management -- Scripts", "_cisChapter": "6.8", "_source": "CIS M365 Foundations Benchmark v3.1.0", "checks": [ { "id": "CIS-M365-6.8.1", "CISControl": "6.8.1", "Level": "L2", "title": "PowerShell scripts enforce signature checking", "staticStatus": null, "statusExpression": "if ($UnsignedScripts -eq 0) { '[OK]' } elseif ($UnsignedScripts -le 2) { '[WARN]' } else { '[FAIL]' }", "detailTemplate": "{UnsignedScripts} PowerShell script(s) deployed without signature enforcement. CIS 6.8.1 recommends enabling script signature check to prevent unsigned scripts from running.", "remediation": "Enable 'Enforce script signature check' for all PowerShell scripts in Intune > Devices > Scripts. Alternatively, sign all scripts with a trusted code-signing certificate.", "tags": ["scripts", "signature", "l2"] } ] }, "Devices": { "_section": "Mobile Device Management -- Managed Devices", "_cisChapter": "6.9", "_source": "CIS M365 Foundations Benchmark v3.1.0", "checks": [ { "id": "CIS-M365-6.9.1", "CISControl": "6.9.1", "Level": "L1", "title": "Managed device fleet achieves high compliance rate", "staticStatus": null, "statusExpression": "if ($CompliantPct -ge 90) { '[OK]' } elseif ($CompliantPct -ge 70) { '[WARN]' } else { '[FAIL]' }", "detailTemplate": "{CompliantDevices} of {TotalManagedDevices} devices ({CompliantPct}%) are compliant. CIS target: at least 90% of managed devices should be compliant.", "remediation": "Investigate and remediate non-compliant devices. Review the compliance policy settings to ensure they reflect current organisational policy.", "tags": ["devices", "compliance", "l1"] }, { "id": "CIS-M365-6.9.2", "CISControl": "6.9.2", "Level": "L1", "title": "Stale devices are regularly retired", "staticStatus": null, "statusExpression": "if ($StaleDevicePct -le 5) { '[OK]' } elseif ($StaleDevicePct -le 15) { '[WARN]' } else { '[FAIL]' }", "detailTemplate": "{StaleDevices} device(s) ({StaleDevicePct}%) have not checked in for >90 days. CIS recommends retiring devices that have not checked in within 90 days.", "remediation": "Configure Intune Device Cleanup Rules (Intune > Devices > Device Cleanup Rules) to automatically delete devices that have not checked in for 90 days.", "tags": ["devices", "stale", "l1"] }, { "id": "CIS-M365-6.9.3", "CISControl": "6.9.3", "Level": "L2", "title": "Non-compliant devices blocked from accessing corporate resources", "staticStatus": "[INFO]", "detailTemplate": "Verify Conditional Access policies are configured to block or restrict access from non-compliant devices. CIS 6.9.3 requires Intune compliance status to be enforced via Conditional Access. This check requires cross-referencing with Entra ID / Conditional Access configuration.", "remediation": "Create a Conditional Access policy requiring device compliance (Grant: Require device to be marked as compliant) for access to all cloud apps. Assign to All Users.", "tags": ["devices", "compliance", "conditional-access", "l2"] } ] } } |